Adding the scan for Graphql Introspection Query Enabled

other/GraphQL/graphql-introspection-enabled.bcheck

@@ -0,0 +1,42 @@
+metadata:
+    language: v1-beta
+    name: "Graphql Introspection Query Enabled"
+    description: "Refers to the condition where the GraphQL server allows introspection queries, potentially exposing sensitive schema information"
+    author: "j3ssie"
+    tags: "exposure", "graphql", "introspection"
+
+define:
+    introQuery = "{\"query\":\"\n    query IntrospectionQuery {\n      __schema {\n        \n        queryType { name }\n        mutationType { name }\n        subscriptionType { name }\n        types {\n          ...FullType\n        }\n        directives {\n          name\n          description\n          \n          locations\n          args {\n            ...InputValue\n          }\n        }\n      }\n    }\n\n    fragment FullType on __Type {\n      kind\n      name\n      description\n      \n      fields(includeDeprecated: true) {\n        name\n        description\n        args {\n          ...InputValue\n        }\n        type {\n          ...TypeRef\n        }\n        isDeprecated\n        deprecationReason\n      }\n      inputFields {\n        ...InputValue\n      }\n      interfaces {\n        ...TypeRef\n      }\n      enumValues(includeDeprecated: true) {\n        name\n        description\n        isDeprecated\n        deprecationReason\n      }\n      possibleTypes {\n        ...TypeRef\n      }\n    }\n\n    fragment InputValue on __InputValue {\n      name\n      description\n      type { ...TypeRef }\n      defaultValue\n      \n      \n    }\n\n    fragment TypeRef on __Type {\n      kind\n      name\n      ofType {\n        kind\n        name\n        ofType {\n          kind\n          name\n          ofType {\n            kind\n            name\n            ofType {\n              kind\n              name\n              ofType {\n                kind\n                name\n                ofType {\n                  kind\n                  name\n                  ofType {\n                    kind\n                    name\n                  }\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  \"}"
+
+run for each:
+    potential_path =
+        "/",
+        "/api",
+        "/api/graphql",
+        "/console",
+        "/graph",
+        "/graphiql",
+        "/graphql",
+        "/graphql/console/",
+        "/v1/explorer",
+        "/v1/graphiql"
+
+given request then
+    send request called check:
+        method: "POST"
+        path: `{potential_path}`
+        replacing headers:
+            "Content-Type": "application/json"
+        body: `{introQuery}`
+
+    if {latest.response.status_code} is "200" and
+        {latest.response.headers} matches "application/json" then
+        if {latest.response.body} matches "__schema" and
+            {latest.response.body} matches "defaultValue" and
+            {latest.response.body} matches "queryType" then
+            report issue:
+                severity: low
+                confidence: firm
+                detail: `Graphql Introspection Query Enabled`
+        end if
+    end if

other/files/ds-store-exposed.bcheck

@@ -0,0 +1,32 @@
+metadata:
+    language: v1-beta
+    name: ".DS_Store Configuration Check"
+    description: "Tests for exposed svn config in current path and at the root directory of site"
+    author: "j3ssie"
+    tags: "exposure", "ds_store", "config", "file"
+
+run for each:
+    potential_path = ".DS_Store"
+
+given request then
+    # replace the potential path with the last path
+    send request called check:
+        method: "GET"
+        replacing path: `{regex_replace({regex_replace({base.request.url}, "^.*?\/.*?\/.*?\/", "/")}, "([^/]+)$", "")}{potential_path}`
+
+    # replace the potential path with entire URI
+    send request called check1:
+        method: "GET"
+        replacing path: `{regex_replace({base.request.url}, "^.*", "")}/{potential_path}`
+
+    if {latest.response.status_code} is "200" and
+        "Bud1" in {latest.response.body} and
+        "DSDB" in {latest.response.body} then
+        if {latest.response.headers} matches "Accept-Ranges: bytes" or
+            {latest.response.headers} matches "octet-stream" then
+            report issue:
+                severity: low
+                confidence: certain
+                detail: `.DS_Store configuration found at {potential_path}.`
+        end if
+    end if

other/files/svn-exposed.bcheck

@@ -0,0 +1,32 @@
+metadata:
+    language: v1-beta
+    name: "SVN Configuration File Exposed"
+    description: "Tests for exposed svn config in current path and at the root directory of site"
+    author: "j3ssie"
+    tags: "exposure", "svn", "config", "file"
+
+run for each:
+    potential_path = ".svn/entries", ".svn/text", ".svn/all-wcprops", "CVS/Entries"
+
+given request then
+    # replace the potential path with the last path
+    send request called check:
+        method: "GET"
+        replacing path: `{regex_replace({regex_replace({base.request.url}, "^.*?\/.*?\/.*?\/", "/")}, "([^/]+)$", "")}{potential_path}`
+
+    # replace the potential path with entire URI
+    send request called check1:
+        method: "GET"
+        replacing path: `{regex_replace({base.request.url}, "^.*", "")}/{potential_path}`
+
+    if {latest.response.status_code} is "200" then
+        if ("END" in {latest.response.body} and
+            "svn:" in {latest.response.body}) or
+            ("dir" in {latest.response.body} and
+            "<entry:" in {latest.response.body}) then
+            report issue:
+                severity: low
+                confidence: tentative
+                detail: `SVN configuration found at {potential_path}.`
+        end if
+    end if