diff --git a/other/Apache Tomcat Manager Path Normalization Panel.bcheck b/other/Apache Tomcat Manager Path Normalization Panel.bcheck
new file mode 100644
index 0000000..9749533
--- /dev/null
+++ b/other/Apache Tomcat Manager Path Normalization Panel.bcheck
@@ -0,0 +1,31 @@
+metadata:
+ language: v1-beta
+ name: "Apache Tomcat Manager Path Normalization Panel - Detect"
+ author: "Parimal Shaw"
+ description: "Apache Tomcat Manager Path Normalization login panel was discovered via path normalization. Normalizing a path involves modifying the string that identifies a path or file so that it confirms to a valid path on the target operating system."
+ tags: "Apache Tomcat Misconfiguration"
+
+run for each:
+ potential_path =
+ "/..;/manager/html",
+ "/..;/..;/manager/html;/",
+ "/..;/hostmanager/html",
+ "/..;/..;/hostmanager/html;/",
+ "/bchecktest/..;/manager/html",
+ "/bchecktest/..;/hostmanager/html"
+
+
+given host then
+ send request called check:
+ method: "GET"
+ path: {potential_path}
+
+ if {check.response.status_code} is "403"
+ and "username=\"tomcat\" password=\"s3cret\"" in {check.response.body}
+ and "manager-gui" in {check.response.body} then
+ report issue:
+ severity: info
+ confidence: certain
+ detail: "Apache Tomcat Manager Path Normalization login panel was discovered via path normalization. Normalizing a path involves modifying the string that identifies a path or file so that it conforms to a valid path on the target operating system."
+ remediation: "Ensure to accept only the whitelisted path and directory or implement proper access control to the following directory"
+ end if
\ No newline at end of file
diff --git a/other/Cloudflare External Image Resizing Misconfiguration.bcheck b/other/Cloudflare External Image Resizing Misconfiguration.bcheck
new file mode 100644
index 0000000..3422b0e
--- /dev/null
+++ b/other/Cloudflare External Image Resizing Misconfiguration.bcheck
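Review bot: The `hostmanager` entries in `potential_path` can never match, because Tomcat deploys its Host Manager under `/host-manager/`, so those three probes will 404 and only the `/manager/` variants are live; rename them to `"/..;/host-manager/html"`, `"/..;/..;/host-manager/html;/"` and `"/bchecktest/..;/host-manager/html"`. The match condition also fires on the Manager's standard 403 page for any reachable path, so a host where `/manager/html` is directly exposed with no proxy rule at all is still reported as a "path normalization" bypass; sending a baseline request to the un-mangled `/manager/html` and requiring its response to differ (e.g. a proxy 403/404 without the `manager-gui` text) is what would justify `confidence: certain`. Given that a positive result means an admin interface is reachable around a proxy ACL, `severity: info` looks low. Also, `description` has "confirms" where the `detail` string correctly says "conforms".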
@@ -0,0 +1,26 @@
+metadata:
+ language: v1-beta
+ name: "Cloudflare External Image Resizing Misconfiguration"
+ author: "Parimal Shaw"
+ description: "Cloudflare Image Resizing defaults to restricting resizing to the same domain. This prevents third parties from resizing any image at any origin. However, you can enable this option if you check Resize images from any origin."
+ tags: "Cloudflare Misconfiguration"
+
+define:
+ potential_path = `/cdn-cgi/image/width/https://{generate_collaborator_address()}`
+
+
+given host then
+ send request called check:
+ method: "GET"
+ replacing headers:
+ "Accept": "*/*"
+ path: {potential_path}
+
+
+ if http interactions then
+ report issue:
+ severity: info
+ confidence: certain
+ detail: "Cloudflare Image Resizing defaults to restricting resizing to the same domain. This prevents third parties from resizing any image at any origin. However, you can enable this option if you check Resize images from any origin."
+ remediation: "Disable image Resizing from all origin or restrict it to certain doamins in Cloudflare."
+end if
\ No newline at end of file
diff --git a/other/Etcd Server - Unauthenticated Access.bcheck b/other/Etcd Server - Unauthenticated Access.bcheck
new file mode 100644
index 0000000..ad3077d
--- /dev/null
+++ b/other/Etcd Server - Unauthenticated Access.bcheck
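Review bot: `if http interactions then` is the only condition, so any host that fetches URLs it is handed (an open proxy, a link-preview endpoint, an SSRF-prone route) is reported as a Cloudflare image-resizing misconfiguration; tying the result to the sender, e.g. `and "cloudflare" in {check.response.headers}` (Cloudflare stamps `Server: cloudflare` and `CF-RAY` on its responses), would remove those false positives, and without it `confidence: certain` should be `firm`. The `width` option in `/cdn-cgi/image/width/...` carries no value — Cloudflare's option syntax is `width=<n>` — so a bare `width` may be rejected before any origin fetch is attempted; `width=100` is the safer probe. Since a positive result means the zone fetches arbitrary third-party URLs on demand, `severity: info` understates it. `remediation` also misspells "domains" as "doamins".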
@@ -0,0 +1,27 @@
+metadata:
+ language: v1-beta
+ name: "Etcd Server - Unauthenticated Access"
+ author: "Parimal Shaw"
+ description: "A Kubernetes etcd server stores the cluster secrets and configurations files. Anonymous access on etcd allows unauthenticated access the data without providing any authentication credentials."
+ tags: "Kubernetes Misconfiguration"
+
+define:
+ potential_path = "/v2/keys/"
+
+
+given host then
+ send request called check:
+ method: "GET"
+ path: {potential_path}
+
+
+ if {check.response.status_code} is "200"
+ and "\"node\":" in {check.response.body}
+ and "\"key\":" in {check.response.body}
+ and "application/json" in {check.response.headers} then
+ report issue:
+ severity: high
+ confidence: certain
+ detail: "A Kubernetes etcd server cluster secrets and configurations files are accessible."
+ remediation: "Implement the following remediation https://etcd.io/docs/v2.3/authentication/"
+end if
\ No newline at end of file
diff --git a/other/Kubernetes_Pods_API_Discovery_&_Remote_Code_Execution.bcheck b/other/Kubernetes_Pods_API_Discovery_&_Remote_Code_Execution.bcheck
new file mode 100644
index 0000000..901a7ed
--- /dev/null
+++ b/other/Kubernetes_Pods_API_Discovery_&_Remote_Code_Execution.bcheck
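Review bot: The probe only covers the etcd v2 key space at `/v2/keys/`; since etcd 3.4 the v2 API is disabled by default, and an open v3 server answers `POST /v3/kv/range` instead, so a second request with body `{"key":"AA=="}` whose response contains `"cluster_id"` would catch the common modern case that this check currently misses. The `and "\"key\":" in {check.response.body}` condition also misses an empty store, where the root listing is `{"action":"get","node":{"dir":true}}` with no `key` field; `"action":"get"` together with `"node":` is a more reliable signature of an unauthenticated read. The remediation link points at the v2.3 docs; current guidance is to enable authentication with `--client-cert-auth` and role-based users, and to keep the client port off public interfaces.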
@@ -0,0 +1,29 @@
+metadata:
+ language: v1-beta
+ name: "Kubernetes Pods - API Discovery & Remote Code Execution"
+ author: "Parimal Shaw"
+ description: "A Kubernetes Pods API was discovered. When the service port is available, unauthenticated users can execute commands inside the container."
+ tags: "Kubernetes Misconfiguration"
+
+
+run for each:
+ potential_path =
+ "/pods",
+ "/api/v1/pods"
+
+
+given host then
+ send request called check:
+ method: "GET"
+ path: {potential_path}
+
+
+ if {check.response.status_code} is "200"
+ and "apiVersion" in {check.response.body}
+ and "application/json" in {check.response.headers} then
+ report issue:
+ severity: high
+ confidence: certain
+ detail: "A Kubernetes Pods API was discovered. When the service port is available, unauthenticated users can execute commands inside the container."
+ remediation: "Ensure to Disable access to following instances in Kubernetes."
+end if
\ No newline at end of file
diff --git a/other/Rails CRLF and XSS.bcheck b/other/Rails CRLF and XSS.bcheck
new file mode 100644
index 0000000..3e93825
--- /dev/null
+++ b/other/Rails CRLF and XSS.bcheck
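Review bot: The check only proves an unauthenticated pod listing, yet `name` and `detail` assert remote code execution with `confidence: certain`; a 200 from `/pods` is typically the kubelet read-only port and from `/api/v1/pods` an API server with anonymous access, both of which disclose pod specs, images, env vars and mounted secret names, while command execution requires `/run/{namespace}/{pod}/{container}` on the kubelet's authenticated port and is never exercised here. Either retitle this as an information-disclosure finding or add a separate, explicit probe before claiming RCE. `"apiVersion"` is also a weak discriminator because any Kubernetes-style JSON contains it; `and "\"kind\":\"PodList\"" in {check.response.body}` pins the response to the pod list. The remediation should name the controls: `--read-only-port=0`, `--anonymous-auth=false` and `--authorization-mode=Webhook` on the kubelet, and `--anonymous-auth=false` with RBAC on the API server.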
@@ -0,0 +1,24 @@
+metadata:
+ language: v1-beta
+ name: "Ruby on Rails - CRLF Injection and Cross-Site Scripting"
+ author: "Parimal Shaw"
+ description: "Ruby on Rails 6.0.0-6.0.3.1 contains a CRLF issue which allows JavaScript to be injected into the response, resulting in cross-site scripting."
+ tags: "Rails CRLF and XSS"
+
+define:
+ potential_path = "/rails/actions?error=ActiveRecord::PendingMigrationError&action=Run%20pending%20migrations&location=%0djavascript:alert(1)//%0aaaaaa"
+
+
+given host then
+ send request called check:
+ method: "POST"
+ path: {potential_path}
+
+
+ if {check.response.status_code} is "302" and "javascript:alert(1)" in {check.response.body} and "Location: aaaaa" in {check.response.headers} and "text/html" in {check.response.headers} then
+ report issue:
+ severity: medium
+ confidence: certain
+ detail: `Ruby on Rails 6.0.0-6.0.3.1 contains a CRLF issue which allows JavaScript to be injected into the response, resulting in cross-site scripting.`
+ remediation: "Ensure the location value is set as default value and XSS,CRLF payloads should be Blocked by application"
+end if
\ No newline at end of file
diff --git a/other/SAP Directory Listing.bcheck b/other/SAP Directory Listing.bcheck
new file mode 100644
index 0000000..0127c0f
--- /dev/null
+++ b/other/SAP Directory Listing.bcheck
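Review bot: This probe is not passive — `method: "POST"` to `/rails/actions` with `action=Run%20pending%20migrations` is exactly the request that makes an affected Rails 6.0.x application execute its pending database migrations, which appears to be the behaviour tracked as CVE-2020-8185, so a scanner running this check can change the target's schema. Because the actionable-exceptions middleware only handles POST there is no GET-only variant; the check should be marked as state-changing in `description` and kept out of default scans, or it should report on the unauthenticated migration trigger itself rather than only the reflected `location` value. The `remediation` should simply be to upgrade to Rails 6.0.3.2 or later (and to keep `ActionDispatch::ActionableExceptions` out of production), rather than asking the application to block payloads.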
@@ -0,0 +1,27 @@
+metadata:
+ language: v1-beta
+ name: "SAP Directory Listing"
+ author: "Parimal Shaw"
+ description: "Within SAP NetWeaver, directory listing is enabled."
+ tags: "SAP NetWeaver Misconfiguration"
+
+define:
+ potential_path = "/irj/go/km/navigation/"
+
+
+given host then
+ send request called check:
+ method: "GET"
+ path: {potential_path}
+
+
+ if {check.response.status_code} is "200"
+ and "title=\"~system\"" in {check.response.body}
+ and "NetWeaver" in {check.response.body}
+ and "text/html" in {check.response.headers} then
+ report issue:
+ severity: medium
+ confidence: certain
+ detail: "In SAP NetWeaver the directory listing is enabled or not configured properly."
+ remediation: "Ensure to Disable directory listing."
+end if
\ No newline at end of file
diff --git a/other/Xdebug_remote_code_execution_via_xdebug_remote_connect_back.bcheck b/other/Xdebug_remote_code_execution_via_xdebug_remote_connect_back.bcheck
new file mode 100644
index 0000000..6496ddd
--- /dev/null
+++ b/other/Xdebug_remote_code_execution_via_xdebug_remote_connect_back.bcheck
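Review bot: What `/irj/go/km/navigation/` with `title="~system"` in the body shows appears to be the Portal Knowledge Management root folder being browsable by the anonymous user, which is a KM permission problem rather than a web-server directory-index feature, so `remediation: "Ensure to Disable directory listing."` sends administrators to the wrong control. A remediation such as "Remove read permissions for the Anonymous Users/Everyone group on the KM root and `~system` folders, or require authentication for `/irj/go/km/navigation`" would be actionable. `description` and `detail` should say the same thing — that the folder is browsable without authentication — instead of "directory listing is enabled".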
@@ -0,0 +1,28 @@
+metadata:
+ language: v1-beta
+ name: "Xdebug remote code execution via xdebug.remote_connect_back"
+ author: "Parimal Shaw"
+ description: "The XDebug extension <= v2.6.0 for PHP is designed to expand the debugging capabilities of developers, including the ability to perform remote debugging. A misconfigured server, with ‘xdebug.remote_connect_back’ enabled, exposed to the internet could allow an unauthenticated remote attacker to trigger a debugging session using any IP via a simple web request. With a remote debugging session established, the attacker effectively has remote code execution (RCE) capabilities with which to establish persistence, exfiltrate data, or launch further attacks against the system or network."
+ tags: "Cloudflare Misconfiguration"
+
+define:
+ potential_path = "/?XDEBUG_SESSION_START=bchecks"
+
+
+given host then
+ send request called check:
+ method: "GET"
+ headers:
+ "X-Forwarded-For:": `{generate_collaborator_address()}`
+ path: {potential_path}
+
+
+ if dns interactions
+ and {check.response.status_code} is "200"
+ and "Set-Cookie: XDEBUG_SESSION=" in {check.response.headers} then
+ report issue:
+ severity: high
+ confidence: certain
+ detail: "The XDebug extension <= v2.6.0 for PHP is designed to expand the debugging capabilities of developers, including the ability to perform remote debugging. A misconfigured server, with ‘xdebug.remote_connect_back’ enabled, exposed to the internet could allow an unauthenticated remote attacker to trigger a debugging session using any IP via a simple web request. With a remote debugging session established, the attacker effectively has remote code execution (RCE) capabilities with which to establish persistence, exfiltrate data, or launch further attacks against the system or network."
+ remediation: "Upgrade the XDebug extension to the latest version."
+end if
\ No newline at end of file
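Review bot: The header name on the `headers:` line is written `"X-Forwarded-For:"` with a trailing colon, which will most likely emit `X-Forwarded-For::` on the wire; PHP would then expose it under a different `$_SERVER` key, Xdebug's connect-back never sees the collaborator address, and the `dns interactions` condition cannot fire — drop the colon: `"X-Forwarded-For": \`{generate_collaborator_address()}\``. `tags: "Cloudflare Misconfiguration"` is a copy-paste leftover from the Cloudflare check and should read something like `"PHP Xdebug Misconfiguration"`. The remediation "upgrade to the latest version" does not address the finding: connect-back is a configuration choice that still exists in Xdebug 3 as `xdebug.discover_client_host`, so the fix is to disable `xdebug.remote_connect_back`/`xdebug.discover_client_host` and not load Xdebug on internet-facing hosts, and the `<= v2.6.0` framing in `description` and `detail` should be dropped or hedged to match.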