Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: POST出现服务器端请求伪造漏洞,位置:COOKIE #564

Open
3 tasks done
PhuketIsland opened this issue Jul 31, 2023 · 6 comments
Open
3 tasks done

[Bug]: POST出现服务器端请求伪造漏洞,位置:COOKIE #564

PhuketIsland opened this issue Jul 31, 2023 · 6 comments
Labels
bug Something isn't working

Comments

@PhuketIsland
Copy link

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Version

1.13.0

Installation Type

Official Kubernetes

Service Name

DongTai-agent-java

Describe the details of the bug and the steps to reproduce it

image
洞态一直报这个地方有服务端请求伪造漏洞,但是token值不能修改,修改就报错显示token无效,所以这是不是一个误报?

Additional Information

No response

Logs

No response

@PhuketIsland PhuketIsland added the bug Something isn't working label Jul 31, 2023
@Bidaya0 Bidaya0 transferred this issue from HXSecurity/DongTai Jul 31, 2023
@lostsnow
Copy link
Member

lostsnow commented Aug 1, 2023

Could you provide the complete method pool information? It can be found from the field "method_pool" in the table "iast_agent_method_pool" of the database. Please remember to obfuscate any sensitive information.

@PhuketIsland
Copy link
Author

test.txt

@Bidaya0
Copy link
Contributor

Bidaya0 commented Aug 2, 2023

test.txt

This method pool did not find a vulnerability in our detection, please check if the correct method pool is provided.
If possible, please also provide the full_stack in the vulnerability information.

@PhuketIsland
Copy link
Author

test.txt
之前那个文本里面我只取了一条数据,这个是所有的数据。full_stack漏洞信息在哪找?

@lostsnow
Copy link
Member

lostsnow commented Aug 3, 2023

test.txt 之前那个文本里面我只取了一条数据,这个是所有的数据。full_stack漏洞信息在哪找?

Field full_stack is in the table iast_vulnerability, primary key id can be found in the vulnerability detail url, for example: https://<hostname>/vuln/vulnDetail/1/12473?..., id is 12473

@PhuketIsland
Copy link
Author

test.txt之前那个文本里面我只取了一条数据,这是所有的数据。full_stack漏洞信息在哪里找?

full_stack表中字段为iast_vulnerability,主键id可在漏洞详情 url 中找到,例如:https://<hostname>/vuln/vulnDetail/1/12473?..., idis12473

能找到full_stack,但是不知道该漏洞的id从哪找,上面那个test.txt文件里面还是不能发现漏洞吗?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

3 participants