
Ability to send a POST request to a different domain after initial fingerprinting #53

Open
anshumanbh opened this issue Oct 21, 2017 · 2 comments

Comments

@anshumanbh

Hi again,

I encountered one more use case today. Now, this might not make sense to you at all, but I just thought of letting you know.

After the initial fingerprinting against a target, the POST request is being sent to a different domain altogether. Think about this as an authentication microservice that is used by a target.

So, even though the fingerprinting is successful, the next phase of trying the default creds will always fail because there is no way to change the domain to send the authentication request to. It tries it against the target only.

I noticed there is a HOST header, but making that static to the authentication microservice didn't help either.

I am curious to know your thoughts on this.

Cheers!

@ztgrace
Owner

ztgrace commented Oct 21, 2017

Hi @anshumanbh,

Does the diagram below match what you were describing?

[image: diagram]

Are you able to describe this service a bit more? Is this a vendor product that acts funky, or something custom your org has written? I want to be careful about feature bloat, and this feels like it would very rarely occur yet introduces more complexity and changes to the core scanning modules.

Thanks,
Zach

@anshumanbh
Author

anshumanbh commented Oct 22, 2017

The diagram above is exactly what I was describing.

I have seen such an authentication microservice in multiple places. It can be something custom written specific to an org or can be a generic one like OpenStack's Keystone.

It shouldn't really matter what that service is doing, as long as it can take a request and give back a response. So, from my perspective, it is just a matter of taking in a specific IP/domain for authentication in the YML file after a successful fingerprinting, like the HOST header.

But, then again, I don't really understand all the nuances of Changeme yet, so again, I will leave this up to you to decide if this is something that should go in as a new feature or not.

I could accomplish the same thing with curl/grep statements and not Changeme, so not a big deal for me personally. I was interested in knowing how easy/difficult implementing this would be.
