20 templates added #142

Open
wants to merge 1 commit into
base: master
52 changes: 52 additions & 0 deletions Security-Misconfiguration/AWSOpenSearchLoginPageExposure.yml
@@ -0,0 +1,52 @@
id: AWS_OPENSEARCH_LOGIN_PAGE_EXPOSURE
info:
name: "AWS OpenSearch Login Page Exposure"
description: "This test refers to the unintentional exposure of the login page for AWS OpenSearch, making it accessible over the internet without proper access controls. This could allow unauthorized users to attempt brute force attacks or exploit vulnerabilities to gain access to the OpenSearch dashboard. Ensuring secure network configurations and multi-factor authentication is essential to prevent such exposure."
details: "AWS OpenSearch Login Page Exposure occurs when the login page for an OpenSearch cluster is publicly accessible without adequate security measures like IP restrictions or multi-factor authentication. This can allow attackers to target the login page, attempting unauthorized access via brute force or credential stuffing attacks. To mitigate this risk, administrators should enforce strict access controls, use strong credentials, and apply network security measures like VPC peering or private endpoints."
impact: "The impact of AWS OpenSearch Login Page Exposure can be critical, as attackers may exploit the publicly accessible login page to gain unauthorized access to the OpenSearch cluster. This could lead to data theft, index tampering, or the complete compromise of the search infrastructure. In addition, attackers may disrupt services, modify search analytics, or escalate their access to other AWS resources, resulting in operational downtime and potential financial loss."
category:
name: SM
shortName: Misconfiguration
displayName: Security Misconfiguration (SM)
subCategory: AWS_OPENSEARCH_LOGIN_PAGE_EXPOSURE
severity: MEDIUM
references:
- "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md"
cwe:
- CWE-200
- CWE-16
cve:
- CVE-2021-43798

api_selection_filters:
method:
neq: "OPTIONS"
response_code:
gte: 200
lt: 300
response_payload:
length:
gt: 0
url:
extract: urlVar
request_headers:
for_one:
key:
eq: "host"
value:
extract: hostHeaderVal
execute:
type: single
requests:
- req:
- modify_url: "/_dashboards/app/login"
- modify_method: GET
- replace_body: '{}'
validate:
response_code:
eq: 200
response_payload:
length:
gt: 0
contains_either:
- "Please login to OpenSearch Dashboards"
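Review bot: the `validate` block only confirms that a login page exists (`response_code: eq: 200` plus the string "Please login to OpenSearch Dashboards"), which is the normal, intended behaviour of any OpenSearch Dashboards deployment with the security plugin enabled, so this template will flag every reachable dashboard rather than a misconfigured one. If the finding is meant to be "dashboards reachable from an untrusted network", say so in `description`/`details` and consider lowering it to an informational finding, or tighten `validate` so it only fires when something beyond the login prompt is exposed. Two smaller points: `impact` calls the issue "critical" while `severity` is `MEDIUM`, and the `cve` entry `CVE-2021-43798` is repeated unchanged across all six templates in this PR for unrelated products (OpenSearch, Ansible, Apache httpd, Hadoop YARN), so unless it actually concerns OpenSearch Dashboards it should be dropped here, and the same applies to the other five files. `urlVar` and `hostHeaderVal` are extracted but never used in this file.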
54 changes: 54 additions & 0 deletions Security-Misconfiguration/AnsibleConfigExposure.yml
@@ -0,0 +1,54 @@
id: ANSIBLE_CONFIG_EXPOSURE
info:
name: "Ansible Configuration Page Exposure"
description: "This test refers to the unintended public accessibility of the Ansible web interface or configuration files, which manage and automate IT infrastructure. If exposed without proper security measures, unauthorized users can view sensitive configuration details, including inventory files, playbooks, and variable data. This exposure poses significant risks, as attackers can exploit this information to manipulate configurations, launch unauthorized automation tasks, or disrupt services. To mitigate these risks, organizations should implement strong access controls, secure the interface with authentication, and restrict visibility to trusted users only."
details: "Ansible Configuration Page Exposure occurs when the web interface or configuration files of Ansible are accessible to the public without adequate security controls, such as authentication or IP whitelisting. This vulnerability allows unauthorized users to view critical information, including inventory configurations, playbooks, and execution parameters. The exposed data can be exploited by attackers to execute unauthorized commands, modify configurations, or disrupt automated processes. To protect against this exposure, organizations should enforce strict access controls, utilize encryption, and ensure that sensitive configurations are secured from public access."
impact: "The impact of Ansible Configuration Page Exposure can be severe, as unauthorized access to Ansible's configuration details can lead to malicious manipulation of IT infrastructure and automated tasks. Attackers may exploit this exposure to execute unauthorized playbooks, modify inventory settings, or disrupt service operations, potentially causing significant downtime and operational disruptions. Additionally, the compromise of sensitive configuration information can result in data breaches, financial losses, and reputational damage for the organization. Furthermore, it may lead to compliance violations if sensitive data or configurations are misused."
category:
name: SM
shortName: Misconfiguration
displayName: Security Misconfiguration (SM)
subCategory: ANSIBLE_CONFIG_EXPOSURE
severity: MEDIUM
references:
- "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md"
cwe:
- CWE-200
- CWE-16
cve:
- CVE-2021-43798

api_selection_filters:
method:
neq: "OPTIONS"
response_code:
gte: 200
lt: 300
response_payload:
length:
gt: 0
url:
extract: urlVar
request_headers:
for_one:
key:
eq: "host"
value:
extract: hostHeaderVal

execute:
type: single
requests:
- req:
- modify_url: "/ansible.cfg"
- modify_method: GET
- replace_body: '{}'
validate:
response_code:
eq: 200
response_payload:
length:
gt: 0
contains_all:
- '[defaults]'
- '[inventory]'
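Review bot: `contains_all` requires both `[defaults]` and `[inventory]`, but an `ansible.cfg` commonly contains only a `[defaults]` section, so a publicly readable config without an `[inventory]` block would be missed. Matching on `[defaults]` alone is too loose (it appears in unrelated INI files), so pair it with a second Ansible-specific key that is likely to be present, for example `inventory` or `roles_path` under `[defaults]` (verify the key names against the Ansible docs), or use `contains_either` across several section headers. Also, `description` and `details` talk about an exposed "Ansible web interface", while the request only fetches `/ansible.cfg`; the text should describe what the template actually checks, namely a world-readable Ansible configuration file.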
57 changes: 57 additions & 0 deletions Security-Misconfiguration/ApacheFileNameEnumeration.yml
@@ -0,0 +1,57 @@
id: APACHE_FILENAME_ENUM
info:
name: "Apache Filename Enumeration Test"
description: "This test refers to a security assessment conducted to identify potential vulnerabilities in an Apache server's configuration that may allow unauthorized users to enumerate or access sensitive files through predictable naming conventions. During this test, security professionals attempt to access various files using known patterns or extensions, checking if the server improperly reveals directory contents or file structures. This type of enumeration can lead to the exposure of sensitive information, such as configuration files, backups, or scripts. To mitigate these risks, it's essential to implement proper access controls, disable directory listing, and secure sensitive files from public access."
details: "Apache Filename Enumeration Test involves systematically probing an Apache server to identify vulnerabilities that allow unauthorized access to files through predictable naming patterns or URLs. Security testers typically attempt to access known or common filenames, extensions, and directories to determine if the server is configured to expose sensitive files. Successful enumeration can reveal critical information, such as configuration files, database credentials, and backup files, which may be exploited by attackers. To safeguard against such risks, server administrators should ensure proper security configurations, restrict access to sensitive files, and implement error handling to prevent revealing information through server responses."
impact: "The impact of an Apache Filename Enumeration Test can be substantial, as successful exploitation may lead to unauthorized access to sensitive files and information. Attackers could obtain critical data such as configuration files, API keys, or user credentials, which can facilitate further attacks on the system or network. Additionally, exposure of sensitive information can lead to data breaches, operational disruptions, and significant financial losses for the organization. Furthermore, the reputational damage and potential regulatory penalties resulting from such vulnerabilities can have long-lasting effects on the organization’s trustworthiness and compliance standing."
category:
name: SM
shortName: Misconfiguration
displayName: Security Misconfiguration (SM)
subCategory: APACHE_FILENAME_ENUM
severity: MEDIUM
references:
- "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md"
cwe:
- CWE-200
- CWE-16
cve:
- CVE-2021-43798

api_selection_filters:
method:
neq: "OPTIONS"
response_code:
gte: 200
lt: 300
response_payload:
length:
gt: 0
url:
extract: urlVar
request_headers:
for_one:
key:
eq: "host"
value:
extract: hostHeaderVal

execute:
type: single
requests:
- req:
- modify_url: "/index"
- modify_method: GET
- replace_body: '{}'
- add_header:
accept: "fake/value"
validate:
response_code:
eq: 406
response_payload:
length:
gt: 0
contains_all:
- "Not Acceptable"
- "Available variants:"
- "<address>Apache Server at"
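Review bot: the request hard-codes `/index` with `accept: "fake/value"` and expects a 406 page listing "Available variants:", i.e. it relies on Apache MultiViews content negotiation for a file named `index.*` in the document root. That only works for a directory where `Options MultiViews` is enabled and the path is served by httpd directly; behind a framework route or a reverse proxy `/index` will typically return 404 or 200 and the check silently never fires. Consider deriving the path from the original request (`urlVar` is extracted but unused here) or from a small `wordLists` of candidate paths, as ApacheServerStatus.yml does. The `description`/`details` also describe a generic manual "security assessment" with "predictable naming conventions" rather than this specific MultiViews variant-listing check; rewrite them to say what the template does and that the mitigation is disabling `MultiViews` (or `Options -MultiViews` per directory).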
59 changes: 59 additions & 0 deletions Security-Misconfiguration/ApacheServerStatus.yml
@@ -0,0 +1,59 @@
id: APACHE_SERVER_STATUS
info:
name: "Apache Server Status Exposure"
description: "This test refers to the unintended public accessibility of the Apache server status page, which provides detailed information about the server's performance, active connections, and resource usage. This page is typically intended for internal use only, but if misconfigured, it can be exposed to unauthorized users. Accessing this information can aid attackers in understanding the server's operational state and identifying potential weaknesses. To mitigate this risk, it's crucial to restrict access to the status page using proper authentication and network security measures."
details: "Apache Server Status Exposure occurs when the status page, designed to provide insights into server health and performance, is accessible to the public instead of being restricted to internal networks. This page reveals crucial information, such as server load, current requests, and resource usage statistics. If exposed, unauthorized users could exploit this information to plan targeted attacks, such as denial of service or resource exhaustion attacks. To protect against this exposure, administrators should ensure that access to the status page is limited to trusted IP addresses and secured with authentication mechanisms."
impact: "The impact of Apache Server Status Exposure can be significant, as unauthorized access to the status page allows attackers to gather detailed information about the server's performance and activity. This information can be leveraged to identify vulnerabilities, enabling attackers to execute targeted attacks such as denial of service or exploit weaknesses in server configurations. Additionally, exposing performance metrics may lead to service disruptions, data breaches, and operational inefficiencies. The potential financial losses, reputational damage, and regulatory implications resulting from such exposure can have lasting effects on the organization’s credibility and security posture."
category:
name: SM
shortName: Misconfiguration
displayName: Security Misconfiguration (SM)
subCategory: APACHE_SERVER_STATUS
severity: MEDIUM
references:
- "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md"
cwe:
- CWE-200
- CWE-16
cve:
- CVE-2021-43798

api_selection_filters:
method:
neq: "OPTIONS"
response_code:
gte: 200
lt: 300
response_payload:
length:
gt: 0
url:
extract: urlVar
request_headers:
for_one:
key:
eq: "host"
value:
extract: hostHeaderVal
wordLists:
paths:
- '/server-info'
- '/server-status'
execute:
type: single
requests:
- req:
- modify_url: "${paths}"
- modify_method: GET
- replace_body: '{}'
validate:
response_code:
eq: 200
response_payload:
length:
gt: 0
contains_either:
- "Apache Server Status"
- "Apache Server Information"
contains_all:
- "Server Version"
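Review bot: the template probes both `/server-status` (mod_status) and `/server-info` (mod_info) but is named and described only as "Server Status Exposure"; `/server-info` dumps the loaded modules and their configuration directives, which is a distinct and arguably more sensitive finding than the status page, so either rename and describe the template to cover both pages or split mod_info into its own template with its own `impact`. Also, `contains_all: - "Server Version"` is applied to both pages; confirm against the Apache versions you target that the mod_info page carries that exact string, otherwise a `/server-info` hit will never validate. Minor: this is the only template in the PR with the `wordLists` block placed between `api_selection_filters` and `execute`; fine if the engine accepts it, but keep the ordering consistent with ApacheServerStatusLocalhost.yml.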
66 changes: 66 additions & 0 deletions Security-Misconfiguration/ApacheServerStatusLocalhost.yml
@@ -0,0 +1,66 @@
id: APACHE_SERVER_STATUS_LOCALHOST
info:
name: "Apache Server Status Exposure via localhost"
description: "This test refers to the unintended accessibility of the Apache server status page over a public network, despite it being intended for local access only. This status page provides detailed information about server performance, resource usage, and active connections, which can be valuable for monitoring but also poses a security risk if exposed externally. If unauthorized users can access this information, they may identify potential weaknesses in the server configuration or exploit vulnerabilities. To mitigate this risk, it is essential to restrict access to the status page using proper firewall rules or authentication mechanisms."
details: "Apache Server Status Exposure via localhost occurs when the Apache server status page, which is designed to provide insights into server performance and activity, is inadvertently made accessible from public networks instead of being restricted to local access. This status page reveals critical information, including server load, active requests, and resource usage metrics, which can aid attackers in identifying potential vulnerabilities. If exploited, attackers could craft targeted attacks based on the insights gained from this exposure. To prevent this risk, organizations should ensure that access to the status page is strictly limited to trusted IP addresses or protected by authentication mechanisms."
impact: "The impact of Apache Server Status Exposure via localhost can be significant, as unauthorized access to the server status page can provide attackers with valuable insights into the server's operational state and performance metrics. This information may be used to identify weaknesses in server configurations or exploit existing vulnerabilities, potentially leading to unauthorized access or denial of service attacks. Additionally, the exposure can result in data leakage about active connections and resource usage, increasing the risk of targeted attacks that could disrupt services or compromise sensitive information. Ultimately, such exposure may lead to operational downtime, financial losses, and reputational damage for the organization."
category:
name: SM
shortName: Misconfiguration
displayName: Security Misconfiguration (SM)
subCategory: APACHE_SERVER_STATUS_LOCALHOST
severity: MEDIUM
references:
- "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md"
cwe:
- CWE-200
- CWE-16
cve:
- CVE-2021-43798

api_selection_filters:
method:
neq: "OPTIONS"
response_code:
gte: 200
lt: 300
response_payload:
length:
gt: 0
url:
extract: urlVar
request_headers:
for_one:
key:
eq: "host"
value:
extract: hostHeaderVal
wordLists:
headersTest:
- Forwarded
- X-Client-IP
- X-Forwarded-By
- "X-Forwarded-For"
- "X-Forwarded-For-IP"
- "X-Forwarded-Host"
- "X-Host"
- "X-Originating-IP"
- "X-Remote-Addr"
- "X-Remote-IP"
- "X-True-IP"
execute:
type: single
requests:
- req:
- modify_url: "/server-status"
- modify_method: GET
- replace_body: '{}'
- add_header:
${headersTest}: 127.0.0.1
validate:
response_payload:
length:
gt: 0
contains_all:
- "Apache Server Status"
- "Server Version"
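Review bot: `validate` has no `response_code` check, unlike the other templates in this PR, so add `response_code: eq: 200` there. More importantly, a spoofed client-IP header is only evidence of misconfiguration if the plain `/server-status` request is denied and the request carrying e.g. `X-Forwarded-For: 127.0.0.1` succeeds; as written, a server that exposes `/server-status` to everyone will match this template and ApacheServerStatus.yml at the same time, producing a duplicate finding with a misleading "via localhost" label. If the engine supports a multi-request flow, send a baseline request without the header first and require it to fail; otherwise state in `details` that this finding is only meaningful when ApacheServerStatus.yml did not fire. Minor: the `headersTest` list mixes quoted and unquoted entries, and the `${headersTest}` placeholder is used in a header key position, so confirm that the template engine interpolates keys and not only values.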
52 changes: 52 additions & 0 deletions Security-Misconfiguration/ApacheYarnResourceManagerExpose.yml
@@ -0,0 +1,52 @@
id: APACHE_YARN_RESOURCEMANAGER_EXPOSE
info:
name: "Apache Yarn Resource Manager Exposure"
description: "This test refers to the unprotected access of the Yarn Resource Manager interface, which manages and allocates resources in a Hadoop cluster. When exposed to the internet without proper security measures, unauthorized users can gain access to critical cluster management functionalities and metrics. This vulnerability can lead to unauthorized resource manipulation, data theft, or disruption of services. To mitigate risks, it's essential to enforce strong authentication, use network restrictions, and secure the interface behind firewalls."
details: "Apache Yarn Resource Manager Exposure occurs when the Yarn Resource Manager interface is accessible without adequate security controls, such as authentication or IP whitelisting. This exposure allows unauthorized users to view sensitive resource allocation details, monitor running applications, and potentially modify cluster settings or configurations. Attackers could exploit this access to launch denial-of-service attacks or manipulate resource allocations to disrupt Hadoop operations. To protect against this exposure, organizations should implement strong access controls, use encryption, and restrict access to trusted IP addresses or networks."
impact: "The impact of Apache Yarn Resource Manager Exposure can be substantial, as unauthorized access may allow attackers to manipulate resource allocations and disrupt critical Hadoop operations. This could lead to performance degradation, denial of service, and potential data loss if resources are mismanaged or maliciously altered. Additionally, attackers gaining insight into cluster metrics and configurations could exploit vulnerabilities in running applications, resulting in further security breaches and significant financial and operational repercussions for the organization."
category:
name: SM
shortName: Misconfiguration
displayName: Security Misconfiguration (SM)
subCategory: APACHE_YARN_RESOURCEMANAGER_EXPOSE
severity: MEDIUM
references:
- "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md"
cwe:
- CWE-200
- CWE-16
cve:
- CVE-2021-43798

api_selection_filters:
method:
neq: "OPTIONS"
response_code:
gte: 200
lt: 300
response_payload:
length:
gt: 0
url:
extract: urlVar
request_headers:
for_one:
key:
eq: "host"
value:
extract: hostHeaderVal
execute:
type: single
requests:
- req:
- modify_url: "/cluster/cluster"
- modify_method: GET
- replace_body: '{}'
validate:
response_payload:
length:
gt: 0
contains_all:
- 'hadoop'
- 'resourcemanager'
- 'logged in as: dr.who'
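Review bot: `validate` again lacks a `response_code` check; add `response_code: eq: 200` so that an error page that happens to mention `hadoop` is not counted. Of the three `contains_all` strings, `'logged in as: dr.who'` is the one that actually proves unauthenticated access (`dr.who` is the identity Hadoop's web UIs assign when no authentication filter is configured), so `details` should say that the test detects an unauthenticated ResourceManager UI rather than only talking about IP whitelisting. Also confirm whether `contains_all` is case-sensitive: as far as I recall the ResourceManager UI renders this as "Logged in as:" with a capital L, in which case the lowercase pattern would never match. The product name is "YARN" (Apache Hadoop YARN), not "Yarn", in `name`/`description`.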