Report stored ssrf attacks correctly

Author: bitterpanda63

aikido_zen/vulnerabilities/ssrf/imds.py

@@ -51,10 +51,12 @@ def is_trusted_hostname(hostname):
 
 def resolves_to_imds_ip(resolved_ip_addresses, hostname):
     """
-    returns a boolean, true if the IP is an imds ip
+    Returns the IMDS IP address as a string if it exists in resolved_ip_addresses,
+    otherwise returns an empty string.
     """
-    #  Allow access to Google Cloud metadata service as you need to set specific headers to access it
-    #  We don't want to block legitimate requests
     if is_trusted_hostname(hostname):
-        return False
-    return any(is_imds_ip_address(ip) for ip in resolved_ip_addresses)
+        return
+    for ip in resolved_ip_addresses:
+        if is_imds_ip_address(ip):
+            return ip
+    return

aikido_zen/vulnerabilities/ssrf/inspect_getaddrinfo_result.py

@@ -24,12 +24,16 @@ def inspect_getaddrinfo_result(dns_results, hostname, port):
         return
 
     ip_addresses = extract_ip_array_from_results(dns_results)
-    stored_ssrf_findings = resolves_to_imds_ip(ip_addresses, hostname)
-    if stored_ssrf_findings:
+    imds_ip = resolves_to_imds_ip(ip_addresses, hostname)
+    if imds_ip:
         return {
             "module": "socket",
             "operation": "socket.getaddrinfo",
-            "kind": "ssrf",
+            "kind": "stored_ssrf",
+            "source": "",
+            "path": "",
+            "metadata": {"hostname": hostname, "privateIP": imds_ip},
+            "payload": hostname,
         }
 
     if not ip_addresses_contain_private_ip(ip_addresses):