feat: use secret file for raw test, bearer token for headless

94f879f1 · Pavel Břoušek · 9ae4810a · 94f879f1 · 94f879f1 · 94f879f1
Commit 94f879f1 authored 1 year ago by Pavel Břoušek
--- a/.gitignore
+++ b/.gitignore
+screenshots/
+secret-file.yaml
--- a/README.md
+++ b/README.md
@@ -29,39 +29,66 @@ docker run --rm -v ./:/app/ projectdiscovery/nuclei # ...
 ### conformance IdP
-You need to setup a conformance IdP, with a module developed for SAML signature validation testing.
+You need to setup a [conformance IdP](https://gitlab.software.geant.org/TI_Incubator/conformance-idp-deployment),
+with a [module](https://github.com/cicnavi/simplesamlphp-module-conformance) developed for SAML signature validation testing.
 Then you need to connect SPs to the conformance IdP (exchange metadata), so that regular SAML authentication works.
 ## Usage
+### Raw HTTP test (fast, no screenshots)
+Make a copy of `secret-file.example.yaml` to `secret-file.yaml` and put in your authorization token for the conformance IdP.
 Run against one target:
 ```sh
-nuclei --headless -u ACS_URL_HERE -V "SP_ENTITY_ID=ENTITY_ID_HERE" -V "AUTHORIZATION=AUTHORIZATION_HERE" \
+nuclei -u ACS_URL_HERE -V "SP_ENTITY_ID=ENTITY_ID_HERE" -secret-file secret-file.yaml \
-    -duc -ms -t nuclei-templates/ -nmhe -lna -dka 30 -dt 30
+    -duc -ms -t nuclei-templates/ -nmhe -lna -dka 30 -dt 30 -tags raw
 ```
 or using docker:
 ```sh
-docker run --rm -v ./:/app/ projectdiscovery/nuclei --headless -u ACS_URL_HERE -V "SP_ENTITY_ID=ENTITY_ID_HERE" -V "AUTHORIZATION=AUTHORIZATION_HERE" \
+docker run --rm -v ./:/app/ projectdiscovery/nuclei -u ACS_URL_HERE -V "SP_ENTITY_ID=ENTITY_ID_HERE" -secret-file secret-file.yaml \
-    -duc -ms -t /app/nuclei-templates/ -nmhe -lna -dka 30 -dt 30
+    -duc -ms -t /app/nuclei-templates/ -nmhe -lna -dka 30 -dt 30 -tags raw
 ```
 where
 * `ACS_URL_HERE` is the assertion consumer service endpoint URL
 * `ENTITY_ID_HERE` is the entity ID of the SP
-* `AUTHORIZATION_HERE` is the authorization header, e.g. `Bearer abcd...789`
 It is expected that the SP will return HTTP code 200/302/303 on success
 and a different HTTP code on failure (e.g. when SAML response is not signed).
-## Limitations
+### Headless browser test (slower, with screenshots)
+Run against one target:
+```sh
+nuclei --headless -u ACS_URL_HERE -V "SP_ENTITY_ID=ENTITY_ID_HERE" -V "BEARER_TOKEN=BEARER_TOKEN_HERE" \
+    -duc -ms -t nuclei-templates/ -nmhe -lna -dka 30 -dt 30 -tags headless
+```
+or using docker:
+```sh
+docker run --rm -v ./:/app/ projectdiscovery/nuclei --headless -u ACS_URL_HERE -V "SP_ENTITY_ID=ENTITY_ID_HERE" -V "BEARER_TOKEN=BEARER_TOKEN_HERE" \
+    -duc -ms -t /app/nuclei-templates/ -nmhe -lna -dka 30 -dt 30 -tags headless
+```
+where
+* `ACS_URL_HERE` is the assertion consumer service endpoint URL
+* `ENTITY_ID_HERE` is the entity ID of the SP
+* `BEARER_TOKEN_HERE` is your authorization token for the conformance IdP
+## Current limitations
 * templates are only usable with the conformace IdP
  * testing cannot be run in parallel for the same entity ID
 * only `HTTP-POST` binding is currently supported
 * nuclei has to be invoked individually for each target (for each entity ID)
 * only SPs which accept unsolicited logins (IdP-initiated) can be tested
+* headless browser test behaves differently than raw HTTP test (nuclei limitation)
--- a/nuclei-templates/saml-headless-all.yaml
+++ b/nuclei-templates/saml-headless-all.yaml
@@ -5,7 +5,7 @@ info:
  severity: high
  tags: saml,headless
 variables:
-  AUTHORIZATION: "Bearer abcd...789"
+  BEARER_TOKEN: "abcd...789"
  CONFORMANCE_IDP_BASE_URL: https://conformance-idp.maiv1.incubator.geant.org/
  SCREENSHOTS_DIR: ""
  FILENAME: '{{date_time("%Y-%M-%D_%H-%m-%s")}}-{{replace_regex(BaseURL,"(\\W+)","_")}}'
@@ -28,7 +28,7 @@ headless:
      args:
        part: request
        key: Authorization
-        value: "{{AUTHORIZATION}}"
+        value: "Bearer {{BEARER_TOKEN}}"
    - action: navigate
      args:
        url: "{{trim_suffix(CONFORMANCE_IDP_BASE_URL, '/')}}/module.php/conformance/test/setup?testId={{url_encode(TEST_CASE)}}&spEntityId={{url_encode(SP_ENTITY_ID)}}"

--- a/nuclei-templates/saml-raw-all.yaml
+++ b/nuclei-templates/saml-raw-all.yaml
@@ -5,7 +5,6 @@ info:
  severity: high
  tags: saml,raw
 variables:
-  AUTHORIZATION: "Bearer abcd...789"
  CONFORMANCE_IDP_BASE_URL: https://conformance-idp.maiv1.incubator.geant.org/
  CONFORMANCE_IDP_HOSTNAME: '{{replace_regex(CONFORMANCE_IDP_BASE_URL, "^https?://|/.*$", "")}}'
  TEST_CASES:
@@ -33,13 +32,11 @@ http:
        @Host: https://{{CONFORMANCE_IDP_HOSTNAME}}
        POST /module.php/conformance/test/setup?testId={{url_encode(TEST_CASE)}}&spEntityId={{url_encode(SP_ENTITY_ID)}} HTTP/1.1
        Host: {{CONFORMANCE_IDP_HOSTNAME}}
-        Authorization: {{AUTHORIZATION}}
      - |
        @Host: https://{{CONFORMANCE_IDP_HOSTNAME}}
        GET /saml2/idp/SSOService.php?spentityid={{url_encode(SP_ENTITY_ID)}}&ConsumerURL={{url_encode(BaseURL)}} HTTP/1.1
        Host: {{CONFORMANCE_IDP_HOSTNAME}}
-        Authorization: {{AUTHORIZATION}}
    disable-path-automerge: true
    extractors:
      - type: xpath

--- a/secret-file.example.yaml
+++ b/secret-file.example.yaml
+static:
+  - type: bearertoken
+    domains:
+      - conformance-idp.maiv1.incubator.geant.org
+    token: abcd...789