From b4915dcb7d90e3388ea22c4223f261af7fa41f51 Mon Sep 17 00:00:00 2001 From: arjun Date: Thu, 26 Sep 2024 11:23:18 +0530 Subject: [PATCH] 20 templates added --- .../AWSOpenSearchLoginPageExposure.yml | 52 ++++++++ .../AnsibleConfigExposure.yml | 54 ++++++++ .../ApacheFileNameEnumeration.yml | 57 +++++++++ .../ApacheServerStatus.yml | 59 +++++++++ .../ApacheServerStatusLocalhost.yml | 66 ++++++++++ .../ApacheYarnResourceManagerExpose.yml | 52 ++++++++ .../ArangoDBInterfaceExposure.yml | 52 ++++++++ .../DrupalAPIUserListExposure.yml | 52 ++++++++ .../DrupalUserEnumerationRedirect.yml | 62 +++++++++ .../EclipseBIRTPanelExposure.yml | 54 ++++++++ .../F5AdminPanelExposure.yml | 54 ++++++++ .../GrafanaLoginPanelExposure.yml | 50 ++++++++ .../KibanaLoginPanelExposure.yml | 59 +++++++++ Security-Misconfiguration/OpenAPIExposure.yml | 61 +++++++++ .../PHPMyAdminPanelExposure.yml | 67 ++++++++++ .../PrometheusPanelExposure.yml | 54 ++++++++ .../ServiceNowLoginPanelExposure.yml | 54 ++++++++ .../SwaggerAPIExposure.yml | 121 ++++++++++++++++++ Security-Misconfiguration/WADLExposure.yml | 59 +++++++++ Security-Misconfiguration/WSDLDetect.yml | 50 ++++++++ 20 files changed, 1189 insertions(+) create mode 100644 Security-Misconfiguration/AWSOpenSearchLoginPageExposure.yml create mode 100644 Security-Misconfiguration/AnsibleConfigExposure.yml create mode 100644 Security-Misconfiguration/ApacheFileNameEnumeration.yml create mode 100644 Security-Misconfiguration/ApacheServerStatus.yml create mode 100644 Security-Misconfiguration/ApacheServerStatusLocalhost.yml create mode 100644 Security-Misconfiguration/ApacheYarnResourceManagerExpose.yml create mode 100644 Security-Misconfiguration/ArangoDBInterfaceExposure.yml create mode 100644 Security-Misconfiguration/DrupalAPIUserListExposure.yml create mode 100644 Security-Misconfiguration/DrupalUserEnumerationRedirect.yml create mode 100644 Security-Misconfiguration/EclipseBIRTPanelExposure.yml create mode 100644 Security-Misconfiguration/F5AdminPanelExposure.yml create mode 100644 Security-Misconfiguration/GrafanaLoginPanelExposure.yml create mode 100644 Security-Misconfiguration/KibanaLoginPanelExposure.yml create mode 100644 Security-Misconfiguration/OpenAPIExposure.yml create mode 100644 Security-Misconfiguration/PHPMyAdminPanelExposure.yml create mode 100644 Security-Misconfiguration/PrometheusPanelExposure.yml create mode 100644 Security-Misconfiguration/ServiceNowLoginPanelExposure.yml create mode 100644 Security-Misconfiguration/SwaggerAPIExposure.yml create mode 100644 Security-Misconfiguration/WADLExposure.yml create mode 100644 Security-Misconfiguration/WSDLDetect.yml diff --git a/Security-Misconfiguration/AWSOpenSearchLoginPageExposure.yml b/Security-Misconfiguration/AWSOpenSearchLoginPageExposure.yml new file mode 100644 index 0000000..9ea54c3 --- /dev/null +++ b/Security-Misconfiguration/AWSOpenSearchLoginPageExposure.yml @@ -0,0 +1,52 @@ +id: AWS_OPENSEARCH_LOGIN_PAGE_EXPOSURE +info: + name: "AWS OpenSearch Login Page Exposure" + description: "This test refers to the unintentional exposure of the login page for AWS OpenSearch, making it accessible over the internet without proper access controls. This could allow unauthorized users to attempt brute force attacks or exploit vulnerabilities to gain access to the OpenSearch dashboard. Ensuring secure network configurations and multi-factor authentication is essential to prevent such exposure." + details: "AWS OpenSearch Login Page Exposure occurs when the login page for an OpenSearch cluster is publicly accessible without adequate security measures like IP restrictions or multi-factor authentication. This can allow attackers to target the login page, attempting unauthorized access via brute force or credential stuffing attacks. To mitigate this risk, administrators should enforce strict access controls, use strong credentials, and apply network security measures like VPC peering or private endpoints." + impact: "The impact of AWS OpenSearch Login Page Exposure can be critical, as attackers may exploit the publicly accessible login page to gain unauthorized access to the OpenSearch cluster. This could lead to data theft, index tampering, or the complete compromise of the search infrastructure. In addition, attackers may disrupt services, modify search analytics, or escalate their access to other AWS resources, resulting in operational downtime and potential financial loss." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: AWS_OPENSEARCH_LOGIN_PAGE_EXPOSURE + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +execute: + type: single + requests: + - req: + - modify_url: "/_dashboards/app/login" + - modify_method: GET + - replace_body: '{}' +validate: + response_code: + eq: 200 + response_payload: + length: + gt: 0 + contains_either: + - "Please login to OpenSearch Dashboards" \ No newline at end of file diff --git a/Security-Misconfiguration/AnsibleConfigExposure.yml b/Security-Misconfiguration/AnsibleConfigExposure.yml new file mode 100644 index 0000000..b9eb505 --- /dev/null +++ b/Security-Misconfiguration/AnsibleConfigExposure.yml @@ -0,0 +1,54 @@ +id: ANSIBLE_CONFIG_EXPOSURE +info: + name: "Ansible Configuration Page Exposure" + description: "This test refers to the unintended public accessibility of the Ansible web interface or configuration files, which manage and automate IT infrastructure. If exposed without proper security measures, unauthorized users can view sensitive configuration details, including inventory files, playbooks, and variable data. This exposure poses significant risks, as attackers can exploit this information to manipulate configurations, launch unauthorized automation tasks, or disrupt services. To mitigate these risks, organizations should implement strong access controls, secure the interface with authentication, and restrict visibility to trusted users only." + details: "Ansible Configuration Page Exposure occurs when the web interface or configuration files of Ansible are accessible to the public without adequate security controls, such as authentication or IP whitelisting. This vulnerability allows unauthorized users to view critical information, including inventory configurations, playbooks, and execution parameters. The exposed data can be exploited by attackers to execute unauthorized commands, modify configurations, or disrupt automated processes. To protect against this exposure, organizations should enforce strict access controls, utilize encryption, and ensure that sensitive configurations are secured from public access." + impact: "The impact of Ansible Configuration Page Exposure can be severe, as unauthorized access to Ansible's configuration details can lead to malicious manipulation of IT infrastructure and automated tasks. Attackers may exploit this exposure to execute unauthorized playbooks, modify inventory settings, or disrupt service operations, potentially causing significant downtime and operational disruptions. Additionally, the compromise of sensitive configuration information can result in data breaches, financial losses, and reputational damage for the organization. Furthermore, it may lead to compliance violations if sensitive data or configurations are misused." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: ANSIBLE_CONFIG_EXPOSURE + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal + +execute: + type: single + requests: + - req: + - modify_url: "/ansible.cfg" + - modify_method: GET + - replace_body: '{}' +validate: + response_code: + eq: 200 + response_payload: + length: + gt: 0 + contains_all: + - '[defaults]' + - '[inventory]' \ No newline at end of file diff --git a/Security-Misconfiguration/ApacheFileNameEnumeration.yml b/Security-Misconfiguration/ApacheFileNameEnumeration.yml new file mode 100644 index 0000000..197715c --- /dev/null +++ b/Security-Misconfiguration/ApacheFileNameEnumeration.yml @@ -0,0 +1,57 @@ +id: APACHE_FILENAME_ENUM +info: + name: "Apache Filename Enumeration Test" + description: "This test refers to a security assessment conducted to identify potential vulnerabilities in an Apache server's configuration that may allow unauthorized users to enumerate or access sensitive files through predictable naming conventions. During this test, security professionals attempt to access various files using known patterns or extensions, checking if the server improperly reveals directory contents or file structures. This type of enumeration can lead to the exposure of sensitive information, such as configuration files, backups, or scripts. To mitigate these risks, it's essential to implement proper access controls, disable directory listing, and secure sensitive files from public access." + details: "Apache Filename Enumeration Test involves systematically probing an Apache server to identify vulnerabilities that allow unauthorized access to files through predictable naming patterns or URLs. Security testers typically attempt to access known or common filenames, extensions, and directories to determine if the server is configured to expose sensitive files. Successful enumeration can reveal critical information, such as configuration files, database credentials, and backup files, which may be exploited by attackers. To safeguard against such risks, server administrators should ensure proper security configurations, restrict access to sensitive files, and implement error handling to prevent revealing information through server responses." + impact: "The impact of an Apache Filename Enumeration Test can be substantial, as successful exploitation may lead to unauthorized access to sensitive files and information. Attackers could obtain critical data such as configuration files, API keys, or user credentials, which can facilitate further attacks on the system or network. Additionally, exposure of sensitive information can lead to data breaches, operational disruptions, and significant financial losses for the organization. Furthermore, the reputational damage and potential regulatory penalties resulting from such vulnerabilities can have long-lasting effects on the organization’s trustworthiness and compliance standing." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: APACHE_FILENAME_ENUM + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal + +execute: + type: single + requests: + - req: + - modify_url: "/index" + - modify_method: GET + - replace_body: '{}' + - add_header: + accept: "fake/value" +validate: + response_code: + eq: 406 + response_payload: + length: + gt: 0 + contains_all: + - "Not Acceptable" + - "Available variants:" + - "
Apache Server at" \ No newline at end of file diff --git a/Security-Misconfiguration/ApacheServerStatus.yml b/Security-Misconfiguration/ApacheServerStatus.yml new file mode 100644 index 0000000..1f1863b --- /dev/null +++ b/Security-Misconfiguration/ApacheServerStatus.yml @@ -0,0 +1,59 @@ +id: APACHE_SERVER_STATUS +info: + name: "Apache Server Status Exposure" + description: "This test refers to the unintended public accessibility of the Apache server status page, which provides detailed information about the server's performance, active connections, and resource usage. This page is typically intended for internal use only, but if misconfigured, it can be exposed to unauthorized users. Accessing this information can aid attackers in understanding the server's operational state and identifying potential weaknesses. To mitigate this risk, it's crucial to restrict access to the status page using proper authentication and network security measures." + details: "Apache Server Status Exposure occurs when the status page, designed to provide insights into server health and performance, is accessible to the public instead of being restricted to internal networks. This page reveals crucial information, such as server load, current requests, and resource usage statistics. If exposed, unauthorized users could exploit this information to plan targeted attacks, such as denial of service or resource exhaustion attacks. To protect against this exposure, administrators should ensure that access to the status page is limited to trusted IP addresses and secured with authentication mechanisms." + impact: "The impact of Apache Server Status Exposure can be significant, as unauthorized access to the status page allows attackers to gather detailed information about the server's performance and activity. This information can be leveraged to identify vulnerabilities, enabling attackers to execute targeted attacks such as denial of service or exploit weaknesses in server configurations. Additionally, exposing performance metrics may lead to service disruptions, data breaches, and operational inefficiencies. The potential financial losses, reputational damage, and regulatory implications resulting from such exposure can have lasting effects on the organization’s credibility and security posture." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: APACHE_SERVER_STATUS + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +wordLists: + paths: + - '/server-info' + - '/server-status' +execute: + type: single + requests: + - req: + - modify_url: "${paths}" + - modify_method: GET + - replace_body: '{}' +validate: + response_code: + eq: 200 + response_payload: + length: + gt: 0 + contains_either: + - "Apache Server Status" + - "Apache Server Information" + contains_all: + - "Server Version" \ No newline at end of file diff --git a/Security-Misconfiguration/ApacheServerStatusLocalhost.yml b/Security-Misconfiguration/ApacheServerStatusLocalhost.yml new file mode 100644 index 0000000..ef04438 --- /dev/null +++ b/Security-Misconfiguration/ApacheServerStatusLocalhost.yml @@ -0,0 +1,66 @@ +id: APACHE_SERVER_STATUS_LOCALHOST +info: + name: "Apache Server Status Exposure via localhost" + description: "This test refers to the unintended accessibility of the Apache server status page over a public network, despite it being intended for local access only. This status page provides detailed information about server performance, resource usage, and active connections, which can be valuable for monitoring but also poses a security risk if exposed externally. If unauthorized users can access this information, they may identify potential weaknesses in the server configuration or exploit vulnerabilities. To mitigate this risk, it is essential to restrict access to the status page using proper firewall rules or authentication mechanisms." + details: "Apache Server Status Exposure via localhost occurs when the Apache server status page, which is designed to provide insights into server performance and activity, is inadvertently made accessible from public networks instead of being restricted to local access. This status page reveals critical information, including server load, active requests, and resource usage metrics, which can aid attackers in identifying potential vulnerabilities. If exploited, attackers could craft targeted attacks based on the insights gained from this exposure. To prevent this risk, organizations should ensure that access to the status page is strictly limited to trusted IP addresses or protected by authentication mechanisms." + impact: "The impact of Apache Server Status Exposure via localhost can be significant, as unauthorized access to the server status page can provide attackers with valuable insights into the server's operational state and performance metrics. This information may be used to identify weaknesses in server configurations or exploit existing vulnerabilities, potentially leading to unauthorized access or denial of service attacks. Additionally, the exposure can result in data leakage about active connections and resource usage, increasing the risk of targeted attacks that could disrupt services or compromise sensitive information. Ultimately, such exposure may lead to operational downtime, financial losses, and reputational damage for the organization." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: APACHE_SERVER_STATUS_LOCALHOST + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +wordLists: + headersTest: + - Forwarded + - X-Client-IP + - X-Forwarded-By + - "X-Forwarded-For" + - "X-Forwarded-For-IP" + - "X-Forwarded-Host" + - "X-Host" + - "X-Originating-IP" + - "X-Remote-Addr" + - "X-Remote-IP" + - "X-True-IP" +execute: + type: single + requests: + - req: + - modify_url: "/server-status" + - modify_method: GET + - replace_body: '{}' + - add_header: + ${headersTest}: 127.0.0.1 +validate: + response_payload: + length: + gt: 0 + contains_all: + - "Apache Server Status" + - "Server Version" \ No newline at end of file diff --git a/Security-Misconfiguration/ApacheYarnResourceManagerExpose.yml b/Security-Misconfiguration/ApacheYarnResourceManagerExpose.yml new file mode 100644 index 0000000..2db0d86 --- /dev/null +++ b/Security-Misconfiguration/ApacheYarnResourceManagerExpose.yml @@ -0,0 +1,52 @@ +id: APACHE_YARN_RESOURCEMANAGER_EXPOSE +info: + name: "Apache Yarn Resource Manager Exposure" + description: "This test refers to the unprotected access of the Yarn Resource Manager interface, which manages and allocates resources in a Hadoop cluster. When exposed to the internet without proper security measures, unauthorized users can gain access to critical cluster management functionalities and metrics. This vulnerability can lead to unauthorized resource manipulation, data theft, or disruption of services. To mitigate risks, it's essential to enforce strong authentication, use network restrictions, and secure the interface behind firewalls." + details: "Apache Yarn Resource Manager Exposure occurs when the Yarn Resource Manager interface is accessible without adequate security controls, such as authentication or IP whitelisting. This exposure allows unauthorized users to view sensitive resource allocation details, monitor running applications, and potentially modify cluster settings or configurations. Attackers could exploit this access to launch denial-of-service attacks or manipulate resource allocations to disrupt Hadoop operations. To protect against this exposure, organizations should implement strong access controls, use encryption, and restrict access to trusted IP addresses or networks." + impact: "The impact of Apache Yarn Resource Manager Exposure can be substantial, as unauthorized access may allow attackers to manipulate resource allocations and disrupt critical Hadoop operations. This could lead to performance degradation, denial of service, and potential data loss if resources are mismanaged or maliciously altered. Additionally, attackers gaining insight into cluster metrics and configurations could exploit vulnerabilities in running applications, resulting in further security breaches and significant financial and operational repercussions for the organization." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: APACHE_YARN_RESOURCEMANAGER_EXPOSE + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +execute: + type: single + requests: + - req: + - modify_url: "/cluster/cluster" + - modify_method: GET + - replace_body: '{}' +validate: + response_payload: + length: + gt: 0 + contains_all: + - 'hadoop' + - 'resourcemanager' + - 'logged in as: dr.who' \ No newline at end of file diff --git a/Security-Misconfiguration/ArangoDBInterfaceExposure.yml b/Security-Misconfiguration/ArangoDBInterfaceExposure.yml new file mode 100644 index 0000000..cec4b8e --- /dev/null +++ b/Security-Misconfiguration/ArangoDBInterfaceExposure.yml @@ -0,0 +1,52 @@ +id: ARANGODB_INTERFACE_EXPOSURE +info: + name: "ArangoDB Web Interface Exposure" + description: "This test refers to the unintended exposure of the database’s web interface to unauthorized access, often due to misconfigurations or lack of proper security controls. This can allow attackers to interact with the ArangoDB web UI, potentially accessing, modifying, or deleting data. Ensuring proper authentication, firewalls, and network restrictions is crucial to mitigating such vulnerabilities." + details: "ArangoDB Web Interface Exposure occurs when the database's web interface is accessible over the internet without adequate security, such as proper authentication or IP whitelisting. This exposure allows attackers to interact with the database’s user interface, potentially leading to unauthorized access, data leaks, or system compromise. To prevent this, administrators should secure access through network restrictions, strong credentials, and encryption mechanisms." + impact: "The impact of ArangoDB Web Interface Exposure can be severe, as attackers may gain unauthorized access to sensitive data or administrative functions. This could lead to data breaches, unauthorized data modification, or complete system compromise. In worst-case scenarios, attackers can exploit this exposure to escalate privileges, disrupt services, or even delete critical data, resulting in significant operational and financial losses." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: ARANGODB_INTERFACE_EXPOSURE + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +execute: + type: single + requests: + - req: + - modify_url: "/_db/_system/_admin/aardvark/index.html" + - modify_method: GET + - replace_body: '{}' +validate: + response_code: + eq: 200 + response_payload: + length: + gt: 0 + contains_either: + - "ArangoDB Web Interface" \ No newline at end of file diff --git a/Security-Misconfiguration/DrupalAPIUserListExposure.yml b/Security-Misconfiguration/DrupalAPIUserListExposure.yml new file mode 100644 index 0000000..d6ef655 --- /dev/null +++ b/Security-Misconfiguration/DrupalAPIUserListExposure.yml @@ -0,0 +1,52 @@ +id: DRUPAL_API_USER_LIST_EXPOSE +info: + name: "Drupal JSON API Username Listing Endpoint Exposure" + description: "This test refers to the unintended accessibility of a JSON API endpoint in Drupal that lists user information, including usernames. If this endpoint is exposed without proper security controls, unauthorized users can access sensitive user data, which may lead to privacy violations and potential account enumeration attacks. To mitigate this risk, it is crucial to implement authentication, authorization checks, and restrict access to sensitive endpoints." + details: "Drupal JSON API Username Listing Endpoint Exposure occurs when the endpoint that provides a list of usernames is accessible to the public without adequate security measures, such as authentication or permission checks. This vulnerability can enable attackers to enumerate valid usernames, making it easier to target accounts for brute force or phishing attacks. Additionally, exposure of this information could lead to privacy breaches, as it reveals the existence of user accounts within the system. To safeguard against this risk, developers should ensure that proper access controls are implemented for sensitive API endpoints." + impact: "The impact of Drupal JSON API Username Listing Endpoint Exposure can be significant, as unauthorized access to usernames allows attackers to compile a list of valid accounts for further exploitation. This can lead to increased risks of brute force attacks, phishing attempts, or social engineering, as attackers may target specific users with tailored attacks. Additionally, the exposure of user data can result in privacy violations and reputational damage for the organization, along with potential regulatory repercussions if sensitive information is mishandled." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: DRUPAL_API_USER_LIST_EXPOSE + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +execute: + type: single + requests: + - req: + - modify_url: "/jsonapi/user/user" + - modify_method: GET + - replace_body: '{}' +validate: + response_code: + eq: 200 + response_payload: + length: + gt: 0 + regex: + - '\{"display_name":"([A-Sa-z0-9-_]+)"\}' \ No newline at end of file diff --git a/Security-Misconfiguration/DrupalUserEnumerationRedirect.yml b/Security-Misconfiguration/DrupalUserEnumerationRedirect.yml new file mode 100644 index 0000000..e77c05e --- /dev/null +++ b/Security-Misconfiguration/DrupalUserEnumerationRedirect.yml @@ -0,0 +1,62 @@ +id: DRUPAL_USER_ENUM_REDIRECTION +info: + name: "Drupal User Enumeration with Redirection" + description: "This test refers to a security vulnerability in Drupal applications where attackers can exploit the system to enumerate user accounts by observing redirection responses. When specific URLs are accessed, the application may provide different responses based on whether a username exists, enabling attackers to determine valid usernames without authentication. This type of enumeration can lead to targeted attacks, such as brute force or social engineering, as attackers gain insights into the user base. To mitigate this risk, it is essential to implement proper error handling and response normalization to prevent user identification through redirection patterns." + details: "Drupal User Enumeration with Redirection occurs when an attacker can manipulate URL requests to the Drupal application and observe how the system responds to different usernames. The application may redirect or provide unique error messages based on whether a user exists or not, making it easier for attackers to compile a list of valid usernames. This enumeration can be exploited to perform further attacks, such as brute force login attempts or phishing. To protect against this vulnerability, developers should implement uniform responses for both existing and non-existing users and enhance overall security practices within the application." + impact: "The impact of Drupal User Enumeration with Redirection can be considerable, as it allows attackers to identify valid usernames within the application, facilitating targeted attacks. Once valid usernames are known, attackers can launch brute force attacks to gain unauthorized access to user accounts or employ phishing tactics to compromise credentials. Additionally, this enumeration can lead to privacy violations if sensitive user data is exposed, resulting in reputational damage for the organization. Furthermore, the increased risk of account takeovers may lead to significant financial losses and regulatory implications if user data is mishandled." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: DRUPAL_USER_ENUM_REDIRECTION + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +wordLists: + paths: + - "/user/0" + - "/user/1" + - "/user/2" + - "/user/3" +execute: + type: single + requests: + - req: + - modify_url: "${paths}" + - modify_method: GET + - replace_body: '{}' +validate: + response_code: + eq: 301 + response_payload: + length: + gt: 0 + response_headers: + for_one: + key: + eq: "location" + value: + regex: "https?://[\\w\\.\\-]+[:/w-]*/users/\\w+" \ No newline at end of file diff --git a/Security-Misconfiguration/EclipseBIRTPanelExposure.yml b/Security-Misconfiguration/EclipseBIRTPanelExposure.yml new file mode 100644 index 0000000..3b403f2 --- /dev/null +++ b/Security-Misconfiguration/EclipseBIRTPanelExposure.yml @@ -0,0 +1,54 @@ +id: ECLIPSE_BIRT_PANEL_EXPOSURE +info: + name: "Eclipse BIRT panel Exposure" + description: "This test refers to the unprotected access of the Eclipse BIRT (Business Intelligence and Reporting Tools) panel over the internet. If improperly secured, this exposure allows unauthorized users to interact with the reporting dashboard, potentially viewing or altering sensitive reports and data. Ensuring proper authentication and network restrictions is essential to prevent unauthorized access to the BIRT panel." + details: "Eclipse BIRT Panel Exposure occurs when the reporting panel of Eclipse BIRT is accessible over the internet without adequate security controls, such as authentication or IP restrictions. This can allow unauthorized users to view, generate, or manipulate reports containing sensitive business data. To protect against this, administrators should enforce strong authentication mechanisms, secure the panel behind firewalls, and limit access to trusted networks only." + impact: "The impact of Eclipse BIRT Panel Exposure can be significant, as unauthorized users could gain access to sensitive business reports and analytics. This can result in data leaks, manipulation of critical business insights, and even alteration of financial or operational reports. If exploited, it may lead to reputational damage, financial loss, and compromised decision-making due to tampered or stolen data." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: ECLIPSE_BIRT_PANEL_EXPOSURE + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +execute: + type: single + requests: + - req: + - modify_url: "/reportviewer/" + - modify_method: GET + - replace_body: '{}' + - follow_redirect: true +validate: + response_code: + eq: 200 + response_payload: + length: + gt: 0 + contains_either: + - 'alt="Eclipse Logo' + - 'Eclipse BIRT Home' \ No newline at end of file diff --git a/Security-Misconfiguration/F5AdminPanelExposure.yml b/Security-Misconfiguration/F5AdminPanelExposure.yml new file mode 100644 index 0000000..5629286 --- /dev/null +++ b/Security-Misconfiguration/F5AdminPanelExposure.yml @@ -0,0 +1,54 @@ +id: F5_ADMIN_PANEL_EXPOSURE +info: + name: "F5 Admin Interface Exposure" + description: "This test refers to the unintended exposure of the administrative interface of F5 systems, which manage traffic and security for networks and applications. If left accessible without proper security controls, unauthorized users can potentially gain access to critical configurations, manage traffic settings, and even disrupt services. To mitigate risks, the interface should be secured with strong authentication, network segmentation, and restricted access." + details: "F5 Admin Interface Exposure occurs when the administrative interface of F5 devices, such as BIG-IP, is publicly accessible without sufficient security measures like firewalls or authentication protocols. This vulnerability allows unauthorized users to attempt access and manipulate configurations, which can compromise network security and application performance. Administrators should implement strict access controls, including IP whitelisting and multi-factor authentication, to safeguard the admin interface from unauthorized access." + impact: "The impact of F5 Admin Interface Exposure can be severe, as unauthorized access to the admin interface allows attackers to modify critical configurations and security settings. This could lead to traffic manipulation, denial of service attacks, and exposure of sensitive data. Additionally, attackers might exploit the compromised interface to launch further attacks on connected systems, resulting in significant operational disruptions and potential financial losses for the organization." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: F5_ADMIN_PANEL_EXPOSURE + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +execute: + type: single + requests: + - req: + - modify_url: "/tmui/login.jsp" + - modify_method: GET + - replace_body: '{}' + - follow_redirect: true +validate: + response_code: + eq: 200 + response_payload: + length: + gt: 0 + contains_all: + - 'Configuration Utility' + - 'F5 Networks' \ No newline at end of file diff --git a/Security-Misconfiguration/GrafanaLoginPanelExposure.yml b/Security-Misconfiguration/GrafanaLoginPanelExposure.yml new file mode 100644 index 0000000..d15424f --- /dev/null +++ b/Security-Misconfiguration/GrafanaLoginPanelExposure.yml @@ -0,0 +1,50 @@ +id: GRAFANA_LOGIN_PANEL_EXPOSURE +info: + name: "Grafana Login Panel Exposure" + description: "This test refers to the unintended exposure of the Grafana dashboard's login panel, making it accessible over the internet without adequate security measures. This vulnerability can allow unauthorized users to attempt login through brute force or credential stuffing attacks, potentially gaining access to sensitive visualizations and data sources. To mitigate these risks, it is essential to implement strong authentication, enforce IP restrictions, and secure the login panel behind firewalls." + details: "Grafana Login Panel Exposure occurs when the login interface for Grafana is left accessible without proper security controls, such as IP whitelisting or robust authentication mechanisms. This vulnerability enables attackers to target the panel with brute force attempts, seeking to compromise accounts that may have weak passwords. Organizations should protect the login panel by enforcing strong password policies, implementing multi-factor authentication, and limiting access to trusted networks to minimize the risk of unauthorized access." + impact: "The impact of Grafana Login Panel Exposure can be significant, as unauthorized access may allow attackers to view and manipulate sensitive data visualizations and dashboards. This could lead to data leaks, misrepresentation of critical business metrics, and unauthorized modifications to data sources. Furthermore, attackers gaining access could escalate privileges to other systems connected to Grafana, resulting in broader security breaches and potential financial and reputational damage to the organization." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: GRAFANA_LOGIN_PANEL_EXPOSURE + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +execute: + type: single + requests: + - req: + - modify_url: "/graph/login" + - modify_method: GET + - replace_body: '{}' +validate: + response_payload: + length: + gt: 0 + contains_either: + - "Grafana" \ No newline at end of file diff --git a/Security-Misconfiguration/KibanaLoginPanelExposure.yml b/Security-Misconfiguration/KibanaLoginPanelExposure.yml new file mode 100644 index 0000000..ca99917 --- /dev/null +++ b/Security-Misconfiguration/KibanaLoginPanelExposure.yml @@ -0,0 +1,59 @@ +id: KIBANA_LOGIN_PANEL_EXPOSE +info: + name: "Kibana Login Panel Exposure" + description: "This test refers to the unprotected access of the Kibana dashboard's login panel, allowing it to be reachable over the internet without adequate security measures. This exposure can enable unauthorized users to attempt brute force attacks or exploit vulnerabilities to gain access to sensitive data visualizations and analytics. To mitigate this risk, it's crucial to enforce strong authentication, implement IP whitelisting, and secure the login panel behind firewalls." + details: "Kibana Login Panel Exposure occurs when the login interface for Kibana is publicly accessible without sufficient security controls, such as proper authentication mechanisms or network restrictions. This vulnerability can allow attackers to launch brute force attacks to compromise user accounts, especially if weak passwords are used. To protect against this exposure, organizations should implement strong password policies, use multi-factor authentication, and restrict access to trusted IP addresses or networks, ensuring that the login panel is adequately secured." + impact: "The impact of Kibana Login Panel Exposure can be severe, as unauthorized access may allow attackers to manipulate or steal sensitive data visualizations and analytics. This could result in data breaches, unauthorized modifications of dashboards, and potential disruption of business operations. Additionally, attackers gaining access could escalate privileges to underlying Elasticsearch data, leading to broader security vulnerabilities and significant financial and reputational damage to the organization." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: KIBANA_LOGIN_PANEL_EXPOSE + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +execute: + type: single + requests: + - req: + - modify_url: "/app/kibana" + - modify_method: GET + - replace_body: '{}' + - follow_redirect: true +validate: + or: + - response_payload: + length: + gt: 0 + contains_either: + - "Kibana" + - "Elastic" + - "Kibana Login" + - response_payload: + length: + gt: 0 + regex: + - "(?i)(Kbn-Name)" \ No newline at end of file diff --git a/Security-Misconfiguration/OpenAPIExposure.yml b/Security-Misconfiguration/OpenAPIExposure.yml new file mode 100644 index 0000000..1364357 --- /dev/null +++ b/Security-Misconfiguration/OpenAPIExposure.yml @@ -0,0 +1,61 @@ +id: OPENAPI_EXPOSURE +info: + name: "OpenAPI Documentation Exposure" + description: "This test refers to the unintended public accessibility of OpenAPI documentation, which describes the APIs available in an application, including their endpoints, request/response formats, and security requirements. If this documentation is exposed without adequate security measures, it can provide attackers with valuable insights into the application’s architecture and functionality. This information can be exploited to launch targeted attacks or identify vulnerabilities. To mitigate risks, it is essential to restrict access to OpenAPI documentation and implement proper authentication and authorization controls." + details: "OpenAPI Documentation Exposure occurs when the API documentation is publicly accessible without proper security controls, allowing anyone to view detailed information about the API endpoints, methods, parameters, and response structures. This exposure can give attackers a roadmap of the application, enabling them to identify potential vulnerabilities or weaknesses in the API. Additionally, it may expose sensitive data models or business logic, further increasing the risk of exploitation. To protect against this exposure, organizations should implement access controls, secure the documentation behind authentication, and limit visibility to authorized users only." + impact: "The impact of OpenAPI Documentation Exposure can be severe, as it provides attackers with detailed insights into the API’s structure, making it easier to exploit vulnerabilities and craft targeted attacks. This can lead to unauthorized access, data breaches, and the potential for service disruptions. Moreover, the exposed documentation may reveal sensitive information about the application's architecture and business logic, increasing the risk of exploitation and significant financial and reputational damage to the organization. Additionally, regulatory consequences may arise if sensitive data is compromised due to inadequate security measures." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: OPENAPI_EXPOSURE + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +execute: + type: single + requests: + - req: + - modify_url: "/openapi.json" + - modify_method: GET + - replace_body: '{}' +validate: + response_code: + eq: 200 + response_payload: + length: + gt: 0 + contains_all: + - openapi + - paths + response_headers: + for_one: + key: + eq: "content-type" + value: + contains_either: + - application/openapi+json + - application/json \ No newline at end of file diff --git a/Security-Misconfiguration/PHPMyAdminPanelExposure.yml b/Security-Misconfiguration/PHPMyAdminPanelExposure.yml new file mode 100644 index 0000000..1861dbf --- /dev/null +++ b/Security-Misconfiguration/PHPMyAdminPanelExposure.yml @@ -0,0 +1,67 @@ +id: PHPMYADMIN_PANEL_EXPOSURE +info: + name: "phpmyadmin Panel Exposure" + description: "This test refers to the unprotected access of the phpMyAdmin interface, a popular tool for managing MySQL databases, making it reachable over the internet without proper security measures. This exposure can allow unauthorized users to attempt to log in, potentially gaining access to sensitive database information, executing malicious queries, or altering data. To mitigate risks, it's essential to implement strong authentication, use IP whitelisting, and secure the panel behind firewalls." + details: "phpMyAdmin Panel Exposure occurs when the phpMyAdmin interface is accessible to the public without sufficient security controls, such as robust authentication mechanisms or restricted IP access. This vulnerability can enable attackers to attempt brute force login attempts, gaining unauthorized access to MySQL databases. Once inside, they could execute harmful SQL queries, delete critical data, or extract sensitive information. To protect against such exposure, administrators should enforce strong passwords, implement multi-factor authentication, and limit access to trusted IP addresses." + impact: "The impact of phpMyAdmin Panel Exposure can be catastrophic, as unauthorized access may allow attackers to manipulate, delete, or extract sensitive data from MySQL databases. This could lead to data breaches, loss of critical information, and disruptions to business operations. Additionally, attackers might leverage the compromised interface to escalate privileges or compromise other connected systems, resulting in significant financial and reputational damage to the organization." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: PHPMYADMIN_PANEL_EXPOSURE + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +wordLists: + paths: + - "/phpmyadmin/" + - "/admin/phpmyadmin/" + - "/_phpmyadmin/" + - "/administrator/components/com_joommyadmin/phpmyadmin/" + - "/apache-default/phpmyadmin/" + - "/blog/phpmyadmin/" + - "/forum/phpmyadmin/" + - "/php/phpmyadmin/" + - "/typo3/phpmyadmin/" + - "/web/phpmyadmin/" + - "/xampp/phpmyadmin/" + - "/phpMyAdmin/" + - "/phpma/" + - "/phpMyAdmin/index.php" +execute: + type: single + requests: + - req: + - modify_url: "${paths}" + - modify_method: GET + - replace_body: '{}' +validate: + response_payload: + length: + gt: 0 + contains_either: + - "phpMyAdmin" + - "pmahomme" \ No newline at end of file diff --git a/Security-Misconfiguration/PrometheusPanelExposure.yml b/Security-Misconfiguration/PrometheusPanelExposure.yml new file mode 100644 index 0000000..f4303c8 --- /dev/null +++ b/Security-Misconfiguration/PrometheusPanelExposure.yml @@ -0,0 +1,54 @@ +id: PROMETHEUS_PANEL_EXPOSE +info: + name: "Prometheus Panel Exposure" + description: "Prometheus Panel Exposure refers to the unintended exposure of the Prometheus monitoring system's web interface, making it accessible over the internet without proper security measures. This vulnerability can allow unauthorized users to view sensitive metrics and potentially manipulate configurations or queries. To mitigate this risk, it is essential to implement strong authentication, use network restrictions, and secure the panel with firewalls." + details: "Prometheus Panel Exposure occurs when the Prometheus web interface is publicly accessible without adequate security controls, such as proper authentication or IP whitelisting. This vulnerability can enable attackers to access sensitive monitoring data, view system metrics, and potentially exploit exposed endpoints to modify queries or configurations. To protect against this exposure, organizations should enforce strong access controls, utilize encryption for data in transit, and restrict access to trusted networks or IP addresses." + impact: "The impact of Prometheus Panel Exposure can be significant, as unauthorized access may allow attackers to view sensitive metrics related to application performance and infrastructure health. This information can be leveraged for further attacks, such as targeting specific vulnerabilities within the system. Additionally, if attackers can modify configurations or queries, they could disrupt monitoring services, leading to operational downtime and potentially causing critical failures in systems being monitored. This exposure could result in substantial financial and reputational damage to the organization." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: PROMETHEUS_PANEL_EXPOSE + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +wordLists: + paths: + - '/graph' + - "/prometheus/graph" +execute: + type: single + requests: + - req: + - modify_url: "${paths}" + - modify_method: GET + - replace_body: '{}' +validate: + response_payload: + length: + gt: 0 + contains_either: + - "<title>Prometheus Time Series Collection and Processing Server" \ No newline at end of file diff --git a/Security-Misconfiguration/ServiceNowLoginPanelExposure.yml b/Security-Misconfiguration/ServiceNowLoginPanelExposure.yml new file mode 100644 index 0000000..495c012 --- /dev/null +++ b/Security-Misconfiguration/ServiceNowLoginPanelExposure.yml @@ -0,0 +1,54 @@ +id: SERVICENOW_LOGIN_PANEL_EXPOSE +info: + name: "ServiceNow Login Panel Exposure" + description: "This test refers to the unintended accessibility of the ServiceNow platform's login interface over the internet without proper security measures. This exposure can enable unauthorized users to attempt login via brute force or credential stuffing attacks, potentially gaining access to sensitive incident management and IT service data. To mitigate these risks, it is crucial to implement strong authentication, enforce IP restrictions, and secure the login panel behind firewalls." + details: "ServiceNow Login Panel Exposure occurs when the login interface for the ServiceNow platform is left open to public access without adequate security controls, such as multi-factor authentication or network restrictions. This vulnerability allows attackers to target the login panel with brute force attacks, trying to compromise user accounts, especially if weak passwords are in use. To protect against this exposure, organizations should enforce strong password policies, utilize account lockout mechanisms, and restrict access to the login panel from trusted IP addresses only." + impact: "The impact of ServiceNow Login Panel Exposure can be serious, as unauthorized access may allow attackers to gain entry to sensitive IT service management data, incident records, and user information. This could result in data breaches, unauthorized modifications to service requests, and potential disruptions to business operations. Furthermore, compromised accounts could be used to escalate privileges and launch further attacks on connected systems, leading to significant financial and reputational damage to the organization." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: SERVICENOW_LOGIN_PANEL_EXPOSE + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +execute: + type: single + requests: + - req: + - modify_url: "/login.do" + - modify_method: GET + - replace_body: '{}' +validate: + response_code: + eq: 200 + response_payload: + length: + gt: 0 + contains_all: + - 'ServiceNow' + - 'window.NOW.' + - 'NOW.user.userID' \ No newline at end of file diff --git a/Security-Misconfiguration/SwaggerAPIExposure.yml b/Security-Misconfiguration/SwaggerAPIExposure.yml new file mode 100644 index 0000000..c74d8dd --- /dev/null +++ b/Security-Misconfiguration/SwaggerAPIExposure.yml @@ -0,0 +1,121 @@ +id: SWAGGER_API_EXPOSURE +info: + name: "Swagger API Documentation Exposure" + description: "This test refers to the unintended public accessibility of Swagger-generated API documentation, which details the endpoints, request/response formats, and authentication methods of an application’s APIs. When exposed without proper security controls, this documentation can provide attackers with critical insights into the API's functionality and structure. Such exposure increases the risk of targeted attacks, as attackers can identify potential vulnerabilities to exploit. To mitigate these risks, it is essential to restrict access to Swagger documentation through authentication and authorization mechanisms." + details: "Swagger API Documentation Exposure occurs when the Swagger UI or JSON file is accessible to the public without adequate security measures, allowing unauthorized users to view detailed API specifications. This can include information about available endpoints, parameters, response types, and security protocols, making it easier for attackers to understand the application's architecture. The exposed documentation can facilitate targeted attacks, such as injection or exploitation of vulnerabilities. To protect against this exposure, organizations should implement strong access controls, secure the documentation behind authentication, and limit visibility to trusted users only." + impact: "The impact of Swagger API Documentation Exposure can be significant, as it provides attackers with detailed knowledge of the API’s structure and functionality, making it easier to exploit vulnerabilities. This can lead to unauthorized access to sensitive data, manipulation of application behavior, and potential data breaches. Additionally, the exposure can result in targeted attacks, such as denial of service or injection attacks, causing operational disruptions and financial losses. Furthermore, organizations may face reputational damage and regulatory consequences if sensitive information is compromised due to insufficient security measures." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: SWAGGER_API_EXPOSURE + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +wordLists: + paths: + - "/swagger-ui/swagger-ui.js" + - "/swagger/swagger-ui.js" + - "/swagger-ui.js" + - "/swagger/ui/swagger-ui.js" + - "/swagger/ui/index" + - "/swagger/index.html" + - "/swagger-ui.html" + - "/swagger/swagger-ui.html" + - "/api/swagger-ui.html" + - "/api-docs/swagger.json" + - "/api-docs/swagger.yaml" + - "/api_docs" + - "/swagger.json" + - "/swagger.yaml" + - "/swagger/v1/swagger.json" + - "/swagger/v1/swagger.yaml" + - "/api/index.html" + - "/api/doc" + - "/api/docs/" + - "/api/swagger.json" + - "/api/swagger.yaml" + - "/api/swagger.yml" + - "/api/swagger/index.html" + - "/api/swagger/swagger-ui.html" + - "/api/api-docs/swagger.json" + - "/api/api-docs/swagger.yaml" + - "/api/swagger-ui/swagger.json" + - "/api/swagger-ui/swagger.yaml" + - "/api/apidocs/swagger.json" + - "/api/apidocs/swagger.yaml" + - "/api/swagger-ui/api-docs" + - "/api/doc.json" + - "/api/api-docs" + - "/api/apidocs" + - "/api/swagger" + - "/api/swagger/static/index.html" + - "/api/swagger-resources" + - "/api/swagger-resources/restservices/v2/api-docs" + - "/api/__swagger__/" + - "/api/_swagger_/" + - "/api/spec/swagger.json" + - "/api/spec/swagger.yaml" + - "/api/swagger/ui/index" + - "/__swagger__/" + - "/_swagger_/" + - "/api/v1/swagger-ui/swagger.json" + - "/api/v1/swagger-ui/swagger.yaml" + - "/swagger-resources/restservices/v2/api-docs" + - "/api/swagger_doc.json" + - "/docu" + - "/docs" + - "/swagger" + - "/api-doc" + - "/doc/" + - "/swagger-ui/springfox.js" + - "/swagger-ui/swagger-ui-standalone-preset.js" + - "/swagger-ui/swagger-ui/swagger-ui-bundle.js" + - "/webjars/swagger-ui/swagger-ui-bundle.js" + - "/webjars/swagger-ui/index.html" +execute: + type: single + requests: + - req: + - modify_url: "${paths}" + - modify_method: GET + - replace_body: '{}' + - add_header: + accept: "text/html" +validate: + response_code: + eq: 200 + response_payload: + length: + gt: 0 + contains_either: + - "swagger:" + - "Swagger 2.0" + - "\"swagger\":" + - "Swagger UI" + - "loadSwaggerUI" + - "**token**:" + - "id=\"swagger-ui" \ No newline at end of file diff --git a/Security-Misconfiguration/WADLExposure.yml b/Security-Misconfiguration/WADLExposure.yml new file mode 100644 index 0000000..5f6e98a --- /dev/null +++ b/Security-Misconfiguration/WADLExposure.yml @@ -0,0 +1,59 @@ +id: WADL_EXPOSURE +info: + name: "WADL File Exposure" + description: "This test refers to the unintended public accessibility of the Web Application Description Language (WADL) files, which describe the resources and services provided by a RESTful web application. If these files are exposed without proper security measures, they can reveal detailed information about the application's endpoints, methods, and parameters to unauthorized users. This exposure can increase the risk of targeted attacks by providing attackers with insights into potential vulnerabilities. To mitigate these risks, organizations should implement access controls and secure WADL files behind authentication mechanisms." + details: "WADL Exposure occurs when the WADL files, which outline the RESTful web services of an application, are publicly accessible without sufficient security controls. This can allow unauthorized users to view detailed information about available endpoints, including their operations, parameters, and data formats. Such exposure can be exploited by attackers to identify vulnerabilities within the application, making it easier to execute targeted attacks or unauthorized operations. To safeguard against this exposure, developers should ensure proper access controls and restrict visibility of WADL files to authorized users only." + impact: "The impact of WADL Exposure can be substantial, as unauthorized access to WADL files allows attackers to gain detailed insights into the application's architecture and available services. This information can facilitate targeted attacks, such as exploiting vulnerabilities or performing unauthorized operations on the API. Additionally, exposed WADL files may lead to data breaches or manipulation of sensitive information, resulting in significant operational disruptions and potential financial losses. Organizations may also face reputational damage and compliance issues if exposed data includes personally identifiable information (PII) or other sensitive data." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: WADL_EXPOSURE + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +wordLists: + paths: + - "/application.wadl" + - "/application.wadl?detail=true" + - "/api/application.wadl" + - "/api/v1/application.wadl" + - "/api/v2/application.wadl" +execute: + type: single + requests: + - req: + - modify_url: "${paths}" + - modify_method: GET + - replace_body: '{}' +validate: + response_payload: + length: + gt: 0 + contains_either: + - "This is simplified WADL with user and core resources only" + - "http://jersey.java.net" + - "http://wadl.dev.java.net/2009/02" \ No newline at end of file diff --git a/Security-Misconfiguration/WSDLDetect.yml b/Security-Misconfiguration/WSDLDetect.yml new file mode 100644 index 0000000..baea356 --- /dev/null +++ b/Security-Misconfiguration/WSDLDetect.yml @@ -0,0 +1,50 @@ +id: WSDL_DETECT +info: + name: "WSDL File Exposure" + description: "This test refers to the unintended public accessibility of Web Services Description Language (WSDL) files, which define the structure, operations, and messages of a web service. When these files are exposed without proper security measures, they can provide unauthorized users with detailed information about the web service's operations and endpoints. This exposure can increase the risk of targeted attacks, as attackers may exploit vulnerabilities identified through the information contained in the WSDL files. To mitigate these risks, organizations should implement strong access controls and secure WSDL files behind authentication mechanisms." + details: "WSDL File Exposure occurs when WSDL files, which specify the web service's interface, operations, and binding information, are publicly accessible without adequate security controls. This vulnerability allows unauthorized users to view sensitive information about the web service, including available methods, input parameters, and endpoint URLs. Such exposure can be exploited by attackers to identify potential weaknesses in the service, facilitating targeted attacks like injection or denial of service. To protect against this exposure, organizations should enforce strict access controls and limit visibility to WSDL files through authentication and IP restrictions." + impact: "The impact of WSDL File Exposure can be significant, as unauthorized access to WSDL files enables attackers to gather detailed information about the web service's functionality and structure. This can lead to exploitation of vulnerabilities within the service, resulting in unauthorized access, data breaches, or service disruptions. Additionally, attackers may use the exposed information to craft targeted attacks, such as SQL injection or service manipulation, which can have serious operational and financial repercussions. Furthermore, organizations may face reputational damage and regulatory penalties if sensitive data is compromised due to inadequate security measures." + category: + name: SM + shortName: Misconfiguration + displayName: Security Misconfiguration (SM) + subCategory: WSDL_DETECT + severity: MEDIUM + references: + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md" + cwe: + - CWE-200 + - CWE-16 + cve: + - CVE-2021-43798 + +api_selection_filters: + method: + neq: "OPTIONS" + response_code: + gte: 200 + lt: 300 + response_payload: + length: + gt: 0 + url: + extract: urlVar + request_headers: + for_one: + key: + eq: "host" + value: + extract: hostHeaderVal +execute: + type: single + requests: + - req: + - modify_url: "/?wsdl" + - modify_method: GET + - replace_body: '{}' +validate: + response_payload: + length: + gt: 0 + contains_either: + - "wsdl:definitions" \ No newline at end of file