└── passive
    ├── HUNT.py
    ├── exPscan.py
    └── exPscan
        ├── README
        ├── fuzzdb-errors.txt
        ├── nonreg-strings.txt
        ├── nonreg-strings.txt.NOMATCH
        ├── sqlmap-errors.xml
        ├── zaproxy-pscanrules-application_errors.xml
        └── zaproxy-pscanrulesAlpha-SourceCodeDisclosureScanner.java


/passive/HUNT.py:
--------------------------------------------------------------------------------
  1 | import re
  2 | from org.zaproxy.zap.extension.script import ScriptVars
  3 | 
  4 | '''find possible vulnerable entry points using Hunt Methodology - https://github.com/bugcrowd/HUNT'''
  5 | 
  6 | 
  7 | def appliesToHistoryType(histType):
  8 |     """
  9 |     Limit scanned history types, which otherwise default to
 10 |     types in `PluginPassiveScanner.getDefaultHistoryTypes()`
 11 |     """
 12 |     from org.parosproxy.paros.model import HistoryReference as hr
 13 | 
 14 |     return histType in [hr.TYPE_PROXIED, hr.TYPE_SPIDER]
 15 | 
 16 | 
 17 | def find_words_in_params(param_list, word_list):
 18 |     result = []
 19 |     for word in word_list:
 20 |         for param in param_list:
 21 |             if word in param:
 22 |                 result.append(word)
 23 |     return result
 24 | 
 25 | 
 26 | def hunt_alert(ps, msg, uri, result, title, desc):
 27 |     if not result:
 28 |         return
 29 | 
 30 |     result_repr = ','.join(result)
 31 |     title += " (HUNT script)"
 32 |     desc = desc.strip().format(result=result_repr)
 33 | 
 34 |     info = msg.getRequestHeader().toString()
 35 |     info += "\n" + msg.getRequestBody().toString()
 36 | 
 37 |     # Docs on alert raising function:
 38 |     #  raiseAlert(int risk, int confidence, str name, str description, str uri,
 39 |     #             str param, str attack, str otherInfo, str solution,
 40 |     #             str evidence, int cweId, int wascId, HttpMessage msg)
 41 |     #  risk: 0: info, 1: low, 2: medium, 3: high
 42 |     #  confidence: 0: falsePositive, 1: low, 2: medium, 3: high, 4: confirmed
 43 |     ps.raiseAlert(0, 1, title, desc, uri, result_repr,
 44 |             None, info, None, None, 0, 0, msg)
 45 | 
 46 | 
 47 | def scan(ps, msg, src):
 48 |     words_dlp = ['access','admin','dbg','debug','edit','grant','test','alter','clone','create','delete','disable','enable','exec','execute','load','make','modify','rename','reset','shell','toggle','adm','root','cfg','config']
 49 |     words_pfi = ['file','document','folder','root','path','pg','style','pdf','template','php_path','doc']
 50 |     words_pidor = ['id','user','account','number','order','no','doc','key','email','group','profile','edit','report']
 51 |     words_prce = ['daemon','host' ,'upload','dir','execute','download','log','ip','cli','cmd']
 52 |     words_psql = ['id','select','report','role','update','query','user','name','sort','where','search','params','process','row','view','table','from','sel','results','sleep','fetch','order','keyword','column','field','delete','string','number','filter']
 53 |     words_pssrf = ['dest','redirect','uri','path','continue','url','window','next','data','reference','site','html','val','validate','domain','callback','return','page','feed','host','port','to','out','view','dir','show','navigation','open']
 54 |     words_pssti = ['template','preview','id','view','activity','name','content','redirect']
 55 | 
 56 |     uri = msg.getRequestHeader().getURI().toString()
 57 |     params = [p.lower() for p in msg.getParamNames()]
 58 | 
 59 |     base_uri = re.search('^https?://[^/]+/[^?#=]*', uri)
 60 | 
 61 |     if not params or not base_uri:
 62 |         return
 63 | 
 64 |     base_uri = base_uri.group()
 65 |     urlParam_repr = base_uri + str(params)
 66 |     globalvar = max(ScriptVars.getGlobalVar("hunt"), "")
 67 | 
 68 |     if urlParam_repr in globalvar:
 69 |         return
 70 | 
 71 |     ScriptVars.setGlobalVar("hunt", globalvar + ' , ' + urlParam_repr)
 72 | 
 73 |     # Searching Debug and Logic
 74 |     result = find_words_in_params(params, words_dlp)
 75 |     hunt_alert(ps, msg, uri, result,
 76 |     "Possible Debug & Logic Parameters", """
 77 | HUNT located the {result} parameter inside of your application traffic. \
 78 | The {result} parameter is most often associated to debug, access, or \
 79 | critical functionality in applications.
 80 | 
 81 | HUNT recommends further manual analysis of the parameter in question.
 82 | """)
 83 | 
 84 |     # Searching File Inclusion
 85 |     result = find_words_in_params(params, words_pfi)
 86 |     hunt_alert(ps, msg, uri, result,
 87 |     "Possible File Inclusion or Path Traversal", """
 88 | HUNT located the {result} parameter inside of your application traffic. \
 89 | The {result} parameter is most often susceptible to \
 90 | File Inclusion or Path Traversal.
 91 | 
 92 | HUNT recommends further manual analysis of the parameter in question.
 93 | 
 94 | Also note that several parameters from this section and SSRF might overlap or \
 95 | need testing for both vulnerability categories.
 96 | 
 97 | For File Inclusion or Path Traversal HUNT recommends the following resources \
 98 | to aid in manual testing:
 99 | 
100 | - The Web Application Hackers Handbook: \
101 | Chapter 10
102 | - LFI Cheat Sheet: https://highon.coffee/blog/lfi-cheat-sheet/
103 | - Gracefuls Path Traversal Cheat Sheet: Windows: \
104 | https://www.gracefulsecurity.com/path-traversal-cheat-sheet-windows/
105 | - Gracefuls Path Traversal Cheat Sheet: Linux: \
106 | https://www.gracefulsecurity.com/path-traversal-cheat-sheet-linux/
107 | """)
108 | 
109 |     # Searching IDORs
110 |     result = find_words_in_params(params, words_pidor)
111 |     hunt_alert(ps, msg, uri, result,
112 |     "Possible IDOR", """
113 | HUNT located the {result} parameter inside of your application traffic. \
114 | The {result} parameter is most often susceptible to \
115 | Insecure Direct Object Reference Vulnerabilities.
116 | 
117 | Direct object reference vulnerabilities occur when there are insufficient \
118 | authorization checks performed against object identifiers used in requests. \
119 | This could occur when database keys, filenames, or other identifiers are used \
120 | to directly access resources within an application.
121 | These identifiers would likely be predictable (an incrementing counter, \
122 | the name of a file, etc), making it easy for an attacker to detect this \
123 | vulnerability class. If further authorization checks are not performed, this \
124 | could lead to unauthorized access to the underlying data.
125 | 
126 | HUNT recommends further manual analysis of the parameter in question.
127 | 
128 | For Insecure Direct Object Reference Vulnerabilities HUNT recommends the \
129 | following resources to aid in manual testing:
130 | 
131 | - The Web Application Hackers Handbook: \
132 | Chapter 8
133 | - Testing for Insecure Direct Object References (OTG-AUTHZ-004): \
134 | https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)
135 | - Using Burp to Test for Insecure Direct Object References: \
136 | https://support.portswigger.net/customer/portal/articles/1965691-using-burp-to-test-for-insecure-direct-object-references
137 | - IDOR Examples from ngalongc/bug-bounty-reference: \
138 | https://github.com/ngalongc/bug-bounty-reference#insecure-direct-object-reference-idor
139 | """)
140 | 
141 |     # Searching RCEs
142 |     result = find_words_in_params(params, words_prce)
143 |     hunt_alert(ps, msg, uri, result,
144 |     "Possible RCE", """
145 | HUNT located the {result} parameter inside of your application traffic. \
146 | The {result} parameter is most often susceptible to OS Command Injection.
147 | 
148 | HUNT recommends further manual analysis of the parameter in question.
149 | 
150 | For OS Command Injection HUNT recommends the following resources to aid \
151 | in manual testing:
152 | 
153 | - (OWASP) Testing for OS Command Injection: \
154 | https://www.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)
155 | - Joberts How To Command Injection: \
156 | https://www.hackerone.com/blog/how-to-command-injections
157 | - Commix Command Injection Tool: \
158 | https://github.com/commixproject/commix
159 | -The FuzzDB OS CMD Exec section: \
160 | https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/os-cmd-execution
161 | - Ferruh Mavitunas CMDi Cheat Sheet: \
162 | https://ferruh.mavituna.com/unix-command-injection-cheat-sheet-oku/
163 | - The Web Application Hackers Handbook: Chapter 10
164 | """)
165 | 
166 |     # Searching SQLi
167 |     result = find_words_in_params(params, words_psql)
168 |     hunt_alert(ps, msg, uri, result,
169 |     "Possible SQLi", """
170 | HUNT located the {result} parameter inside of your application traffic. \
171 | The {result} parameter is most often susceptible to SQL Injection.
172 | 
173 | HUNT recommends further manual analysis of the parameter in question.
174 | 
175 | For SQL Injection HUNT references The Bug Hunters Methodology \
176 | SQL Injection references table:
177 | 
178 | - PentestMonkeys MySQL Injection Cheat Sheet: \
179 | http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
180 | - Reiners MySQL Injection Filter Evasion: \
181 | https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/
182 | - EvilSQLs Error/Union/Blind MSSQL Cheat Sheet: \
183 | http://evilsql.com/main/page2.php
184 | - PentestMonkeys MSSQL SQL Injection Cheat Sheet: \
185 | http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
186 | - PentestMonkeys Oracle SQL Cheat Sheet: \
187 | http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet
188 | - PentestMonkeys PostgreSQL Cheat Sheet: \
189 | http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet
190 | - Access SQL Injection Cheat Sheet: \
191 | http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
192 | - PentestMonkeys Ingres SQL Injection Cheat Sheet: \
193 | http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet
194 | - PentestMonkeys DB2 SQL Injection Cheat Sheet: \
195 | http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet
196 | - PentestMonkeys Informix SQL Injection Cheat Sheet: \
197 | http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet
198 | - SQLite3 Injection Cheat Sheet: \
199 | https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet
200 | - Ruby on Rails (ActiveRecord) SQL Injection Guide: \
201 | https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet
202 | """)
203 | 
204 |     # Searching SSRF
205 |     result = find_words_in_params(params, words_pssrf)
206 |     hunt_alert(ps, msg, uri, result,
207 |     "Possible SSRF", """
208 | HUNT located the {result} parameter inside of your application traffic. \
209 | The {result} parameter is most often susceptible to \
210 | Server Side Request Forgery (and sometimes URL redirects).
211 | 
212 | HUNT recommends further manual analysis of the parameter in question.
213 | 
214 | For Server Side Request Forgery HUNT recommends the following resources to \
215 | aid in manual testing:
216 | 
217 | - Server-side browsing considered harmful - Nicolas Gregoire: \
218 | http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf
219 | - How To: Server-Side Request Forgery (SSRF) - Jobert Abma: \
220 | https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
221 | - SSRF Examples from ngalongc/bug-bounty-reference: \
222 | https://github.com/ngalongc/bug-bounty-reference#server-side-request-forgery-ssrf
223 | - Safebuff SSRF Tips: \
224 | http://blog.safebuff.com/2016/07/03/SSRF-Tips/
225 | - The SSRF Bible: \
226 | https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit
227 | """)
228 | 
229 |     # Searching SSTI
230 |     result = find_words_in_params(params, words_pssti)
231 |     hunt_alert(ps, msg, uri, result,
232 |     "Possible SSTI", """
233 | HUNT located the {result} parameter inside of your application traffic. \
234 | The {result} parameter is most often susceptible to \
235 | Server Side Template Injection.
236 | 
237 | HUNT recommends further manual analysis of the parameter in question.
238 | """)
239 | 


--------------------------------------------------------------------------------
/passive/exPscan.py:
--------------------------------------------------------------------------------
   1 | #!/usr/bin/python2
   2 | 
   3 | import re
   4 | import functools
   5 | import traceback
   6 | import pickle
   7 | import uuid
   8 | import pprint
   9 | 
  10 | from org.zaproxy.zap.extension.script import ScriptVars
  11 | 
  12 | 
  13 | # configuration
  14 | DEV_MODE = True
  15 | NAME = "exPscan"
  16 | MAX_BODY_SIZE = 300000
  17 | 
  18 | DATA_TYPES = {
  19 |         "js": ["javascript", "ecmascript"],
  20 |         "css": ["text/css"],
  21 |         "default": None,
  22 |         }
  23 | 
  24 | # don't touch these globales
  25 | _GLOB = {
  26 |         "REGEX": dict.fromkeys(DATA_TYPES, ""),
  27 |         "IREGEX": dict.fromkeys(DATA_TYPES, ""),
  28 |         "REG_BY_IDS": {},
  29 |         "ERRORS": "",
  30 |         }
  31 | _NONREG_STRINGS = """
  32 | ## vi: ft=conf
  33 | ## NOTE:
  34 | ##  this file is a aggregate of strings that `should probably` be recognized.
  35 | ##  It is useful for non-regression tests
  36 | ##  * Lines starting with '#' are ignored
  37 | ##
  38 | ## vim tips:
  39 | ##  remove duplicates:
  40 | ##      :'<,'>!sort -u
  41 | ##  sort by line length:
  42 | ##      :'<,'>!awk '{ print length, $0 }' | sort -n -s | cut -d" " -f2-
  43 | DB2 ODBC
  44 | Index of
  45 | JDBC SQL
  46 | ODBC DB2
  47 | ODBC SQL
  48 | #DB2 Error #(always contains SQLSTATE, or SQL0204N like strings)
  49 | PHP Error
  50 |  server at 
  51 | #CLI Driver # (always contains SQL0420N like str)
  52 | #DB2 Driver
  53 | JDBC Error
  54 | JDBC MySQL
  55 | MySQL ODBC
  56 | ODBC Error
  57 | #Oracle DB2 # useless
  58 | Fatal error
  59 | JDBC Driver
  60 | JDBC Oracle
  61 | mysql error
  62 | MySQL Error
  63 | ODBC Driver
  64 | ODBC Oracle
  65 | Oracle ODBC
  66 | PHP Warning
  67 | data source=
  68 | Error Report
  69 | include_path
  70 | Invalid SQL:
  71 | MySQL Driver
  72 | Oracle Error
  73 | SQLException
  74 | invalid query
  75 | Oracle Driver
  76 | Type mismatch
  77 | Unknown table
  78 | database error
  79 | internal error
  80 | ODBC SQL Server
  81 | PHP Parse error
  82 | Parent Directory
  83 | unexpected error
  84 | ADODB.Field error
  85 | #ASP.NET_SessionId # irrelevant
  86 | mix of collations
  87 | SQL Server Driver
  88 | missing expression
  89 | server object error
  90 | #Warning: pg_connect # already detected to "on line [0-9]" regex in real life
  91 | Can't find record in
  92 | #Custom Error Message #???
  93 | #Warning: mysql_query # already detected ty "on line [0-9]" regex in real life
  94 | Incorrect column name
  95 | Incorrect syntax near
  96 | Internal Server Error
  97 | ODBC Microsoft Access
  98 | on MySQL result index
  99 | The error occurred in
 100 | Unable to jump to row
 101 | Can't connect to local
 102 | Disallowed Parent Path
 103 | Invalid parameter type
 104 | Invalid Path Character
 105 | mySQL error with query
 106 | ODBC SQL Server Driver
 107 | #Warning: mysql_query()
 108 | The script whose uid is
 109 | is not allowed to access
 110 | #Microsoft VBScript error # already caught in real life by microsoft regex '800a0400'
 111 | Microsoft VBScript error '800a0400'
 112 | Active Server Pages error
 113 | detected an internal error
 114 | A syntax error has occurred
 115 | Error Diagnostic Information
 116 | ODBC Microsoft Access Driver
 117 | Unterminated string constant
 118 | ): encountered SQLException [
 119 | SQL Server Driver][SQL Server
 120 | unexpected end of SQL command
 121 | Permission denied: 'GetObject'
 122 | SQL command not properly ended
 123 | [ODBC Informix driver][Informix]
 124 | OLE/DB provider returned message
 125 | Syntax error in query expression
 126 | Invalid procedure call or argument
 127 | Invision Power Board Database Error
 128 | #Microsoft VBScript compilation error # already caught in real life by microsoft regex '800a0400'
 129 | You have an error in your SQL syntax
 130 | ERROR: parser: parse error at or near
 131 | Incorrect column specifier for column
 132 | Error Occurred While Processing Request
 133 | Microsoft OLE DB Provider for SQL Server
 134 | Unexpected end of command in statement [
 135 | You have an error in your SQL syntax near
 136 | internal error [IBM][CLI Driver][DB2/6000]
 137 | Microsoft OLE DB Provider for ODBC Drivers
 138 | [Microsoft][ODBC Microsoft Access 97 Driver]
 139 | Column count doesn't match value count at row
 140 | Error converting data type varchar to numeric
 141 | supplied argument is not a valid MySQL result
 142 | An unexpected token "END-OF-STATEMENT" was found
 143 | Error Message : Error loading required libraries.
 144 | java.lang.NumberFormatException: For input string:
 145 | Supplied argument is not a valid PostgreSQL result
 146 | PostgreSQL query failed: ERROR: parser: parse error
 147 | Unclosed quotation mark before the character string
 148 | An illegal character has been found in the statement
 149 | ASP.NET is configured to show verbose error messages
 150 | detected an internal error [IBM][CLI Driver][DB2/6000]
 151 | supplied argument is not a valid MySQL result resource
 152 | [SQL Server Driver][SQL Server]Line 1: Incorrect syntax near
 153 | Warning: Cannot modify header information - headers already sent
 154 | Warning: Supplied argument is not a valid File-Handle resource in
 155 | Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL
 156 | Incorrect syntax near
 157 | query failed
 158 | #not an object # too much false positives
 159 | error occurred
 160 | ERROR OCCURRED
 161 | Server Error
 162 | invalid file name
 163 | fatal error
 164 | parse error
 165 | ERROR 1049 (42000): Unknown database
 166 | No database selected
 167 | #exception report # not relevant on google hack search
 168 | Servlet error : java.lang.IndexOutOfBoundsException
 169 | """
 170 | 
 171 | 
 172 | def exception_handler(function):
 173 |     """
 174 |     A decorator that wraps the passed in function and outputs
 175 |     exception instead if raising it, if DEV_MODE is True
 176 | 
 177 |     This is useful to not have to re-enable the script from ZAP
 178 |     each time we trigger an exception during development.
 179 |     """
 180 |     @functools.wraps(function)
 181 |     def wrapper(*args, **kwargs):
 182 |         if DEV_MODE:
 183 |             try:
 184 |                 return function(*args, **kwargs)
 185 |             except:
 186 |                 print("==== EXCEPTION CATCHED (DEV_MODE) ====")
 187 |                 print(traceback.format_exc())
 188 |         else:
 189 |             return function(*args, **kwargs)
 190 |     return wrapper
 191 | 
 192 | 
 193 | def hash_source_code():
 194 |     """
 195 |     Get a hash representing the source code of current script
 196 |     It remains the same as long as source code has not changed
 197 |     """
 198 |     import ctypes
 199 |     from org.parosproxy.paros.control import Control
 200 | 
 201 |     script_name = globals()["zap.script.name"]
 202 | 
 203 |     extLoader = Control.getSingleton().getExtensionLoader()
 204 |     extScript = extLoader.getExtension("ExtensionScript")
 205 |     script_source = extScript.getScript(script_name).getContents()
 206 | 
 207 |     h = ctypes.c_uint32(hash(script_source)).value % 0xffffff
 208 |     return hex(h)[2:].zfill(6)
 209 | 
 210 | 
 211 | def str_to_lines(string):
 212 |     """yield non-empty lines from a multi-line string
 213 |     """
 214 |     for line in string.splitlines():
 215 |         if not line.strip():
 216 |             continue
 217 |         # ignore indentation spaces
 218 |         while line[:4] == "    ":
 219 |             line = line[4:]
 220 |         yield line
 221 | 
 222 | 
 223 | def sanitize_regex(regex):
 224 |     # this will not work anyway with current implementation
 225 |     assert not regex.startswith("^")
 226 |     assert not regex.endswith("$")
 227 | 
 228 |     # make internal groups non-capturing to limit overhead
 229 |     assert not "\\\\(" in regex
 230 |     regex = regex.replace("\\(", "_-*placeholder1*-_")
 231 |     regex = regex.replace("(?:", "_-*placeholder2*-_")
 232 |     regex = regex.replace("(", "(?:")
 233 |     regex = regex.replace("_-*placeholder1*-_", "\\(")
 234 |     regex = regex.replace("_-*placeholder2*-_", "(?:")
 235 | 
 236 |     # limit wildcards (.* & .+ can considerably slow down processing time)
 237 |     regex = regex.replace(".+", ".{1,40}")
 238 |     regex = regex.replace(".*", ".{,40}")
 239 | 
 240 |     return regex
 241 | 
 242 | 
 243 | def test_fail(obj, regex, line):
 244 |     global _GLOB
 245 |     word = "IGNORED" if obj else "FOUND"
 246 |     out  = "-"*50 + "\n"
 247 |     out += "[-] Test Failed: line should be %s by regex\n" % word
 248 | 
 249 |     if regex:
 250 |         out += "    REGEX: %s\n" % regex
 251 |     if line:
 252 |         out += "    LINE:  %s\n" % line
 253 |     if obj:
 254 |         out += "    MATCH: %r\n\n" % obj
 255 |     _GLOB["ERRORS"] += out
 256 | 
 257 | 
 258 | def process_regex(raw_regex, issue,
 259 |         test_finds="", test_ignores="", flags=0):
 260 |     global _GLOB
 261 | 
 262 |     issue_id = issue.replace(" ", "_kw_") + str(uuid.uuid4())[:8]
 263 | 
 264 |     assert issue_id not in _GLOB["REG_BY_IDS"]
 265 |     _GLOB["REG_BY_IDS"][issue_id] = raw_regex
 266 | 
 267 |     regex = "(?P<%s>%s)" % (issue_id, sanitize_regex(raw_regex))
 268 | 
 269 |     # execute unit tests
 270 |     test = re.compile(regex, flags)
 271 |     for line in str_to_lines(test_finds):
 272 |         res = test.findall("\n"+line+"\n")
 273 |         if not res:
 274 |             test_fail(res, regex, line)
 275 |     for line in str_to_lines(test_ignores):
 276 |         res = test.findall("\n"+line+"\n")
 277 |         if res:
 278 |             test_fail(res, regex, line)
 279 | 
 280 |     return regex
 281 | 
 282 | 
 283 | def add_strings(issue_name, strings):
 284 |     global _GLOB
 285 |     for line in str_to_lines(strings):
 286 |         regex = process_regex(r"\b%s\b" % line, issue_name)
 287 |         for t in DATA_TYPES:
 288 |             if _GLOB["REGEX"][t]:
 289 |                 _GLOB["REGEX"][t] += "|"
 290 |             _GLOB["REGEX"][t] += regex
 291 | 
 292 | 
 293 | def add_regex(issue_name, regex,
 294 |         test_finds, test_ignores="", ignored_types=""):
 295 |     global _GLOB
 296 |     regex = process_regex(regex, issue_name,
 297 |             test_finds, test_ignores)
 298 | 
 299 |     ignored_types = ignored_types.split()
 300 |     for t in DATA_TYPES:
 301 |         if t in ignored_types:
 302 |             continue
 303 |         if _GLOB["REGEX"][t]:
 304 |             _GLOB["REGEX"][t] += "|"
 305 |         _GLOB["REGEX"][t] += regex
 306 | 
 307 | 
 308 | def add_iregex(issue_name, regex,
 309 |         test_finds, test_ignores="", ignored_types=""):
 310 |     global _GLOB
 311 |     regex = process_regex(regex, issue_name,
 312 |             test_finds, test_ignores, re.I)
 313 | 
 314 |     ignored_types = ignored_types.split()
 315 |     for t in DATA_TYPES:
 316 |         if t in ignored_types:
 317 |             continue
 318 |         if _GLOB["IREGEX"][t]:
 319 |             _GLOB["IREGEX"][t] += "|"
 320 |         _GLOB["IREGEX"][t] += regex
 321 | 
 322 | 
 323 | def build_matcher():
 324 | 
 325 |     ############################################################
 326 |     name = "PHP Source code disclosure"
 327 | 
 328 |     add_regex(name, r"<\?(php\s|\=)",
 329 |         test_finds = """
 330 |         data="<?php
 331 |         <?=$data;?>
 332 |         """,
 333 |         test_ignores = """
 334 |         <?PhP
 335 |         <?PhPa
 336 |         <?PhP0
 337 |         <?
 338 |         < ? php
 339 |         < ? =
 340 |         """)
 341 | 
 342 |     add_strings(name, " => Array")
 343 | 
 344 |     add_regex(name, r"\$[a-zA-Z_][a-zA-Z0-9_]+\[",
 345 |         test_finds = """
 346 |         &nbsp;mysqli_connect($config['host'],&nbsp;
 347 |         $_POST[0]
 348 |         $_GET["x"]
 349 |         $ee[
 350 |         """,
 351 |         test_ignores = """
 352 |         $#[
 353 |         $1[
 354 |         $$_GET  ["x"]
 355 |         $_GET  ["x"]
 356 |         a$a[
 357 |         $e[
 358 |         """,
 359 |         ignored_types = "js")
 360 | 
 361 | 
 362 |     ############################################################
 363 |     name = "JAVA Source code disclosure"
 364 | 
 365 |     add_regex(name, r'\bimport javax?\.[a-zA-Z0-9.]+;',
 366 |         test_finds = """
 367 |         import java.io.File;
 368 |         import java.net.MalformedURLException;
 369 |         import javax.servlet.http.HttpServlet;
 370 |         """,
 371 |         test_ignores = """
 372 |         Ximport javax.servlet.http.HttpServlet;
 373 |         """)
 374 | 
 375 |     add_regex(name, r'\bclass( \w+){1,3}\s*\{',
 376 |         test_finds = """
 377 |         public class SimpleServlet extends HttpServlet {
 378 |         public class TestGate {
 379 |         public class TestGate{
 380 |         """,
 381 |         test_ignores = """
 382 |         public class {
 383 |         """)
 384 | 
 385 | 
 386 |     ############################################################
 387 |     name = "ASP Source code disclosure"
 388 | 
 389 |     add_strings(name, "On Error Resume Next")
 390 | 
 391 | 
 392 |     ############################################################
 393 |     name = "ASP NET Source code disclosure"
 394 | 
 395 |     add_regex(name, r'@Render[A-Z][a-z]+',
 396 |         test_finds = """
 397 |         @RenderPage
 398 |         @RenderBody
 399 |         @RenderSection
 400 |         """)
 401 | 
 402 | 
 403 |     ############################################################
 404 |     name = "C Source code disclosure"
 405 | 
 406 |     add_regex(name, r'#(include|define|ifn?def|endif)\b',
 407 |         test_finds = """
 408 |         #include x
 409 |         #define
 410 |         #ifdef
 411 |         #ifndef
 412 |         #endif
 413 |         """,
 414 |         test_ignores = """
 415 |         #includes
 416 |         """)
 417 | 
 418 | 
 419 |     ############################################################
 420 |     name = "Cold Fusion Source code disclosure"
 421 | 
 422 |     add_regex(name, r'<cf(argument|component|dump|else|elseif|execute|exit|function|if|loop|output|query|queryparam|return|script|set)\b',
 423 |         test_finds = """
 424 |         <cfargument
 425 |         <cfcomponent
 426 |         <cfdump
 427 |         <cfelse
 428 |         <cfelseif
 429 |         <cfexecute
 430 |         <cfexit
 431 |         <cffunction
 432 |         <cfif
 433 |         <cfloop
 434 |         <cfloop
 435 |         <cfoutput
 436 |         <cfquery
 437 |         <cfqueryparam
 438 |         <cfreturn
 439 |         <cfscript
 440 |         <cfset
 441 |         """,
 442 |         test_ignores = """
 443 |         <cfX
 444 |         <cfx
 445 |         <cf
 446 |         <CFIF
 447 |         <CfDump
 448 |         """)
 449 | 
 450 | 
 451 |     ############################################################
 452 |     name = "Source code disclosure"
 453 | 
 454 |     add_regex(name, r'[A-Za-z._]+(Exception|Error|Controller|Servlet|Object|Client|Connection|Driver)([^a-z]|$)',
 455 |         test_finds = """
 456 |         System.Exception
 457 |         SQLException
 458 |         SQLite/JDBCDriver
 459 |         AppDomain.CurrentDomain.UnhandledException
 460 |         java.lang.RuntimeException
 461 |         Type: RuntimeException
 462 |         aspController()
 463 |         MysqlController.CheckMysqlIsRunning()
 464 |         ErrorController.php5</b> on line <b>73</b><br />
 465 |         AuthPluginController.php on line <i>58</i>
 466 |         RuntimeError: Expected object of type
 467 |         (RuntimeError) Element does not exist in cache
 468 |         @WebServlet
 469 |         HTTPServlet
 470 |         Server.CreateObject 
 471 |         of type 'System.__ComObject
 472 |         The type or namespace name `Data.MySqlClient' could not be found.
 473 |          Class 'mysqlConnection' not found.
 474 |         Zend_Db_Statement_Db2_Exception
 475 |         Zend_Db_Adapter_Db2_Exception
 476 |         ArrayObject Object
 477 |         Servlet error : java.lang.IndexOutOfBoundsException
 478 |         """,
 479 |         test_ignores = """
 480 |         Exception
 481 |         XExceptions
 482 |         Errors
 483 |         Bad Error.
 484 |         Controllers
 485 |         #Controller
 486 |         """,
 487 |         ignored_types = "js css")
 488 | 
 489 |     add_regex(name, r' runat=',
 490 |         test_finds = """
 491 |         <umbraco:Macro runat="server" language="cshtml">
 492 |         <script runat="server">
 493 |         <asp:Foo runat="server">
 494 |         <head id="Head1" runat="server">
 495 |         """)
 496 | 
 497 |     add_regex(name, r"<%(@|=)?\s*[A-Za-z]{2,}",
 498 |         test_finds = """
 499 |         <%@ taglib prefix="jcr"
 500 |         <%@ include file="webftpclass.jsp"
 501 |         <%@ page errorPage
 502 |         <%@ Page Language="C#" %>
 503 |         <% int x = 5; %>
 504 |         <%@ Page Inherits="ParentPageClass" %>
 505 |         <% Sub SomeProcedure() %>
 506 |         <% End Sub %>
 507 |         <%Assembly
 508 |         <%OutputCache
 509 |         <%Implements
 510 |         """)
 511 | 
 512 |     add_regex(name, r'\b(static\s+void|void\s+static)\b',
 513 |         test_finds = """
 514 |         public void static main(
 515 |         public static void main(
 516 |         public  static  void  main(
 517 |         """)
 518 | 
 519 |     add_regex(name, r"<[aj]sp:[a-zA-Z]",
 520 |         test_finds = """
 521 |         <jsp:directive.taglib uri = "uri" prefix = "prefixOfTag" />
 522 |         <asp:TreeView id="SiteTreeView" DataSourceID=
 523 |         <asp:SiteMapDataSource id="MenuSource"
 524 |         """)
 525 | 
 526 |     add_iregex(name, r'\s@(for\s?each|switch|select|interface|implementation|protocol|private|synthesize|property)\s',
 527 |         test_finds = """
 528 |         @interface Foo : NSObject {
 529 |         @PRIVATE
 530 |         @foreach
 531 |         @For Each
 532 |         @property
 533 |         @synthesize
 534 |         """,
 535 |         test_ignores = """
 536 |         @For EachX
 537 |         @foreachX
 538 |         @ends
 539 |         admin@private.com
 540 |         admin@privates.com
 541 |         """)
 542 | 
 543 |     add_iregex(name, r'\b(connection|query)string\b',
 544 |         test_finds = """
 545 |         ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & m_strDatabase & ";Persist Security Info=False"
 546 |         Convert.ToInt32(Request.QueryString["pID"]);
 547 |         oledb.oledbConnection(connectionString)'
 548 |         oRequest.querystring 
 549 |         """,
 550 |         test_ignores = """
 551 |         Parse and stringify URL query strings
 552 |         A query string is the portion of ...
 553 |         connection string
 554 |         """,
 555 |         ignored_types = "js")
 556 | 
 557 |     add_iregex(name, r'\bdata\s*source\s*=',
 558 |         test_finds = """
 559 |         ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & m_strDatabase & ";Persist Security Info=False"
 560 |         Data Source={DataDirectory}\test.db;
 561 |         "Data Source=(local);Database=Northwind;User ID=springqa;Password=springqa;
 562 |         """)
 563 | 
 564 | 
 565 |     ############################################################
 566 |     name = "ASP Error message"
 567 | 
 568 |     add_regex(name, r"\bASP [01]\d{3}\b",
 569 |         test_finds = """
 570 |         ctive Server Pages error 'ASP 0131', Disallowed Parent
 571 |         Error Message: ASP 0131, Disallowed Parent 
 572 |         Active Server Pages error 'ASP 0131'
 573 |         Active Server Pages error 'ASP 0113' 
 574 |         'ASP 0115' Unexpected Error
 575 |         """,
 576 |         test_ignores = """
 577 |         ASP 2008
 578 |         ASP 2000
 579 |         """)
 580 | 
 581 |     add_strings(name, """
 582 |         Active Server Pages error
 583 |         Disallowed Parent Path
 584 |         """)
 585 | 
 586 | 
 587 |     ############################################################
 588 |     name = "PHP Error message"
 589 | 
 590 |     add_regex(name, r"<b>(Notice|Deprecated)</b>: ",
 591 |         test_finds = """
 592 |         <b>Notice</b>:  Undefined offset: 6
 593 |         <b>Deprecated</b>:  Non-static method
 594 |         """,
 595 |         test_ignores = """
 596 |         """)
 597 | 
 598 |     add_iregex(name, r"\b(warning|error)\b.*?: +(<.+?>)?[a-zA-Z_][a-zA-Z0-9_]+\(",
 599 |         test_finds = """
 600 |         <b>Warning</b>:  require_once(../body.asp)
 601 |         ;;Warning: require_once(../body.asp)
 602 |         /Warning: require_once(../body.asp)
 603 |         Warning: require_once(../body.asp)
 604 |         <b>Fatal error</b>:  require_once() 
 605 |         <b>Warning</b> (2)</a>: mysqli_connect() 
 606 |         &nbsp;Error: </td><td colspan='2'>mysql_connect(): Lost connection to MySQL server
 607 |         <b>Warning</b>:  mysqli_fetch_assoc()
 608 |         """,
 609 |         test_ignores = """
 610 |         error: x()
 611 |         fatal error:  require_once ()
 612 |         """,
 613 |         ignored_types = "js")
 614 | 
 615 |     add_regex(name, r'</b> on line <b>[0-9]+</b>',
 616 |         test_finds = """
 617 |         in <b>D:\wwwroot\test.asp</b> on line <b>2</b>
 618 |         ErrorController.php5</b> on line <b>73</b><br />
 619 |         errorhandler.php</b> on line <b>218</b><br>
 620 |         wp-config.php.old</b> on line <b>61</b><br />
 621 |         /dvds.cfm</b> on line <b>166</b><br>
 622 |         main_index.cgi</b> on line <b>75</b><br>
 623 |         WebCalendar.class</b> on line <b>18</b>
 624 |         """,
 625 |         test_ignores = """
 626 |         """)
 627 | 
 628 |     # [10-May-2014 04:58:13 UTC] PHP Warning: Module 'newrelic' already loaded in Unknown on line 0
 629 |     # Warning: Cannot modify header information - headers already sent
 630 |     # Warning: Supplied argument is not a valid File-Handle resource in
 631 |     add_strings(name, """
 632 |         PHP Warning
 633 |         Cannot modify header information
 634 |         Supplied argument is not a valid
 635 |         include_path
 636 |         The script whose uid is
 637 |         """)
 638 | 
 639 | 
 640 |     ############################################################
 641 |     name = "Error message"
 642 | 
 643 |     add_regex(name, r"\.(aspx?|php[0-9]?|inc|cfm|old|cgi|jsp|html?|class)\b.*?\b[Ll]ine\b.*?[0-9]+",
 644 |         test_finds = """
 645 |         /download.asp</font><font face="Arial" size=2>, line 12</font>
 646 |         /download.asp, line 12
 647 |         route.php, line 12
 648 |         route.inc, line 12
 649 |         APP/webroot/index.php, line 87</pre>
 650 |         C:\html\pdf.aspx<b> &nbsp;&nbsp; Line: </b> 334
 651 |         \SQLServer_connection.aspx Line: 33 
 652 |         events.aspx:line 14 -->
 653 |         AuthPluginController.php on line <i>58</i>
 654 |         should not be called statically in file /home/storage/handler.php line 230<br>
 655 |         Error in C:\inetpub\Default.aspx on line 322
 656 |         /new.php on line 2
 657 |         """,
 658 |         test_ignores = """
 659 |         asp, line
 660 |         aspon line
 661 |         xasp, line
 662 |         Xphp, lineXX3X
 663 |         XPHPXLINE
 664 |         """,
 665 |         ignored_types="css")
 666 | 
 667 |     add_regex(name, r"\.(aspx?|php[0-9]?|inc|cfm|old|cgi|jsp|html?|class)\b\s*(<.*?>)?\s*:\s*(<.*?>)?\s*[0-9]+",
 668 |         test_finds = """
 669 |         in e:\WWW\pdf.aspx:380
 670 |         (output started at /wwwroot/err.php:272)
 671 |         in /home/storage/2/21/af/sbmp/public_html/cbab/siscbab/include/common.php:63
 672 |         >../Bootstrap.php<b>:</b>97</td></tr>
 673 |         undefined function mysql_connect() in /home1/dbi.php:105
 674 |         """,
 675 |         test_ignores = """
 676 |         """)
 677 | 
 678 |     add_iregex(name, r"\bbacktrace\b",
 679 |         test_finds = """
 680 |         X backTrace X
 681 |         class.backTrace
 682 |         """,
 683 |         test_ignores = """
 684 |         backtraces
 685 |         xbackTrace
 686 |         """)
 687 | 
 688 |     add_iregex(name, r"\bstack.trace\b",
 689 |         test_finds = """
 690 |         <b>Stack Trace:</b> <br><br>
 691 |         Please review the stack trace for more information
 692 |         stack-trace
 693 |         """,
 694 |         test_ignores = """
 695 |         """,
 696 |         ignored_types = "js")
 697 | 
 698 |     add_iregex(name, r"\bunable to cast ",
 699 |         test_finds = """
 700 |         Unable to cast object of type 
 701 |         Unable to cast object of type 'proje.hesap' to type
 702 |         Unable to cast COM object of type 'System.__ComObject'
 703 |         """,
 704 |         test_ignores = """
 705 |         """)
 706 | 
 707 |     add_iregex(name, r"\b(internal|fatal|unhandled|unexpected|uncaught) ?(exception|error)\b",
 708 |         test_finds = """
 709 |         An unexpected error occurred on a send.
 710 |         unhandled error
 711 |         internal error
 712 |         Connection Lost: Internal Exception: java.io.IOException: An established connection was aborted
 713 |         """,
 714 |         test_ignores = """
 715 |         Xinternal error
 716 |         """,
 717 |         ignored_types = "js")
 718 | 
 719 |     add_iregex(name, r"\b(syntax|parse|runtime) error\b",
 720 |         test_finds = """
 721 |         syntax error near unexpected token `('
 722 |         Error: syntax error near \":=\" : expected '.'
 723 |         org.postgresql.util.PSQLException: ERROR: syntax error at or near "$1"
 724 |         Error :: ERROR: syntax error at or near "TYPE" at character 51
 725 |         ERROR: parser: parse error at or near
 726 |         Microsoft VBScript runtime error '800a000d' Type mismatch
 727 |         """,
 728 |         test_ignores = """
 729 |         runtime X error
 730 |         runtime errors
 731 |         """,
 732 |         ignored_types = "js")
 733 | 
 734 |     add_iregex(name, r"\b(error|exception)\b.*?\bwhile (attempting|trying) to ",
 735 |         test_finds = """
 736 |         ERROR: I/O or zip error while attempting to read entry
 737 |         Error while attempting to commit transaction.
 738 |         There was an unexpected error while trying to repair Trusted
 739 |         Error while trying to run project : Unable to start debugging.
 740 |         NamingException: Exception while trying to get InitialContext. 
 741 |         threw an exception while trying to deserialize the 
 742 |         WARNING: Exception while attempting to add an entry
 743 |         [CASSANDRA-12152] Unknown exception caught while attempting to update
 744 |         Exception thrown while attempting to traverse the result set [
 745 |         An unexpected exception occurred while attempting to communicate
 746 |         MODx encountered the following error while attempting to '
 747 |         """,
 748 |         ignored_types = "js")
 749 | 
 750 |     add_iregex(name, r"\b(error|exception) (\w+ )?(encountered|occurr?ed)\b",
 751 |         test_finds = """
 752 |         A PHP Error was encountered
 753 |         <h4>A PHP Error was encountered</h4>
 754 |         Warning. Error encountered while saving cache
 755 |         Exception encountered during initialization
 756 |         An unexpected exception occurred while attempting to communicate
 757 |         A COM exception has occured.
 758 |         """,
 759 |         test_ignores = """
 760 |         Xerrror was encountered
 761 |         """,
 762 |         ignored_types = "js")
 763 | 
 764 |     add_iregex(name, r"\error (occurr?ed|loading|encountered|report|message|converting|diagnostic)",
 765 |         test_finds = """
 766 |         error messages
 767 |         error loadinG
 768 |         Error Diagnostic Information
 769 |         Error Report
 770 |         """,
 771 |         ignored_types = "js")
 772 | 
 773 |     add_regex(name, r'\b[Ee]ncountered an? (\w+ )?(error|exception)\b',
 774 |         test_finds = """
 775 |         BackupManager encountered an exception
 776 |         Sorry, we encountered an error....
 777 |         TypeError: ServiceWorker script encountered an error during
 778 |         NTVDM encountered a hard error
 779 |         [Server thread/ERROR]: Encountered an unexpected exception net.
 780 |         encountered a declaration exception
 781 |         Debugger encountered an exception: Exception at 0x7ffd21349e08
 782 |         DJLDAPv3Repo encountered an ldap exception.
 783 |         The server encountered a temporary error and could not complete your request
 784 |         """,
 785 |         test_ignores = """
 786 |         But I encountered with a strange error, it says,
 787 |         If the error encountered is a softer error, such as an ...
 788 |         """)
 789 | 
 790 |     add_iregex(name, r'\bconnection (was |is )?closed\b',
 791 |         test_finds = """
 792 |         The underlying connection was closed
 793 |         An unrecoverable IOException occurred so the connection was closed.
 794 |         System.Net.WebException: The underlying connection was closed
 795 |         Database connection closed on port
 796 |         Connection closed by foreign host.
 797 |         Exception:Message: The connection is closed
 798 |         """,
 799 |         test_ignores = """
 800 |         Xconnection was closed
 801 |         connection was closedX
 802 |         """)
 803 | 
 804 |     add_iregex(name, r'\b(php|server) (\w+ )?error\b',
 805 |         test_finds = """
 806 |         &laquo; PHP Parse Error &raquo;</b>
 807 |         <b>PHP error debug</b>
 808 |         <H1>Server Error in '/EMCFLEXQUOTE' Application.<hr
 809 |         """,
 810 |         test_ignores = """
 811 |         some php errors
 812 |         observer error
 813 |         servererror
 814 |         server errors
 815 |         """,
 816 |         ignored_types = "js")
 817 | 
 818 |     add_iregex(name, r'(login|access|authentication|permission) (failed|failure|denied)',
 819 |         test_finds = """
 820 |         Authentication failed for user root@localhost.localdomain.
 821 |         FATAL: Ident authentication failed for user "pgadmin" 
 822 |         Access denied for user 
 823 |         Microsoft VBScript runtime (0x800A0046). Permission denied.
 824 |         SQLSTATE[HY000] [1045] Access denied for user 'root'@'localhost'
 825 |         """,
 826 |         ignored_types = "js")
 827 | 
 828 |     add_iregex(name, r'\b(unterminated|unexpected) (end|token|string)\b',
 829 |         test_finds = """
 830 |         Parse error: syntax error, unexpected end of file in
 831 |         compile error: unexpected end of script
 832 |         unexpected end-of-file occurred
 833 |         ORA-00921: unexpected end of SQL command
 834 |         syntax error near unexpected token `('
 835 |         An unexpected token "END-OF-STATEMENT" was found
 836 |         Unterminated string constant 
 837 |         SyntaxError: unterminated string literal
 838 |         error: unterminated string
 839 |         """,
 840 |         ignored_types = "js")
 841 | 
 842 |     add_strings(name, """
 843 |         is not allowed to access
 844 |         """)
 845 | 
 846 | 
 847 |     ############################################################
 848 |     name = "Microsoft Error message"
 849 | 
 850 |     add_iregex(name, r'[x\W\b]800(40|a0|04)[a-f0-9]{3}\b',
 851 |         test_finds = """
 852 |         Microsoft VBScript runtime error '800a000d' Type mismatch
 853 |         6 Microsoft JET Database Engine Error '80004005' 
 854 |         Microsoft SQL Native Client error '80004005' Named Pipes
 855 |         Microsoft VBScript runtime (0x800A0046). Permission denied.
 856 |         Microsoft SQL Native Client error '80004005'. Cannot open database
 857 |         Microsoft SQL Native Client error '80004005'. Login failed for user 'Admin'
 858 |         Microsoft SQL Native Client error '80040e37'.
 859 |         """,
 860 |         test_ignores = """
 861 |         """)
 862 | 
 863 | 
 864 |     ############################################################
 865 |     name = "DB2 SQL Error message"
 866 | 
 867 |     add_regex(name, r"\bSQL\d{4}N\b",
 868 |         test_finds = """
 869 |         [IBM][CLI Driver][DB2] SQL0443N Routine "SQLTABLES" (specific name "SQLTABLES") has returned an error SQLSTATE with
 870 |         During SQL processing it returned: SQL0204N
 871 |         nput Data (33) Error SQLExtendedFetch: [IBM][CLI Driver][DB2/AIX64] SQL0420N Invalid character found in a character string argument of the function "DECFLOAT". SQLSTATE=22018
 872 |         """)
 873 | 
 874 |     ############################################################
 875 |     name = "Oracle SQL Error message"
 876 | 
 877 |     add_regex(name, r"(\b|^)ORA-\d{5}(\b|$)",
 878 |         test_finds = """
 879 |         ORA-00921: unexpected end of SQL command
 880 |         ORA-29282: invalid file ID
 881 |         ORA-00933: SQL command not properly terminated. 
 882 |         ou,ORA-28002:,the,password,
 883 |         """)
 884 | 
 885 | 
 886 |     ############################################################
 887 |     name = "SQL Error message"
 888 | 
 889 |     #check the manual that corresponds to your MySQL server version for
 890 |     #check the manual that corresponds to your MariaDB server version for
 891 |     #error in your SQL syntax
 892 |     add_strings(name, """
 893 |         error in your SQL syntax
 894 |         check the manual that corresponds to your
 895 |         Can't find record in
 896 |         Type mismatch
 897 |         mix of collations
 898 |         Unable to jump to row
 899 |         missing expression
 900 |         Can't connect to local
 901 |         Invalid Path Character
 902 |         Column count doesn't match value count at row
 903 |         Unclosed quotation mark before the character string
 904 |         An illegal character has been found in the statement
 905 |         No database selected
 906 |         """)
 907 | 
 908 |     add_iregex(name, r"\b(unknown|invalid|incorrect) (column|table|query|sql|parameter|procedure|syntax|database|file)",
 909 |         test_finds = """
 910 |         Error 1054 Unknown column 'a.category' in 'where clause'
 911 |         Debug info: Unknown column 'groupmembersonly' in 'where clause' SELECT
 912 |         Unknown column 'a.id' in 'on clause' 
 913 |         PHP Fatal error: 1054 :Unknown column 'status' in 'where clause'
 914 |         Data.SqlClient.SqlException: Invalid column name 'apikeytime'.
 915 |         [Microsoft][SQL Server Native Client 10.0][SQL Server]Invalid column name 'U_FOC'.
 916 |         Warning: Requested unknown parameter
 917 |         stored procedure: Invalid Parameter Type.
 918 |         Invalid procedure call or argument
 919 |         Incorrect syntax near
 920 |         ORA-29282: invalid file ID
 921 |         """,
 922 |         ignored_types = "js")
 923 | 
 924 |     add_iregex(name, r"sql[ _]?(state|code)\b",
 925 |         test_finds = """
 926 |         Connection failed : SQL state S1 T00 SQL SERVER ERROR 0
 927 |         SQL State 3000
 928 |         SQL STATE: S1000 ERROR CODE: -25. ERROR IN SCRIPT LINE FILE: 78'
 929 |         Database error: SQL State 'HYC00';
 930 |         [SQLDriverConnect]{SQL_STATE: IM002}[Microsoft][ODBC Driver Manager]'
 931 |         Warning C4251 'sql::SQLException::sql_state': class 'std::
 932 |         SQLSTATE[HY000] [14] unable to open database file
 933 |         SQLSTATE[HY000] [1045] Access denied for user 'root'@'localhost'
 934 |         SQLSTATE[42000]: Syntax error or access violation: 1064
 935 |         mysql state: 28000
 936 |         [IBM][CLI Driver][DB2] SQL0443N Routine "SQLTABLES" (specific name "SQLTABLES") has returned an error SQLSTATE with
 937 |         Exception: [Informix][Informix ODBC Driver]Driver not capable. SQLCODE=-11092
 938 |         nput Data (33) Error SQLExtendedFetch: [IBM][CLI Driver][DB2/AIX64] SQL0420N Invalid character found in a character string argument of the function "DECFLOAT". SQLSTATE=22018
 939 |         """,
 940 |         test_ignores = """
 941 |         sqlstates
 942 |         sql states
 943 |         sql codes
 944 |         """)
 945 | 
 946 |     add_regex(name, r"\b not properly (ended|terminated)\b",
 947 |         test_finds = """
 948 |         quoted string not properly terminated
 949 |         SQL command not properly ended
 950 |         ORA-00933: SQL command not properly terminated. 
 951 |         """,
 952 |         test_ignores = """
 953 |         """)
 954 | 
 955 |     add_iregex(name, r"\b[jo]dbc\b",
 956 |         test_finds = """
 957 |         com.mysql.jdbc
 958 |         org.postgresql.jdbc
 959 |         SQLServer JDBC Driver
 960 |         macromedia.jdbc.sqlserver
 961 |         com.microsoft.sqlserver.jdbc
 962 |         macromedia.jdbc.oracle
 963 |         oracle.jdbc
 964 |         com.informix.jdbc
 965 |         weblogic.jdbc.informix
 966 |         org.firebirdsql.jdbc
 967 |         org.sqlite.JDBC
 968 |         com.sap.dbtech.jdbc
 969 |         com.sybase.jdbc
 970 |         com.ingres.gcf.jdbc
 971 |         com.frontbase.jdbc
 972 |         org.hsqldb.jdbc
 973 |         org.h2.jdbc
 974 |         com.microsoft.sqlserver.jdbc.SQLServerException: Violation of PRIMARY KEY constraint
 975 |         .jdbc'
 976 |         Exception: [Informix][Informix ODBC Driver]Driver not capable. SQLCODE=-11092
 977 |         [Microsoft][ODBC SQL Server Driver][SQL Server]
 978 |         PostgreSQL ODBC error
 979 |         [SQLDriverConnect]{SQL_STATE: IM002}[Microsoft][ODBC Driver Manager]'
 980 |         Warning: SQL error: [INTERSOLV][ODBC SQL Server driver][SQL Server]Invalid column name 'projanfang'
 981 |         [S1090] [Microsoft][ODBC DB2 Driver] Invalid string or buffer length.
 982 |         """,
 983 |         test_ignores = """
 984 |         xjdbc
 985 |         jdbcx
 986 |         """)
 987 | 
 988 |     add_iregex(name, r'(sql|\bdb2|\b[oj]dbc|\bsqlite|\bdatabase|\boracle|\bdb|\bquery)\s+(\w+\s+)?(driver|failed|error|exception|warning|engine)\b',
 989 |         test_finds = """
 990 |         Access Database Engine
 991 |         <b>Database error:</b> Invalid SQL:
 992 |         <b>MySQL Error</b>: 
 993 |         Database error occured: #1950 (2627) Generic db error: "2627 
 994 |         Database error: SQL State 'HYC00';
 995 |         Dynamic SQL Error SQL Error code = -204 Table UNKNOW
 996 |         Exception: [Informix][Informix ODBC Driver]Driver not capable. SQLCODE=-11092
 997 |         JET Database Engine
 998 |         >&laquo; Execution of a query to the database failed &raquo;
 999 |         [Microsoft][ODBC SQL Server Driver][SQL Server]
1000 |         Postgresql CDC Error
1001 |         PostgreSQL ODBC error
1002 |         PostgreSQL query failed
1003 |         [SQLDriverConnect]{SQL_STATE: IM002}[Microsoft][ODBC Driver Manager]
1004 |         SQLite error 11: database disk 
1005 |         The Microsoft Jet database engine cannot open the file
1006 |         Warning: SQL error: [INTERSOLV][ODBC SQL Server driver][SQL Server]Invalid column name 'projanfang'
1007 |         """,
1008 |         test_ignores = """
1009 |         some sql errors
1010 |         """)
1011 | 
1012 |     add_regex(name, r'(oledb|OLE[\W_]?DB)\b',
1013 |         test_finds = """
1014 |         oraOLEDB.Oracle: Provider not found: Oracle 1
1015 |         provider=MYSQLOLEDB; Driver={MySQL};SERVER=localhost
1016 |         Codigo de Excepcion OLE IDispatch 0 de Microsoft OLE DB Provider SQL Server
1017 |         oledb.oledbConnection(connectionString)'
1018 |         OraOLEDB
1019 |         Provider=Microsoft.Jet.OLEDB.4.0;
1020 |         OLE_DB
1021 |         """,
1022 |         test_ignores = """
1023 |         OLE_DBX
1024 |         XOLE_DBX
1025 |         OL_DBX
1026 |         """)
1027 | 
1028 |     # removed 'ingres' because of false positives
1029 |     add_iregex(name, r'(^|[\W\s_])(adodb|informix|sybase|sqlite|mssql|mysql|oracle|hsqldb)([\W\s_]|$)',
1030 |         test_finds = """
1031 |         X_INFORMIX_X
1032 |         com.informix.jdbc
1033 |         weblogic.jdbc.informix
1034 |         Exception: [Informix][Informix ODBC Driver]Driver not capable. SQLCODE=-11092
1035 |         [ADODB.Connection]
1036 |         """,
1037 |         test_ignores = """
1038 |         sybaseX
1039 |         Xsybase
1040 |         """)
1041 | 
1042 | 
1043 |     ############################################################
1044 |     name = "SQL Query disclosure"
1045 | 
1046 |     add_iregex(name, r'\b(create|drop)\s+(database|table|view|index|procedure|function)\b',
1047 |         test_finds = """
1048 |         create Database
1049 |         create table
1050 |         CREATE view
1051 |         creAte  index
1052 |         create  procedure
1053 |          create\tfunction
1054 |         drop Database
1055 |         drop table
1056 |         DROP view
1057 |         drop index
1058 |         drop  procedure
1059 |         drop function
1060 |         """,
1061 |         test_ignores = """
1062 |          create\tfunctions
1063 |         Xdrop Database
1064 |         """)
1065 | 
1066 | 
1067 |     ############################################################
1068 |     name = "Leaked file path"
1069 | 
1070 |     add_strings(name, "file://")
1071 | 
1072 |     add_regex(name, r'(/|\\)Users(/|\\)',
1073 |         test_finds = """
1074 |         marketplace_file:///C:/Users/sh
1075 |         """,
1076 |         test_ignores = """
1077 |         inetpubX
1078 |         """)
1079 | 
1080 |     add_regex(name, r'\b[CDE]:(/|\\)',
1081 |         test_finds = r"""
1082 |         /C:/bla
1083 |         E:\bla
1084 |         """,
1085 |         test_ignores = """
1086 |         C:
1087 |         XC:/bla
1088 |         """)
1089 | 
1090 |     add_regex(name, r"/(home|var|www|usr)/",
1091 |         test_finds = """
1092 |         /home/www/
1093 |         daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
1094 |         """,
1095 |         test_ignores = """
1096 |         homepage
1097 |         /HOME/
1098 |         # www.google.com/support/webmasters/bin/answer.py?hl=en&answer=156449
1099 |         """)
1100 | 
1101 |     add_regex(name, r"\b(public_html|wwwroot|inetpub|xampp|htdocs)\b",
1102 |         test_finds = """
1103 |         /var/www/public_html/index.php
1104 |         on wwwroot
1105 |         in c:/inetpub/wwwroot
1106 |         in D:\Inetpub\wwwroot
1107 |         """,
1108 |         test_ignores = """
1109 |         wwwroots
1110 |         Public_Html
1111 |         """)
1112 | 
1113 | 
1114 |     ############################################################
1115 |     name = "Unix Shebang disclosure"
1116 | 
1117 |     add_regex(name, r"[\s^]#!/(bin|usr)/",
1118 |         test_finds = """
1119 |         #!/usr/bin/perl
1120 |         #!/bin/bash
1121 |         """,
1122 |         test_ignores = """
1123 |         $#!/usr/bin/perl
1124 |         "#!/usr/bin/perl"
1125 |         """)
1126 | 
1127 | 
1128 |     ############################################################
1129 |     name = "Directory Listing"
1130 | 
1131 |     add_regex(name, r'\b(Index of|Parent Directory|Directory [Ll]isting)\b',
1132 |         test_finds = """
1133 |         <title>Directory Listing For /</title>
1134 |         <H1>Directory listing for /</H1>
1135 |         <title>Directory Listing</title>
1136 |         <h1>Index of /phy
1137 |         >Parent Directory</a>
1138 |         Parent Directory
1139 |         <h1>Index of /p
1140 |         """,
1141 |         ignored_types= "js")
1142 | 
1143 |     add_regex(name, r' alt="\[(DIR|PARENTDIR|IMG)\]"',
1144 |         test_finds = """
1145 |         <td style="padding-right:15px"><img src="/layout/i/folder.gif" alt="[DIR]"></td>
1146 |         <img src="/__ovh_icons/back.gif" alt="[PARENTDIR]"> <a href="/content/">Parent Directory</a> 
1147 |         <img src="/__ovh_icons/image2.gif" alt="[IMG]"> 
1148 |         """)
1149 | 
1150 | 
1151 |     ############################################################
1152 |     name = "Product disclosure"
1153 | 
1154 |     add_iregex(name, r"\bpowered by\b",
1155 |         test_finds = """
1156 |         Powered by: vBulletin v3.8.4
1157 |         """,
1158 |         test_ignores = """
1159 |         """)
1160 | 
1161 |     add_iregex(name, r" server at ",
1162 |         test_finds = """
1163 |         Proudly Served by LiteSpeed Web Server at xxx.com
1164 |         """)
1165 | 
1166 | 
1167 |     ############################################################
1168 |     name = "Google Analytics UA Tracking ID"
1169 | 
1170 |     # https://stackoverflow.com/questions/2497294/regular-expression-to-validate-a-google-analytics-ua-number
1171 |     # https://www.drupal.org/project/google_analytics/issues/1336252
1172 |     add_regex(name, r"\WUA-\d{4,10}(-\d{1,4})?[^\w-]",
1173 |         test_finds = """
1174 |         "UA-12345678"
1175 |         "UA-12345678-12"
1176 |         """,
1177 |         test_ignores = """
1178 |         XUA-12345678"
1179 |         "UA-12345678-12X"
1180 |         "UA-12345678X"
1181 |         """)
1182 | 
1183 | 
1184 |     ############################################################
1185 |     name = "E Mail disclosure"
1186 | 
1187 |     add_regex(name, r"(?:\bmailto:)[^'\" ]+",
1188 |         test_finds = """
1189 |         maintained by <A HREF="mailto:lonsa@ncu.edu">
1190 |         """)
1191 | 
1192 |     add_regex(name, r"\b[\w.+-]+@[a-zA-Z0-9]+[a-zA-Z0-9-]*\.[a-zA-Z0-9-.]*[a-zA-Z0-9]{2,}",
1193 |         test_finds = """
1194 |         "admin@test.com"
1195 |         """,
1196 |         test_ignores = """
1197 |         *@123
1198 |         $@#!.
1199 |         """)
1200 | 
1201 |     # build `matcher` (regex_list, regex_ids)
1202 |     regex_list = {"REGEX": {}, "IREGEX": {}}
1203 |     for dt in DATA_TYPES.keys():
1204 |         regex_list["REGEX"][dt] = _GLOB["REGEX"][dt]
1205 |         regex_list["IREGEX"][dt] = _GLOB["IREGEX"][dt]
1206 |     regex_ids = _GLOB["REG_BY_IDS"]
1207 |     matcher = (regex_list, regex_ids)
1208 | 
1209 |     # nonreg test: ensure all lines are matched as suspicious
1210 |     for line in str_to_lines(_NONREG_STRINGS):
1211 |         if line.startswith("#"):
1212 |             continue
1213 |         res = scan_body(line, "default", matcher)
1214 |         if not res:
1215 |             test_fail(res, None, line)
1216 |             
1217 |     # display errors if any test failed
1218 |     if _GLOB["ERRORS"]:
1219 |         print(_GLOB["ERRORS"])
1220 |         raise Exception("Some tests failed")
1221 |     if DEV_MODE:
1222 |         print("[+] build_matcher(): Matcher successfully built")
1223 |     return matcher
1224 | 
1225 | 
1226 | def scan_body(data, data_type, matcher):
1227 |     regex_list, regex_ids = matcher
1228 |     matches = {}
1229 |     for regex_type in regex_list.keys():
1230 |         regex = regex_list[regex_type][data_type]
1231 |         flags = re.I if regex_type == "IREGEX" else 0
1232 |         regex = re.compile(regex, flags)
1233 |         for m in regex.finditer(data):
1234 |             start_pos = m.start()
1235 |             issue_id = m.lastgroup
1236 |             matches[start_pos] = {
1237 |                     "str": m.group(issue_id),
1238 |                     "regex": regex_ids[issue_id],
1239 |                     "issue": issue_id[:-8].replace("_kw_", " "),
1240 |                     }
1241 |     return matches
1242 | 
1243 | 
1244 | def get_data_type(content_type):
1245 |     """get the data type (one of DATA_TYPES keys)
1246 |     """
1247 |     for key, val in DATA_TYPES.items():
1248 |         if key == "default":
1249 |             continue
1250 |         for match in val:
1251 |             if match in content_type:
1252 |                 return key
1253 |     return "default"
1254 | 
1255 | @exception_handler
1256 | def scan(ps, msg, src):
1257 |     if DEV_MODE:
1258 |         print("\n--------------------")
1259 |         print("[*] %s script started" % NAME)
1260 |     # Docs on alert raising function:
1261 |     #  raiseAlert(int risk, int confidence, str name, str description, str uri,
1262 |     #             str param, str attack, str otherInfo, str solution,
1263 |     #             str evidence, int cweId, int wascId, HttpMessage msg)
1264 |     #  risk: 0: info, 1: low, 2: medium, 3: high
1265 |     #  confidence: 0: falsePositive, 1: low, 2: medium, 3: high, 4: confirmed
1266 | 
1267 |     old_script_hash = max(ScriptVars.getGlobalVar(NAME+"_hash"), "")
1268 |     script_hash = hash_source_code()
1269 | 
1270 |     if script_hash == old_script_hash:
1271 |         matcher = pickle.loads(ScriptVars.getGlobalVar(NAME+"_matcher"))
1272 |     else:
1273 |         ScriptVars.setGlobalVar(NAME+"_hash", script_hash)
1274 |         matcher = build_matcher()
1275 |         ScriptVars.setGlobalVar(NAME+"_matcher", pickle.dumps(matcher))
1276 | 
1277 |     if DEV_MODE:
1278 |         print("[+] Got matcher, now scanning body")
1279 |     body = msg.getResponseBody()
1280 |     hdr = msg.getResponseHeader()
1281 |     uri = msg.getRequestHeader().getURI().toString()
1282 |     if DEV_MODE:
1283 |         print("[*] URI = %s" % uri)
1284 | 
1285 |     content_type = max(hdr.getHeader(hdr.CONTENT_TYPE), "")
1286 |     content_type = content_type.split(";", 1)[0].strip()
1287 |     blacklist = ["audio/", "video/"]
1288 |     if any(s in content_type for s in blacklist):
1289 |         if DEV_MODE:
1290 |             print("[-] Blacklisted content-type %r: aborting" % content_type)
1291 |         return
1292 | 
1293 |     data = body.toString()[:MAX_BODY_SIZE]
1294 |     data_type = get_data_type(content_type)
1295 |     if DEV_MODE:
1296 |         print("[*] data_type = %s" % data_type)
1297 |     matches = scan_body(data, data_type, matcher)
1298 | 
1299 |     found_evidences = []
1300 |     for start_pos in sorted(matches):
1301 |         match = matches[start_pos]
1302 |         title = "%s: %s (script)" % (NAME, match["issue"])
1303 |         desc = "Regular Expression:\n  %s" % match["regex"]
1304 |         evidence = match["str"]
1305 |         if evidence in found_evidences:
1306 |             continue
1307 |         found_evidences.append(evidence)
1308 |         if DEV_MODE:
1309 |             print("  -> GOT MATCH: %s" % title)
1310 |         ps.raiseAlert(0, 1, title, desc, uri, None,
1311 |                         None, None, None, evidence, 0, 0, msg)
1312 |     if DEV_MODE:
1313 |         print("[+] Body correctly scanned")
1314 | 
1315 | 
1316 | def appliesToHistoryType(histType):
1317 |     """
1318 |     Limit scanned history types, which otherwise default to
1319 |     types in `PluginPassiveScanner.getDefaultHistoryTypes()`
1320 |     """
1321 |     #from org.parosproxy.paros.model import HistoryReference as hr
1322 |     from org.zaproxy.zap.extension.pscan import PluginPassiveScanner
1323 | 
1324 |     #return histType in [hr.TYPE_PROXIED, hr.TYPE_SPIDER]
1325 |     return histType in PluginPassiveScanner.getDefaultHistoryTypes()
1326 | 
1327 | 
1328 | 


--------------------------------------------------------------------------------
/passive/exPscan/README:
--------------------------------------------------------------------------------
 1 | # vi: ft=conf
 2 | 
 3 | =====
 4 | NOTE:
 5 | =====
 6 | This directory contains some aggregate of regex lists taken.
 7 | They serve as a memento of suspicious strings coverage.
 8 | 
 9 | If you find any list interesting list, they are very welcome
10 | and i'll manage to implement them on exPscan.py
11 | 
12 | ## SPECIAL FILES
13 | nonreg-strings.txt
14 |     aggregate of raw strings for non-regression tests.
15 | 
16 | 
17 | ## EXTERNAL SOURCES
18 | sqlmap-errors.xml:
19 |     https://github.com/sqlmapproject/sqlmap/blob/master/xml/errors.xml
20 |     #XXX: MOSTLY DONE
21 | 
22 | zaproxy-pscanrules-application_errors.xml:
23 |     https://github.com/zaproxy/zap-extensions/blob/master/src/org/zaproxy/zap/extension/pscanrules/resources/application_errors.xml
24 |     #XXX: DONE, ADDRD TO nonreg-strings.txt
25 | 
26 | zaproxy-pscanrulesAlpha-SourceCodeDisclosureScanner.java:
27 |     https://github.com/zaproxy/zap-extensions/blob/alpha/src/org/zaproxy/zap/extension/pscanrulesAlpha/SourceCodeDisclosureScanner.java
28 |     #XXX: MOSTLY DONE
29 | 
30 | fuzzdb-errors.txt:
31 |     https://github.com/fuzzdb-project/fuzzdb/blob/master/regex/errors.txt
32 |     #XXX: DONE, ADDED TO nonreg-strings.txt
33 | 
34 | TODO:
35 |     [ ] https://github.com/noobexploiter/gsqli/blob/main/main.go
36 |     [ ] https://github.com/noobexploiter/gofinder/blob/main/main.go
37 |     [ ] INCLUDE INTERESTING REGEXES FROM THIS PR: https://github.com/zaproxy/community-scripts/pull/278/files#
38 |     #XXX: NOTHING DONE
39 |     search for:
40 |         /_debugbar
41 |         /_profiler
42 | 


--------------------------------------------------------------------------------
/passive/exPscan/fuzzdb-errors.txt:
--------------------------------------------------------------------------------
 1 | A syntax error has occurred
 2 | Active Server Pages error
 3 | ADODB.Field error
 4 | An illegal character has been found in the statement
 5 | An unexpected token "END-OF-STATEMENT" was found
 6 | ASP.NET is configured to show verbose error messages
 7 | ASP.NET_SessionId
 8 | Can't connect to local
 9 | CLI Driver
10 | Custom Error Message
11 | data source=
12 | database error
13 | DB2 Driver
14 | DB2 Error
15 | DB2 ODBC
16 | detected an internal error
17 | detected an internal error [IBM][CLI Driver][DB2/6000]
18 | Died at
19 | Disallowed Parent Path
20 | error
21 | Error converting data type varchar to numeric
22 | Error Diagnostic Information
23 | Error Message : Error loading required libraries.
24 | Error Report
25 | Fatal error
26 | include_path
27 | Incorrect syntax near
28 | Index of
29 | Internal Server Error
30 | Invalid Path Character
31 | Invalid procedure call or argument
32 | invalid query
33 | Invision Power Board Database Error
34 | is not allowed to access
35 | JDBC Driver
36 | JDBC Error
37 | JDBC MySQL
38 | JDBC Oracle
39 | JDBC SQL
40 | line
41 | Microsoft OLE DB Provider for ODBC Drivers
42 | Microsoft VBScript compilation error
43 | Microsoft VBScript error
44 | missing expression
45 | mix of collations
46 | MySQL Driver
47 | mysql error
48 | MySQL Error
49 | mySQL error with query
50 | MySQL ODBC
51 | ODBC DB2
52 | ODBC Driver
53 | ODBC Error
54 | ODBC Microsoft Access
55 | ODBC Oracle
56 | ODBC SQL
57 | ODBC SQL Server
58 | OLE/DB provider returned message
59 | on line
60 | on MySQL result index
61 | ORA-0
62 | ORA-1
63 | Oracle DB2
64 | Oracle Driver
65 | Oracle Error
66 | Oracle ODBC
67 | Parent Directory
68 | Permission denied: 'GetObject'
69 | PHP Error
70 | PHP Parse error
71 | PHP Warning
72 | PostgreSQL query failed: ERROR: parser: parse error
73 | server at
74 | server object error
75 | SQL command not properly ended
76 | SQL Server Driver
77 | SQL Server Driver][SQL Server
78 | SQLException
79 | supplied argument is not a valid MySQL result resource
80 | Supplied argument is not a valid PostgreSQL result
81 | Syntax error in query expression
82 | The error occurred in
83 | The script whose uid is
84 | Type mismatch
85 | Unable to jump to row
86 | Unclosed quotation mark before the character string
87 | unexpected end of SQL command
88 | unexpected error
89 | Unterminated string constant
90 | Warning: Cannot modify header information - headers already sent
91 | Warning: mysql_query
92 | Warning: mysql_query()
93 | Warning: pg_connect
94 | Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL
95 | Warning: Supplied argument is not a valid File-Handle resource in
96 | You have an error in your SQL syntax near
97 | 


--------------------------------------------------------------------------------
/passive/exPscan/nonreg-strings.txt:
--------------------------------------------------------------------------------
  1 | ## vi: ft=conf
  2 | ## NOTE:
  3 | ##  this file is a aggregate of strings that `should probably`
  4 | ##  be recognized.
  5 | ##  It is useful for non-regression tests
  6 | ##
  7 | ## vim tips:
  8 | ##  remove duplicates:
  9 | ##      :'<,'>!sort -u
 10 | ##  sort by line length:
 11 | ##      :'<,'>!awk '{ print length, $0 }' | sort -n -s | cut -d" " -f2-
 12 | DB2 ODBC
 13 | Index of
 14 | JDBC SQL
 15 | ODBC DB2
 16 | ODBC SQL
 17 | #DB2 Error #(always contains SQLSTATE, or SQL0204N like strings)
 18 | PHP Error
 19 |  server at 
 20 | #CLI Driver # (always contains SQL0420N like str)
 21 | #DB2 Driver
 22 | JDBC Error
 23 | JDBC MySQL
 24 | MySQL ODBC
 25 | ODBC Error
 26 | #Oracle DB2 # useless
 27 | Fatal error
 28 | JDBC Driver
 29 | JDBC Oracle
 30 | mysql error
 31 | MySQL Error
 32 | ODBC Driver
 33 | ODBC Oracle
 34 | Oracle ODBC
 35 | PHP Warning
 36 | data source=
 37 | Error Report
 38 | include_path
 39 | Invalid SQL:
 40 | MySQL Driver
 41 | Oracle Error
 42 | SQLException
 43 | invalid query
 44 | Oracle Driver
 45 | Type mismatch
 46 | Unknown table
 47 | database error
 48 | internal error
 49 | ODBC SQL Server
 50 | PHP Parse error
 51 | Parent Directory
 52 | unexpected error
 53 | ADODB.Field error
 54 | #ASP.NET_SessionId # irrelevant
 55 | mix of collations
 56 | SQL Server Driver
 57 | missing expression
 58 | server object error
 59 | #Warning: pg_connect # already detected to "on line [0-9]" regex in real life
 60 | Can't find record in
 61 | #Custom Error Message #???
 62 | #Warning: mysql_query # already detected ty "on line [0-9]" regex in real life
 63 | Incorrect column name
 64 | Incorrect syntax near
 65 | Internal Server Error
 66 | ODBC Microsoft Access
 67 | on MySQL result index
 68 | The error occurred in
 69 | Unable to jump to row
 70 | Can't connect to local
 71 | Disallowed Parent Path
 72 | Invalid parameter type
 73 | Invalid Path Character
 74 | mySQL error with query
 75 | ODBC SQL Server Driver
 76 | #Warning: mysql_query()
 77 | The script whose uid is
 78 | is not allowed to access
 79 | #Microsoft VBScript error # already caught in real life by microsoft regex '800a0400'
 80 | Microsoft VBScript error '800a0400'
 81 | Active Server Pages error
 82 | detected an internal error
 83 | A syntax error has occurred
 84 | Error Diagnostic Information
 85 | ODBC Microsoft Access Driver
 86 | Unterminated string constant
 87 | ): encountered SQLException [
 88 | SQL Server Driver][SQL Server
 89 | unexpected end of SQL command
 90 | Permission denied: 'GetObject'
 91 | SQL command not properly ended
 92 | [ODBC Informix driver][Informix]
 93 | OLE/DB provider returned message
 94 | Syntax error in query expression
 95 | Invalid procedure call or argument
 96 | Invision Power Board Database Error
 97 | #Microsoft VBScript compilation error # already caught in real life by microsoft regex '800a0400'
 98 | You have an error in your SQL syntax
 99 | ERROR: parser: parse error at or near
100 | Incorrect column specifier for column
101 | Error Occurred While Processing Request
102 | Microsoft OLE DB Provider for SQL Server
103 | Unexpected end of command in statement [
104 | You have an error in your SQL syntax near
105 | internal error [IBM][CLI Driver][DB2/6000]
106 | Microsoft OLE DB Provider for ODBC Drivers
107 | [Microsoft][ODBC Microsoft Access 97 Driver]
108 | Column count doesn't match value count at row
109 | Error converting data type varchar to numeric
110 | supplied argument is not a valid MySQL result
111 | An unexpected token "END-OF-STATEMENT" was found
112 | Error Message : Error loading required libraries.
113 | java.lang.NumberFormatException: For input string:
114 | Supplied argument is not a valid PostgreSQL result
115 | PostgreSQL query failed: ERROR: parser: parse error
116 | Unclosed quotation mark before the character string
117 | An illegal character has been found in the statement
118 | ASP.NET is configured to show verbose error messages
119 | detected an internal error [IBM][CLI Driver][DB2/6000]
120 | supplied argument is not a valid MySQL result resource
121 | [SQL Server Driver][SQL Server]Line 1: Incorrect syntax near
122 | Warning: Cannot modify header information - headers already sent
123 | Warning: Supplied argument is not a valid File-Handle resource in
124 | Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL
125 | Incorrect syntax near
126 | query failed
127 | #not an object # too much false positives
128 | error occurred
129 | ERROR OCCURRED
130 | Server Error
131 | invalid file name
132 | fatal error
133 | parse error
134 | ERROR 1049 (42000): Unknown database
135 | No database selected
136 | #exception report # not relevant on google hack search
137 | Servlet error : java.lang.IndexOutOfBoundsException
138 | 


--------------------------------------------------------------------------------
/passive/exPscan/nonreg-strings.txt.NOMATCH:
--------------------------------------------------------------------------------
1 | ADODB.Field error
2 | 


--------------------------------------------------------------------------------
/passive/exPscan/sqlmap-errors.xml:
--------------------------------------------------------------------------------
  1 | <!-- <?xml version="1.0" encoding="UTF&#45;8"?> -->
  2 | <!--  -->
  3 | <!-- <root> -->
  4 | <!--     <!&#45;&#45; MySQL &#45;&#45;> -->
  5 | <!--     <dbms value="MySQL"> -->
  6 |         <!-- <error regexp="SQL syntax.*?MySQL"/> -->
  7 |         <!-- <error regexp="Warning.*?\Wmysqli?_"/> -->
  8 |         <!-- <error regexp="MySQLSyntaxErrorException"/> -->
  9 |         <!-- <error regexp="valid MySQL result"/> -->
 10 |         <!-- <error regexp="check the manual that corresponds to your (MySQL|MariaDB) server version"/> -->
 11 |         <!-- <error regexp="Unknown column '[^ ]+' in 'field list'"/> -->
 12 |         <error regexp="MySqlClient\."/>
 13 |         <!-- <error regexp="com\.mysql\.jdbc"/> -->
 14 |         <!-- <error regexp="Zend_Db_(Adapter|Statement)_Mysqli_Exception"/> -->
 15 |         <error regexp="Pdo[./_\\]Mysql"/>
 16 |         <!-- <error regexp="MySqlException"/> -->
 17 |     </dbms>
 18 | 
 19 |     <!-- PostgreSQL -->
 20 |     <dbms value="PostgreSQL">
 21 |         <!-- <error regexp="PostgreSQL.*?ERROR"/> -->
 22 |         <!-- <error regexp="Warning.*?\Wpg_"/> -->
 23 |         <!-- <error regexp="valid PostgreSQL result"/> -->
 24 |         <error regexp="Npgsql\."/>
 25 |         <!-- <error regexp="PG::SyntaxError:"/> -->
 26 |         <!-- <error regexp="org\.postgresql\.util\.PSQLException"/> -->
 27 |         <!-- <error regexp="ERROR:\s\ssyntax error at or near"/> -->
 28 |         <!-- <error regexp="ERROR: parser: parse error at or near"/> -->
 29 |         <!-- <error regexp="PostgreSQL query failed"/> -->
 30 |         <!-- <error regexp="org\.postgresql\.jdbc"/> -->
 31 |         <error regexp="Pdo[./_\\]Pgsql"/>
 32 |         <!-- <error regexp="PSQLException"/> -->
 33 |     </dbms>
 34 | 
 35 |     <!-- Microsoft SQL Server -->
 36 |     <dbms value="Microsoft SQL Server">
 37 |         <error regexp="Driver.*? SQL[\-\_\ ]*Server"/>
 38 |         <!-- <error regexp="OLE DB.*? SQL Server"/> -->
 39 |         <!-- <error regexp="\bSQL Server[^&#38;lt;&#38;quot;]+Driver"/> -->
 40 |         <!-- <error regexp="Warning.*?\W(mssql|sqlsrv)_"/> -->
 41 |         <!-- <error regexp="\bSQL Server[^&#38;lt;&#38;quot;]+[0&#45;9a&#45;fA&#45;F]{8}"/> -->
 42 |         <!-- <error regexp="System\.Data\.SqlClient\.SqlException"/> -->
 43 |         <error regexp="(?s)Exception.*?\bRoadhouse\.Cms\."/>
 44 |         <!-- <error regexp="Microsoft SQL Native Client error '[0&#45;9a&#45;fA&#45;F]{8}"/> -->
 45 |         <error regexp="\[SQL Server\]"/>
 46 |         <!-- <error regexp="ODBC SQL Server Driver"/> -->
 47 |         <!-- <error regexp="ODBC Driver \d+ for SQL Server"/> -->
 48 |         <!-- <error regexp="SQLServer JDBC Driver"/> -->
 49 |         <!-- <error regexp="com\.jnetdirect\.jsql"/> -->
 50 |         <!-- <error regexp="macromedia\.jdbc\.sqlserver"/> -->
 51 |         <!-- <error regexp="Zend_Db_(Adapter|Statement)_Sqlsrv_Exception"/> -->
 52 |         <!-- <error regexp="com\.microsoft\.sqlserver\.jdbc"/> -->
 53 |         <error regexp="Pdo[./_\\](Mssql|SqlSrv)"/>
 54 |         <!-- <error regexp="SQL(Srv|Server)Exception"/> -->
 55 |     </dbms>
 56 | 
 57 |     <!-- Microsoft Access -->
 58 |     <dbms value="Microsoft Access">
 59 |         <!-- <error regexp="Microsoft Access (\d+ )?Driver"/> -->
 60 |         <!-- <error regexp="JET Database Engine"/> -->
 61 |         <!-- <error regexp="Access Database Engine"/> -->
 62 |         <!-- <error regexp="ODBC Microsoft Access"/> -->
 63 |         <!-- <error regexp="Syntax error \(missing operator\) in query expression"/> -->
 64 |     </dbms>
 65 | 
 66 |     <!-- Oracle -->
 67 |     <dbms value="Oracle">
 68 |         <!-- <error regexp="\bORA&#45;\d{5}"/> -->
 69 |         <!-- <error regexp="Oracle error"/> -->
 70 |         <!-- <error regexp="Oracle.*?Driver"/> -->
 71 |         <error regexp="Warning.*?\W(oci|ora)_"/>
 72 |         <!-- <error regexp="quoted string not properly terminated"/> -->
 73 |         <!-- <error regexp="SQL command not properly ended"/> -->
 74 |         <!-- <error regexp="macromedia\.jdbc\.oracle"/> -->
 75 |         <!-- <error regexp="oracle\.jdbc"/> -->
 76 |         <!-- <error regexp="Zend_Db_(Adapter|Statement)_Oracle_Exception"/> -->
 77 |         <error regexp="Pdo[./_\\](Oracle|OCI)"/>
 78 |         <!-- <error regexp="OracleException"/> -->
 79 |     </dbms>
 80 | 
 81 |     <!-- IBM DB2 -->
 82 |     <dbms value="IBM DB2">
 83 |         <error regexp="CLI Driver.*?DB2"/>
 84 |         <!-- <error regexp="DB2 SQL error"/> -->
 85 |         <error regexp="\bdb2_\w+\("/>
 86 |         <!-- <error regexp="SQLSTATE.+SQLCODE"/> -->
 87 |         <error regexp="com\.ibm\.db2\.jcc"/>
 88 |         <!-- <error regexp="Zend_Db_(Adapter|Statement)_Db2_Exception"/> -->
 89 |         <error regexp="Pdo[./_\\]Ibm"/>
 90 |         <error regexp="DB2Exception"/>
 91 |     </dbms>
 92 | 
 93 |     <!-- Informix -->
 94 |     <dbms value="Informix">
 95 |         <error regexp="Warning.*?\Wifx_"/>
 96 |         <!-- <error regexp="Exception.*?Informix"/> -->
 97 |         <!-- <error regexp="Informix ODBC Driver"/> -->
 98 |         <!-- <error regexp="ODBC Informix driver"/> -->
 99 |         <!-- <error regexp="com\.informix\.jdbc"/> -->
100 |         <!-- <error regexp="weblogic\.jdbc\.informix"/> -->
101 |         <!-- <error regexp="Pdo[./_\\]Informix"/> -->
102 |         <error regexp="IfxException"/>
103 |     </dbms>
104 | 
105 |     <!-- Interbase/Firebird -->
106 |     <dbms value="Firebird">
107 |         <!-- <error regexp="Dynamic SQL Error"/> -->
108 |         <error regexp="Warning.*?\Wibase_"/>
109 |         <!-- <error regexp="org\.firebirdsql\.jdbc"/> -->
110 |         <error regexp="Pdo[./_\\]Firebird"/>
111 |     </dbms>
112 | 
113 |     <!-- SQLite -->
114 |     <dbms value="SQLite">
115 |         <error regexp="SQLite/JDBCDriver"/>
116 |         <error regexp="SQLite\.Exception"/>
117 |         <error regexp="(Microsoft|System)\.Data\.SQLite\.SQLiteException"/>
118 |         <!-- <error regexp="Warning.*?\W(sqlite_|SQLite3::)"/> -->
119 |         <error regexp="\[SQLITE_ERROR\]"/>
120 |         <!-- <error regexp="SQLite error \d+:"/> -->
121 |         <!-- <error regexp="sqlite3.OperationalError:"/> -->
122 |         <!-- <error regexp="SQLite3::SQLException"/> -->
123 |         <!-- <error regexp="org\.sqlite\.JDBC"/> -->
124 |         <error regexp="Pdo[./_\\]Sqlite"/>
125 |         <!-- <error regexp="SQLiteException"/> -->
126 |     </dbms>
127 | 
128 |     <!-- SAP MaxDB -->
129 |     <dbms value="SAP MaxDB">
130 |         <!-- <error regexp="SQL error.*?POS([0&#45;9]+)"/> -->
131 |         <error regexp="Warning.*?\Wmaxdb_"/>
132 |         <error regexp="DriverSapDB"/>
133 |         <!-- <error regexp="com\.sap\.dbtech\.jdbc"/> -->
134 |     </dbms>
135 | 
136 |     <!-- Sybase -->
137 |     <dbms value="Sybase">
138 |         <!-- <error regexp="Warning.*?\Wsybase_"/> -->
139 |         <!-- <error regexp="Sybase message"/> -->
140 |         <!-- <error regexp="Sybase.*?Server message"/> -->
141 |         <!-- <error regexp="SybSQLException"/> -->
142 |         <!-- <error regexp="Sybase\.Data\.AseClient"/> -->
143 |         <!-- <error regexp="com\.sybase\.jdbc"/> -->
144 |     </dbms>
145 | 
146 |     <!-- Ingres -->
147 |     <dbms value="Ingres">
148 |         <!-- <error regexp="Warning.*?\Wingres_"/> -->
149 |         <!-- <error regexp="Ingres SQLSTATE"/> -->
150 |         <!-- <error regexp="Ingres\W.*?Driver"/> -->
151 |         <!-- <error regexp="com\.ingres\.gcf\.jdbc"/> -->
152 |     </dbms>
153 | 
154 |     <!-- Frontbase -->
155 |     <dbms value="Frontbase">
156 |         <error regexp="Exception (condition )?\d+\. Transaction rollback"/>
157 |         <!-- <error regexp="com\.frontbase\.jdbc"/> -->
158 |     </dbms>
159 | 
160 |     <!-- HSQLDB -->
161 |     <dbms value="HSQLDB">
162 |         <error regexp="Unexpected end of command in statement \["/>
163 |         <error regexp="Unexpected token.*?in statement \["/>
164 |         <!-- <error regexp="org\.hsqldb\.jdbc"/> -->
165 |     </dbms>
166 | 
167 |     <!-- H2 -->
168 |     <dbms value="H2">
169 |         <!-- <error regexp="org\.h2\.jdbc"/> -->
170 |     </dbms>
171 | </root>
172 | 


--------------------------------------------------------------------------------
/passive/exPscan/zaproxy-pscanrules-application_errors.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" standalone="no"?>
  2 | <!-- 
  3 | File structured thanks to fuzzdb and other
  4 | Internet resources regarding application errors
  5 | Elaborated by yhawke 2013
  6 | -->
  7 | <Patterns>
  8 |   <!-- Microsoft SQL Server errors -->
  9 |   <!-- <Pattern type="string">Microsoft OLE DB Provider for ODBC Drivers</Pattern> -->
 10 |   <!-- <Pattern type="string">Microsoft OLE DB Provider for SQL Server</Pattern> -->
 11 |   <!-- <Pattern type="string">ODBC Microsoft Access Driver</Pattern> -->
 12 |   <!-- <Pattern type="string">ODBC SQL Server Driver</Pattern> -->
 13 |   <!-- <!&#45;&#45; mysql errors &#45;&#45;> -->
 14 |   <!-- <Pattern type="string">supplied argument is not a valid MySQL result</Pattern> -->
 15 |   <!-- <Pattern type="string">Invalid parameter type</Pattern> -->
 16 |   <!-- <Pattern type="string">You have an error in your SQL syntax</Pattern> -->
 17 |   <!-- <Pattern type="string">Incorrect column name</Pattern> -->
 18 |   <!-- <Pattern type="string">Can't find record in</Pattern> -->
 19 |   <!-- <Pattern type="string">Unknown table</Pattern> -->
 20 |   <!-- <Pattern type="string">Incorrect column specifier for column</Pattern> -->
 21 |   <!-- <Pattern type="string">Column count doesn't match value count at row</Pattern> -->
 22 |   <!-- <Pattern type="string">Unclosed quotation mark before the character string</Pattern> -->
 23 |   <!-- <Pattern type="string">java.lang.NumberFormatException: For input string:</Pattern> -->
 24 |   <!-- <Pattern type="string">): encountered SQLException [</Pattern> -->
 25 |   <!-- <Pattern type="string">Unexpected end of command in statement [</Pattern> -->
 26 |   <!-- <Pattern type="string">Invalid SQL:</Pattern> -->
 27 |   <!-- <Pattern type="string">ERROR: parser: parse error at or near</Pattern> -->
 28 |   <!-- <Pattern type="string">[ODBC Informix driver][Informix]</Pattern> -->
 29 |   <!-- <Pattern type="string">[Microsoft][ODBC Microsoft Access 97 Driver]</Pattern> -->
 30 |   <!-- <Pattern type="string">[SQL Server Driver][SQL Server]Line 1: Incorrect syntax near</Pattern> -->
 31 |   <!-- <Pattern type="string">SQL command not properly ended</Pattern> -->
 32 |   <!-- <Pattern type="string">unexpected end of SQL command</Pattern> -->
 33 |   <!-- <Pattern type="string">Supplied argument is not a valid PostgreSQL result</Pattern> -->
 34 |   <!-- <Pattern type="string">internal error [IBM][CLI Driver][DB2/6000]</Pattern> -->
 35 |   <!-- <Pattern type="string">Error Occurred While Processing Request</Pattern> -->
 36 |   <!-- <Pattern type="string">internal error</Pattern> -->
 37 |   <!-- <Pattern type="string">A syntax error has occurred</Pattern> -->
 38 |   <!-- <Pattern type="string">ADODB.Field error</Pattern> -->
 39 |   <!-- <Pattern type="string">ASP.NET is configured to show verbose error messages</Pattern> -->
 40 |   <!-- <Pattern type="string">ASP.NET_SessionId</Pattern> -->
 41 |   <!-- <Pattern type="string">Active Server Pages error</Pattern> -->
 42 |   <!-- <Pattern type="string">An illegal character has been found in the statement</Pattern> -->
 43 |   <!-- <Pattern type="string">An unexpected token "END&#45;OF&#45;STATEMENT" was found</Pattern> -->
 44 |   <!-- <Pattern type="string">Can't connect to local</Pattern> -->
 45 |   <!-- <Pattern type="string">Custom Error Message</Pattern> -->
 46 |   <!-- <Pattern type="string">DB2 Driver</Pattern> -->
 47 |   <!-- <Pattern type="string">DB2 Error</Pattern> -->
 48 |   <!-- <Pattern type="string">DB2 ODBC</Pattern> -->
 49 |   <!-- <Pattern type="string">Disallowed Parent Path</Pattern> -->
 50 |   <!-- <Pattern type="string">Error Diagnostic Information</Pattern> -->
 51 |   <!-- <Pattern type="string">Error Message : Error loading required libraries.</Pattern> -->
 52 |   <!-- <Pattern type="string">Error Report</Pattern> -->
 53 |   <!-- <Pattern type="string">Error converting data type varchar to numeric</Pattern> -->
 54 |   <!-- <Pattern type="string">Internal Server Error</Pattern> -->
 55 |   <!-- <Pattern type="string">Invalid Path Character</Pattern> -->
 56 |   <!-- <Pattern type="string">Invalid procedure call or argument</Pattern> -->
 57 |   <!-- <Pattern type="string">Invision Power Board Database Error</Pattern> -->
 58 |   <!-- <Pattern type="string">JDBC Driver</Pattern> -->
 59 |   <!-- <Pattern type="string">JDBC Error</Pattern> -->
 60 |   <!-- <Pattern type="string">JDBC MySQL</Pattern> -->
 61 |   <!-- <Pattern type="string">JDBC Oracle</Pattern> -->
 62 |   <!-- <Pattern type="string">JDBC SQL</Pattern> -->
 63 |   <!-- <Pattern type="string">Microsoft VBScript compilation error</Pattern> -->
 64 |   <!-- <Pattern type="string">Microsoft VBScript error</Pattern> -->
 65 |   <!-- <Pattern type="string">MySQL Driver</Pattern> -->
 66 |   <!-- <Pattern type="string">MySQL Error</Pattern> -->
 67 |   <!-- <Pattern type="string">MySQL ODBC</Pattern> -->
 68 |   <!-- <Pattern type="string">ODBC DB2</Pattern> -->
 69 |   <!-- <Pattern type="string">ODBC Driver</Pattern> -->
 70 |   <!-- <Pattern type="string">ODBC Error</Pattern> -->
 71 |   <!-- <Pattern type="string">ODBC Oracle</Pattern> -->
 72 |   <!-- <Pattern type="string">OLE/DB provider returned message</Pattern> -->
 73 |   <!-- <Pattern type="string">Oracle DB2</Pattern> -->
 74 |   <!-- <Pattern type="string">Oracle Driver</Pattern> -->
 75 |   <!-- <Pattern type="string">Oracle Error</Pattern> -->
 76 |   <!-- <Pattern type="string">Oracle ODBC</Pattern> -->
 77 |   <!-- <Pattern type="string">PHP Error</Pattern> -->
 78 |   <!-- <Pattern type="string">PHP Parse error</Pattern> -->
 79 |   <!-- <Pattern type="string">PHP Warning</Pattern> -->
 80 |   <!-- <Pattern type="string">Parent Directory</Pattern> -->
 81 |   <!-- <Pattern type="string">Permission denied: 'GetObject'</Pattern> -->
 82 |   <!-- <Pattern type="string">PostgreSQL query failed: ERROR: parser: parse error</Pattern> -->
 83 |   <!-- <Pattern type="string">The script whose uid is</Pattern> -->
 84 |   <!-- <Pattern type="string">Type mismatch</Pattern> -->
 85 |   <!-- <Pattern type="string">Unable to jump to row</Pattern> -->
 86 |   <!-- <Pattern type="string">Unterminated string constant</Pattern> -->
 87 |   <!-- <Pattern type="string">Warning: Cannot modify header information &#45; headers already sent</Pattern> -->
 88 |   <!-- <Pattern type="string">Warning: Supplied argument is not a valid File&#45;Handle resource in</Pattern> -->
 89 |   <!-- <Pattern type="string">Warning: mysql_query()</Pattern> -->
 90 |   <!-- <Pattern type="string">Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL</Pattern> -->
 91 |   <!-- <Pattern type="string">data source=</Pattern> -->
 92 |   <!-- <Pattern type="string">invalid query</Pattern> -->
 93 |   <!-- <Pattern type="string">is not allowed to access</Pattern> -->
 94 |   <!-- <Pattern type="string">mySQL error with query</Pattern> -->
 95 |   <!-- <Pattern type="string">on MySQL result index</Pattern> -->
 96 |   <!-- <Pattern type="string">server object error</Pattern> -->
 97 | <!--   <Pattern type="regex">(?i)Line\s\d+:\sIncorrect\ssyntax\snear\s'[^']*'</Pattern> -->
 98 | <!--   <Pattern type="regex">(?i)pg_query\(\)[:]*\squery\sfailed:\serror:\s</Pattern> -->
 99 | <!--   <Pattern type="regex">(?i)'[^']*'\sis\snull\sor\snot\san\sobject</Pattern> -->
100 | <!--   <Pattern type="regex">(?i)ORA\&#45;\d{4,5}:\s</Pattern> -->
101 | <!--   <Pattern type="regex">(?i)Microsoft\sJET\sDatabase\sEngine\s\([^\)]*\)&#38;lt;br&#38;gt;Syntax\serror(.*)\sin\squery\sexpression\s'.*\.&#38;lt;br&#38;gt;&#38;lt;b&#38;gt;.*,\sline\s\d+&#38;lt;/b&#38;gt;&#38;lt;br&#38;gt;</Pattern> -->
102 | <!--   <Pattern type="regex">(?i)&#38;lt;h2&#38;gt;\s&#38;lt;i&#38;gt;Syntax\serror\s(\([^\)]*\))?(in\sstring)?\sin\squery\sexpression\s'[^\.]*\.&#38;lt;/i&#38;gt;\s&#38;lt;/h2&#38;gt;&#38;lt;/span&#38;gt;</Pattern> -->
103 | <!--   <Pattern type="regex">(?i)&#38;lt;font\sface=\"Arial\"\ssize=2&#38;gt;Syntax\serror\s(.*)?in\squery\sexpression\s'(.*)\.&#38;lt;/font&#38;gt;</Pattern> -->
104 | <!--   <Pattern type="regex">(?i)&#38;lt;b&#38;gt;Warning&#38;lt;/b&#38;gt;:\s\spg_exec\(\)\s\[\&#38;lt;a\shref='function.pg\&#45;exec\'\&#38;gt;function\.pg&#45;exec\&#38;lt;/a&#38;gt;\]\:\sQuery failed:\sERROR:\s\ssyntax error at or near \&#38;amp;quot\;\\\&#38;amp;quot; at character \d+ in\s&#38;lt;b&#38;gt;.*&#38;lt;/b&#38;gt;</Pattern> -->
105 | <!--   <Pattern type="regex">(?i)System\.Data\.OleDb\.OleDbException\:\sSyntax\serror\s\([^)]*?\)\sin\squery\sexpression\s.*</Pattern> -->
106 | <!--   <Pattern type="regex">(?i)System\.Data\.OleDb\.OleDbException\:\sSyntax\serror\sin\sstring\sin\squery\sexpression\s</Pattern> -->
107 | <!--   <Pattern type="regex">&#38;lt;font style="COLOR: black; FONT: 8pt/11pt verdana"&#38;gt;\s+(\[Macromedia\]\[SQLServer\sJDBC\sDriver\]\[SQLServer\]|Syntax\serror\sin\sstring\sin\squery\sexpression\s)</Pattern> -->
108 | <!--   <Pattern type="regex">(?i)The Error Occurred in &#38;lt;b&#38;gt;(.*): line.*&#38;lt;\/b&#38;gt;&#38;lt;br&#38;gt;</Pattern> -->
109 | <!--   <Pattern type="regex">(?i)The error occurred while processing.*Template: (.*) &#38;lt;br&#38;gt;.</Pattern> -->
110 | <!--   <Pattern type="regex">(?i)The error occurred while processing.*in the template file (.*)\.&#38;lt;\/p&#38;gt;&#38;lt;br&#38;gt;</Pattern> -->
111 | <!--   <Pattern type="regex">(?i)&#38;lt;span&#38;gt;&#38;lt;H1&#38;gt;Server\sError\sin\s'[^']*'\sApplication\.&#38;lt;hr\swidth=100%\ssize=1\scolor=silver&#38;gt;&#38;lt;/H1&#38;gt;</Pattern> -->
112 | <!--   <Pattern type="regex">(?i)&#38;lt;title&#38;gt;Invalid\sfile\sname\sfor\smonitoring:\s'([^']*)'\.\sFile\snames\sfor\smonitoring\smust\shave\sabsolute\spaths\,\sand\sno\swildcards\.&#38;lt;/title&#38;gt;</Pattern> -->
113 | <!--   <Pattern type="regex">(?i)&#38;lt;b&#38;gt;(Warning|Fatal\serror|Parse\serror)&#38;lt;/b&#38;gt;:\s+.*?\sin\s&#38;lt;b&#38;gt;.*?&#38;lt;/b&#38;gt;\son\sline\s&#38;lt;b&#38;gt;\d*?&#38;lt;/b&#38;gt;&#38;lt;br\s/&#38;gt;</Pattern> -->
114 | <!--   <Pattern type="regex">(?:Unknown database '.*?')|(?:No database selected)|(?:Table '.*?' doesn't exist)|(?:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.*?' at line .*?)</Pattern> -->
115 | <!--   <Pattern type="regex">Exception report.*message.*description.*exception.*note.*</Pattern> -->
116 | <!--   <Pattern type="regex">(?i)&#38;lt;head&#38;gt;&#38;lt;title&#38;gt;JRun Servlet Error&#38;lt;/title&#38;gt;&#38;lt;/head&#38;gt;</Pattern> -->
117 | <!--   <Pattern type="regex">(?i)&#38;lt;h1&#38;gt;Servlet\sError:\s\w+?&#38;lt;/h1&#38;gt;</Pattern> -->
118 | <!--   <Pattern type="regex">(?i)Servlet\sError&#38;lt;/title&#38;gt;</Pattern> -->
119 | <!-- </Patterns> -->
120 | <!--  -->
121 | 


--------------------------------------------------------------------------------
/passive/exPscan/zaproxy-pscanrulesAlpha-SourceCodeDisclosureScanner.java:
--------------------------------------------------------------------------------
  1 | // #<{(|
  2 | //  * Zed Attack Proxy (ZAP) and its related class files.
  3 | //  *
  4 | //  * ZAP is an HTTP/HTTPS proxy for assessing web application security.
  5 | //  *
  6 | //  * Copyright 2012 The ZAP development team
  7 | //  *
  8 | //  * Licensed under the Apache License, Version 2.0 (the "License");
  9 | //  * you may not use this file except in compliance with the License.
 10 | //  * You may obtain a copy of the License at
 11 | //  *
 12 | //  *   http://www.apache.org/licenses/LICENSE-2.0
 13 | //  *
 14 | //  * Unless required by applicable law or agreed to in writing, software
 15 | //  * distributed under the License is distributed on an "AS IS" BASIS,
 16 | //  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 17 | //  * See the License for the specific language governing permissions and
 18 | //  * limitations under the License.
 19 | //  |)}>#
 20 | // package org.zaproxy.zap.extension.pscanrulesAlpha;
 21 | //
 22 | // import java.util.Iterator;
 23 | // import java.util.LinkedHashMap;
 24 | // import java.util.Map;
 25 | // import java.util.regex.Matcher;
 26 | // import java.util.regex.Pattern;
 27 | //
 28 | // import net.htmlparser.jericho.Source;
 29 | //
 30 | // import org.apache.log4j.Logger;
 31 | // import org.parosproxy.paros.Constant;
 32 | // import org.parosproxy.paros.core.scanner.Alert;
 33 | // import org.parosproxy.paros.network.HttpMessage;
 34 | // import org.zaproxy.zap.extension.pscan.PassiveScanThread;
 35 | // import org.zaproxy.zap.extension.pscan.PluginPassiveScanner;
 36 | //
 37 | //
 38 | // #<{(|*
 39 | //  * A class to passively scan response for application Source Code, using source code signatures
 40 | //  * @author 70pointer@gmail.com
 41 | //  *
 42 | //  |)}>#
 43 | // public class SourceCodeDisclosureScanner extends PluginPassiveScanner {
 44 | //
 45 | // 	private PassiveScanThread parent = null;
 46 | // 	
 47 | // 	private static final Logger log = Logger.getLogger(SourceCodeDisclosureScanner.class);
 48 | // 	
 49 | // 	#<{(|*
 50 | // 	 * a consistently ordered map of: a regular expression pattern to the Programming language (string) to which the pattern most likely corresponds
 51 | // 	 |)}>#
 52 | // 	static Map <Pattern, String> languagePatterns = new LinkedHashMap <Pattern, String> ();
 53 | // 	
 54 | // 	static {
 55 | // 		//PHP
 56 | // 		languagePatterns.put(Pattern.compile("<\\?php\\s*.+?;\\s*\\?>", Pattern.MULTILINE | Pattern.DOTALL), "PHP");  //PHP standard tags
 57 | // 		languagePatterns.put(Pattern.compile("<\\?=\\s*.+?\\s*\\?>", Pattern.MULTILINE | Pattern.DOTALL), "PHP");  //PHP "echo short tag"
 58 | // 		//languagePatterns.put(Pattern.compile("<\\?\\s*.+?\\s*\\?>", Pattern.MULTILINE | Pattern.DOTALL), "PHP");  //PHP "short tag", need short_open_tag enabled in php.ini - raises false positives with XML tags..		
 59 | // 		//languagePatterns.put(Pattern.compile("phpinfo\\s*\\(\\s*\\)"), "PHP");  //features in "/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000", which is not a Source Code Disclosure issue.  
 60 | // 		languagePatterns.put(Pattern.compile("\\$_POST\\s*\\["), "PHP");
 61 | // 		languagePatterns.put(Pattern.compile("\\$_GET\\s*\\["), "PHP");
 62 | // 		languagePatterns.put(Pattern.compile("<\\?php\\s*.+?;", Pattern.MULTILINE | Pattern.DOTALL), "PHP");  //PHP standard tags, without a closing tag (yes, it's apparently valid, and ZAP uses it!!)
 63 | 		
 64 | 		//JSP (Java based)
 65 | 		// languagePatterns.put(Pattern.compile("<%@\\s*page\\s+.+?%>", Pattern.MULTILINE | Pattern.DOTALL), "JSP");
 66 | 		// languagePatterns.put(Pattern.compile("<%@\\s*include.+?%>", Pattern.MULTILINE | Pattern.DOTALL), "JSP");
 67 | 		// languagePatterns.put(Pattern.compile("<%@\\s*taglib.+?%>", Pattern.MULTILINE | Pattern.DOTALL), "JSP");
 68 | 		// languagePatterns.put(Pattern.compile("<jsp:directive\\.page.+?>", Pattern.MULTILINE | Pattern.DOTALL), "JSP");
 69 | 		// languagePatterns.put(Pattern.compile("<jsp:directive\\.include.+?>", Pattern.MULTILINE | Pattern.DOTALL), "JSP");
 70 | 		// languagePatterns.put(Pattern.compile("<jsp:directive\\.taglib.+?>", Pattern.MULTILINE | Pattern.DOTALL), "JSP");
 71 | 		
 72 | 		//Servlet (Java based)
 73 | 		// languagePatterns.put(Pattern.compile("import\\s+javax\\.servlet\\.http\\.HttpServlet\\s*;"), "Servlet");
 74 | 		// languagePatterns.put(Pattern.compile("import\\s+javax\\.servlet\\.http\\.\\*\\s*;"), "Servlet");
 75 | 		// languagePatterns.put(Pattern.compile("@WebServlet\\s*\\(\\s*\"/[a-z0-9]+\"\\s*\\)", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE), "Servlet");
 76 | 		// languagePatterns.put(Pattern.compile("public\\s+class\\s+[a-z0-9]+\\s+extends\\s+(javax\\.servlet\\.http\\.)?HttpServlet", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE), "Servlet");
 77 | 		// languagePatterns.put(Pattern.compile("public\\s+void\\s+doGet\\s*\\(\\s*HttpServletRequest\\s+[a-z0-9]+\\s*,\\s*HttpServletResponse\\s+[a-z0-9]+\\s*\\)", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE), "Servlet");
 78 | 		// languagePatterns.put(Pattern.compile("public\\s+void\\s+doPost\\s*\\(\\s*HttpServletRequest\\s+[a-z0-9]+\\s*,\\s*HttpServletResponse\\s+[a-z0-9]+\\s*\\)", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE), "Servlet");
 79 | 		//
 80 | 		// //Java
 81 | 		// languagePatterns.put(Pattern.compile("^package\\s+[a-z0-9.]+;", Pattern.CASE_INSENSITIVE), "Java");
 82 | 		// languagePatterns.put(Pattern.compile("^import\\s+[a-z0-9.]+;", Pattern.CASE_INSENSITIVE), "Java");
 83 | 		// languagePatterns.put(Pattern.compile("class\\s+[a-z0-9]+\\s*\\{.+\\}", Pattern.MULTILINE | Pattern.DOTALL ), "Java");
 84 | 		// languagePatterns.put(Pattern.compile("public\\s+static\\s+void\\s+main\\s*\\(\\s*String\\s+[a-z0-9]+\\s*\\[\\s*\\]\\s*\\)\\s*\\{", Pattern.MULTILINE | Pattern.DOTALL), "Java");
 85 | 		// languagePatterns.put(Pattern.compile("public\\s+static\\s+void\\s+main\\s*\\(\\s*String\\s*\\[\\s*\\]\\s*[a-z0-9]+\\s*\\)\\s*\\{", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE), "Java");
 86 | 
 87 | 		//ASP
 88 | 		// languagePatterns.put(Pattern.compile("On\\s+Error\\s+Resume\\s+Next", Pattern.CASE_INSENSITIVE), "ASP");
 89 | 		// languagePatterns.put(Pattern.compile("Server.CreateObject\\s*\\(\\s*\"[a-z0-9.]+\"\\s*\\)", Pattern.CASE_INSENSITIVE), "ASP");
 90 | 		// languagePatterns.put(Pattern.compile("Request.QueryString\\s*\\(\\s*\"[a-z0-9]+\"\\s*\\)", Pattern.CASE_INSENSITIVE), "ASP");
 91 | 		// languagePatterns.put(Pattern.compile("If\\s*\\(\\s*Err.Number\\s*.+\\)\\s*Then", Pattern.CASE_INSENSITIVE), "ASP");
 92 | 		// languagePatterns.put(Pattern.compile("<%@\\s+LANGUAGE\\s*=\\s*\"VBSCRIPT\"\\s*%>", Pattern.CASE_INSENSITIVE), "ASP");
 93 | 		
 94 | 		//ASP.NET
 95 | 		// languagePatterns.put(Pattern.compile("<%@\\s+Page.*?%>", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
 96 | 		// languagePatterns.put(Pattern.compile("<script\\s+runat\\s*=\\s*\"", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
 97 | 		// languagePatterns.put(Pattern.compile("<%Assembly.+?%>", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
 98 | 		// languagePatterns.put(Pattern.compile("<%Control.+?%>", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
 99 | 		// languagePatterns.put(Pattern.compile("<%Implements.+?%>", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
100 | 		// languagePatterns.put(Pattern.compile("<%MasterType.+?%>", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
101 | 		// languagePatterns.put(Pattern.compile("<%Master.+?%>", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");		
102 | 		// languagePatterns.put(Pattern.compile("<%Page.+?%>", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
103 | 		// languagePatterns.put(Pattern.compile("<%OutputCache.+?%>", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
104 | 		// languagePatterns.put(Pattern.compile("<%PreviousPageType.+?%>", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
105 | 		// languagePatterns.put(Pattern.compile("<%Reference.+?%>", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
106 | 		// languagePatterns.put(Pattern.compile("<%Register.+?%>", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
107 | 		// languagePatterns.put(Pattern.compile("@RenderPage\\s*\\(\\s*\".*?\"\\)", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
108 | 		// languagePatterns.put(Pattern.compile("@RenderBody\\s*\\(\\s*\\)", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
109 | 		// languagePatterns.put(Pattern.compile("@RenderSection\\s*\\(\\s*\".+?\"\\s*\\)", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
110 | 		//languagePatterns.put(Pattern.compile("@\\{[\\u0000-\\u007F]{5,}?\\}", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");  //Too many false positives
111 | 		//languagePatterns.put(Pattern.compile("@if\\s*\\(.+?\\)\\s*\\{", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");        //false positives with IE conditional compilation directives in JavaScript
112 | 		languagePatterns.put(Pattern.compile("Request\\s*\\[\".+?\"\\]", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
113 | 		// languagePatterns.put(Pattern.compile("@foreach\\s*", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
114 | 		languagePatterns.put(Pattern.compile("Database.Open\\s*\\(\\s*\"", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
115 | 		languagePatterns.put(Pattern.compile("db.Query\\s*\\(\\s*\"", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");		
116 | 		// languagePatterns.put(Pattern.compile("@switch\\s*\\(.+?\\)\\s*\\{", Pattern.MULTILINE | Pattern.DOTALL), "ASP.NET");
117 | 		// languagePatterns.put(Pattern.compile("^\\s*<asp:Menu"), "ASP.NET");
118 | 		// languagePatterns.put(Pattern.compile("^\\s*<asp:TreeView"), "ASP.NET");
119 | 		// languagePatterns.put(Pattern.compile("^\\s*<asp:SiteMapPath"), "ASP.NET");
120 | 		
121 | 		//C#
122 | 		// languagePatterns.put(Pattern.compile("^<%@\\s+Page\\s+Language\\s*=\\s*\"C#\""), "C#");
123 | 		languagePatterns.put(Pattern.compile("^using\\s+System\\s*;"), "C#");
124 | 		languagePatterns.put(Pattern.compile("^namespace\\s+[a-z.]+\\s*\\{", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "C#");
125 | 		// languagePatterns.put(Pattern.compile("^static\\s+void\\s+Main\\s*\\(\\s*string\\s*\\[\\s*\\]\\s*[a-z0-9]+\\s*\\)", Pattern.MULTILINE ), "C#");
126 | 		//generates false positives for JavaScript code, which also uses "var" to declare variables. 
127 | 		//languagePatterns.put(Pattern.compile("var\\s+[a-z]+?\\s*=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL), "C#");
128 | 		languagePatterns.put(Pattern.compile("@for\\s*\\(\\s*var\\s+", Pattern.MULTILINE | Pattern.DOTALL), "C#");
129 | 		// languagePatterns.put(Pattern.compile("@foreach\\s*\\(\\s*var\\s+", Pattern.MULTILINE | Pattern.DOTALL), "C#");
130 | 		
131 | 		//VB.NET
132 | 		languagePatterns.put(Pattern.compile("^Imports\\s+System[a-zA-Z0-9.]*\\s*$"), "VB.NET");
133 | 		languagePatterns.put(Pattern.compile("^dim\\s+[a-z0-9]+\\s*=", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "VB.NET");
134 | 		languagePatterns.put(Pattern.compile("@for\\s+[a-z0-9]+\\s*=\\s*[0-9]+\\s+to\\s+[0-9]+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "VB.NET");
135 | 		languagePatterns.put(Pattern.compile("@for\\s+each\\s+[a-z0-9]+\\s+in\\s+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "VB.NET");
136 | 		// languagePatterns.put(Pattern.compile("@Select\\s+Case", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "VB.NET");
137 | 		//languagePatterns.put(Pattern.compile("end\\s+select", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "VB.NET");  //False positives. Insufficiently anchored.
138 | 		
139 | 		//SQL (ie, generic Structured Query Language, not "Microsoft SQL Server", which some incorrectly refer to as just "SQL")  
140 | 		//languagePatterns.put(Pattern.compile("select\\s+[a-z0-9., \"\'()*]+\\s+from\\s+[a-z0-9., ]+\\s+where\\s+", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE), "SQL");
141 | 		languagePatterns.put(Pattern.compile("select\\s+[a-z0-9., \"\'()*]+\\s+from\\s+[a-z0-9._, ]+", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE), "SQL");
142 | 		languagePatterns.put(Pattern.compile("select\\s+@@[a-z]+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
143 | 		languagePatterns.put(Pattern.compile("insert\\s+into\\s+[a-z0-9._]+\\s+values\\s*\\(", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
144 | 		languagePatterns.put(Pattern.compile("insert\\s+into\\s+[a-z0-9._]+\\s*\\([a-z0-9_, \\t]+\\)\\s+values\\s*\\(", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
145 | 		//languagePatterns.put(Pattern.compile("insert\\s+into\\s+[a-z0-9._]+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
146 | 		languagePatterns.put(Pattern.compile("insert\\s+[a-z0-9._]+\\s+\\(.+?\\)\\s+values\\s*\\(.+?\\)", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE), "SQL");
147 | 		languagePatterns.put(Pattern.compile("insert\\s+[a-z0-9._]+\\s+values\\s*\\(.+?\\)", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE), "SQL");
148 | 		languagePatterns.put(Pattern.compile("insert\\s+[a-z0-9._]+\\s+select\\s+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
149 | 		languagePatterns.put(Pattern.compile("update\\s+[a-z0-9._]+\\s+set\\s+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
150 | 		languagePatterns.put(Pattern.compile("update\\s+[a-z0-9._]+\\s+[a-z0-9_]+\\s+set\\s+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL"); //allow a table alias
151 | 		languagePatterns.put(Pattern.compile("delete\\s+from\\s+[a-z0-9._]+(\\s+where\\s+)?", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
152 | 		//causes false positives on normal JavaScript: delete B.fn;
153 | 		//languagePatterns.put(Pattern.compile("delete\\s+[a-z0-9._]+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
154 | 		languagePatterns.put(Pattern.compile("truncate\\s+table\\s+[a-z0-9._]+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
155 | 		// languagePatterns.put(Pattern.compile("create\\s+database\\s+[a-z0-9._]+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
156 | 		// languagePatterns.put(Pattern.compile("create\\s+table\\s+[a-z0-9.]+\\s+\\(.+?\\)", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
157 | 		// languagePatterns.put(Pattern.compile("create\\s+table\\s+(if\\s+not\\s+exists\\s+)?[a-z0-9._]+\\s*\\([^)]+\\)", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
158 | 		// languagePatterns.put(Pattern.compile("create\\s+view\\s+[a-z0-9._]+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
159 | 		// languagePatterns.put(Pattern.compile("create\\s+index\\s+[a-z0-9._]+\\s+on\\s+[a-z0-9._]+\\s*\\(", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
160 | 		// languagePatterns.put(Pattern.compile("create\\s+procedure\\s+[a-z0-9._]+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
161 | 		// languagePatterns.put(Pattern.compile("create\\s+function\\s+[a-z0-9._]+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");		
162 | 		// languagePatterns.put(Pattern.compile("drop\\s+database\\s+[a-z0-9._]+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
163 | 		// languagePatterns.put(Pattern.compile("drop\\s+table\\s+[a-z0-9._]+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
164 | 		// languagePatterns.put(Pattern.compile("drop\\s+view\\s+[a-z0-9._]+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
165 | 		// languagePatterns.put(Pattern.compile("drop\\s+index\\s+[a-z0-9._]+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
166 | 		// languagePatterns.put(Pattern.compile("drop\\s+procedure\\s+[a-z0-9._]+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
167 | 		// languagePatterns.put(Pattern.compile("drop\\s+function\\s+[a-z0-9._]+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
168 | 		languagePatterns.put(Pattern.compile("grant\\s+[a-z]+\\s+on\\s+[a-z0-9._]+\\s+to\\s+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
169 | 		languagePatterns.put(Pattern.compile("revoke\\s+[a-z0-9 (),]+\\s+on\\s+", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "SQL");
170 | 				
171 | 		//Perl
172 | 		// languagePatterns.put(Pattern.compile("^#!/usr/bin/perl"), "Perl");
173 | 		languagePatterns.put(Pattern.compile("^use\\s+strict\\s*;\\s*$"), "Perl");
174 | 		languagePatterns.put(Pattern.compile("^use\\s+warnings\\s*;\\s*$"), "Perl");
175 | 		languagePatterns.put(Pattern.compile("^use\\s+[A-Za-z:]+\\s*;\\s*$"), "Perl");
176 | 		languagePatterns.put(Pattern.compile("foreach\\s+my\\s+\\$[a-z0-9]+\\s*\\(", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "Perl");
177 | 		//languagePatterns.put(Pattern.compile("next unless"), "Perl");
178 | 		languagePatterns.put(Pattern.compile("^\\s*my\\s+\\$[a-z0-9]+\\s*", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "Perl");
179 | 		languagePatterns.put(Pattern.compile("^\\s*my\\s+%[a-z0-9]+\\s*", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "Perl");
180 | 		languagePatterns.put(Pattern.compile("^\\s*my\\s+@[a-z0-9]+\\s*", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "Perl");		
181 | 		languagePatterns.put(Pattern.compile("@[a-z0-9]+\\s+[a-z0-9]+\\s*=\\s*\\(", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "Perl");		
182 | 		languagePatterns.put(Pattern.compile("\\$#[a-z0-9]{4,}", Pattern.CASE_INSENSITIVE), "Perl"); 
183 | 		languagePatterns.put(Pattern.compile("\\$[a-z0-9]+\\s*\\{'[a-z0-9]+'\\}\\s*=\\s*", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "Perl");
184 | 		languagePatterns.put(Pattern.compile("die\\s+\".*?\\$!.*?\""), "Perl");
185 | 		
186 | 		//Objective C (probably an iPhone app)
187 | 		languagePatterns.put(Pattern.compile("^#\\s+import\\s+<[a-zA-Z0-9/.]+>", Pattern.MULTILINE), "Objective C");
188 | 		languagePatterns.put(Pattern.compile("^#\\s+import\\s+\"[a-zA-Z0-9/.]+\"", Pattern.MULTILINE), "Objective C");
189 | 		//languagePatterns.put(Pattern.compile("^\\[+[a-zA-Z0-9 :]{5,}\\]", Pattern.MULTILINE), "Objective C");		//false positives for INI files. 
190 | 		// languagePatterns.put(Pattern.compile("@interface\\s*[a-zA-Z0-9]+\\s*:\\s*[a-zA-Z0-9]+\\s*\\{"), "Objective C");		
191 | 		//languagePatterns.put(Pattern.compile("\\+\\s*\\(\\s*[a-z]{5,}\\s*\\)"), "Objective C");
192 | 		//languagePatterns.put(Pattern.compile("\\-\\s*\\(\\s*[a-z]{5,}\\s*\\)"), "Objective C");
193 | 		// languagePatterns.put(Pattern.compile("@implementation\\s+[a-z]"), "Objective C");
194 | 		// languagePatterns.put(Pattern.compile("@interface\\s+[a-zA-Z0-9]+\\s*:\\s*[a-zA-Z0-9]+\\s*<[a-zA-Z0-9]+>"), "Objective C");
195 | 		// languagePatterns.put(Pattern.compile("@protocol\\s+[a-zA-Z0-9]+"), "Objective C");
196 | 		//languagePatterns.put(Pattern.compile("@public"), "Objective C");	//prone to false positives
197 | 		//languagePatterns.put(Pattern.compile("@private"), "Objective C"); //prone to false positives
198 | 		//languagePatterns.put(Pattern.compile("@property"), "Objective C");  //prone to false positives
199 | 		// languagePatterns.put(Pattern.compile("@end\\s*$"), "Objective C");  //anchor to $ to reduce false positives in C++ code comments.
200 | 		// languagePatterns.put(Pattern.compile("@synthesize"), "Objective C");
201 | 		
202 | 		//C
203 | 		//do not anchor the start pf the # lines with ^. This causes the match to fail. Why??
204 | 		// languagePatterns.put(Pattern.compile("#include\\s+<[a-zA-Z0-9/]+\\.h>"), "C");
205 | 		// languagePatterns.put(Pattern.compile("#include\\s+\"[a-zA-Z0-9/]+\\.h\""), "C");		
206 | 		// languagePatterns.put(Pattern.compile("#define\\s+.+?$"), "C");
207 | 		// languagePatterns.put(Pattern.compile("#ifndef\\s+.+?$"), "C");
208 | 		// languagePatterns.put(Pattern.compile("#endif\\s*$"), "C");
209 | 		languagePatterns.put(Pattern.compile("\\s*char\\s*\\*\\*\\s*[a-zA-Z0-9_]+\\s*;"), "C");
210 | 		
211 | 		//C++
212 | 		// languagePatterns.put(Pattern.compile("#include\\s+<iostream\\.h>"), "C++");
213 | 		languagePatterns.put(Pattern.compile("^[a-z0-9]+::[a-z0-9]+\\s*\\(\\s*\\).*?\\{.+?\\}", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE), "C++");  //constructor
214 | 		languagePatterns.put(Pattern.compile("(std::)?cout\\s*<<\\s*\".+?\"\\s*;"), "C++");				
215 | 
216 | 		// //Shell Script
217 | 		// languagePatterns.put(Pattern.compile("^#!/bin/[a-z]*sh"), "Shell Script");
218 | 		//
219 | 		// //Node.js
220 | 		// languagePatterns.put(Pattern.compile("^#!/usr/bin/env\\s+node"), "Node.js");
221 | 		//
222 | 		// //Python
223 | 		// languagePatterns.put(Pattern.compile("#!/usr/bin/python.*$"), "Python");
224 | 		// languagePatterns.put(Pattern.compile("#!/usr/bin/env\\s+python"), "Python");
225 | 		languagePatterns.put(Pattern.compile("^\\s*def\\s+[a-z0-9]+\\s*\\(\\s*[a-z0-9]+\\s*\\)\\s*:", Pattern.CASE_INSENSITIVE), "Python");
226 | 		languagePatterns.put(Pattern.compile("\\s*for\\s+[a-z0-9]+\\s+in\\s+[a-z0-9]+:", Pattern.CASE_INSENSITIVE), "Python");
227 | 		languagePatterns.put(Pattern.compile("^\\s*try\\s*:", Pattern.CASE_INSENSITIVE), "Python");
228 | 		languagePatterns.put(Pattern.compile("^\\s*except\\s*:", Pattern.CASE_INSENSITIVE), "Python");
229 | 		languagePatterns.put(Pattern.compile("^\\s*def\\s+main\\s*\\(\\s*\\)\\s*:", Pattern.CASE_INSENSITIVE), "Python");
230 | 
231 | 		//Ruby		
232 | 		languagePatterns.put(Pattern.compile("^\\s*require\\s+\".+?\"\\s*$", Pattern.CASE_INSENSITIVE), "Ruby");
233 | 		languagePatterns.put(Pattern.compile("^\\s*describe\\s+[a-z0-9:]+\\s+do", Pattern.CASE_INSENSITIVE), "Ruby");
234 | 		languagePatterns.put(Pattern.compile("^\\s*class\\s+[a-z0-9]+\\s+<\\s*[a-z0-9:]+", Pattern.CASE_INSENSITIVE), "Ruby");
235 | 		languagePatterns.put(Pattern.compile("^\\s*def\\s+[a-z0-9]+\\s*.+?^\\s*end\\s*$", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE), "Ruby");
236 | 		languagePatterns.put(Pattern.compile("@@active\\s*=\\s*", Pattern.CASE_INSENSITIVE), "Ruby");
237 | 		
238 | 		// //Cold Fusion
239 | 		// languagePatterns.put(Pattern.compile("<cfoutput"), "Cold Fusion");		
240 | 		// languagePatterns.put(Pattern.compile("<cfset"), "Cold Fusion");
241 | 		// languagePatterns.put(Pattern.compile("<cfexecute"), "Cold Fusion");
242 | 		// languagePatterns.put(Pattern.compile("<cfexit"), "Cold Fusion");
243 | 		// languagePatterns.put(Pattern.compile("<cfcomponent"), "Cold Fusion");
244 | 		// languagePatterns.put(Pattern.compile("<cffunction"), "Cold Fusion");
245 | 		// languagePatterns.put(Pattern.compile("<cfreturn"), "Cold Fusion");
246 | 		// languagePatterns.put(Pattern.compile("<cfargument"), "Cold Fusion");
247 | 		// languagePatterns.put(Pattern.compile("<cfscript"), "Cold Fusion");
248 | 		// languagePatterns.put(Pattern.compile("<cfloop"), "Cold Fusion");
249 | 		// languagePatterns.put(Pattern.compile("<cfquery"), "Cold Fusion");
250 | 		// languagePatterns.put(Pattern.compile("<cfqueryparam"), "Cold Fusion");
251 | 		// languagePatterns.put(Pattern.compile("<cfdump"), "Cold Fusion");
252 | 		// languagePatterns.put(Pattern.compile("<cfloop"), "Cold Fusion");
253 | 		// languagePatterns.put(Pattern.compile("<cfif"), "Cold Fusion");
254 | 		// languagePatterns.put(Pattern.compile("<cfelseif"), "Cold Fusion");
255 | 		// languagePatterns.put(Pattern.compile("<cfelse"), "Cold Fusion");
256 | 		languagePatterns.put(Pattern.compile("writeOutput\\s*\\("), "Cold Fusion");
257 | 		//languagePatterns.put(Pattern.compile("component\\s*\\{"), "Cold Fusion");  //cannot find original example, and too prone to false positives.		
258 | 		
259 | 		//Visual FoxPro / ActiveVFP
260 | 		// languagePatterns.put(Pattern.compile("oRequest\\.querystring\\s*\\(\\s*\"[a-z0-9]+\"\\s*\\)", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE),"ActiveVFP");
261 | 		languagePatterns.put(Pattern.compile("define\\s+class\\s+[a-z0-9]+\\s+as\\s+[a-z0-9]+", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE),"ActiveVFP");
262 | 		languagePatterns.put(Pattern.compile("for\\s+[a-z0-9]+\\s*=\\s*[0-9]+\\s+to\\s+[0-9]+.+?\\s+endfor", Pattern.CASE_INSENSITIVE),"ActiveVFP");
263 | 		languagePatterns.put(Pattern.compile("do\\s+while\\s+.+?\\s+enddo", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE),"ActiveVFP");
264 | 		languagePatterns.put(Pattern.compile("if\\s+.+?\\s+endif", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE),"ActiveVFP");
265 | 		languagePatterns.put(Pattern.compile("do\\s+case\\s+case\\s+.+?\\s+endcase", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE),"ActiveVFP");
266 | 		languagePatterns.put(Pattern.compile("for\\s+each\\s+.+?\\s+endfor", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE),"ActiveVFP");
267 | 		//languagePatterns.put(Pattern.compile("oRequest"),"ActiveVFP");  //prone to false positives  
268 | 		//languagePatterns.put(Pattern.compile("oResponse"),"ActiveVFP"); //prone to false positives
269 | 		//languagePatterns.put(Pattern.compile("oSession"),"ActiveVFP");  //prone to false positives
270 | 		
271 | 		//Pascal
272 | 		languagePatterns.put(Pattern.compile("^program\\s+[a-z0-9]+;.*?begin.+?end", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE), "Pascal");
273 | 		
274 | 		//Latex (yes, this is a programming language)
275 | 		languagePatterns.put(Pattern.compile("\\documentclass\\s*\\{[a-z]+\\}", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "Latex");
276 | 		languagePatterns.put(Pattern.compile("\\begin\\s*\\{[a-z]+\\}", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "Latex");
277 | 		languagePatterns.put(Pattern.compile("\\end\\s*\\{[a-z]+\\}", Pattern.MULTILINE | Pattern.CASE_INSENSITIVE), "Latex");		
278 | 		
279 | 		//Actionscript 3
280 | 		languagePatterns.put(Pattern.compile("package\\s+[a-z0-9.]+\\s*\\{(.*import\\s+[a-z0-9.]+\\s*;)?.+\\}", Pattern.MULTILINE | Pattern.DOTALL | Pattern.CASE_INSENSITIVE),"ActionScript 3.0");
281 | 		
282 | 		//TODO: consider sorting the patterns by decreasing pattern length, so more specific patterns are tried before more general patterns
283 | 	}
284 | 
285 | 	/**
286 | 	 * Prefix for internationalized messages used by this rule
287 | 	 */
288 | 	private static final String MESSAGE_PREFIX = "pscanalpha.sourcecodedisclosure.";
289 | 
290 | 	/**
291 | 	 * construct the class, and register for i18n
292 | 	 */
293 | 	/**
294 | 	 * gets the name of the scanner
295 | 	 * @return
296 | 	 */
297 | 	@Override
298 | 	public String getName() {
299 | 		return Constant.messages.getString(MESSAGE_PREFIX + "name");
300 | 	}
301 | 
302 | 	/**
303 | 	 * scans the HTTP request sent (in fact, does nothing)
304 | 	 * @param msg
305 | 	 * @param id
306 | 	 */
307 | 	@Override
308 | 	public void scanHttpRequestSend(HttpMessage msg, int id) {
309 | 		// do nothing
310 | 	}
311 | 
312 | 	/**
313 | 	 * scans the HTTP response for Source Code signatures
314 | 	 * @param msg
315 | 	 * @param id
316 | 	 * @param source unused
317 | 	 */
318 | 	@Override
319 | 	public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
320 | 		//get the body contents as a String, so we can match against it
321 | 		String responsebody = msg.getResponseBody().toString();
322 | 		
323 | 		//try each of the patterns in turn against the response.
324 | 		//we deliberately do not assume that only status 200 responses will contain source code.
325 | 		String evidence = null;
326 | 		String programminglanguage = null;
327 | 		Iterator<Pattern> patternIterator = languagePatterns.keySet().iterator();
328 | 		while (patternIterator.hasNext()) {
329 | 			Pattern languagePattern = patternIterator.next();
330 | 			programminglanguage = languagePatterns.get(languagePattern);
331 | 			Matcher matcher = languagePattern.matcher(responsebody);
332 | 	        if (matcher.find()) {	        	
333 | 	            evidence = matcher.group();
334 | 	            if (log.isDebugEnabled()) {
335 | 	        		log.debug("Passive Source Code Disclosure on pattern "+ languagePattern + ", evidence: "+ evidence);
336 | 	        	}
337 | 	            break;	//use the first match
338 | 	        }	    
339 | 		}
340 | 		if (evidence!=null && evidence.length() > 0) {
341 | 			//we found something			
342 | 			Alert alert = new Alert(getPluginId(), Alert.RISK_HIGH, Alert.CONFIDENCE_MEDIUM, getName() + " - "+ programminglanguage );		
343 | 			     
344 | 			alert.setDetail(
345 | 					getDescription() + " - "+ programminglanguage, 
346 | 					msg.getRequestHeader().getURI().toString(), 
347 | 					"", //param
348 | 					"", //attack 
349 | 					getExtraInfo(msg, evidence),  //other info
350 | 					getSolution(), 
351 | 					getReference(), 
352 | 					evidence,	
353 | 					540,	//Information Exposure Through Source Code
354 | 					13,		//WASC-13: Information Leakage
355 | 					msg);  
356 | 			parent.raiseAlert(id, alert);
357 | 		}
358 | 		
359 | 	}
360 | 
361 | 	/**
362 | 	 * sets the parent
363 | 	 * @param parent
364 | 	 */
365 | 	@Override
366 | 	public void setParent(PassiveScanThread parent) {
367 | 		this.parent = parent;
368 | 	}
369 | 
370 | 	/**
371 | 	 * get the id of the scanner
372 | 	 * @return
373 | 	 */
374 | 	@Override
375 | 	public int getPluginId() {
376 | 		return 10099;
377 | 	}
378 | 
379 | 	/**
380 | 	 * get the description of the alert
381 | 	 * @return
382 | 	 */
383 | 	private String getDescription() {
384 | 		return Constant.messages.getString(MESSAGE_PREFIX + "desc");
385 | 	}
386 | 
387 | 	/**
388 | 	 * get the solution for the alert
389 | 	 * @return
390 | 	 */
391 | 	private String getSolution() {
392 | 		return Constant.messages.getString(MESSAGE_PREFIX + "soln");
393 | 	}
394 | 
395 | 	/**
396 | 	 * gets references for the alert
397 | 	 * @return
398 | 	 */
399 | 	private String getReference() {
400 | 		return Constant.messages.getString(MESSAGE_PREFIX + "refs");
401 | 	}
402 | 
403 | 	/**
404 | 	 * gets extra information associated with the alert
405 | 	 * @param msg
406 | 	 * @param arg0
407 | 	 * @return
408 | 	 */
409 | 	private String getExtraInfo(HttpMessage msg, String arg0) {		
410 | 		return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", arg0);        
411 | 	}
412 | 
413 | }
414 | 
415 | 


--------------------------------------------------------------------------------