Merge branch 'PortSwigger:main' into main

.github/workflows/issue_webhook.yml

@@ -16,8 +16,7 @@ jobs:
         env:
           AUTHOR: ${{ github.event.issue.user.login }}
           TITLE: ${{ github.event.issue.title }}
-          LINK: ${{ github.event.issue.url }}
-          GITHUB_CONTEXT: ${{ toJson(github) }}
+          LINK: ${{ github.event.issue.html_url }}
           WEBHOOK: ${{ secrets.WEBHOOK_URL }}
           AUTH_TOKEN: ${{ secrets.AUTH_TOKEN }}
-
+

.github/workflows/pr_bcheck_checker.yml

@@ -1,7 +1,7 @@
 name: Pull Request BCheckChecker
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, reopened]
 
 jobs:
@@ -16,4 +16,4 @@ jobs:
           distribution: 'oracle'
 
       - name: Validate BChecks
-        run: java -jar BCheckChecker-1.0.jar
+        run: java -jar BCheckChecker-1.0.jar

.github/workflows/pr_webhook.yml

@@ -16,7 +16,6 @@ jobs:
         env:
           AUTHOR: ${{ github.event.pull_request.user.login }}
           TITLE: ${{ github.event.pull_request.title }}
-          LINK: ${{ github.event.pull_request.url }}
-          GITHUB_CONTEXT: ${{ toJson(github) }}
+          LINK: ${{ github.event.pull_request.html_url }}
           WEBHOOK: ${{ secrets.WEBHOOK_URL }}
-          AUTH_TOKEN: ${{ secrets.AUTH_TOKEN }}
+          AUTH_TOKEN: ${{ secrets.AUTH_TOKEN }}

README.md

@@ -2,6 +2,18 @@
 
 Burp Suite Professional BChecks developed both by PortSwigger and the community with 🧡
 
+## Documentation and Blogs
+If you click the ? Icon in the top right of the BChecks sub tab in the Extensions tab you will be linked to the documentation.
+
+Online documentation can be found [here](https://portswigger.net/burp/documentation/scanner/bchecks)
+
+[BChecks: Houston, we have a solution! (blog)](https://portswigger.net/blog/bchecks-houston-we-have-a-solution)
+
+[Burp Suite Short (video)](https://youtu.be/NaiQMJk4nus)
+
+## Community submissions
+Please issue a pull request
+
 ## the BChecks
 
 ### Examples
@@ -29,13 +41,3 @@ BChecks for specific vulnerability classes as opposed to discrete vulnerabilitie
 Other BChecks doing all the wonderful things which we didn't imagine
 
 [/other](/other/)
-
-## Documentation and Blogs
-If you click the ? Icon in the top right of the BChecks sub tab in the Extensions tab you will be linked to the documentation.
-
-Online documentation can be found here https://portswigger.net/burp/documentation/scanner/bchecks
-
-Blogs to follow when it hits our Stable release channel. 
-
-## Community submissions
-Please issue a pull request

other/exposed-simple-saml-php-ui.bcheck

@@ -0,0 +1,23 @@
+metadata:
+    language: v1-beta
+    name: "Simple SAML php Admin Interface"
+    description: "Tests for exposed admin interface of Simple SAML php"
+    author: "Patrick Schmid"
+
+run for each:
+    potential_path =
+        "/saml/module.php/core/login-admin.php?ReturnTo=",
+        "/sso/module.php/core/login-admin.php?ReturnTo="
+
+given host then
+    send request called check:
+        method: "GET"
+        path: {potential_path}
+
+    if "loginuserpass.php" in {check.response.body} then
+        report issue:
+            severity: info
+            confidence: certain
+            detail: `Simple SAML php admin interface found at {potential_path}.`
+            remediation: "Ensure your Simple SAML php admin interface is not exposed."
+    end if

other/missing-security-txt.bcheck

@@ -0,0 +1,22 @@
+metadata:
+    language: v1-beta
+    name: "Missing security.txt"
+    description: "Checks for a missing security.txt according to RFC 9116"
+    author: "Patrick Schmid"
+
+define:
+    potential_path =
+        "/.well-known/security.txt"
+
+given host then
+    send request called check:
+        method: "GET"
+        path: {potential_path}
+
+    if not("Contact:" in {check.response.body}) then
+        report issue:
+            severity: info
+            confidence: certain
+            detail: `No security.txt could be found at {potential_path}.`
+            remediation: "Consider describing your security vulnerability disclosure process in a security.txt file according to RFC 9116 (https://www.rfc-editor.org/rfc/rfc9116)."
+    end if

vulnerabilities-CVEd/CVE-2023-24488.bcheck

@@ -0,0 +1,24 @@
+metadata:
+    language: v1-beta
+    name: "[CVE-2023-24488] Vulnerable Citrix Gateway Detected."
+    description: "This rule checks if the remote host is vulnerable to CVE-2023-24488 - Citrix CRLF Injection / Reflected Xss"
+    author: "TheButcher"
+    tags: "CVE-2023-24488","citrix","crlf","xss","openredirection"
+
+define:
+    potential_path =
+        "/oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E"
+
+given host then
+    send request called check:
+        method: "GET"
+        path: {potential_path}
+
+    if "document.cookie" in {check.response.body} then
+        report issue:
+            severity: medium
+            confidence: certain
+            detail: "The post_logout_redirect_uri GET Parameter is susceptible to Open Redirection, which can be exploited for CRLF injection leading to XSS through HTTP Response Splitting. There is also a potential risk of cache poisoning if Citrix Gateway is deployed in such a configuration."
+            remediation: "Affected customers of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible - https://support.citrix.com/article/CTX477714/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202324487-cve202324488"
+
+    end if

vulnerabilities-CVEd/README.md

@@ -6,3 +6,4 @@
 
 ## CVE-2021-27748 Websphere Portal Server Side Request Forgery 
 
+## CVE-2023-24488 Citrix Gateway CRLF Injection / Reflected Xss