Sandeep Singh
GitHub
commit
08b1ace01e
|
|
@ -0,0 +1,33 @@
|
||||||
|
id: django-framework-exceptions
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Django Framework Exceptions
|
||||||
|
description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
|
||||||
|
author: geeknik
|
||||||
|
reference:
|
||||||
|
- https://docs.djangoproject.com/en/1.11/ref/exceptions/
|
||||||
|
- https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
|
||||||
|
severity: medium
|
||||||
|
tags: file,logs,django
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: exception
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- 'SuspiciousOperation'
|
||||||
|
- 'DisallowedHost'
|
||||||
|
- 'DisallowedModelAdminLookup'
|
||||||
|
- 'DisallowedModelAdminToField'
|
||||||
|
- 'DisallowedRedirect'
|
||||||
|
- 'InvalidSessionKey'
|
||||||
|
- 'RequestDataTooBig'
|
||||||
|
- 'SuspiciousFileOperation'
|
||||||
|
- 'SuspiciousMultipartForm'
|
||||||
|
- 'SuspiciousSession'
|
||||||
|
- 'TooManyFieldsSent'
|
||||||
|
- 'PermissionDenied'
|
||||||
|
|
@ -0,0 +1,23 @@
|
||||||
|
id: python-app-sql-exceptions
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Python App SQL Exception Check
|
||||||
|
description: Generic check for SQL exceptions in Python according to PEP 249
|
||||||
|
reference: https://www.python.org/dev
|
||||||
|
author: geeknik
|
||||||
|
severity: medium
|
||||||
|
tags: file,logs,python,sql
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: exception
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- 'DataError'
|
||||||
|
- 'IntegrityError'
|
||||||
|
- 'ProgrammingError'
|
||||||
|
- 'OperationalError'
|
||||||
|
|
@ -0,0 +1,28 @@
|
||||||
|
id: ruby-on-rails-framework-exceptions
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Ruby on Rails Framework Exceptions
|
||||||
|
description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
|
||||||
|
author: geeknik
|
||||||
|
reference:
|
||||||
|
- http://edgeguides.rubyonrails.org/security.html
|
||||||
|
- http://guides.rubyonrails.org/action_controller_overview.html
|
||||||
|
- https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
|
||||||
|
- https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
|
||||||
|
severity: medium
|
||||||
|
tags: file,logs,ruby,rails
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: exception
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- 'ActionController\:\:InvalidAuthenticityToken'
|
||||||
|
- 'ActionController::InvalidCrossOriginRequest'
|
||||||
|
- 'ActionController::MethodNotAllowed'
|
||||||
|
- 'ActionController::BadRequest'
|
||||||
|
- 'ActionController::ParameterMissing'
|
||||||
|
|
@ -0,0 +1,27 @@
|
||||||
|
id: spring-framework-exceptions
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Spring Framework Exceptions
|
||||||
|
description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
|
||||||
|
author: geeknik
|
||||||
|
reference:
|
||||||
|
- https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
|
||||||
|
severity: medium
|
||||||
|
tags: file,logs,spring
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: exception
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- 'AccessDeniedException'
|
||||||
|
- 'CsrfException'
|
||||||
|
- 'InvalidCsrfTokenException'
|
||||||
|
- 'MissingCsrfTokenException'
|
||||||
|
- 'CookieTheftException'
|
||||||
|
- 'InvalidCookieException'
|
||||||
|
- 'RequestRejectedException'
|
||||||
|
|
@ -0,0 +1,38 @@
|
||||||
|
id: suspicious-sql-error-messages
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Suspicious SQL Error Messages
|
||||||
|
description: Detects SQL error messages that indicate probing for an injection attack
|
||||||
|
author: geeknik
|
||||||
|
severity: high
|
||||||
|
tags: file,logs,sql
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: oracle
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- 'quoted string not properly terminated'
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
name: mysql
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- 'You have an error in your SQL syntax'
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
name: sql_server
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- 'Unclosed quotation mark'
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
name: sqlite
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- 'near \"\*\"\: syntax error'
|
||||||
|
- 'SELECTs to the left and right of UNION do not have the same number of result columns'
|
||||||
Loading…
Reference in New Issue