Merge pull request #102 from brumensywh/main

Added BCheck scripts (x5)

other/bypass/path-bypass.bcheck

@@ -0,0 +1,78 @@
+#Verified: Yes
+
+metadata:
+    language: v1-beta
+    name: "Path-bypass"
+    description: "Trying out techniques to bypass a restricted path discovered in the application. Except firewall 403 respones to avoid a lot of junk traffic."
+    tags: "active", "bypass", "path", "forbidden", "403"
+    author: "Brumens"
+
+define:
+    desc = "Possible that a bypass technique worked and that we accessed a restricted path in the application"
+    reme = "Manual testing is required to confirm the issue"
+    trackHeader = "X-BCheck"
+    trackValue = "path-bypass"
+
+run for each:
+    payload =
+        "/",
+        "//",
+        "/..;",
+        "/..",
+        "%2f..%2f",
+        "/notfound/%2f..%2f../",
+        "/;",
+        "/.",
+        "__EXT_PAYLOAD__.json",
+        "__EXT_PAYLOAD__.html",
+        "__FULL_URL__"
+
+given request then
+    #Check if we triggered a 403/401 path that isen't a response from a firewall (Akamai, CloudFlare, CloudFront and pattern detection)
+    if {latest.response.status_code} matches "40(3|1)" and not( ("What happened?" in {latest.response.body} and "security" in {latest.response.body}) or "Ray ID:" in {latest.response.body} or "CloudFront" in {latest.response.body} ) then
+
+        if {payload} is "/" then
+            send request:
+            method: "GET"
+            path: {latest.request.url.path}
+            replacing headers: `{trackHeader}`:`{trackValue}`
+
+        #Extension bypass technique:
+        else if "__EXT_PAYLOAD__" in {payload} then
+            #Check if the path end with a forward slash:
+            if {latest.request.url.path} matches "^.*\/$" then
+                send request:
+                    method: "GET"
+                    path: `{regex_replace({latest.response.url.path}, "\/$", {regex_replace({payload}, "__EXT_PAYLOAD__", "")})}`
+                    replacing headers: `{trackHeader}`:`{trackValue}`
+            else then
+                send request:
+                    method: "GET"
+                    path: `{latest.response.url.path}{regex_replace({payload}, "__EXT_PAYLOAD__", "")}`
+                    replacing headers: `{trackHeader}`:`{trackValue}`
+            end if
+
+        #Use full URL in path technique:
+        else if "__FULL_URL__" in {payload} then
+            send request:
+		method: "GET"
+		path: `{latest.request.url}`
+                replacing headers: `{trackHeader}`:`{trackValue}`
+
+        #Prefix payload bypass technique:
+        else then
+            send request:
+                method: "GET"
+                path: `{payload}{latest.response.url.path}`
+                replacing headers: `{trackHeader}`:`{trackValue}`
+        end if
+
+        #Check if any technique was capable of bypassing the restricted endpoint:
+        if not( {latest.response.status_code} matches "(40[0134]|503)" ) and not( {payload} is "/" ) then
+            report issue:
+            severity: high
+            confidence: tentative
+            detail: {desc}
+            remediation: {reme}
+        end if
+    end if

other/recon/backend-language.bcheck

@@ -0,0 +1,20 @@
+#Verified: Yes
+metadata:
+    language: v1-beta
+    name: "Backend-language"
+    description: "Passive scan for the programming language used by the backend"
+    author: "Brumens"
+    tags: "passive", "live", "backend", "recon", "info", "lang", "language"
+
+define:
+    desc = "The programming language of the application has been discovered"
+    #reme = ""
+
+given response then
+    if {latest.response} matches "href(| )=(| )[\"'](?!((http[s]?:)?\/\/))[^\"'\r\n]+\.(php|asp(|x)|jsp|cfm|java|rb|py|go|erlang)([?#;&][^\"'\r\n]+|)[\"']" then
+        report issue:
+            severity: info
+            confidence: firm
+            detail: {desc}
+            #remediation: {reme}
+    end if

other/recon/server-detect.bcheck

@@ -0,0 +1,48 @@
+#Verified: Yes
+
+metadata:
+    language: v1-beta
+    name: "server-detect"
+    description: "Identify the server/proxy running on the application"
+    tags: "passive", "recon", "discovery", "header", "headers", "technology", "backend", "server", "proxy"
+    author: "Brumens"
+
+define:
+    desc = "The service that the application uses was detected"
+    trackHeader = "X-BCheck"
+    trackValue = "server-detect"
+
+run for each:
+    payload =
+        "/",
+        "\"",
+        "badRequest",
+        "/NotFound"
+
+given request then
+    send request called check:
+        method: "GET"
+        path: {payload}
+        replacing headers: `{trackHeader}`:`{trackValue}`
+
+    #Check if the HTTP header "X-Powered-By" is included in the response:
+    if {latest.response.headers} matches "[Xx](-|_)[Pp]owered(-|_)[Bb]y:[^\n]+" then
+        report issue:
+            severity: info
+            confidence: firm
+            detail: `{desc} (HTTP X-Powered-By header)`
+
+    #Check if the HTTP header "Server"/"X-Server" is included in the response:
+    else if {latest.response.headers} matches "([Xx](-|_)|)[Ss]erver:[^\n]+" then
+        report issue:
+            severity: info
+            confidence: firm
+            detail: `{desc} (HTTP Server header)`
+
+    #Detect possible reverse proxy that is being used from a "bad response" page (400 status code)
+    else if {latest.response.status_code} is "400" and {latest.response.body} matches "center>[NnAa](ginx|pache)" then
+        report issue:
+            severity: info
+            confidence: firm
+            detail: `{desc} (detected from 400 status code response)`
+    end if

vulnerability-classes/injection/template-injection.bcheck

@@ -0,0 +1,48 @@
+#Verified: Yes
+
+metadata:
+    language: v1-beta
+    name: "Template-injection"
+    description: "Scan for template injection vulnerabilities with a small amount of payloads (also supports detection of basic blind-based template injection)"
+    author: "Brumens"
+    tags: "active", "injection", "template", "template injection", "scan"
+
+#Use prefixes and suffixes with unusual letter combinations for better accuracy
+#Note : (The variables 'sum' and 'calc' need to be synchronized.)
+define:
+    desc = "Possible blind template injection"
+    reme = "Manual investigation is advised."
+    prefix = {random_str(6)}
+    suffix = {random_str(6)}
+    calc = `8846*9231`
+    sum = `81657426`
+
+run for each:
+    payload =
+        "${__calc__}",
+        "${{__calc__}}",
+        "<%__calc__%>",
+        "<%=__calc__%>"
+
+given query or body insertion point then
+    send payload:
+        appending: `{prefix}{regex_replace({payload}, "__calc__", {calc})}{suffix}`
+
+    if not({prefix} in {base.response} and {suffix} in {base.response}) then
+        #Check for the result
+        if `{sum}` in {latest.response} then
+            report issue:
+                severity: high
+                confidence: firm
+                detail: `Appears to be vulnerable to a template injection vulnerability. When the {payload} payload was inserted into the insertion point. The calculation specified in the payload "{calc}" was calculated and the result "{sum}" was given.`
+                remediation: "Manual investigation is advised."
+
+        #Check for basic blind template injection behavior:
+        else if `{prefix}{suffix}` in {latest.response} then
+            report issue:
+                severity: high
+                confidence: firm
+                detail: {desc}
+                remediation: {reme}
+        end if
+    end if