From 338d4622bf902ee1c4427fc8fc5acf2ab7db12c0 Mon Sep 17 00:00:00 2001
From: sandeep
Date: Wed, 20 Apr 2022 20:08:07 +0530
Subject: [PATCH] parts update to use response instead of all
---
 cves/2018/CVE-2018-1207.yaml | 2 +-
 cves/2019/CVE-2019-16097.yaml | 2 +-
 exposed-panels/jamf-panel.yaml | 2 +-
 exposures/configs/exposed-gitignore.yaml | 2 +-
 misconfiguration/shell-history.yaml | 2 +-
 network/unauth-ftp.yaml | 2 +-
 .../microsoft-exchange-server-detect.yaml | 2 +-
 technologies/tech-detect.yaml | 2 +-
 technologies/waf-detect.yaml | 172 +++++++++---------
 9 files changed, 94 insertions(+), 94 deletions(-)
diff --git a/cves/2018/CVE-2018-1207.yaml b/cves/2018/CVE-2018-1207.yaml
index 2d01313840..f7995e3620 100644
--- a/cves/2018/CVE-2018-1207.yaml
+++ b/cves/2018/CVE-2018-1207.yaml
@@ -28,4 +28,4 @@ requests:
 - type: word
 words:
 - "calling init: /lib/"
- part: all
+ part: response
diff --git a/cves/2019/CVE-2019-16097.yaml b/cves/2019/CVE-2019-16097.yaml
index a22723a7a2..9ed09c3374 100644
--- a/cves/2019/CVE-2019-16097.yaml
+++ b/cves/2019/CVE-2019-16097.yaml
@@ -30,7 +30,7 @@ requests:
 words:
 - "username has already been used"
 - "Location: /api/users/"
- part: all
+ part: response
 condition: or
 - type: status
diff --git a/exposed-panels/jamf-panel.yaml b/exposed-panels/jamf-panel.yaml
index 848da57aec..6338c115ca 100644
--- a/exposed-panels/jamf-panel.yaml
+++ b/exposed-panels/jamf-panel.yaml
@@ -18,7 +18,7 @@ requests:
 matchers-condition: and
 matchers:
 - type: word
- part: all
+ part: response
 words:
 - "Jamf Pro Login"
 - "Jamf Cloud Node"
diff --git a/exposures/configs/exposed-gitignore.yaml b/exposures/configs/exposed-gitignore.yaml
index 86972a626d..2091d462f1 100644
--- a/exposures/configs/exposed-gitignore.yaml
+++ b/exposures/configs/exposed-gitignore.yaml
@@ -35,6 +35,6 @@ requests:
 - ""
 - "text/html"
- part: all
+ part: response
 negative: true
diff --git a/network/unauth-ftp.yaml b/network/unauth-ftp.yaml
index a228cb9043..3ac671efd4 100644
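Review bot: The changed line replaces `part: all` with `part: response` without the patch recording what `all` covered that `response` does not, and the same substitution is repeated in every other hunk of this patch (CVE-2019-16097, jamf-panel, exposed-gitignore, unauth-ftp, microsoft-exchange-server-detect, tech-detect and all of waf-detect). If `all` also included the outgoing request, the new matchers are stricter: a word or regex that only appears in the template's own request line, headers or payload can no longer satisfy the matcher, which removes a class of self-induced false positives but could also drop hits that depended on request text, so a one-sentence statement of that difference in the commit description would let each remaining matcher be judged on its own. The diffstat also lists `misconfiguration/shell-history.yaml` but no hunk for that file appears here, so either this copy of the patch is truncated or the diffstat is stale. The matcher's enclosing `requests:` entry begins before this hunk.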
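Review bot: The `negative: true` matcher that now reads `part: response` still lists `- ""` as its first word, and if word matching is a plain substring test an empty needle matches every response, so the negated matcher would reject every target regardless of the `"text/html"` entry below it. Either the empty entry is a leftover and should be dropped, or the template relies on the engine discarding empty words, in which case a comment such as `# empty word is intentional; the engine skips it` above the list would save the next reader the same question. The matcher's `words:` key and the file's `matchers-condition` lie before the hunk.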
--- a/network/unauth-ftp.yaml
+++ b/network/unauth-ftp.yaml
@@ -19,4 +19,4 @@ network:
 - type: word
 words:
 - "Anonymous access allowed,"
- part: all
\ No newline at end of file
+ part: response
\ No newline at end of file
diff --git a/technologies/microsoft/microsoft-exchange-server-detect.yaml b/technologies/microsoft/microsoft-exchange-server-detect.yaml
index a07f331300..db5d394f14 100644
--- a/technologies/microsoft/microsoft-exchange-server-detect.yaml
+++ b/technologies/microsoft/microsoft-exchange-server-detect.yaml
@@ -19,7 +19,7 @@ requests:
 - type: regex
 regex:
 - "(X-Owa-Version:|/owa/auth/15.2.*|/owa/auth/15.1.*|/owa/auth/15.0.*|/owa/auth/14.0.*)"
- part: all
+ part: response
 - type: word
 words:
diff --git a/technologies/tech-detect.yaml b/technologies/tech-detect.yaml
index c4a07cac2c..ed2978a58e 100644
--- a/technologies/tech-detect.yaml
+++ b/technologies/tech-detect.yaml
@@ -3090,7 +3090,7 @@ requests:
 - "Mida eFramework"
 - "Server: Mida eFramework"
 condition: or
- part: all
+ part: response
 - type: word
 name: SEEEMS-CMS
diff --git a/technologies/waf-detect.yaml b/technologies/waf-detect.yaml
index 1afeb85f84..8ad8d90505 100644
--- a/technologies/waf-detect.yaml
+++ b/technologies/waf-detect.yaml
@@ -37,7 +37,7 @@ requests:
 - '(?i)perimeterx'
 - '(?i)(..)?client.perimeterx.*/[a-zA-Z]{8,15}/*.*.js'
 condition: or
- part: all
+ part: response
 - type: regex
 name: webknight
@@ -45,7 +45,7 @@ requests:
 - '(?i)\bwebknight'
 - '(?i)webknight'
 condition: or
- part: all
+ part: response
 - type: regex
 name: zscaler
@@ -53,7 +53,7 @@ requests:
 - '(?i)zscaler(.\d+(.\d+)?)?'
 - '(?i)zscaler'
 condition: or
- part: all
+ part: response
 - type: regex
 name: fortigate
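Review bot: The added `part: response` line carries the same `\ No newline at end of file` marker as the removed one, so the file still ends without a trailing newline even though the commit rewrites its last line; terminating the new line with a newline fixes that at no cost. This is also the only `network:` template in the patch while every other hunk is a `requests:` (http) template, and the part names the network protocol exposes are not necessarily the same as the http ones; unless `response` is confirmed to be a valid network matcher part with the coverage `all` had, the template may silently stop matching the "Anonymous access allowed," banner, so a run against a local FTP service configured for anonymous login is worth doing before merge. The matcher's enclosing `network:` entry begins before the hunk.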
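Review bot: With `condition: or`, the second word `"Server: Mida eFramework"` is a superstring of the first, `"Mida eFramework"`, so it can never change the outcome of the matcher that now reads `part: response`. Either drop it, or, if the intent is a header-specific check, give it its own matcher with `part: header` so the distinction is real. The matcher's `name:` and `words:` keys start before this hunk.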
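Review bot: Under `condition: or`, the regex `'(?i)perimeterx'` already matches everything `'(?i)(..)?client.perimeterx.*/[a-zA-Z]{8,15}/*.*.js'` can match, so the longer pattern adds regex cost on every response without changing the result; the same short-plus-long pairing recurs in the webknight and zscaler hunks that follow (`\bwebknight` / `webknight`, `zscaler(.\d+(.\d+)?)?` / `zscaler`). If the longer forms are kept to document what was observed in the wild, a comment to that effect above the list, for example `# broad pattern decides; the specific one is documentary`, would stop them being read as a second condition. Each matcher's `regex:` key lies before its hunk.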
@@ -69,21 +69,21 @@ requests: - '(?i)fortigate.hostname' - '(?i)the.page.cannot.be.displayed..please.contact.[^@]+@[^@]+\.[^@]+.for.additional.information' condition: or - part: all + part: response - type: regex name: teros regex: - '(?i)st8(id|.wa|.wf)?.?(\d+|\w+)?' condition: or - part: all + part: response - type: regex name: stricthttp regex: - '(?i)the.request.was.rejected.because.the.url.contained.a.potentially.malicious.string' condition: or - part: all + part: response - type: regex name: stricthttp @@ -91,7 +91,7 @@ requests: - '(?i)rejected.by.url.scan' - '(?i)/rejected.by.url.scan' condition: or - part: all + part: response - type: regex name: shadowd @@ -99,7 +99,7 @@ requests: - '(?i)\d{3}.forbidden<.h\d>' - '(?i)request.forbidden.by.administrative.rules.' condition: or - part: all + part: response - type: regex name: bigip @@ -110,14 +110,14 @@ requests: - '(?i)BigIP|BIG-IP|BIGIP' - '(?i)bigipserver' condition: or - part: all + part: response - type: regex name: edgecast regex: - '(?i)\Aecdf' condition: or - part: all + part: response - type: regex name: radware @@ -126,7 +126,7 @@ requests: - '(?i).>unauthorized.activity.has.been.detected<.' - '(?i)with.the.following.case.number.in.its.subject:.\d+.' condition: or - part: all + part: response - type: regex name: varnish @@ -136,7 +136,7 @@ requests: - '(?i)cachewall' - '(?i).>access.is.blocked.according.to.our.site.security.policy.<+' condition: or - part: all + part: response - type: regex name: infosafe @@ -146,7 +146,7 @@ requests: - '(?i)infosafe.\d.\d' - '(?i)var.infosafekey=' condition: or - part: all + part: response - type: regex name: aliyundun @@ -154,7 +154,7 @@ requests: - '(?i)error(s)?.aliyun(dun)?.(com|net)' - '(?i)http(s)?://(www.)?aliyun.(com|net)' condition: or - part: all + part: response - type: regex name: ats 
@@ -162,7 +162,7 @@ requests: - '(?i)(\()?apachetrafficserver((\/)?\d+(.\d+(.\d+)?)?)' - '(?i)ats((\/)?(\d+(.\d+(.\d+)?)?))?' condition: or - part: all + part: response - type: regex name: malcare @@ -171,19 +171,19 @@ requests: - '(?i).>login.protection<.+.><.+>powered.by<.+.>(<.+.>)?(.?malcare.-.pro|blogvault)?' - '(?i).>firewall<.+.><.+>powered.by<.+.>(<.+.>)?(.?malcare.-.pro|blogvault)?' condition: or - part: all + part: response - type: regex name: wts regex: - '(?i)()?wts.wa(f)?(\w+(\w+(\w+)?)?)?' - part: all + part: response - type: regex name: dw regex: - '(?i)dw.inj.check' - part: all + part: response - type: regex name: denyall @@ -191,7 +191,7 @@ requests: - '(?i)\Acondition.intercepted' - '(?i)\Asessioncookie=' condition: or - part: all + part: response - type: regex name: yunsuo @@ -199,13 +199,13 @@ requests: - '(?i)<img.class=.yunsuologo.' - '(?i)yunsuo.session' condition: or - part: all + part: response - type: regex name: litespeed regex: - '(?i)litespeed.web.server' - part: all + part: response - type: regex name: cloudfront @@ -214,7 +214,7 @@ requests: - '(?i)cloudfront' - '(?i)x.amz.cf.id|nguardx' condition: or - part: all + part: response - type: regex name: anyu @@ -223,7 +223,7 @@ requests: - '(?i)anyu' - '(?i)anyu-?.the.green.channel' condition: or - part: all + part: response - type: regex name: googlewebservices @@ -232,7 +232,7 @@ requests: - '(?i)our.systems.have.detected.unusual.traffic' - '(?i)block(ed)?.by.g.cloud.security.policy.+' condition: or - part: all + part: response - type: regex name: didiyun 
@@ -240,31 +240,31 @@ requests: - '(?i)(http(s)?://)(sec-waf.|www.)?didi(static|yun)?.com(/static/cloudwafstatic)?' - '(?i)didiyun' condition: or - part: all + part: response - type: regex name: blockdos regex: - '(?i)blockdos\.net' - part: all + part: response - type: regex name: codeigniter regex: - '(?i)the.uri.you.submitted.has.disallowed.characters' - part: all + part: response - type: regex name: stingray regex: - '(?i)\AX-Mapping-' - part: all + part: response - type: regex name: west263 regex: - '(?i)wt\d*cdn' - part: all + part: response - type: regex name: aws @@ -274,7 +274,7 @@ requests: - '(?i)x.amz.id.\d+' - '(?i)x.amz.request.id' condition: or - part: all + part: response - type: regex name: yundun @@ -284,7 +284,7 @@ requests: - '(?i)http(s)?.//(www\.)?(\w+.)?yundun(.com)?' - '(?i)<title>.403.forbidden:.access.is.denied.{0,2}<.{0,2}title>' condition: or - part: all + part: response - type: regex name: barracuda @@ -293,13 +293,13 @@ requests: - '(?i)(\A|\b)?barracuda.' - '(?i)barracuda.networks.{1,2}inc' condition: or - part: all + part: response - type: regex name: dodenterpriseprotection regex: - '(?i)dod.enterprise.level.protection.system' - part: all + part: response - type: regex name: secupress @@ -307,13 +307,13 @@ requests: - '(?i)<h\d*>secupress<.' - '(?i)block.id.{1,2}bad.url.contents.<.' condition: or - part: all + part: response - type: regex name: aesecure regex: - '(?i)aesecure.denied.png' - part: all + part: response - type: regex name: incapsula @@ -322,7 +322,7 @@ requests: - '(?i)incapsula' - '(?i)incapsula.incident.id' condition: or - part: all + part: response - type: regex name: nexusguard @@ -330,7 +330,7 @@ requests: - '(?i)nexus.?guard' - '(?i)((http(s)?://)?speresources.)?nexusguard.com.wafpage' condition: or - part: all + part: response - type: regex name: cloudflare @@ -344,7 +344,7 @@ requests: - '(?i)ray.id' - '(?i)__cfduid' condition: or - part: all + part: response - type: regex name: akamai 
@@ -353,7 +353,7 @@ requests: - '(?i)akamaighost' - '(?i)ak.bmsc.' condition: or - part: all + part: response - type: regex name: webseal @@ -361,13 +361,13 @@ requests: - '(?i)webseal.error.message.template' - '(?i)webseal.server.received.an.invalid.http.request' condition: or - part: all + part: response - type: regex name: dotdefender regex: - '(?i)dotdefender.blocked.your.request' - part: all + part: response - type: regex name: pk @@ -376,7 +376,7 @@ requests: - '(?i).http(s)?.//([w]{3})?.kitnetwork.\w' - '(?i).>A.safety.critical.request.was.discovered.and.blocked.<.' condition: or - part: all + part: response - type: regex name: expressionengine @@ -385,19 +385,19 @@ requests: - '(?i).>:.the.uri.you.submitted.has.disallowed.characters.<.' - '(?i)invalid.(get|post).data' condition: or - part: all + part: response - type: regex name: comodo regex: - '(?i)protected.by.comodo.waf' - part: all + part: response - type: regex name: ciscoacexml regex: - '(?i)ace.xml.gateway' - part: all + part: response - type: regex name: barikode @@ -405,7 +405,7 @@ requests: - '(?i).>barikode<.' - '(?i)<h\d{1}>forbidden.access<.h\d{1}>' condition: or - part: all + part: response - type: regex name: watchguard @@ -413,7 +413,7 @@ requests: - '(?i)(request.denied.by.)?watchguard.firewall' - '(?i)watchguard(.technologies(.inc)?)?' condition: or - part: all + part: response - type: regex name: binarysec @@ -422,7 +422,7 @@ requests: - '(?i)x.binarysec.nocache' - '(?i)binarysec' condition: or - part: all + part: response - type: regex name: bekchy @@ -430,7 +430,7 @@ requests: - '(?i)bekchy.(-.)?access.denied' - '(?i)(http(s)?://)(www.)?bekchy.com(/report)?' condition: or - part: all + part: response - type: regex name: bitninja @@ -439,7 +439,7 @@ requests: - '(?i)security.check.by.bitninja' - '(?i).>visitor.anti(\S)?robot.validation<.' condition: or - part: all + part: response - type: regex name: apachegeneric 
@@ -450,7 +450,7 @@ requests: - '(?i)<address>apache/([\d+{1,2}](.[\d+]{1,2}(.[\d+]{1,3})?)?)?' - '(?i)<title>403 Forbidden' condition: or - part: all + part: response - type: regex name: greywizard @@ -460,13 +460,13 @@ requests: - '(?i)(http(s)?.//)?(\w+.)?greywizard.com' - '(?i)grey.wizard' condition: or - part: all + part: response - type: regex name: configserver regex: - '(?i).>the.firewall.on.this.server.is.blocking.your.connection.<+' - part: all + part: response - type: regex name: viettel @@ -475,7 +475,7 @@ requests: - '(?i)viettel.waf.system' - '(?i)(http(s).//)?cloudrity.com(.vn)?' condition: or - part: all + part: response - type: regex name: safedog @@ -483,13 +483,13 @@ requests: - '(?i)(http(s)?)?(://)?(www|404|bbs|\w+)?.safedog.\w' - '(?i)waf(.?\d+.?\d+)' condition: or - part: all + part: response - type: regex name: baidu regex: - '(?i)yunjiasu.nginx' - part: all + part: response - type: regex name: alertlogic @@ -501,13 +501,13 @@ requests: - '(?i)reference.id.?' - '(?i)page.has.either.been.removed.{1,2}renamed' condition: or - part: all + part: response - type: regex name: armor regex: - '(?i)blocked.by.website.protection.from.armour' - part: all + part: response - type: regex name: dosarrest @@ -515,7 +515,7 @@ requests: - '(?i)dosarrest' - '(?i)x.dis.request.id' condition: or - part: all + part: response - type: regex name: paloalto @@ -523,7 +523,7 @@ requests: - 'has.been.blocked.in.accordance.with.company.policy' - '.>Virus.Spyware.Download.Blocked<.' condition: or - part: all + part: response - type: regex name: aspgeneric @@ -541,7 +541,7 @@ requests: - "(?i)<.+>server.error.in.'/'.application.+" - '(?i)\basp.net\b' condition: or - part: all + part: response - type: regex name: powerful @@ -549,7 +549,7 @@ requests: - '(?i)Powerful Firewall' - '(?i)http(s)?...tiny.cc.powerful.firewall' condition: or - part: all + part: response - type: regex name: uewaf 
@@ -557,7 +557,7 @@ requests: - '(?i)http(s)?.//ucloud' - '(?i)uewaf(.deny.pages)' condition: or - part: all + part: response - type: regex name: janusec @@ -565,7 +565,7 @@ requests: - '(?i)janusec' - '(?i)(http(s)?\W+(www.)?)?janusec.(com|net|org)' condition: or - part: all + part: response - type: regex name: siteguard @@ -573,7 +573,7 @@ requests: - '(?i)>Powered.by.SiteGuard.Lite<' - '(?i)refuse.to.browse' condition: or - part: all + part: response - type: regex name: sonicwall @@ -585,7 +585,7 @@ requests: - '(?i)SonicWALL' - '(?i).>policy.this.site.is.blocked<.' condition: or - part: all + part: response - type: regex name: jiasule @@ -595,7 +595,7 @@ requests: - '(?i)notice.jiasule' - '(?i)(static|www|dynamic).jiasule.(com|net)' condition: or - part: all + part: response - type: regex name: nginxgeneric @@ -603,7 +603,7 @@ requests: - '(?i)nginx' - '(?i)you.do(not|n.t)?.have.permission.to.access.this.document' condition: or - part: all + part: response - type: regex name: stackpath @@ -611,13 +611,13 @@ requests: - '(?i)action.that.triggered.the.service.and.blocked' - '(?i)

sorry,.you.have.been.blocked.?<.h2>' condition: or - part: all + part: response - type: regex name: sabre regex: - '(?i)dxsupport@sabre.com' - part: all + part: response - type: regex name: wordfence @@ -626,7 +626,7 @@ requests: - '(?i)your.access.to.this.site.has.been.limited' - '(?i).>wordfence<.' condition: or - part: all + part: response - type: regex name: '360' @@ -637,14 +637,14 @@ requests: - '(?i)360wzws' - '(?i)transfer.is.blocked' condition: or - part: all + part: response - type: regex name: asm regex: - '(?i)the.requested.url.was.rejected..please.consult.with.your.administrator.' condition: or - part: all + part: response - type: regex name: rsfirewall @@ -654,7 +654,7 @@ requests: - '(?i)(\b)?rsfirewall(\b)?' - '(?i)rsfirewall' condition: or - part: all + part: response - type: regex name: sucuri @@ -664,25 +664,25 @@ requests: - '(?i)questions\?.+cloudproxy@sucuri\.net' - '(?i)http(s)?.\/\/(cdn|supportx.)?sucuri(.net|com)?' condition: or - part: all + part: response - type: regex name: airlock regex: - '(?i)\Aal[.-]?(sess|lb)=?' - part: all + part: response - type: regex name: xuanwudun regex: - '(?i)class=.(db)?waf.?(-row.)?>' - part: all + part: response - type: regex name: chuangyudun regex: - '(?i)(http(s)?.//(www.)?)?365cyd.(com|net)' - part: all + part: response - type: regex name: securesphere @@ -695,13 +695,13 @@ requests: - '(?i)page.cannot.be.displayed' - '(?i)contact.support.for.additional.information' condition: or - part: all + part: response - type: regex name: anquanbao regex: - '(?i).aqb_cc.error.' - part: all + part: response - type: regex name: modsecurity @@ -713,7 +713,7 @@ requests: - '(?i)page.you.are.(accessing|trying)?.(to|is)?.(access)?.(is|to)?.(restricted)?' - '(?i)blocked.by.mod.security' condition: or - part: all + part: response - type: regex name: modsecurityowasp 
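Review bot: The stackpath pattern is printed as `- '(?i)` followed by a blank line and then `sorry,.you.have.been.blocked.?<.h2>'`; if the template really contains that break inside the single-quoted scalar, YAML folds it so the regex becomes `(?i)` plus a newline plus `sorry…`, which only matches when a newline immediately precedes "sorry", unlike every other pattern in the file. If this is only a display artifact nothing is needed; otherwise the scalar should be rejoined on one line as `- '(?i)sorry,.you.have.been.blocked.?<.h2>'`. The stackpath matcher's `regex:` key begins before the hunk.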
@@ -721,7 +721,7 @@ requests:
 - '(?i)not.acceptable'
 - '(?i)additionally\S.a.406.not.acceptable'
 condition: or
- part: all
+ part: response
 - type: regex
 name: squid
@@ -730,7 +730,7 @@ requests:
 - '(?i)Access control configuration prevents'
 - '(?i)X.Squid.Error'
 condition: or
- part: all
+ part: response
 - type: regex
 name: shieldsecurity
@@ -739,16 +739,16 @@ requests:
 - '(?i)transgression(\(s\))?.against.this'
 - '(?i)url.{1,2}form.or.cookie.data.wasn.t.appropriate'
 condition: or
- part: all
+ part: response
 - type: regex
 name: wallarm
 regex:
 - '(?i)nginix.wallarm'
- part: all
+ part: response
 - type: regex
- part: all
+ part: response
 name: huaweicloud
 condition: and
 regex: