Skip to content
Nuclei Templates

Open Proxy To Internal Network

ID: open-proxy-internal

Severity: high

Author: sullo

Tags: exposure,config,proxy,misconfig,fuzz

Description

Section titled “Description”

The host is configured as a proxy which allows access to other hosts on the internal network.

YAML Source

Section titled “YAML Source”
id: open-proxy-internal


info:
  name: Open Proxy To Internal Network
  author: sullo
  severity: high
  description: The host is configured as a proxy which allows access to other hosts on the internal network.
  remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports.
  reference:
    - https://blog.projectdiscovery.io/abusing-reverse-proxies-internal-access/
    - https://en.wikipedia.org/wiki/Open_proxy
    - https://www.acunetix.com/vulnerabilities/web/apache-configured-to-run-as-proxy/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cwe-id: CWE-441
  metadata:
    max-request: 25
  tags: exposure,config,proxy,misconfig,fuzz


http:
  - raw:
      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}


      - |+
        GET http://192.168.0.1/ HTTP/1.1
        Host: 192.168.0.1


      - |+
        GET https://192.168.0.1/ HTTP/1.1
        Host: 192.168.0.1


      - |+
        GET http://192.168.0.1:22/ HTTP/1.1
        Host: 192.168.0.1


      - |+
        GET http://192.168.1.1/ HTTP/1.1
        Host: 192.168.1.1


      - |+
        GET https://192.168.1.1/ HTTP/1.1
        Host: 192.168.1.1


      - |+
        GET http://192.168.1.1:22/ HTTP/1.1
        Host: 192.168.1.1


      - |+
        GET http://192.168.2.1/ HTTP/1.1
        Host: 192.168.2.1


      - |+
        GET https://192.168.2.1/ HTTP/1.1
        Host: 192.168.2.1


      - |+
        GET http://192.168.2.1:22/ HTTP/1.1
        Host: 192.168.2.1


      - |+
        GET http:/10.0.0.1/ HTTP/1.1
        Host: 10.0.0.1


      - |+
        GET https://10.0.0.1/ HTTP/1.1
        Host: 10.0.0.1


      - |+
        GET http://10.0.0.1:22/ HTTP/1.1
        Host: 10.0.0.1


      - |+
        GET http:/172.16.0.1/ HTTP/1.1
        Host: 172.16.0.1


      - |+
        GET https://172.16.0.1/ HTTP/1.1
        Host: 172.16.0.1


      - |+
        GET http://172.16.0.1:22/ HTTP/1.1
        Host: 172.16.0.1


      - |+
        GET http:/intranet/ HTTP/1.1
        Host: intranet


      - |+
        GET https://intranet/ HTTP/1.1
        Host: intranet


      - |+
        GET http://intranet:22/ HTTP/1.1
        Host: intranet


      - |+
        GET http:/mail/ HTTP/1.1
        Host: mail


      - |+
        GET https://mail/ HTTP/1.1
        Host: mail


      - |+
        GET http://mail:22/ HTTP/1.1
        Host: mail


      - |+
        GET http:/ntp/ HTTP/1.1
        Host: ntp


      - |+
        GET https://ntp/ HTTP/1.1
        Host: ntp


      - |+
        GET http://ntp:22/ HTTP/1.1
        Host: ntp


    unsafe: true
    matchers:
      - type: dsl
        dsl:
          - (!contains(body_1, "It works")) && ((contains(body_2, "It works") || contains(body_3, "It works") || contains(body_4, "It works") || contains(body_5, "It works") || contains(body_6, "It works") || contains(body_7, "It works") || contains(body_8, "It works") || contains(body_9, "It works") || contains(body_10, "It works") || contains(body_11, "It works") || contains(body_12, "It works") || contains(body_13, "It works") || contains(body_14, "It works") || contains(body_15, "It works") || contains(body_16, "It works") || contains(body_17, "It works") || contains(body_18, "It works") || contains(body_19, "It works") || contains(body_20, "It works") || contains(body_21, "It works") || contains(body_22, "It works") || contains(body_23, "It works")))
          - (!contains(body_1, "IIS Windows Server")) && ((contains(body_2, "IIS Windows Server") || contains(body_3, "IIS Windows Server") || contains(body_4, "IIS Windows Server") || contains(body_5, "IIS Windows Server") || contains(body_6, "IIS Windows Server") || contains(body_7, "IIS Windows Server") || contains(body_8, "IIS Windows Server") || contains(body_9, "IIS Windows Server") || contains(body_10, "IIS Windows Server") || contains(body_11, "IIS Windows Server") || contains(body_12, "IIS Windows Server") || contains(body_13, "IIS Windows Server") || contains(body_14, "IIS Windows Server") || contains(body_15, "IIS Windows Server") || contains(body_16, "IIS Windows Server") || contains(body_17, "IIS Windows Server") || contains(body_18, "IIS Windows Server") || contains(body_19, "IIS Windows Server") || contains(body_20, "IIS Windows Server") || contains(body_21, "IIS Windows Server") || contains(body_22, "IIS Windows Server") || contains(body_23, "IIS Windows Server")))
          - (!contains(body_1, "<title>IIS7</title>")) && ((contains(body_2, "<title>IIS7</title>") || contains(body_3, "<title>IIS7</title>") || contains(body_4, "<title>IIS7</title>") || contains(body_5, "<title>IIS7</title>") || contains(body_6, "<title>IIS7</title>") || contains(body_7, "<title>IIS7</title>") || contains(body_8, "<title>IIS7</title>") || contains(body_9, "<title>IIS7</title>") || contains(body_10, "<title>IIS7</title>") || contains(body_11, "<title>IIS7</title>") || contains(body_12, "<title>IIS7</title>") || contains(body_13, "<title>IIS7</title>") || contains(body_14, "<title>IIS7</title>") || contains(body_15, "<title>IIS7</title>") || contains(body_16, "<title>IIS7</title>") || contains(body_17, "<title>IIS7</title>") || contains(body_18, "<title>IIS7</title>") || contains(body_19, "<title>IIS7</title>") || contains(body_20, "<title>IIS7</title>") || contains(body_21, "<title>IIS7</title>") || contains(body_22, "<title>IIS7</title>") || contains(body_23, "<title>IIS7</title>")))
          - (!contains(body_1, "Welcome to Windows")) && ((contains(body_2, "Welcome to Windows") || contains(body_3, "Welcome to Windows") || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows") || contains(body_7, "Welcome to Windows") || contains(body_8, "Welcome to Windows") || contains(body_9, "Welcome to Windows") || contains(body_10, "Welcome to Windows") || contains(body_11, "Welcome to Windows") || contains(body_12, "Welcome to Windows") || contains(body_13, "Welcome to Windows") || contains(body_14, "Welcome to Windows") || contains(body_15, "Welcome to Windows") || contains(body_16, "Welcome to Windows") || contains(body_17, "Welcome to Windows") || contains(body_18, "Welcome to Windows") || contains(body_19, "Welcome to Windows") || contains(body_20, "Welcome to Windows") || contains(body_21, "Welcome to Windows") || contains(body_22, "Welcome to Windows") || contains(body_23, "Welcome to Windows")))
          - (!contains(body_1, "Welcome to Microsoft Windows")) && ((contains(body_2, "Welcome to Microsoft Windows") || contains(body_3, "Welcome to Microsoft Windows") || contains(body_4, "Welcome to Microsoft Windows") || contains(body_5, "Welcome to Microsoft Windows") || contains(body_6, "Welcome to Microsoft Windows") || contains(body_7, "Welcome to Microsoft Windows") || contains(body_8, "Welcome to Microsoft Windows") || contains(body_9, "Welcome to Microsoft Windows") || contains(body_10, "Welcome to Microsoft Windows") || contains(body_11, "Welcome to Microsoft Windows") || contains(body_12, "Welcome to Microsoft Windows") || contains(body_13, "Welcome to Microsoft Windows") || contains(body_14, "Welcome to Microsoft Windows") || contains(body_15, "Welcome to Microsoft Windows") || contains(body_16, "Welcome to Microsoft Windows") || contains(body_17, "Welcome to Microsoft Windows") || contains(body_18, "Welcome to Microsoft Windows") || contains(body_19, "Welcome to Microsoft Windows") || contains(body_20, "Welcome to Microsoft Windows") || contains(body_21, "Welcome to Microsoft Windows") || contains(body_22, "Welcome to Microsoft Windows") || contains(body_23, "Welcome to Microsoft Windows")))
          - (!contains(body_1, "Welcome to IIS")) && ((contains(body_2, "Welcome to IIS") || contains(body_3, "Welcome to IIS")) || contains(body_4, "Welcome to IIS") || contains(body_5, "Welcome to IIS") || contains(body_6, "Welcome to IIS") || contains(body_7, "Welcome to IIS") || contains(body_8, "Welcome to IIS") || contains(body_9, "Welcome to IIS") || contains(body_10, "Welcome to IIS") || contains(body_11, "Welcome to IIS") || contains(body_12, "Welcome to IIS") || contains(body_13, "Welcome to IIS") || contains(body_14, "Welcome to IIS") || contains(body_15, "Welcome to IIS") || contains(body_16, "Welcome to IIS") || contains(body_17, "Welcome to IIS") || contains(body_18, "Welcome to IIS") || contains(body_19, "Welcome to IIS") || contains(body_20, "Welcome to IIS") || contains(body_21, "Welcome to IIS") || contains(body_22, "Welcome to IIS") || contains(body_23, "Welcome to IIS"))
          - (!contains(body_1, "default welcome page")) && ((contains(body_2, "default welcome page") || contains(body_3, "default welcome page")) || contains(body_4, "default welcome page") || contains(body_5, "default welcome page") || contains(body_6, "default welcome page") || contains(body_7, "default welcome page") || contains(body_8, "default welcome page") || contains(body_9, "default welcome page") || contains(body_10, "default welcome page") || contains(body_11, "default welcome page") || contains(body_12, "default welcome page") || contains(body_13, "default welcome page") || contains(body_14, "default welcome page") || contains(body_15, "default welcome page") || contains(body_16, "default welcome page") || contains(body_17, "default welcome page") || contains(body_18, "default welcome page") || contains(body_19, "default welcome page") || contains(body_20, "default welcome page") || contains(body_21, "default welcome page") || contains(body_22, "default welcome page") || contains(body_23, "default welcome page"))
          - (!contains(body_1, "Microsoft Azure App")) && ((contains(body_2, "Microsoft Azure App") || contains(body_3, "Microsoft Azure App")) || contains(body_4, "Microsoft Azure App") || contains(body_5, "Microsoft Azure App") || contains(body_6, "Microsoft Azure App") || contains(body_7, "Microsoft Azure App") || contains(body_8, "Microsoft Azure App") || contains(body_9, "Microsoft Azure App") || contains(body_10, "Microsoft Azure App") || contains(body_11, "Microsoft Azure App") || contains(body_12, "Microsoft Azure App") || contains(body_13, "Microsoft Azure App") || contains(body_14, "Microsoft Azure App") || contains(body_15, "Microsoft Azure App") || contains(body_16, "Microsoft Azure App") || contains(body_17, "Microsoft Azure App") || contains(body_18, "Microsoft Azure App") || contains(body_19, "Microsoft Azure App") || contains(body_20, "Microsoft Azure App") || contains(body_21, "Microsoft Azure App") || contains(body_22, "Microsoft Azure App") || contains(body_23, "Microsoft Azure App"))
          - (!contains(body_1, "ssh")) && ((contains(body_2, "ssh") || contains(body_3, "ssh")) || contains(body_4, "ssh") || contains(body_5, "ssh") || contains(body_6, "ssh") || contains(body_7, "ssh") || contains(body_8, "ssh") || contains(body_9, "ssh") || contains(body_10, "ssh") || contains(body_11, "ssh") || contains(body_12, "ssh") || contains(body_13, "ssh") || contains(body_14, "ssh") || contains(body_15, "ssh") || contains(body_16, "ssh") || contains(body_17, "ssh") || contains(body_18, "ssh") || contains(body_19, "ssh") || contains(body_20, "ssh") || contains(body_21, "ssh") || contains(body_22, "ssh") || contains(body_23, "ssh") || contains(body_24, "ssh"))
          - (!contains(body_1, "SSH")) && ((contains(body_2, "SSH") || contains(body_3, "SSH")) || contains(body_4, "SSH") || contains(body_5, "SSH") || contains(body_6, "SSH") || contains(body_7, "SSH") || contains(body_8, "SSH") || contains(body_9, "SSH") || contains(body_10, "SSH") || contains(body_11, "SSH") || contains(body_12, "SSH") || contains(body_13, "SSH") || contains(body_14, "SSH") || contains(body_15, "SSH") || contains(body_16, "SSH") || contains(body_17, "SSH") || contains(body_18, "SSH") || contains(body_19, "SSH") || contains(body_20, "SSH") || contains(body_21, "SSH") || contains(body_22, "SSH") || contains(body_23, "SSH"))
        condition: or
# digest: 4a0a00473045022029b8b98bec5eef01d65c5e1030b1c648df8daca050ccd39fbd9f5d73251534b1022100bda7bd5437d762d83fa381b9dc6f03e5ea8eccc6c01b0f23c6224d242e3f6baf:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/misconfiguration/proxy/open-proxy-internal.yaml"

View on Github