From ae8b2125a109733ba469ec4ee8fbbf5e79fd36e2 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Mon, 5 Jun 2023 14:24:27 +0530
Subject: [PATCH] updated templates
---
 .../cloud/atechmedia-codebase.yaml | 7 +++----
 http/credential-stuffing/cloud/atlassian.yaml | 5 +++--
 .../cloud/avnil-pdf-generator.yaml | 4 +++-
 http/credential-stuffing/cloud/chefapi.yaml | 6 ++----
 http/credential-stuffing/cloud/codepen.yaml | 2 +-
 http/credential-stuffing/cloud/datadog.yaml | 2 +-
 http/credential-stuffing/cloud/docker-hub.yaml | 10 ++++------
 http/credential-stuffing/cloud/gitea.yaml | 5 +++--
 http/credential-stuffing/cloud/github.yaml | 6 +++++-
 http/credential-stuffing/cloud/postman.yaml | 3 +--
 http/credential-stuffing/cloud/pulmi.yaml | 5 +----
 http/credential-stuffing/self-hosted/gitlab.yaml | 16 +++++-----------
 .../credential-stuffing/self-hosted/grafana.yaml | 6 ++----
 http/credential-stuffing/self-hosted/jira.yaml | 2 +-
 14 files changed, 35 insertions(+), 44 deletions(-)
diff --git a/http/credential-stuffing/cloud/atechmedia-codebase.yaml b/http/credential-stuffing/cloud/atechmedia-codebase.yaml
index 746c0452a7..ad725e75f9 100644
--- a/http/credential-stuffing/cloud/atechmedia-codebase.yaml
+++ b/http/credential-stuffing/cloud/atechmedia-codebase.yaml
@@ -2,7 +2,7 @@ id: atechmedia-codebase-login-check
 info: name: Atechmedia/Codebase Login Check - author: parthmalhotra, pdresearch + author: parthmalhotra,pdresearch severity: critical description: Checks for a valid Atechmedia/Codebase account. reference:
@@ -15,17 +15,14 @@ requests:
 - | GET https://identity.atechmedia.com/login HTTP/1.1 Host: identity.atechmedia.com - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Referer: https://identity.atechmedia.com/login - | POST https://identity.atechmedia.com/login HTTP/1.1 Host: identity.atechmedia.com - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Origin: https://identity.atechmedia.com Content-Type: application/x-www-form-urlencoded Referer: https://identity.atechmedia.com/login - Connection: close utf8=%E2%9C%93&authenticity_token={{url_encode(authenticity_token)}}&username={{username}}&password={{password}}&commit=Login
@@ -39,6 +36,7 @@ requests:
 internal: true xpath: - /html/body/div/div[2]/div/form/input[2] + - type: dsl dsl: - username
@@ -50,6 +48,7 @@ requests:
 part: header words: - 'Set-Cookie: user_session' + - type: status status: - 302
diff --git a/http/credential-stuffing/cloud/atlassian.yaml b/http/credential-stuffing/cloud/atlassian.yaml
index 3c9846da7f..18a448f6f2 100644
--- a/http/credential-stuffing/cloud/atlassian.yaml
+++ b/http/credential-stuffing/cloud/atlassian.yaml
@@ -2,7 +2,7 @@ id: atlassian-login-check
 info: name: Atlassian Login Check - author: parthmalhotra, pdresearch + author: parthmalhotra,pdresearch severity: critical description: Checks for a valid atlassian account. reference:
@@ -17,7 +17,6 @@ requests:
 Content-Type: application/json Origin: https://id.atlassian.com Referer: https://id.atlassian.com/ - Connection: close {"username":"{{username}}","password":"{{password}}","state":{"csrfToken":"{{rand_text_alpha(10, "")}}"}}
@@ -26,6 +25,7 @@ requests:
 dsl: - username - password + attack: pitchfork matchers-condition: and matchers:
@@ -33,6 +33,7 @@ requests:
 part: body words: - '"error_description":"Wrong email or password."' + - type: status status: - 403
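Review bot: The POST at the end of this hunk replays the `authenticity_token` scraped from the preceding GET, but nothing in the hunk ties the two requests to one session; if the template does not already set `cookie-reuse: true` on the request-level lines between the `raw:` list and the extractors (outside this hunk), a Rails-style token check would reject every attempt and the `Set-Cookie: user_session` matcher could never fire. The gitlab template in this same commit adds `cookie-reuse: true` for exactly this reason, so the two templates should agree. Dropping `Connection: close` and the browser User-Agent is harmless for nuclei, but it is worth confirming that identity.atechmedia.com does not gate the login form on a browser-like User-Agent now that nuclei's default is sent. The request block continues past the end of this hunk.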
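Review bot: The word matcher left in place at the start of this hunk fires on `"error_description":"Wrong email or password."` and is ANDed (`matchers-condition: and` is visible in the previous hunk) with status 403, so as written the template reports a *failed* login as a valid account at `severity: critical`; the hunk offsets (`matchers:` at old line 31, `part: body` at old line 33) leave no room for a `negative: true` on that matcher, so this does not appear to be deliberate inversion. Either add `negative: true` under `part: body`, or match the success response instead, and verify against one known-good and one known-bad account before relying on it. The added blank line between matchers matches the other templates and is fine.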
diff --git a/http/credential-stuffing/cloud/avnil-pdf-generator.yaml b/http/credential-stuffing/cloud/avnil-pdf-generator.yaml
index 72059bc350..cd2f0fe964 100644
--- a/http/credential-stuffing/cloud/avnil-pdf-generator.yaml
+++ b/http/credential-stuffing/cloud/avnil-pdf-generator.yaml
@@ -2,7 +2,7 @@ id: avnil-pdf-generator-check
 info: name: useanvil.com Login Check - author: parthmalhotra, pdresearch + author: parthmalhotra,pdresearch severity: critical description: Checks for a valid avnil pdf generator account. reference:
@@ -25,6 +25,7 @@ requests:
 dsl: - username - password + matchers-condition: and matchers: - type: word
@@ -32,6 +33,7 @@ requests:
 words: - '"email":"' - '"eid":"' + - type: status status: - 200
\ No newline at end of file
diff --git a/http/credential-stuffing/cloud/chefapi.yaml b/http/credential-stuffing/cloud/chefapi.yaml
index e4b6fb994f..7645fb51d3 100644
--- a/http/credential-stuffing/cloud/chefapi.yaml
+++ b/http/credential-stuffing/cloud/chefapi.yaml
@@ -15,9 +15,6 @@ requests:
 POST https://api.chef.io/login HTTP/1.1 Host: api.chef.io Content-Type: application/x-www-form-urlencoded - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 - Content-Length: 160 utf8=%E2%9C%93&authenticity_token=&authenticity_token=&to=https://api.chef.io/login-success&username={{username}}&password={{password}}&commit=Sign+In
@@ -27,6 +24,7 @@ requests:
 part: header words: - 'Location: https://api.chef.io/login-success' + - type: status status: - - 302 + - 302
\ No newline at end of file
diff --git a/http/credential-stuffing/cloud/codepen.yaml b/http/credential-stuffing/cloud/codepen.yaml
index 3390d97ae5..296cfaa9f3 100644
--- a/http/credential-stuffing/cloud/codepen.yaml
+++ b/http/credential-stuffing/cloud/codepen.yaml
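Review bot: The form body kept as context in the chefapi hunk sends `authenticity_token=&authenticity_token=&` — an empty token, twice — with no preceding GET to obtain one, so if api.chef.io enforces a Rails CSRF check the login is refused before credentials are evaluated and the `Location: https://api.chef.io/login-success` matcher never fires, making every credential look invalid. If the endpoint genuinely accepts an empty token, record that in the template, e.g. `# api.chef.io does not validate authenticity_token on /login; re-verify if matches stop`, so the next maintainer does not "fix" it; otherwise fetch the token the way atechmedia-codebase.yaml does and send it once. Removing the hard-coded `Content-Length: 160` is right, since a stale value would truncate or corrupt the templated body. The `raw:` list and the extractors for this request sit outside the hunk.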
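Review bot: The second chefapi hunk drops the file's final newline (`- 302` is rewritten as the same line marked `\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` rule flags and which makes the next edit to that line show up as a spurious change; restore the trailing newline. avnil-pdf-generator.yaml and gitea.yaml in this same commit carry the same pre-existing problem and could be fixed in one pass.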
@@ -1,7 +1,7 @@
 id: codepen-login-check info: name: codepen.io Login Check - author: parthmalhotra, pdresearch + author: parthmalhotra,pdresearch severity: critical description: Checks for a valid codepen account. reference:
diff --git a/http/credential-stuffing/cloud/datadog.yaml b/http/credential-stuffing/cloud/datadog.yaml
index 9031f57720..f02685c8d7 100644
--- a/http/credential-stuffing/cloud/datadog.yaml
+++ b/http/credential-stuffing/cloud/datadog.yaml
@@ -2,7 +2,7 @@ id: datadog-login-check
 info: name: Datadog Login Check - author: parthmalhotra, pdresearch + author: parthmalhotra,pdresearch severity: critical description: Checks for a valid datadog account. reference:
diff --git a/http/credential-stuffing/cloud/docker-hub.yaml b/http/credential-stuffing/cloud/docker-hub.yaml
index c2355a1195..669c5ff6ba 100644
--- a/http/credential-stuffing/cloud/docker-hub.yaml
+++ b/http/credential-stuffing/cloud/docker-hub.yaml
@@ -2,7 +2,7 @@ id: docker-hub-login-check
 info: name: Docker Hub Login Check - author: parthmalhotra, pdresearch + author: parthmalhotra,pdresearch severity: critical description: Checks for a valid atlassian account. reference:
@@ -12,13 +12,9 @@ info:
 self-contained: true requests: - raw: - - |- + - | POST https://hub.docker.com/v2/users/login HTTP/1.1 Host: hub.docker.com - Accept: */* - Accept-Language: en-US;q=0.9,en;q=0.8 - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.95 Safari/537.36 - Connection: close Content-Type: application/json {
@@ -34,10 +30,12 @@ requests:
 part: body words: - 'token' + - type: word part: header words: - 'Set-Cookie: token=' + - type: status status: - 200
diff --git a/http/credential-stuffing/cloud/gitea.yaml b/http/credential-stuffing/cloud/gitea.yaml
index 7591ca49ab..66457e308d 100644
--- a/http/credential-stuffing/cloud/gitea.yaml
+++ b/http/credential-stuffing/cloud/gitea.yaml
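Review bot: The `description` kept as context in the first docker-hub hunk reads `Checks for a valid atlassian account.` inside docker-hub.yaml — a copy-paste leftover that will be printed verbatim in nuclei's output for a Docker Hub hit and confuse whoever triages it; change it to `description: Checks for a valid Docker Hub account.`. The author-field normalisation the hunk makes is fine on its own.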
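Review bot: The body matcher preserved in the last docker-hub hunk, `words: - 'token'`, is a bare substring test that also matches unrelated responses that mention a token (a 2FA challenge body, for example), so the check's precision rests entirely on the `Set-Cookie: token=` header and the 200 status being ANDed with it; `matchers-condition` is outside the hunk, so confirm it is `and` rather than `or`. Tightening the body matcher to the JSON key of the success response, e.g. `- '"token"'`, would make the template robust on its own. The blank lines added between matchers match the rest of the commit.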
@@ -2,7 +2,7 @@ id: gitea-login-check
 info: name: gitea.com Login Check - author: parthmalhotra, pdresearch + author: parthmalhotra,pdresearch severity: critical description: Checks for a valid gitea account. reference:
@@ -12,7 +12,7 @@ info:
 self-contained: true requests: - raw: - - |- + - | POST https://gitea.com/user/login HTTP/1.1 Host: gitea.com Content-Type: application/x-www-form-urlencoded
@@ -31,6 +31,7 @@ requests:
 part: header words: - 'Location: /' + - type: status status: - 303
\ No newline at end of file
diff --git a/http/credential-stuffing/cloud/github.yaml b/http/credential-stuffing/cloud/github.yaml
index 8ba24197c7..75f8afadee 100644
--- a/http/credential-stuffing/cloud/github.yaml
+++ b/http/credential-stuffing/cloud/github.yaml
@@ -2,7 +2,7 @@ id: github-login-check
 info: name: Github Login Check - author: parthmalhotra, pdresearch + author: parthmalhotra,pdresearch severity: critical description: Checks for a valid github account. reference:
@@ -34,6 +34,7 @@ requests:
 internal: true xpath: - /html/body/div[3]/main/div/div[4]/form/input[1] + - type: xpath name: timestamp part: body
@@ -41,6 +42,8 @@ requests:
 internal: true xpath: - /html/body/div[3]/main/div/div[4]/form/div/input[10] + + - type: xpath name: timestamp_secret part: body
@@ -48,6 +51,7 @@ requests:
 internal: true xpath: - /html/body/div[3]/main/div/div[4]/form/div/input[11] + - type: dsl dsl: - username
diff --git a/http/credential-stuffing/cloud/postman.yaml b/http/credential-stuffing/cloud/postman.yaml
index 28f617dc11..786ba7b413 100644
--- a/http/credential-stuffing/cloud/postman.yaml
+++ b/http/credential-stuffing/cloud/postman.yaml
@@ -2,7 +2,7 @@ id: postman-login-check
 info: name: Postman Login Check - author: parthmalhotra, pdresearch + author: parthmalhotra,pdresearch severity: critical description: Checks for a valid postman account. reference:
@@ -42,7 +42,6 @@ requests:
 - username - password - matchers-condition: and matchers: - type: dsl dsl:
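Review bot: The success matcher kept in the third gitea hunk, `words: - 'Location: /'` on the header part, is a substring match, so any redirect whose target starts with `/` satisfies it together with the 303 status — including a failed login bounced back to `/user/login`, should gitea.com ever respond that way — because a word matcher cannot express "redirect to the root". Replace it with an anchored regex, `- type: regex`, `part: header`, `regex: - '(?mi)^Location: /\r?$'`, so only the post-login redirect to `/` counts. Whether an invalid login on gitea.com returns 303 or re-renders the form with 200 should be verified rather than assumed, and the file still lacks a trailing newline.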
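Review bot: The middle github hunk inserts two consecutive blank lines (`+` `+`) before the `timestamp_secret` extractor while the neighbouring hunks insert one, so extractor spacing is now inconsistent; keep a single blank line. More importantly, all three extractors visible across these hunks rely on positional XPath such as `/html/body/div[3]/main/div/div[4]/form/div/input[10]`, which returns nothing the moment GitHub reorders a wrapper div and silently turns every credential into a false negative; selecting by attribute, e.g. `- //input[@name='timestamp']` (with the extractor's `attribute: value` set, if it is not already on the lines outside the hunk), survives markup changes. The extractor list continues beyond these hunks into the `- type: dsl` entry.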
diff --git a/http/credential-stuffing/cloud/pulmi.yaml b/http/credential-stuffing/cloud/pulmi.yaml
index 2d281b0382..fc7c736a70 100644
--- a/http/credential-stuffing/cloud/pulmi.yaml
+++ b/http/credential-stuffing/cloud/pulmi.yaml
@@ -2,7 +2,7 @@ id: pulmi-login-check
 info: name: pulmi.com Login Check - author: parthmalhotra, pdresearch + author: parthmalhotra,pdresearch severity: critical description: Checks for a valid github account. reference:
@@ -15,12 +15,9 @@ requests:
 - |- POST https://api.pulumi.com/api/console/email/login HTTP/1.1 Host: api.pulumi.com - Content-Length: 48 - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Content-Type: application/json Origin: https://app.pulumi.com Referer: https://app.pulumi.com/ - Connection: close {"emailOrLogin":"{{username}}","password":"{{password}}"}
diff --git a/http/credential-stuffing/self-hosted/gitlab.yaml b/http/credential-stuffing/self-hosted/gitlab.yaml
index ea27471e25..b49d88a20c 100644
--- a/http/credential-stuffing/self-hosted/gitlab.yaml
+++ b/http/credential-stuffing/self-hosted/gitlab.yaml
@@ -1,7 +1,7 @@
 id: gitlab-login-check-self-hosted info: name: Gitlab Login Check Self Hosted - author: parthmalhotra, pdresearch + author: parthmalhotra,pdresearch severity: critical description: Checks for a valid login on self hosted Grafana instance. reference:
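Review bot: The metadata kept as context in the first pulmi hunk is wrong in two ways: `description: Checks for a valid github account.` in a template whose request (next hunk) goes to `api.pulumi.com`, and `id: pulmi-login-check` / `name: pulmi.com Login Check` misspell the product. Change the description to `description: Checks for a valid Pulumi account.` now; since the id and file name are user-facing filters (`-id`, `-tags`), renaming `pulmi` to `pulumi` is better done as a separate follow-up once nothing references the old id. Dropping the hard-coded `Content-Length: 48` in the second hunk is correct, since a fixed length cannot be right for a templated body.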
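Review bot: `description: Checks for a valid login on self hosted Grafana instance.` is kept unchanged in the gitlab hunk, in a file whose id is `gitlab-login-check-self-hosted` and whose requests (next hunk) hit GitLab's `/users/sign_in`; it is a copy of grafana.yaml's description and will mislabel every finding. Change it to `description: Checks for a valid login on a self-hosted GitLab instance.`.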
@@ -20,25 +20,19 @@ http:
 - | GET /users/sign_in HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 - Accept-Language: en-US,en;q=0.9,de;q=0.8 - Connection: close - | POST /users/sign_in HTTP/1.1 Host: {{Hostname}} - Content-Length: 186 Cache-Control: max-age=0 - Origin: http://{{Hostname}} + Origin: {{BaseURL}} DNT: 1 - Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 - Referer: http://{{Hostname}}/users/sign_in + Referer: {{BaseURL}}/users/sign_in Accept-Language: en-US,en;q=0.9,de;q=0.8 - Connection: close authenticity_token={{url_encode(authenticity_token)}}&user%5Blogin%5D={{username}}&user%5Bpassword%5D={{password}}&user%5Bremember_me%5D=0 + cookie-reuse: true attack: pitchfork
@@ -50,12 +44,12 @@ http:
 group: 1 regex: - '"/users/sign_in".*?authenticity_token"\s+value="([^"]+)"' + - type: dsl dsl: - username - password - matchers-condition: and req-condition: true matchers: - type: dsl
diff --git a/http/credential-stuffing/self-hosted/grafana.yaml b/http/credential-stuffing/self-hosted/grafana.yaml
index 4c54e4ca6c..704790a2ee 100644
--- a/http/credential-stuffing/self-hosted/grafana.yaml
+++ b/http/credential-stuffing/self-hosted/grafana.yaml
@@ -2,7 +2,7 @@ id: grafana-login-check
 info: name: Grafana Login Check - author: parthmalhotra, pdresearch + author: parthmalhotra,pdresearch severity: critical description: Checks for a valid login on self hosted Grafana instance. reference:
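Review bot: The POST in this hunk still carries `Cache-Control: max-age=0` and `DNT: 1`, browser noise that the same hunk strips from the GET and that the rest of the commit removes from every other template; drop both lines for consistency, since neither influences the sign-in check. The substantive parts — `Origin: {{BaseURL}}` / `Referer: {{BaseURL}}/users/sign_in` instead of a hard-coded `http://` that would not match an HTTPS target, and `cookie-reuse: true` so the extracted `authenticity_token` is sent with the session cookie it was issued for — are what make this template work at all, so it would be worth a one-line comment above `cookie-reuse: true` such as `# the CSRF token from the GET is only valid with that response's session cookie`. The `attack: pitchfork` line and the payload block continue past the end of this hunk.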
@@ -23,13 +23,10 @@ requests:
 Host: {{Hostname}} accept: application/json, text/plain, */* DNT: 1 - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 content-type: application/json Origin: {{BaseURL}} Referer: {{BaseURL}}/login - Accept-Language: en-US,en;q=0.9,de;q=0.8 Cookie: redirect_to=%2F - Connection: close {"user":"{{username}}","password":"{{password}}"}
@@ -38,6 +35,7 @@ requests:
 dsl: - username - password + matchers-condition: and matchers: - type: word
diff --git a/http/credential-stuffing/self-hosted/jira.yaml b/http/credential-stuffing/self-hosted/jira.yaml
index 6a4e5d01d9..b047cb00c0 100644
--- a/http/credential-stuffing/self-hosted/jira.yaml
+++ b/http/credential-stuffing/self-hosted/jira.yaml
@@ -2,7 +2,7 @@ id: jira-login-check
 info: name: Jira Login Check - author: parthmalhotra, pdresearch + author: parthmalhotra,pdresearch severity: critical description: Checks for a valid login on self hosted Jira instance. reference:
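Review bot: After the first grafana hunk the POST keeps `DNT: 1` and a fixed `Cookie: redirect_to=%2F` while the User-Agent and Accept-Language browser headers are removed, and its header names are lower-case (`accept:`, `content-type:`) unlike every other template touched by this commit; drop `DNT: 1` and write `Accept:` / `Content-Type:` so the templates read alike. The `redirect_to` cookie is presumably harmless for a login probe, but it serves no purpose for the check either and could go with the other browser leftovers. The matchers for this request lie outside the hunk.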