FrankSpierings/client-desync-error-path.bcheck

## client-desync-error-path.bcheck
metadata:
    language: v1-beta
    name: "Potential Client-Side Desync on erroneous path"
    description: "Tests for Client-Side Desync vulnerabilities on specifically erroneous paths"
    author: "Frank Spierings"

run for each:
    potential_path =
        "/..%2f",
        "/%2e%2e",
        "/%2e%2e%2f"

given host then
    send request called trigger:
        method: "POST"
        path: {potential_path}
        body: "GET /hopefully404 HTTP/1.1\r\nX: foo"

    send request called check:
        method: "GET"
        path: "/"

    if {check.response.status_code} is "404" then
        report issue:
            severity: high
            confidence: tentative
            detail: `Potential client-side desync vector via erroneous path at {potential_path}.`
            remediation: "Ensure the proxy does not introduce Client-Side Desync vulnerabilities."
    end if
	metadata:
	language: v1-beta
	name: "Potential Client-Side Desync on erroneous path"
	description: "Tests for Client-Side Desync vulnerabilities on specifically erroneous paths"
	author: "Frank Spierings"

	run for each:
	potential_path =
	"/..%2f",
	"/%2e%2e",
	"/%2e%2e%2f"

	given host then
	send request called trigger:
	method: "POST"
	path: {potential_path}
	body: "GET /hopefully404 HTTP/1.1\r\nX: foo"

	send request called check:
	method: "GET"
	path: "/"

	if {check.response.status_code} is "404" then
	report issue:
	severity: high
	confidence: tentative
	detail: `Potential client-side desync vector via erroneous path at {potential_path}.`
	remediation: "Ensure the proxy does not introduce Client-Side Desync vulnerabilities."
	end if