Active attacks can inject into the request path

Purpose

Active checks should inject attacks into the request path. An injection location should be created for every directory in the URL, and query parameters should be removed from the resulting attack request.

Example

When finding locations on the URL https://www.site.com/page/1/view?sort_by=username, the following injections should be found:

  • https://www.site.com/<location>/1/view
  • https://www.site.com/page/<location>/view

Thus, when injecting the text ../../etc/passwd, the following attack requests would be made. Note that the query string has been removed.

  • https://www.site.com/../../etc/passwd/1/view
  • https://www.site.com/page/../../etc/passwd/view

A note on directory vs file

The last path segment of the request is treated as a file, not a directory, and should not be an injection location. For example, https://www.site.com/page/1 should not find an injection location for 1.

Implementation plan

  • Build an implementation of browserk.InjectionLocation, called RequestPathInjectionLocation.
  • The new type should define a Find... method that returns a browserk.InjectionLocationDetector. This method should find all possible injection locations.
    • Add the Find method to the InitializeInjectionLocationDetectionService in DI
    • Find should use a NewLazyInjectionLocationDetector and parse the URL for directories
  • The Modify method should overwrite the attack request URL with a URL where the directory has been replaced by the injection value. Query parameters should be removed.
  • This must be very well unit tested, including both happy and sad paths, as it will be run against every request crawled by Browserker.
  • Please add an integration test (example: TestCheck22_1WithQueryParameterInjection)
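
The path handling described above, as an added example that is not Browserker's code and does not implement the browserk interfaces. The names splitPath, InjectDirectory and AttackURLs are hypothetical, and it assumes empty segments ("//") are not locations and that the injected value is already encoded as it should appear in the request.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// splitPath splits the escaped path on "/" so an encoded slash (%2F) stays in its segment.
func splitPath(rawURL string) (*url.URL, []string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, nil, err
	}
	return u, strings.Split(u.EscapedPath(), "/"), nil
}

// InjectDirectory (hypothetical name) replaces the directory segment at index with
// value and drops the query string. The last segment (the file) is rejected.
func InjectDirectory(rawURL string, index int, value string) (string, error) {
	u, segs, err := splitPath(rawURL)
	if err != nil {
		return "", err
	}
	if index < 1 || index >= len(segs)-1 || segs[index] == "" {
		return "", fmt.Errorf("segment %d of %q is not a directory", index, u.Path)
	}
	segs[index] = value // used as given; the caller is assumed to have encoded it
	return u.Scheme + "://" + u.Host + strings.Join(segs, "/"), nil
}

// AttackURLs returns one attack URL per directory segment of rawURL.
func AttackURLs(rawURL, value string) ([]string, error) {
	_, segs, err := splitPath(rawURL)
	if err != nil {
		return nil, err
	}
	var out []string
	for i := 1; i < len(segs)-1; i++ { // segs[0] is the empty text before the leading "/"
		if attack, err := InjectDirectory(rawURL, i, value); err == nil {
			out = append(out, attack)
		}
	}
	return out, nil
}

func main() {
	fmt.Println(AttackURLs("https://www.site.com/page/1/view?sort_by=username", "../../etc/passwd"))
}
```

The sad paths worth covering in unit tests are the ones this code branches on: an unparseable URL, a URL with no directory segments, and an index that points at the file segment.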

Reference

An equivalent MR that adds a similar injection location is "Add query parameter injection location to active attacks".

Edited by Cameron Swords