Commit
Added Multiple misconfiguration checks
SAP Directory Listing.bcheck Xdebug_remote_code_execution_via_xdebug_remote_connect_back.bcheck Apache Tomcat Manager Path Normalization Panel.bcheck Cloudflare External Image Resizing Misconfiguration.bcheck Etcd Server - Unauthenticated Access.bcheck Kubernetes_Pods_API_Discovery_&_Remote_Code_Execution.bcheck Rails CRLF and XSS.bcheck
1 parent dabd08f, commit 92f2395
Showing 7 changed files with 192 additions and 0 deletions.
31 changes: 31 additions & 0 deletions
31
other/Apache Tomcat Manager Path Normalization Panel.bcheck
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
metadata: | ||
language: v1-beta | ||
name: "Apache Tomcat Manager Path Normalization Panel - Detect" | ||
author: "Parimal Shaw" | ||
description: "Apache Tomcat Manager Path Normalization login panel was discovered via path normalization. Normalizing a path involves modifying the string that identifies a path or file so that it confirms to a valid path on the target operating system." | ||
tags: "Apache Tomcat Misconfiguration" | ||
|
||
run for each: | ||
potential_path = | ||
"/..;/manager/html", | ||
"/..;/..;/manager/html;/", | ||
"/..;/hostmanager/html", | ||
"/..;/..;/hostmanager/html;/", | ||
"/bchecktest/..;/manager/html", | ||
"/bchecktest/..;/hostmanager/html" | ||
|
||
|
||
given host then | ||
send request called check: | ||
method: "GET" | ||
path: {potential_path} | ||
|
||
if {check.response.status_code} is "403" | ||
and "username=\"tomcat\" password=\"s3cret\"" in {check.response.body} | ||
and "manager-gui" in {check.response.body} then | ||
report issue: | ||
severity: info | ||
confidence: certain | ||
detail: "Apache Tomcat Manager Path Normalization login panel was discovered via path normalization. Normalizing a path involves modifying the string that identifies a path or file so that it conforms to a valid path on the target operating system." | ||
remediation: "Ensure to accept only the whitelisted path and directory or implement proper access control to the following directory" | ||
end if |
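Review bot: the `description` string has a typo, "confirms to a valid path", while the `detail` string at the bottom of the same block correctly reads "conforms to a valid path"; align the two. The `remediation` text ("Ensure to accept only the whitelisted path and directory or implement proper access control to the following directory") is hard to act on: say that the reverse proxy or front end should reject or normalize `..;` segments before forwarding, and that the Manager and Host Manager applications should be restricted to trusted addresses or removed from internet-facing instances. Also note that the condition matches the sample `username="tomcat" password="s3cret"` / `manager-gui` text of Tomcat's 403 help page rather than a login form, so "login panel" in the name and detail slightly overstates what was observed; "Manager application reachable via path normalization" would match the evidence.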
26 changes: 26 additions & 0 deletions
26
other/Cloudflare External Image Resizing Misconfiguration.bcheck
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
metadata: | ||
language: v1-beta | ||
name: "Cloudflare External Image Resizing Misconfiguration" | ||
author: "Parimal Shaw" | ||
description: "Cloudflare Image Resizing defaults to restricting resizing to the same domain. This prevents third parties from resizing any image at any origin. However, you can enable this option if you check Resize images from any origin." | ||
tags: "Cloudflare Misconfiguration" | ||
|
||
define: | ||
potential_path = `/cdn-cgi/image/width/https://{generate_collaborator_address()}` | ||
|
||
|
||
given host then | ||
send request called check: | ||
method: "GET" | ||
replacing headers: | ||
"Accept": "*/*" | ||
path: {potential_path} | ||
|
||
|
||
if http interactions then | ||
report issue: | ||
severity: info | ||
confidence: certain | ||
detail: "Cloudflare Image Resizing defaults to restricting resizing to the same domain. This prevents third parties from resizing any image at any origin. However, you can enable this option if you check Resize images from any origin." | ||
remediation: "Disable image Resizing from all origin or restrict it to certain doamins in Cloudflare." | ||
end if |
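Review bot: the `detail` string only repeats Cloudflare's documentation of the default behaviour and never states the observed condition. Since the issue fires on `http interactions` with the Collaborator address embedded in the `/cdn-cgi/image/...` path, the detail should say that the zone fetched an image from an external origin (the Collaborator host), which is what "Resize images from any origin" being enabled means in practice. Typos in `remediation`: "doamins" should read "domains", and "from all origin" should read "from any origin".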
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
metadata: | ||
language: v1-beta | ||
name: "Etcd Server - Unauthenticated Access" | ||
author: "Parimal Shaw" | ||
description: "A Kubernetes etcd server stores the cluster secrets and configurations files. Anonymous access on etcd allows unauthenticated access the data without providing any authentication credentials." | ||
tags: "Kubernetes Misconfiguration" | ||
|
||
define: | ||
potential_path = "/v2/keys/" | ||
|
||
|
||
given host then | ||
send request called check: | ||
method: "GET" | ||
path: {potential_path} | ||
|
||
|
||
if {check.response.status_code} is "200" | ||
and "\"node\":" in {check.response.body} | ||
and "\"key\":" in {check.response.body} | ||
and "application/json" in {check.response.headers} then | ||
report issue: | ||
severity: high | ||
confidence: certain | ||
detail: "A Kubernetes etcd server cluster secrets and configurations files are accessible." | ||
remediation: "Implement the following remediation https://etcd.io/docs/v2.3/authentication/" | ||
end if |
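Review bot: grammar in the `description` ("allows unauthenticated access the data") and `detail` ("A Kubernetes etcd server cluster secrets and configurations files are accessible") strings; suggest "allows unauthenticated access to the data" and "The etcd key space, which holds cluster secrets and configuration, is readable without credentials". The name or description should also state that the probe covers only the legacy v2 keys API (`/v2/keys/`), so an unauthenticated etcd v3 member will not be reported by this check, and the linked v2.3 authentication page is version-specific in the same way; a more useful `remediation` would say to enable client certificate or token authentication for the etcd version in use and to keep etcd off any network reachable from untrusted clients.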
29 changes: 29 additions & 0 deletions
29
other/Kubernetes_Pods_API_Discovery_&_Remote_Code_Execution.bcheck
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
metadata: | ||
language: v1-beta | ||
name: "Kubernetes Pods - API Discovery & Remote Code Execution" | ||
author: "Parimal Shaw" | ||
description: "A Kubernetes Pods API was discovered. When the service port is available, unauthenticated users can execute commands inside the container." | ||
tags: "Kubernetes Misconfiguration" | ||
|
||
|
||
run for each: | ||
potential_path = | ||
"/pods", | ||
"/api/v1/pods" | ||
|
||
|
||
given host then | ||
send request called check: | ||
method: "GET" | ||
path: {potential_path} | ||
|
||
|
||
if {check.response.status_code} is "200" | ||
and "apiVersion" in {check.response.body} | ||
and "application/json" in {check.response.headers} then | ||
report issue: | ||
severity: high | ||
confidence: certain | ||
detail: "A Kubernetes Pods API was discovered. When the service port is available, unauthenticated users can execute commands inside the container." | ||
remediation: "Ensure to Disable access to following instances in Kubernetes." | ||
end if |
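Review bot: the `description` and `detail` strings assert that "unauthenticated users can execute commands inside the container" with `confidence: certain`, but the condition only establishes a 200 JSON response containing "apiVersion" from `/pods` or `/api/v1/pods`, i.e. an unauthenticated pod listing; the report should describe the listing as the confirmed finding and treat command execution as a possible consequence, otherwise the severity/confidence pairing misstates the evidence. Matching on "apiVersion" alone is weak, because that field appears in every Kubernetes API object, not just a pod list; the `kind` value `PodList` is the body marker for the endpoint being probed. The two paths also hit different components (`/pods` is served by the kubelet, `/api/v1/pods` by the API server), so the detail could name which one responded. The `remediation` ("Ensure to Disable access to following instances in Kubernetes.") is not actionable: suggest disabling anonymous authentication on the API server and kubelet, enforcing RBAC, and not exposing those ports to untrusted networks.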
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
metadata: | ||
language: v1-beta | ||
name: "Ruby on Rails - CRLF Injection and Cross-Site Scripting" | ||
author: "Parimal Shaw" | ||
description: "Ruby on Rails 6.0.0-6.0.3.1 contains a CRLF issue which allows JavaScript to be injected into the response, resulting in cross-site scripting." | ||
tags: "Rails CRLF and XSS" | ||
|
||
define: | ||
potential_path = "/rails/actions?error=ActiveRecord::PendingMigrationError&action=Run%20pending%20migrations&location=%0djavascript:alert(1)//%0aaaaaa" | ||
|
||
|
||
given host then | ||
send request called check: | ||
method: "POST" | ||
path: {potential_path} | ||
|
||
|
||
if {check.response.status_code} is "302" and "javascript:alert(1)" in {check.response.body} and "Location: aaaaa" in {check.response.headers} and "text/html" in {check.response.headers} then | ||
report issue: | ||
severity: medium | ||
confidence: certain | ||
detail: `Ruby on Rails 6.0.0-6.0.3.1 contains a CRLF issue which allows JavaScript to be injected into the response, resulting in cross-site scripting.` | ||
remediation: "Ensure the location value is set as default value and XSS,CRLF payloads should be Blocked by application" | ||
end if |
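Review bot: this check is not read-only. The request posts to `/rails/actions` with `action=Run%20pending%20migrations`, and on an application in the affected range (6.0.0-6.0.3.1) the actionable-exceptions endpoint executes the named action before redirecting to `location`, so a scan can run outstanding database migrations on the target. That side effect should be called out in the `description` so operators can decide whether to enable the check. The single-line `if ... and ... and ... then` and the backtick-quoted `detail` also differ from the other files in this commit, which break each `and` onto its own line and use double quotes. Finally, the `remediation` should say to upgrade beyond the affected range named in the description rather than relying on blocking payloads; "set as default value" does not tell the reader what to change.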
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
metadata: | ||
language: v1-beta | ||
name: "SAP Directory Listing" | ||
author: "Parimal Shaw" | ||
description: "Within SAP NetWeaver, directory listing is enabled." | ||
tags: "SAP NetWeaver Misconfiguration" | ||
|
||
define: | ||
potential_path = "/irj/go/km/navigation/" | ||
|
||
|
||
given host then | ||
send request called check: | ||
method: "GET" | ||
path: {potential_path} | ||
|
||
|
||
if {check.response.status_code} is "200" | ||
and "title=\"~system\"" in {check.response.body} | ||
and "NetWeaver" in {check.response.body} | ||
and "text/html" in {check.response.headers} then | ||
report issue: | ||
severity: medium | ||
confidence: certain | ||
detail: "In SAP NetWeaver the directory listing is enabled or not configured properly." | ||
remediation: "Ensure to Disable directory listing." | ||
end if |
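Review bot: the `description` ("Within SAP NetWeaver, directory listing is enabled.") and `detail` ("...enabled or not configured properly") are vaguer than the evidence the condition collects. The check verifies that `/irj/go/km/navigation/` returns an HTML page containing `title="~system"` and "NetWeaver", i.e. the portal's Knowledge Management navigation listing is reachable without authentication; the strings should say so, naming the component and the path, so a reader knows what was seen. The `remediation` ("Ensure to Disable directory listing.") should likewise name where: require authentication for the KM navigation path or restrict anonymous access to that iView, rather than a generic directory-listing toggle.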
28 changes: 28 additions & 0 deletions
28
other/Xdebug_remote_code_execution_via_xdebug_remote_connect_back.bcheck
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
metadata: | ||
language: v1-beta | ||
name: "Xdebug remote code execution via xdebug.remote_connect_back" | ||
author: "Parimal Shaw" | ||
description: "The XDebug extension <= v2.6.0 for PHP is designed to expand the debugging capabilities of developers, including the ability to perform remote debugging. A misconfigured server, with ‘xdebug.remote_connect_back’ enabled, exposed to the internet could allow an unauthenticated remote attacker to trigger a debugging session using any IP via a simple web request. With a remote debugging session established, the attacker effectively has remote code execution (RCE) capabilities with which to establish persistence, exfiltrate data, or launch further attacks against the system or network." | ||
tags: "Cloudflare Misconfiguration" | ||
|
||
define: | ||
potential_path = "/?XDEBUG_SESSION_START=bchecks" | ||
|
||
|
||
given host then | ||
send request called check: | ||
method: "GET" | ||
headers: | ||
"X-Forwarded-For:": `{generate_collaborator_address()}` | ||
path: {potential_path} | ||
|
||
|
||
if dns interactions | ||
and {check.response.status_code} is "200" | ||
and "Set-Cookie: XDEBUG_SESSION=" in {check.response.headers} then | ||
report issue: | ||
severity: high | ||
confidence: certain | ||
detail: "The XDebug extension <= v2.6.0 for PHP is designed to expand the debugging capabilities of developers, including the ability to perform remote debugging. A misconfigured server, with ‘xdebug.remote_connect_back’ enabled, exposed to the internet could allow an unauthenticated remote attacker to trigger a debugging session using any IP via a simple web request. With a remote debugging session established, the attacker effectively has remote code execution (RCE) capabilities with which to establish persistence, exfiltrate data, or launch further attacks against the system or network." | ||
remediation: "Upgrade the XDebug extension to the latest version." | ||
end if |
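Review bot: `tags: "Cloudflare Misconfiguration"` is a copy-paste leftover from the Cloudflare check and should be replaced with something like "PHP Misconfiguration" or "Xdebug". In the `headers:` block the key is written as `"X-Forwarded-For:"` with a trailing colon, which would produce a malformed header name (`X-Forwarded-For::`) unless the engine strips it; drop the colon so it matches the `"Accept"` form used in the Cloudflare file. The `remediation` ("Upgrade the XDebug extension to the latest version.") does not address the condition the description itself identifies, `xdebug.remote_connect_back` enabled on an internet-facing server: it should say to disable `xdebug.remote_connect_back` (named `xdebug.discover_client_host` in Xdebug 3) and remote debugging in production, restrict any debug host setting to trusted addresses, and not load the extension on internet-exposed PHP at all; upgrading alone leaves a deliberately enabled connect-back in place.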