Argo Workflows Exposed UI #565

Open. Wants to merge 8 commits into base: master.
Conversation

JamesFoxxx
Contributor

Hi, I already created the testbeds: google/security-testbeds#44

Please connect this PR to #441.

@v1ktor0t

v1ktor0t commented Feb 3, 2025

Hey @JamesFoxxx, thank you for your contribution!

I ran into some difficulties while reviewing the plugin. When running it locally, the Tsunami scanner detects the running application as an ssl/grpc service. This in turn causes the check NetworkServiceUtils::isWebService to fail, ultimately resulting in a failed detection.

Have you run into anything similar during development?

@JamesFoxxx
Contributor Author

Hi @v1ktor0t,
This is weird; I didn't have any issues with the plugin. I just tested the plugin again and all is fine. I tested it on another port rather than 2746 too.
I'm using this tsunami CLI: tsunami-main-0.0.24-SNAPSHOT-cli.jar

@v1ktor0t

@JamesFoxxx, can you share how you have the port scanning on Tsunami configured? I suspect it might have something to do with that.

@JamesFoxxx
Contributor Author

@v1ktor0t I don't add any Nmap configuration to Tsunami. One of my guesses is that maybe it is because of port forwarding. I share my Minikube version and Nmap version here:

minikube version
# minikube version: v1.34.0
# commit: 210b148df93a80eb872ecbeb7e35281b3c582c61
nmap -V
# Nmap version 7.94SVN ( https://nmap.org )
# Platform: x86_64-pc-linux-gnu
# Compiled with: liblua-5.4.6 openssl-3.0.13 libssh2-1.11.0 libz-1.3 libpcre2-10.42 libpcap-1.10.4 nmap-libdnet-1.12 ipv6
# Compiled without:
# Available nsock engines: epoll poll select

# Tsunami CLI Run Command:
java -cp "tsunami-main-0.0.24-SNAPSHOT-cli.jar:/home/james/tsunami/myPlugins/*" \
  com.google.tsunami.main.cli.TsunamiCli \
  --uri-target=https://localhost:2746 \
  --scan-results-local-output-format=JSON \
  --scan-results-local-output-filename=/tmp/tsunami-output.json \
  --http-client-trust-all-certificates \
  --callback-address 10.0.3.5 \
  --callback-port 8881 \
  --callback-polling-uri http://10.0.3.5:8880

@v1ktor0t

hey @JamesFoxxx.

I'm still running into the same issue where nmap is incorrectly detecting the service as an ssl/grpc service. Would you mind running the following nmap command and sharing the output with me:

nmap -sV -p 2746 127.0.0.1 

Additionally, can you share your tsunami_tcs.yaml file? I'm curious if there's any additional flag set for the scanner.

@JamesFoxxx
Contributor Author

nmap -sV -p 2746 127.0.0.1 

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-25 06:27 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000046s latency).

PORT     STATE SERVICE         VERSION
2746/tcp open  ssl/cpudpencap?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2746-TCP:V=7.94SVN%T=SSL%I=7%D=2/25%Time=67BDA956%P=x86_64-pc-linux
SF:-gnu%r(GetRequest,3D0,"HTTP/1\.0\x20200\x20OK\r\nContent-Length:\x20487
SF:\r\nContent-Security-Policy:\x20default-src\x20'self'\x20'unsafe-inline
SF:';\x20img-src\x20'self'\x20data:\r\nContent-Type:\x20text/html;\x20char
SF:set=utf-8\r\nEtag:\x20d0fc1ea252c4bc411ac803f2bcc4a4ad1917d927d762a9d58
SF:a9b7785cf6a6934\r\nLast-Modified:\x20Thu,\x2029\x20Feb\x202024\x2021:01
SF::28\x20GMT\r\nStrict-Transport-Security:\x20max-age=31536000\r\nX-Frame
SF:-Options:\x20DENY\r\nX-Ratelimit-Limit:\x201000\r\nX-Ratelimit-Remainin
SF:g:\x20999\r\nX-Ratelimit-Reset:\x20Tue,\x2025\x20Feb\x202025\x2011:28:2
SF:3\x20UTC\r\nDate:\x20Tue,\x2025\x20Feb\x202025\x2011:28:22\x20GMT\r\n\r
SF:\n<!doctype\x20html><html\x20lang=\"en\"><head><meta\x20charset=\"UTF-8
SF:\"><title>Argo</title><base\x20href=\"/\"><meta\x20name=\"viewport\"\x2
SF:0content=\"width=device-width,initial-scale=1\"><meta\x20name=\"robots\
SF:"\x20content=\"noindex\"><link\x20rel=\"icon\"\x20type=\"image/png\"\x2
SF:0href=\"assets/favicon/favicon-32x32\.png\"\x20sizes=\"32x32\"><link\x2
SF:0rel=\"icon\"\x20type=\"image/png\"\x20href=\"assets/favicon/favicon-16
SF:x16\.png\"\x20sizes=\"16x16\"><script\x20defer=\"defer\"\x20src=\"main\
SF:.22064")%r(HTTPOptions,3D0,"HTTP/1\.0\x20200\x20OK\r\nContent-Length:\x
SF:20487\r\nContent-Security-Policy:\x20default-src\x20'self'\x20'unsafe-i
SF:nline';\x20img-src\x20'self'\x20data:\r\nContent-Type:\x20text/html;\x2
SF:0charset=utf-8\r\nEtag:\x20d0fc1ea252c4bc411ac803f2bcc4a4ad1917d927d762
SF:a9d58a9b7785cf6a6934\r\nLast-Modified:\x20Thu,\x2029\x20Feb\x202024\x20
SF:21:01:28\x20GMT\r\nStrict-Transport-Security:\x20max-age=31536000\r\nX-
SF:Frame-Options:\x20DENY\r\nX-Ratelimit-Limit:\x201000\r\nX-Ratelimit-Rem
SF:aining:\x20998\r\nX-Ratelimit-Reset:\x20Tue,\x2025\x20Feb\x202025\x2011
SF::28:23\x20UTC\r\nDate:\x20Tue,\x2025\x20Feb\x202025\x2011:28:22\x20GMT\
SF:r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><meta\x20charset=\"
SF:UTF-8\"><title>Argo</title><base\x20href=\"/\"><meta\x20name=\"viewport
SF:\"\x20content=\"width=device-width,initial-scale=1\"><meta\x20name=\"ro
SF:bots\"\x20content=\"noindex\"><link\x20rel=\"icon\"\x20type=\"image/png
SF:\"\x20href=\"assets/favicon/favicon-32x32\.png\"\x20sizes=\"32x32\"><li
SF:nk\x20rel=\"icon\"\x20type=\"image/png\"\x20href=\"assets/favicon/favic
SF:on-16x16\.png\"\x20sizes=\"16x16\"><script\x20defer=\"defer\"\x20src=\"
SF:main\.22064");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.83 seconds

@JamesFoxxx
Contributor Author

cat tsunami_tcs.yaml

plugin:
  callbackserver:
    callback_address: "127.0.0.1"  # Running callback server locally
    callback_port: 8881            # Make sure to match with ones configured in tcs_config.yaml
    polling_uri: "http://127.0.0.1:8880"
plugins:
  google:
    detectors:
      credentials:
        ncrack:
          ncrack_binary_path: "/usr/local/bin/ncrack"

@JamesFoxxx
Contributor Author

According to the command I run every time, I don't use the "-Dtsunami-config.location" switch for the Tsunami CLI. I'm using options only from the command line.

@JamesFoxxx
Contributor Author

JamesFoxxx commented Feb 25, 2025

@v1ktor0t I believe we should consider this a bug and completely remove the .filter(NetworkServiceUtils::isWebService) line. Since we already have .filter(this::isArgoWorkflows), we can be certain that the service is an Argo web app.

We can consider this a false negative, maybe.

If you are facing this issue, then we should comply with this, I believe.

v1ktor0t left a comment


hey @JamesFoxxx!

The issue ultimately comes down to nmap detecting an incorrect service type. I agree with you. Removing the filter is likely the best way to fix it. The change is a bit more involved, since Tsunami does rely on the detected service info to generate a target URL.

I recommended some changes that should remediate the issue. I tested it locally and it worked correctly. Please take a look and see if everything works well on your end too.
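The mis-detection discussed in this thread, worked through in an added example (stand-alone Python; this is not Tsunami's Java plugin, nor nmap's or Argo's code). It decodes an nmap service fingerprint of the kind posted above and shows that the probe response nmap captured, rather than the service label it printed, is what tells a detector that the port speaks HTTPS and serves the Argo UI, and that the scheme and port for the target URL can be derived from that evidence. The WEB_LABELS set, the ARGO_MARKERS tuple, and the is_web_service_by_label and looks_like_argo_ui functions are assumptions standing in for NetworkServiceUtils::isWebService and the detector's isArgoWorkflows, whose real logic is not on this page; the fingerprint is a constructed, abbreviated version of the one posted, re-closed by hand with a matching length field.

```python
"""Decode an nmap service fingerprint and check it for an exposed Argo Workflows UI.

Added example for this thread; not Tsunami's, Argo's or nmap's code.  nmap labelled
port 2746 "ssl/cpudpencap?", so a label-based web-service gate rejects it, yet the
probe response it captured proves the port speaks HTTPS and serves the Argo UI.
"""
import re

# Constructed sample: abbreviated from the fingerprint posted in the thread and
# re-closed by hand so it parses (declared length C0 = 192 bytes of decoded data).
SAMPLE_FINGERPRINT = r'''
SF-Port2746-TCP:V=7.94SVN%T=SSL%I=7%D=2/25%Time=67BDA956%P=x86_64-pc-linux
SF:-gnu%r(GetRequest,C0,"HTTP/1\.0\x20200\x20OK\r\nContent-Type:\x20text/h
SF:tml;\x20charset=utf-8\r\nX-Frame-Options:\x20DENY\r\nX-Ratelimit-Limit:
SF:\x201000\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>Arg
SF:o</title><base\x20href=\"/\"></head></html>");
'''
SAMPLE_NMAP_LABEL = "ssl/cpudpencap?"   # the SERVICE column nmap printed for the port

_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})|\\(.)", re.S)
_PROBE = re.compile(r'r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')


def _unescape(s: str) -> bytes:
    """Undo nmap's quoting: \\xHH bytes, \\r \\n \\t \\0, and \\<char> for regex metacharacters."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            out += {"r": b"\r", "n": b"\n", "t": b"\t", "0": b"\0"}.get(
                m.group(2), m.group(2).encode("latin-1"))
        pos = m.end()
    return bytes(out + s[pos:].encode("latin-1"))


def parse_fingerprint(text: str) -> dict:
    """Join the SF-Port/SF: lines first (nmap wraps even inside an escape), then split fields and probes."""
    port = proto = None
    parts = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = re.match(r"SF-Port(\d+)-(\w+):(.*)", line)
        if m:
            port, proto = int(m.group(1)), m.group(2)
            parts.append(m.group(3))
        elif line.startswith("SF:"):
            parts.append(line[3:])
    joined = "".join(parts).rstrip(";")
    head = joined.split("%r(", 1)[0]                      # V=..%T=..%I=.. before the first probe
    fields = dict(kv.split("=", 1) for kv in head.split("%") if "=" in kv)
    probes = {name: {"declared_len": int(hexlen, 16), "data": _unescape(data)}
              for name, hexlen, data in _PROBE.findall(joined)}
    return {"port": port, "proto": proto, "tls": fields.get("T") == "SSL",
            "fields": fields, "probes": probes}


def parse_http_response(raw: bytes):
    """Minimal HTTP/1.x response split into (status, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return status, headers, body


WEB_LABELS = {"http", "https", "ssl/http", "http-proxy", "http-alt"}   # assumption


def is_web_service_by_label(label: str) -> bool:
    """Label-based gate, modelled on the failure described in the thread (assumption about isWebService)."""
    return label.rstrip("?") in WEB_LABELS


def is_web_service_by_response(raw: bytes) -> bool:
    """Evidence-based gate: the probe answer is an HTTP status line, whatever nmap called the service."""
    return raw.startswith(b"HTTP/")


ARGO_MARKERS = (b"<title>Argo</title>", b'<base href="/">')   # assumption, stand-in for isArgoWorkflows


def looks_like_argo_ui(raw: bytes) -> bool:
    status, headers, body = parse_http_response(raw)
    return (status == 200 and headers.get("content-type", "").startswith("text/html")
            and all(marker in body for marker in ARGO_MARKERS))


def build_root_url(host: str, port: int, tls: bool) -> str:
    """Scheme comes from the TLS evidence (T=SSL), not from nmap's service name."""
    scheme, default = ("https", 443) if tls else ("http", 80)
    return f"{scheme}://{host}/" if port == default else f"{scheme}://{host}:{port}/"


def assess(fingerprint_text: str, nmap_label: str, host: str = "127.0.0.1") -> dict:
    fp = parse_fingerprint(fingerprint_text)
    probe = fp["probes"]["GetRequest"]
    raw = probe["data"]
    return {"label_filter_passes": is_web_service_by_label(nmap_label),
            "response_filter_passes": is_web_service_by_response(raw),
            "argo_ui": looks_like_argo_ui(raw),
            "root_url": build_root_url(host, fp["port"], fp["tls"]),
            "length_ok": probe["declared_len"] == len(raw)}


if __name__ == "__main__":
    for key, value in assess(SAMPLE_FINGERPRINT, SAMPLE_NMAP_LABEL).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the label gate rejects the port while the response gate, the Argo markers and the https://127.0.0.1:2746/ root URL all come out of the captured data, which is the argument for dropping the isWebService filter and keying the target URL off the transport evidence instead.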

JamesFoxxx and others added 7 commits February 26, 2025 12:34
…/google/tsunami/plugins/detectors/exposedui/argoworkflows/ExposedArgoWorkflowsDetector.java

Co-authored-by: Viktor Chuchurski <viktor@doyensec.com>
…/google/tsunami/plugins/detectors/exposedui/argoworkflows/ExposedArgoWorkflowsDetector.java

Co-authored-by: Viktor Chuchurski <viktor@doyensec.com>
…/google/tsunami/plugins/detectors/exposedui/argoworkflows/ExposedArgoWorkflowsDetector.java

Co-authored-by: Viktor Chuchurski <viktor@doyensec.com>
…/google/tsunami/plugins/detectors/exposedui/argoworkflows/ExposedArgoWorkflowsDetector.java

Co-authored-by: Viktor Chuchurski <viktor@doyensec.com>
…/google/tsunami/plugins/detectors/exposedui/argoworkflows/ExposedArgoWorkflowsDetector.java

Co-authored-by: Viktor Chuchurski <viktor@doyensec.com>
…/google/tsunami/plugins/detectors/exposedui/argoworkflows/ExposedArgoWorkflowsDetector.java

Co-authored-by: Viktor Chuchurski <viktor@doyensec.com>
@JamesFoxxx
Contributor Author

@v1ktor0t it works fine for me.

@v1ktor0t

LGTM - Approved
@maoning, can be merged together with the testbed.

Reviewer: Viktor, Doyensec
Plugin: Argo Workflows Exposed UI
Drawbacks: None.
