-
Notifications
You must be signed in to change notification settings - Fork 320
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
5cb8dd4
commit 1491b96
Showing
1,353 changed files
with
22,638 additions
and
5,249 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| 20240711 | ||
| 20240712 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,20 +1,23 @@ | ||
| id: google-api-key | ||
|
|
||
| info: | ||
| name: Google API Key | ||
| author: Swissky | ||
| severity: medium | ||
| requests: | ||
| severity: info | ||
| metadata: | ||
| max-request: 2 | ||
| tags: exposure,token,google | ||
|
|
||
| http: | ||
| - method: GET | ||
| path: | ||
| - "{{BaseURL}}" | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: regex | ||
| part: body | ||
| regex: | ||
| - "AIza[0-9A-Za-z\\-_]{35}" | ||
| - "{{BaseURL}}/hopfully404" | ||
|
|
||
| extractors: | ||
| - type: regex | ||
| part: body | ||
| regex: | ||
| - "AIza[0-9A-Za-z\\-_]{35}" | ||
|
|
||
| # digest: 4a0a004730450221008529a1cf21d244ce3327f73d3d68a4e1afc76d0dab02130fa43f449db87fb51802200b6b4d64369e56d8ebba8796e30b0cee88ca1318014c35dee345905fffdb4a3c:922c64590222798bb761d5b6d8e72950 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| id: hardcoded-api-keys | ||
|
|
||
| info: | ||
| name: Hardcoded API Keys | ||
| author: YoruYagami | ||
| severity: high | ||
| description: | | ||
| This template detects hardcoded API keys in the source code. Hardcoding API keys can lead to unauthorized access and abuse if the keys are extracted by attackers. It is recommended to securely store and manage API keys. | ||
| remediation: | | ||
| To remediate this issue, remove hardcoded API keys from the source code and use secure storage solutions such as environment variables, encrypted storage, or secure key management services. Example: | ||
| ```java | ||
| // Store API keys securely, avoid hardcoding | ||
| String apiKey = getApiKeyFromSecureStorage(); | ||
| ``` | ||
| file: | ||
| - extensions: | ||
| - java | ||
| - xml | ||
| - json | ||
|
|
||
| matchers: | ||
| - type: regex | ||
| regex: | ||
| - "apikey=\"[A-Za-z0-9]+\"" | ||
| - "API_KEY = \"[A-Za-z0-9]+\"" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| id: json-api-user | ||
|
|
||
| info: | ||
| name: > | ||
| JSON API User <= 3.9.3 - Unauthenticated Privilege Escalation | ||
| author: topscoder | ||
| severity: low | ||
| description: > | ||
| reference: | ||
| - https://github.com/topscoder/nuclei-wordfence-cve | ||
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/a4a26f60-5912-4d4a-8ef8-e4357c1fb1ff?source=api-scan | ||
| classification: | ||
| cvss-metrics: | ||
| cvss-score: | ||
| cve-id: | ||
| metadata: | ||
| fofa-query: "wp-content/plugins/json-api-user/" | ||
| google-query: inurl:"/wp-content/plugins/json-api-user/" | ||
| shodan-query: 'vuln:' | ||
| tags: cve,wordpress,wp-plugin,json-api-user,low | ||
|
|
||
| http: | ||
| - method: GET | ||
| redirects: true | ||
| max-redirects: 3 | ||
| path: | ||
| - "{{BaseURL}}/wp-content/plugins/json-api-user/readme.txt" | ||
|
|
||
| extractors: | ||
| - type: regex | ||
| name: version | ||
| part: body | ||
| group: 1 | ||
| internal: true | ||
| regex: | ||
| - "(?mi)Stable tag: ([0-9.]+)" | ||
|
|
||
| - type: regex | ||
| name: version | ||
| part: body | ||
| group: 1 | ||
| regex: | ||
| - "(?mi)Stable tag: ([0-9.]+)" | ||
|
|
||
| matchers-condition: and | ||
| matchers: | ||
| - type: status | ||
| status: | ||
| - 200 | ||
|
|
||
| - type: word | ||
| words: | ||
| - "json-api-user" | ||
| part: body | ||
|
|
||
| - type: dsl | ||
| dsl: | ||
| - compare_versions(version, '<= 3.9.3') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,22 +1,25 @@ | ||
| id: kube-api-nodes | ||
| info: | ||
| name: Kube API Nodes | ||
| author: sharath | ||
| author: sharath,ritikchaddha | ||
| severity: info | ||
| description: Scans for kube nodes | ||
| tags: tech,k8s,kubernetes,devops,kube | ||
| requests: | ||
| - method: GET | ||
| path: | ||
| - "{{BaseURL}}/api/v1/nodes" | ||
| matchers-condition: and | ||
| matchers-condition: or | ||
| matchers: | ||
| - type: status | ||
| status: | ||
| - 200 | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - '"NodeList":' | ||
| - '"items":' | ||
| condition: and | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - '"containerRuntimeVersion"' | ||
| - '"kubeletVersion": "v' | ||
| condition: and |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,13 +1,16 @@ | ||
| id: mailgun-api-key | ||
|
|
||
| info: | ||
| name: Mailgun API Key | ||
| author: gaurang | ||
| severity: high | ||
| tags: token,file,mailgun | ||
| tags: file,keys,token,mailgun | ||
| file: | ||
| - extensions: | ||
| - all | ||
|
|
||
| extractors: | ||
| - type: regex | ||
| regex: | ||
| - "key-[0-9a-zA-Z]{32}" | ||
| # digest: 4a0a00473045022006098cd86f41bfb24a9c4c7c6bfc1a855c71c69e8b834739e5ffc4567261266c022100bd407109d7d54367361ebda630747d01a6ba308679d3f50a1654629aa9da4873:922c64590222798bb761d5b6d8e72950 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| id: mstore-api-fcf575731390b94d640824227bb01949 | ||
|
|
||
| info: | ||
| name: > | ||
| MStore API – Create Native Android & iOS Apps On The Cloud <= 4.14.7 - Authentication Bypass | ||
| author: topscoder | ||
| severity: critical | ||
| description: > | ||
| reference: | ||
| - https://github.com/topscoder/nuclei-wordfence-cve | ||
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/17d8e2e9-5e3f-433b-be1a-6ea765eba547?source=api-scan | ||
| classification: | ||
| cvss-metrics: | ||
| cvss-score: | ||
| cve-id: | ||
| metadata: | ||
| fofa-query: "wp-content/plugins/mstore-api/" | ||
| google-query: inurl:"/wp-content/plugins/mstore-api/" | ||
| shodan-query: 'vuln:' | ||
| tags: cve,wordpress,wp-plugin,mstore-api,critical | ||
|
|
||
| http: | ||
| - method: GET | ||
| redirects: true | ||
| max-redirects: 3 | ||
| path: | ||
| - "{{BaseURL}}/wp-content/plugins/mstore-api/readme.txt" | ||
|
|
||
| extractors: | ||
| - type: regex | ||
| name: version | ||
| part: body | ||
| group: 1 | ||
| internal: true | ||
| regex: | ||
| - "(?mi)Stable tag: ([0-9.]+)" | ||
|
|
||
| - type: regex | ||
| name: version | ||
| part: body | ||
| group: 1 | ||
| regex: | ||
| - "(?mi)Stable tag: ([0-9.]+)" | ||
|
|
||
| matchers-condition: and | ||
| matchers: | ||
| - type: status | ||
| status: | ||
| - 200 | ||
|
|
||
| - type: word | ||
| words: | ||
| - "mstore-api" | ||
| part: body | ||
|
|
||
| - type: dsl | ||
| dsl: | ||
| - compare_versions(version, '<= 4.14.7') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,13 +1,16 @@ | ||
| id: pictatic-api-key | ||
|
|
||
| info: | ||
| name: Pictatic API Key | ||
| author: gaurang | ||
| severity: high | ||
| tags: token,file | ||
|
|
||
| file: | ||
| - extensions: | ||
| - all | ||
|
|
||
| extractors: | ||
| - type: regex | ||
| regex: | ||
| - "sk_live_[0-9a-z]{32}" | ||
| - "sk_live_[0-9a-z]{32}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,13 +1,16 @@ | ||
| id: twilio-api | ||
|
|
||
| info: | ||
| name: Twilio API Key | ||
| author: gaurang | ||
| severity: high | ||
| tags: token,file | ||
| tags: file,keys,token | ||
| file: | ||
| - extensions: | ||
| - all | ||
|
|
||
| extractors: | ||
| - type: regex | ||
| regex: | ||
| - "(?i)twilio(.{0,20})?SK[0-9a-f]{32}" | ||
| # digest: 4b0a004830460221009edd6055d2937d438ddc5a460cb57ceaf448ee273900a3a2ff9d217329cbaf170221009df1b8754959e50ef0155608d8ea98f45e87c59221868f7ad7a762ba88ba28fc:922c64590222798bb761d5b6d8e72950 |
Oops, something went wrong.