casstrong.blogg.se

Burp suite license key file

We patched Burp Suite a while back, but suspect the technique might be useful to exploit other applications that have a 'copy as curl' feature, or invoke curl from the command line.

To make sharing these proof-of-concept exploits with other people easier, we have a Copy as curl command feature which generates a curl command that replicates a request inside Burp Suite. For example, given the following request:

    POST / HTTP/1.1
    Content-Type: application/x-

If you click Copy as curl command, Burp Suite will generate the following command and copy it to the clipboard:

    curl -i -s -k
    -H $'Content-Type: application/x-www-form-urlencoded' \

You can then paste this command into the terminal to re-issue the request outside Burp Suite. We're careful about escaping this data to avoid users being exploited by malicious requests injecting extra shell commands, or arbitrary curl arguments. Unfortunately, there's a subtler problem. Can you see it?

As usual, the answer lies in the friendly manual: --data-binary


This posts data exactly as specified with no extra processing whatsoever. If you start the data with the letter @, the rest should be a filename.


So, this is safe:

    curl --data-binary '/home/albinowax/.ssh/id_rsa' --trace-ascii -

And this is not so safe:

    curl --data-binary --trace-ascii.
    > -BEGIN RSA PRIVATE KEY-.b3BlbnNzaC1rZXktdjEA.

We patched this vulnerability in release 2020.5.1 by switching to the newer and safer but less-supported --data-raw flag if the request body starts with an @ symbol. We were lucky in that exploiting this in Burp Suite required relatively heavy user-interaction - the attacker would have to induce a user to visit a malicious website, copy the crafted request as a curl command, and then execute it via the command line. If a website uses curl with an attacker-controlled request body, this could have a significantly higher impact, so it's definitely worth keeping an eye out for during SSRF testing.
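The fix described above, sketched as an added example (this is not Burp Suite's code): a "copy as curl" generator that falls back to --data-raw when the body starts with @, plus a check that flags curl command lines which would upload a local file. The function names and the example.test URL are assumptions made for illustration.

```python
import shlex

# curl options whose value is read from a file when it starts with "@".
FILE_READING_DATA_OPTS = {"-d", "--data", "--data-ascii", "--data-binary"}


def build_curl_command(url, headers, body):
    """Return a shell-safe curl command line replicating a POST request."""
    argv = ["curl", "-i", "-s", "-k", "-X", "POST"]
    for name, value in headers:
        argv += ["-H", f"{name}: {value}"]
    if body:
        # A leading "@" makes --data-binary read a local file, so fall
        # back to --data-raw, which sends the value literally.
        opt = "--data-raw" if body.startswith("@") else "--data-binary"
        argv += [opt, body]
    argv.append(url)
    # Quote every argument so the body cannot inject shell syntax.
    return " ".join(shlex.quote(a) for a in argv)


def file_reading_args(command):
    """Return (option, path) pairs where curl would upload a local file."""
    argv = shlex.split(command)
    hits = []
    for i, arg in enumerate(argv[:-1]):
        if arg in FILE_READING_DATA_OPTS and argv[i + 1].startswith("@"):
            hits.append((arg, argv[i + 1][1:]))
    return hits


if __name__ == "__main__":
    # Constructed request: the body is the path from the text, prefixed with "@".
    hdrs = [("Content-Type", "application/x-www-form-urlencoded")]
    safe = build_curl_command("https://example.test/", hdrs,
                              "@/home/albinowax/.ssh/id_rsa")
    naive = ("curl -s --data-binary '@/home/albinowax/.ssh/id_rsa' "
             "https://example.test/")
    print(safe, file_reading_args(safe))
    print(naive, file_reading_args(naive))
```

The same check can be run over curl invocations found in scripts or build pipelines before they are executed with untrusted request bodies.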








