From ccdfda258dd3d0b58e7986a14b23e61c28850607 Mon Sep 17 00:00:00 2001
From: Oways
Date: Tue, 1 Sep 2020 15:45:29 +0300
Subject: [PATCH] Create drupal-user-enum-ajax.yaml [drupal-user-enum-ajax] [http] https://example.com/admin/views/ajax/autocomplete/user/a ["Anonymous"]
---
.../drupal-user-enum-ajax.yaml | 34 +++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 security-misconfiguration/drupal-user-enum-ajax.yaml
diff --git a/security-misconfiguration/drupal-user-enum-ajax.yaml b/security-misconfiguration/drupal-user-enum-ajax.yaml
new file mode 100644
index 0000000000..19c22c1a9e
--- /dev/null
+++ b/security-misconfiguration/drupal-user-enum-ajax.yaml
@@ -0,0 +1,34 @@
+id: drupal-user-enum-ajax
+
+info:
+ name: Drupal User Enumration [Ajax]
+ author: 0w4ys
+ severity: info
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/admin/views/ajax/autocomplete/user/a"
+ - "{{BaseURL}}/views/ajax/autocomplete/user/a"
+ - "{{BaseURL}}/?q=admin/views/ajax/autocomplete/user/a"
+ - "{{BaseURL}}/?q=views/ajax/autocomplete/user/a"
+ headers:
+ User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - '(?i)\{\"a'
+ part: body
+ - type: word
+ words:
+ - "Content-Type: application/json"
+ part: header
+ - type: status
+ status:
+ - 200
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - '"[\w \-\_\@\.]+\"'
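Review bot: The body matcher `'(?i)\{\"a'` is unanchored, so any 200 JSON response containing an object key that starts with "a" satisfies all three matchers, and the template will report user enumeration on unrelated JSON endpoints or catch-all routes. Anchoring it to the start of the body, for example `'(?i)^\s*\{"a'`, would cut those false positives while still matching the autocomplete object. The header matcher `"Content-Type: application/json"` is a literal word and is presumably compared case-sensitively, so a server that emits a lower-case header name would be missed; a regex such as `'(?i)content-type:\s*application/json'` is more tolerant. The `info` block would also benefit from fixing the `Enumration` typo in `name` and from a `description` line saying that the endpoint returns account names to unauthenticated requests and that access to it should be restricted, so whoever receives the finding knows what to fix.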