Added a few Magento related templates

cves/2020/CVE-2020-5776.yaml

@@ -6,7 +6,7 @@ info:
   severity: high
   description: Currently, all versions of MAGMI are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.
   reference: https://www.tenable.com/security/research/tra-2020-51
-  tags: cve,cve2020,magmi
+  tags: cve,cve2020,magmi,magento
 
   # Due to the lack of CSRF tokens, RCE (via phpcli command) is possible
   # in the event that a CSRF is leveraged against an existing admin session for MAGMI.

cves/2020/CVE-2020-5777.yaml

@@ -6,7 +6,7 @@ info:
   severity: high
   description: MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure.
   reference: https://github.com/dweeves/magmi-git/blob/18bd9ec905c90bfc9eaed0c2bf2d3525002e33b9/magmi/inc/magmi_auth.php#L35
-  tags: cve,cve2020,magmi
+  tags: cve,cve2020,magmi,magento
 
   # Response code 503 indicates a potential successful "Too many connections" error
   # While the Db connection is down, you can access http://[TARGET]/magmi/web/magmi.php

exposed-panels/magento-admin-panel.yaml

@@ -0,0 +1,25 @@
+id: magento-admin-panel
+
+info:
+  name: Exposed Magento Admin Panel
+  author: TechbrunchFR
+  severity: info
+  description: As a security best practice, Magento recommends that you use a unique, custom Admin URL instead of the default admin or a common term such as backend. Although it will not directly protect your site from a determined bad actor, it can reduce exposure to scripts that try to gain unauthorized access.
+  reference:
+    - https://docs.magento.com/user-guide/stores/store-urls-custom-admin.html
+  tags: magento
+
+# There might be a better way and I don't know if it will always return a 302 or set an admin cookie
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/admin'
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 302
+      - type: dsl
+        dsl:
+          - contains(tolower(all_headers), 'admin=') # Set-Cookie: admin=nfocvc2vj376c28red2o6aukpe; e
+        part: header

exposures/configs/magento-config.yaml

@@ -3,7 +3,7 @@ info:
   name: Magento Config Disclosure
   author: geeknik
   severity: medium
-  tags: config,exposure
+  tags: config,exposure,magento
 
 requests:
   - method: GET

technologies/magento-detect.yaml

@@ -0,0 +1,41 @@
+id: magento-detect
+
+info:
+  name: Magento Detect
+  author: TechbrunchFR
+  severity: info
+  description: Identify Magento
+  tags: magento
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+    matchers:
+      - type: dsl
+        dsl:
+          - contains(tolower(all_headers), 'x-magento')
+        part: header
+  # - method: GET
+  #   path:
+  #     # There might be a better way to do that, the idea of this check is that Magento might be behind some kind of proxy when
+  #     # consumed by a SPA/PWA app so we need a valid GraphQL query from Magento to check
+  #     # https://devdocs.magento.com/guides/v2.4/graphql/
+  #     - '{{BaseURL}}/graphql?query=+{customerDownloadableProducts+{+items+{+date+download_url+order_increment_id+remaining_downloads+status+}}+}'
+  #   matchers-condition: and
+  #   matchers:
+  #     - type: status
+  #       status:
+  #         - 200
+  #     - type: word
+  #       words:
+  #         - "The current customer isn't authorized."
+  #       part: body
+  # - method: GET
+  #   path:
+  #     # Based on a check done by magereport.com
+  #     - '{{BaseURL}}/js/varien/product.js'
+  #   matchers:
+  #     - type: status
+  #       status:
+  #         - 200

technologies/magmi-detect.yaml

@@ -4,6 +4,7 @@ info:
   name: "MAGMI (Magento Mass Importer) Plugin Detect"
   author: "dwisiswant0"
   severity: "info"
+  tags: magento
 
 requests:
   - method: GET

vulnerabilities/magento/magento-2-exposed-api.yaml

@@ -0,0 +1,38 @@
+id: magento-2-exposed-api
+
+info:
+  name: Exposed Magento 2 API
+  author: TechbrunchFR
+  severity: info
+  description: The API in Magento 2 can be accessed by the world without providing credentials. Through the API information like storefront, (hidden) products including prices are exposed.
+  reference:
+    - https://support.hypernode.com/en/ecommerce/magento-2/how-to-protect-the-magento-2-api
+  tags: magento
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/rest/V1/products'
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 400
+      - type: word
+        words:
+          - "searchCriteria"
+        part: body
+  - method: GET
+    path:
+      - '{{BaseURL}}/rest/V1/store/storeViews'
+    matchers:
+      - type: status
+        status:
+          - 200
+  - method: GET
+    path:
+      - '{{BaseURL}}/rest/V1/store/storeConfigs'
+    matchers:
+      - type: status
+        status:
+          - 200

vulnerabilities/magento/magento-cacheleak.yaml

@@ -0,0 +1,22 @@
+id: magento-cacheleak
+
+info:
+  name: Magento Cacheleak
+  author: TechbrunchFR
+  severity: high
+  description: Magento Cacheleak is an implementation vulnerability, result of bad implementation of web-server configuration for Magento platform. Magento was developed to work under the Apache web-server which natively works with .htaccess files, so all needed configuration directives specific for various internal Magento folders were placed in .htaccess files.  When Magento is installed on web servers that are ignoring .htaccess files (such as nginx), an attacker can get access to internal Magento folders (such as the Magento cache directory) and extract sensitive information from cache files.
+  reference:
+    - https://support.hypernode.com/en/best-practices/security/how-to-secure-magento-cacheleak
+    - https://www.acunetix.com/vulnerabilities/web/magento-cacheleak/
+    - https://royduineveld.nl/magento-cacheleak-exploit/
+  tags: magento
+
+requests:
+  - method: GET
+    path:
+      # Based on royduineveld.nl blogpost, was not tested against a vulnerable Magento site
+      - '{{BaseURL}}/var/resource_config.json'
+    matchers:
+      - type: status
+        status:
+          - 200

vulnerabilities/magento/magento-unprotected-dev-files.yaml

@@ -0,0 +1,20 @@
+id: magento-unprotected-dev-files
+
+info:
+  name: Magento Unprotected development files
+  author: TechbrunchFR
+  severity: high
+  description: Magento version 1.9.2.x includes /dev directories or files that might reveal your passwords and other sensitive information. The /dev directories and files are not protected by default. According to Magento, "these tests are not supposed to end up on production servers".
+  reference:
+    - magereport.com
+  tags: magento
+
+requests:
+  - method: GET
+    path:
+      # Based on royduineveld.nl blogpost, was not tested against a vulnerable Magento site
+      - '{{BaseURL}}/dev'
+    matchers:
+      - type: status
+        status:
+          - 200

workflows/magento-workflow.yaml

@@ -0,0 +1,20 @@
+id: magento-workflow
+
+info:
+  name: Magento Security Checks
+  author: TechbrunchFR
+  description: A simple workflow that runs all Magento related nuclei templates on a given target.
+  tags: workflow
+
+workflows:
+  - template: technologies/magento-detect.yaml
+
+    subtemplates:
+      - template: technologies/magmi-detect.yaml
+        subtemplates:
+        - template: cves/2020/CVE-2020-5776.yaml
+        - template: cves/2020/CVE-2020-5777.yaml
+      - template: exposures/configs/magento-config.yaml
+      - template: exposed-panels/magento-admin-panel.yaml
+      - template: vulnerabilities/magento
+      #- tags: magento #716