id: server-private-keys

info:
  name: SSL/SSH/TLS/JWT Keys - Detect
  author: geeknik,R12W4N,j4vaovo
  severity: high
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-200
  description: Private SSL, SSH, TLS, and JWT keys were detected.
  tags: config,exposure
  metadata:
    max-request: 45

http:
  - method: GET
    path:
      - "{{BaseURL}}/localhost.key"
      - "{{BaseURL}}/host.key"
      - "{{BaseURL}}/www.key"
      - "{{BaseURL}}/private-key"
      - "{{BaseURL}}/privatekey.key"
      - "{{BaseURL}}/server.key"
      - "{{BaseURL}}/my.key"
      - "{{BaseURL}}/key.pem"
      - "{{BaseURL}}/ssl/localhost.key"
      - "{{BaseURL}}/ssl/{{Hostname}}.key"
      - "{{BaseURL}}/id_rsa"
      - "{{BaseURL}}/id_dsa"
      - "{{BaseURL}}/id_rsa_1024"
      - "{{BaseURL}}/id_rsa_2048"
      - "{{BaseURL}}/id_rsa_3072"
      - "{{BaseURL}}/id_rsa_4096"
      - "{{BaseURL}}/.ssh/id_rsa"
      - "{{BaseURL}}/.ssh/id_dsa"
      - "{{BaseURL}}/.ssh/id_rsa_1024"
      - "{{BaseURL}}/.ssh/id_rsa_2048"
      - "{{BaseURL}}/.ssh/id_rsa_3072"
      - "{{BaseURL}}/.ssh/id_rsa_4096"
      - "{{BaseURL}}/{{Hostname}}.key"
      - "{{BaseURL}}/{{Hostname}}.pem"
      - "{{BaseURL}}/config/jwt/private.pem"
      - "{{BaseURL}}/jwt/private.pem"
      - "{{BaseURL}}/var/jwt/private.pem"
      - "{{BaseURL}}/private.pem"
      - "{{BaseURL}}/ssl.txt"
      - "{{BaseURL}}/ssl_key.txt"
      - "{{BaseURL}}/certificates/{{Host}}.pfx"
      - "{{BaseURL}}/certificates/{{Host}}.p12"
      - "{{BaseURL}}/ssl/{{Host}}.pem"
      - "{{BaseURL}}/ssl/{{Host}}_key.txt"
      - "{{BaseURL}}/cert/{{Host}}_key.txt"
      - "{{BaseURL}}/cert/{{RDN}}_key.txt"
      - "{{BaseURL}}/cert/{{Host}}.txt"
      - "{{BaseURL}}/ssl/private/{{Host}}_key.pem"
      - "{{BaseURL}}/certs/{{Host}}_private.key"
      - "{{BaseURL}}/certs/{{Host}}.key"
      - "{{BaseURL}}/certificates/{{Host}}_priv.pem"
      - "{{BaseURL}}/certificates/{{Host}}_privkey.pem"
      - "{{BaseURL}}/certs/{{Host}}.pem"
      - "{{BaseURL}}/private/{{Host}}.key"
      - "{{BaseURL}}/keys/{{Host}}.pem"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "BEGIN OPENSSH PRIVATE KEY"
          - "BEGIN PRIVATE KEY"
          - "BEGIN RSA PRIVATE KEY"
          - "BEGIN DSA PRIVATE KEY"
          - "BEGIN EC PRIVATE KEY"
          - "BEGIN PGP PRIVATE KEY BLOCK"
          - "BEGIN ENCRYPTED PRIVATE KEY"
        condition: or

      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - '!contains(body_2, "<html")'
          - '!contains(body_2, "<HTML")'
        condition: and