-
-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTP Plugin Path Normalization #36
Comments
good catch! will fix asap |
Thank you for replying quickly. :) |
Hi @riramar, I just verified this behaviour and it seems like the path is only normalized if provided in the -T/--target, and in your case it shouldn't. For instance, I've tried with a small dictionary like so:
And added a log of url here. If the relative path component comes from the payload/wordlist (as it should), it doesn't go trough the Url crate normalization: So, instead of providing -T www.something.com/foo/../bar, just pass it via the wordlist and it'll work. You can check the dictionary of the LFI recipe for more payload examples. |
Thanks for the clarification! |
Hey @evilsocket Sorry to bore you again, but I think the problem is that I'm using a list of targets. So I created two files (payloads.txt and test.txt).
I tried the legba command below.
Not sure why I'm getting timed out, but when checking the request on my Burp Collaborator instance I see "/api/v1/system/platform?operation=testConnectivity" instead of "/api/v1/totp/user-backup-code/../../system/platform?operation=testConnectivity". I hope this can help you to reproduce from your side. Thanks! |
thanks for more details, I'll check it |
This one is very tricky ... as you said, it depends on the url crate path normalization. It happens here when the string is parsed into an Url object by the reqwest crate. And, despite my attempts, I could not avoid this behaviour in any way, even trying to trick the parser. I've opened an issue on the crate repo, let's see if they can change it. |
Thanks! Let's see if they implement the flag. |
@riramar i've managed to override the Url dependency with one I've customized with our required option. This works as a temporary solution until those folks will close the issue on their side. It seems like it's working correctly now :D |
Thank you! I appreciate your assistance. :) |
Hi @evilsocket
First, thanks for the amazing tool! :)
I'm trying to use http.enum with a payload that contains "foo/bar/../" and playing against my own server, I noticed the path was normalized to "foo/". This is unintended if a user wants to check against some path traversal.
I tried to apply a patch right here: https://github.com/evilsocket/legba/blob/main/src/plugins/http/mod.rs#L118, but it didn't work. Sorry, I'm totally a noob in Rust.
It seems the Crate url (https://docs.rs/url/latest/url/) does not completely disable path normalization with unwrap(), as you can see here: https://stackoverflow.com/questions/62335488/how-to-obtain-raw-url-path-in-rust. If that's true, a refactor would be required to implement a flag to totally disable path normalization.
Not sure if you have any intention to add such a flag to legba.
Thanks!
Ricardo Iramar
The text was updated successfully, but these errors were encountered: