daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into patch-5

patch-1
Ritik Chaddha 2023-10-30 17:50:45 +05:30 committed by GitHub
parent dfacfe85c3 f2c464b8c3
commit b27800f38f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7636 changed files with 103405 additions and 34885 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/scripts/wordpress-plugins-update-requirements.txt vendored
View File

@ -1,6 +1,6 @@
beautifulsoup4==4.11.1
bs4==0.0.1
certifi==2022.9.24
certifi==2023.7.22
charset-normalizer==2.1.1
idna==3.4
Markdown==3.4.1

123
.github/scripts/yaml2json.go vendored
View File

@ -16,78 +16,93 @@ type Classification struct {
}
type Info struct {
Name string `yaml:"name"`
Severity string `yaml:"severity"`
Description string `yaml:"description"`
Name string `yaml:"name"`
Severity string `yaml:"severity"`
Description string `yaml:"description"`
Classification Classification `yaml:"classification,omitempty"`
}
type Data struct {
ID string `yaml:"id"`
Info Info `yaml:"info"`
FilePath string `json:"file_path"`
ID string `yaml:"id"`
Info Info `yaml:"info"`
FilePath string `json:"file_path"`
}
func main() {
if len(os.Args) != 3 {
fmt.Println("Usage: go run main.go <directory> <output_file>")
fmt.Println("Usage: go run main.go <directory1[,directory2,...]> <output_file>")
os.Exit(1)
}
directory := os.Args[1]
input := os.Args[1]
outputFile := os.Args[2]
var directories []string
// Check if the input contains a comma
if strings.Contains(input, ",") {
directories = strings.Split(input, ",")
} else {
directories = []string{input}
}
var data []Data
err := filepath.Walk(directory, func(path string, info os.FileInfo, err error) error {
if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
yamlFile, err := ioutil.ReadFile(path)
if err != nil {
fmt.Printf("Error reading YAML file %s: %v\n", path, err)
return err
}
for _, directory := range directories {
fmt.Println("Generating data for", directory)
var d Data
err = yaml.Unmarshal(yamlFile, &d)
if err != nil {
fmt.Printf("Error unmarshalling YAML file %s: %v\n", path, err)
return err
}
if d.Info.Classification.CVSSScore == "" {
d.Info.Classification.CVSSScore = "N/A"
}
if d.Info.Classification == (Classification{}) {
d.Info.Classification.CVSSScore = "N/A"
}
fpath := strings.Replace(path, "/home/runner/work/nuclei-templates/nuclei-templates/", "", 1)
d.FilePath = fpath
err := filepath.Walk(directory, func(path string, info os.FileInfo, err error) error {
if err != nil {
fmt.Printf("Error accessing path %s: %v\n", path, err)
return err
}
if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
yamlFile, err := ioutil.ReadFile(path)
if err != nil {
fmt.Printf("Error reading YAML file %s: %v\n", path, err)
return err
}
data = append(data, d)
}
return nil
})
var d Data
err = yaml.Unmarshal(yamlFile, &d)
if err != nil {
fmt.Printf("Error unmarshalling YAML file %s: %v\n", path, err)
return err
}
if d.Info.Classification.CVSSScore == "" {
d.Info.Classification.CVSSScore = "N/A"
}
if d.Info.Classification == (Classification{}) {
d.Info.Classification.CVSSScore = "N/A"
}
fpath := strings.Replace(path, "/home/runner/work/nuclei-templates/nuclei-templates/", "", 1)
d.FilePath = fpath
if err != nil {
fmt.Printf("Error reading directory: %v\n", err)
os.Exit(1)
}
data = append(data, d)
}
return nil
})
var jsonData []byte
for _, d := range data {
temp, err := json.Marshal(d)
if err != nil {
fmt.Printf("Error marshalling JSON: %v\n", err)
os.Exit(1)
}
jsonData = append(jsonData, temp...)
jsonData = append(jsonData, byte('\n'))
}
err = ioutil.WriteFile(outputFile, jsonData, 0644)
if err != nil {
fmt.Printf("Error writing JSON data to file: %v\n", err)
os.Exit(1)
}
if err != nil {
fmt.Printf("Error reading directory: %v\n", err)
os.Exit(1)
}
}
fmt.Println("JSON data written to", outputFile)
}
var jsonData []byte
for _, d := range data {
temp, err := json.Marshal(d)
if err != nil {
fmt.Printf("Error marshalling JSON: %v\n", err)
os.Exit(1)
}
jsonData = append(jsonData, temp...)
jsonData = append(jsonData, byte('\n'))
}
err := ioutil.WriteFile(outputFile, jsonData, 0644)
if err != nil {
fmt.Printf("Error writing JSON data to file: %v\n", err)
os.Exit(1)
}
fmt.Println("JSON data written to", outputFile)
}

6
.github/workflows/autoassign.yml vendored
View File

@ -1,4 +1,4 @@
name: run assign_tasks.py
name: 🤖 issue/pr assignment
on:
pull_request:
types: [opened]
@ -12,10 +12,10 @@ jobs:
permissions: write-all
runs-on: ubuntu-latest
env:
ASSIGN_TASK_TOKEN: ${{ secrets.GITHUB_TOKEN }} # github personal token
ASSIGN_TASK_TOKEN: ${{ secrets.PDTEAMX_PAT }} # github personal token
steps:
- name: checkout repo content
uses: actions/checkout@v2 # checkout the repository content
uses: actions/checkout@v4 # checkout the repository content
- name: setup python
uses: actions/setup-python@v4
with:

3
.github/workflows/cve2json.yml vendored
View File

@ -11,6 +11,7 @@ on:
jobs:
cve2json:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- uses: actions/checkout@master
- name: Set up Go
@ -23,7 +24,7 @@ jobs:
run: |
go env -w GO111MODULE=off
go get gopkg.in/yaml.v3
go run .github/scripts/yaml2json.go $GITHUB_WORKSPACE/http/cves/ cves.json
go run .github/scripts/yaml2json.go $GITHUB_WORKSPACE/http/cves/,$GITHUB_WORKSPACE/network/cves/ cves.json
md5sum cves.json | cut -d' ' -f1 > cves.json-checksum.txt
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT

2
.github/workflows/syntax-checking.yml vendored
View File

@ -10,7 +10,7 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
- name: Yamllint
uses: karancode/yamllint-github-action@v2.1.1
with:

6
.github/workflows/template-checksum.yml vendored
View File

@ -13,18 +13,18 @@ jobs:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: 1.20.x
go-version: 1.21.x
- name: install checksum generator
run: |
go install -v github.com/projectdiscovery/nuclei/v2/cmd/generate-checksum@dev
go install -v github.com/projectdiscovery/nuclei/v3/cmd/generate-checksum@dev
- name: generate checksum
id: checksum

4
.github/workflows/template-db-indexer.yml vendored
View File

@ -10,13 +10,13 @@ on:
jobs:
index:
runs-on: ubuntu-latest
runs-on: ubuntu-latest-16-cores
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: 1.19
go-version: 1.21.x
- name: Installing Indexer
run: |

51
.github/workflows/template-sign.yml vendored Normal file
View File

@ -0,0 +1,51 @@
name: ☑️ Template Sign
on:
push:
branches:
- main
paths:
- '**.yaml'
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: 1.21.x
- name: nuclei install
run: go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@dev
- name: Template Sign
id: sign
run: |
nuclei -lfa -duc -sign -t /home/runner/work/nuclei-templates/nuclei-templates
nuclei -lfa -duc -t /home/runner/work/nuclei-templates/nuclei-templates
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
env:
NUCLEI_USER_CERTIFICATE: ${{ secrets.NUCLEI_USER_CERTIFICATE }}
NUCLEI_USER_PRIVATE_KEY: ${{ secrets.NUCLEI_USER_PRIVATE_KEY }}
- name: Commit files
if: steps.sign.outputs.CHANGES > 0
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add cves.json cves.json-checksum.txt
git commit -m "Auto Template Signing [$(date)] :robot:" -a
- name: Push changes
if: steps.sign.outputs.CHANGES > 0
run: |
git pull --rebase
git push origin ${{ github.ref }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

10
.github/workflows/template-validate.yml vendored
View File

@ -10,20 +10,20 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: 1.20.x
go-version: 1.21.x
- name: nuclei install
run: go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
run: go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
- name: Template Validation
run: |
cp -r ${{ github.workspace }} $HOME
nuclei -duc -validate
nuclei -duc -validate -w ./workflows
nuclei -duc -validate -allow-local-file-access
nuclei -duc -validate -w ./workflows -allow-local-file-access

11
.github/workflows/templateman.yml vendored
View File

@ -13,23 +13,26 @@ jobs:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- uses: actions/checkout@master
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: 1.20.x
go-version: 1.21.x
- name: Install TemplateMan CLI Client
run: |
go install -v github.com/projectdiscovery/nuclei/v2/cmd/tmc@dev
git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github
git clone https://github.com/projectdiscovery/templateman.git
cd templateman/templateman-cli/cmd/tmc
go install
- name: Run TemplateMan
id: tmc
run: |
tmc -i $GITHUB_WORKSPACE -mr
echo /home/runner/work/nuclei-templates/nuclei-templates | tmc -mr -e
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files

2
.github/workflows/templates-stats.yml vendored
View File

@ -10,7 +10,7 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
fetch-depth: 0

2
.github/workflows/wordpress-plugins-update.yml vendored
View File

@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal token
fetch-depth: 0 # otherwise, you will failed to push refs to dest repo

1
.gitignore vendored
View File

@ -3,3 +3,4 @@
local/
.checksum
.new-additions
*.txt

16
.new-additions
View File

@ -1,12 +1,4 @@
file/webshell/asp-webshell.yaml
file/webshell/jsp-webshell.yaml
file/webshell/php-webshell.yaml
http/cves/2018/CVE-2018-6530.yaml
http/cves/2023/CVE-2023-28121.yaml
http/exposed-panels/arangodb-web-Interface.yaml
http/exposed-panels/arcserve-panel.yaml
http/exposed-panels/cloudpanel-login.yaml
http/exposed-panels/dell-idrac.yaml
http/exposed-panels/efak-login-panel.yaml
http/exposed-panels/pritunl-panel.yaml
http/exposed-panels/untangle-admin-login.yaml
http/default-logins/goip-default-login.yaml
http/exposed-panels/cisco/cisco-ios-xe-panel.yaml
http/exposed-panels/kiteworks-pcn-panel.yaml
http/exposed-panels/truenas-scale-panel.yaml

7
.nuclei-ignore
View File

@ -24,14 +24,7 @@ tags:
files:
- http/cves/2006/CVE-2006-1681.yaml
- http/cves/2007/CVE-2007-5728.yaml
- http/cves/2014/CVE-2014-9608.yaml
- http/cves/2018/CVE-2018-5233.yaml
- http/cves/2019/CVE-2019-14696.yaml
- http/cves/2020/CVE-2020-11930.yaml
- http/cves/2020/CVE-2020-19295.yaml
- http/cves/2020/CVE-2020-2036.yaml
- http/cves/2020/CVE-2020-28351.yaml
- http/cves/2021/CVE-2021-35265.yaml
- http/vulnerabilities/oracle/oracle-ebs-xss.yaml
- http/vulnerabilities/other/nginx-module-vts-xss.yaml

4
.yamllint
View File

@ -19,3 +19,7 @@ rules:
min-spaces-from-content: 1
empty-lines:
max: 5
braces:
forbid: true
brackets:
forbid: true

22
README.md
View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|----------------------|-------|----------|-------|------|-------|
| cve | 1908 | dhiyaneshdk | 882 | http | 5970 | info | 2907 | file | 130 |
| panel | 909 | dwisiswant0 | 796 | workflows | 190 | high | 1298 | dns | 18 |
| wordpress | 787 | daffainfo | 664 | file | 130 | medium | 1076 | | |
| exposure | 692 | pikpikcu | 353 | network | 98 | critical | 717 | | |
| wp-plugin | 678 | pdteam | 280 | ssl | 24 | low | 224 | | |
| xss | 660 | pussycat0x | 258 | dns | 18 | unknown | 27 | | |
| osint | 652 | geeknik | 221 | headless | 9 | | | | |
| tech | 614 | ricardomaia | 220 | contributors.json | 1 | | | | |
| edb | 597 | ritikchaddha | 217 | cves.json | 1 | | | | |
| lfi | 557 | 0x_akoko | 179 | TEMPLATES-STATS.json | 1 | | | | |
| cve | 2239 | dhiyaneshdk | 1088 | http | 6768 | info | 3275 | file | 310 |
| panel | 1018 | dwisiswant0 | 798 | file | 310 | medium | 1413 | dns | 17 |
| wordpress | 923 | daffainfo | 787 | workflows | 191 | high | 1412 | | |
| xss | 837 | pikpikcu | 353 | network | 119 | critical | 888 | | |
| exposure | 820 | pussycat0x | 298 | ssl | 27 | low | 234 | | |
| wp-plugin | 807 | pdteam | 283 | dns | 17 | unknown | 31 | | |
| osint | 675 | ritikchaddha | 275 | headless | 10 | | | | |
| tech | 637 | ricardomaia | 226 | javascript | 2 | | | | |
| lfi | 614 | geeknik | 221 | TEMPLATES-STATS.json | 1 | | | | |
| edb | 598 | theamanrawat | 221 | contributors.json | 1 | | | | |
**412 directories, 6679 files**.
**511 directories, 7690 files**.
</td>
</tr>

2
TEMPLATES-STATS.json
View File

File diff suppressed because one or more lines are too long

7370
TEMPLATES-STATS.md
View File

File diff suppressed because it is too large Load Diff

20
TOP-10.md
View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|----------------------|-------|----------|-------|------|-------|
| cve | 1908 | dhiyaneshdk | 882 | http | 5970 | info | 2907 | file | 130 |
| panel | 909 | dwisiswant0 | 796 | workflows | 190 | high | 1298 | dns | 18 |
| wordpress | 787 | daffainfo | 664 | file | 130 | medium | 1076 | | |
| exposure | 692 | pikpikcu | 353 | network | 98 | critical | 717 | | |
| wp-plugin | 678 | pdteam | 280 | ssl | 24 | low | 224 | | |
| xss | 660 | pussycat0x | 258 | dns | 18 | unknown | 27 | | |
| osint | 652 | geeknik | 221 | headless | 9 | | | | |
| tech | 614 | ricardomaia | 220 | contributors.json | 1 | | | | |
| edb | 597 | ritikchaddha | 217 | cves.json | 1 | | | | |
| lfi | 557 | 0x_akoko | 179 | TEMPLATES-STATS.json | 1 | | | | |
| cve | 2239 | dhiyaneshdk | 1088 | http | 6768 | info | 3275 | file | 310 |
| panel | 1018 | dwisiswant0 | 798 | file | 310 | medium | 1413 | dns | 17 |
| wordpress | 923 | daffainfo | 787 | workflows | 191 | high | 1412 | | |
| xss | 837 | pikpikcu | 353 | network | 119 | critical | 888 | | |
| exposure | 820 | pussycat0x | 298 | ssl | 27 | low | 234 | | |
| wp-plugin | 807 | pdteam | 283 | dns | 17 | unknown | 31 | | |
| osint | 675 | ritikchaddha | 275 | headless | 10 | | | | |
| tech | 637 | ricardomaia | 226 | javascript | 2 | | | | |
| lfi | 614 | geeknik | 221 | TEMPLATES-STATS.json | 1 | | | | |
| edb | 598 | theamanrawat | 221 | contributors.json | 1 | | | | |

10
contributors.json
View File

@ -1380,6 +1380,15 @@
}
},
{
"author": "noraj",
"links": {
"github": "https://github.com/noraj",
"twitter": "https://twitter.com/noraj_rawsec",
"linkedin": "",
"website": "https://pwn.by/noraj",
"email": ""
}
},{
"author": "mabdullah22",
"links": {
"github": "https://www.github.com/maabdullah22",
@ -1389,5 +1398,4 @@
"email": ""
}
}
]

746
cves.json
View File

File diff suppressed because it is too large Load Diff

2
cves.json-checksum.txt
View File

@ -1 +1 @@
b830e8b5ef413ec8d972848bd93b95d8
66dfa2bf73baea2b9f3865cf5e919966

11
dns/azure-takeover-detection.yaml
View File

@ -13,9 +13,9 @@ info:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
cwe-id: CWE-404
tags: dns,takeover,azure
metadata:
max-request: 1
tags: dns,takeover,azure
dns:
- name: "{{FQDN}}"
@ -50,9 +50,8 @@ dns:
- "NXDOMAIN"
extractors:
- type: regex
group: 1
regex:
- "IN\tCNAME\t(.+)"
- type: dsl
dsl:
- cname
# Enhanced by mp on 2022/03/13
# digest: 4a0a00473045022043d1113417de308936591aa35f8175c25ad9d5b66b6d076fe0ba324450b1799e022100add5bb113b494d920eb39a99c107f2e7dff1979d482302e2580ff07e5857d9ff:922c64590222798bb761d5b6d8e72950

11
dns/caa-fingerprint.yaml
View File

@ -9,18 +9,17 @@ info:
- https://support.dnsimple.com/articles/caa-record/#whats-a-caa-record
classification:
cwe-id: CWE-200
tags: dns,caa
metadata:
max-request: 1
tags: dns,caa
dns:
- name: "{{FQDN}}"
type: CAA
matchers:
- type: word
words:
- "IN\tCAA"
- type: regex
regex:
- "IN\\s+CAA\\s+(.+)"
extractors:
- type: regex
@ -29,3 +28,5 @@ dns:
- 'issue "(.*)"'
- 'issuewild "(.*)"'
- 'iodef "(.*)"'
# digest: 4a0a00473045022023198a26073ed129fe588c545c89a003975219e7da0033744c267d99093324370221008a42dc42e882b45ff2f7ef81ffd916e41dab50a710deb2d0c7268bf9dec11e8f:922c64590222798bb761d5b6d8e72950

30
dns/cname-fingerprint.yaml
View File

@ -1,30 +0,0 @@
id: cname-fingerprint
info:
name: CNAME Fingerprint
author: pdteam
severity: info
description: A CNAME DNS record was discovered.
reference:
- https://www.theregister.com/2021/02/24/dns_cname_tracking/
- https://www.ionos.com/digitalguide/hosting/technical-matters/cname-record/
classification:
cwe-id: CWE-200
tags: dns,cname
metadata:
max-request: 1
dns:
- name: "{{FQDN}}"
type: CNAME
matchers:
- type: word
words:
- "IN\tCNAME"
extractors:
- type: regex
group: 1
regex:
- "IN\tCNAME\t(.+)"

45
dns/cname-service.yaml
View File

@ -1,45 +0,0 @@
id: cname-service
info:
name: CNAME Service Detection
author: pdteam
severity: info
description: A CNAME service was detected.
reference:
- https://ns1.com/resources/cname
classification:
cwe-id: CWE-200
tags: dns,service
metadata:
max-request: 1
dns:
- name: "{{FQDN}}"
type: CNAME
matchers-condition: or
matchers:
- type: word
name: zendesk
words:
- "zendesk.com"
- type: word
name: github
words:
- "github.io"
- type: word
name: announcekit
words:
- "cname.announcekit.app"
- type: word
name: wix
words:
- "wixdns.net"
- type: word
name: salesforce-community
words:
- "live.siteforce.com"

17
dns/detect-dangling-cname.yaml
View File

@ -12,9 +12,9 @@ info:
- https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
classification:
cwe-id: CWE-200
tags: dns,takeover
metadata:
max-request: 1
tags: dns,takeover
dns:
- name: "{{FQDN}}"
@ -26,14 +26,13 @@ dns:
words:
- "NXDOMAIN"
- type: word
words:
- "IN\tCNAME"
- type: regex
regex:
- "IN\tCNAME\\t(.+)$"
extractors:
- type: regex
group: 1
regex:
- "IN\tCNAME\t(.+)"
- type: dsl
dsl:
- cname
# Enhanced by mp on 2022/03/13
# digest: 4a0a00473045022100ec9f942301604384f1ef3a2f9987cd29d437e35e882b86ed15127558bfe7ff7302203de45942e5824f5074f3d30b9d3323394b8fbd95c30e519c99901086ad64eecc:922c64590222798bb761d5b6d8e72950

11
dns/dmarc-detect.yaml
View File

@ -11,15 +11,20 @@ info:
- https://dmarc.org/wiki/FAQ#Why_is_DMARC_important.3F
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cvss-score: 0
cwe-id: CWE-200
tags: dns,dmarc
metadata:
max-request: 1
tags: dns,dmarc
dns:
- name: "_dmarc.{{FQDN}}"
type: TXT
matchers:
- type: regex
part: answer
regex:
- "IN\tTXT\\t(.+)$"
extractors:
- type: regex
@ -27,4 +32,4 @@ dns:
regex:
- "IN\tTXT\t(.+)"
# Enhanced by md on 2023/04/20
# digest: 4a0a0047304502204076c7a56a64102033ddcbffe604e0099b21d4e3fc93681f25db84b6c9ea0d49022100cc84a29967d71f3d07b107990f34ec5d804757336391661727adf79dc07eef3d:922c64590222798bb761d5b6d8e72950

437
dns/dns-saas-service-detection.yaml Normal file
View File

@ -0,0 +1,437 @@
id: dns-saas-service-detection
info:
name: DNS SaaS Service Detection
author: noah @thesubtlety,pdteam
severity: info
description: A CNAME DNS record was discovered
reference:
- https://ns1.com/resources/cname
- https://www.theregister.com/2021/02/24/dns_cname_tracking/
- https://www.ionos.com/digitalguide/hosting/technical-matters/cname-record/
metadata:
max-request: 1
tags: dns,service
dns:
- name: "{{FQDN}}"
type: CNAME
extractors:
- type: dsl
dsl:
- cname
matchers-condition: or
matchers:
- type: word
part: answer
name: ms-office
words:
- outlook.com
- office.com
- type: word
part: answer
name: azure
words:
- "azure-api.net"
- "azure.com"
- "azure-mobile.net"
- "azurecontainer.io"
- "azurecr.io"
- "azuredatalakestore.net"
- "azureedge.net"
- "azurefd.net"
- "azurehdinsight.net"
- "azurewebsites.net"
- "azurewebsites.windows.net"
- "blob.core.windows.net"
- "cloudapp.azure.com"
- "cloudapp.net"
- "database.windows.net"
- "redis.cache.windows.net"
- "search.windows.net"
- "servicebus.windows.net"
- "visualstudio.com"
- "-msedge.net"
- "trafficmanager.net"
- type: word
part: answer
name: zendesk
words:
- "zendesk.com"
- type: word
part: answer
name: announcekit
words:
- "cname.announcekit.app"
- type: word
part: answer
name: wix
words:
- "wixdns.net"
- type: word
part: answer
name: akamai-cdn
words:
- akadns.net
- akagtm.org
- akahost.net
- akam.net
- akamai.com
- akamai.net
- akamaiedge-staging.net
- akamaiedge.net
- akamaientrypoint.net
- akamaihd.net
- akamaistream.net
- akamaitech.net
- akamaitechnologies.com
- akamaitechnologies.fr
- akamaized.net
- akaquill.net
- akasecure.net
- akasripcn.net
- edgekey.net
- edgesuite.net
- type: word
part: answer
name: cloudflare-cdn
words:
- cloudflare.net
- cloudflare-dm-cmpimg.com
- cloudflare-ipfs.com
- cloudflare-quic.com
- cloudflare-terms-of-service-abuse.com
- cloudflare.com
- cloudflare.net
- cloudflare.tv
- cloudflareaccess.com
- cloudflareclient.com
- cloudflareinsights.com
- cloudflareok.com
- cloudflareportal.com
- cloudflareresolve.com
- cloudflaressl.com
- cloudflarestatus.com
- sn-cloudflare.com
- type: word
part: answer
name: amazon-cloudfront
words:
- cloudfront.net
- type: word
part: answer
name: salesforce
words:
- salesforce.com
- siteforce.com
- force.com
- type: word
part: answer
name: amazon-aws
words:
- amazonaws.com
- elasticbeanstalk.com
- awsglobalaccelerator.com
- type: word
part: answer
name: fastly-cdn
words:
- fastly.net
- type: word
part: answer
name: netlify
words:
- netlify.app
- netlify.com
- netlifyglobalcdn.com
- type: word
part: answer
name: vercel
words:
- vercel.app
- type: word
part: answer
name: sendgrid
words:
- sendgrid.net
- sendgrid.com
- type: word
part: answer
name: qualtrics
words:
- qualtrics.com
- type: word
part: answer
name: heroku
words:
- herokuapp.com
- herokucdn.com
- herokudns.com
- herokussl.com
- herokuspace.com
- type: word
part: answer
name: gitlab
words:
- gitlab.com
- gitlab.io
- type: word
part: answer
name: perforce-akana
words:
- akana.com
- apiportal.akana.com
- type: word
part: answer
name: skilljar
words:
- skilljarapp.com
- type: word
part: answer
name: datagrail
words:
- datagrail.io
- type: word
part: answer
name: platform.sh
words:
- platform.sh
- type: word
part: answer
name: folloze
words:
- folloze.com
- type: word
part: answer
name: pendo-receptive
words:
- receptive.io
- pendo.io
- type: word
part: answer
name: discourse
words:
- bydiscourse.com
- discourse-cdn.com
- discourse.cloud
- discourse.org
- hosted-by-discourse.com
- type: word
part: answer
name: adobe-marketo
words:
- marketo.com
- marketo.co.uk
- mktoweb.com
- mktossl.com
- mktoweb.com
- type: word
part: answer
name: adobe-marketo - 'mkto-.{5,8}\.com'
- type: word
part: answer
name: adobe-marketo
words:
- marketo.com
- type: word
part: answer
name: rock-content
words:
- postclickmarketing.com
- rockcontent.com
- rockstage.io
- type: word
part: answer
name: rocketlane
words:
- rocketlane.com
- type: word
part: answer
name: webflow
words:
- proxy-ssl.webflow.com
- type: word
part: answer
name: stacker-hq
words:
- stacker.app
- type: word
part: answer
name: hubspot
words:
- hs-analytics.net
- hs-banner.com
- hs-scripts.com
- hsappstatic.net
- hscollectedforms.net
- hscoscdn00.net
- hscoscdn10.net
- hscoscdn20.net
- hscoscdn30.net
- hscoscdn40.net
- hsforms.com
- hsforms.net
- hubapi.com
- hubspot.com
- hubspot.es
- hubspot.net
- hubspotemail.net
- hubspotlinks.com
- hubspotusercontent-na1.net
- sidekickopen90.com
- usemessages.com
- type: word
part: answer
name: gitbook
words:
- gitbook.com
- gitbook.io
- type: word
part: answer
name: google-firebase
words:
- fcm.googleapis.com
- firebase.com
- firebase.google.com
- firebase.googleapis.com
- firebaseapp.com
- firebaseappcheck.googleapis.com
- firebasedynamiclinks-ipv4.googleapis.com
- firebasedynamiclinks-ipv6.googleapis.com
- firebasedynamiclinks.googleapis.com
- firebaseinappmessaging.googleapis.com
- firebaseinstallations.googleapis.com
- firebaseio.com
- firebaselogging-pa.googleapis.com
- firebaselogging.googleapis.com
- firebaseperusertopics-pa.googleapis.com
- firebaseremoteconfig.googleapis.com
- type: word
part: answer
name: zendesk
words:
- zdassets.com
- zdorigin.com
- "zendesk.com"
- zopim.com
- type: word
part: answer
name: imperva
words:
- incapdns.net
- incapsula.com
- type: word
part: answer
name: proofpoint
words:
- infoprtct.com
- metanetworks.com
- ppe-hosted.com
- pphosted.com
- proofpoint.com
- type: word
part: answer
name: q4-investor-relations
words:
- q4inc.com
- q4ir.com
- q4web.com
- type: word
part: answer
name: google-hosted
words:
- appspot.com
- cloudfunctions.net
- ghs.googlehosted.com
- ghs4.googlehosted.com
- ghs46.googlehosted.com
- ghs6.googlehosted.com
- googlehosted.com
- googlehosted.l.googleusercontent.com
- run.app
- type: word
part: answer
name: wp-engine
words:
- wpengine.com
- type: word
part: answer
name: github
words:
- github.com
- github.io
- githubusercontent.com
- type: word
part: answer
name: ghost
words:
- ghost.io
- type: word
part: answer
name: digital-ocean
words:
- ondigitalocean.app
- type: word
part: answer
name: typedream
words:
- ontypedream.com
- type: word
part: answer
name: oracle-eloqua-marketing
words:
- hs.eloqua.com
- type: regex
part: answer
regex:
- "IN\tCNAME\\t(.+)$"
- "IN\\s*CNAME\\t(.+)$"
# digest: 4a0a004730450221008eca40fb73f32c811d6d1d7283bbf220eb09a81bbaa047e4204406dd1c4da012022033a3e578c9ee7d903cff9bc617af38353d49ba0cb65955487aca3e841cdbfc56:922c64590222798bb761d5b6d8e72950

29
dns/dns-waf-detect.yaml
View File

@ -7,9 +7,9 @@ info:
description: A DNS WAF was detected.
classification:
cwe-id: CWE-200
tags: tech,waf,dns
metadata:
max-request: 2
tags: tech,waf,dns
dns:
- name: "{{FQDN}}"
@ -17,57 +17,66 @@ dns:
- name: "{{FQDN}}"
type: NS
matchers:
- type: word
part: answer
name: sanfor-shield
words:
- ".sangfordns.com"
- type: word
part: answer
name: 360panyun
words:
- ".360panyun.com"
- type: word
part: answer
name: baiduyun
words:
- ".yunjiasu-cdn.net"
- type: word
part: answer
name: chuangyudun
words:
- ".365cyd.cn"
- ".cyudun.net"
- type: word
part: answer
name: knownsec
words:
- ".jiashule.com"
- ".jiasule.org"
- type: word
part: answer
name: huaweicloud
words:
- ".huaweicloudwaf.com"
- type: word
part: answer
name: xinliuyun
words:
- ".ngaagslb.cn"
- type: word
part: answer
name: chinacache
words:
- ".chinacache.net"
- ".ccgslb.net"
- type: word
part: answer
name: nscloudwaf
words:
- ".nscloudwaf.com"
- type: word
part: answer
name: wangsu
words:
- ".wsssec.com"
@ -85,17 +94,20 @@ dns:
- ".mwcloudcdn.com"
- type: word
part: answer
name: qianxin
words:
- ".360safedns.com"
- ".360cloudwaf.com"
- type: word
part: answer
name: baiduyunjiasu
words:
- ".yunjiasu-cdn.net"
- type: word
part: answer
name: anquanbao
words:
- ".anquanbao.net"
@ -114,60 +126,71 @@ dns:
- '\.aliyundunwaf\.com'
- type: word
part: answer
name: xuanwudun
words:
- ".saaswaf.com"
- ".dbappwaf.cn"
- type: word
part: answer
name: yundun
words:
- ".hwwsdns.cn"
- ".yunduncname.com"
- type: word
part: answer
name: knownsec-ns
words:
- ".jiasule.net"
- type: word
part: answer
name: chuangyudun
words:
- ".365cyd.net"
- type: word
part: answer
name: qianxin
words:
- ".360wzb.com"
- type: word
part: answer
name: anquanbao
words:
- ".anquanbao.com"
- type: word
part: answer
name: wangsu
words:
- ".chinanetcenter.com"
- type: word
part: answer
name: baiduyunjiasue
words:
- ".ns.yunjiasu.com"
- type: word
part: answer
name: chinacache
words:
- ".chinacache.com"
- type: word
part: answer
name: cloudflare
words:
- "ns.cloudflare.com"
- type: word
part: answer
name: edns
words:
- ".iidns.com"
# Enhanced by mp on 2022/03/13
# digest: 4a0a0047304502200a845666375d02a84b9b0a1b56465d375357774b8c0c3a044dccf1e02fbf6267022100bf5e4f34f8e41d1cf13880ed6760c273df09e408a6d0c53c335dceeadac76182:922c64590222798bb761d5b6d8e72950

8
dns/dnssec-detection.yaml
View File

@ -10,17 +10,17 @@ info:
- https://www.cyberciti.biz/faq/unix-linux-test-and-validate-dnssec-using-dig-command-line/
classification:
cwe-id: CWE-200
tags: dns,dnssec
metadata:
max-request: 1
tags: dns,dnssec
dns:
- name: "{{FQDN}}"
type: DS
matchers:
- type: regex
part: answer
regex:
- "IN\tDS\t(.+)"
- "IN\tDS\\t(.+)$"
# Enhanced by mp on 2022/03/14
# digest: 4b0a00483046022100dd7c45e1b16ab7caba75d6b28a27e3678896daad8cc2413e3f9120efa8be540202210095b8145af0ff47b2c140dc6f9f643f058bb31768759be99af4098f2cbd0d1997:922c64590222798bb761d5b6d8e72950

4
dns/ec2-detection.yaml
View File

@ -9,9 +9,9 @@ info:
- https://blog.melbadry9.xyz/dangling-dns/aws/ddns-ec2-current-state
classification:
cwe-id: CWE-200
tags: dns,ec2,aws
metadata:
max-request: 1
tags: dns,ec2,aws
dns:
- name: "{{FQDN}}"
@ -23,4 +23,4 @@ dns:
- "ec2-[-\\d]+\\.compute[-\\d]*\\.amazonaws\\.com"
- "ec2-[-\\d]+\\.[\\w\\d\\-]+\\.compute[-\\d]*\\.amazonaws\\.com"
# Enhanced by mp on 2022/03/14
# digest: 4a0a00473045022100995379438eef7d1b9435317e2326c27b32ff7c257437185c9bf505dc30d972e002202882175b25ec22258156a75b31ed020bfcdc29ababcd9e052ce591ab2acb3ff8:922c64590222798bb761d5b6d8e72950

23
dns/elasticbeantalk-takeover.yaml → dns/elasticbeanstalk-takeover.yaml
View File

@ -1,11 +1,10 @@
id: elasticbeantalk-takeover
id: elasticbeanstalk-takeover
info:
name: ElasticBeanTalk Subdomain Takeover Detection
author: philippedelteil,rotemreiss,zy9ard3
name: ElasticBeanstalk Subdomain Takeover Detection
author: philippedelteil,rotemreiss,zy9ard3,joaonevess
severity: high
description: ElasticBeanTalk subdomain takeover detected. A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. Typically, this happens when the subdomain has a canonical
name (CNAME) in the Domain Name System (DNS), but no host is providing content for it.
description: ElasticBeanstalk subdomain takeover detected. A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. Typically, this happens when the subdomain has a canonical name (CNAME) in the Domain Name System (DNS), but no host is providing content for it.
reference:
- https://github.com/EdOverflow/can-i-take-over-xyz/issues/147
- https://twitter.com/payloadartist/status/1362035009863880711
@ -33,19 +32,17 @@ dns:
matchers-condition: and
matchers:
- type: regex
regex:
- CNAME\t[a-z0-9_-]*\.(us|af|ap|ca|eu|me|sa)\-(east|west|south|northeast|southeast|central)\-[1-9]+\.elasticbeanstalk\.com
- CNAME\t[a-z0-9_-]*\.(us|af|ap|ca|eu|me|sa|il)\-(north|east|west|south|northeast|southeast|central)\-[1-9]+\.elasticbeanstalk\.com
- type: word
words:
- "NXDOMAIN"
- NXDOMAIN
extractors:
- type: regex
group: 1
regex:
- "IN\tCNAME\t(.+)"
- type: dsl
dsl:
- cname
# Enhanced by mp on 2022/03/14
# digest: 4b0a00483046022100b17bf9a80ae6819d64cc1a58b2cf349b843548dcbfd9d9455230cace98f79b04022100cec30c98b7df5b5d7d359146fb95c16c511856e3d7648b50b0a3e671e4b81b01:922c64590222798bb761d5b6d8e72950

12
dns/mx-fingerprint.yaml
View File

@ -10,18 +10,18 @@ info:
- https://mxtoolbox.com/
classification:
cwe-id: CWE-200
tags: dns,mx
metadata:
max-request: 1
tags: dns,mx
dns:
- name: "{{FQDN}}"
type: MX
matchers:
- type: word
words:
- "IN\tMX"
- type: regex
part: answer
regex:
- "IN\tMX\\t(.+)$"
extractors:
- type: regex
@ -29,4 +29,4 @@ dns:
regex:
- "IN\tMX\t(.+)"
# Enhanced by mp on 2022/03/14
# digest: 4a0a0047304502205efe2d8fc4f39144631e42eaf8d4e45773974e43ff3d2db923203db6e044be4d022100c3fb0ba12d80ceff4ea27c45f1a3380ff6727b8a747803d3899a255fb2672f0f:922c64590222798bb761d5b6d8e72950

4
dns/mx-service-detector.yaml
View File

@ -7,9 +7,9 @@ info:
description: An email service was detected. Check the email service or spam filter that is used for a domain.
classification:
cwe-id: CWE-200
tags: dns,service
metadata:
max-request: 1
tags: dns,service
dns:
- name: "{{FQDN}}"
@ -82,4 +82,4 @@ dns:
- "mx1-us1.ppe-hosted.com"
- "mx2-us1.ppe-hosted.com"
# Enhanced by mp on 2022/03/14
# digest: 4b0a0048304602210099a2fc7473ed27cd6def422387ade50932830f42a13a93928782b060f911f4bf0221009505a43f95011404d692365315d646406918c54d2829546a2312d4d67440ac0e:922c64590222798bb761d5b6d8e72950

12
dns/nameserver-fingerprint.yaml
View File

@ -7,18 +7,18 @@ info:
description: An NS record was detected. An NS record delegates a subdomain to a set of name servers.
classification:
cwe-id: CWE-200
tags: dns,ns
metadata:
max-request: 1
tags: dns,ns
dns:
- name: "{{FQDN}}"
type: NS
matchers:
- type: word
words:
- "IN\tNS"
- type: regex
part: answer
regex:
- "IN\tNS\\t(.+)$"
extractors:
- type: regex
@ -26,4 +26,4 @@ dns:
regex:
- "IN\tNS\t(.+)"
# Enhanced by mp on 2022/03/14
# digest: 4a0a0047304502201ea440eb1f3de07432e12f94f89b2db94a960b7e41bf0a985db8454471217852022100ea06c3b9f829f1e4cbdd3e2ce32b039e0cf6150525202a42361133fb321794fc:922c64590222798bb761d5b6d8e72950

12
dns/ptr-fingerprint.yaml
View File

@ -7,18 +7,18 @@ info:
description: A PTR record was detected. A PTR record refers to the domain name.
classification:
cwe-id: CWE-200
tags: dns,ptr
metadata:
max-request: 1
tags: dns,ptr
dns:
- name: "{{FQDN}}"
type: PTR
matchers:
- type: word
words:
- "IN\tPTR"
- type: regex
part: answer
regex:
- "IN\tPTR\\t(.+)$"
extractors:
- type: regex
@ -26,4 +26,4 @@ dns:
regex:
- "IN\tPTR\t(.+)"
# Enhanced by mp on 2022/03/14
# digest: 490a00463044022028a8f25e5f2d2d00e9aa403a801265be54f6889185388c416baef105d9b58193022011b971c138e5bf8e83bd52bc68b65f3c7ac9c81a43320629549465a1bc8be1d3:922c64590222798bb761d5b6d8e72950

8
dns/servfail-refused-hosts.yaml
View File

@ -4,22 +4,20 @@ info:
name: DNS Servfail Host Finder
author: pdteam
severity: info
description: A DNS ServFail error occurred. ServFail errors occur when there is an error communicating with a DNS server. This could have a number of causes, including an error on the DNS server itself, or a temporary
networking issue.
description: A DNS ServFail error occurred. ServFail errors occur when there is an error communicating with a DNS server. This could have a number of causes, including an error on the DNS server itself, or a temporary networking issue.
classification:
cwe-id: CWE-200
tags: dns,takeover
metadata:
max-request: 1
tags: dns,takeover
dns:
- name: "{{FQDN}}"
type: A
matchers:
- type: word
words:
- "SERVFAIL"
- "REFUSED"
# Enhanced by mp on 2022/03/14
# digest: 4a0a0047304502201e4ab6d52233b5600ef7e9f54060934699002359838bd2802d602b642154ea1402210094809cea67fc9ad6c8a472142c8b3afb960c5e5cb3dfdd6708cb84f411a1790f:922c64590222798bb761d5b6d8e72950

5
dns/spoofable-spf-records-ptr.yaml
View File

@ -9,14 +9,13 @@ info:
- https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability
classification:
cwe-id: CWE-200
tags: dns,spf
metadata:
max-request: 1
tags: dns,spf
dns:
- name: "{{FQDN}}"
type: TXT
matchers:
- type: word
words:
@ -24,4 +23,4 @@ dns:
- " ptr "
condition: and
# Enhanced by mp on 2022/03/14
# digest: 4a0a00473045022100dcb965b47233e3942f4879e832d145cc6ade3ddc990891e0ff365e8209a6aa8302201ecdb55e85d79a9c4e2d585fd8ce7b83e7549fb3bc257be05038e166b73ec1a6:922c64590222798bb761d5b6d8e72950

12
dns/txt-fingerprint.yaml
View File

@ -9,18 +9,18 @@ info:
- https://www.netspi.com/blog/technical/network-penetration-testing/analyzing-dns-txt-records-to-fingerprint-service-providers/
classification:
cwe-id: CWE-200
tags: dns,txt
metadata:
max-request: 1
tags: dns,txt
dns:
- name: "{{FQDN}}"
type: TXT
matchers:
- type: word
words:
- "IN\tTXT"
- type: regex
part: answer
regex:
- "IN\tTXT\\t(.+)$"
extractors:
- type: regex
@ -28,4 +28,4 @@ dns:
regex:
- "IN\tTXT\t(.+)"
# Enhanced by mp on 2022/03/14
# digest: 4b0a00483046022100e4559c121d9f67b4f8ae256bc1310808d8b5223de95617f4043356431e9d65e50221008b74ba8f34d3497f956434868c133d05dfe8408acdcfa3480f7cd64284dee17a:922c64590222798bb761d5b6d8e72950

5
dns/worksites-detection.yaml
View File

@ -9,17 +9,16 @@ info:
- https://blog.melbadry9.xyz/dangling-dns/xyz-services/ddns-worksites
classification:
cwe-id: CWE-200
tags: dns,service
metadata:
max-request: 1
tags: dns,service
dns:
- name: "{{FQDN}}"
type: A
matchers:
- type: word
words:
- "69.164.223.206"
# Enhanced by mp on 2022/03/14
# digest: 4a0a0047304502205f67d327d32f1d0c1060ed655d0fa32415cd9c82a90d37b6edd56c72c001e3d9022100a3955a69d030743492077d921ae562a00dce69a8def4abad33b18f0a982a8a0e:922c64590222798bb761d5b6d8e72950

5
file/android/adb-backup-enabled.yaml
View File

@ -5,13 +5,12 @@ info:
author: gaurang
severity: low
description: ADB Backup is enabled, which allows the backup and restore of an app's private data.
remediation: Ensure proper access or disable completely.
reference:
- https://adb-backup.com/
classification:
cwe-id: CWE-200
remediation: Ensure proper access or disable completely.
tags: android,file
file:
- extensions:
- all
@ -20,4 +19,4 @@ file:
words:
- "android:allowBackup=\"true\""
# Enhanced by mp on 2022/02/09
# digest: 490a00463044022079148ddcb17d63e510878ffcf923d2c9074822a68a15975e82dfacf0b823b75b02201099b266190b9e360ff401f621c9b6e6362c5bdcc37de07adc1c01c379307ad0:922c64590222798bb761d5b6d8e72950

12
file/android/biometric-detect.yaml
View File

@ -1,17 +1,23 @@
id: biometric-detect
info:
name: Biometric or Fingerprint detect
name: Android Biometric/Fingerprint - Detect
author: gaurang
severity: info
description: Android Biometric/Fingerprint permission files were detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: android,file
file:
- extensions:
- all
matchers:
- type: word
words:
- "android.permission.USE_FINGERPRINT"
- "android.permission.USE_BIOMETRIC"
# Enhanced by md on 2023/05/02
# digest: 4b0a00483046022100f43f7c82a443df1bdd1728b98b23a3d63aaa901d0338bf24a418fa62aa5b99c3022100d42fbf9d55efd87f006503421e1589c32046deb9fe240809156c321d870cfec9:922c64590222798bb761d5b6d8e72950

12
file/android/certificate-validation.yaml
View File

@ -1,16 +1,22 @@
id: improper-certificate-validation
info:
name: Improper Certificate Validation
name: Android Improper Certificate Validation - Detect
author: gaurang
severity: medium
description: Android improper certificate validation was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: android,file
file:
- extensions:
- all
matchers:
- type: word
words:
- "Landroid/webkit/SslErrorHandler;->proceed()V"
# Enhanced by md on 2023/05/02
# digest: 4a0a00473045022100aef4ef4ea43eae93cb0373d207d40684412a63044e33386a05852840b2ee110702203dce816c57358a4a1b8ddf362be46263693e4295e9bcff78bfd6d7f2e32f6cd3:922c64590222798bb761d5b6d8e72950

12
file/android/content-scheme.yaml
View File

@ -1,16 +1,22 @@
id: content-scheme
info:
name: Content Scheme Enabled
name: Android Content Scheme - Detect
author: gaurang
severity: info
description: Android content scheme enabling was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: android,file
file:
- extensions:
- xml
matchers:
- type: word
words:
- "android:scheme=\"content\""
# Enhanced by md on 2023/05/03
# digest: 4a0a0047304502201ca83928239ca3b0a3219fa4f2907f800eb31702bca0f70be096d4c26d041343022100a07bae71e1117a4eee7953c74184cb2bc2ee89e96b8c9af492bd20f66e6e9a6c:922c64590222798bb761d5b6d8e72950

5
file/android/debug-enabled.yaml
View File

@ -4,13 +4,14 @@ info:
name: Android Debug Enabled
author: gaurang
severity: low
description: Android debug enabling was detected.
tags: android,file
file:
- extensions:
- all
matchers:
- type: regex
regex:
- "android:debuggable=\"true\""
# digest: 4a0a0047304502203616fe532eee00daa7402f8e6595e34c0ce7bc19cc6777f164d069adb081267e022100cf17913c42a3a234371ca0236fbd066317c53d36b3c6ceabffb130eeffadbcf8:922c64590222798bb761d5b6d8e72950

11
file/android/deep-link-detect.yaml
View File

@ -1,17 +1,21 @@
id: deep-link-detect
info:
name: Deep Link Detection
name: Android Deep Link - Detect
author: Hardik-Solanki
severity: info
description: Android deep link functionality was detected.
reference:
- https://developer.android.com/training/app-links/deep-linking
- https://www.geeksforgeeks.org/deep-linking-in-android-with-example/
- https://medium.com/@muratcanbur/intro-to-deep-linking-on-android-1b9fe9e38abd
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
metadata:
verified: true
tags: android,file,deeplink
file:
- extensions:
- xml
@ -24,3 +28,6 @@ file:
- "android:host"
- "android:name"
condition: and
# Enhanced by md on 2023/05/02
# digest: 490a0046304402207edbcd24d76af152b6368274009d835e0462d0256c4e99c2819ca0f9e691ec34022078cfca39b64958091ac474623fb5bdc89f79e3e0e716ecc706b092fd003b9987:922c64590222798bb761d5b6d8e72950

12
file/android/dynamic-broadcast-receiver.yaml
View File

@ -1,16 +1,22 @@
id: dynamic-registered-broadcast-receiver
info:
name: Dynamic Registered Broadcast Receiver
name: Android Dynamic Broadcast Receiver Register - Detect
author: gaurang
severity: info
description: Android dynamic broadcast receiver register functionality was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: android,file
file:
- extensions:
- all
matchers:
- type: word
words:
- ";->registerReceiver(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)"
# Enhanced by md on 2023/05/02
# digest: 490a0046304402200a21274be70d274c77c63cf66b98e1d17b14fcbfff10995feefc37a44c7cbc6a022076339e3fbebc6122b4991b64b1c1208697e31560886e2d86f5a0ac665c582758:922c64590222798bb761d5b6d8e72950

12
file/android/file-scheme.yaml
View File

@ -1,16 +1,22 @@
id: file-scheme
info:
name: File Scheme Enabled
name: Android File Scheme - Detect
author: gaurang
severity: info
description: Android file scheme enabling was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: android,file
file:
- extensions:
- xml
matchers:
- type: word
words:
- "android:scheme=\"file\""
# Enhanced by md on 2023/05/03
# digest: 4a0a00473045022100e1b3965f57f869c3babac5d0d8eaab8473fbd547ede00744e8e2dc2bb683f10c02200491a767c6fda145c2b792a960fdfac4f541c9ae9db0256dcffc1b858d9ddd13:922c64590222798bb761d5b6d8e72950

20
file/android/google-storage-bucket.yaml Normal file
View File

@ -0,0 +1,20 @@
id: google-storage-bucket
info:
name: Google Storage Bucket - Detection
author: Thabisocn
severity: info
metadata:
verified: "true"
github-query: "/[a-z0-9.-]+\\.appspot\\.com/"
tags: file,android,google
file:
- extensions:
- all
extractors:
- type: regex
regex:
- "[a-z0-9.-]+\\.appspot\\.com"
# digest: 4b0a00483046022100f5b1873c8bca743330c13ec8aa0470d0456310ee42d1afcf58efba79f1a645720221008f58f9cff9e8ccfea0b4a3d8e6ed14c9d20c5ddb8d6106f113a6ff0d28f29b62:922c64590222798bb761d5b6d8e72950

12
file/android/provider-path.yaml
View File

@ -1,17 +1,23 @@
id: insecure-provider-path
info:
name: Insecure Provider Path
name: Android Insecure Provider Path - Detect
author: gaurang
severity: medium
description: Android insecure provider path was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: android,file
file:
- extensions:
- all
matchers:
- type: regex
regex:
- "root-path name=\"[0-9A-Za-z\\-_]{1,10}\" path=\".\""
- "root-path name=\"[0-9A-Za-z\\-_]{1,10}\" path=\"\""
# Enhanced by md on 2023/05/02
# digest: 4b0a00483046022100c7a1b1c2556047998abaef0b98976b35c8058ceaa66838bf8711c30ef2cf36980221009595cab483ee1f8c602d9d2c936db350b1d8622fb32470d74e62e88c43c72452:922c64590222798bb761d5b6d8e72950

12
file/android/webview-addjavascript-interface.yaml
View File

@ -1,16 +1,22 @@
id: webview-addjavascript-interface
info:
name: Webview addJavascript Interface Usage
name: Android WebView Add Javascript Interface - Detect
author: gaurang
severity: info
description: Android WebView Add Javascript interface usage was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: android,file
file:
- extensions:
- all
matchers:
- type: word
words:
- ";->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V"
# Enhanced by md on 2023/05/02
# digest: 490a0046304402203981bdb59f2dcb96fc32d914a6ad857c3ab9cc7a7e13721fbb70d5e02d56479602203f304de4f54bc79bb48097452fe53cf82aed0a50741027791fecdc92909a32a0:922c64590222798bb761d5b6d8e72950

12
file/android/webview-javascript.yaml
View File

@ -1,16 +1,22 @@
id: webview-javascript-enabled
info:
name: Webview JavaScript enabled
name: WebView JavaScript - Detect
author: gaurang
severity: info
description: WebView Javascript enabling was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: android,file,javascript
file:
- extensions:
- all
matchers:
- type: word
words:
- "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V"
# Enhanced by md on 2023/05/03
# digest: 490a0046304402202cb44b3b176f00694b16cac7a61f5db343e65232d7dbb0e4c3f19815322ffa30022041f4229478a122c2b2f3b7878815a3391f9725e527b8eb7c18488d0c958b3324:922c64590222798bb761d5b6d8e72950

12
file/android/webview-load-url.yaml
View File

@ -1,16 +1,22 @@
id: webview-load-url
info:
name: Webview loadUrl usage
name: WebView loadUrl - Detect
author: gaurang
severity: info
description: WebView loadUrl usage was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: android,file
file:
- extensions:
- all
matchers:
- type: word
words:
- "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V"
# Enhanced by md on 2023/05/02
# digest: 4a0a0047304502203e6573c6bd46a8ffccb46b934de85f8489aa4206ace3c395eb97ded8a483ca6d022100dc2c1947834d8746ee19b34dc7ca18c67691235cb4d04c3530b52d9a072cdf22:922c64590222798bb761d5b6d8e72950

12
file/android/webview-universal-access.yaml
View File

@ -1,16 +1,22 @@
id: webview-universal-access
info:
name: Webview Universal Access enabled
name: Android WebView Universal Access - Detect
author: gaurang
severity: medium
description: Android WebView Universal Access enabling was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: android,file
file:
- extensions:
- all
matchers:
- type: word
words:
- "Landroid/webkit/WebSettings;->setAllowUniversalAccessFromFileURLs(Z)V"
# Enhanced by md on 2023/05/03
# digest: 4a0a00473045022100a47e2082fc66a04948c89867eea66d41624cf5a26a7e0e6faebecd5e18281a74022025ef3b1093b7cfa7eeb45aea5a30518577674355526f2621c96bde80d175642a:922c64590222798bb761d5b6d8e72950

12
file/audit/cisco/configure-aaa-service.yaml
View File

@ -1,15 +1,18 @@
id: configure-aaa-service
info:
name: Configure AAA service
name: Cisco AAA Service Configuration - Detect
author: pussycat0x
severity: info
description: |
Authentication, authorization and accounting (AAA) services provide an authoritative source for managing and monitoring access for devices.
Cisco authentication, authorization and accounting service configuration was detected.
reference:
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-a2.html#GUID-E05C2E00-C01E-4053-9D12-EC37C7E8EEC5
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: cisco,config-audit,cisco-switch,file,router
file:
- extensions:
- conf
@ -24,3 +27,6 @@ file:
- type: word
words:
- "configure terminal"
# Enhanced by md on 2023/05/02
# digest: 4a0a00473045022079df055c2e5696994818ce4c85c08341ceb33ee8812c8f7c489991bbb85c13e5022100889d8d69f0812d3402167ff57e13d702a8fde570d27ec634e6ec90edc647b81e:922c64590222798bb761d5b6d8e72950

12
file/audit/cisco/configure-service-timestamps-debug.yaml
View File

@ -1,15 +1,18 @@
id: configure-service-timestamps-debug
info:
name: Configure Service Timestamps for Debug
name: Cisco Configure Service Timestamps for Debug - Detect
author: pussycat0x
severity: info
description: |
To configure the system to time-stamp debugging or logging messages, use one of the service timestamps global configuration commands. Use the no form of this command to disable this service.
The configuration for service timestamps on Cisco devices was not implemented for debugging purposes. It's important to note that timestamps can be added to either debugging or logging messages independently.
reference:
- https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: cisco,config-audit,cisco-switch,file,router
file:
- extensions:
- conf
@ -24,3 +27,6 @@ file:
- type: word
words:
- "configure terminal"
# Enhanced by md on 2023/05/02
# digest: 4a0a00473045022100bc3785d0a7b24f396ab4fed4a8d9f901369fe263a0749c872fcaf5385e07db80022003bd8f4e1e5c637b8226641ce70b584a59608f1311c98f43fa7b74f0605ffe75:922c64590222798bb761d5b6d8e72950

12
file/audit/cisco/configure-service-timestamps-logmessages.yaml
View File

@ -1,15 +1,18 @@
id: configure-service-log-messages
info:
name: Configure Service Timestamps Log Messages
name: Cisco Configure Service Timestamps Log Messages - Detect
author: pussycat0x
severity: info
description: |
To configure the system to time-stamp debugging or logging messages, use one of the service timestamps global configuration commands. Use the no form of this command to disable this service.
Cisco service timestamp configuration for log messages was not implemented.
reference:
- https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: cisco,config-audit,cisco-switch,file,router
file:
- extensions:
- conf
@ -24,3 +27,6 @@ file:
- type: word
words:
- "configure terminal"
# Enhanced by md on 2023/05/02
# digest: 4a0a00473045022100eec5568ee37b9570d34f5a84ef8cb6c87e0d4c328c563a315bae6485d81f34c602205dd2190d468102b996589f3d15fca169cf6805a71b5cd76c30f5db5d02189b25:922c64590222798bb761d5b6d8e72950

12
file/audit/cisco/disable-ip-source-route.yaml
View File

@ -1,15 +1,19 @@
id: disable-ip-source-route
info:
name: Disable IP source-route
name: Cisco Disable IP Source-Route - Detect
author: pussycat0x
severity: info
description: |
Organizations should plan and implement network policies to ensure unnecessary services are explicitly disabled. The 'ip source-route' feature has been used in several attacks and should be disabled.
Cisco IP source-route functionality has been utilized in several attacks. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
remediation: Disable IP source-route where appropriate.
reference:
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i4.html#GUID-C7F971DD-358F-4B43-9F3E-244F5D4A3A93
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: cisco,config-audit,cisco-switch,file,router
file:
- extensions:
- conf
@ -24,3 +28,5 @@ file:
- type: word
words:
- "configure terminal"
# digest: 4a0a00473045022074c0a1cf8e4aa1aae86601df3d56f2d8a24cbdfd644ff047cfb34ed4c79397080221009b5f95e3a473009298bb7cf875d282617fb93ad30dafc9c3f2efcba049e672ea:922c64590222798bb761d5b6d8e72950

11
file/audit/cisco/disable-pad-service.yaml
View File

@ -1,15 +1,18 @@
id: disable-pad-service
info:
name: Disable PAD service
name: Cisco Disable PAD - Detect
author: pussycat0x
severity: info
description: |
To reduce the risk of unauthorized access, organizations should implement a security policy restricting unnecessary services such as the 'PAD' service.
Cisco PAD service has proven vulnerable to attackers. To reduce the risk of unauthorized access, organizations should implement a security policy restricting or disabling unnecessary access.
reference:
- http://www.cisco.com/en/US/docs/ios-xml/ios/wan/command/wan-s1.html#GUID-C5497B77-3FD4-4D2F-AB08-1317D5F5473B
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: cisco,config-audit,cisco-switch,file,router
file:
- extensions:
- conf
@ -24,3 +27,5 @@ file:
- type: word
words:
- "configure terminal"
# digest: 4a0a00473045022100c59ff03045b104e65dc2f92569ebc4ed981b39844b3e1fc03d48b1ed82e1e0a3022056fd96605d454caebc29595bf2d7771efe3b438061f4c50245a3897f7176ddcd:922c64590222798bb761d5b6d8e72950

5
file/audit/cisco/enable-secret-for-password-user-and-.yaml
View File

@ -5,11 +5,10 @@ info:
author: pussycat0x
severity: info
description: |
To configure the system to time-stamp debugging or logging messages, use one of the service timestamps global configuration commands. Use the no form of this command to disable this service.
To configure the system to time-stamp debugging or logging messages, use one of the service timestamps global configuration commands. Use the no form of this command to disable this service.
reference:
- https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/service_timestamps.htm
tags: cisco,config-audit,cisco-switch,file,router
file:
- extensions:
- conf
@ -24,3 +23,5 @@ file:
- type: word
words:
- "configure terminal"
# digest: 4a0a0047304502204f6beffea112852a6e7dbf11a7fd8fe97da58385e475b5d3485a12678568107f022100afe3edd05b216cb7a94d9080430e939c95b36d13f0195516681a1e2b31874aec:922c64590222798bb761d5b6d8e72950

12
file/audit/cisco/logging-enable.yaml
View File

@ -1,15 +1,18 @@
id: logging-enable
info:
name: Logging enable
name: Cisco Logging Enable - Detect
author: pussycat0x
severity: info
description: |
Enabling the Cisco IOS 'logging enable' command enforces the monitoring of technology risks for the organizations' network devices.
Cisco logging 'logging enable' enable command enforces the monitoring of technology risks for organizations' network devices.
reference:
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-16-6/config-mgmt-xe-16-6-book/cm-config-logger.pdf
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: cisco,config-audit,cisco-switch,file
file:
- extensions:
- conf
@ -24,3 +27,6 @@ file:
- type: word
words:
- "configure terminal"
# Enhanced by md on 2023/05/03
# digest: 4a0a0047304502202a8c038850f96007448de5721920df67d783f04b494c7cad889ff010905c651a0221008d64ff006c97de269f9503222257a6d9bf550a462eddb4112d600a65513b1321:922c64590222798bb761d5b6d8e72950

12
file/audit/cisco/set-and-secure-passwords.yaml
View File

@ -1,15 +1,18 @@
id: set-and-secure-passwords
info:
name: Set and secure passwords
name: Cisco Set and Secure Password - Detect
author: pussycat0x
severity: info
description: |
To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. To remove the password requirement, use the no form of this command.
Cisco set and secure password functionality is recommended to control privilege level access. To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. To remove the password requirement, use the no form of this command.
reference:
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-e1.html#wp3884449514
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: cisco,config-audit,cisco-switch,file
file:
- extensions:
- conf
@ -24,3 +27,6 @@ file:
- type: word
words:
- "configure terminal"
# Enhanced by md on 2023/05/03
# digest: 490a0046304402207029e29a2d75aea030e8818991a5da7ab7c47204f24a1c238ddcfd78138d8c2e022013f3a96886a9daa37c9df80d46fe6ec3f59a1cce3423fae634016908b8e5ee2c:922c64590222798bb761d5b6d8e72950

12
file/audit/fortigate/auto-usb-install.yaml
View File

@ -1,13 +1,16 @@
id: auto-usb-install
info:
name: Auto USB Installation Enabled
name: Fortinet Auto USB Installation Enabled - Detect
author: pussycat0x
severity: info
description: If USB installation is not disabled, an attacker with physical access to a FortiGate could load a new configuration or firmware using the USB port.
description: Via Fortinet Auto USB installation, an attacker with physical access to a FortiGate can load a new configuration or firmware using the USB port, thereby potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: audit,config,file,firewall,fortigate
file:
- extensions:
- conf
@ -26,3 +29,6 @@ file:
- "config router"
- "config firewall"
condition: or
# Enhanced by md on 2023/05/03
# digest: 4b0a00483046022100ccc576bcc6257505a68ceaefbbe56b0c66e38c49ec5b93942176d669e5e01959022100fab05994e7edde53474a33d7e43c9513f59ff7a55d485122457864b2390aeb5e:922c64590222798bb761d5b6d8e72950

13
file/audit/fortigate/heuristic-scan.yaml
View File

@ -1,13 +1,17 @@
id: heuristic-scan
info:
name: Heuristic scanning is not configured
name: Fortinet Heuristic Scanning not Configured - Detect
author: pussycat0x
severity: info
description: Heuristic scanning is a technique used to identify previously unknown viruses. A value of block enables heuristic AV scanning of binary files and blocks any detected. A replacement message will be forwarded to the recipient. Blocked files are quarantined if quarantine is enabled.
description: |
Fortinet heuristic scanning configuration is advised to thwart attacks. Heuristic scanning is a technique used to identify previously unknown viruses. A value of block enables heuristic AV scanning of binary files and blocks any detected. A replacement message is forwarded to the recipient, and blocked files are quarantined if quarantine is enabled.
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: audit,config,file,firewall,fortigate
file:
- extensions:
- conf
@ -26,3 +30,6 @@ file:
- "config router"
- "config firewall"
condition: or
# Enhanced by md on 2023/05/03
# digest: 4a0a00473045022100fa37189cba4ed2ec0013bb0b51b8a53f8d0cbc15e173827ddb5936e9d9bf7f1e02206dfeeaf7dffec71e85545522022158bb29aa157802a79a06a040ed4c112abbb5:922c64590222798bb761d5b6d8e72950

12
file/audit/fortigate/inactivity-timeout.yaml
View File

@ -1,13 +1,16 @@
id: inactivity-timeout
info:
name: Inactivity Timeout Not Implemented
name: Fortinet Inactivity Timeout Not Implemented - Detect
author: pussycat0x
severity: info
description: Lack of Inactivity Timeout gives the unauthorized user to act within that threshold if the administrator is away from the computer.
description: If Fortinet inactivity timeout functionality is disabled, an attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations within that window if the administrator is away from the computer.
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: audit,config,file,firewall,fortigate
file:
- extensions:
- conf
@ -25,3 +28,6 @@ file:
- "config router"
- "config firewall"
condition: or
# Enhanced by md on 2023/05/03
# digest: 4a0a00473045022100cea6b95920897938fc382b500396ac8f32ff99b0eec0ecaf088fb5cb0449776802202a68db332abee65d2afb58c2fa4c6934543e89992df389a9f324ad70d6a67c9b:922c64590222798bb761d5b6d8e72950

11
file/audit/fortigate/maintainer-account.yaml
View File

@ -1,13 +1,16 @@
id: maintainer-account
info:
name: Maintainer Account Not Implemented
name: Fortinet Maintainer Account Not Implemented - Detect
author: pussycat0x
severity: info
description: If the FortiGate is compromised and Password is not recoverable. A maintainer account can be used by an administrator with physical access to log into CLI..
description: In Fortinet, if a FortiGate is compromised and the password is not recoverable, a maintainer account can be used by an administrator with physical access to log into CLI.
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: audit,config,file,firewall,fortigate
file:
- extensions:
- conf
@ -25,3 +28,5 @@ file:
- "config router"
- "config firewall"
condition: or
# digest: 4a0a0047304502210095dfe6f50e1344c29cb73fdf72e79eec9b146ee421cafb0ec09d8b252f26cd18022019682a67d6b6265c8c4ca6ba95d900ce429ad5bbb188af95953698ab445dad8b:922c64590222798bb761d5b6d8e72950

11
file/audit/fortigate/password-policy.yaml
View File

@ -1,13 +1,16 @@
id: password-policy
info:
name: Password Policy not Set
name: Fortinet Password Policy Not Set - Detect
author: pussycat0x
severity: info
description: The Administrative Password Policy is not set. Use the password policy feature to ensure all administrators use secure passwords that meet your organization's requirements.
description: Fortinet administrative password policy is not set. Using this feature is recommended to ensure all administrators use secure passwords that meet organizations' requirements.
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: fortigate,config,audit,file,firewall
file:
- extensions:
- conf
@ -25,3 +28,5 @@ file:
- "config router"
- "config firewall"
condition: or
# digest: 4a0a00473045022100973422e6e42cfee55eeb7bcb78a54ebc4382c2e74d87bd231fcdd44e89c42b5d02207cf72f8c099025aa5c7aad767d31a2847cf74fbbe73c43194502bf807d9c81b7:922c64590222798bb761d5b6d8e72950

14
file/audit/fortigate/remote-auth-timeout.yaml
View File

@ -1,13 +1,17 @@
id: remote-auth-timeout
info:
name: Remote Authentication timeout not set
name: Fortinet Remote Authentication Timeout Not Set - Detect
author: pussycat0x
severity: info
description: Lack of Inactivity Timeout gives the unauthorized user to act within that threshold if the administrator is away from the computer.
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
description: Fortinet remote authentication timeout functionality is recommended to be enabled. Lack of a set timeout can allow an attacker to act within that threshold if the administrator is away from the computer, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: audit,config,file,firewall,fortigate
file:
- extensions:
- conf
@ -25,3 +29,5 @@ file:
- "config router"
- "config firewall"
condition: or
# digest: 4a0a004730450220460b3387929bbf2d35f5e220f1501f7e95aee4169633d49cab715e89830e44b102210090004afc4f71c06bfc0c3b2762dd2f6094c2abbe7cef201ebd30f98b7c38e3a5:922c64590222798bb761d5b6d8e72950

11
file/audit/fortigate/scp-admin.yaml
View File

@ -1,13 +1,16 @@
id: scp-admin
info:
name: Admin-SCP Disabled
name: Fortinet Admin-SCP Disabled - Detect
author: pussycat0x
severity: info
description: Disable SCP by default. Enabling SCP allows downloading the configuration file from the FortiGate as an alternative method of backing up the configuration file.
description: Fortinet Admin-SCP functionality is recommended to be disabled by default. Enabling SCP allows download of the configuration file from the FortiGate as an alternative method of backing up the configuration file.
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: audit,config,file,firewall,fortigate
file:
- extensions:
- conf
@ -25,3 +28,5 @@ file:
- "config router"
- "config firewall"
condition: or
# digest: 4a0a00473045022017907ef84d543d31938a81f98b74c0e2cbb8046446564d60d93ab016b211ccbe022100bf653ab2e2a8cd2b59fe160d7c5a605fdb079fff2eb049540f0c0e59d79272dd:922c64590222798bb761d5b6d8e72950

3
file/audit/fortigate/strong-ciphers.yaml
View File

@ -7,7 +7,6 @@ info:
description: Weak Ciphers can be broken by an attacker in a local network and can perform attacks like Blowfish.
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
tags: audit,config,file,firewall,fortigate
file:
- extensions:
- conf
@ -25,3 +24,5 @@ file:
- "config router"
- "config firewall"
condition: or
# digest: 4a0a00473045022100c807aaceda1d677145cd86b23d68df8651d47461ff50883ab407b999b3ab89d8022066419939b0b5d9f1d44fecd6958ab45e46a3f1c931ef94f2f36ca71907d46974:922c64590222798bb761d5b6d8e72950

12
file/audit/pfsense/configure-dns-server.yaml
View File

@ -1,17 +1,20 @@
id: configure-dns-server
info:
name: Configure DNS Server
name: DNS Server Not Implemented - Detect
author: pussycat0x
severity: info
description: |
The purpose DNs server is to perform the resolution of system hostnames to Internet Protocol (IP) addresses.
DNS is recommended to be configured over TLS. This prevents intermediate parties and potential attackers from viewing the content of DNS queries and can also assure that DNS is being provided by the expected DNS servers.
reference: |
https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
metadata:
verified: true
tags: firewall,config,audit,pfsense,file
file:
- extensions:
- xml
@ -28,3 +31,6 @@ file:
- "<pfsense>"
- "<system>"
condition: and
# Enhanced by md on 2023/05/04
# digest: 4a0a0047304502206e6b95e81bec7d3776c15a7d13ee6ceec276641f2cea2b0e3f27cfbff11ffb0b022100dc3dd5041f7ff2b046b72bb868c4e08c18766913069ee573ca4da3347a603e75:922c64590222798bb761d5b6d8e72950

12
file/audit/pfsense/configure-session-timeout.yaml
View File

@ -1,17 +1,20 @@
id: configure-session-timeout
info:
name: Configure Sessions Timeout
name: PfSence Configure Sessions Timeout Not Set - Detect
author: pussycat0x
severity: info
description: |
Indefinite or even long session timeout window increase the risk of attackers abusing abandoned sessions.
Configure sessions timeout is recommended to be enabled. An indefinite or even long session timeout window can increase the risk of an attacker abusing abandoned sessions and potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: |
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
metadata:
verified: true
tags: firewall,config,audit,pfsense,file
file:
- extensions:
- xml
@ -31,3 +34,6 @@ file:
- "<webgui>"
- "<system>"
condition: and
# Enhanced by md on 2023/05/04
# digest: 4a0a004730450220428bd620e5177de61a4b58993a27ef7ff13adb0f5fbbd6590d7801c1f719b1710221009a9c3c9efdc4581d55bbbdebf48baf7d32ebd75cfb3cd0f0e2326b91922aceed:922c64590222798bb761d5b6d8e72950

13
file/audit/pfsense/enable-https-protocol.yaml
View File

@ -1,18 +1,20 @@
id: enable-https-protocol
info:
name: Enable HTTPS on Web Management
name: Pfsence Web Admin Management Portal HTTPS Not Set - Detect
author: pussycat0x
severity: info
description: |
Web Admin Management Portal should only be accessed using HTTPS Protocol.HTTP transmits all data (including passwords) in clear text over the network and
provides no assurance of the identity of the hosts involved.
PfSence Web Admin Management Portal is recommended to be accessible using only HTTPS protocol. HTTP transmits all data, including passwords, in clear text over the network and provides no assurance of the identity of the hosts involved, making it possible for an attacker to obtain sensitive information, modify data, and/or execute unauthorized operations.
reference: |
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
metadata:
verified: true
tags: firewall,config,audit,pfsense,file
file:
- extensions:
- xml
@ -31,3 +33,6 @@ file:
- "<pfsense>"
- "<system>"
condition: and
# Enhanced by md on 2023/05/04
# digest: 4a0a0047304502200b7f468fa03dc5a9da4434cc16c2158051689e6367855fc15e3bbebc5396ce03022100dfcf501466defaa4960609da00c79d3015a88752b60735097487324e61281425:922c64590222798bb761d5b6d8e72950

15
file/audit/pfsense/known-default-account.yaml
View File

@ -1,18 +1,18 @@
id: known-default-account
info:
name: Known Default Account - Detect
name: PfSence Known Default Account - Detect
author: pussycat0x
severity: info
description: |
In order to attempt access to known devices' platforms, attackers use the available database of the known default accounts for each platform or Operating System.
The known default accounts are often (without limiting to) the following: 'admin'.
PfSence configured known default accounts are recommended to be deleted. In order to attempt access to known devices' platforms, an attacker can use the available database of the known default accounts for each platform or operating system. Known default accounts are often, but not limited to, 'admin'.
reference: |
- https://docs.netgate.com/pfsense/en/latest/usermanager/defaults.html
remediation: |
Deletes the known default accounts configured.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: audit,config,file,firewall,pfsense
file:
- extensions:
- xml
@ -25,3 +25,6 @@ file:
- "<descr><![CDATA[System Administrator]]></descr>"
- "<priv>user-shell-access</priv>"
condition: and
# Enhanced by md on 2023/05/04
# digest: 490a004630440220021b724d5c938c772dce4f4fb69947f5b07bb278e82211289af983207ea2091902205e36a512ae90e197d329cfa247658297e6bf6ffdde97aa1f6c54900c057c1448:922c64590222798bb761d5b6d8e72950

12
file/audit/pfsense/password-protected-consolemenu.yaml
View File

@ -1,17 +1,20 @@
id: password-protected-consolemenu
info:
name: Configure Password Protected on Console Menu
name: PfSence Consolemenu Password Protection Not Implememnted - Detect
author: pussycat0x
severity: info
description: |
An unattended computer with an open Console Menu session to the device could allow an unauthorized user access to the firewalls management.
PfSence password protection via the Console Menu is recommended to be configured. An unattended computer with an open Console Menu session can allow an unauthorized user access to the firewall management.
reference: |
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
metadata:
verified: true
tags: firewall,config,audit,pfsense,file
file:
- extensions:
- xml
@ -31,3 +34,6 @@ file:
- "<webgui>"
- "<system>"
condition: and
# Enhanced by md on 2023/05/04
# digest: 490a00463044022012ee67126f50b5cf259b101b1f2b9ea34d9675f8d1741eb4edfb87b4abfeca6202207f3522cd9d8e35fe7d2dcccc815c28638b0799ceded0dbeea3572cb3f612e891:922c64590222798bb761d5b6d8e72950

13
file/audit/pfsense/set-hostname.yaml
View File

@ -1,16 +1,18 @@
id: set-hostname
info:
name: Ensure Hostname is Set
name: PfSence Hostname Not Set - Detect
author: pussycat0x
severity: info
description: |
Ensure Hostname is set is a process that helps to ensure that the computer or device is being identified correctly on a network.
The hostname is a unique identifier for the device, and it is important that it is properly set so that other devices on the network can identify it.
PfSence Hostname should be set so that other devices on the network can correctly identify it. The hostname is a unique identifier for the device.
reference: |
https://docs.netgate.com/pfsense/en/latest/config/general.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: firewall,config,audit,pfsense,file
file:
- extensions:
- xml
@ -23,3 +25,6 @@ file:
- "<hostname></hostname>"
- "domain>"
condition: and
# Enhanced by md on 2023/05/04
# digest: 4a0a00473045022052d3112a4e98adccd6b8fccd98f95244557d07eb4caef53dc9f09b7f996d642e022100e56f7d85f2d9bcbb8a03fc01e20588b9d2cb93de814a82b1e77069c2b48be485:922c64590222798bb761d5b6d8e72950

3
file/bash/bash-scanner.yaml
View File

@ -9,7 +9,6 @@ info:
- https://www.tecmint.com/10-most-dangerous-commands-you-should-never-execute-on-linux/
- https://phoenixnap.com/kb/dangerous-linux-terminal-commands
tags: bash,file,shell,sh
file:
- extensions:
- sh
@ -45,3 +44,5 @@ file:
name: unknown filedownload
regex:
- '(wget|curl) (https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]\.[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]$'
# digest: 4a0a00473045022100db6e5f84fe8da8728aa4f05dd83a5d033d062fe552a148d3cf2fd599277d1eaf022040d4296bef6df6b57b8381af30fc75730d9bf8103ce7d37bdcfbe91317fc5344:922c64590222798bb761d5b6d8e72950

9
file/electron/electron-version-detect.yaml
View File

@ -1,13 +1,16 @@
id: electron-version-detect
info:
name: Electron Version Detect
name: Electron Version - Detect
author: me9187
severity: info
reference:
- https://www.electronjs.org/blog/chromium-rce-vulnerability/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: electron,file
file:
- extensions:
- json
@ -16,3 +19,5 @@ file:
- type: regex
regex:
- '"electronVersion":"[^"]*"'
# digest: 4b0a00483046022100a04f77fdda5916ff33b294ee3addb5451db77585a39ae8673f4cdfed08974d7b022100d421b8bd0600e4310c8ef55ea0b2a18771258f3c6c6ab884e8d661a6965c3112:922c64590222798bb761d5b6d8e72950

5
file/electron/node-integration-enabled.yaml
View File

@ -10,15 +10,12 @@ info:
- https://blog.yeswehack.com/yeswerhackers/exploitation/pentesting-electron-applications/
- https://book.hacktricks.xyz/pentesting/pentesting-web/xss-to-rce-electron-desktop-apps
tags: electron,file,nodejs
file:
- extensions:
- all
matchers:
- type: word
words:
- "nodeIntegration: true"
# Enhanced by mp on 2022/05/19
# digest: 4a0a00473045022070caab60eefc323b37e341d70c757d85c7fedf66d0e35b51a425a8aa7ec6c847022100bca4045fc5d68b14d123532d732daa73ffbc5af0e124764325706d859da74e9f:922c64590222798bb761d5b6d8e72950

3
file/js/js-analyse.yaml
View File

@ -9,7 +9,6 @@ info:
metadata:
verified: true
tags: file,js-analyse,js,javascript
file:
- extensions:
- js
@ -31,3 +30,5 @@ file:
name: extracted-uri
regex:
- "(?i)([a-z]{0,10}):(//|/)[a-z0-9\\./?&-_=:]+"
# digest: 490a004630440220295fa966d911a692e343adc830f080654abda1d1b1f3e59a421a54a5e9d29fe802203b8bf407243a4e13d0567bf99a9c6b4f6bcb863600c1a6a54c53cc67bec50f51:922c64590222798bb761d5b6d8e72950

23
file/keys/adafruit-key.yaml Normal file
View File

@ -0,0 +1,23 @@
id: adafruit-key
info:
name: Adafruit API Key
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adafruit-api-key.yaml
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adafruit-api-key.go
metadata:
verified: true
tags: adafruit,file,keys
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)(?:adafruit)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
# digest: 4a0a00473045022100e18e66c25918d1d8e980ab39a1d206e65dc34ef8b6ae0e043c87d34f0496d4260220651cd87fb75b897e27766f354e0711534ef67b6f368885d00fbf79ed44ed72a7:922c64590222798bb761d5b6d8e72950

23
file/keys/adobe/adobe-client.yaml Normal file
View File

@ -0,0 +1,23 @@
id: adobe-client
info:
name: Adobe Client ID
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adobe-client-id.yaml
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adobe-client-id.go
metadata:
verified: true
tags: adobe,file,token
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)(?:adobe)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
# digest: 4a0a00473045022100eff30b8e55f06b16c9d6319765c2ad58854c26856e355f039d1d5414b5d8258f02205c05e1a7b8edf37112c3c501eafc3207179c8e9afdda5f9c6ca93dc1dc7b9438:922c64590222798bb761d5b6d8e72950

3
file/keys/adobe-secret.yaml → file/keys/adobe/adobe-secret.yaml
View File

@ -12,7 +12,6 @@ info:
metadata:
verified: true
tags: adobe,oauth,file,token
file:
- extensions:
- all
@ -22,3 +21,5 @@ file:
part: body
regex:
- '(?i)\b(p8e-[a-z0-9-]{32})(?:[^a-z0-9-]|$)'
# digest: 4b0a0048304602210086cdebe3a78bf4282ea6b7e8107b833e98c6242501edc53c34ffad1d06dd8d760221009a912c40a016bdff61787eeb9d6fc9386c840a2b69b4c96915612c00fce6b493:922c64590222798bb761d5b6d8e72950

3
file/keys/age/age-identity-secret-key.yaml
View File

@ -11,7 +11,6 @@ info:
metadata:
verified: true
tags: age-encryption,file,token
file:
- extensions:
- all
@ -21,3 +20,5 @@ file:
part: body
regex:
- '\bAGE-SECRET-KEY-1[0-9A-Z]{58}\b'
# digest: 4a0a0047304502201a1f14a0a6f72bbd8e353c6db3647c596ccee294516249b42df3757df4fa56b7022100fe1dc8b4a2e83bd842dced9fff217732d392b28eb0dd027f7e6f75f5aff9d634:922c64590222798bb761d5b6d8e72950

3
file/keys/age/age-recipient-public-key.yaml
View File

@ -11,7 +11,6 @@ info:
metadata:
verified: true
tags: age-encryption,file,token
file:
- extensions:
- all
@ -21,3 +20,5 @@ file:
part: body
regex:
- '\bage1[0-9a-z]{58}\b'
# digest: 4a0a004730450221009fb14853721aa355f4dff9b164fd098ba99f8c579e3ef82325210e6fbbb8918f02203f2a50f4e91298e867107a4af77f80f70cbc2a5c7cad4fa4133d2d7233d51dda:922c64590222798bb761d5b6d8e72950

23
file/keys/airtable-key.yaml Normal file
View File

@ -0,0 +1,23 @@
id: airtable-key
info:
name: Airtable API Key
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/airtable-api-key.yaml
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/airtable-api-key.go
metadata:
verified: true
tags: airtable,file,token
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)(?:airtable)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{17})(?:['|\"|\n|\r|\s|\x60|;]|$)
# digest: 4b0a00483046022100f69a839cd0ef13a477e8e796614040b37eec85526932dca4bdf07ab3ff75f469022100ac62c27426f5f61546e702024dc2ab3293981cc05780460a2565bc9cb2c98ab8:922c64590222798bb761d5b6d8e72950

23
file/keys/algolia-key.yaml Normal file
View File

@ -0,0 +1,23 @@
id: algolia-key
info:
name: Algolia API Key
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/algolia-api-key.yaml
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/algolia-api-key.go
metadata:
verified: true
tags: algolia,file,keys
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)(?:algolia)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
# digest: 4a0a0047304502200114ce7db1c3fde42b20020e1d0ccddb88507568c665f21e1cdc8a7b722defdb022100c707d824ef36106683f16cc962e32ac899c727c5b22db59a7af8a4ab957a27d6:922c64590222798bb761d5b6d8e72950

23
file/keys/alibaba/alibaba-key-id.yaml Normal file
View File

@ -0,0 +1,23 @@
id: alibaba-key-id
info:
name: Alibaba Access Key ID
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/alibaba-access-key-id.yaml
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/alibaba-access-key-id.go
metadata:
verified: true
tags: alibaba,access,file,keys
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)\b((LTAI)(?i)[a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)
# digest: 4a0a00473045022010d9489b8b59a742d40af13eab87d1a56acc81ae51021beacd81f2cb3c2020670221008cfa46cab56f8ffd121bb8dad1d515c8136517f1da385fe6d1c364fcb95ef9b2:922c64590222798bb761d5b6d8e72950

23
file/keys/alibaba/alibaba-secret-id.yaml Normal file
View File

@ -0,0 +1,23 @@
id: alibaba-secret-id
info:
name: Alibaba Secret Key ID
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/alibaba-secret-key.yaml
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/alibaba-secret-key.go
metadata:
verified: true
tags: alibaba,secret,file,keys
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)(?:alibaba)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$)
# digest: 490a00463044022035a425a3c37a997471e5a91829014ba9e0e5be1e272e0cecd67317fcd54f5ea202204eaf1dd7997603c327ade970d78398373e7aa475aed015b70c2c6f2ec012c25d:922c64590222798bb761d5b6d8e72950

11
file/keys/amazon/amazon-account-id.yaml
View File

@ -1,15 +1,19 @@
id: amazon-account-id
info:
name: AWS Account ID
name: Amazon Web Services Account ID - Detect
author: DhiyaneshDK
severity: info
description: Amazon Web Services Account ID token was detected.
reference:
- https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/aws.yml
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
metadata:
verified: true
tags: aws,amazon,token,file
file:
- extensions:
- all
@ -19,3 +23,6 @@ file:
part: body
regex:
- '(?i)aws_?(?:account)_?(?:id)?["''`]?\s{0,30}(?::|=>|=)\s{0,30}["''`]?([0-9]{4}-?[0-9]{4}-?[0-9]{4})'
# Enhanced by md on 2023/05/04
# digest: 490a0046304402204cdf5ae5eafb194436533d3bd5d707d3ed6e82bde669a90a33d3d6e7f841a4f1022016cc2daac84b2c82e2566fd7f5c68b83f2f1cbf93a5a19d259ac963a0ac330d0:922c64590222798bb761d5b6d8e72950

11
file/keys/amazon/amazon-mws-auth-token.yaml
View File

@ -1,11 +1,15 @@
id: amazon-mws-auth-token-value
info:
name: Amazon MWS Auth Token
name: Amazon MWS Authentication Token - Detect
author: gaurang
severity: medium
description: Amazon MWS authentication token was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: token,file,amazon,auth
file:
- extensions:
- all
@ -14,3 +18,6 @@ file:
- type: regex
regex:
- "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Enhanced by md on 2023/05/04
# digest: 4a0a00473045022100a22e9ab4357449ff0b0d0e1d56fd2a2a815900eb260c13cdc8ca5b4904508d76022030e701c98fff70a3c0e8174fe27c30c87c60b0a4acdc97555a71970ab6e5e83a:922c64590222798bb761d5b6d8e72950

11
file/keys/amazon/amazon-session-token.yaml
View File

@ -1,15 +1,19 @@
id: amazon-session-token
info:
name: Amazon Session Token
name: Amazon Session Token - Detect
author: DhiyaneshDK
severity: info
description: Amazon session token was detected.
reference:
- https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/aws.yml
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
metadata:
verified: true
tags: aws,amazon,token,file,session
file:
- extensions:
- all
@ -19,3 +23,6 @@ file:
part: body
regex:
- '(?i)(?:aws.?session|aws.?session.?token|aws.?token)["''`]?\s{0,30}(?::|=>|=)\s{0,30}["''`]?([a-z0-9/+=]{16,200})[^a-z0-9/+=]'
# Enhanced by md on 2023/05/04
# digest: 490a00463044022042bbced45aee0d6943da5aac1efe8367af4c8d494a624bf45d428530a6fcba6e02204537fb05ae1ae72607f23bf06b9c8e0d20b917ba425905e80ce47cc7835d0a70:922c64590222798bb761d5b6d8e72950

11
file/keys/amazon/amazon-sns-token.yaml
View File

@ -1,11 +1,15 @@
id: amazon-sns-token
info:
name: Amazon SNS Token Detect
name: Amazon SNS Token - Detect
author: TheBinitGhimire
severity: info
description: Amazon SNS token was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: file,token,amazon,aws
file:
- extensions:
- all
@ -15,3 +19,6 @@ file:
name: amazon-sns-topic
regex:
- 'arn:aws:sns:[a-z0-9\-]+:[0-9]+:[A-Za-z0-9\-_]+'
# Enhanced by md on 2023/05/04
# digest: 4a0a004730450220498ac9e1f8922b28f9d1bdf0b66f41b9d55ab995d2eae1c6b4fc40b0bd7b39e5022100dae071582233b67060a20eda722d8204d7fc923666496cb98c164f884e09d8d7:922c64590222798bb761d5b6d8e72950

11
file/keys/amazon/aws-access-id.yaml
View File

@ -1,11 +1,15 @@
id: aws-access-key
info:
name: AWS Access Key ID
name: Amazon Web Services Access Key ID - Detect
author: gaurang
severity: info
description: Amazon Web Services Access Key ID token was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: token,file
file:
- extensions:
- all
@ -14,3 +18,6 @@ file:
- type: regex
regex:
- "(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
# Enhanced by md on 2023/05/04
# digest: 4a0a00473045022001180031643147e369ad54d397f6e1ec99e061e1a771b8ec6b9f024bb97300a7022100b5b3b3027d3e8edea6822f05c18070f5cbd64b111c6ac7aa37e3603fcb4b08ea:922c64590222798bb761d5b6d8e72950

11
file/keys/amazon/aws-cognito.yaml
View File

@ -1,11 +1,15 @@
id: aws-cognito-pool
info:
name: AWS Cognito Pool ID
name: Amazon Web Services Cognito Pool ID - Detect
author: gaurang
severity: info
description: Amazon Web Services Cognito Pool ID token was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0
cwe-id: CWE-200
tags: token,file
file:
- extensions:
- all
@ -30,3 +34,6 @@ file:
- "us-west-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}"
- "us-west-2:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}"
- "sa-east-1:[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}"
# Enhanced by md on 2023/05/04
# digest: 4b0a00483046022100b065a7fffa3f1696948239b6546af3ff6d33ddd2ab72ce11e55831f029a152c5022100ce912a53c74a47179c62dbf4a78e93a8f5fdcbbbf497a94e6e4f4ef2e76efd91:922c64590222798bb761d5b6d8e72950

23
file/keys/asana/asana-clientid.yaml Normal file
View File

@ -0,0 +1,23 @@
id: asana-clientid
info:
name: Asana Client ID
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/asana-client-id.go
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/asana-client-id.yaml
metadata:
verified: true
tags: asana,client,file,keys
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)
# digest: 4b0a00483046022100b5bca9cba24b0a4f3098d7a320c20a2152d1a115ea4677c6ca9eb9db50503b29022100c3189ce143a347cdb085e6eefa198c7c990e16049efd071154f7012490783fac:922c64590222798bb761d5b6d8e72950

23
file/keys/asana/asana-clientsecret.yaml Normal file
View File

@ -0,0 +1,23 @@
id: asana-clientsecret
info:
name: Asana Client Secret
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/asana-client-secret.go
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/asana-client-secret.yaml
metadata:
verified: true
tags: asana,client,file,keys,secret
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
# digest: 4a0a0047304502206b120f6ce1d96f67b8b676972a3f185e765c9b078a4023386c0aac41ca5f9ce6022100e263135d7df9faa92ca170f9da0cb5498ae505b0f70226672dcfed5dc23d13b5:922c64590222798bb761d5b6d8e72950

23
file/keys/atlassian/atlassian-api-token.yaml Normal file
View File

@ -0,0 +1,23 @@
id: atlassian-api-token
info:
name: Atlassian API Token
author: DhiyaneshDK
severity: info
reference:
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/atlassian-api-token.go
- https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/atlassian-api-token.yaml
metadata:
verified: true
tags: atlassian,file,token,api
file:
- extensions:
- all
extractors:
- type: regex
part: body
regex:
- (?i)(?:atlassian|confluence|jira)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)
# digest: 4b0a00483046022100f0bda35ab0c6f042d2fe14f13a5f210b1dc29f733309f6b8f4da56ce8fa8bfcb022100a0e0348deb81e70fd2cdb84edb4365eba4d60a08075348d8ada6a6e0c7e687b4:922c64590222798bb761d5b6d8e72950

Some files were not shown because too many files have changed in this diff Show More