Class: Aikido::Zen::Scanners::StoredSSRFScanner
- Inherits: Object
- Defined in: lib/aikido/zen/scanners/stored_ssrf_scanner.rb
Overview
Inspects the result of DNS lookups to determine whether we are the target of a stored SSRF attack aimed at IMDS addresses (169.254.169.254).
Constant Summary
- DANGEROUS_ADDRESSES =
  [
    IPAddr.new("169.254.169.254"),
    IPAddr.new("100.100.100.200"),
    IPAddr.new("::ffff:169.254.169.254"),
    IPAddr.new("::ffff:100.100.100.200"),
    IPAddr.new("fd00:ec2::254")
  ]
Class Method Summary
- .call(hostname:, addresses:, operation:, sink:, context:, **opts) ⇒ Object
- .skips_on_nil_context? ⇒ Boolean
  Stored-SSRF can occur without external input, so we do not require a context to determine if an attack is happening.
Instance Method Summary
- #attack? ⇒ String?
  Either the offending address, or nil if no address is deemed dangerous.
- #initialize(hostname, addresses, config: Aikido::Zen.config) ⇒ StoredSSRFScanner (constructor)
  A new instance of StoredSSRFScanner.
Constructor Details
#initialize(hostname, addresses, config: Aikido::Zen.config) ⇒ StoredSSRFScanner
Returns a new instance of StoredSSRFScanner.
# File 'lib/aikido/zen/scanners/stored_ssrf_scanner.rb', line 28
def initialize(hostname, addresses, config: Aikido::Zen.config)
  @hostname = hostname
  @addresses = addresses
  @config = config
end
Class Method Details
.call(hostname:, addresses:, operation:, sink:, context:, **opts) ⇒ Object
# File 'lib/aikido/zen/scanners/stored_ssrf_scanner.rb', line 14
def self.call(hostname:, addresses:, operation:, sink:, context:, **opts)
  offending_address = new(hostname, addresses).attack?
  return if offending_address.nil?

  Attacks::StoredSSRFAttack.new(
    hostname: hostname,
    address: offending_address,
    sink: sink,
    context: context,
    operation: "#{sink.operation}.#{operation}",
    stack: Aikido::Zen.clean_stack_trace
  )
end
.skips_on_nil_context? ⇒ Boolean
Stored-SSRF can occur without external input, so we do not require a context to determine if an attack is happening.
# File 'lib/aikido/zen/scanners/stored_ssrf_scanner.rb', line 10
def self.skips_on_nil_context?
  false
end
Instance Method Details
#attack? ⇒ String?
Returns either the offending address, or nil if no address is deemed dangerous.
# File 'lib/aikido/zen/scanners/stored_ssrf_scanner.rb', line 36
def attack?
  return unless @config.stored_ssrf? # Feature flag
  return if @config.imds_allowed_hosts.include?(@hostname)

  @addresses.find do |candidate|
    # IPAddr#=== is an alias of #include?, so each resolved candidate
    # (IPAddr or String) is matched against the dangerous IMDS addresses.
    DANGEROUS_ADDRESSES.any? { |address| address === candidate }
  end
end
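As an added example that is not the gem's code, the following standalone Ruby reproduces the address check performed by attack? so it can be run against constructed resolver output: the stored_ssrf? feature flag and the imds_allowed_hosts list become keyword arguments (enabled: and allowed_hosts:, names chosen here), and resolver entries that do not parse as an IP address are skipped, which is an assumption of this example and not something the gem's method does.

```ruby
require "ipaddr"

# Standalone reimplementation of the stored-SSRF check (not the gem's code):
# the addresses a hostname resolved to are compared against the IMDS
# addresses the scanner treats as dangerous.
DANGEROUS_ADDRESSES = [
  IPAddr.new("169.254.169.254"),        # AWS / GCP / Azure IMDS
  IPAddr.new("100.100.100.200"),        # Alibaba Cloud IMDS
  IPAddr.new("::ffff:169.254.169.254"), # IPv4-mapped IPv6 forms of the above
  IPAddr.new("::ffff:100.100.100.200"),
  IPAddr.new("fd00:ec2::254")           # AWS IMDS over IPv6
].freeze

# Returns the first resolved address that matches a dangerous IMDS address,
# or nil. Like the scanner, a disabled feature flag or an allow-listed
# hostname short-circuits to nil. Resolver entries that do not parse as an
# IP address are skipped (assumption made here; the gem does not rescue).
def offending_imds_address(hostname, addresses, allowed_hosts: [], enabled: true)
  return nil unless enabled
  return nil if allowed_hosts.include?(hostname)

  addresses.find do |candidate|
    ip = candidate.is_a?(IPAddr) ? candidate : IPAddr.new(candidate.to_s)
    # IPAddr#=== is an alias of #include?: true when the candidate falls
    # inside the dangerous entry (a single host here).
    DANGEROUS_ADDRESSES.any? { |address| address === ip }
  rescue IPAddr::InvalidAddressError
    false
  end
end

# Constructed resolver results for demonstration, not real DNS data.
SAMPLE_LOOKUPS = {
  "cdn.example.test"           => ["203.0.113.10", "203.0.113.11"],
  "webhook.example.test"       => ["203.0.113.20", "169.254.169.254"], # resolves to IMDS
  "v6.example.test"            => ["2001:db8::1", "fd00:ec2::254"],
  "mapped.example.test"        => ["::ffff:100.100.100.200"],
  "internal-tool.example.test" => ["169.254.169.254"]                  # allow-listed below
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LOOKUPS.each do |host, addrs|
    hit = offending_imds_address(host, addrs, allowed_hosts: ["internal-tool.example.test"])
    puts format("%-28s %s", host, hit ? "stored SSRF: #{hit}" : "ok")
  end
end
```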