Better Magento Detection

lokiuox · lokiuox · commit e9d93b2bfd45 · 2024-09-04T18:36:10.000+02:00
diff --git a/doyensec/detectors/magento_cosmicsting_xxe/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202434102/MagentoCosmicStingXxe.java b/doyensec/detectors/magento_cosmicsting_xxe/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202434102/MagentoCosmicStingXxe.java
@@ -24,6 +24,7 @@
 import com.google.common.collect.ImmutableList;
 import com.google.common.flogger.GoogleLogger;
 import com.google.common.util.concurrent.Uninterruptibles;
+import com.google.gson.JsonElement;
 import com.google.gson.JsonObject;
 import com.google.protobuf.ByteString;
 import com.google.protobuf.util.Timestamps;
@@ -122,6 +123,11 @@ public final class MagentoCosmicStingXxe implements VulnDetector {
   static final String VULNERABLE_ENDPOINT_PATH =
       "rest/all/V1/guest-carts/test-assetnote/estimate-shipping-methods";
 
+  @VisibleForTesting
+  static final String CURRENCY_ENDPOINT_PATH = "rest/default/V1/directory/currency";
+
+  @VisibleForTesting static final String VERSION_ENDPOINT_PATH = "magento_version";
+
   private static final GoogleLogger logger = GoogleLogger.forEnclosingClass();
   private final Clock utcClock;
   private final HttpClient httpClient;
@@ -152,15 +158,59 @@ public DetectionReportList detect(
         .addAllDetectionReports(
             matchedServices.stream()
                 .filter(NetworkServiceUtils::isWebService)
+                .filter(this::isMagento)
                 .filter(this::isServiceVulnerable)
                 .map(networkService -> buildDetectionReport(targetInfo, networkService))
                 .collect(toImmutableList()))
         .build();
   }
 
+  /*
+    Check presence of endpoint with always anonymous access: /rest/default/V1/directory/currency
+    From: https://developer.adobe.com/commerce/webapi/rest/use-rest/anonymous-api-security/
+
+    Typical response:
+    HTTP/2 200 OK
+    {
+      "base_currency_code": "USD",
+      "base_currency_symbol": "$",
+      ...
+    }
+  */
+  private boolean isMagento(NetworkService networkService) {
+    String targetUri =
+        NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + CURRENCY_ENDPOINT_PATH;
+
+    HttpRequest req =
+        HttpRequest.get(targetUri)
+            .setHeaders(HttpHeaders.builder().addHeader("Accept", "application/json").build())
+            .build();
+
+    HttpResponse response;
+    try {
+      response = this.httpClient.send(req, networkService);
+    } catch (IOException e) {
+      return false;
+    }
+
+    // Check status code 200
+    if (response.status() != HttpStatus.OK) return false;
+    // Check if body is JSON
+    if (response.bodyJson().isEmpty()) return false;
+    JsonElement body = response.bodyJson().get();
+    // Check if JSON body is object
+    if (!body.isJsonObject()) return false;
+    // If the body has a known key, e.g. "base_currency_code", it's Magento
+    return body.getAsJsonObject().has("base_currency_code");
+  }
+
+  /*
+   Tries to get the Magento version by fetching /magento_version
+   This endpoint can be manually disabled, so don't stop the plugin if we can't fetch it
+  */
   private String detectMagentoVersion(NetworkService networkService) {
     String targetUri =
-        NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + "magento_version";
+        NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + VERSION_ENDPOINT_PATH;
     logger.atInfo().log("Trying to detect Magento version at '%s'", targetUri);
 
     HttpRequest req = HttpRequest.get(targetUri).withEmptyHeaders().build();
diff --git a/doyensec/detectors/magento_cosmicsting_xxe/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202434102/MagentoCosmicStingXxeTest.java b/doyensec/detectors/magento_cosmicsting_xxe/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202434102/MagentoCosmicStingXxeTest.java
@@ -74,6 +74,8 @@ public final class MagentoCosmicStingXxeTest {
   private MockWebServer mockCallbackServer = new MockWebServer();
 
   private static final String MOCK_MAGENTO_VERSION = "Magento/2.4 (Mock)";
+  private static final String MOCK_CURRENCY_ENDPOINT_RESPONSE =
+      "{\"base_currency_code\":\"USD\",\"base_currency_symbol\":\"$\",\"default_display_currency_code\":\"USD\",\"default_display_currency_symbol\":\"$\",\"available_currency_codes\":[\"USD\",\"EUR\"],\"exchange_rates\":[{\"currency_to\":\"USD\",\"rate\":1},{\"currency_to\":\"EUR\",\"rate\":0.7067}]}";
   private static final String PATCHED_INSTANCE_RESPONSE = "{\"message\":\"Invalid data type\"}";
   private static final String VULNERABLE_INSTANCE_RESPONSE =
       "{\"message\":\"Internal Error. Details are available in Magento log file. Report ID:"
@@ -120,7 +122,7 @@ public void detect_whenVulnerableAndTcsAvailable_reportsCriticalVulnerability()
     DetectionReport expectedDetection =
         generateDetectionReportWithCallback(targetInfo, httpServices.get(0));
     assertThat(detectionReports.getDetectionReportsList()).containsExactly(expectedDetection);
-    assertThat(mockWebServer.getRequestCount()).isEqualTo(2);
+    assertThat(mockWebServer.getRequestCount()).isEqualTo(3);
     assertThat(mockCallbackServer.getRequestCount()).isEqualTo(1);
   }
 
@@ -140,7 +142,7 @@ public void detect_whenVulnerableAndTcsNotAvailable_reportsHighVulnerability()
     DetectionReport expectedDetection =
         generateDetectionReportWithResponseMatching(targetInfo, httpServices.get(0));
     assertThat(detectionReports.getDetectionReportsList()).containsExactly(expectedDetection);
-    assertThat(mockWebServer.getRequestCount()).isEqualTo(2);
+    assertThat(mockWebServer.getRequestCount()).isEqualTo(3);
     assertThat(mockCallbackServer.getRequestCount()).isEqualTo(0);
   }
 
@@ -158,7 +160,7 @@ public void detect_whenNotVulnerableAndTcsAvailable_reportsNoVulnerability() thr
     DetectionReportList detectionReports = detector.detect(targetInfo, httpServices);
 
     assertThat(detectionReports.getDetectionReportsList()).isEmpty();
-    assertThat(mockWebServer.getRequestCount()).isEqualTo(2);
+    assertThat(mockWebServer.getRequestCount()).isEqualTo(3);
     assertThat(mockCallbackServer.getRequestCount()).isEqualTo(1);
   }
 
@@ -176,7 +178,7 @@ public void detect_whenNotVulnerableAndTcsNotAvailable_reportsNoVulnerability()
     DetectionReportList detectionReports = detector.detect(targetInfo, httpServices);
 
     assertThat(detectionReports.getDetectionReportsList()).isEmpty();
-    assertThat(mockWebServer.getRequestCount()).isEqualTo(2);
+    assertThat(mockWebServer.getRequestCount()).isEqualTo(3);
     assertThat(mockCallbackServer.getRequestCount()).isEqualTo(0);
   }
 
@@ -254,11 +256,18 @@ static final class EndpointDispatcher extends Dispatcher {
     public MockResponse dispatch(RecordedRequest recordedRequest) {
 
       if (recordedRequest.getMethod().equals("GET")
-          && recordedRequest.getPath().equals("/magento_version")) {
+          && recordedRequest.getPath().equals("/" + VERSION_ENDPOINT_PATH)) {
         // Version detection request
         return new MockResponse()
             .setResponseCode(HttpStatus.OK.code())
             .setBody(MOCK_MAGENTO_VERSION);
+      } else if (recordedRequest.getMethod().equals("GET")
+          && recordedRequest.getPath().equals("/" + CURRENCY_ENDPOINT_PATH)) {
+        // Magento identification request
+        return new MockResponse()
+            .setResponseCode(HttpStatus.OK.code())
+            .setHeader("Content-Type", "application/json; charset=utf-8")
+            .setBody(MOCK_CURRENCY_ENDPOINT_RESPONSE);
       } else if (recordedRequest.getMethod().equals("POST")
           && recordedRequest.getPath().equals("/" + VULNERABLE_ENDPOINT_PATH)) {
         // Exploit attempt
