implement basic ssrf tests

dmdhrumilmistry · dmdhrumilmistry · commit 0f5100b14b54 · 2024-08-19T00:53:15.000+05:30
diff --git a/src/cmd/offat/flag.go b/src/cmd/offat/flag.go
@@ -24,6 +24,9 @@ type FlagConfig struct {
 	QueryParams         KeyValueMap
 	Proxy               *string
 
+	// SSRF Test
+	SsrfUrl *string
+
 	// Report
 	AvoidImmuneFilter *bool
 	OutputFilePath    *string
diff --git a/src/cmd/offat/main.go b/src/cmd/offat/main.go
@@ -33,6 +33,8 @@ func main() {
 	config.DisableSchemaDefaultsValidation = flag.Bool("ds", false, "disable schema defaults validation for OAS files")
 	config.DisableSchemaPatternValidation = flag.Bool("dp", false, "disable schema patterns validation for OAS files")
 
+	config.SsrfUrl = flag.String("ssrf", "", "injects user defined SSRF url payload in http request components")
+
 	config.RequestsPerSecond = flag.Int("r", 60, "number of requests per second")
 	config.SkipTlsVerification = flag.Bool("ns", false, "disable TLS/SSL Verfication")
 	config.Proxy = flag.String("p", "", "specify proxy for capturing requests, supports http and socks urls. example: http://localhost:8080")
@@ -111,7 +113,11 @@ func main() {
 
 		// Tests
 		RunUnrestrictedHttpMethodTest: true,
-		RunSimpleSQLiTest:             true,
+		RunBasicSQLiTest:              true,
+		RunBasicSSRFTest:              true,
+
+		// SSRF Test
+		SsrfUrl: *config.SsrfUrl,
 	}
 
 	// generate and run api tests
diff --git a/src/pkg/tgen/basicSqliTest.go b/src/pkg/tgen/basicSqliTest.go
@@ -5,10 +5,11 @@ import (
 )
 
 // generates very basic sqli API tests
-func SimpleSQLiTest(baseUrl string, docParams []*parser.DocHttpParams, queryParams map[string]string, headers map[string]string, injectionConfig InjectionConfig) []*ApiTest {
+func BasicSqliTest(baseUrl string, docParams []*parser.DocHttpParams, queryParams map[string]string, headers map[string]string, injectionConfig InjectionConfig) []*ApiTest {
 	testName := "Basic SQLI Test"
 	vulnResponseCodes := []int{500}
 	immuneResponseCodes := []int{}
+	// TODO: implement injection in both keys and values
 	payloads := []string{
 		"' OR 1=1 ;--",
 		"' UNION SELECT 1,2,3 -- -",
diff --git a/src/pkg/tgen/basicSsrf.go b/src/pkg/tgen/basicSsrf.go
@@ -0,0 +1,17 @@
+package tgen
+
+import "github.com/OWASP/OFFAT/src/pkg/parser"
+
+// generates very basic SSRF API tests by injecting provided URL
+func BasicSsrfTest(ssrfUrl, baseUrl string, docParams []*parser.DocHttpParams, queryParams map[string]string, headers map[string]string, injectionConfig InjectionConfig) []*ApiTest {
+	testName := "Basic SSRF Test"
+	vulnResponseCodes := []int{500}
+	immuneResponseCodes := []int{}
+	payloads := []string{ssrfUrl}
+
+	injectionConfig.Payloads = payloads
+
+	tests := injectParamIntoApiTest(baseUrl, docParams, queryParams, headers, testName, vulnResponseCodes, immuneResponseCodes, injectionConfig)
+
+	return tests
+}
diff --git a/src/pkg/tgen/payloadInjection.go b/src/pkg/tgen/payloadInjection.go
@@ -30,12 +30,13 @@ func injectParamInParam(params *[]parser.Param, payload string) {
 	}
 }
 
-// generates Api tests based on provided payloads
+// generates Api tests by injecting payloads in values
 func injectParamIntoApiTest(url string, docParams []*parser.DocHttpParams, queryParams map[string]string, headers map[string]string, testName string, vulnResponseCodes, immuneResponseCodes []int, injectionConfig InjectionConfig) []*ApiTest {
 	var tests []*ApiTest
 	// TODO: only inject payloads if any payload is accepted by the endpoint, else ignore injection
 	// as this will reduce number of tests generated and increase efficiency
 	for _, payload := range injectionConfig.Payloads {
+		// TODO: implement injection in both key or value at a time
 		for _, docParam := range docParams {
 			// inject payloads into string before converting it to map[string]string
 			if injectionConfig.InBody {
diff --git a/src/pkg/tgen/tgen.go b/src/pkg/tgen/tgen.go
@@ -3,17 +3,23 @@ package tgen
 import (
 	_ "github.com/OWASP/OFFAT/src/pkg/logging"
 	"github.com/OWASP/OFFAT/src/pkg/parser"
+	"github.com/OWASP/OFFAT/src/pkg/utils"
 	"github.com/rs/zerolog/log"
 )
 
 type TGenHandler struct {
-	RunUnrestrictedHttpMethodTest bool
-	RunSimpleSQLiTest             bool
-
 	Doc                []*parser.DocHttpParams
 	DefaultQueryParams map[string]string
 	DefaultHeaders     map[string]string
 	BaseUrl            string
+
+	// Register all tests using bool values below
+	RunUnrestrictedHttpMethodTest bool
+	RunBasicSQLiTest              bool
+	RunBasicSSRFTest              bool
+
+	// SSRF Test related data
+	SsrfUrl string
 }
 
 func (t *TGenHandler) GenerateTests() []*ApiTest {
@@ -25,18 +31,33 @@ func (t *TGenHandler) GenerateTests() []*ApiTest {
 		log.Info().Msgf("%d tests generated for Unrestricted HTTP Methods/Verbs", len(newTests))
 	}
 
-	if t.RunSimpleSQLiTest {
+	// Basic SQLI Test
+	if t.RunBasicSQLiTest {
+		injectionConfig := InjectionConfig{
+			InBody:   true,
+			InCookie: true,
+			InHeader: true,
+			InPath:   true,
+			InQuery:  true,
+		}
+		newTests := BasicSqliTest(t.BaseUrl, t.Doc, t.DefaultQueryParams, t.DefaultHeaders, injectionConfig)
+		tests = append(tests, newTests...)
+
+		log.Info().Msgf("%d tests generated for Basic SQLI", len(newTests))
+	}
+
+	if t.RunBasicSSRFTest && utils.ValidateURL(t.SsrfUrl) {
 		injectionConfig := InjectionConfig{
 			InBody:   true,
 			InCookie: true,
-			InHeader: false,
+			InHeader: true,
 			InPath:   true,
 			InQuery:  true,
 		}
-		newTests := SimpleSQLiTest(t.BaseUrl, t.Doc, t.DefaultQueryParams, t.DefaultHeaders, injectionConfig)
+		newTests := BasicSsrfTest(t.SsrfUrl, t.BaseUrl, t.Doc, t.DefaultQueryParams, t.DefaultHeaders, injectionConfig)
 		tests = append(tests, newTests...)
 
-		log.Info().Msgf("%d tests generated for Simple SQLI", len(newTests))
+		log.Info().Msgf("%d tests generated for Basic SSRF", len(newTests))
 	}
 
 	return tests
diff --git a/src/pkg/utils/validation.go b/src/pkg/utils/validation.go
@@ -4,7 +4,8 @@ import (
 	"net/url"
 )
 
-// ValidateURL checks if the provided URL is valid
+// ValidateURL checks if the provided URL is valid.
+// Note it doesn't make request to the server.
 func ValidateURL(u string) bool {
 	parsedURL, err := url.Parse(u)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -30,12 +30,13 @@ func injectParamInParam(params *[]parser.Param, payload string) {`
`30`	`30`	`}`
`31`	`31`	`}`
`32`	`32`
`33`		`-// generates Api tests based on provided payloads`
	`33`	`+// generates Api tests by injecting payloads in values`
`34`	`34`	`func injectParamIntoApiTest(url string, docParams []parser.DocHttpParams, queryParams map[string]string, headers map[string]string, testName string, vulnResponseCodes, immuneResponseCodes []int, injectionConfig InjectionConfig) []ApiTest {`
`35`	`35`	`var tests []*ApiTest`
`36`	`36`	`// TODO: only inject payloads if any payload is accepted by the endpoint, else ignore injection`
`37`	`37`	`// as this will reduce number of tests generated and increase efficiency`
`38`	`38`	`for _, payload := range injectionConfig.Payloads {`
	`39`	`+ // TODO: implement injection in both key or value at a time`
`39`	`40`	`for _, docParam := range docParams {`
`40`	`41`	`// inject payloads into string before converting it to map[string]string`
`41`	`42`	`if injectionConfig.InBody {`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,8 @@ import (`
`4`	`4`	`"net/url"`
`5`	`5`	`)`
`6`	`6`
`7`		`-// ValidateURL checks if the provided URL is valid`
	`7`	`+// ValidateURL checks if the provided URL is valid.`
	`8`	`+// Note it doesn't make request to the server.`
`8`	`9`	`func ValidateURL(u string) bool {`
`9`	`10`	`parsedURL, err := url.Parse(u)`
`10`	`11`	`if err != nil {`