
Enable Active Check 74.1

Arpit Gogia requested to merge release-74.1-check into main

What does this MR do?

Enables Active Check 74.1 - XSLT Injection

What are the relevant issue numbers?

gitlab-org/gitlab#428023 (closed)

Verification

Unable to verify against DVSW - comment on the issue

OWASP WebGoat and DVWA are not vulnerable

Browserker Fixture

Source: https://gitlab.com/gitlab-org/security-products/analyzers/browserker/-/blob/main/test/end-to-end/fixtures/check-74-1/server.rb

Configuration

```shell
docker run --rm -v $PWD/output:/output \
  --env DAST_BROWSER_SCAN=true \
  --env DAST_FULL_SCAN_ENABLED=true \
  --env DAST_ONLY_INCLUDE_RULES="74.1" \
  --env DAST_BROWSER_NUMBER_OF_BROWSERS=1 \
  --env DAST_BROWSER_MAX_ACTIONS=100 \
  --env DAST_DEBUG=1 \
  --env DAST_ZAP_LOG_CONFIGURATION="rootLogger.level=debug" dast:$(git branch --no-color --show-current) /analyze -t 'http://host.docker.internal:8098/'
```
Logs

```text
# attack registered
2023-10-31T10:15:32.597 INF VLDFN registered vulnerability check type="active" vulnerability_check="74.1 XSLT Injection" details="74.1.1;74.1.2;74.1.3"

# attack successful
2023-10-31T10:06:59.117 INF ACTIV matched, attack successful attack="74.1.1" attack_request="OXheEHfVEe6dagJCrBEABQ" injection="<!DOCTYPE gl [<!ENTITY x SYSTEM "file:///etc/passwd">]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:template match="/"><gl>&x;</gl></xsl:template>
</xsl:stylesheet>" location="application/x-www-form-urlencoded form field xslt" type="match-response" url="http://host.docker.internal:8098/read-input"
```
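As an added, defender-side example (not the browserker fixture linked above and not GitLab code): a Ruby validator a server could run on a user-supplied `xslt` form field before handing it to an XSLT processor. It rejects the kind of stylesheet the log line shows (a DOCTYPE declaring an external entity) as well as stylesheets that load outside documents; the function name, constants and sample stylesheets are assumptions constructed for this example.

```ruby
# Added example, not the browserker fixture: a guard for a user-supplied XSLT
# form field such as the `xslt` field check 74.1 injects into. It rejects any
# stylesheet that declares a DOCTYPE (where SYSTEM "file:///etc/passwd"-style
# entities live) and any that pulls in other documents via include/import/document().
require "rexml/document"

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Constructed input mirroring the 74.1.1 payload shown in the scanner log.
XXE_STYLESHEET = <<~XML
  <!DOCTYPE gl [<!ENTITY x SYSTEM "file:///etc/passwd">]>
  <xsl:stylesheet version="1.0" xmlns:xsl="#{XSL_NS}">
    <xsl:template match="/"><gl>&x;</gl></xsl:template>
  </xsl:stylesheet>
XML

# Constructed benign stylesheet that only transforms the supplied document.
SAFE_STYLESHEET = <<~XML
  <xsl:stylesheet version="1.0" xmlns:xsl="#{XSL_NS}">
    <xsl:template match="/"><out><xsl:value-of select="//name"/></out></xsl:template>
  </xsl:stylesheet>
XML

# Returns [accepted, reason]; accepted is true only for a well-formed
# xsl:stylesheet with no DTD and no external-resource loading constructs.
def validate_xslt(input)
  doc = REXML::Document.new(input)
  return [false, "doctype declared"] if doc.doctype
  root = doc.root
  return [false, "no root element"] if root.nil?
  unless root.namespace == XSL_NS && %w[stylesheet transform].include?(root.name)
    return [false, "root is not xsl:stylesheet"]
  end
  REXML::XPath.each(doc, "//*") do |el|
    if el.namespace == XSL_NS && %w[include import].include?(el.name)
      return [false, "xsl:#{el.name} not allowed"]
    end
    el.attributes.each_attribute do |attr|
      return [false, "document() not allowed"] if attr.value.include?("document(")
    end
  end
  [true, "ok"]
rescue REXML::ParseException => e
  [false, "not well-formed: #{e.message.lines.first.to_s.strip}"]
end

if $PROGRAM_NAME == __FILE__
  puts validate_xslt(XXE_STYLESHEET).inspect   # [false, "doctype declared"]
  puts validate_xslt(SAFE_STYLESHEET).inspect  # [true, "ok"]
end
```

This input check is defence in depth only; the processor itself still needs external entity and document loading disabled.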
Edited by Arpit Gogia
