From 94f879f1e8e7e6e9a22d980c978385ca08fd034d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ou=C5=A1ek?= <brousek@ics.muni.cz>
Date: Wed, 20 Mar 2024 12:41:07 +0100
Subject: [PATCH] feat: use secret file for raw test, bearer token for headless
---
 .gitignore | 2 ++
 README.md | 41 ++++++++++++++++++++-----
 nuclei-templates/saml-headless-all.yaml | 4 +--
 nuclei-templates/saml-raw-all.yaml | 3 --
 secret-file.example.yaml | 5 +++
 5 files changed, 43 insertions(+), 12 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 secret-file.example.yaml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..fb26134
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+screenshots/
+secret-file.yaml
diff --git a/README.md b/README.md
index 957edff..a115ff2 100644
--- a/README.md
+++ b/README.md
@@ -29,39 +29,66 @@ docker run --rm -v ./:/app/ projectdiscovery/nuclei # ... ### conformance IdP -You need to setup a conformance IdP, with a module developed for SAML signature validation testing. +You need to setup a [conformance IdP](https://gitlab.software.geant.org/TI_Incubator/conformance-idp-deployment), +with a [module](https://github.com/cicnavi/simplesamlphp-module-conformance) developed for SAML signature validation testing. Then you need to connect SPs to the conformance IdP (exchange metadata), so that regular SAML authentication works. ## Usage +### Raw HTTP test (fast, no screenshots) + +Make a copy of `secret-file.example.yaml` to `secret-file.yaml` and put in your authorization token for the conformance IdP. + Run against one target: ```sh -nuclei --headless -u ACS_URL_HERE -V "SP_ENTITY_ID=ENTITY_ID_HERE" -V "AUTHORIZATION=AUTHORIZATION_HERE" \ - -duc -ms -t nuclei-templates/ -nmhe -lna -dka 30 -dt 30 +nuclei -u ACS_URL_HERE -V "SP_ENTITY_ID=ENTITY_ID_HERE" -secret-file secret-file.yaml \ + -duc -ms -t nuclei-templates/ -nmhe -lna -dka 30 -dt 30 -tags raw ``` or using docker: ```sh -docker run --rm -v ./:/app/ projectdiscovery/nuclei --headless -u ACS_URL_HERE -V "SP_ENTITY_ID=ENTITY_ID_HERE" -V "AUTHORIZATION=AUTHORIZATION_HERE" \ - -duc -ms -t /app/nuclei-templates/ -nmhe -lna -dka 30 -dt 30 +docker run --rm -v ./:/app/ projectdiscovery/nuclei -u ACS_URL_HERE -V "SP_ENTITY_ID=ENTITY_ID_HERE" -secret-file secret-file.yaml \ + -duc -ms -t /app/nuclei-templates/ -nmhe -lna -dka 30 -dt 30 -tags raw ``` where * `ACS_URL_HERE` is the assertion consumer service endpoint URL * `ENTITY_ID_HERE` is the entity ID of the SP -* `AUTHORIZATION_HERE` is the authorization header, e.g. `Bearer abcd...789` It is expected that the SP will return HTTP code 200/302/303 on success and a different HTTP code on failure (e.g. when SAML response is not signed). 
-## Limitations +### Headless browser test (slower, with screenshots) + +Run against one target: + +```sh +nuclei --headless -u ACS_URL_HERE -V "SP_ENTITY_ID=ENTITY_ID_HERE" -V "BEARER_TOKEN=BEARER_TOKEN_HERE" \ + -duc -ms -t nuclei-templates/ -nmhe -lna -dka 30 -dt 30 -tags headless +``` + +or using docker: + +```sh +docker run --rm -v ./:/app/ projectdiscovery/nuclei --headless -u ACS_URL_HERE -V "SP_ENTITY_ID=ENTITY_ID_HERE" -V "BEARER_TOKEN=BEARER_TOKEN_HERE" \ + -duc -ms -t /app/nuclei-templates/ -nmhe -lna -dka 30 -dt 30 -tags headless +``` + +where + +* `ACS_URL_HERE` is the assertion consumer service endpoint URL +* `ENTITY_ID_HERE` is the entity ID of the SP +* `BEARER_TOKEN_HERE` is your authorization token for the conformance IdP + +## Current limitations * templates are only usable with the conformace IdP * testing cannot be run in parallel for the same entity ID * only `HTTP-POST` binding is currently supported * nuclei has to be invoked individually for each target (for each entity ID) * only SPs which accept unsolicited logins (IdP-initiated) can be tested +* headless browser test behaves differently than raw HTTP test (nuclei limitation)
diff --git a/nuclei-templates/saml-headless-all.yaml b/nuclei-templates/saml-headless-all.yaml
index 57a5d03..d770e41 100644
--- a/nuclei-templates/saml-headless-all.yaml
+++ b/nuclei-templates/saml-headless-all.yaml
@@ -5,7 +5,7 @@ info:
   severity: high
   tags: saml,headless
 variables:
-  AUTHORIZATION: "Bearer abcd...789"
+  BEARER_TOKEN: "abcd...789"
   CONFORMANCE_IDP_BASE_URL: https://conformance-idp.maiv1.incubator.geant.org/
   SCREENSHOTS_DIR: ""
   FILENAME: '{{date_time("%Y-%M-%D_%H-%m-%s")}}-{{replace_regex(BaseURL,"(\\W+)","_")}}'
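Review bot: The new default `BEARER_TOKEN: "abcd...789"` means a run that forgets `-V BEARER_TOKEN=…` still sends `Authorization: Bearer abcd...789` to the conformance IdP and only fails at the IdP, with nothing in the template marking the value as a placeholder; the same applies to the header assembled in this file's second hunk (`value: "Bearer {{BEARER_TOKEN}}"`). A comment above the variable would make the contract explicit, e.g. `# placeholder only – pass the real token with -V BEARER_TOKEN=…`. Judging by the commit title and the new README limitation, the `-secret-file` mechanism used by the raw template does not reach headless steps, so the token here travels on the command line and lands in shell history and process listings; worth saying in that same comment so users keep the two mechanisms straight.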
@@ -28,7 +28,7 @@ headless:
         args:
           part: request
           key: Authorization
-          value: "{{AUTHORIZATION}}"
+          value: "Bearer {{BEARER_TOKEN}}"
       - action: navigate
         args:
           url: "{{trim_suffix(CONFORMANCE_IDP_BASE_URL, '/')}}/module.php/conformance/test/setup?testId={{url_encode(TEST_CASE)}}&spEntityId={{url_encode(SP_ENTITY_ID)}}"
diff --git a/nuclei-templates/saml-raw-all.yaml b/nuclei-templates/saml-raw-all.yaml
index 892d267..0fc049f 100644
--- a/nuclei-templates/saml-raw-all.yaml
+++ b/nuclei-templates/saml-raw-all.yaml
@@ -5,7 +5,6 @@ info:
   severity: high
   tags: saml,raw
 variables:
-  AUTHORIZATION: "Bearer abcd...789"
   CONFORMANCE_IDP_BASE_URL: https://conformance-idp.maiv1.incubator.geant.org/
   CONFORMANCE_IDP_HOSTNAME: '{{replace_regex(CONFORMANCE_IDP_BASE_URL, "^https?://|/.*$", "")}}'
   TEST_CASES:
@@ -33,13 +32,11 @@ http:
         @Host: https://{{CONFORMANCE_IDP_HOSTNAME}}
         POST /module.php/conformance/test/setup?testId={{url_encode(TEST_CASE)}}&spEntityId={{url_encode(SP_ENTITY_ID)}} HTTP/1.1
         Host: {{CONFORMANCE_IDP_HOSTNAME}}
-        Authorization: {{AUTHORIZATION}}
       - |
         @Host: https://{{CONFORMANCE_IDP_HOSTNAME}}
         GET /saml2/idp/SSOService.php?spentityid={{url_encode(SP_ENTITY_ID)}}&ConsumerURL={{url_encode(BaseURL)}} HTTP/1.1
         Host: {{CONFORMANCE_IDP_HOSTNAME}}
-        Authorization: {{AUTHORIZATION}}
     disable-path-automerge: true
     extractors:
       - type: xpath
diff --git a/secret-file.example.yaml b/secret-file.example.yaml
new file mode 100644
index 0000000..e4ec360
--- /dev/null
+++ b/secret-file.example.yaml
@@ -0,0 +1,5 @@
+static:
+  - type: bearertoken
+    domains:
+      - conformance-idp.maiv1.incubator.geant.org
+    token: abcd...789
--
GitLab
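Review bot: With both `Authorization: {{AUTHORIZATION}}` lines removed, the two raw requests now rely on nuclei injecting the header from `-secret-file`, and that injection is keyed on the `domains` entry in `secret-file.example.yaml` (`conformance-idp.maiv1.incubator.geant.org`), which is just the default host of `CONFORMANCE_IDP_BASE_URL`. A user who overrides `CONFORMANCE_IDP_BASE_URL` without editing the secret file will send the setup POST unauthenticated and, if I read nuclei's secret-file matching correctly, see no warning beyond the IdP's response. A comment above the first raw request would make the coupling visible: `# Authorization is injected from -secret-file; its domains entry must match CONFORMANCE_IDP_HOSTNAME`, with a matching line in the example file. The enclosing `http:` block starts before this hunk.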
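Review bot: `token: abcd...789` is a plain scalar, so a real token pasted in its place that is all digits, begins with a YAML indicator, or contains ` #` would be re-typed or truncated by the loader before nuclei sees it. Quoting the placeholder, `token: "abcd...789"`, keeps the copy-paste path safe. A leading comment such as `# copy to secret-file.yaml (gitignored) and replace the placeholder token` would also tie the file to the README steps and the new `.gitignore` entry.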