From a5ea29b88d395f1fd87e2c3801dea0cf8aee98aa Mon Sep 17 00:00:00 2001
From: vmfunc
Date: Sat, 3 Jan 2026 00:54:53 -0800
Subject: [PATCH] feat: add built-in yaml modules for security scanning
---
 modules/http/lfi-basic.yaml | 49 ++++++++++++++++++++++
 modules/http/sqli-error.yaml | 66 ++++++++++++++++++++++++++++++
 modules/http/xss-reflected.yaml | 41 +++++++++++++++++++
 modules/info/cms-drupal.yaml | 35 ++++++++++++++++
 modules/info/cms-wordpress.yaml | 37 +++++++++++++++++
 modules/info/security-headers.yaml | 50 ++++++++++++++++++++++
 modules/recon/backup-files.yaml | 45 ++++++++++++++++++++
 modules/recon/git-exposed.yaml | 39 ++++++++++++++++++
 8 files changed, 362 insertions(+)
 create mode 100644 modules/http/lfi-basic.yaml
 create mode 100644 modules/http/sqli-error.yaml
 create mode 100644 modules/http/xss-reflected.yaml
 create mode 100644 modules/info/cms-drupal.yaml
 create mode 100644 modules/info/cms-wordpress.yaml
 create mode 100644 modules/info/security-headers.yaml
 create mode 100644 modules/recon/backup-files.yaml
 create mode 100644 modules/recon/git-exposed.yaml
diff --git a/modules/http/lfi-basic.yaml b/modules/http/lfi-basic.yaml
new file mode 100644
index 0000000..f12bac6
--- /dev/null
+++ b/modules/http/lfi-basic.yaml
@@ -0,0 +1,49 @@
+# Basic LFI Detection Module
+
+id: lfi-basic
+info:
+ name: Basic LFI Detection
+ author: sif
+ severity: high
+ description: Detects basic Local File Inclusion vulnerabilities
+ tags: [lfi, injection, file-inclusion, owasp-top10]
+
+type: http
+
+http:
+ method: GET
+ paths:
+ - "{{BaseURL}}/?file={{payload}}"
+ - "{{BaseURL}}/?page={{payload}}"
+ - "{{BaseURL}}/?path={{payload}}"
+ - "{{BaseURL}}/?include={{payload}}"
+ - "{{BaseURL}}/?doc={{payload}}"
+ - "{{BaseURL}}/?template={{payload}}"
+
+ payloads:
+ - "../../../../../../../etc/passwd"
+ - "....//....//....//....//....//etc/passwd"
+ - "..%2f..%2f..%2f..%2f..%2fetc/passwd"
+ - "/etc/passwd"
+ - "../../../../../../../etc/shadow"
+ - "../../../../../../../windows/system32/drivers/etc/hosts"
+
+ threads: 10
+
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - "root:.*:0:0:"
+ - "daemon:.*:1:1:"
+ - "nobody:.*:65534:"
+ - "127\\.0\\.0\\.1\\s+localhost"
+ condition: or
+
+ extractors:
+ - type: regex
+ name: detected_file
+ part: body
+ regex:
+ - "(root|daemon|nobody):.*:[0-9]+:[0-9]+:"
+ group: 0
diff --git a/modules/http/sqli-error.yaml b/modules/http/sqli-error.yaml
new file mode 100644
index 0000000..2b69cf8
--- /dev/null
+++ b/modules/http/sqli-error.yaml
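Review bot: The detected_file extractor uses `group: 0`, so it records the entire matched line, and for the `/etc/shadow` payload in the payloads list that means password-hash fields are written into scan results and whatever report or log store they feed. The passwd payloads already evidence the file read, so `- "../../../../../../../etc/shadow"` can be dropped, and the extractor should keep only the account name with `group: 1`. The `127\\.0\\.0\\.1\\s+localhost` pattern is matched against any response body and may fire on pages that simply print a hosts-style line, so it should be treated as lower-confidence than the passwd patterns, ideally with a comment saying so.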
@@ -0,0 +1,66 @@
+# SQL Injection Error-Based Detection Module
+
+id: sqli-error-based
+info:
+ name: SQL Injection (Error-Based)
+ author: sif
+ severity: high
+ description: Detects SQL injection via database error messages
+ tags: [sqli, injection, database, owasp-top10]
+
+type: http
+
+http:
+ method: GET
+ paths:
+ - "{{BaseURL}}/?id={{payload}}"
+ - "{{BaseURL}}/?user={{payload}}"
+ - "{{BaseURL}}/?search={{payload}}"
+ - "{{BaseURL}}/?q={{payload}}"
+ - "{{BaseURL}}/?query={{payload}}"
+ - "{{BaseURL}}/?cat={{payload}}"
+
+ payloads:
+ - "'"
+ - "''"
+ - "1'"
+ - "1' OR '1'='1"
+ - "1' OR '1'='1'--"
+ - "1' OR '1'='1'/*"
+ - "1; DROP TABLE--"
+ - "' UNION SELECT NULL--"
+ - "1 AND 1=1"
+ - "1 AND 1=2"
+
+ threads: 10
+
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - "SQL syntax.*MySQL"
+ - "Warning.*mysql_"
+ - "MySqlException"
+ - "valid MySQL result"
+ - "ORA-[0-9]+"
+ - "Oracle.*Driver"
+ - "Oracle.*Error"
+ - "PostgreSQL.*ERROR"
+ - "pg_query.*failed"
+ - "Microsoft SQL Server"
+ - "ODBC SQL Server Driver"
+ - "SQLite3::"
+ - "sqlite_query"
+ - "SQLite/JDBCDriver"
+ - "SQL Server.*Driver"
+ - "Unclosed quotation mark"
+ - "quoted string not properly terminated"
+ condition: or
+
+ extractors:
+ - type: regex
+ name: db_type
+ part: body
+ regex:
+ - "(MySQL|PostgreSQL|Oracle|MSSQL|SQLite|MariaDB)"
+ group: 1
diff --git a/modules/http/xss-reflected.yaml b/modules/http/xss-reflected.yaml
new file mode 100644
index 0000000..4d48774
--- /dev/null
+++ b/modules/http/xss-reflected.yaml
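Review bot: `- "1; DROP TABLE--"` is a destructive statement in a module whose only job is to provoke a database error message, and `- "' UNION SELECT NULL--"` likewise goes beyond what error-based detection needs; the quote-only payloads at the top of the list already produce the syntax errors the matchers look for, so a detection module should carry neither. The db_type extractor `(MySQL|PostgreSQL|Oracle|MSSQL|SQLite|MariaDB)` runs over the whole body independently of the error-message matcher, so a page that merely mentions one of these products in prose will label the finding with that engine; tying the extractor to the same error fragments (for example `ORA-[0-9]+` or `SQL syntax.*MySQL`) would make the label trustworthy.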
@@ -0,0 +1,41 @@
+# Reflected XSS Detection Module
+
+id: xss-reflected
+info:
+ name: Reflected XSS Detection
+ author: sif
+ severity: medium
+ description: Detects reflected Cross-Site Scripting vulnerabilities
+ tags: [xss, injection, javascript, owasp-top10]
+
+type: http
+
+http:
+ method: GET
+ paths:
+ - "{{BaseURL}}/?q={{payload}}"
+ - "{{BaseURL}}/?search={{payload}}"
+ - "{{BaseURL}}/?name={{payload}}"
+ - "{{BaseURL}}/?input={{payload}}"
+ - "{{BaseURL}}/?message={{payload}}"
+ - "{{BaseURL}}/?text={{payload}}"
+
+ payloads:
+ - ""
+ - "'>"
+ - "\">"
+ - ""
+ - ""
+ - "javascript:alert('XSS')"
+ - ""
+
+ threads: 10
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - ""
+ - ""
+ - ""
+ condition: or
diff --git a/modules/info/cms-drupal.yaml b/modules/info/cms-drupal.yaml
new file mode 100644
index 0000000..0fa6bec
--- /dev/null
+++ b/modules/info/cms-drupal.yaml
@@ -0,0 +1,35 @@
+# Drupal CMS Detection Module
+
+id: cms-drupal
+info:
+ name: Drupal Detection
+ author: sif
+ severity: info
+ description: Detects Drupal CMS installations
+ tags: [cms, drupal, detection, info]
+
+type: http
+
+http:
+ method: GET
+ paths:
+ - "{{BaseURL}}"
+
+ matchers:
+ - type: word
+ part: all
+ words:
+ - "Drupal.settings"
+ - "X-Drupal-Cache"
+ - "/sites/default/files"
+ - "drupal.js"
+ condition: or
+
+ extractors:
+ - type: regex
+ name: drupal_version
+ part: body
+ regex:
+ - 'Drupal ([0-9.]+)'
+ - 'content="Drupal ([0-9.]+)"'
+ group: 1
diff --git a/modules/info/cms-wordpress.yaml b/modules/info/cms-wordpress.yaml
new file mode 100644
index 0000000..2eb4af3
--- /dev/null
+++ b/modules/info/cms-wordpress.yaml
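Review bot: As the patch reads here, four of the seven entries under `payloads:` and all three entries under `words:` are the empty string `""`; an empty word is contained in every response body, so with `condition: or` this module reports reflected XSS on every target it touches. Whether the markup was stripped in transit or was never there, the matcher should look for a string unique to the request (a per-scan random token carried by the payload) rather than a generic fragment, otherwise any page that legitimately contains that fragment also matches. A `part: body` word match also says nothing about whether the reflection lands in an unescaped context, so `description: Detects reflected Cross-Site Scripting vulnerabilities` overstates what the matcher proves; `Detects unescaped reflection of request parameters` would be accurate.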
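Review bot: The two drupal_version patterns are mismatched in precision: `'content="Drupal ([0-9.]+)"'` requires the closing quote right after the version, which I believe Drupal's generator meta does not produce (it appends a URL in parentheses after the number — verify against a live install), while the looser `'Drupal ([0-9.]+)'` fires on any prose such as a blog post mentioning "Drupal 9" and sets the version from it. A single pattern anchored to the meta attribute but without the trailing quote, `- 'content="Drupal ([0-9.]+)'`, gives both precision and a match on the real tag. The word matcher uses `part: all` so that `X-Drupal-Cache` can be found in the response headers; whether this engine's `all` covers headers is not visible from the patch, so that assumption deserves a comment on the matcher.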
@@ -0,0 +1,37 @@
+# WordPress CMS Detection Module
+
+id: cms-wordpress
+info:
+ name: WordPress Detection
+ author: sif
+ severity: info
+ description: Detects WordPress CMS installations
+ tags: [cms, wordpress, detection, info]
+
+type: http
+
+http:
+ method: GET
+ paths:
+ - "{{BaseURL}}"
+ - "{{BaseURL}}/wp-login.php"
+ - "{{BaseURL}}/wp-admin/"
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "wp-content"
+ - "wp-includes"
+ - "wp-json"
+ - "wordpress"
+ condition: or
+
+ extractors:
+ - type: regex
+ name: wp_version
+ part: body
+ regex:
+ - 'content="WordPress ([0-9.]+)"'
+ - 'wp-includes/js/wp-embed.min.js\?ver=([0-9.]+)'
+ group: 1
diff --git a/modules/info/security-headers.yaml b/modules/info/security-headers.yaml
new file mode 100644
index 0000000..b3046b8
--- /dev/null
+++ b/modules/info/security-headers.yaml
@@ -0,0 +1,50 @@
+# Security Headers Check Module
+# Checks for missing or misconfigured security headers
+
+id: security-headers
+info:
+ name: Security Headers Analysis
+ author: sif
+ severity: info
+ description: Checks for presence and configuration of security headers
+ tags: [headers, security, info, owasp]
+
+type: http
+
+http:
+ method: GET
+ paths:
+ - "{{BaseURL}}"
+
+ matchers:
+ - type: regex
+ part: header
+ regex:
+ - "X-Frame-Options"
+ - "X-Content-Type-Options"
+ - "Strict-Transport-Security"
+ - "Content-Security-Policy"
+ - "X-XSS-Protection"
+ condition: or
+
+ extractors:
+ - type: regex
+ name: x_frame_options
+ part: header
+ regex:
+ - "X-Frame-Options: (.+)"
+ group: 1
+
+ - type: regex
+ name: content_security_policy
+ part: header
+ regex:
+ - "Content-Security-Policy: (.+)"
+ group: 1
+
+ - type: regex
+ name: strict_transport_security
+ part: header
+ regex:
+ - "Strict-Transport-Security: (.+)"
+ group: 1
diff --git a/modules/recon/backup-files.yaml b/modules/recon/backup-files.yaml
new file mode 100644
index 0000000..249766d
--- /dev/null
+++ b/modules/recon/backup-files.yaml
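Review bot: The word `wordpress` under `words:` matches any page that merely mentions the product (a news article, a hosting provider's marketing page), and with `condition: or` that alone produces a finding, whereas `wp-content`, `wp-includes` and `wp-json` are path fragments that actually evidence an installation; dropping `- "wordpress"` removes most of the false positives. If the engine's word matcher is case-sensitive, the lowercase `wordpress` would in any case miss the `WordPress` spelling in the generator meta that the wp_version extractor already handles. The extractor patterns are single-quoted so `\?` reaches the regex engine literally, which is correct but differs from the neighbouring modules' double-quoted `\\` escaping; a one-line comment above `regex:` saying why would save the next editor from "fixing" it.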
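Review bot: The matcher contradicts the file's own header comment `# Checks for missing or misconfigured security headers`: with `condition: or` it fires when any one of the five headers is present, so a site with a full set of headers is reported and a site with none stays silent, the opposite of what a defender wants from this module. If the engine supports negated matchers the intent is expressed as `negative: true` together with `condition: and` (report when all are absent); otherwise each header needs its own matcher so the absence of a specific one can be reported — confirm which form this engine accepts. Header names are case-insensitive on the wire and HTTP/2 servers emit them lowercase, so the matcher and the three extractors should be case-insensitive, for example `- "(?i)strict-transport-security: (.+)"`, assuming the regex dialect accepts inline flags. `X-XSS-Protection` is deprecated and its presence is no longer a positive signal; either drop it or note that in the comment.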
@@ -0,0 +1,45 @@
+# Backup Files Detection Module
+
+id: backup-files
+info:
+ name: Backup Files Detection
+ author: sif
+ severity: medium
+ description: Detects common backup files that may expose sensitive information
+ tags: [backup, exposure, misconfiguration, recon]
+
+type: http
+
+http:
+ method: GET
+ paths:
+ - "{{BaseURL}}/backup.sql"
+ - "{{BaseURL}}/backup.zip"
+ - "{{BaseURL}}/backup.tar.gz"
+ - "{{BaseURL}}/database.sql"
+ - "{{BaseURL}}/db.sql"
+ - "{{BaseURL}}/dump.sql"
+ - "{{BaseURL}}/.env"
+ - "{{BaseURL}}/.env.backup"
+ - "{{BaseURL}}/config.php.bak"
+ - "{{BaseURL}}/web.config.bak"
+ - "{{BaseURL}}/wp-config.php.bak"
+ - "{{BaseURL}}/settings.py.bak"
+
+ threads: 5
+
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: regex
+ part: body
+ regex:
+ - "CREATE TABLE"
+ - "INSERT INTO"
+ - "DB_PASSWORD"
+ - "APP_KEY"
+ - "SECRET_KEY"
+ - "database_password"
+ condition: or
diff --git a/modules/recon/git-exposed.yaml b/modules/recon/git-exposed.yaml
new file mode 100644
index 0000000..b00dfbc
--- /dev/null
+++ b/modules/recon/git-exposed.yaml
@@ -0,0 +1,39 @@
+# Exposed Git Repository Detection Module
+
+id: git-exposed
+info:
+ name: Exposed Git Repository
+ author: sif
+ severity: high
+ description: Detects exposed .git directories that may leak source code
+ tags: [git, exposure, source-code, misconfiguration]
+
+type: http
+
+http:
+ method: GET
+ paths:
+ - "{{BaseURL}}/.git/HEAD"
+ - "{{BaseURL}}/.git/config"
+ - "{{BaseURL}}/.git/index"
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "ref: refs/"
+ - "[core]"
+ - "repositoryformatversion"
+ condition: or
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ name: git_branch
+ part: body
+ regex:
+ - "ref: refs/heads/(.+)"
+ group: 1
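Review bot: The two matchers (`type: status` for 200 and the body regex) are listed with no `matchers-condition`, and if this engine defaults to OR as nuclei does, any 200 response — a soft-404 page, a catch-all route, a CDN landing page — is reported as a medium finding for `/.env` or `/backup.sql` without any content check; the same construction appears in git-exposed, where the trailing status-200 matcher turns every soft-404 into a high-severity finding. Adding `matchers-condition: and` (or this engine's equivalent — confirm) so that both the status and the content pattern must hold fixes both modules. The body patterns `CREATE TABLE` and `INSERT INTO` are generic enough to appear in documentation pages, so a content-only match is not sufficient on its own either, which is why the conjunction matters.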
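Review bot: The `/.git/index` path can never satisfy the word matcher: the index is a binary file and none of `ref: refs/`, `[core]` or `repositoryformatversion` occur in it, so it only ever yields hits through the bare status-200 matcher, adding a request per target and no signal; either drop `- "{{BaseURL}}/.git/index"` or give it a matcher of its own. The git_branch extractor `ref: refs/heads/(.+)` will capture a trailing carriage return when the file is served with CRLF line endings, since `.` matches `\r`; `ref: refs/heads/([^\\s]+)` keeps the extracted value clean. The severity of `high` is appropriate, but the description should say the module only checks reachability of three well-known files and does not confirm that the object store is downloadable.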