Merge pull request #153 from manuelbua/detect-linkerd-service

ehsandeep · web-flow · commit 7372b169f8ee · 2020-06-23T03:36:00.000+05:30
Initial Linkerd service detection rules
diff --git a/technologies/linkerd-badrule-detect.yaml b/technologies/linkerd-badrule-detect.yaml
@@ -0,0 +1,45 @@
+id: linkerd-badrule-detect
+
+# Detect the Linkerd service by overriding the delegation table with an invalid
+# rule, the presence of the service is indicated by either:
+#   - a "Via: .. linkerd .."
+#   - a "l5d-err" and/or a "l5d-success" header
+#   - a literal error in the body
+
+info:
+  name: Linkerd detection via bad rule
+  author: dudez
+  severity: low
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/"
+    headers:
+      l5d-dtab: /svc/*
+
+    matchers-condition: or
+    matchers:
+      - type: regex
+        name: via-linkerd-present
+        regex:
+          - '(?mi)^Via\s*?:.*?linkerd.*$'
+        part: header
+
+      - type: regex
+        name: l5d-err-present
+        regex:
+          - '(?mi)^l5d-err:.*$'
+        part: header
+
+      - type: regex
+        name: l5d-success-class-present
+        regex:
+          - '(?mi)^l5d-success-class: 0.*$'
+        part: header
+
+      - type: word
+        name: body-error-present
+        words:
+          - 'expected but end of input found at'
+        part: body
diff --git a/technologies/linkerd-ssrf-detect.yaml b/technologies/linkerd-ssrf-detect.yaml
@@ -0,0 +1,66 @@
+id: linkerd-ssrf-detect
+
+# Detect the Linkerd service by overriding the delegation table and
+# inspect the response for:
+#   - a "Via: .. linkerd .."
+#   - a "l5d-err" and/or a "l5d-success" header
+#   - a verbose timeout error (binding timeout)
+#   - a full response
+# The full-response case indicates a possible SSRF condition, the others
+# only indicates the service presence.
+#
+# If a full-response is returned you should really manually probe requests with
+# the following header values:
+#
+#   - "l5d-dtab: /svc/* => /$/inet/yourserver.com/80", to get to other external hosts
+#   - "l5d-dtab: /svc/* => /$/inet/169.254.169.254/80", to get to cloud metadata
+
+info:
+  name: Linkerd SSRF detection
+  author: dudez
+  severity: medium
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/"
+    headers:
+      l5d-dtab: /svc/* => /$/inet/example.com/443
+
+    matchers-condition: or
+    matchers:
+      - type: regex
+        name: via-linkerd-present
+        regex:
+          - '(?mi)^Via\s*?:.*?linkerd.*$'
+        part: header
+
+      - type: regex
+        name: l5d-err-present
+        regex:
+          - '(?mi)^l5d-err:.*$'
+        part: header
+
+      - type: regex
+        name: l5d-success-class-present
+        regex:
+          - '(?mi)^l5d-success-class: 0.*$'
+        part: header
+
+      - type: word
+        name: ssrf-response-body
+        words:
+          - '<p>This domain is for use in illustrative examples in documents.'
+        part: body
+
+      - type: regex
+        name: resolve-timeout-error-present
+        regex:
+          - '(?mi)Exceeded .*? binding timeout while resolving name'
+        part: body
+
+      - type: regex
+        name: dynbind-error-present
+        regex:
+          - '(?mi)exceeded .*? to unspecified while dyn binding'
+        part: body
