From 70c4e76f05ee6c938a9f23444046a43728c56b31 Mon Sep 17 00:00:00 2001
From: nodauf
Date: Sat, 24 Oct 2020 23:21:17 +0200
Subject: [PATCH] Add iis-shortname template
---
security-misconfiguration/iis-shortname.yaml | 26 ++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 security-misconfiguration/iis-shortname.yaml
diff --git a/security-misconfiguration/iis-shortname.yaml b/security-misconfiguration/iis-shortname.yaml
new file mode 100644
index 0000000000..f576a4554a
--- /dev/null
+++ b/security-misconfiguration/iis-shortname.yaml
@@ -0,0 +1,26 @@
+id: iis-shortname
+info:
+ name: iis-shortname
+ author: nodauf
+ severity: info
+ description: If IIS use old .Net Framwork it's possible to enumeration folder with the symbol ~.
+
+ # References:
+ # - https://github.com/lijiejie/IIS_shortname_Scanner
+ # - https://www.exploit-db.com/exploits/19525
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/N0t4xist*~1*/a.aspx"
+ - "{{BaseURL}}/*~1*/a.aspx'"
+ - method: OPTIONS
+ path:
+ - "{{BaseURL}}/N0t4xist*~1*/a.aspx"
+ - "{{BaseURL}}/*~1*/a.aspx'"
+
+ matchers:
+ - type: dsl
+ name: multi-req
+ dsl:
+ - "status_code_1!=404 && status_code_2 == 404 || status_code_3 != 404 && status_code_4 == 404"
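Review bot: The second path of both the GET and the OPTIONS request carries a stray single quote inside the string, `"{{BaseURL}}/*~1*/a.aspx'"`, so the wildcard probe no longer differs from the control probe `/N0t4xist*~1*/a.aspx` only in the name prefix; it looks like a copy-paste leftover and should read `- "{{BaseURL}}/*~1*/a.aspx"`. Because the matcher decides purely by comparing the status codes of the two probes, any extra difference between the paths can skew the result in either direction. The DSL line mixes `&&` and `||` without grouping; `(status_code_1 != 404 && status_code_2 == 404) || (status_code_3 != 404 && status_code_4 == 404)` makes the intended pairing explicit. `!= 404` on the control probe also accepts any other status, so a 403 or a redirect from a front-end filter would satisfy that half of the condition; consider pinning the expected status to reduce false positives in scan reports.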