False Positive with cloud metadata due to receiving a successful response HTTP/1.1 200 OK #8514
Comments
Sounds good. Does anyone have any examples of valid cloud metadata responses, or links to ways to get them?
To get a cloud metadata response for https://example.com, we use:
Resource: https://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/
How does the detection work? METADATA_HOSTS list from the detection:
In the example given in the previous comment we used metadata host:
He was asking if anyone had actual legit metadata responses from cloud providers so we could model things even more specifically.
Thank you @kingthorin for the clarification, here are some examples of actual metadata responses from AWS, Azure, and GCP:
AWS:
References: Retrieve instance metadata
Google Cloud Platform (GCP):
References: Azure
References: Azure Endpoint categories
Is your feature request related to a problem? Please describe.
Cloud metadata potentially exploited:
https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CloudMetadataScanRule.java
If a successful response (HTTP/1.1 200) is received, the check raises an alert that cloud metadata was potentially exploited; this causes many false positive alerts, as upon investigating the received response it does not really include any cloud metadata.
Describe the solution you'd like
Instead of just validating the HTTP return code, we may check whether or not it is getting answers from the metadata services, for example, check what header information the metadata service may return and then compare that with the actual data received.
Another option:
If html is present in the response it is most likely not metadata; instead, it is usually just text or JSON.
Describe alternatives you've considered
none.
Screenshots
No response
Additional context
Example of response received from a host where cloud metadata potentially exploited was false positive:
Would you like to help fix this issue?
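To show what the two suggestions above (compare provider-specific headers and fields; treat HTML bodies as non-metadata) look like as a content check rather than a status-code check, here is an added standalone illustration in Python. It is not the CloudMetadataScanRule's Java code and not anything from the issue's participants; the marker strings (the `Metadata-Flavor: Google` response header, the `compute`/`network` keys of the Azure IMDS JSON document, the category names AWS IMDS lists under `/latest/meta-data/`) are assumptions drawn from public provider documentation, and the sample responses are constructed for the example.

```python
"""Heuristic content check for cloud-metadata scan responses.

Added illustration (Python, not the ZAP rule's Java code): instead of alerting
on any HTTP 200, inspect the response's headers and body for signs that it
actually came from a cloud metadata service.  The provider markers below are
assumptions taken from public provider documentation, not from the issue.
"""
import json
import re
from typing import Dict, Mapping, Tuple

# Assumption: GCP's metadata server sets this header on its responses.
GCP_FLAVOR_HEADER = ("metadata-flavor", "google")

# Assumption: top-level keys of the Azure IMDS /instance JSON document.
AZURE_JSON_KEYS = {"compute", "network"}

# Assumption: category names AWS IMDS lists under /latest/meta-data/.
AWS_LISTING_ENTRIES = {"ami-id", "instance-id", "hostname", "local-ipv4", "iam"}

# Anything that opens an HTML document or its main containers.
HTML_MARKER = re.compile(r"<\s*(!doctype|html|head|body)\b", re.IGNORECASE)


def _lower_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise them for lookups."""
    return {k.lower(): v for k, v in headers.items()}


def looks_like_cloud_metadata(status: int, headers: Mapping[str, str],
                              body: str) -> Tuple[bool, str]:
    """Return (is_metadata, reason).

    A response counts only if it is a 200, is not HTML, and carries at least
    one provider-specific marker in its headers or body.
    """
    if status != 200:
        return False, "non-200 status"
    h = _lower_headers(headers)

    # The issue's second suggestion: an HTML body is almost never metadata.
    if HTML_MARKER.search(body):
        return False, "body contains HTML"

    # GCP: provider header on the response (compare headers, not just status).
    if h.get(GCP_FLAVOR_HEADER[0], "").lower() == GCP_FLAVOR_HEADER[1]:
        return True, "Metadata-Flavor: Google header present"

    # Azure: a JSON document with the documented top-level keys.
    ctype = h.get("content-type", "").lower()
    if "json" in ctype or body.lstrip().startswith("{"):
        try:
            doc = json.loads(body)
        except ValueError:
            return False, "JSON-looking body is not valid JSON"
        if isinstance(doc, dict) and AZURE_JSON_KEYS & doc.keys():
            return True, "JSON body with Azure IMDS keys"
        return False, "JSON body without known metadata keys"

    # AWS: a plain-text listing of meta-data categories, one per line.
    # Require two known entries so a lone word like "hostname" does not match.
    lines = {ln.strip().rstrip("/") for ln in body.splitlines() if ln.strip()}
    if len(lines & AWS_LISTING_ENTRIES) >= 2:
        return True, "plain-text listing with AWS IMDS categories"

    return False, "200 OK but no metadata markers found"


# Constructed sample responses (status, headers, body), not captured traffic.
SAMPLES = {
    # The false positive from the issue: an ordinary web page answering 200.
    "html_page": (200, {"Content-Type": "text/html"},
                  "<!DOCTYPE html><html><head><title>Welcome</title></head>"
                  "<body>Hello</body></html>"),
    "gcp": (200, {"Metadata-Flavor": "Google", "Content-Type": "application/text"},
            "attributes/\nhostname\nid\n"),
    "azure": (200, {"Content-Type": "application/json; charset=utf-8"},
              '{"compute": {"location": "eastus"}, "network": {}}'),
    "aws": (200, {"Content-Type": "text/plain"},
            "ami-id\nhostname\ninstance-id\nlocal-ipv4\n"),
    # A JSON API that is also not metadata; status alone would flag it.
    "json_api": (200, {"Content-Type": "application/json"}, '{"status": "ok"}'),
}


def classify_samples() -> Dict[str, bool]:
    """Run the check over every constructed sample."""
    return {name: looks_like_cloud_metadata(*resp)[0]
            for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        verdict, why = looks_like_cloud_metadata(*resp)
        print(f"{name:10s} metadata={verdict!s:5s} ({why})")
```

The ordering of the checks matters: the HTML test runs first because it is the cheapest way to discard the false positive the issue describes, and the provider-specific tests each return a reason string so an alert's evidence field can say which marker matched rather than only "200 OK".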