Understand Signatures


A signature has many ways to execute commands on your machine, so make sure you read a signature before you run it.

Page                      Description
Info                      Information about the signature
Variables & Payloads      Various ways to generate input for a request
Request Builder Overview  Define the various components of the request that will be sent
Example Signatures        Real signatures from the base repository

Info

Some information about the signature, used to index it in the DB.

# ID used to index the signature
id: common-01-01
# Type of signature: list or fuzz (default is "list")
type: list
# detection once (default is false): stop after the first detection if the request is already vulnerable
donce: false
# Some info about the signature
info:
  name: PHP Debug bar
  # the fields below are optional
  # default is "Info"
  risk: High
  # default is "Tentative"
  confidence: Certain
  tech: general
  os: general

Request Builder Overview

  • Conditions: If present, apply some logic to decide whether the request will be sent or not.

  • Detection: Apply logic based on the detection scripts to determine whether the request is vulnerable or not.

  • Conclusions: Do some task with the result after the request has been sent.

  • Request component: Define the various components of the request that will be sent to the target, and detect whether it is vulnerable or not by analyzing the response.

    • Generator: Only available in fuzz signatures. Provides some functions to generate requests based on the template request and the payloads.
    • Middleware: Do some extra task before sending a request to the target.



id: sensitive-01-01
type: list

# default params; can be overridden by the option `--params 'ssrf=example.com'`
params:
  - ssrf: example.com

# Original request to compare against
origin:
  method: GET
  redirect: true
  path: >-
    {{.BaseURL}}

variables:
  # we can put the list of values in a file and load it; one request is sent per value
  - sensitive: /tmp/sensitive_path.txt

requests:
  - method: GET
    redirect: true
    path: >-
      {{.BaseURL}}/{{.sensitive}}
    detections:
      # flag a 200 whose body contains the marker string
      - >-
        StatusCode() == 200 && StringSearch("response", "Secret")
      # flag a 200 that is not a soft 404 and whose size differs from the origin by more than 1000 bytes
      - >-
        StatusCode() == 200 && !StringSearch("response", "Not Found") && Math.abs(ContentLength() - OriginContentLength()) > 1000
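To make the two mechanisms in this signature concrete, here is an added simulator (example code written for this page, not Jaeles' own code) that expands the `{{.var}}` placeholders of a list signature into one request per variable value and then evaluates the detection expressions against responses. The helper names `StatusCode`, `StringSearch`, `ContentLength` and `OriginContentLength` mirror the ones used in the signature above; how `StringSearch` maps its first argument, the host `target.example`, the variable values and the response bodies are all constructed assumptions.

```javascript
// Expand Go-template style placeholders such as {{.BaseURL}} and {{.sensitive}}.
// Unknown names throw, so a typo in a signature is caught instead of silently
// producing an empty path segment.
function renderPath(template, values) {
  return template.replace(/\{\{\.(\w+)\}\}/g, (_match, name) => {
    if (!(name in values)) {
      throw new Error(`unknown template variable: ${name}`);
    }
    return values[name];
  });
}

// A list signature sends one request per value of each variable.
// `variables` maps a variable name to the list of values loaded from its file.
function expandRequests(pathTemplate, baseURL, variables) {
  const paths = [];
  for (const [name, list] of Object.entries(variables)) {
    for (const value of list) {
      paths.push(renderPath(pathTemplate, { BaseURL: baseURL, [name]: value }));
    }
  }
  return paths;
}

// Helper functions a detection expression may call, bound to one response and
// the origin response. Assumption: "resHeaders" searches the headers, any other
// target ("response", "resBody") searches the body.
function detectionHelpers(resp, origin) {
  return {
    StatusCode: () => resp.status,
    StringSearch: (target, needle) => {
      const haystack = target === "resHeaders" ? resp.headers : resp.body;
      return haystack.includes(needle);
    },
    ContentLength: () => resp.body.length,
    OriginContentLength: () => origin.body.length,
  };
}

// Evaluate every detection expression; the request is flagged if any is true.
// Detection expressions are executable code chosen by the signature author,
// which is exactly why a signature should be read before it is run.
function evaluateDetections(detections, resp, origin) {
  const helpers = detectionHelpers(resp, origin);
  const names = Object.keys(helpers);
  const impls = names.map((n) => helpers[n]);
  return detections.map((expr) => {
    const fn = new Function(...names, `return (${expr});`);
    return Boolean(fn(...impls));
  });
}

// Constructed sample data: an origin response and the two detections from the signature.
const ORIGIN = { status: 200, body: "Welcome to the home page.", headers: "Content-Type: text/html" };
const DETECTIONS = [
  'StatusCode() == 200 && StringSearch("response", "Secret")',
  'StatusCode() == 200 && !StringSearch("response", "Not Found") && Math.abs(ContentLength() - OriginContentLength()) > 1000',
];

// Run the signature against constructed responses; returns one record per expanded path.
function demo() {
  const paths = expandRequests("{{.BaseURL}}/{{.sensitive}}", "https://target.example", {
    sensitive: ["notes.txt", "index.html"],
  });
  const responses = {
    "https://target.example/notes.txt": { status: 200, body: "Secret: do not publish", headers: "" },
    "https://target.example/index.html": { status: 404, body: "Not Found", headers: "" },
  };
  return paths.map((p) => ({ path: p, hits: evaluateDetections(DETECTIONS, responses[p], ORIGIN) }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Two points worth noticing when reading signatures with this model in mind: the variable name in the path template must match the name declared under `variables`, otherwise nothing is expanded; and parenthesization in the length check matters, since `Math.abs(a - b) > 1000` flags responses that are much smaller or much larger than the origin, while `Math.abs(a - b > 1000)` only ever flags larger ones (the absolute value is taken of a boolean).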


[Optional] Reference

This is just reference info used to describe where the signature comes from.

reference:
  # author of the CVE, or the people who inspired you to create this signature
  # (values starting with "@" must be quoted to be valid YAML)
  - credit: "@example"
  - link: https://jira.atlassian.com/browse/JRASERVER-70018
  # author of this signature
  - author: "@example"
  - affected_version: 1.2 - 2