Skip to content

Initial Linkerd service detection rules #153

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jun 22, 2020
Merged

Initial Linkerd service detection rules #153

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c5fc99a
Add rules Linkerd service detection
manuelbua Jun 22, 2020
19edc73
Fix formatting
manuelbua Jun 22, 2020
4104238
Tweak flags
manuelbua Jun 22, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 45 additions & 0 deletions technologies/linkerd-badrule-detect.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
id: linkerd-badrule-detect

# Detect the Linkerd service by overriding the delegation table with an invalid
# rule, the presence of the service is indicated by either:
# - a "Via: .. linkerd .."
# - a "l5d-err" and/or a "l5d-success" header
# - a literal error in the body

info:
name: Linkerd detection via bad rule
author: dudez
severity: low

requests:
- method: GET
path:
- "{{BaseURL}}/"
headers:
l5d-dtab: /svc/*

matchers-condition: or
matchers:
- type: regex
name: via-linkerd-present
regex:
- '(?mi)^Via\s*?:.*?linkerd.*$'
part: header

- type: regex
name: l5d-err-present
regex:
- '(?mi)^l5d-err:.*$'
part: header

- type: regex
name: l5d-success-class-present
regex:
- '(?mi)^l5d-success-class: 0.*$'
part: header

- type: word
name: body-error-present
words:
- 'expected but end of input found at'
part: body
66 changes: 66 additions & 0 deletions technologies/linkerd-ssrf-detect.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
id: linkerd-ssrf-detect

# Detect the Linkerd service by overriding the delegation table and
# inspect the response for:
# - a "Via: .. linkerd .."
# - a "l5d-err" and/or a "l5d-success" header
# - a verbose timeout error (binding timeout)
# - a full response
# The full-response case indicates a possible SSRF condition, the others
# only indicates the service presence.
#
# If a full-response is returned you should really manually probe requests with
# the following header values:
#
# - "l5d-dtab: /svc/* => /$/inet/yourserver.com/80", to get to other external hosts
# - "l5d-dtab: /svc/* => /$/inet/169.254.169.254/80", to get to cloud metadata

info:
name: Linkerd SSRF detection
author: dudez
severity: medium

requests:
- method: GET
path:
- "{{BaseURL}}/"
headers:
l5d-dtab: /svc/* => /$/inet/example.com/443

matchers-condition: or
matchers:
- type: regex
name: via-linkerd-present
regex:
- '(?mi)^Via\s*?:.*?linkerd.*$'
part: header

- type: regex
name: l5d-err-present
regex:
- '(?mi)^l5d-err:.*$'
part: header

- type: regex
name: l5d-success-class-present
regex:
- '(?mi)^l5d-success-class: 0.*$'
part: header

- type: word
name: ssrf-response-body
words:
- '<p>This domain is for use in illustrative examples in documents.'
part: body

- type: regex
name: resolve-timeout-error-present
regex:
- '(?mi)Exceeded .*? binding timeout while resolving name'
part: body

- type: regex
name: dynbind-error-present
regex:
- '(?mi)exceeded .*? to unspecified while dyn binding'
part: body