daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

misc changes

patch-1
sandeep 2021-05-28 10:45:16 +05:30
parent 92f455cc6e
commit ad269dddc7
1 changed files with 91 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
technologies/waf-detect.yaml
View File

@ -4,9 +4,8 @@ info:
name: WAF Detection
author: dwisiswant0 & lu4nx
severity: info
# Source:
# - https://github.com/Ekultek/WhatWaf
reference: https://github.com/Ekultek/WhatWaf
tags: waf,tech,misc
requests:
- raw:
@ -20,11 +19,13 @@ requests:
redirects: true
max-redirects: 2
matchers:
- type: regex
name: instart
regex:
- '(?i)instartrequestid'
part: all
part: body
- type: regex
name: perimx
regex:
@ -34,6 +35,7 @@ requests:
- '(?i)(..)?client.perimeterx.*/[a-zA-Z]{8,15}/*.*.js'
condition: or
part: all
- type: regex
name: webknight
regex:
@ -41,6 +43,7 @@ requests:
- '(?i)webknight'
condition: or
part: all
- type: regex
name: zscaler
regex:
@ -48,6 +51,7 @@ requests:
- '(?i)zscaler'
condition: or
part: all
- type: regex
name: fortigate
regex:
@ -63,18 +67,21 @@ requests:
- '(?i)the.page.cannot.be.displayed..please.contact.[^@]+@[^@]+\.[^@]+.for.additional.information'
condition: or
part: all
- type: regex
name: teros
regex:
- '(?i)st8(id|.wa|.wf)?.?(\d+|\w+)?'
condition: or
part: all
- type: regex
name: stricthttp
regex:
- '(?i)the.request.was.rejected.because.the.url.contained.a.potentially.malicious.string'
condition: or
part: all
- type: regex
name: stricthttp
regex:
@ -82,6 +89,7 @@ requests:
- '(?i)/rejected.by.url.scan'
condition: or
part: all
- type: regex
name: shadowd
regex:
@ -89,6 +97,7 @@ requests:
- '(?i)request.forbidden.by.administrative.rules.'
condition: or
part: all
- type: regex
name: bigip
regex:
@ -99,12 +108,14 @@ requests:
- '(?i)bigipserver'
condition: or
part: all
- type: regex
name: edgecast
regex:
- '(?i)\Aecdf'
condition: or
part: all
- type: regex
name: radware
regex:
@ -113,6 +124,7 @@ requests:
- '(?i)with.the.following.case.number.in.its.subject:.\d+.'
condition: or
part: all
- type: regex
name: varnish
regex:
@ -122,6 +134,7 @@ requests:
- '(?i).>access.is.blocked.according.to.our.site.security.policy.<+'
condition: or
part: all
- type: regex
name: infosafe
regex:
@ -131,6 +144,7 @@ requests:
- '(?i)var.infosafekey='
condition: or
part: all
- type: regex
name: aliyundun
regex:
@ -138,6 +152,7 @@ requests:
- '(?i)http(s)?://(www.)?aliyun.(com|net)'
condition: or
part: all
- type: regex
name: ats
regex:
@ -145,6 +160,7 @@ requests:
- '(?i)ats((\/)?(\d+(.\d+(.\d+)?)?))?'
condition: or
part: all
- type: regex
name: malcare
regex:
@ -153,16 +169,19 @@ requests:
- '(?i).>firewall<.+.><.+>powered.by<.+.>(<.+.>)?(.?malcare.-.pro|blogvault)?'
condition: or
part: all
- type: regex
name: wts
regex:
- '(?i)(<title>)?wts.wa(f)?(\w+(\w+(\w+)?)?)?'
part: all
- type: regex
name: dw
regex:
- '(?i)dw.inj.check'
part: all
- type: regex
name: denyall
regex:
@ -170,6 +189,7 @@ requests:
- '(?i)\Asessioncookie='
condition: or
part: all
- type: regex
name: yunsuo
regex:
@ -177,11 +197,13 @@ requests:
- '(?i)yunsuo.session'
condition: or
part: all
- type: regex
name: litespeed
regex:
- '(?i)litespeed.web.server'
part: all
- type: regex
name: cloudfront
regex:
@ -190,6 +212,7 @@ requests:
- '(?i)x.amz.cf.id|nguardx'
condition: or
part: all
- type: regex
name: anyu
regex:
@ -198,6 +221,7 @@ requests:
- '(?i)anyu-?.the.green.channel'
condition: or
part: all
- type: regex
name: googlewebservices
regex:
@ -206,6 +230,7 @@ requests:
- '(?i)block(ed)?.by.g.cloud.security.policy.+'
condition: or
part: all
- type: regex
name: didiyun
regex:
@ -213,26 +238,31 @@ requests:
- '(?i)didiyun'
condition: or
part: all
- type: regex
name: blockdos
regex:
- '(?i)blockdos\.net'
part: all
- type: regex
name: codeigniter
regex:
- '(?i)the.uri.you.submitted.has.disallowed.characters'
part: all
- type: regex
name: stingray
regex:
- '(?i)\AX-Mapping-'
part: all
- type: regex
name: west263
regex:
- '(?i)wt\d*cdn'
part: all
- type: regex
name: aws
regex:
@ -242,6 +272,7 @@ requests:
- '(?i)x.amz.request.id'
condition: or
part: all
- type: regex
name: yundun
regex:
@ -251,6 +282,7 @@ requests:
- '(?i)<title>.403.forbidden:.access.is.denied.{0,2}<.{0,2}title>'
condition: or
part: all
- type: regex
name: barracuda
regex:
@ -259,11 +291,13 @@ requests:
- '(?i)barracuda.networks.{1,2}inc'
condition: or
part: all
- type: regex
name: dodenterpriseprotection
regex:
- '(?i)dod.enterprise.level.protection.system'
part: all
- type: regex
name: secupress
regex:
@ -271,11 +305,13 @@ requests:
- '(?i)block.id.{1,2}bad.url.contents.<.'
condition: or
part: all
- type: regex
name: aesecure
regex:
- '(?i)aesecure.denied.png'
part: all
- type: regex
name: incapsula
regex:
@ -284,6 +320,7 @@ requests:
- '(?i)incapsula.incident.id'
condition: or
part: all
- type: regex
name: nexusguard
regex:
@ -291,6 +328,7 @@ requests:
- '(?i)((http(s)?://)?speresources.)?nexusguard.com.wafpage'
condition: or
part: all
- type: regex
name: cloudflare
regex:
@ -304,6 +342,7 @@ requests:
- '(?i)__cfduid'
condition: or
part: all
- type: regex
name: akamai
regex:
@ -312,6 +351,7 @@ requests:
- '(?i)ak.bmsc.'
condition: or
part: all
- type: regex
name: webseal
regex:
@ -319,11 +359,13 @@ requests:
- '(?i)webseal.server.received.an.invalid.http.request'
condition: or
part: all
- type: regex
name: dotdefender
regex:
- '(?i)dotdefender.blocked.your.request'
part: all
- type: regex
name: pk
regex:
@ -332,6 +374,7 @@ requests:
- '(?i).>A.safety.critical.request.was.discovered.and.blocked.<.'
condition: or
part: all
- type: regex
name: expressionengine
regex:
@ -340,16 +383,19 @@ requests:
- '(?i)invalid.(get|post).data'
condition: or
part: all
- type: regex
name: comodo
regex:
- '(?i)protected.by.comodo.waf'
part: all
- type: regex
name: ciscoacexml
regex:
- '(?i)ace.xml.gateway'
part: all
- type: regex
name: barikode
regex:
@ -357,6 +403,7 @@ requests:
- '(?i)<h\d{1}>forbidden.access<.h\d{1}>'
condition: or
part: all
- type: regex
name: watchguard
regex:
@ -364,6 +411,7 @@ requests:
- '(?i)watchguard(.technologies(.inc)?)?'
condition: or
part: all
- type: regex
name: binarysec
regex:
@ -372,6 +420,7 @@ requests:
- '(?i)binarysec'
condition: or
part: all
- type: regex
name: bekchy
regex:
@ -379,6 +428,7 @@ requests:
- '(?i)(http(s)?://)(www.)?bekchy.com(/report)?'
condition: or
part: all
- type: regex
name: bitninja
regex:
@ -387,6 +437,7 @@ requests:
- '(?i).>visitor.anti(\S)?robot.validation<.'
condition: or
part: all
- type: regex
name: apachegeneric
regex:
@ -397,6 +448,7 @@ requests:
- '(?i)<title>403 Forbidden</title>'
condition: or
part: all
- type: regex
name: greywizard
regex:
@ -406,11 +458,13 @@ requests:
- '(?i)grey.wizard'
condition: or
part: all
- type: regex
name: configserver
regex:
- '(?i).>the.firewall.on.this.server.is.blocking.your.connection.<+'
part: all
- type: regex
name: viettel
regex:
@ -419,6 +473,7 @@ requests:
- '(?i)(http(s).//)?cloudrity.com(.vn)?'
condition: or
part: all
- type: regex
name: safedog
regex:
@ -426,11 +481,13 @@ requests:
- '(?i)waf(.?\d+.?\d+)'
condition: or
part: all
- type: regex
name: baidu
regex:
- '(?i)yunjiasu.nginx'
part: all
- type: regex
name: alertlogic
regex:
@ -442,11 +499,13 @@ requests:
- '(?i)page.has.either.been.removed.{1,2}renamed'
condition: or
part: all
- type: regex
name: armor
regex:
- '(?i)blocked.by.website.protection.from.armour'
part: all
- type: regex
name: dosarrest
regex:
@ -454,6 +513,7 @@ requests:
- '(?i)x.dis.request.id'
condition: or
part: all
- type: regex
name: paloalto
regex:
@ -461,6 +521,7 @@ requests:
- '.>Virus.Spyware.Download.Blocked<.'
condition: or
part: all
- type: regex
name: aspgeneric
regex:
@ -478,6 +539,7 @@ requests:
- '(?i)\basp.net\b'
condition: or
part: all
- type: regex
name: powerful
regex:
@ -485,6 +547,7 @@ requests:
- '(?i)http(s)?...tiny.cc.powerful.firewall'
condition: or
part: all
- type: regex
name: uewaf
regex:
@ -492,6 +555,7 @@ requests:
- '(?i)uewaf(.deny.pages)'
condition: or
part: all
- type: regex
name: janusec
regex:
@ -499,6 +563,7 @@ requests:
- '(?i)(http(s)?\W+(www.)?)?janusec.(com|net|org)'
condition: or
part: all
- type: regex
name: siteguard
regex:
@ -506,6 +571,7 @@ requests:
- '(?i)refuse.to.browse'
condition: or
part: all
- type: regex
name: sonicwall
regex:
@ -517,6 +583,7 @@ requests:
- '(?i).>policy.this.site.is.blocked<.'
condition: or
part: all
- type: regex
name: jiasule
regex:
@ -526,6 +593,7 @@ requests:
- '(?i)(static|www|dynamic).jiasule.(com|net)'
condition: or
part: all
- type: regex
name: nginxgeneric
regex:
@ -533,6 +601,7 @@ requests:
- '(?i)you.do(not|n.t)?.have.permission.to.access.this.document'
condition: or
part: all
- type: regex
name: stackpath
regex:
@ -540,11 +609,13 @@ requests:
- '(?i)<h2>sorry,.you.have.been.blocked.?<.h2>'
condition: or
part: all
- type: regex
name: sabre
regex:
- '(?i)dxsupport@sabre.com'
part: all
- type: regex
name: wordfence
regex:
@ -553,6 +624,7 @@ requests:
- '(?i).>wordfence<.'
condition: or
part: all
- type: regex
name: '360'
regex:
@ -563,12 +635,14 @@ requests:
- '(?i)transfer.is.blocked'
condition: or
part: all
- type: regex
name: asm
regex:
- '(?i)the.requested.url.was.rejected..please.consult.with.your.administrator.'
condition: or
part: all
- type: regex
name: rsfirewall
regex:
@ -578,6 +652,7 @@ requests:
- '(?i)rsfirewall'
condition: or
part: all
- type: regex
name: sucuri
regex:
@ -587,21 +662,25 @@ requests:
- '(?i)http(s)?.\/\/(cdn|supportx.)?sucuri(.net|com)?'
condition: or
part: all
- type: regex
name: airlock
regex:
- '(?i)\Aal[.-]?(sess|lb)=?'
part: all
- type: regex
name: xuanwudun
regex:
- '(?i)class=.(db)?waf.?(-row.)?>'
part: all
- type: regex
name: chuangyudun
regex:
- '(?i)(http(s)?.//(www.)?)?365cyd.(com|net)'
part: all
- type: regex
name: securesphere
regex:
@ -614,11 +693,13 @@ requests:
- '(?i)contact.support.for.additional.information'
condition: or
part: all
- type: regex
name: anquanbao
regex:
- '(?i).aqb_cc.error.'
part: all
- type: regex
name: modsecurity
regex:
@ -630,6 +711,7 @@ requests:
- '(?i)blocked.by.mod.security'
condition: or
part: all
- type: regex
name: modsecurityowasp
regex:
@ -637,6 +719,7 @@ requests:
- '(?i)additionally\S.a.406.not.acceptable'
condition: or
part: all
- type: regex
name: squid
regex:
@ -645,6 +728,7 @@ requests:
- '(?i)X.Squid.Error'
condition: or
part: all
- type: regex
name: shieldsecurity
regex:
@ -653,11 +737,13 @@ requests:
- '(?i)url.{1,2}form.or.cookie.data.wasn.t.appropriate'
condition: or
part: all
- type: regex
name: wallarm
regex:
- '(?i)nginix.wallarm'
part: all
- type: regex
part: all
name: huaweicloud
@ -665,21 +751,4 @@ requests:
regex:
- '(?)content="CloudWAF"'
- 'Server: CloudWAF'
- 'Set-Cookie: HWWAFSESID='
dns:
- name: "{{FQDN}}"
type: CNAME
recursion: true
retries: 5
class: inet
matchers:
- type: word
name: sanfor-shield
words:
- ".sangfordns.com"
- type: word
name: 360panyun
words:
- ".360panyun.com"
- 'Set-Cookie: HWWAFSESID='