
False Positive with cloud metadata due to receiving a successful response HTTP/1.1 200 OK #8514

Open
1 task
nuhasha opened this issue Jun 7, 2024 · 5 comments · May be fixed by zaproxy/zap-extensions#5729

Comments

@nuhasha

nuhasha commented Jun 7, 2024

Is your feature request related to a problem? Please describe.

Cloud metadata potentially exploited:
https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRule.java

If a successful response (HTTP/1.1 200) is received, the check raises a "Cloud Metadata Potentially Exploited" alert. This causes many false positive alerts, as upon investigating the received response it does not really include any cloud metadata.

Describe the solution you'd like

Instead of just validating the HTTP return code, we may check whether or not it is getting answers from the metadata services; for example, check what header information the metadata service may return and then compare that with the actual data received.

Another option:
If HTML is present in the response, it is most likely not metadata; metadata is usually just plain text or JSON.

Describe alternatives you've considered

none.

Screenshots

No response

Additional context

Example of response received from a host where cloud metadata potentially exploited was false positive:

<html>
<head>
<meta charset="UTF-8">
<title>Site Unavailable</title>
<link rel="stylesheet" type="text/css" href="https://s3.amazonaws.com/redacted/style.css" />
<!--[if lt IE 9]>
 <script src="https://s3.amazonaws.com/redacted/html5shiv.js"></script>
<![endif]-->
</head>
<body>

<div id="hero">
<img src="https://s3.amazonaws.com/redacted/tool_icon.png" />
<h1>Site Unavailable</h1>
</div>
<section>
<script src="https://s3.amazonaws.com/redacted/language.js" ></script>
</section>
</body>
</html>

Would you like to help fix this issue?

  • Yes
@psiinon
Member

psiinon commented Jun 10, 2024

Sounds good. Does anyone have any examples of valid cloud metadata responses, or links to ways to get them?
Those sorts of things would make it much easier for us to fix this...

@nuhasha
Author

nuhasha commented Jun 10, 2024

To get the cloud metadata response for https://example.com, we use:
curl https://example.com/latest/meta-data/ -H "Host: 169.254.169.254" -k

Resource: https://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/

@nuhasha
Author

nuhasha commented Jun 10, 2024

How does the detection work?
scan(): this method performs the actual scan. It iterates over a list of metadata hosts, sends requests to each host, and checks if the request is successful and if the response contains any data.

METADATA_HOSTS List from the detection:

1. 169.254.169.254
2. aws.zaproxy.org
3. 100.100.100.200
4. alibaba.zaproxy.org

In the example given in the previous comment we used the metadata host 169.254.169.254 (Host: 169.254.169.254) to get the cloud metadata response from https://example.com by running the curl command: curl https://example.com/latest/meta-data/ -H "Host: 169.254.169.254" -k

@kingthorin
Member

He was asking if anyone had actual legit metadata responses from cloud providers so we could model things even more specifically.

@nuhasha
Author

nuhasha commented Jun 10, 2024

Thank you @kingthorin for the clarification, here are some examples of actual metadata responses from AWS, Azure, and GCP:

AWS:

ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
events/
hostname
iam/
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/

References: Retrieve instance metadata

Google Cloud Platform (GCP)

curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/
attributes/
cpu-platform
description
disks/
guest-attributes/
hostname
id
image
legacy-endpoint-access/
licenses/
machine-type
maintenance-event
name
network-interfaces/
preempted
remaining-cpu-time
scheduling/
service-accounts/
tags
virtual-clock/
zone

References:
Predefined instance metadata keys
Gathering cloud instance metadata

Azure

attested
identity
instance
loadbalancer
scheduledevents
versions

References: Azure Endpoint categories
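The content-based check proposed in the issue (reject HTML, corroborate a 200 with provider-specific headers or body markers), written out as an added example. This is illustrative code, not the ZAP scan rule or any project code: it assumes the response is handed over as a status code, a plain header dict and a body string, the key sets are lifted from the directory listings quoted above, the `Metadata-Flavor: Google` and `Server: EC2ws` response headers are the ones the GCP and EC2 metadata servers send, and the `MIN_KEY_HITS` threshold and all sample responses are constructed for the demonstration.

```python
"""Content-based classification of a cloud-metadata probe response.

Added example, not ZAP code. A 200 alone never triggers; the body or a
provider-specific header has to corroborate it.
"""
import json
import re

# Key names taken from the listings quoted in the issue (AWS IMDS root,
# GCP computeMetadata/v1/instance/, Azure endpoint categories).
AWS_KEYS = {"ami-id", "ami-launch-index", "instance-id", "instance-type",
            "iam/", "public-keys/", "security-groups", "local-ipv4",
            "reservation-id", "placement/"}
GCP_KEYS = {"machine-type", "service-accounts/", "network-interfaces/",
            "cpu-platform", "zone", "guest-attributes/", "preempted"}
AZURE_KEYS = {"attested", "identity", "instance", "loadbalancer",
              "scheduledevents", "versions"}
MIN_KEY_HITS = 3  # assumption: how many listing keys must match per provider

# Any of these tags in the body means an HTML page, not a metadata listing.
HTML_TAG_RE = re.compile(r"<\s*/?\s*(!doctype|html|head|body|div|script|title)\b",
                         re.IGNORECASE)


def _header(headers, name):
    """Case-insensitive lookup in a plain {name: value} header dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def classify(status, headers, body):
    """Return (is_metadata, reason) for one probe response."""
    if status != 200:
        return False, "non-200 status"
    content_type = _header(headers, "Content-Type").lower()
    if "text/html" in content_type or HTML_TAG_RE.search(body):
        return False, "HTML body (error page or site content, not metadata)"

    # Provider-specific response headers (assumed values, see lead-in).
    if _header(headers, "Metadata-Flavor").lower() == "google":
        return True, "GCP: Metadata-Flavor header"
    if _header(headers, "Server") == "EC2ws":
        return True, "AWS: EC2ws server header"

    # JSON endpoints carry well-known top-level keys.
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        keys = set(doc)
        if {"instanceId", "accountId", "region"} <= keys:
            return True, "AWS: instance-identity document"
        if {"AccessKeyId", "SecretAccessKey", "Token"} <= keys:
            return True, "AWS: IAM role credentials"
        if {"compute", "network"} <= keys:
            return True, "Azure: instance metadata JSON"
        return False, "JSON without known metadata keys"

    # Plain-text directory listings: one key per line, compare as a set.
    lines = {ln.strip() for ln in body.splitlines() if ln.strip()}
    for name, keys in (("AWS", AWS_KEYS), ("GCP", GCP_KEYS), ("Azure", AZURE_KEYS)):
        hits = len(lines & keys)
        if hits >= MIN_KEY_HITS:
            return True, f"{name}: {hits} known listing keys"
    return False, "200 but no metadata markers"


# Constructed sample responses (not captured from real hosts).
FALSE_POSITIVE_HTML = (200, {"Content-Type": "text/html"},
    "<html><head><title>Site Unavailable</title></head>"
    "<body><h1>Site Unavailable</h1></body></html>")
AWS_LISTING = (200, {"Content-Type": "text/plain"},
    "ami-id\nami-launch-index\nhostname\niam/\ninstance-id\ninstance-type\n"
    "local-ipv4\npublic-keys/\nreservation-id\nsecurity-groups\n")
GCP_LISTING = (200, {"Metadata-Flavor": "Google"},
    "attributes/\ncpu-platform\nhostname\nmachine-type\nzone\n")
AZURE_CATEGORIES = (200, {"Content-Type": "text/plain"},
    "attested\nidentity\ninstance\nloadbalancer\nscheduledevents\nversions\n")
GENERIC_OK = (200, {"Content-Type": "text/plain"}, "OK\n")

if __name__ == "__main__":
    for label, sample in (("html error page", FALSE_POSITIVE_HTML),
                          ("aws listing", AWS_LISTING), ("gcp listing", GCP_LISTING),
                          ("azure categories", AZURE_CATEGORIES), ("generic 200", GENERIC_OK)):
        print(f"{label:18} -> {classify(*sample)}")
```

The header checks run before the body checks because they are the cheapest and least ambiguous signal; the listing-key threshold is deliberately a count rather than a single match so that an ordinary page containing the word "instance" or "identity" does not trip the Azure set.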

@thc202 thc202 changed the title False Positive results due to receiving a successful response HTTP/1.1 200 OK False Positive with cloud metadata due to receiving a successful response HTTP/1.1 200 OK Sep 19, 2024