badglam.blogg.se

Burp suite pro license key file









In this post, we'll explore a little-known feature in curl that led to a local-file disclosure vulnerability in both Burp Suite Pro and Google Chrome. We patched Burp Suite a while back, but suspect the technique might be useful to exploit other applications that have a 'copy as curl' feature, or invoke curl from the command line.

This vulnerability was privately reported to our bug bounty program by Paul Mutton, and he's kindly agreed to let us publish this writeup.

Burp Suite users often craft complex HTTP requests to demonstrate vulnerabilities in websites. To make sharing these proof-of-concept exploits with other people easier, we have a Copy as curl command feature which generates a curl command that replicates a request inside Burp Suite.

For example, given the following request:

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded

If you click Copy as curl command, Burp Suite will generate the following command and copy it to the clipboard:

curl -i -s -k
-H $'Content-Type: application/x-www-form-urlencoded' \

You can then paste this command into the terminal to re-issue the request outside Burp Suite.

We're careful about escaping this data to avoid users being exploited by malicious requests injecting extra shell commands, or arbitrary curl arguments.

Unfortunately, there's a subtler problem. Can you see it?

As usual, the answer lies in the friendly manual:

--data-binary
This posts data exactly as specified with no extra processing whatsoever. If you start the data with the letter @, the rest should be a filename.

So, this is safe:

curl --data-binary '/home/albinowax/.ssh/id_rsa' --trace-ascii -

And this is not so safe:

curl --data-binary --trace-ascii

> -BEGIN RSA PRIVATE KEY-.b3BlbnNzaC1rZXktdjEA.

We patched this vulnerability in release 2020.5.1 by switching to the newer and safer but less-supported --data-raw flag if the request body starts with an @ symbol.

We were lucky in that exploiting this in Burp Suite required relatively heavy user-interaction - the attacker would have to induce a user to visit a malicious website, copy the crafted request as a curl command, and then execute it via the command line. If a website uses curl with an attacker-controlled request body, this could have a significantly higher impact, so it's definitely worth keeping an eye out for during SSRF testing.
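The fix described in this post, sketched as an added example (not Burp Suite's own code): a generator that switches to --data-raw when the body starts with @, plus a check that flags data arguments curl would load from disk in an existing command. The function names, the example.com URL and the use of shlex quoting instead of Burp's $'...' quoting are assumptions made for illustration.

```python
import shlex

# curl options whose value is read from a file when it starts with "@".
FILE_READING_OPTS = {"-d", "--data", "--data-ascii", "--data-binary"}


def build_curl_argv(method, url, headers, body):
    """Build a curl argv that replays a request; body is untrusted text."""
    argv = ["curl", "-i", "-s", "-k", "-X", method]
    for name, value in headers:
        argv += ["-H", f"{name}: {value}"]
    if body:
        # --data-raw sends the text as given and never treats a leading "@"
        # as a file reference; --data-binary does.
        flag = "--data-raw" if body.startswith("@") else "--data-binary"
        argv += [flag, body]
    argv.append(url)
    return argv


def as_shell_command(argv):
    """Quote each argument so the pasted command cannot gain extra words."""
    return " ".join(shlex.quote(arg) for arg in argv)


def file_reading_bodies(argv):
    """Return the data values in a curl argv that curl would read from disk."""
    hits = []
    for i, arg in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if arg in FILE_READING_OPTS and nxt.startswith("@"):
            hits.append(nxt)
        elif arg.startswith("-d@"):  # attached short form: -d@file
            hits.append(arg[2:])
    return hits


if __name__ == "__main__":
    # Constructed sample: a request body that names a local file.
    hostile_body = "@/home/albinowax/.ssh/id_rsa"
    hdrs = [("Content-Type", "application/x-www-form-urlencoded")]
    fixed = build_curl_argv("POST", "https://example.com/", hdrs, hostile_body)
    print(as_shell_command(fixed))
    legacy = ["curl", "--data-binary", hostile_body, "https://example.com/"]
    print("would read from disk:", file_reading_bodies(legacy))
```

Shell quoting alone does not help here, because the @ is interpreted by curl after the shell has already passed the argument through intact.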









