Apache Tomcat Template improvements (#3446)

* Improved Tomcat matchers / extractors / paths

* removed duplicate detections / matchers

* removed duplicate template

* Added missing tomcat tags

cves/2017/CVE-2017-12615.yaml

@@ -4,7 +4,7 @@ info:
   name: Apache Tomcat RCE
   author: pikpikcu
   severity: high
-  tags: cve,cve2017,apache,rce
+  tags: cve,cve2017,apache,rce,tomcat
   reference: https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
   description: |
     By design, you are not allowed to upload JSP files via the PUT method on the Apache Tomcat servers.
@@ -49,7 +49,7 @@ requests:
       - type: regex
         regex:
           - "root:.*:0:0"
-        part: body
+
       - type: status
         status:
           - 200

cves/2018/CVE-2018-11759.yaml

@@ -4,14 +4,14 @@ info:
   name: Apache Tomcat JK Status Manager Access
   author: harshbothra_
   severity: high
+  description: The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.
   reference: https://github.com/immunIT/CVE-2018-11759
-  tags: cve,cve2018,apache
+  tags: cve,cve2018,apache,tomcat
   classification:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
     cvss-score: 7.50
     cve-id: CVE-2018-11759
     cwe-id: CWE-22
-  description: "The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical."
 
 requests:
   - method: GET
@@ -24,6 +24,7 @@ requests:
       - type: status
         status:
           - 200
+
       - type: word
         words:
           - "JK Status Manager"

cves/2019/CVE-2019-0221.yaml

@@ -13,7 +13,7 @@ info:
     7.0.0 to 7.0.93 echoes user provided data without escaping and is,
     therefore, vulnerable to XSS. SSI is disabled by default.
     The printenv command is intended for debugging and is unlikely to be present in a production website.
-  tags: cve,cve2019,apache,xss
+  tags: cve,cve2019,apache,xss,tomcat
   classification:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     cvss-score: 6.10
@@ -34,9 +34,9 @@ requests:
           - "<script>alert('xss')</script>"
 
       - type: word
+        part: header
         words:
           - "text/html"
-        part: header
 
       - type: status
         status:

cves/2020/CVE-2020-9484.yaml

@@ -11,14 +11,13 @@ info:
     c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
     d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.
     Note that all of conditions a) to d) must be true for the attack to succeed.
-  tags: cve,cve2020,apache
-  reference:
-    - http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html
+  reference: http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html
   classification:
     cvss-metrics: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 7.00
     cve-id: CVE-2020-9484
     cwe-id: CWE-502
+  tags: cve,cve2020,apache,tomcat
 
 requests:
   - method: GET
@@ -26,15 +25,17 @@ requests:
       Cookie: "JSESSIONID=../../../../../usr/local/tomcat/groovy"
     path:
       - "{{BaseURL}}/index.jsp"
+
     matchers-condition: and
     matchers:
       - type: status
         status:
           - 500
+
       - type: word
+        part: body
         words:
           - "Exception"
           - "ObjectInputStream"
           - "PersistentManagerBase"
         condition: and
-        part: body

exposed-panels/public-tomcat-manager.yaml

@@ -4,7 +4,7 @@ info:
   name: tomcat manager disclosure
   author: Ahmed Sherif,geeknik
   severity: info
-  tags: panel
+  tags: panel,tomcat
 
 requests:
   - method: GET
@@ -16,7 +16,8 @@ requests:
     matchers:
       - type: word
         words:
-          - Apache Tomcat
+          - "Apache Tomcat"
+
       - type: status
         status:
           - 401

exposed-panels/tomcat-pathnormalization.yaml

@@ -5,7 +5,7 @@ info:
   author: organiccrap
   severity: info
   reference: https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
-  tags: panel
+  tags: panel,tomcat
 
 requests:
   - method: GET
@@ -22,7 +22,7 @@ requests:
         condition: and
 
       - type: status
+        negative: true
         status:
           - 403
-          - 401
-        negative: true
+          - 401

misconfiguration/apache/apache-tomcat-snoop.yaml

@@ -6,7 +6,7 @@ info:
   severity: low
   description: The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting (XSS) injection.
   reference: https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks
-  tags: apache,misconfig
+  tags: apache,misconfig,tomcat
 
 requests:
   - method: GET

misconfiguration/tomcat-scripts.yaml

@@ -4,7 +4,7 @@ info:
   name: Detect Tomcat Exposed Scripts
   author: Co0nan
   severity: info
-  tags: apache
+  tags: apache,tomcat
 
 requests:
   - method: GET
@@ -15,6 +15,7 @@ requests:
       - "{{BaseURL}}/..;/examples/servlets/index.html"
       - "{{BaseURL}}/..;/examples/jsp/index.html"
       - "{{BaseURL}}/..;/examples/websocket/index.xhtml"
+
     matchers:
       - type: word
         words:
@@ -22,3 +23,4 @@ requests:
           - "JSP Samples"
           - "Servlets Examples"
           - "WebSocket Examples"
+        condition: or

technologies/apache/default-tomcat-page.yaml

@@ -1,18 +0,0 @@
-id: default-tomcat-page
-
-info:
-  name: Tomcat Default Page
-  author: dhiyaneshDk
-  severity: info
-  tags: tech,tomcat
-  reference: https://www.shodan.io/search?query=http.title%3A%22Apache+Tomcat%22
-
-requests:
-  - method: GET
-    path:
-      - '{{BaseURL}}'
-    matchers:
-      - type: word
-        words:
-          - "<title>Apache Tomcat"
-        part: body

technologies/apache/tomcat-detect.yaml

@@ -1,31 +1,36 @@
 id: tomcat-detect
 
 info:
-  name: Tomcat Version Detect
-  author: philippedelteil
+  name: Tomcat Detection
+  author: philippedelteil,dhiyaneshDk
   description: If an Tomcat instance is deployed on the target URL, when we send a request for a non existent resource we receive a Tomcat error page with version.
   severity: info
   tags: tech,tomcat,apache
+  metadata:
+    shodan-query: title:"Apache Tomcat"
 
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/something_not_existing_"
-    matchers-condition: and
+      - "{{BaseURL}}"
+      - "{{BaseURL}}/{{randstr}}"
+
+    stop-at-first-match: true
+    matchers-condition: or
     matchers:
+      - type: dsl
+        dsl:
+          - 'contains(tolower(all_headers), "tomcat")'
 
-      - type: word
-        words:
-          - "Apache Tomcat"
-
-      - type: status
-        status:
-          - 404
+      - type: dsl
+        dsl:
+          - 'contains(tolower(body), "apache tomcat")'
+          - 'contains(tolower(body), "/manager/html")'
+          - 'contains(tolower(body), "/manager/status")'
+        condition: or
 
     extractors:
       - type: regex
-        part: body
-        name: version
-        group: 2
+        group: 1
         regex:
-          - '(<h3>)(.*?)(</h3>)'
+          - '(?i)Apache Tomcat.*([0-9]\.[0-9]+\.[0-9]+)'

technologies/fingerprinthub-web-fingerprints.yaml

@@ -841,38 +841,6 @@ requests:
         words:
           - content="Struts2 Showcase for Apache Struts Project"
 
-      - type: word
-        name: apache-tomcat
-        words:
-          - <h3>Apache Tomcat/
-
-      - type: word
-        name: apache-tomcat
-        words:
-          - <title>Apache Tomcat/
-
-      - type: word
-        condition: and
-        name: apache-tomcat
-        words:
-          - /manager/html
-          - /manager/status
-
-      - type: word
-        name: apache-tomcat
-        words:
-          - href="tomcat.css
-
-      - type: word
-        name: apache-tomcat
-        words:
-          - this is the default tomcat home page
-
-      - type: word
-        name: apache-tomcat
-        words:
-          - <h3>apache tomcat
-
       - type: word
         name: apache-unomi
         words:

technologies/tech-detect.yaml

@@ -2951,12 +2951,6 @@ requests:
           - "Microsoft-HTTPAPI"
         part: header
 
-      - type: word
-        name: tomcat
-        words:
-          - "Tomcat"
-        part: header
-
       - type: word
         name: darkhttpd
         words: