Template IDs or paths
http/cves/2021/CVE-2021-28164.yaml
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}/WEB-INF/web.xml"
matchers:
- type: dsl
internal: true
dsl:
- "!contains_all(body, '</web-app>', 'java.sun.com')"
- "!contains_all(header, 'application/xml')"
- "status_code != 200"
- "status_code != 404"
condition: and
- method: GET
path:
- "{{BaseURL}}/%2e/WEB-INF/web.xml"
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains_all(body, '</web-app>', 'java.sun.com')"
- "contains_all(header, 'application/xml')"
- "status_code == 200"
condition: and
Environment
Steps To Reproduce
pull/8597 should be revoked
pull:#8597
commit:9b9f79d
The condition "status_code != 404" in http(1) Should be removed.
Reasoning:
Detection Logic: This template uses a two-step process:
First request: checks if /WEB-INF/web.xml is NOT accessible directly (as expected in secure configurations)
Second request: checks if /%2e/WEB-INF/web.xml IS accessible (which would indicate the vulnerability)
Problem with Current Logic:
The first request's matcher uses an AND condition requiring all conditions to be true
When a server is properly secured, it will typically return a 404 for /WEB-INF/web.xml
The current condition status_code != 404 prevents the flow from continuing to the second request in this case.
Impact on Detection:
Many vulnerable systems would be missed because the first check fails when it encounters a 404
The 404 status code is actually the expected secure behavior for the first request
Relevant dumped responses
Anything else?
No response
Template IDs or paths
http/cves/2021/CVE-2021-28164.yamlEnvironment
Steps To Reproduce
pull/8597 should be revoked
pull:#8597
commit:9b9f79d
The condition "status_code != 404" in http(1) Should be removed.
Reasoning:
Detection Logic: This template uses a two-step process:
First request: checks if /WEB-INF/web.xml is NOT accessible directly (as expected in secure configurations)
Second request: checks if /%2e/WEB-INF/web.xml IS accessible (which would indicate the vulnerability)
Problem with Current Logic:
The first request's matcher uses an AND condition requiring all conditions to be true
When a server is properly secured, it will typically return a 404 for /WEB-INF/web.xml
The current condition status_code != 404 prevents the flow from continuing to the second request in this case.
Impact on Detection:
Many vulnerable systems would be missed because the first check fails when it encounters a 404
The 404 status code is actually the expected secure behavior for the first request
Relevant dumped responses
Anything else?
No response