Class: Aikido::Zen::Scanners::SSRFScanner

Inherits:

Object

Object
Aikido::Zen::Scanners::SSRFScanner

show all

Defined in:: lib/aikido/zen/scanners/ssrf_scanner.rb

Defined Under Namespace

Modules: Headers Classes: RedirectChains, Request, Response

Class Method Summary collapse

.call(request:, sink:, context:, operation:) ⇒ Aikido::Zen::Attacks::SSRFAttack^?

Checks if an outbound HTTP request is to a hostname supplied from user input that resolves to a “dangerous” address.
.track_redirects(request:, response:, context: Aikido::Zen.current_context) ⇒ void

Track the origin of a redirection so we know if an attacker is using redirect chains to mask their use of a (seemingly) safe domain.

Instance Method Summary collapse

#attack? ⇒ Boolean private
#initialize(request_uri, input, redirects) ⇒ SSRFScanner constructor private

A new instance of SSRFScanner.

Constructor Details

#initialize(request_uri, input, redirects) ⇒ `SSRFScanner`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of SSRFScanner.

# File 'lib/aikido/zen/scanners/ssrf_scanner.rb', line 77

def initialize(request_uri, input, redirects)
  @request_uri = request_uri
  @input = input
  @redirects = redirects
end

Class Method Details

.call(request:, sink:, context:, operation:) ⇒ `Aikido::Zen::Attacks::SSRFAttack`^?

Checks if an outbound HTTP request is to a hostname supplied from user input that resolves to a “dangerous” address. This is called from two different places:

HTTP library sinks, before we make a request. In these cases we can detect very obvious attempts such as a request that attempts to access localhost or an internal IP.
DNS lookup sinks, after we resolve a hostname. For HTTP requests that are not obviously an attack, we let the DNS resolution happen, and then check again, now knowing if the domain name provided actually resolves to an internal IP or not.

NOTE: Because not all DNS resolutions might be happening in the context of a protected HTTP request, the request argument below might be nil and we can then skip this scan.

Parameters:

request (Aikido::Zen::Scanners::SSRFScanner::Request, nil) —

the ongoing outbound HTTP request.
context (Aikido::Zen::Context)
sink (Aikido::Zen::Sink) —

the Sink that is running the scan.
operation (Symbol, String) —

name of the method being scanned. Expects sink.operation being set to get the full module/name combo.

Returns:

(Aikido::Zen::Attacks::SSRFAttack, nil) —

an Attack if any user input is detected to be attempting SSRF, or nil if not.

# File 'lib/aikido/zen/scanners/ssrf_scanner.rb', line 34

def self.call(request:, sink:, context:, operation:, **)
  return if context.nil?
  return if request.nil? # See NOTE above.

  context["ssrf.redirects"] ||= RedirectChains.new

  context.payloads.each do |payload|
    scanner = new(request.uri, payload.value, context["ssrf.redirects"])
    next unless scanner.attack?

    attack = Attacks::SSRFAttack.new(
      sink: sink,
      request: request,
      input: payload,
      context: context,
      operation: "#{sink.operation}.#{operation}"
    )

    return attack
  end

  nil
end

.track_redirects(request:, response:, context: Aikido::Zen.current_context) ⇒ `void`

This method returns an undefined value.

Track the origin of a redirection so we know if an attacker is using redirect chains to mask their use of a (seemingly) safe domain.