Hi @maoning !

This PR has been open for a couple months. Just wanted to check if everything was okay with it or if there were any changes you needed me to make!

Thanks! :)

@Isaac-GC Sorry for the delay, the main comment I had in the review is about testing the real code execution in the plugin. I would like to see this plugin merged in before end of the year. Once you have the updated version, I will try to finish the review asap.

@Isaac-GC I have patched in your plugin and tested against the vulnerable container you provided, your plugin doesn't report the vulnerability as expected. There are 2 main issues after some debugging:

1. Your plugin is expecting a web service returned from nmap for the papercut service. However my local nmap returns tcp service instead which triggers isWebService to return false, so the core detection logic is skipped. As a result of being a tcp service, buildWebApplicationRootUrl would crash the plugin, so the application root url has to be manually constructed.

Could you double check on your end to verify the nmap output (from a local Tsunami run). If your nmap does return http service, could you let me know your nmap version? I'm curious about the differences in our nmap output.

2. For the core detection logic, I see that you pulled JSESSION_ID from the cookie and used it throughout all the later network requests. However, the set-cookie value may changes per request, and the cookie field for the subsequent request needs to be updated in order to get successful response from the server. I would recommend you to check if set-cookie field from each response is non-empty, if it is present, then copy over the value to the cookie for the next request.

Also, please test out the plugin with a local instance of the callback server and verify the detector works e2e (triggering callback interaction and reporting a vulnerability). Let me know if you have any issue configuring the callback server with your Tsunami instance.

@Isaac-GC Let me know if you have further questions about the comments and if there's any issue with callback server usage. I would like to have your plugin merged soon :)

Hi @maoning, apologies on the delay!

I just pushed the latest version of the code and should be good to be tested on your side. (I confirmed it worked as expected with all of the vulnerable papercut versions). The PR summary was also updated to reflect a change in the ports used by the docker containers. Instead of using the default port of 9191, I modified the server properties to have the container port instead be reflected as 80 (which is a more real world scenario, albeit without HTTPS just for testing purposes)

There were some issues encountered that were primarily session based (see the below summary) and some issues with how the parameter strings were handled built from the initial push. But everything seems to be working now :)

If possible or if you would think it is beneficial, please consider adding ability to use the CookieJar implementation from the OkHttp library as one of the capabilities for the client connection. While this plugin may be an edge-case in regards to using/needing session management, I still feel having that potentially being added into the Tsunami Scanner will greatly increase the overall capabilities/possibilities for the tool. LMK your thoughts on this!

Thanks! :)

Adding this here for anyone in the future that may review this pull request or reference this CVE:

Upon connecting to the application initially with the /app?service=page/SetupCompleted, you are provided a JSESSION_ID cookie. During subsequent connections, the JSESSION_ID may be updated with a new iterated version (i.e. abc009 -> abc010).
If saving the cookies or using a tool that uses session management, such as python requests, the JSESSION_ID cookie will be updated for you. If you are using the OkHttp library, it is recommended to use the OkHttp CookieJar implementation with the client if possible.

To handle the url path parameters in clear/easy way when using the OkHTTP library, please reference Line 110 in PapercutNGMFHelper.class

Hey @maoning!

I know you said you wanted to merge the plug-in soon, just wanted to check if there were any issues on you encountered or any changes you'd like to me to make!

Thanks!

Thanks @Isaac-GC for the wait as well as your detailed response, supporting the cookie jar feature from okhttp in Tsunami is a great idea! I will track it as a feature request for Tsunami.

I have re-tested your updated plugin, everything is working well now. I will leave some comment about the minor styling issues in the code review for future references. For the sake of the time, I will merge in your code and fix them up quickly on my side.

We have recently updated our patch reward tracking workflow. Could you resubmit this plugin via the form at https://bughunters.google.com/report/tsunami? The reward is expected to be distributed 2-3 weeks after the code merge (slightly delayed by the holidays).