parts update to use response instead of all

2022-04-20 20:08:07 +05:30 · 2022-04-20 20:08:07 +05:30 · 338d4622bf
parent f6d22de7ee
commit 338d4622bf
9 changed files with 94 additions and 94 deletions
--- a/cves/2018/CVE-2018-1207.yaml
+++ b/cves/2018/CVE-2018-1207.yaml
@ -28,4 +28,4 @@ requests:
      - type: word
        words:
          - "calling init: /lib/"
-        part: all
+        part: response
--- a/cves/2019/CVE-2019-16097.yaml
+++ b/cves/2019/CVE-2019-16097.yaml
@ -30,7 +30,7 @@ requests:
        words:
          - "username has already been used"
          - "Location: /api/users/"
-        part: all
+        part: response
        condition: or
      - type: status
--- a/exposed-panels/jamf-panel.yaml
+++ b/exposed-panels/jamf-panel.yaml
@ -18,7 +18,7 @@ requests:
    matchers-condition: and
    matchers:
      - type: word
-        part: all
+        part: response
        words:
          - "Jamf Pro Login"
          - "Jamf Cloud Node"
--- a/exposures/configs/exposed-gitignore.yaml
+++ b/exposures/configs/exposed-gitignore.yaml
@ -35,6 +35,6 @@ requests:
          - "<script"
          - "<meta"
          - "image/"
-        part: all
+        part: response
        negative: true
        condition: or
--- a/misconfiguration/shell-history.yaml
+++ b/misconfiguration/shell-history.yaml
@ -47,5 +47,5 @@ requests:
          - "application/xml"
          - "html>"
          - "text/html"
-        part: all
+        part: response
        negative: true
--- a/network/unauth-ftp.yaml
+++ b/network/unauth-ftp.yaml
@ -19,4 +19,4 @@ network:
      - type: word
        words:
          - "Anonymous access allowed,"
-        part: all
+        part: response
--- a/technologies/microsoft/microsoft-exchange-server-detect.yaml
+++ b/technologies/microsoft/microsoft-exchange-server-detect.yaml
@ -19,7 +19,7 @@ requests:
      - type: regex
        regex:
          - "(X-Owa-Version:|/owa/auth/15.2.*|/owa/auth/15.1.*|/owa/auth/15.0.*|/owa/auth/14.0.*)"
-        part: all
+        part: response
      - type: word
        words:
--- a/technologies/tech-detect.yaml
+++ b/technologies/tech-detect.yaml
@ -3090,7 +3090,7 @@ requests:
          - "<title>Mida eFramework</title>"
          - "Server: Mida eFramework"
        condition: or
-        part: all
+        part: response
      - type: word
        name: SEEEMS-CMS
--- a/technologies/waf-detect.yaml
+++ b/technologies/waf-detect.yaml
@ -37,7 +37,7 @@ requests:
          - '(?i)perimeterx'
          - '(?i)(..)?client.perimeterx.*/[a-zA-Z]{8,15}/*.*.js'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: webknight
@ -45,7 +45,7 @@ requests:
          - '(?i)\bwebknight'
          - '(?i)webknight'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: zscaler
@ -53,7 +53,7 @@ requests:
          - '(?i)zscaler(.\d+(.\d+)?)?'
          - '(?i)zscaler'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: fortigate
@ -69,21 +69,21 @@ requests:
          - '(?i)fortigate.hostname'
          - '(?i)the.page.cannot.be.displayed..please.contact.[^@]+@[^@]+\.[^@]+.for.additional.information'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: teros
        regex:
          - '(?i)st8(id|.wa|.wf)?.?(\d+|\w+)?'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: stricthttp
        regex:
          - '(?i)the.request.was.rejected.because.the.url.contained.a.potentially.malicious.string'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: stricthttp
@ -91,7 +91,7 @@ requests:
          - '(?i)rejected.by.url.scan'
          - '(?i)/rejected.by.url.scan'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: shadowd
@ -99,7 +99,7 @@ requests:
          - '(?i)<h\d>\d{3}.forbidden<.h\d>'
          - '(?i)request.forbidden.by.administrative.rules.'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: bigip
@ -110,14 +110,14 @@ requests:
          - '(?i)BigIP|BIG-IP|BIGIP'
          - '(?i)bigipserver'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: edgecast
        regex:
          - '(?i)\Aecdf'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: radware
@ -126,7 +126,7 @@ requests:
          - '(?i).>unauthorized.activity.has.been.detected<.'
          - '(?i)with.the.following.case.number.in.its.subject:.\d+.'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: varnish
@ -136,7 +136,7 @@ requests:
          - '(?i)cachewall'
          - '(?i).>access.is.blocked.according.to.our.site.security.policy.<+'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: infosafe
@ -146,7 +146,7 @@ requests:
          - '(?i)infosafe.\d.\d'
          - '(?i)var.infosafekey='
        condition: or
-        part: all
+        part: response
      - type: regex
        name: aliyundun
@ -154,7 +154,7 @@ requests:
          - '(?i)error(s)?.aliyun(dun)?.(com|net)'
          - '(?i)http(s)?://(www.)?aliyun.(com|net)'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: ats
@ -162,7 +162,7 @@ requests:
          - '(?i)(\()?apachetrafficserver((\/)?\d+(.\d+(.\d+)?)?)'
          - '(?i)ats((\/)?(\d+(.\d+(.\d+)?)?))?'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: malcare
@ -171,19 +171,19 @@ requests:
          - '(?i).>login.protection<.+.><.+>powered.by<.+.>(<.+.>)?(.?malcare.-.pro|blogvault)?'
          - '(?i).>firewall<.+.><.+>powered.by<.+.>(<.+.>)?(.?malcare.-.pro|blogvault)?'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: wts
        regex:
          - '(?i)(<title>)?wts.wa(f)?(\w+(\w+(\w+)?)?)?'
-        part: all
+        part: response
      - type: regex
        name: dw
        regex:
          - '(?i)dw.inj.check'
-        part: all
+        part: response
      - type: regex
        name: denyall
@ -191,7 +191,7 @@ requests:
          - '(?i)\Acondition.intercepted'
          - '(?i)\Asessioncookie='
        condition: or
-        part: all
+        part: response
      - type: regex
        name: yunsuo
@ -199,13 +199,13 @@ requests:
          - '(?i)<img.class=.yunsuologo.'
          - '(?i)yunsuo.session'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: litespeed
        regex:
          - '(?i)litespeed.web.server'
-        part: all
+        part: response
      - type: regex
        name: cloudfront
@ -214,7 +214,7 @@ requests:
          - '(?i)cloudfront'
          - '(?i)x.amz.cf.id|nguardx'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: anyu
@ -223,7 +223,7 @@ requests:
          - '(?i)anyu'
          - '(?i)anyu-?.the.green.channel'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: googlewebservices
@ -232,7 +232,7 @@ requests:
          - '(?i)our.systems.have.detected.unusual.traffic'
          - '(?i)block(ed)?.by.g.cloud.security.policy.+'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: didiyun
@ -240,31 +240,31 @@ requests:
          - '(?i)(http(s)?://)(sec-waf.|www.)?didi(static|yun)?.com(/static/cloudwafstatic)?'
          - '(?i)didiyun'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: blockdos
        regex:
          - '(?i)blockdos\.net'
-        part: all
+        part: response
      - type: regex
        name: codeigniter
        regex:
          - '(?i)the.uri.you.submitted.has.disallowed.characters'
-        part: all
+        part: response
      - type: regex
        name: stingray
        regex:
          - '(?i)\AX-Mapping-'
-        part: all
+        part: response
      - type: regex
        name: west263
        regex:
          - '(?i)wt\d*cdn'
-        part: all
+        part: response
      - type: regex
        name: aws
@ -274,7 +274,7 @@ requests:
          - '(?i)x.amz.id.\d+'
          - '(?i)x.amz.request.id'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: yundun
@ -284,7 +284,7 @@ requests:
          - '(?i)http(s)?.//(www\.)?(\w+.)?yundun(.com)?'
          - '(?i)<title>.403.forbidden:.access.is.denied.{0,2}<.{0,2}title>'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: barracuda
@ -293,13 +293,13 @@ requests:
          - '(?i)(\A|\b)?barracuda.'
          - '(?i)barracuda.networks.{1,2}inc'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: dodenterpriseprotection
        regex:
          - '(?i)dod.enterprise.level.protection.system'
-        part: all
+        part: response
      - type: regex
        name: secupress
@ -307,13 +307,13 @@ requests:
          - '(?i)<h\d*>secupress<.'
          - '(?i)block.id.{1,2}bad.url.contents.<.'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: aesecure
        regex:
          - '(?i)aesecure.denied.png'
-        part: all
+        part: response
      - type: regex
        name: incapsula
@ -322,7 +322,7 @@ requests:
          - '(?i)incapsula'
          - '(?i)incapsula.incident.id'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: nexusguard
@ -330,7 +330,7 @@ requests:
          - '(?i)nexus.?guard'
          - '(?i)((http(s)?://)?speresources.)?nexusguard.com.wafpage'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: cloudflare
@ -344,7 +344,7 @@ requests:
          - '(?i)ray.id'
          - '(?i)__cfduid'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: akamai
@ -353,7 +353,7 @@ requests:
          - '(?i)akamaighost'
          - '(?i)ak.bmsc.'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: webseal
@ -361,13 +361,13 @@ requests:
          - '(?i)webseal.error.message.template'
          - '(?i)webseal.server.received.an.invalid.http.request'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: dotdefender
        regex:
          - '(?i)dotdefender.blocked.your.request'
-        part: all
+        part: response
      - type: regex
        name: pk
@ -376,7 +376,7 @@ requests:
          - '(?i).http(s)?.//([w]{3})?.kitnetwork.\w'
          - '(?i).>A.safety.critical.request.was.discovered.and.blocked.<.'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: expressionengine
@ -385,19 +385,19 @@ requests:
          - '(?i).>:.the.uri.you.submitted.has.disallowed.characters.<.'
          - '(?i)invalid.(get|post).data'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: comodo
        regex:
          - '(?i)protected.by.comodo.waf'
-        part: all
+        part: response
      - type: regex
        name: ciscoacexml
        regex:
          - '(?i)ace.xml.gateway'
-        part: all
+        part: response
      - type: regex
        name: barikode
@ -405,7 +405,7 @@ requests:
          - '(?i).>barikode<.'
          - '(?i)<h\d{1}>forbidden.access<.h\d{1}>'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: watchguard
@ -413,7 +413,7 @@ requests:
          - '(?i)(request.denied.by.)?watchguard.firewall'
          - '(?i)watchguard(.technologies(.inc)?)?'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: binarysec
@ -422,7 +422,7 @@ requests:
          - '(?i)x.binarysec.nocache'
          - '(?i)binarysec'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: bekchy
@ -430,7 +430,7 @@ requests:
          - '(?i)bekchy.(-.)?access.denied'
          - '(?i)(http(s)?://)(www.)?bekchy.com(/report)?'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: bitninja
@ -439,7 +439,7 @@ requests:
          - '(?i)security.check.by.bitninja'
          - '(?i).>visitor.anti(\S)?robot.validation<.'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: apachegeneric
@ -450,7 +450,7 @@ requests:
          - '(?i)<address>apache/([\d+{1,2}](.[\d+]{1,2}(.[\d+]{1,3})?)?)?'
          - '(?i)<title>403 Forbidden</title>'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: greywizard
@ -460,13 +460,13 @@ requests:
          - '(?i)(http(s)?.//)?(\w+.)?greywizard.com'
          - '(?i)grey.wizard'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: configserver
        regex:
          - '(?i).>the.firewall.on.this.server.is.blocking.your.connection.<+'
-        part: all
+        part: response
      - type: regex
        name: viettel
@ -475,7 +475,7 @@ requests:
          - '(?i)viettel.waf.system'
          - '(?i)(http(s).//)?cloudrity.com(.vn)?'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: safedog
@ -483,13 +483,13 @@ requests:
          - '(?i)(http(s)?)?(://)?(www|404|bbs|\w+)?.safedog.\w'
          - '(?i)waf(.?\d+.?\d+)'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: baidu
        regex:
          - '(?i)yunjiasu.nginx'
-        part: all
+        part: response
      - type: regex
        name: alertlogic
@ -501,13 +501,13 @@ requests:
          - '(?i)reference.id.?'
          - '(?i)page.has.either.been.removed.{1,2}renamed'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: armor
        regex:
          - '(?i)blocked.by.website.protection.from.armour'
-        part: all
+        part: response
      - type: regex
        name: dosarrest
@ -515,7 +515,7 @@ requests:
          - '(?i)dosarrest'
          - '(?i)x.dis.request.id'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: paloalto
@ -523,7 +523,7 @@ requests:
          - 'has.been.blocked.in.accordance.with.company.policy'
          - '.>Virus.Spyware.Download.Blocked<.'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: aspgeneric
@ -541,7 +541,7 @@ requests:
          - "(?i)<.+>server.error.in.'/'.application.+"
          - '(?i)\basp.net\b'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: powerful
@ -549,7 +549,7 @@ requests:
          - '(?i)Powerful Firewall'
          - '(?i)http(s)?...tiny.cc.powerful.firewall'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: uewaf
@ -557,7 +557,7 @@ requests:
          - '(?i)http(s)?.//ucloud'
          - '(?i)uewaf(.deny.pages)'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: janusec
@ -565,7 +565,7 @@ requests:
          - '(?i)janusec'
          - '(?i)(http(s)?\W+(www.)?)?janusec.(com|net|org)'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: siteguard
@ -573,7 +573,7 @@ requests:
          - '(?i)>Powered.by.SiteGuard.Lite<'
          - '(?i)refuse.to.browse'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: sonicwall
@ -585,7 +585,7 @@ requests:
          - '(?i)SonicWALL'
          - '(?i).>policy.this.site.is.blocked<.'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: jiasule
@ -595,7 +595,7 @@ requests:
          - '(?i)notice.jiasule'
          - '(?i)(static|www|dynamic).jiasule.(com|net)'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: nginxgeneric
@ -603,7 +603,7 @@ requests:
          - '(?i)nginx'
          - '(?i)you.do(not|n.t)?.have.permission.to.access.this.document'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: stackpath
@ -611,13 +611,13 @@ requests:
          - '(?i)action.that.triggered.the.service.and.blocked'
          - '(?i)<h2>sorry,.you.have.been.blocked.?<.h2>'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: sabre
        regex:
          - '(?i)dxsupport@sabre.com'
-        part: all
+        part: response
      - type: regex
        name: wordfence
@ -626,7 +626,7 @@ requests:
          - '(?i)your.access.to.this.site.has.been.limited'
          - '(?i).>wordfence<.'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: '360'
@ -637,14 +637,14 @@ requests:
          - '(?i)360wzws'
          - '(?i)transfer.is.blocked'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: asm
        regex:
          - '(?i)the.requested.url.was.rejected..please.consult.with.your.administrator.'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: rsfirewall
@ -654,7 +654,7 @@ requests:
          - '(?i)(\b)?rsfirewall(\b)?'
          - '(?i)rsfirewall'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: sucuri
@ -664,25 +664,25 @@ requests:
          - '(?i)questions\?.+cloudproxy@sucuri\.net'
          - '(?i)http(s)?.\/\/(cdn|supportx.)?sucuri(.net|com)?'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: airlock
        regex:
          - '(?i)\Aal[.-]?(sess|lb)=?'
-        part: all
+        part: response
      - type: regex
        name: xuanwudun
        regex:
          - '(?i)class=.(db)?waf.?(-row.)?>'
-        part: all
+        part: response
      - type: regex
        name: chuangyudun
        regex:
          - '(?i)(http(s)?.//(www.)?)?365cyd.(com|net)'
-        part: all
+        part: response
      - type: regex
        name: securesphere
@ -695,13 +695,13 @@ requests:
          - '(?i)page.cannot.be.displayed'
          - '(?i)contact.support.for.additional.information'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: anquanbao
        regex:
          - '(?i).aqb_cc.error.'
-        part: all
+        part: response
      - type: regex
        name: modsecurity
@ -713,7 +713,7 @@ requests:
          - '(?i)page.you.are.(accessing|trying)?.(to|is)?.(access)?.(is|to)?.(restricted)?'
          - '(?i)blocked.by.mod.security'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: modsecurityowasp
@ -721,7 +721,7 @@ requests:
          - '(?i)not.acceptable'
          - '(?i)additionally\S.a.406.not.acceptable'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: squid
@ -730,7 +730,7 @@ requests:
          - '(?i)Access control configuration prevents'
          - '(?i)X.Squid.Error'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: shieldsecurity
@ -739,16 +739,16 @@ requests:
          - '(?i)transgression(\(s\))?.against.this'
          - '(?i)url.{1,2}form.or.cookie.data.wasn.t.appropriate'
        condition: or
-        part: all
+        part: response
      - type: regex
        name: wallarm
        regex:
          - '(?i)nginix.wallarm'
-        part: all
+        part: response
      - type: regex
-        part: all
+        part: response
        name: huaweicloud
        condition: and
        regex: