Add iis-shortname template

security-misconfiguration/iis-shortname.yaml

@@ -0,0 +1,26 @@
+id: iis-shortname
+info:
+  name: iis-shortname
+  author: nodauf
+  severity: info
+  description:  If IIS use old .Net Framwork it's possible to enumeration folder with the symbol ~.
+
+  # References:
+  # - https://github.com/lijiejie/IIS_shortname_Scanner
+  # - https://www.exploit-db.com/exploits/19525
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/N0t4xist*~1*/a.aspx"
+      - "{{BaseURL}}/*~1*/a.aspx'"
+  - method: OPTIONS
+    path:
+      - "{{BaseURL}}/N0t4xist*~1*/a.aspx"
+      - "{{BaseURL}}/*~1*/a.aspx'"
+
+    matchers:
+      - type: dsl
+        name: multi-req
+        dsl:
+          - "status_code_1!=404 && status_code_2 == 404 || status_code_3 != 404 && status_code_4 == 404"