feat(931100): add IPv6 support / XML scan and SSH scheme. #4321
EsadCetiner
left a comment
I haven't seen RFI attacks with brackets. Do certain web apps accept URLs within brackets?
Why is this check required for IPv6 and not an optional one?
Co-authored-by: Esad Cetiner <104706115+EsadCetiner@users.noreply.github.com>
According to RFC 2732, later incorporated into RFC 3986 Appendix A, square brackets around IPv6 literals are mandatory within the host component of a URL. This syntax rule exists because IPv6 addresses use colons (:), which would otherwise conflict with the colon used to denote the port (e.g., https://host:443/).

That said, if we slightly adjust the regex to ensure that there are at least two colon characters (:) in the host part - which reliably indicates an IPv6 literal - I consider the false positive risk low enough to justify making the brackets optional in the detection logic.

(?i)^(file|ftps?|https?|ssh)://(?:\[?[a-f0-9]+:[a-f0-9]*?:[a-f0-9:]+\]?|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
EsadCetiner
left a comment
Good catch on the accidental matching on a domain name with a port number.
Can you add a positive test for matching IPv6 with no brackets, and a negative one for not matching domain names with a port (within the a-f 0-9 range)?
It seems I am tired. This can never happen - a domain name must always contain a dot, and that character is excluded from the group. I’ve updated the regex and the unit test accordingly.
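The positive and negative cases requested in this review, run against the regex as posted in the reply above. This is an added example, not code from the PR or the CRS test suite; the sample URLs are constructed from documentation address ranges, and the names `IP_URL`, `CASES`, `is_ip_literal_url` and `run_cases` are hypothetical.

```python
import re

# Regex copied from the review reply above; the merged rule may differ.
IP_URL = re.compile(
    r"(?i)^(file|ftps?|https?|ssh)://"
    r"(?:\[?[a-f0-9]+:[a-f0-9]*?:[a-f0-9:]+\]?"
    r"|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)

# Constructed samples (RFC 3849 / RFC 5737 documentation ranges) -> expected verdict.
CASES = {
    "http://[2001:db8::1]/index.php": True,    # bracketed IPv6 literal
    "https://2001:db8::1/index.php": True,     # IPv6 literal without brackets
    "ssh://[2001:db8:0:1::22]:22/": True,      # SSH scheme, bracketed literal plus port
    "HTTP://[2001:DB8::1]/": True,             # (?i) covers scheme and hex digits
    "ftp://192.0.2.10/file.txt": True,         # IPv4 branch
    "http://192.0.2.10:8080/": True,           # IPv4 with a port
    "http://cafe:8080/menu": False,            # hex-only host, single colon (port)
    "http://cafe.example:8080/": False,        # a dot is not in the hex/colon class
    "http://example.com:8080/": False,         # ordinary domain with a port
    "gopher://[2001:db8::1]/": False,          # scheme not in the list
    "see http://[2001:db8::1]/": False,        # pattern is anchored with ^
}


def is_ip_literal_url(value: str) -> bool:
    """True when the value starts with a listed scheme followed by an IP literal."""
    return IP_URL.search(value) is not None


def run_cases(cases=CASES):
    """Return the samples whose verdict differs from the expected one."""
    return {
        url: is_ip_literal_url(url)
        for url, want in cases.items()
        if is_ip_literal_url(url) != want
    }


if __name__ == "__main__":
    for url in CASES:
        verdict = "MATCH" if is_ip_literal_url(url) else "pass"
        print(f"{verdict:5}  {url}")
    assert not run_cases(), run_cases()
```

The single-colon host `cafe:8080` stays unmatched because the IPv6 branch needs two colons, and any host containing a dot fails the hex-and-colon character class.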
…00.yaml Co-authored-by: Esad Cetiner <104706115+EsadCetiner@users.noreply.github.com>
Hello,
I propose to extend the URL detection rule to cover IPv6 literals and SSH URLs, and apply it to both ARGS and XML collections.
Changes:
It will improve detection of SSRF-style patterns using IPv6 or alternative protocols, and increase coverage for XML payloads.