reflection-ssti: Reflected SSTI Arithmetic Based

Date: 2025-08-01 | Affected software: reflection-ssti | POC: public

Vulnerability description

PoC code [public]

id: reflection-ssti

info:
  name: Reflected SSTI Arithmetic Based
  author: pdteam
  severity: medium
  reference:
    - https://github.com/zaproxy/zap-extensions/blob/2d9898900abe85a47b9fe0ceb85ec39070816b98/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/SstiScanRule.java
    - https://github.com/DiogoMRSilva/websitesVulnerableToSSTI#list-of-seversneeds-update
  metadata:
    max-request: 14
  tags: ssti,dast,vuln

variables:
  first: "{{rand_int(1000, 9999)}}"
  second: "{{rand_int(1000, 9999)}}"
  result: "{{to_number(first)*to_number(second)}}"

http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    skip-variables-check: true
    payloads:
      ssti:
        - '{{concat("${", "{{first}}*{{second}}", "}")}}'
        - '{{concat("{{", "{{first}}*{{second}}", "}}")}}'
        - '{{concat("<%=", "{{first}}*{{second}}", "%>")}}'
        - '{{concat("{", "{{first}}*{{second}}", "}")}}'
        - '{{concat("{{{", "{{first}}*{{second}}", "}}}")}}'
        - '{{concat("${{", "{{first}}*{{second}}", "}}")}}'
        - '{{concat("#{", "{{first}}*{{second}}", "}")}}'
        - '{{concat("[[", "{{first}}*{{second}}", "]]")}}'
        - '{{concat("{{=", "{{first}}*{{second}}", "}}")}}'
        - '{{concat("[[${", "{{first}}*{{second}}", "}]]")}}'
        - '{{concat("${xyz|", "{{first}}*{{second}}", "}")}}'
        - '{{concat("#set($x=", "{{first}}*{{second}}", ")${x}")}}'
        - '{{concat("@(", "{{first}}*{{second}}", ")")}}'
        - '{{concat("{@", "{{first}}*{{second}}", "}")}}'

    fuzzing:
      - part: query
        type: postfix
        fuzz:
          - "{{ssti}}"

    stop-at-first-match: true
    matchers:
      - type: word
        part: body
        words:
          - "{{result}}"
# digest: 4a0a00473045022100e42debf5595abb6137887005ecbe2ff1d3c4d8233e2ae2fc6514ccfc5914e874022079c61495b271176d5379854afbd839170a1a63d1c96f1ddd5455fa6274140ac4:922c64590222798bb761d5b6d8e72950
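The template above works by multiplying two random four-digit integers inside each candidate delimiter pair and looking for the product in the response: a page that merely echoes the input never contains the product, while a page whose template engine evaluated the expression does. The following is an added Python illustration of that check, not part of the Nuclei template or the pdteam project; the two endpoint functions are constructed stand-ins for a reflecting page and an evaluating page, and the simple `{{ a*b }}` evaluator is a stand-in for a real engine.

```python
import random
import re

# (prefix, suffix) pairs mirroring the template's 14 payload variants.
DELIMITERS = [
    ("${", "}"), ("{{", "}}"), ("<%=", "%>"), ("{", "}"), ("{{{", "}}}"),
    ("${{", "}}"), ("#{", "}"), ("[[", "]]"), ("{{=", "}}"), ("[[${", "}]]"),
    ("${xyz|", "}"), ("#set($x=", ")${x}"), ("@(", ")"), ("{@", "}"),
]

def make_probe(first, second):
    """Build the probe strings plus the product the matcher looks for."""
    expr = f"{first}*{second}"
    return [pre + expr + suf for pre, suf in DELIMITERS], str(first * second)

def is_evaluated(body, expected):
    """The 'word' matcher: the product appears only if the expression ran."""
    return expected in body

# Constructed stand-in: a page that reflects the parameter without rendering it.
def reflecting_endpoint(q):
    return f"<p>No results for: {q}</p>"

# Constructed stand-in: a page whose engine evaluates {{ a*b }} before output.
def evaluating_endpoint(q):
    def multiply(m):
        a, b = m.group(1).split("*")
        return str(int(a) * int(b))
    rendered = re.sub(r"\{\{\s*(\d+\*\d+)\s*\}\}", multiply, q)
    return f"<p>No results for: {rendered}</p>"

def scan(endpoint, rng=random):
    """Try each probe in order; return the first one whose product is reflected
    (stop-at-first-match), or None when the input is only echoed back."""
    first, second = rng.randint(1000, 9999), rng.randint(1000, 9999)
    probes, expected = make_probe(first, second)
    for probe in probes:
        if is_evaluated(endpoint(probe), expected):
            return probe
    return None
```

Because both factors are four digits, the product is seven or eight digits and cannot occur inside the literal `first*second` text, so an endpoint that only echoes the payload does not produce a false match.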
