id: jenkins-detect

info:
  name: Jenkins Detection
  author: philippdelteil,daffainfo,c-sh0,AdamCrosser
  severity: info
  reference:
    - https://www.jenkins.io/doc/book/using/remote-access-api/#RemoteaccessAPI-DetectingJenkinsversion
    - https://github.com/jenkinsci/jenkins/pull/470
    - https://www.jenkins.io/doc/book/security/access-control/permissions/#access-granted-without-overallread
  classification:
    cpe: cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: jenkins
    product: jenkins
    shodan-query:
      - http.favicon.hash:81586312
      - cpe:"cpe:2.3:a:jenkins:jenkins"
      - product:"jenkins"
    category: devops
    fofa-query: icon_hash=81586312
  tags: tech,jenkins,detect

http:
  - method: GET
    path:
      - "{{BaseURL}}"
      - "{{BaseURL}}/whoAmI/"

    host-redirects: true
    max-redirects: 2
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "x-jenkins:"
        case-insensitive: true

      - type: word
        words:
          - "Jenkins"

    extractors:
      - type: kval
        name: version
        kval:
          - x_jenkins

      - type: kval
        kval:
          - version
# digest: 4a0a00473045022100ed0cc896357b09f72c00214357f0210d05fc0aab026ccbdfdd3c90d9e7261a14022043f908229917187bcf7a74ca31e035771ed6e5c82e01fe56f0eb44371984e378:922c64590222798bb761d5b6d8e72950