nuclei-templates/exposures/tokens/generic/general-tokens.yaml

id: generic-tokens

info:
  name: Generic Tokens
  author: nadino,geeknik
  severity: info
  tags: exposure,token

requests:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - regex("TOKEN[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"",""))
          - regex("API[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"",""))
          - regex("KEY[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"",""))
          - regex("SECRET[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"",""))
          - regex("AUTHORIZATION[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"",""))
          - regex("PASSWORD[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"",""))

      - type: regex
        part: body
        regex:
          - '(?i)key(sinternal|up|down|press|boardnavigation|words?|board|ebrow|board_fill|_retry_interval|_fetched|_expiresat|board_shortcuts|s_close|s_previous|s_next|s_zoom|s_play_pause)'
          - '(?i)password(lessauth|requirementsashtmllist|emailnotfoundmessage|label|errormessage|message|_checkemail_title|_newfield_retype|_text_new|login_submit|_has_expired_title|_has_expired_text|_error|_hint|_strength)'
          - '(?i)(!native)|(.*keybindings)'
          - '(?i)(layout|a)key'
          - '(?i)token_expires_in'
        condition: or
        negative: true

    extractors:
      - type: regex
        part: body
        regex:
          - (T|t)(O|o)(K|k)(E|e)(N|n)[\-|_|A-Za-z0-9]*(\''|")?( )*(:|=)+()*(\''|")?[ 0-9A-Za-z\-_]+(\''|")?
          - (A|a)(P|p)(Ii)[\-|_|A-Za-z0-9]*(\''|")?( )*(:|=)( )*(\''|")?[0-9A-Za-z\-_]+(\''|")?
          - (K|k)(E|e)(Y|y)[\-|_|A-Za-z0-9]*(\''|")?( )*(:|=)( )*(\''|")?[0-9A-Za-z\-_]+(\''|")?
          - (S|s)(E|e)(C|c)(R|r)(E|e)(T|t)[\-|_|A-Za-z0-9]*(\''|")?( )*(:|=)()*(\''|")?[ 0-9A-Za-z\-_]+(\''|")?
          - (A|a)(U|u)(T|t)(H|h)(O|o)(R|r)(I|i)(Z|z)(A|a)(T|t)(I|i)(O|o)(N|n)[\-|_|A-Za-z0-9]*(\''|")?()*(:|=)( )*(\''|")?[ 0-9A-Za-z\-_]+(\''|")?
          - (P|p)(A|a)(S|s)(S|s)(W|w)(O|o)(R|r)(D|d)[\-|_|A-Za-z0-9]*(\''|")?()*(:|=)( )*(\''|")?[ 0-9A-Za-z\-_]+(\''|")?
fixes 2021-01-10 23:20:14 +00:00			`id: generic-tokens`
renamed noisy to basic-detections 2020-05-24 03:57:26 +00:00
			`info:`
fixes 2021-01-10 23:20:14 +00:00			`name: Generic Tokens`
Updated author names 2021-06-09 12:20:56 +00:00			`author: nadino,geeknik`
fixes 2021-01-10 23:20:14 +00:00			`severity: info`
Moving tokens under exposures with tags support 2021-04-13 13:48:02 +00:00			`tags: exposure,token`
Fix comments-indentation linter 2021-03-11 16:17:26 +00:00
renamed noisy to basic-detections 2020-05-24 03:57:26 +00:00			`requests:`
			`- method: GET`
			`path:`
Linting refactor to make yamllint happy 2020-05-25 11:52:12 +00:00			`- '{{BaseURL}}'`
More tokens and keys :rocket: 2021-04-08 15:45:49 +00:00
adding condition 2020-07-11 05:50:35 +00:00			`matchers-condition: and`
renamed noisy to basic-detections 2020-05-24 03:57:26 +00:00			`matchers:`
			`- type: dsl`
			`dsl:`
Linting refactor to make yamllint happy 2020-05-25 11:52:12 +00:00			`- regex("TOKEN[\\-\|_\|A-Z0-9]*(\'\|\")?(:\|=)(\'\|\")?[\\-\|_\|A-Z0-9]{10}",replace(toupper(body),"",""))`
			`- regex("API[\\-\|_\|A-Z0-9]*(\'\|\")?(:\|=)(\'\|\")?[\\-\|_\|A-Z0-9]{10}",replace(toupper(body),"",""))`
			`- regex("KEY[\\-\|_\|A-Z0-9]*(\'\|\")?(:\|=)(\'\|\")?[\\-\|_\|A-Z0-9]{10}",replace(toupper(body),"",""))`
			`- regex("SECRET[\\-\|_\|A-Z0-9]*(\'\|\")?(:\|=)(\'\|\")?[\\-\|_\|A-Z0-9]{10}",replace(toupper(body),"",""))`
			`- regex("AUTHORIZATION[\\-\|_\|A-Z0-9]*(\'\|\")?(:\|=)(\'\|\")?[\\-\|_\|A-Z0-9]{10}",replace(toupper(body),"",""))`
			`- regex("PASSWORD[\\-\|_\|A-Z0-9]*(\'\|\")?(:\|=)(\'\|\")?[\\-\|_\|A-Z0-9]{10}",replace(toupper(body),"",""))`
More tokens and keys :rocket: 2021-04-08 15:45:49 +00:00
			`- type: regex`
			`part: body`
			`regex:`
Update general-tokens.yaml more FP work 2021-08-12 14:53:33 +00:00			`- '(?i)key(sinternal\|up\|down\|press\|boardnavigation\|words?\|board\|ebrow\|board_fill\|_retry_interval\|_fetched\|_expiresat\|board_shortcuts\|s_close\|s_previous\|s_next\|s_zoom\|s_play_pause)'`
			`- '(?i)password(lessauth\|requirementsashtmllist\|emailnotfoundmessage\|label\|errormessage\|message\|_checkemail_title\|_newfield_retype\|_text_new\|login_submit\|_has_expired_title\|_has_expired_text\|_error\|_hint\|_strength)'`
Update general-tokens.yaml I believe this might work. 2021-08-17 16:52:31 +00:00			`- '(?i)(!native)\|(.*keybindings)'`
Update general-tokens.yaml more FP work 2021-08-12 14:53:33 +00:00			`- '(?i)(layout\|a)key'`
Update general-tokens.yaml 2021-09-02 15:36:46 +00:00			`- '(?i)token_expires_in'`
Update general-tokens.yaml fix another false positive 2021-06-01 18:22:05 +00:00			`condition: or`
More tokens and keys :rocket: 2021-04-08 15:45:49 +00:00			`negative: true`

renamed noisy to basic-detections 2020-05-24 03:57:26 +00:00			`extractors:`
			`- type: regex`
			`part: body`
			`regex:`
Linting refactor to make yamllint happy 2020-05-25 11:52:12 +00:00			`- (T\|t)(O\|o)(K\|k)(E\|e)(N\|n)[\-\|_\|A-Za-z0-9](\''\|")?( )(:\|=)+()*(\''\|")?[ 0-9A-Za-z\-_]+(\''\|")?`
			`- (A\|a)(P\|p)(Ii)[\-\|_\|A-Za-z0-9](\''\|")?( )(:\|=)( )*(\''\|")?[0-9A-Za-z\-_]+(\''\|")?`
			`- (K\|k)(E\|e)(Y\|y)[\-\|_\|A-Za-z0-9](\''\|")?( )(:\|=)( )*(\''\|")?[0-9A-Za-z\-_]+(\''\|")?`
			`- (S\|s)(E\|e)(C\|c)(R\|r)(E\|e)(T\|t)[\-\|_\|A-Za-z0-9](\''\|")?( )(:\|=)()*(\''\|")?[ 0-9A-Za-z\-_]+(\''\|")?`
			`- (A\|a)(U\|u)(T\|t)(H\|h)(O\|o)(R\|r)(I\|i)(Z\|z)(A\|a)(T\|t)(I\|i)(O\|o)(N\|n)[\-\|_\|A-Za-z0-9](\''\|")?()(:\|=)( )*(\''\|")?[ 0-9A-Za-z\-_]+(\''\|")?`
			`- (P\|p)(A\|a)(S\|s)(S\|s)(W\|w)(O\|o)(R\|r)(D\|d)[\-\|_\|A-Za-z0-9](\''\|")?()(:\|=)( )*(\''\|")?[ 0-9A-Za-z\-_]+(\''\|")?`