Log4shell Alert


Rami Ahmad

Dec 23, 2021, 7:12:36 AM
to OWASP ZAP User Group
Hello,

I am trying to reproduce the Log4Shell blog: https://www.zaproxy.org/blog/2021-12-14-log4shell-detection-with-zap/
using the desktop GUI to see the alert in the Alerts section. I use interact.sh as OAST, and I also enabled injection on all headers in the active scan config. I'm attacking the app that is mentioned in the blog, but I don't see the alert.

I injected the vulnerable header "X-Api-Version: ${jndi:ldap://127.0.0.1/a}"
using Replacer, but during the scan this header remains static and won't call interact.sh, so I don't get the alert.
Please let me know if anyone managed to get the alert.

Rami Ahmad

Dec 23, 2021, 7:17:27 AM
to OWASP ZAP User Group
I used the Nuclei scanner and injected the Cookie header and got a Nuclei alert, but in ZAP I cannot inject the Cookie header and get interact.sh called. There should be an option in Replacer to allow attack vector injection into selected headers.

kingthorin+owaspzap

Dec 23, 2021, 8:36:38 AM
to OWASP ZAP User Group
"X-Api-Version: ${jndi:ldap://127.0.0.1/a}" isn't interacting with interact.sh, so of course.

When you ran your scan did you enable header input vectors?

Rami Ahmad

Dec 27, 2021, 2:36:15 PM
to OWASP ZAP User Group
Yes, I did. I can also confirm that User-Agent gets injected.

I think this is a bad vulnerable app example in the blog; the Log4j alert will not be triggered.

kingthorin+owaspzap

Dec 27, 2021, 3:59:22 PM
to OWASP ZAP User Group
The one in the blog works, done it.

Peter Hauschulz

Dec 28, 2021, 10:13:19 AM
to OWASP ZAP User Group
I know this vulnerability is tricky to test for!
There are many preconditions to be met, including that the injected header must be one that is logged, the connection between ZAP and the vulnerable app must be functioning, the connection between the vulnerable app and the callback must be functioning, and the connection between the callback and ZAP must also be functioning. If any one of them doesn't, then it will be a false negative!

If it helps, I can confirm the vulnerable web app will execute on ${jndi: payloads, as far as I can tell only on the X-Api-Version header.

For my confirmation tests, I simply used another laptop of mine running Wireshark as the 'malicious host' so I could see when the vulnerable app successfully executed my commands. (It doesn't show up in the active scan that way, though.)

Rami Ahmad

Dec 28, 2021, 2:07:33 PM
to OWASP ZAP User Group
I'm wondering where you injected the OAST payload. Do you know which header triggered the ZAP alert?

Rami Ahmad

Dec 28, 2021, 2:14:25 PM
to OWASP ZAP User Group
True, I see errors on the vulnerable app, but I don't get a ZAP alert, because the OAST payload sent by ZAP is not logged by the app. Using Nuclei I injected the Cookie header, got interact.sh called and got the alert. But by default ZAP cannot inject the Cookie header because it's not used by default. Even if I add Cookie in ZAP Replacer it is not injected with the OAST payload.

"If it helps, I can confirm the vulnerable web app will execute on ${jndi: payloads, as far as I can tell only on the X-Api-Version header."

Peter Hauschulz

Dec 30, 2021, 3:28:50 AM
to OWASP ZAP User Group
Do you mean that ZAP will use the Cookie header as an injection point but not include the OAST payload? Or that it's not using the Cookie header as an injection point at all?

Rami Ahmad

Dec 30, 2021, 11:13:35 AM
to zaprox...@googlegroups.com
I mean ZAP is not using Cookie as an injection point. Nor X-Api-Version. So the alert will never be triggered.

Anything in ZAP Replacer is not injected with any payload. This is by design.


thc...@gmail.com

Dec 30, 2021, 12:27:48 PM
to zaprox...@googlegroups.com