Skip to content

Commit 150b057

Browse files
buixorbuixor
committed
1 parent f54a27b commit 150b057

File tree

4 files changed

+59
-0
lines changed

4 files changed

+59
-0
lines changed

.appsec-tests/vpatch-CVE-2023-29357/CVE-2023-29357.yaml

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
id: CVE-2023-29357
2+
info:
3+
name: CVE-2023-29357
4+
author: crowdsec
5+
severity: info
6+
description: CVE-2023-29357 testing
7+
tags: appsec-testing
8+
http:
9+
- raw:
10+
- |
11+
GET /_api/web/siteusers HTTP/1.1
12+
Host: {{Hostname}}
13+
Accept: application/json
14+
Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJhdWQiOiIwMDAwMDAwMy0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDBAcmVhbG0iLCJpc3MiOiIwMDAwMDAwMy0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDAiLCJuYmYiOjE2OTU5ODc3MDMsImV4cCI6MjAxMTU0NzIyMywidmVyIjoiaGFzaGVkcHJvb2Z0b2tlbiIsIm5hbWVpZCI6IjAwMDAwMDAzLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMEByZWFsbSIsImVuZHBvaW50dXJsIjoicXFsQUptVHhwQjlBNjd4U3laayJ9.AAA
15+
X-PROOF_TOKEN: eyJhbGciOiJub25lIn0.eyJ2ZXIiOiJoYXNoZWRwcm9vZnRva2VuIn0.AAA
16+
17+
cookie-reuse: true
18+
matchers:
19+
- type: status
20+
status:
21+
- 403

.appsec-tests/vpatch-CVE-2023-29357/config.yaml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
appsec-rules:
2+
- ./appsec-rules/crowdsecurity/base-config.yaml
3+
- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-29357.yaml
4+
nuclei_template: CVE-2023-29357.yaml

appsec-rules/crowdsecurity/vpatch-CVE-2023-29357.yaml

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
name: crowdsecurity/vpatch-CVE-2023-29357
2+
description: 'Detects Microsoft SharePoint authentication bypass via forged JWT tokens with "none" algorithm (CVE-2023-29357)'
3+
rules:
4+
- and:
5+
- zones:
6+
- URI
7+
transform:
8+
- lowercase
9+
- urldecode
10+
match:
11+
type: contains
12+
value: '/_api/'
13+
- zones:
14+
- HEADERS
15+
variables:
16+
- Authorization
17+
transform:
18+
- lowercase
19+
match:
20+
type: contains
21+
value: 'hashedprooftoken'
22+
23+
labels:
24+
type: exploit
25+
service: http
26+
confidence: 3
27+
spoofable: 0
28+
behavior: 'http:exploit'
29+
label: 'Microsoft SharePoint Server - Authentication Bypass'
30+
classification:
31+
- cve.CVE-2023-29357
32+
- attack.T1190
33+
- cwe.CWE-290

collections/crowdsecurity/appsec-virtual-patching.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,7 @@ appsec-rules:
4242
- crowdsecurity/vpatch-CVE-2023-46805
4343
- crowdsecurity/vpatch-CVE-2024-23897
4444
- crowdsecurity/vpatch-CVE-2023-22527
45+
- crowdsecurity/vpatch-CVE-2023-29357
4546
- crowdsecurity/vpatch-CVE-2024-5057
4647
- crowdsecurity/vpatch-CVE-2023-35078
4748
- crowdsecurity/vpatch-CVE-2023-35082

0 commit comments

Comments
 (0)