diff --git a/src/HaENet/sources/src/main/java/hae/component/Config.java b/src/HaENet/sources/src/main/java/hae/component/Config.java index 2dc8635..8ff606b 100644 --- a/src/HaENet/sources/src/main/java/hae/component/Config.java +++ b/src/HaENet/sources/src/main/java/hae/component/Config.java @@ -468,7 +468,7 @@ private void reinitActionPerformed(ActionEvent e) { JOptionPane.YES_NO_OPTION ); if (retCode == JOptionPane.YES_OPTION) { - boolean ret = configLoader.initRules(); + boolean ret = configLoader.initTemplates(); if (ret) { rules.reloadRuleGroup(); } diff --git a/src/HaENet/sources/src/main/java/hae/utils/ConfigLoader.java b/src/HaENet/sources/src/main/java/hae/utils/ConfigLoader.java index 630da8a..2587433 100644 --- a/src/HaENet/sources/src/main/java/hae/utils/ConfigLoader.java +++ b/src/HaENet/sources/src/main/java/hae/utils/ConfigLoader.java @@ -21,7 +21,7 @@ public class ConfigLoader { private final MontoyaApi api; private final Yaml yaml; private final String configFilePath; - private final String rulesFilePath; + private final String templatesPath; private volatile Map configCache; public ConfigLoader(MontoyaApi api) { @@ -30,7 +30,7 @@ public ConfigLoader(MontoyaApi api) { String configPath = determineConfigPath(); this.configFilePath = String.format("%s/%s", configPath, "Config.yml"); - this.rulesFilePath = String.format("%s/%s", configPath, "Rules.yml"); + this.templatesPath = String.format("%s/%s", configPath, "templates"); // 构造函数,初始化配置 File configDir = new File(configPath); @@ -43,9 +43,9 @@ public ConfigLoader(MontoyaApi api) { initConfig(); } - File rulesFilePath = new File(this.rulesFilePath); - if (!(rulesFilePath.exists() && rulesFilePath.isFile())) { - initRules(); + File templatesDir = new File(this.templatesPath); + if (!(templatesDir.exists() && templatesDir.isDirectory())) { + initTemplates(); } } @@ -118,49 +118,85 @@ public void initConfig() { } public String getRulesFilePath() { - return rulesFilePath; + return templatesPath; + } + + public String getTemplatesPath() { + return templatesPath; } - // 获取规则配置 public Map> getRules() { - Map> rules = new HashMap<>(); + File templatesDir = new File(templatesPath); + if (!templatesDir.exists()) { + templatesDir.mkdirs(); + } + return loadRulesFromTemplates(templatesDir); + } - try { - InputStream inputStream = Files.newInputStream( - Paths.get(getRulesFilePath()) - ); - Map rulesMap = yaml.load(inputStream); - - Object rulesObj = rulesMap.get("rules"); - if (rulesObj instanceof List) { - List> groupData = (List< - Map - >) rulesObj; - for (Map groupFields : groupData) { - List data = new ArrayList<>(); - - Object ruleObj = groupFields.get("rule"); - if (ruleObj instanceof List) { - List> ruleData = (List< - Map - >) ruleObj; - for (Map ruleFields : ruleData) { - data.add(RuleDefinition.fromYamlMap(ruleFields)); - } - } + private Map> loadRulesFromTemplates(File templatesDir) { + Map> rules = new LinkedHashMap<>(); + + File[] groupDirs = templatesDir.listFiles(File::isDirectory); + if (groupDirs == null) return rules; - rules.put(groupFields.get("group").toString(), data); + for (File groupDir : groupDirs) { + String groupName = groupDirToName(groupDir.getName()); + List groupRules = new ArrayList<>(); + + File[] yamlFiles = groupDir.listFiles(f -> f.getName().endsWith(".yaml") || f.getName().endsWith(".yml")); + if (yamlFiles == null) continue; + + for (File yamlFile : yamlFiles) { + try (InputStream in = Files.newInputStream(yamlFile.toPath())) { + Map tmpl = yaml.load(in); + if (tmpl != null && tmpl.containsKey("file")) { + groupRules.add(RuleDefinition.fromTemplateYaml(tmpl, groupName)); + } + } catch (Exception e) { + api.logging().logToError("Failed to load template " + yamlFile.getName() + ": " + e.getMessage()); } } - return rules; - } catch (Exception e) { - api.logging().logToError("Failed to load rules: " + e.getMessage()); + if (!groupRules.isEmpty()) { + rules.put(groupName, groupRules); + } } return rules; } + private static String groupDirToName(String dirName) { + switch (dirName) { + case "fingerprint": return "Fingerprint"; + case "vulnerability": return "Maybe Vulnerability"; + case "basic-info": return "Basic Information"; + case "sensitive-info": return "Sensitive Information"; + case "other": return "Other"; + default: + StringBuilder sb = new StringBuilder(); + for (String part : dirName.split("-")) { + if (!part.isEmpty()) { + sb.append(Character.toUpperCase(part.charAt(0))); + sb.append(part.substring(1)); + sb.append(' '); + } + } + return sb.toString().trim(); + } + } + + public static String groupNameToDir(String groupName) { + switch (groupName) { + case "Fingerprint": return "fingerprint"; + case "Maybe Vulnerability": return "vulnerability"; + case "Basic Information": return "basic-info"; + case "Sensitive Information": return "sensitive-info"; + case "Other": return "other"; + default: + return groupName.toLowerCase().replace(' ', '-'); + } + } + public String getBlockHost() { return getValueFromConfig("BlockHost", AppConstants.host); } @@ -277,40 +313,47 @@ private Map loadCurrentConfig() { } } - public boolean initRules() { - boolean ret = copyRulesToFile(this.rulesFilePath); - if (!ret) { - api.extension().unload(); - } - return ret; - } - - private boolean copyRulesToFile(String targetFilePath) { - InputStream inputStream = getClass() - .getClassLoader() - .getResourceAsStream("rules/Rules.yml"); - File targetFile = new File(targetFilePath); + public boolean initTemplates() { + String[] groups = {"fingerprint", "vulnerability", "basic-info", "sensitive-info", "other"}; + boolean success = true; - try ( - inputStream; - OutputStream outputStream = new FileOutputStream(targetFile) - ) { - if (inputStream != null) { - byte[] buffer = new byte[1024]; - int length; + for (String group : groups) { + File groupDir = new File(templatesPath, group); + if (!groupDir.exists()) { + groupDir.mkdirs(); + } - while ((length = inputStream.read(buffer)) > 0) { - outputStream.write(buffer, 0, length); + String resourceBase = "templates/" + group + "/"; + try { + InputStream indexStream = getClass().getClassLoader().getResourceAsStream(resourceBase + "index.txt"); + if (indexStream == null) continue; + + String content = new String(indexStream.readAllBytes(), StandardCharsets.UTF_8); + for (String fileName : content.split("\n")) { + fileName = fileName.trim(); + if (fileName.isEmpty()) continue; + + InputStream fileStream = getClass().getClassLoader().getResourceAsStream(resourceBase + fileName); + if (fileStream == null) continue; + + File target = new File(groupDir, fileName); + try (fileStream; OutputStream out = new FileOutputStream(target)) { + byte[] buffer = new byte[1024]; + int len; + while ((len = fileStream.read(buffer)) > 0) { + out.write(buffer, 0, len); + } + } } - - return true; + } catch (Exception e) { + api.logging().logToError("Failed to init templates for " + group + ": " + e.getMessage()); + success = false; } - } catch (Exception e) { - api - .logging() - .logToError("Failed to copy rules file: " + e.getMessage()); } - return false; + if (!success) { + api.logging().logToError("Template init failed"); + } + return success; } } diff --git a/src/HaENet/sources/src/main/java/hae/utils/rule/RuleProcessor.java b/src/HaENet/sources/src/main/java/hae/utils/rule/RuleProcessor.java index 0bf087f..0929f7b 100644 --- a/src/HaENet/sources/src/main/java/hae/utils/rule/RuleProcessor.java +++ b/src/HaENet/sources/src/main/java/hae/utils/rule/RuleProcessor.java @@ -5,22 +5,16 @@ import hae.cache.DataCache; import hae.repository.RuleRepository; import hae.utils.ConfigLoader; -import hae.utils.rule.model.Group; import hae.utils.rule.model.RuleDefinition; import org.yaml.snakeyaml.DumperOptions; import org.yaml.snakeyaml.Yaml; import org.yaml.snakeyaml.representer.Representer; import java.io.File; -import java.io.OutputStreamWriter; import java.io.Writer; import java.nio.charset.StandardCharsets; import java.nio.file.Files; -import java.util.ArrayList; -import java.util.LinkedHashMap; -import java.util.List; -import java.util.Map; -import java.util.stream.Collectors; +import java.util.*; public class RuleProcessor { private final MontoyaApi api; @@ -36,30 +30,54 @@ public RuleProcessor(MontoyaApi api, ConfigLoader configLoader, RuleRepository r public void rulesFormatAndSave() { DataCache.clear(); + String templatesPath = configLoader.getTemplatesPath(); + File templatesDir = new File(templatesPath); + if (!templatesDir.exists()) { + templatesDir.mkdirs(); + } + saveAsTemplates(templatesDir); + } + + private void saveAsTemplates(File templatesDir) { DumperOptions dop = new DumperOptions(); dop.setDefaultFlowStyle(DumperOptions.FlowStyle.BLOCK); Representer representer = new Representer(dop); Yaml yaml = new Yaml(representer, dop); - List ruleGroupList = new ArrayList<>(); - - ruleRepository.getAll().forEach((k, v) -> - ruleGroupList.add(new Group(k, v)) - ); - - List> outputGroupsMap = ruleGroupList.stream() - .map(Group::getFields) - .collect(Collectors.toList()); - - Map outputMap = new LinkedHashMap<>(); - outputMap.put("rules", outputGroupsMap); + Set writtenFiles = new java.util.HashSet<>(); + + ruleRepository.getAll().forEach((groupName, rules) -> { + String dirName = ConfigLoader.groupNameToDir(groupName); + File groupDir = new File(templatesDir, dirName); + if (!groupDir.exists()) { + groupDir.mkdirs(); + } + + for (RuleDefinition rule : rules) { + Map tmpl = rule.toTemplateYaml(groupName); + String fileName = slugify(rule.getName()) + ".yaml"; + File targetFile = new File(groupDir, fileName); + writtenFiles.add(targetFile.getAbsolutePath()); + + try (Writer writer = new java.io.OutputStreamWriter( + Files.newOutputStream(targetFile.toPath()), StandardCharsets.UTF_8)) { + yaml.dump(tmpl, writer); + } catch (Exception e) { + api.logging().logToError("Failed to save template " + fileName + ": " + e.getMessage()); + } + } + }); + } - File rulesFile = new File(configLoader.getRulesFilePath()); - try (Writer writer = new OutputStreamWriter(Files.newOutputStream(rulesFile.toPath()), StandardCharsets.UTF_8)) { - yaml.dump(outputMap, writer); - } catch (Exception e) { - api.logging().logToError("Failed to save rules file: " + e.getMessage()); + private static String slugify(String s) { + if (s == null) return "unknown"; + StringBuilder sb = new StringBuilder(s.length()); + for (char c : s.toCharArray()) { + if ((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '-') sb.append(c); + else if (c >= 'A' && c <= 'Z') sb.append((char) (c + 32)); + else sb.append('-'); } + return sb.toString(); } public void changeRule(RuleDefinition rule, int select, String type) { diff --git a/src/HaENet/sources/src/main/resources/rules/Rules.yml b/src/HaENet/sources/src/main/resources/rules/Rules.yml deleted file mode 100644 index aa9bed0..0000000 --- a/src/HaENet/sources/src/main/resources/rules/Rules.yml +++ /dev/null @@ -1,370 +0,0 @@ -rules: - - group: Fingerprint - rule: - - name: Shiro - loaded: true - f_regex: (=deleteMe|rememberMe=) - s_regex: '' - format: '{0}' - color: green - scope: any header - engine: dfa - sensitive: true - - name: JSON Web Token - loaded: true - f_regex: (eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9._-]{10,}|eyJ[A-Za-z0-9_\/+-]{10,}\.[A-Za-z0-9._\/+-]{10,}) - s_regex: '' - format: '{0}' - color: green - scope: any - engine: nfa - sensitive: true - - name: Swagger UI - loaded: true - f_regex: ((swagger-ui.html)|(\"swagger\":)|(Swagger UI)|(swaggerUi)|(swaggerVersion)) - s_regex: '' - format: '{0}' - color: red - scope: response body - engine: dfa - sensitive: false - - name: Ueditor - loaded: true - f_regex: (ueditor\.(config|all)\.js) - s_regex: '' - format: '{0}' - color: green - scope: response body - engine: dfa - sensitive: false - - name: Druid - loaded: true - f_regex: (Druid Stat Index) - s_regex: '' - format: '{0}' - color: orange - scope: response body - engine: dfa - sensitive: false - - name: PDF.js Viewer - loaded: true - f_regex: (pdf.worker) - s_regex: '' - format: '{0}' - color: green - scope: response body - engine: dfa - sensitive: false - - name: Vite DevMode - loaded: true - f_regex: (/\@vite/client) - s_regex: '' - format: '{0}' - color: red - scope: response body - engine: dfa - sensitive: true - - group: Maybe Vulnerability - rule: - - name: Java Deserialization - loaded: true - f_regex: (javax\.faces\.ViewState) - s_regex: '' - format: '{0}' - color: yellow - scope: response body - engine: dfa - sensitive: false - - name: Debug Logic Parameters - loaded: true - f_regex: ((access=)|(adm=)|(admin=)|(alter=)|(cfg=)|(clone=)|(config=)|(create=)|(dbg=)|(debug=)|(delete=)|(disable=)|(edit=)|(enable=)|(exec=)|(execute=)|(grant=)|(load=)|(make=)|(modify=)|(rename=)|(reset=)|(root=)|(shell=)|(test=)|(toggl=)) - s_regex: '' - format: '{0}' - color: cyan - scope: request - engine: dfa - sensitive: false - - name: URL As A Value - loaded: true - f_regex: (=(https?)(://|%3a%2f%2f)) - s_regex: '' - format: '{0}' - color: cyan - scope: any - engine: nfa - sensitive: false - - name: Upload Form - loaded: true - f_regex: (type\=\"file\") - s_regex: '' - format: '{0}' - color: yellow - scope: response body - engine: dfa - sensitive: false - - name: DoS Paramters - loaded: true - f_regex: ((size=)|(page=)|(num=)|(limit=)|(start=)|(end=)|(count=)) - s_regex: '' - format: '{0}' - color: cyan - scope: request - engine: dfa - sensitive: false - - name: Passwd File - loaded: true - f_regex: (/root:/bin/bash) - s_regex: '' - format: '{0}' - color: red - scope: response body - engine: dfa - sensitive: true - - name: Win.ini File - loaded: true - f_regex: (for 16-bit app) - s_regex: '' - format: '{0}' - color: red - scope: response body - engine: dfa - sensitive: true - - group: Basic Information - rule: - - name: Email - loaded: true - f_regex: (\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,5}\b) - s_regex: ^((?!.*\.(jpg|jpeg|png|gif|bmp|webp|svg|tiff|ico?)$).*@.*\..*)$ - format: '{0}' - color: yellow - scope: response - engine: nfa - sensitive: false - - name: Chinese IDCard - loaded: true - f_regex: '[^0-9]((\d{8}(0\d|10|11|12)([0-2]\d|30|31)\d{3}$)|(\d{6}(18|19|20)\d{2}(0[1-9]|10|11|12)([0-2]\d|30|31)\d{3}(\d|X|x)))[^0-9]' - s_regex: '' - format: '{0}' - color: orange - scope: response body - engine: nfa - sensitive: true - - name: Chinese Mobile Number - loaded: true - f_regex: '[^\w]((?:(?:\+|0{0,2})86)?1(?:(?:3[\d])|(?:4[5-79])|(?:5[0-35-9])|(?:6[5-7])|(?:7[0-8])|(?:8[\d])|(?:9[189]))\d{8})[^\w]' - s_regex: '' - format: '{0}' - color: orange - scope: response body - engine: nfa - sensitive: false - - name: Internal IP Address - loaded: true - f_regex: '[^0-9]((127\.0\.0\.1)|(10\.\d{1,3}\.\d{1,3}\.\d{1,3})|(172\.((1[6-9])|(2\d)|(3[01]))\.\d{1,3}\.\d{1,3})|(192\.168\.\d{1,3}\.\d{1,3}))' - s_regex: '' - format: '{0}' - color: cyan - scope: response - engine: nfa - sensitive: true - - name: MAC Address - loaded: true - f_regex: (^([a-fA-F0-9]{2}(:[a-fA-F0-9]{2}){5})|[^a-zA-Z0-9]([a-fA-F0-9]{2}(:[a-fA-F0-9]{2}){5})) - s_regex: '' - format: '{0}' - color: green - scope: response - engine: nfa - sensitive: true - - group: Sensitive Information - rule: - - name: Cloud Key - loaded: true - f_regex: (((access)(|-|_)(key)(|-|_)(id|secret))|(LTAI[a-z0-9]{12,20})) - s_regex: '' - format: '{0}' - color: yellow - scope: any - engine: nfa - sensitive: false - - name: Windows File/Dir Path - loaded: true - f_regex: '[^\w]([a-zA-Z]:\\\\?(?:[^<>:/\\|?*]+\\\\?)*)([^<>:/\\|?*]+(?:\.[^<>:/\\|?*]+)?)' - s_regex: '' - format: '{0}' - color: green - scope: response - engine: nfa - sensitive: true - - name: Password Field - loaded: true - f_regex: (((|\\)(|'|")(|[\.\w]{1,32})([p](ass|wd|asswd|assword))(|[\.\w]{1,32})(|\\)(|'|")( - |)(:|[=]{1,3}|![=]{1,2}|[\)]{0,1}\.val\()( |)(|\\)('|")([^'"]+?)(|\\)('|")(|,|\)))|((|\\)('|")([^'"]+?)(|\\)('|")(|\\)(|'|")( - |)(:|[=]{1,3}|![=]{1,2})( |)(|[\.\w]{1,32})([p](ass|wd|asswd|assword))(|[\.\w]{1,32})(|\\)(|'|"))) - s_regex: '' - format: '{0}' - color: yellow - scope: response body - engine: nfa - sensitive: false - - name: Username Field - loaded: true - f_regex: (((|\\)(|'|")(|[\.\w]{1,32})(([u](ser|name|sername))|(account)|((((create|update)((d|r)|(by|on|at)))|(creator))))(|[\.\w]{1,32})(|\\)(|'|")( - |)(:|[=]{1,3}|![=]{1,2}|[\)]{0,1}\.val\()( |)(|\\)('|")([^'"]+?)(|\\)('|")(|,|\)))|((|\\)('|")([^'"]+?)(|\\)('|")(|\\)(|'|")( - |)(:|[=]{1,3}|![=]{1,2})( |)(|[\.\w]{1,32})(([u](ser|name|sername))|(account)|((((create|update)((d|r)|(by|on|at)))|(creator))))(|[\.\w]{1,32})(|\\)(|'|"))) - s_regex: '' - format: '{0}' - color: green - scope: response body - engine: nfa - sensitive: false - - name: WeCom Key - loaded: true - f_regex: ((corp)(id|secret)) - s_regex: '' - format: '{0}' - color: green - scope: response body - engine: dfa - sensitive: false - - name: JDBC Connection - loaded: true - f_regex: (jdbc:[a-z:]+://[a-z0-9\.\-_:;=/@?,&]+) - s_regex: '' - format: '{0}' - color: yellow - scope: any - engine: nfa - sensitive: false - - name: Authorization Header - loaded: true - f_regex: ((basic [a-z0-9=:_\+\/-]{5,100})|(bearer [a-z0-9_.=:_\+\/-]{5,100})) - s_regex: '' - format: '{0}' - color: yellow - scope: response body - engine: nfa - sensitive: false - - name: Sensitive Field - loaded: true - f_regex: (((|\\)(|'|")(|[\.\w]{1,32})(key|secret|token|config|auth|access|admin|ticket)(|[\.\w]{1,32})(|\\)(|'|")( - |)(:|[=]{1,3}|![=]{1,2}|[\)]{0,1}\.val\()( |)(|\\)('|")([^'"]+?)(|\\)('|")(|,|\)))|((|\\)('|")([^'"]+?)(|\\)('|")(|\\)(|'|")( - |)(:|[=]{1,3}|![=]{1,2})( |)(|[\.\w]{1,32})(key|secret|token|config|auth|access|admin|ticket)(|[\.\w]{1,32})(|\\)(|'|"))) - s_regex: '' - format: '{0}' - color: yellow - scope: response - engine: nfa - sensitive: false - - name: Mobile Number Field - loaded: true - f_regex: (((|\\)(|'|")(|[\.\w]{1,32})(mobile|phone|sjh|shoujihao|concat)(|[\.\w]{1,32})(|\\)(|'|")( - |)(:|[=]{1,3}|![=]{1,2}|[\)]{0,1}\.val\()( |)(|\\)('|")([^'"]+?)(|\\)('|")(|,|\)))|((|\\)('|")([^'"]+?)(|\\)('|")(|\\)(|'|")( - |)(:|[=]{1,3}|![=]{1,2})( |)(|[\.\w]{1,32})(mobile|phone|sjh|shoujihao|concat)(|[\.\w]{1,32})(|\\)(|'|"))) - s_regex: '' - format: '{0}' - color: green - scope: response body - engine: nfa - sensitive: false - - name: Userinfo In Link - loaded: true - f_regex: (?:"|'|\`)(((?:[a-zA-Z]{1,10}://|//)[^"'/]{1,}\.[a-zA-Z]{2,}[^"']{0,})|((?:/|\.\./|\./)[^"'><,;|*()(%%$^/\\\[\]][^"'><,;|()]{1,})|([a-zA-Z0-9_\-/]{1,}/[a-zA-Z0-9_\-/]{1,}\.(?:[a-zA-Z]{1,4}|action)(?:[\?|#][^"|']{0,}|))|([a-zA-Z0-9_\-/]{1,}/[a-zA-Z0-9_\-/]{3,}(?:[\?|#][^"|']{0,}|))|([a-zA-Z0-9_\-]{1,}\.(?:\w)(?:[\?|#][^"|']{0,}|)))(?:"|'|\`) - s_regex: ((([p](ass|wd|asswd|assword))|(([u](ser|name|sername))|(account)|((((create|update)((d|r)|(by|on|at)))|(creator)))))=[\.\w]{1,32}) - format: '{0}' - color: green - scope: response body - engine: nfa - sensitive: false - - name: User Identity - loaded: true - f_regex: (\b(?:(localStorage|sessionStorage)\.(setItem|getItem)|setCookie|Cookies\.set)\s*\(\s*['"](.+?)['"].*?) - s_regex: '' - format: '{0}' - color: green - scope: response body - engine: nfa - sensitive: false - - group: Other - rule: - - name: Linkfinder - loaded: true - f_regex: (?:"|'|\`)(((?:[a-zA-Z]{1,10}://|//)[^"'/]{1,}\.[a-zA-Z]{2,}[^"']{0,})|((?:/|\.\./|\./)[^"'><,;|*()(%%$^/\\\[\]][^"'><,;|()]{1,})|([a-zA-Z0-9_\-/]{1,}/[a-zA-Z0-9_\-/]{1,}\.(?:[a-zA-Z]{1,4}|action)(?:[\?|#][^"|']{0,}|))|([a-zA-Z0-9_\-/]{1,}/[a-zA-Z0-9_\-/]{3,}(?:[\?|#][^"|']{0,}|))|([a-zA-Z0-9_\-]{1,}\.(?:\w)(?:[\?|#][^"|']{0,}|)))(?:"|'|\`) - s_regex: '' - format: '{0}' - color: gray - scope: response body - engine: nfa - sensitive: true - - name: Source Map - loaded: true - f_regex: (\.js\.map) - s_regex: '' - format: '{0}' - color: pink - scope: response body - engine: dfa - sensitive: false - - name: Create Script - loaded: true - f_regex: (\{[^{}]*\}\s*\[[^\s]*\]\s*\+\s*"[^\s]*\.js") - s_regex: '"?([\w].*?)"?:"(.*?)"' - format: '{0}.{1}' - color: green - scope: response body - engine: nfa - sensitive: false - - name: URL Schemes - loaded: true - f_regex: (\b(?![\w]{0,10}?https?://)(([A-Za-z0-9-\.]{1,20})://([-\w+&@#/%?=~_|!:,.;]*[-\w+&@#/%=~_|])?)) - s_regex: '' - format: '{0}' - color: yellow - scope: response body - engine: nfa - sensitive: false - - name: Router Push - loaded: true - f_regex: (\$router\.push) - s_regex: '' - format: '{0}' - color: magenta - scope: response body - engine: dfa - sensitive: false - - name: All URL - loaded: true - f_regex: (https?://[-A-Za-z0-9+&@#/%?=~_|!:,.;\u4E00-\u9FFF]+[-A-Za-z0-9+&@#/%=~_|]) - s_regex: '' - format: '{0}' - color: gray - scope: response body - engine: nfa - sensitive: true - - name: Request URI - loaded: false - f_regex: ' ((?!.*\.js(\?.*)?$)(.*?[^.js$])) ' - s_regex: '' - format: '{0}' - color: gray - scope: request line - engine: nfa - sensitive: false - - name: 302 Location - loaded: true - f_regex: 'Location: ([^\r\n]*)' - s_regex: '' - format: '{0}' - color: gray - scope: response header - engine: nfa - sensitive: false - - name: OSKeys - loaded: true - f_regex: (.*?) - s_regex: '' - format: '{0}' - color: gray - scope: response body - engine: nfa - sensitive: true diff --git a/src/HaENet/sources/src/main/resources/templates/basic-info/chinese-idcard.yaml b/src/HaENet/sources/src/main/resources/templates/basic-info/chinese-idcard.yaml new file mode 100644 index 0000000..ce179e9 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/basic-info/chinese-idcard.yaml @@ -0,0 +1,22 @@ +id: hae-chinese-idcard + +info: + name: Chinese IDCard + severity: high + description: Extract Chinese national ID card numbers + tags: hae, basic-info + metadata: + color: orange + scope: response body + engine: nfa + sensitive: true + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: chinese-idcard + regex: + - '[^0-9]((\d{8}(0\d|10|11|12)([0-2]\d|30|31)\d{3}$)|(\d{6}(18|19|20)\d{2}(0[1-9]|10|11|12)([0-2]\d|30|31)\d{3}(\d|X|x)))[^0-9]' diff --git a/src/HaENet/sources/src/main/resources/templates/basic-info/chinese-mobile-number.yaml b/src/HaENet/sources/src/main/resources/templates/basic-info/chinese-mobile-number.yaml new file mode 100644 index 0000000..66fa700 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/basic-info/chinese-mobile-number.yaml @@ -0,0 +1,22 @@ +id: hae-chinese-mobile-number + +info: + name: Chinese Mobile Number + severity: high + description: Extract Chinese mobile phone numbers + tags: hae, basic-info + metadata: + color: orange + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: chinese-mobile-number + regex: + - '(?i)[^\w]((?:(?:\+|0{0,2})86)?1(?:(?:3[\d])|(?:4[5-79])|(?:5[0-35-9])|(?:6[5-7])|(?:7[0-8])|(?:8[\d])|(?:9[189]))\d{8})[^\w]' diff --git a/src/HaENet/sources/src/main/resources/templates/basic-info/email.yaml b/src/HaENet/sources/src/main/resources/templates/basic-info/email.yaml new file mode 100644 index 0000000..e841006 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/basic-info/email.yaml @@ -0,0 +1,26 @@ +id: hae-email + +info: + name: Email + severity: medium + description: Extract email addresses, filtering out image file references + tags: hae, basic-info + metadata: + color: yellow + scope: response + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: email + regex: + - '(?i)(\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,5}\b)' + matchers: + - type: regex + regex: + - '^((?!.*\.(jpg|jpeg|png|gif|bmp|webp|svg|tiff|ico?)$).*@.*\..*)$' diff --git a/src/HaENet/sources/src/main/resources/templates/basic-info/index.txt b/src/HaENet/sources/src/main/resources/templates/basic-info/index.txt new file mode 100644 index 0000000..4d72ffc --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/basic-info/index.txt @@ -0,0 +1,5 @@ +chinese-idcard.yaml +chinese-mobile-number.yaml +email.yaml +internal-ip-address.yaml +mac-address.yaml diff --git a/src/HaENet/sources/src/main/resources/templates/basic-info/internal-ip-address.yaml b/src/HaENet/sources/src/main/resources/templates/basic-info/internal-ip-address.yaml new file mode 100644 index 0000000..2e6f2ea --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/basic-info/internal-ip-address.yaml @@ -0,0 +1,30 @@ +id: hae-internal-ip-address + +info: + name: Internal IP Address + severity: info + description: Detect internal/private IP addresses (RFC1918) + tags: hae, basic-info + metadata: + color: cyan + scope: response + engine: nfa + sensitive: true + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - '127.0.0.1' + - '10.' + - '172.' + - '192.168.' + condition: or + extractors: + - type: regex + name: internal-ip-address + regex: + - '[^0-9]((127\.0\.0\.1)|(10\.\d{1,3}\.\d{1,3}\.\d{1,3})|(172\.((1[6-9])|(2\d)|(3[01]))\.\d{1,3}\.\d{1,3})|(192\.168\.\d{1,3}\.\d{1,3}))' diff --git a/src/HaENet/sources/src/main/resources/templates/basic-info/mac-address.yaml b/src/HaENet/sources/src/main/resources/templates/basic-info/mac-address.yaml new file mode 100644 index 0000000..1746bef --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/basic-info/mac-address.yaml @@ -0,0 +1,22 @@ +id: hae-mac-address + +info: + name: MAC Address + severity: low + description: Extract MAC hardware addresses + tags: hae, basic-info + metadata: + color: green + scope: response + engine: nfa + sensitive: true + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: mac-address + regex: + - '(^([a-fA-F0-9]{2}(:[a-fA-F0-9]{2}){5})|[^a-zA-Z0-9]([a-fA-F0-9]{2}(:[a-fA-F0-9]{2}){5}))' diff --git a/src/HaENet/sources/src/main/resources/templates/fingerprint/druid.yaml b/src/HaENet/sources/src/main/resources/templates/fingerprint/druid.yaml new file mode 100644 index 0000000..2b2de29 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/fingerprint/druid.yaml @@ -0,0 +1,27 @@ +id: hae-druid + +info: + name: Druid + severity: high + description: Detect Alibaba Druid monitoring console + tags: hae, fingerprint + metadata: + color: orange + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'Druid Stat Index' + case-insensitive: true + extractors: + - type: regex + name: druid + regex: + - '(?i)(Druid Stat Index)' diff --git a/src/HaENet/sources/src/main/resources/templates/fingerprint/index.txt b/src/HaENet/sources/src/main/resources/templates/fingerprint/index.txt new file mode 100644 index 0000000..6c7792b --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/fingerprint/index.txt @@ -0,0 +1,7 @@ +druid.yaml +json-web-token.yaml +pdf-js-viewer.yaml +shiro.yaml +swagger-ui.yaml +ueditor.yaml +vite-devmode.yaml diff --git a/src/HaENet/sources/src/main/resources/templates/fingerprint/json-web-token.yaml b/src/HaENet/sources/src/main/resources/templates/fingerprint/json-web-token.yaml new file mode 100644 index 0000000..a1597e6 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/fingerprint/json-web-token.yaml @@ -0,0 +1,26 @@ +id: hae-json-web-token + +info: + name: JSON Web Token + severity: low + description: Detect JSON Web Tokens in HTTP traffic + tags: hae, fingerprint + metadata: + color: green + scope: any + engine: nfa + sensitive: true + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'eyJ' + extractors: + - type: regex + name: jwt + regex: + - '(eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9._-]{10,}|eyJ[A-Za-z0-9_\/+-]{10,}\.[A-Za-z0-9._\/+-]{10,})' diff --git a/src/HaENet/sources/src/main/resources/templates/fingerprint/pdf-js-viewer.yaml b/src/HaENet/sources/src/main/resources/templates/fingerprint/pdf-js-viewer.yaml new file mode 100644 index 0000000..21d78f1 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/fingerprint/pdf-js-viewer.yaml @@ -0,0 +1,27 @@ +id: hae-pdf-js-viewer + +info: + name: PDF.js Viewer + severity: low + description: Detect PDF.js viewer component + tags: hae, fingerprint + metadata: + color: green + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'pdf.worker' + case-insensitive: true + extractors: + - type: regex + name: pdf-js-viewer + regex: + - '(?i)(pdf.worker)' diff --git a/src/HaENet/sources/src/main/resources/templates/fingerprint/shiro.yaml b/src/HaENet/sources/src/main/resources/templates/fingerprint/shiro.yaml new file mode 100644 index 0000000..86ef7d6 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/fingerprint/shiro.yaml @@ -0,0 +1,28 @@ +id: hae-shiro + +info: + name: Shiro + severity: low + description: Detect Apache Shiro framework cookie markers + tags: hae, fingerprint + metadata: + color: green + scope: any header + engine: dfa + sensitive: true + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'deleteMe' + - 'rememberMe' + condition: or + extractors: + - type: regex + name: shiro + regex: + - '(=deleteMe|rememberMe=)' diff --git a/src/HaENet/sources/src/main/resources/templates/fingerprint/swagger-ui.yaml b/src/HaENet/sources/src/main/resources/templates/fingerprint/swagger-ui.yaml new file mode 100644 index 0000000..8f89e42 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/fingerprint/swagger-ui.yaml @@ -0,0 +1,32 @@ +id: hae-swagger-ui + +info: + name: Swagger UI + severity: critical + description: Detect Swagger UI API documentation endpoints + tags: hae, fingerprint + metadata: + color: red + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'swagger-ui.html' + - 'swagger' + - 'Swagger UI' + - 'swaggerUi' + - 'swaggerVersion' + condition: or + case-insensitive: true + extractors: + - type: regex + name: swagger-ui + regex: + - '(?i)((swagger-ui.html)|("swagger":)|(Swagger UI)|(swaggerUi)|(swaggerVersion))' diff --git a/src/HaENet/sources/src/main/resources/templates/fingerprint/ueditor.yaml b/src/HaENet/sources/src/main/resources/templates/fingerprint/ueditor.yaml new file mode 100644 index 0000000..097f4a3 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/fingerprint/ueditor.yaml @@ -0,0 +1,27 @@ +id: hae-ueditor + +info: + name: Ueditor + severity: low + description: Detect UEditor rich text editor + tags: hae, fingerprint + metadata: + color: green + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'ueditor' + case-insensitive: true + extractors: + - type: regex + name: ueditor + regex: + - '(?i)(ueditor\.(config|all)\.js)' diff --git a/src/HaENet/sources/src/main/resources/templates/fingerprint/vite-devmode.yaml b/src/HaENet/sources/src/main/resources/templates/fingerprint/vite-devmode.yaml new file mode 100644 index 0000000..77e67d9 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/fingerprint/vite-devmode.yaml @@ -0,0 +1,26 @@ +id: hae-vite-devmode + +info: + name: Vite DevMode + severity: critical + description: Detect Vite development mode client + tags: hae, fingerprint + metadata: + color: red + scope: response body + engine: dfa + sensitive: true + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - '@vite/client' + extractors: + - type: regex + name: vite-devmode + regex: + - '(/\@vite/client)' diff --git a/src/HaENet/sources/src/main/resources/templates/other/302-location.yaml b/src/HaENet/sources/src/main/resources/templates/other/302-location.yaml new file mode 100644 index 0000000..b5941e2 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/other/302-location.yaml @@ -0,0 +1,26 @@ +id: hae-302-location + +info: + name: 302 Location + severity: info + description: Extract redirect Location header values + tags: hae, other + metadata: + color: gray + scope: response header + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'Location:' + extractors: + - type: regex + name: 302-location + regex: + - 'Location: ([^\r\n]*)' diff --git a/src/HaENet/sources/src/main/resources/templates/other/all-url.yaml b/src/HaENet/sources/src/main/resources/templates/other/all-url.yaml new file mode 100644 index 0000000..b387b0a --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/other/all-url.yaml @@ -0,0 +1,28 @@ +id: hae-all-url + +info: + name: All URL + severity: info + description: Extract all HTTP/HTTPS URLs from responses + tags: hae, other + metadata: + color: gray + scope: response body + engine: nfa + sensitive: true + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'http://' + - 'https://' + condition: or + extractors: + - type: regex + name: all-url + regex: + - '(https?://[-A-Za-z0-9+&@#/%?=~_|!:,.;一-鿿]+[-A-Za-z0-9+&@#/%=~_|])' diff --git a/src/HaENet/sources/src/main/resources/templates/other/create-script.yaml b/src/HaENet/sources/src/main/resources/templates/other/create-script.yaml new file mode 100644 index 0000000..e39494c --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/other/create-script.yaml @@ -0,0 +1,27 @@ +id: hae-create-script + +info: + name: Create Script + severity: low + description: Extract key-value pairs from dynamic script creation patterns + tags: hae, other + metadata: + color: green + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: regex + regex: + - '(?i)(\{[^{}]*\}\s*\[[^\s]*\]\s*\+\s*"[^\s]*\.js")' + extractors: + - type: regex + name: create-script + regex: + - '"?([\w].*?)"?:"(.*?)"' + regex-group: 1 diff --git a/src/HaENet/sources/src/main/resources/templates/other/index.txt b/src/HaENet/sources/src/main/resources/templates/other/index.txt new file mode 100644 index 0000000..dcc907c --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/other/index.txt @@ -0,0 +1,9 @@ +302-location.yaml +all-url.yaml +create-script.yaml +linkfinder.yaml +oskeys.yaml +request-uri.yaml +router-push.yaml +source-map.yaml +url-schemes.yaml diff --git a/src/HaENet/sources/src/main/resources/templates/other/linkfinder.yaml b/src/HaENet/sources/src/main/resources/templates/other/linkfinder.yaml new file mode 100644 index 0000000..fe244e5 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/other/linkfinder.yaml @@ -0,0 +1,22 @@ +id: hae-linkfinder + +info: + name: Linkfinder + severity: info + description: Extract URLs and endpoints from JavaScript responses + tags: hae, other + metadata: + color: gray + scope: response body + engine: nfa + sensitive: true + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: linkfinder + regex: + - "(?:\"|'|`)(((?:[a-zA-Z]{1,10}://|//)[^\"'/]{1,}\\.[a-zA-Z]{2,}[^\"']{0,})|((?:/|\\.\\./|\\./)[ ^\"'><,;|*()(%%$^/\\\\\\[\\]][^\"'><,;|()]{1,})|([a-zA-Z0-9_\\-/]{1,}/[a-zA-Z0-9_\\-/]{1,}\\.(?:[a-zA-Z]{1,4}|action)(?:[\\?|#][^\"|']{0,}|))|([a-zA-Z0-9_\\-/]{1,}/[a-zA-Z0-9_\\-/]{3,}(?:[\\?|#][^\"|']{0,}|))|([a-zA-Z0-9_\\-]{1,}\\.(?:\\w)(?:[\\?|#][^\"|']{0,}|)))(?:\"|'|`)" diff --git a/src/HaENet/sources/src/main/resources/templates/other/oskeys.yaml b/src/HaENet/sources/src/main/resources/templates/other/oskeys.yaml new file mode 100644 index 0000000..266e7cd --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/other/oskeys.yaml @@ -0,0 +1,26 @@ +id: hae-oskeys + +info: + name: OSKeys + severity: info + description: Extract object storage key paths from XML responses + tags: hae, other + metadata: + color: gray + scope: response body + engine: nfa + sensitive: true + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - '' + extractors: + - type: regex + name: oskeys + regex: + - '(.*?)' diff --git a/src/HaENet/sources/src/main/resources/templates/other/request-uri.yaml b/src/HaENet/sources/src/main/resources/templates/other/request-uri.yaml new file mode 100644 index 0000000..0d2835c --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/other/request-uri.yaml @@ -0,0 +1,22 @@ +id: hae-request-uri + +info: + name: Request URI + severity: info + description: Extract request URI paths excluding static resources + tags: hae, other + metadata: + color: gray + scope: request line + engine: nfa + sensitive: false + loaded: false + +file: + - extensions: + - all + extractors: + - type: regex + name: request-uri + regex: + - '(?i) ((?!.*\.js(\?.*)?$)(.*?[^.js$])) ' diff --git a/src/HaENet/sources/src/main/resources/templates/other/router-push.yaml b/src/HaENet/sources/src/main/resources/templates/other/router-push.yaml new file mode 100644 index 0000000..094d8cc --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/other/router-push.yaml @@ -0,0 +1,27 @@ +id: hae-router-push + +info: + name: Router Push + severity: info + description: Detect Vue.js router push calls + tags: hae, other + metadata: + color: magenta + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - '$router.push' + case-insensitive: true + extractors: + - type: regex + name: router-push + regex: + - '(?i)(\$router\.push)' diff --git a/src/HaENet/sources/src/main/resources/templates/other/source-map.yaml b/src/HaENet/sources/src/main/resources/templates/other/source-map.yaml new file mode 100644 index 0000000..f6484c9 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/other/source-map.yaml @@ -0,0 +1,27 @@ +id: hae-source-map + +info: + name: Source Map + severity: info + description: Detect JavaScript source map file references + tags: hae, other + metadata: + color: pink + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - '.js.map' + case-insensitive: true + extractors: + - type: regex + name: source-map + regex: + - '(?i)(\.js\.map)' diff --git a/src/HaENet/sources/src/main/resources/templates/other/url-schemes.yaml b/src/HaENet/sources/src/main/resources/templates/other/url-schemes.yaml new file mode 100644 index 0000000..28cfe30 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/other/url-schemes.yaml @@ -0,0 +1,22 @@ +id: hae-url-schemes + +info: + name: URL Schemes + severity: medium + description: Detect non-HTTP URL schemes (ftp, ldap, etc.) + tags: hae, other + metadata: + color: yellow + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: url-schemes + regex: + - '(?i)(\b(?![\w]{0,10}?https?://)(([A-Za-z0-9-\.]{1,20})://([-\w+&@#/%?=~_|!:,.;]*[-\w+&@#/%=~_|])?))' diff --git a/src/HaENet/sources/src/main/resources/templates/sensitive-info/authorization-header.yaml b/src/HaENet/sources/src/main/resources/templates/sensitive-info/authorization-header.yaml new file mode 100644 index 0000000..6fc520e --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/sensitive-info/authorization-header.yaml @@ -0,0 +1,29 @@ +id: hae-authorization-header + +info: + name: Authorization Header + severity: medium + description: Extract Basic/Bearer authorization tokens + tags: hae, sensitive-info + metadata: + color: yellow + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'basic ' + - 'bearer ' + condition: or + case-insensitive: true + extractors: + - type: regex + name: authorization-header + regex: + - '(?i)((basic [a-z0-9=:_\+\/-]{5,100})|(bearer [a-z0-9_.=:_\+\/-]{5,100}))' diff --git a/src/HaENet/sources/src/main/resources/templates/sensitive-info/cloud-key.yaml b/src/HaENet/sources/src/main/resources/templates/sensitive-info/cloud-key.yaml new file mode 100644 index 0000000..df12faa --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/sensitive-info/cloud-key.yaml @@ -0,0 +1,29 @@ +id: hae-cloud-key + +info: + name: Cloud Key + severity: medium + description: Detect cloud provider access keys (AWS, Aliyun, etc.) + tags: hae, sensitive-info + metadata: + color: yellow + scope: any + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'access' + - 'LTAI' + condition: or + case-insensitive: true + extractors: + - type: regex + name: cloud-key + regex: + - '(?i)(((access)(|-|_)(key)(|-|_)(id|secret))|(LTAI[a-z0-9]{12,20}))' diff --git a/src/HaENet/sources/src/main/resources/templates/sensitive-info/index.txt b/src/HaENet/sources/src/main/resources/templates/sensitive-info/index.txt new file mode 100644 index 0000000..d742d0c --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/sensitive-info/index.txt @@ -0,0 +1,11 @@ +authorization-header.yaml +cloud-key.yaml +jdbc-connection.yaml +mobile-number-field.yaml +password-field.yaml +sensitive-field.yaml +user-identity.yaml +userinfo-in-link.yaml +username-field.yaml +wecom-key.yaml +windows-file-dir-path.yaml diff --git a/src/HaENet/sources/src/main/resources/templates/sensitive-info/jdbc-connection.yaml b/src/HaENet/sources/src/main/resources/templates/sensitive-info/jdbc-connection.yaml new file mode 100644 index 0000000..dbb9170 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/sensitive-info/jdbc-connection.yaml @@ -0,0 +1,27 @@ +id: hae-jdbc-connection + +info: + name: JDBC Connection + severity: medium + description: Extract JDBC database connection strings + tags: hae, sensitive-info + metadata: + color: yellow + scope: any + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'jdbc:' + case-insensitive: true + extractors: + - type: regex + name: jdbc-connection + regex: + - '(?i)(jdbc:[a-z:]+://[a-z0-9\.\-_:;=/@?,&]+)' diff --git a/src/HaENet/sources/src/main/resources/templates/sensitive-info/mobile-number-field.yaml b/src/HaENet/sources/src/main/resources/templates/sensitive-info/mobile-number-field.yaml new file mode 100644 index 0000000..c7a3216 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/sensitive-info/mobile-number-field.yaml @@ -0,0 +1,30 @@ +id: hae-mobile-number-field + +info: + name: Mobile Number Field + severity: low + description: Detect mobile/phone number field assignments + tags: hae, sensitive-info + metadata: + color: green + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'mobile' + - 'phone' + - 'concat' + condition: or + case-insensitive: true + extractors: + - type: regex + name: mobile-number-field + regex: + - "(?i)(((|\\\\)(|'|\")(|[\\.\\ w]{1,32})(mobile|phone|sjh|shoujihao|concat)(|[\\.\\ w]{1,32})(|\\\\)(|'|\")(\\n |)(:|[=]{1,3}|![=]{1,2}|[\\)]{0,1}\\.val\\()( |)(|\\\\)('|\")([^'\"]+?)(|\\\\)('|\")(|,|\\)))|((|\\\\)('|\")([^'\"]+?)(|\\\\)('|\")(|\\\\)(|'|\")(\\n |)(:|[=]{1,3}|![=]{1,2})( |)(|[\\.\\ w]{1,32})(mobile|phone|sjh|shoujihao|concat)(|[\\.\\ w]{1,32})(|\\\\)(|'|\")))" diff --git a/src/HaENet/sources/src/main/resources/templates/sensitive-info/password-field.yaml b/src/HaENet/sources/src/main/resources/templates/sensitive-info/password-field.yaml new file mode 100644 index 0000000..436d057 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/sensitive-info/password-field.yaml @@ -0,0 +1,31 @@ +id: hae-password-field + +info: + name: Password Field + severity: medium + description: Detect password field assignments in responses + tags: hae, sensitive-info + metadata: + color: yellow + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'pass' + - 'pwd' + - 'passwd' + - 'password' + condition: or + case-insensitive: true + extractors: + - type: regex + name: password-field + regex: + - "(?i)(((|\\\\)(|'|\")(|[\\.\\ w]{1,32})([p](ass|wd|asswd|assword))(|[\\.\\ w]{1,32})(|\\\\)(|'|\")(\\n |)(:|[=]{1,3}|![=]{1,2}|[\\)]{0,1}\\.val\\()( |)(|\\\\)('|\")([^'\"]+?)(|\\\\)('|\")(|,|\\)))|((|\\\\)('|\")([^'\"]+?)(|\\\\)('|\")(|\\\\)(|'|\")(\\n |)(:|[=]{1,3}|![=]{1,2})( |)(|[\\.\\ w]{1,32})([p](ass|wd|asswd|assword))(|[\\.\\ w]{1,32})(|\\\\)(|'|\")))" diff --git a/src/HaENet/sources/src/main/resources/templates/sensitive-info/sensitive-field.yaml b/src/HaENet/sources/src/main/resources/templates/sensitive-info/sensitive-field.yaml new file mode 100644 index 0000000..bfdfa0c --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/sensitive-info/sensitive-field.yaml @@ -0,0 +1,35 @@ +id: hae-sensitive-field + +info: + name: Sensitive Field + severity: medium + description: Detect generic sensitive field assignments (key, secret, token, etc.) + tags: hae, sensitive-info + metadata: + color: yellow + scope: response + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'key' + - 'secret' + - 'token' + - 'config' + - 'auth' + - 'access' + - 'admin' + - 'ticket' + condition: or + case-insensitive: true + extractors: + - type: regex + name: sensitive-field + regex: + - "(?i)(((|\\\\)(|'|\")(|[\\.\\ w]{1,32})(key|secret|token|config|auth|access|admin|ticket)(|[\\.\\ w]{1,32})(|\\\\)(|'|\")(\\n |)(:|[=]{1,3}|![=]{1,2}|[\\)]{0,1}\\.val\\()( |)(|\\\\)('|\")([^'\"]+?)(|\\\\)('|\")(|,|\\)))|((|\\\\)('|\")([^'\"]+?)(|\\\\)('|\")(|\\\\)(|'|\")(\\n |)(:|[=]{1,3}|![=]{1,2})( |)(|[\\.\\ w]{1,32})(key|secret|token|config|auth|access|admin|ticket)(|[\\.\\ w]{1,32})(|\\\\)(|'|\")))" diff --git a/src/HaENet/sources/src/main/resources/templates/sensitive-info/user-identity.yaml b/src/HaENet/sources/src/main/resources/templates/sensitive-info/user-identity.yaml new file mode 100644 index 0000000..028caac --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/sensitive-info/user-identity.yaml @@ -0,0 +1,30 @@ +id: hae-user-identity + +info: + name: User Identity + severity: low + description: Detect client-side identity storage (localStorage, cookies) + tags: hae, sensitive-info + metadata: + color: green + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'localStorage' + - 'sessionStorage' + - 'setCookie' + - 'Cookies.set' + condition: or + extractors: + - type: regex + name: user-identity + regex: + - "(?i)(\\b(?:(localStorage|sessionStorage)\\.(setItem|getItem)|setCookie|Cookies\\.set)\\s*\\(\\s*['\"](.+?)['\"].*?)" diff --git a/src/HaENet/sources/src/main/resources/templates/sensitive-info/userinfo-in-link.yaml b/src/HaENet/sources/src/main/resources/templates/sensitive-info/userinfo-in-link.yaml new file mode 100644 index 0000000..bbee6c0 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/sensitive-info/userinfo-in-link.yaml @@ -0,0 +1,26 @@ +id: hae-userinfo-in-link + +info: + name: Userinfo In Link + severity: low + description: Extract URLs containing credential parameters + tags: hae, sensitive-info + metadata: + color: green + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: userinfo-in-link + regex: + - "(?i)(?:\"|'|`)(((?:[a-zA-Z]{1,10}://|//)[^\"'/]{1,}\\.[a-zA-Z]{2,}[^\"']{0,})|((?:/|\\.\\./|\\./)[ ^\"'><,;|*()(%%$^/\\\\\\[\\]][^\"'><,;|()]{1,})|([a-zA-Z0-9_\\-/]{1,}/[a-zA-Z0-9_\\-/]{1,}\\.(?:[a-zA-Z]{1,4}|action)(?:[\\?|#][^\"|']{0,}|))|([a-zA-Z0-9_\\-/]{1,}/[a-zA-Z0-9_\\-/]{3,}(?:[\\?|#][^\"|']{0,}|))|([a-zA-Z0-9_\\-]{1,}\\.(?:\\w)(?:[\\?|#][^\"|']{0,}|)))(?:\"|'|`)" + matchers: + - type: regex + regex: + - '(?i)((([p](ass|wd|asswd|assword))|(([u](ser|name|sername))|(account)|((((create|update)((d|r)|(by|on|at)))|(creator)))))=[\.\w]{1,32})' diff --git a/src/HaENet/sources/src/main/resources/templates/sensitive-info/username-field.yaml b/src/HaENet/sources/src/main/resources/templates/sensitive-info/username-field.yaml new file mode 100644 index 0000000..66fce33 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/sensitive-info/username-field.yaml @@ -0,0 +1,32 @@ +id: hae-username-field + +info: + name: Username Field + severity: low + description: Detect username/account field assignments in responses + tags: hae, sensitive-info + metadata: + color: green + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'user' + - 'name' + - 'username' + - 'account' + - 'creator' + condition: or + case-insensitive: true + extractors: + - type: regex + name: username-field + regex: + - "(?i)(((|\\\\)(|'|\")(|[\\.\\ w]{1,32})(([u](ser|name|sername))|(account)|((((create|update)((d|r)|(by|on|at)))|(creator))))(|[\\.\\ w]{1,32})(|\\\\)(|'|\")(\\n |)(:|[=]{1,3}|![=]{1,2}|[\\)]{0,1}\\.val\\()( |)(|\\\\)('|\")([^'\"]+?)(|\\\\)('|\")(|,|\\)))|((|\\\\)('|\")([^'\"]+?)(|\\\\)('|\")(|\\\\)(|'|\")(\\n |)(:|[=]{1,3}|![=]{1,2})( |)(|[\\.\\ w]{1,32})(([u](ser|name|sername))|(account)|((((create|update)((d|r)|(by|on|at)))|(creator))))(|[\\.\\ w]{1,32})(|\\\\)(|'|\")))" diff --git a/src/HaENet/sources/src/main/resources/templates/sensitive-info/wecom-key.yaml b/src/HaENet/sources/src/main/resources/templates/sensitive-info/wecom-key.yaml new file mode 100644 index 0000000..c77d16a --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/sensitive-info/wecom-key.yaml @@ -0,0 +1,29 @@ +id: hae-wecom-key + +info: + name: WeCom Key + severity: low + description: Detect WeCom (Enterprise WeChat) credential fields + tags: hae, sensitive-info + metadata: + color: green + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'corpid' + - 'corpsecret' + condition: or + case-insensitive: true + extractors: + - type: regex + name: wecom-key + regex: + - '(?i)((corp)(id|secret))' diff --git a/src/HaENet/sources/src/main/resources/templates/sensitive-info/windows-file-dir-path.yaml b/src/HaENet/sources/src/main/resources/templates/sensitive-info/windows-file-dir-path.yaml new file mode 100644 index 0000000..0f45d96 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/sensitive-info/windows-file-dir-path.yaml @@ -0,0 +1,22 @@ +id: hae-windows-file-dir-path + +info: + name: Windows File/Dir Path + severity: low + description: Extract Windows filesystem paths + tags: hae, sensitive-info + metadata: + color: green + scope: response + engine: nfa + sensitive: true + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: windows-file-dir-path + regex: + - '[^\w]([a-zA-Z]:\\\\?(?:[^<>:/\\|?*]+\\\\?)*)([^<>:/\\|?*]+(?:\.[^<>:/\\|?*]+)?)' diff --git a/src/HaENet/sources/src/main/resources/templates/vulnerability/debug-logic-parameters.yaml b/src/HaENet/sources/src/main/resources/templates/vulnerability/debug-logic-parameters.yaml new file mode 100644 index 0000000..75617fe --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/vulnerability/debug-logic-parameters.yaml @@ -0,0 +1,35 @@ +id: hae-debug-logic-parameters + +info: + name: Debug Logic Parameters + severity: info + description: Detect debug and admin logic parameters in requests + tags: hae, vulnerability + metadata: + color: cyan + scope: request + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'access=' + - 'admin=' + - 'debug=' + - 'config=' + - 'exec=' + - 'shell=' + - 'test=' + - 'root=' + condition: or + case-insensitive: true + extractors: + - type: regex + name: debug-logic-parameters + regex: + - '(?i)((access=)|(adm=)|(admin=)|(alter=)|(cfg=)|(clone=)|(config=)|(create=)|(dbg=)|(debug=)|(delete=)|(disable=)|(edit=)|(enable=)|(exec=)|(execute=)|(grant=)|(load=)|(make=)|(modify=)|(rename=)|(reset=)|(root=)|(shell=)|(test=)|(toggl=))' diff --git a/src/HaENet/sources/src/main/resources/templates/vulnerability/dos-parameters.yaml b/src/HaENet/sources/src/main/resources/templates/vulnerability/dos-parameters.yaml new file mode 100644 index 0000000..4a810cb --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/vulnerability/dos-parameters.yaml @@ -0,0 +1,32 @@ +id: hae-dos-parameters + +info: + name: DoS Parameters + severity: info + description: Detect parameters that may enable denial of service + tags: hae, vulnerability + metadata: + color: cyan + scope: request + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'size=' + - 'page=' + - 'num=' + - 'limit=' + - 'count=' + condition: or + case-insensitive: true + extractors: + - type: regex + name: dos-parameters + regex: + - '(?i)((size=)|(page=)|(num=)|(limit=)|(start=)|(end=)|(count=))' diff --git a/src/HaENet/sources/src/main/resources/templates/vulnerability/index.txt b/src/HaENet/sources/src/main/resources/templates/vulnerability/index.txt new file mode 100644 index 0000000..c45586c --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/vulnerability/index.txt @@ -0,0 +1,7 @@ +debug-logic-parameters.yaml +dos-parameters.yaml +java-deserialization.yaml +passwd-file.yaml +upload-form.yaml +url-as-a-value.yaml +win-ini-file.yaml diff --git a/src/HaENet/sources/src/main/resources/templates/vulnerability/java-deserialization.yaml b/src/HaENet/sources/src/main/resources/templates/vulnerability/java-deserialization.yaml new file mode 100644 index 0000000..dc0f863 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/vulnerability/java-deserialization.yaml @@ -0,0 +1,27 @@ +id: hae-java-deserialization + +info: + name: Java Deserialization + severity: medium + description: Detect Java deserialization indicators (ViewState) + tags: hae, vulnerability + metadata: + color: yellow + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'javax.faces.ViewState' + case-insensitive: true + extractors: + - type: regex + name: java-deserialization + regex: + - '(?i)(javax\.faces\.ViewState)' diff --git a/src/HaENet/sources/src/main/resources/templates/vulnerability/passwd-file.yaml b/src/HaENet/sources/src/main/resources/templates/vulnerability/passwd-file.yaml new file mode 100644 index 0000000..9308939 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/vulnerability/passwd-file.yaml @@ -0,0 +1,27 @@ +id: hae-passwd-file + +info: + name: Passwd File + severity: critical + description: Detect Unix passwd file content disclosure + tags: hae, vulnerability + metadata: + color: red + scope: response body + engine: dfa + sensitive: true + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - '/root:' + - '/bin/bash' + extractors: + - type: regex + name: passwd-file + regex: + - '(/root:/bin/bash)' diff --git a/src/HaENet/sources/src/main/resources/templates/vulnerability/upload-form.yaml b/src/HaENet/sources/src/main/resources/templates/vulnerability/upload-form.yaml new file mode 100644 index 0000000..31ccc4c --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/vulnerability/upload-form.yaml @@ -0,0 +1,27 @@ +id: hae-upload-form + +info: + name: Upload Form + severity: medium + description: Detect file upload form elements + tags: hae, vulnerability + metadata: + color: yellow + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'type="file"' + case-insensitive: true + extractors: + - type: regex + name: upload-form + regex: + - '(?i)(type=\"file\")' diff --git a/src/HaENet/sources/src/main/resources/templates/vulnerability/url-as-a-value.yaml b/src/HaENet/sources/src/main/resources/templates/vulnerability/url-as-a-value.yaml new file mode 100644 index 0000000..9d6d507 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/vulnerability/url-as-a-value.yaml @@ -0,0 +1,22 @@ +id: hae-url-as-a-value + +info: + name: URL As A Value + severity: info + description: Detect URLs used as parameter values (potential SSRF/redirect) + tags: hae, vulnerability + metadata: + color: cyan + scope: any + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: url-as-a-value + regex: + - '(?i)(=(https?)(://|%3a%2f%2f))' diff --git a/src/HaENet/sources/src/main/resources/templates/vulnerability/win-ini-file.yaml b/src/HaENet/sources/src/main/resources/templates/vulnerability/win-ini-file.yaml new file mode 100644 index 0000000..9319052 --- /dev/null +++ b/src/HaENet/sources/src/main/resources/templates/vulnerability/win-ini-file.yaml @@ -0,0 +1,26 @@ +id: hae-win-ini-file + +info: + name: Win.ini File + severity: critical + description: Detect Windows win.ini file content disclosure + tags: hae, vulnerability + metadata: + color: red + scope: response body + engine: dfa + sensitive: true + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'for 16-bit app' + extractors: + - type: regex + name: win-ini-file + regex: + - '(for 16-bit app)' diff --git a/templates/basic-info/chinese-idcard.yaml b/templates/basic-info/chinese-idcard.yaml new file mode 100644 index 0000000..ce179e9 --- /dev/null +++ b/templates/basic-info/chinese-idcard.yaml @@ -0,0 +1,22 @@ +id: hae-chinese-idcard + +info: + name: Chinese IDCard + severity: high + description: Extract Chinese national ID card numbers + tags: hae, basic-info + metadata: + color: orange + scope: response body + engine: nfa + sensitive: true + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: chinese-idcard + regex: + - '[^0-9]((\d{8}(0\d|10|11|12)([0-2]\d|30|31)\d{3}$)|(\d{6}(18|19|20)\d{2}(0[1-9]|10|11|12)([0-2]\d|30|31)\d{3}(\d|X|x)))[^0-9]' diff --git a/templates/basic-info/chinese-mobile-number.yaml b/templates/basic-info/chinese-mobile-number.yaml new file mode 100644 index 0000000..66fa700 --- /dev/null +++ b/templates/basic-info/chinese-mobile-number.yaml @@ -0,0 +1,22 @@ +id: hae-chinese-mobile-number + +info: + name: Chinese Mobile Number + severity: high + description: Extract Chinese mobile phone numbers + tags: hae, basic-info + metadata: + color: orange + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: chinese-mobile-number + regex: + - '(?i)[^\w]((?:(?:\+|0{0,2})86)?1(?:(?:3[\d])|(?:4[5-79])|(?:5[0-35-9])|(?:6[5-7])|(?:7[0-8])|(?:8[\d])|(?:9[189]))\d{8})[^\w]' diff --git a/templates/basic-info/email.yaml b/templates/basic-info/email.yaml new file mode 100644 index 0000000..e841006 --- /dev/null +++ b/templates/basic-info/email.yaml @@ -0,0 +1,26 @@ +id: hae-email + +info: + name: Email + severity: medium + description: Extract email addresses, filtering out image file references + tags: hae, basic-info + metadata: + color: yellow + scope: response + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: email + regex: + - '(?i)(\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,5}\b)' + matchers: + - type: regex + regex: + - '^((?!.*\.(jpg|jpeg|png|gif|bmp|webp|svg|tiff|ico?)$).*@.*\..*)$' diff --git a/templates/basic-info/internal-ip-address.yaml b/templates/basic-info/internal-ip-address.yaml new file mode 100644 index 0000000..2e6f2ea --- /dev/null +++ b/templates/basic-info/internal-ip-address.yaml @@ -0,0 +1,30 @@ +id: hae-internal-ip-address + +info: + name: Internal IP Address + severity: info + description: Detect internal/private IP addresses (RFC1918) + tags: hae, basic-info + metadata: + color: cyan + scope: response + engine: nfa + sensitive: true + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - '127.0.0.1' + - '10.' + - '172.' + - '192.168.' + condition: or + extractors: + - type: regex + name: internal-ip-address + regex: + - '[^0-9]((127\.0\.0\.1)|(10\.\d{1,3}\.\d{1,3}\.\d{1,3})|(172\.((1[6-9])|(2\d)|(3[01]))\.\d{1,3}\.\d{1,3})|(192\.168\.\d{1,3}\.\d{1,3}))' diff --git a/templates/basic-info/mac-address.yaml b/templates/basic-info/mac-address.yaml new file mode 100644 index 0000000..1746bef --- /dev/null +++ b/templates/basic-info/mac-address.yaml @@ -0,0 +1,22 @@ +id: hae-mac-address + +info: + name: MAC Address + severity: low + description: Extract MAC hardware addresses + tags: hae, basic-info + metadata: + color: green + scope: response + engine: nfa + sensitive: true + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: mac-address + regex: + - '(^([a-fA-F0-9]{2}(:[a-fA-F0-9]{2}){5})|[^a-zA-Z0-9]([a-fA-F0-9]{2}(:[a-fA-F0-9]{2}){5}))' diff --git a/templates/fingerprint/druid.yaml b/templates/fingerprint/druid.yaml new file mode 100644 index 0000000..2b2de29 --- /dev/null +++ b/templates/fingerprint/druid.yaml @@ -0,0 +1,27 @@ +id: hae-druid + +info: + name: Druid + severity: high + description: Detect Alibaba Druid monitoring console + tags: hae, fingerprint + metadata: + color: orange + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'Druid Stat Index' + case-insensitive: true + extractors: + - type: regex + name: druid + regex: + - '(?i)(Druid Stat Index)' diff --git a/templates/fingerprint/json-web-token.yaml b/templates/fingerprint/json-web-token.yaml new file mode 100644 index 0000000..a1597e6 --- /dev/null +++ b/templates/fingerprint/json-web-token.yaml @@ -0,0 +1,26 @@ +id: hae-json-web-token + +info: + name: JSON Web Token + severity: low + description: Detect JSON Web Tokens in HTTP traffic + tags: hae, fingerprint + metadata: + color: green + scope: any + engine: nfa + sensitive: true + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'eyJ' + extractors: + - type: regex + name: jwt + regex: + - '(eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9._-]{10,}|eyJ[A-Za-z0-9_\/+-]{10,}\.[A-Za-z0-9._\/+-]{10,})' diff --git a/templates/fingerprint/pdf-js-viewer.yaml b/templates/fingerprint/pdf-js-viewer.yaml new file mode 100644 index 0000000..21d78f1 --- /dev/null +++ b/templates/fingerprint/pdf-js-viewer.yaml @@ -0,0 +1,27 @@ +id: hae-pdf-js-viewer + +info: + name: PDF.js Viewer + severity: low + description: Detect PDF.js viewer component + tags: hae, fingerprint + metadata: + color: green + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'pdf.worker' + case-insensitive: true + extractors: + - type: regex + name: pdf-js-viewer + regex: + - '(?i)(pdf.worker)' diff --git a/templates/fingerprint/shiro.yaml b/templates/fingerprint/shiro.yaml new file mode 100644 index 0000000..86ef7d6 --- /dev/null +++ b/templates/fingerprint/shiro.yaml @@ -0,0 +1,28 @@ +id: hae-shiro + +info: + name: Shiro + severity: low + description: Detect Apache Shiro framework cookie markers + tags: hae, fingerprint + metadata: + color: green + scope: any header + engine: dfa + sensitive: true + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'deleteMe' + - 'rememberMe' + condition: or + extractors: + - type: regex + name: shiro + regex: + - '(=deleteMe|rememberMe=)' diff --git a/templates/fingerprint/swagger-ui.yaml b/templates/fingerprint/swagger-ui.yaml new file mode 100644 index 0000000..8f89e42 --- /dev/null +++ b/templates/fingerprint/swagger-ui.yaml @@ -0,0 +1,32 @@ +id: hae-swagger-ui + +info: + name: Swagger UI + severity: critical + description: Detect Swagger UI API documentation endpoints + tags: hae, fingerprint + metadata: + color: red + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'swagger-ui.html' + - 'swagger' + - 'Swagger UI' + - 'swaggerUi' + - 'swaggerVersion' + condition: or + case-insensitive: true + extractors: + - type: regex + name: swagger-ui + regex: + - '(?i)((swagger-ui.html)|("swagger":)|(Swagger UI)|(swaggerUi)|(swaggerVersion))' diff --git a/templates/fingerprint/ueditor.yaml b/templates/fingerprint/ueditor.yaml new file mode 100644 index 0000000..097f4a3 --- /dev/null +++ b/templates/fingerprint/ueditor.yaml @@ -0,0 +1,27 @@ +id: hae-ueditor + +info: + name: Ueditor + severity: low + description: Detect UEditor rich text editor + tags: hae, fingerprint + metadata: + color: green + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'ueditor' + case-insensitive: true + extractors: + - type: regex + name: ueditor + regex: + - '(?i)(ueditor\.(config|all)\.js)' diff --git a/templates/fingerprint/vite-devmode.yaml b/templates/fingerprint/vite-devmode.yaml new file mode 100644 index 0000000..77e67d9 --- /dev/null +++ b/templates/fingerprint/vite-devmode.yaml @@ -0,0 +1,26 @@ +id: hae-vite-devmode + +info: + name: Vite DevMode + severity: critical + description: Detect Vite development mode client + tags: hae, fingerprint + metadata: + color: red + scope: response body + engine: dfa + sensitive: true + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - '@vite/client' + extractors: + - type: regex + name: vite-devmode + regex: + - '(/\@vite/client)' diff --git a/templates/other/302-location.yaml b/templates/other/302-location.yaml new file mode 100644 index 0000000..b5941e2 --- /dev/null +++ b/templates/other/302-location.yaml @@ -0,0 +1,26 @@ +id: hae-302-location + +info: + name: 302 Location + severity: info + description: Extract redirect Location header values + tags: hae, other + metadata: + color: gray + scope: response header + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'Location:' + extractors: + - type: regex + name: 302-location + regex: + - 'Location: ([^\r\n]*)' diff --git a/templates/other/all-url.yaml b/templates/other/all-url.yaml new file mode 100644 index 0000000..b387b0a --- /dev/null +++ b/templates/other/all-url.yaml @@ -0,0 +1,28 @@ +id: hae-all-url + +info: + name: All URL + severity: info + description: Extract all HTTP/HTTPS URLs from responses + tags: hae, other + metadata: + color: gray + scope: response body + engine: nfa + sensitive: true + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'http://' + - 'https://' + condition: or + extractors: + - type: regex + name: all-url + regex: + - '(https?://[-A-Za-z0-9+&@#/%?=~_|!:,.;一-鿿]+[-A-Za-z0-9+&@#/%=~_|])' diff --git a/templates/other/create-script.yaml b/templates/other/create-script.yaml new file mode 100644 index 0000000..e39494c --- /dev/null +++ b/templates/other/create-script.yaml @@ -0,0 +1,27 @@ +id: hae-create-script + +info: + name: Create Script + severity: low + description: Extract key-value pairs from dynamic script creation patterns + tags: hae, other + metadata: + color: green + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: regex + regex: + - '(?i)(\{[^{}]*\}\s*\[[^\s]*\]\s*\+\s*"[^\s]*\.js")' + extractors: + - type: regex + name: create-script + regex: + - '"?([\w].*?)"?:"(.*?)"' + regex-group: 1 diff --git a/templates/other/linkfinder.yaml b/templates/other/linkfinder.yaml new file mode 100644 index 0000000..fe244e5 --- /dev/null +++ b/templates/other/linkfinder.yaml @@ -0,0 +1,22 @@ +id: hae-linkfinder + +info: + name: Linkfinder + severity: info + description: Extract URLs and endpoints from JavaScript responses + tags: hae, other + metadata: + color: gray + scope: response body + engine: nfa + sensitive: true + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: linkfinder + regex: + - "(?:\"|'|`)(((?:[a-zA-Z]{1,10}://|//)[^\"'/]{1,}\\.[a-zA-Z]{2,}[^\"']{0,})|((?:/|\\.\\./|\\./)[ ^\"'><,;|*()(%%$^/\\\\\\[\\]][^\"'><,;|()]{1,})|([a-zA-Z0-9_\\-/]{1,}/[a-zA-Z0-9_\\-/]{1,}\\.(?:[a-zA-Z]{1,4}|action)(?:[\\?|#][^\"|']{0,}|))|([a-zA-Z0-9_\\-/]{1,}/[a-zA-Z0-9_\\-/]{3,}(?:[\\?|#][^\"|']{0,}|))|([a-zA-Z0-9_\\-]{1,}\\.(?:\\w)(?:[\\?|#][^\"|']{0,}|)))(?:\"|'|`)" diff --git a/templates/other/oskeys.yaml b/templates/other/oskeys.yaml new file mode 100644 index 0000000..266e7cd --- /dev/null +++ b/templates/other/oskeys.yaml @@ -0,0 +1,26 @@ +id: hae-oskeys + +info: + name: OSKeys + severity: info + description: Extract object storage key paths from XML responses + tags: hae, other + metadata: + color: gray + scope: response body + engine: nfa + sensitive: true + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - '' + extractors: + - type: regex + name: oskeys + regex: + - '(.*?)' diff --git a/templates/other/request-uri.yaml b/templates/other/request-uri.yaml new file mode 100644 index 0000000..0d2835c --- /dev/null +++ b/templates/other/request-uri.yaml @@ -0,0 +1,22 @@ +id: hae-request-uri + +info: + name: Request URI + severity: info + description: Extract request URI paths excluding static resources + tags: hae, other + metadata: + color: gray + scope: request line + engine: nfa + sensitive: false + loaded: false + +file: + - extensions: + - all + extractors: + - type: regex + name: request-uri + regex: + - '(?i) ((?!.*\.js(\?.*)?$)(.*?[^.js$])) ' diff --git a/templates/other/router-push.yaml b/templates/other/router-push.yaml new file mode 100644 index 0000000..094d8cc --- /dev/null +++ b/templates/other/router-push.yaml @@ -0,0 +1,27 @@ +id: hae-router-push + +info: + name: Router Push + severity: info + description: Detect Vue.js router push calls + tags: hae, other + metadata: + color: magenta + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - '$router.push' + case-insensitive: true + extractors: + - type: regex + name: router-push + regex: + - '(?i)(\$router\.push)' diff --git a/templates/other/source-map.yaml b/templates/other/source-map.yaml new file mode 100644 index 0000000..f6484c9 --- /dev/null +++ b/templates/other/source-map.yaml @@ -0,0 +1,27 @@ +id: hae-source-map + +info: + name: Source Map + severity: info + description: Detect JavaScript source map file references + tags: hae, other + metadata: + color: pink + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - '.js.map' + case-insensitive: true + extractors: + - type: regex + name: source-map + regex: + - '(?i)(\.js\.map)' diff --git a/templates/other/url-schemes.yaml b/templates/other/url-schemes.yaml new file mode 100644 index 0000000..28cfe30 --- /dev/null +++ b/templates/other/url-schemes.yaml @@ -0,0 +1,22 @@ +id: hae-url-schemes + +info: + name: URL Schemes + severity: medium + description: Detect non-HTTP URL schemes (ftp, ldap, etc.) + tags: hae, other + metadata: + color: yellow + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: url-schemes + regex: + - '(?i)(\b(?![\w]{0,10}?https?://)(([A-Za-z0-9-\.]{1,20})://([-\w+&@#/%?=~_|!:,.;]*[-\w+&@#/%=~_|])?))' diff --git a/templates/sensitive-info/authorization-header.yaml b/templates/sensitive-info/authorization-header.yaml new file mode 100644 index 0000000..6fc520e --- /dev/null +++ b/templates/sensitive-info/authorization-header.yaml @@ -0,0 +1,29 @@ +id: hae-authorization-header + +info: + name: Authorization Header + severity: medium + description: Extract Basic/Bearer authorization tokens + tags: hae, sensitive-info + metadata: + color: yellow + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'basic ' + - 'bearer ' + condition: or + case-insensitive: true + extractors: + - type: regex + name: authorization-header + regex: + - '(?i)((basic [a-z0-9=:_\+\/-]{5,100})|(bearer [a-z0-9_.=:_\+\/-]{5,100}))' diff --git a/templates/sensitive-info/cloud-key.yaml b/templates/sensitive-info/cloud-key.yaml new file mode 100644 index 0000000..df12faa --- /dev/null +++ b/templates/sensitive-info/cloud-key.yaml @@ -0,0 +1,29 @@ +id: hae-cloud-key + +info: + name: Cloud Key + severity: medium + description: Detect cloud provider access keys (AWS, Aliyun, etc.) + tags: hae, sensitive-info + metadata: + color: yellow + scope: any + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'access' + - 'LTAI' + condition: or + case-insensitive: true + extractors: + - type: regex + name: cloud-key + regex: + - '(?i)(((access)(|-|_)(key)(|-|_)(id|secret))|(LTAI[a-z0-9]{12,20}))' diff --git a/templates/sensitive-info/jdbc-connection.yaml b/templates/sensitive-info/jdbc-connection.yaml new file mode 100644 index 0000000..dbb9170 --- /dev/null +++ b/templates/sensitive-info/jdbc-connection.yaml @@ -0,0 +1,27 @@ +id: hae-jdbc-connection + +info: + name: JDBC Connection + severity: medium + description: Extract JDBC database connection strings + tags: hae, sensitive-info + metadata: + color: yellow + scope: any + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'jdbc:' + case-insensitive: true + extractors: + - type: regex + name: jdbc-connection + regex: + - '(?i)(jdbc:[a-z:]+://[a-z0-9\.\-_:;=/@?,&]+)' diff --git a/templates/sensitive-info/mobile-number-field.yaml b/templates/sensitive-info/mobile-number-field.yaml new file mode 100644 index 0000000..c7a3216 --- /dev/null +++ b/templates/sensitive-info/mobile-number-field.yaml @@ -0,0 +1,30 @@ +id: hae-mobile-number-field + +info: + name: Mobile Number Field + severity: low + description: Detect mobile/phone number field assignments + tags: hae, sensitive-info + metadata: + color: green + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'mobile' + - 'phone' + - 'concat' + condition: or + case-insensitive: true + extractors: + - type: regex + name: mobile-number-field + regex: + - "(?i)(((|\\\\)(|'|\")(|[\\.\\ w]{1,32})(mobile|phone|sjh|shoujihao|concat)(|[\\.\\ w]{1,32})(|\\\\)(|'|\")(\\n |)(:|[=]{1,3}|![=]{1,2}|[\\)]{0,1}\\.val\\()( |)(|\\\\)('|\")([^'\"]+?)(|\\\\)('|\")(|,|\\)))|((|\\\\)('|\")([^'\"]+?)(|\\\\)('|\")(|\\\\)(|'|\")(\\n |)(:|[=]{1,3}|![=]{1,2})( |)(|[\\.\\ w]{1,32})(mobile|phone|sjh|shoujihao|concat)(|[\\.\\ w]{1,32})(|\\\\)(|'|\")))" diff --git a/templates/sensitive-info/password-field.yaml b/templates/sensitive-info/password-field.yaml new file mode 100644 index 0000000..436d057 --- /dev/null +++ b/templates/sensitive-info/password-field.yaml @@ -0,0 +1,31 @@ +id: hae-password-field + +info: + name: Password Field + severity: medium + description: Detect password field assignments in responses + tags: hae, sensitive-info + metadata: + color: yellow + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'pass' + - 'pwd' + - 'passwd' + - 'password' + condition: or + case-insensitive: true + extractors: + - type: regex + name: password-field + regex: + - "(?i)(((|\\\\)(|'|\")(|[\\.\\ w]{1,32})([p](ass|wd|asswd|assword))(|[\\.\\ w]{1,32})(|\\\\)(|'|\")(\\n |)(:|[=]{1,3}|![=]{1,2}|[\\)]{0,1}\\.val\\()( |)(|\\\\)('|\")([^'\"]+?)(|\\\\)('|\")(|,|\\)))|((|\\\\)('|\")([^'\"]+?)(|\\\\)('|\")(|\\\\)(|'|\")(\\n |)(:|[=]{1,3}|![=]{1,2})( |)(|[\\.\\ w]{1,32})([p](ass|wd|asswd|assword))(|[\\.\\ w]{1,32})(|\\\\)(|'|\")))" diff --git a/templates/sensitive-info/sensitive-field.yaml b/templates/sensitive-info/sensitive-field.yaml new file mode 100644 index 0000000..bfdfa0c --- /dev/null +++ b/templates/sensitive-info/sensitive-field.yaml @@ -0,0 +1,35 @@ +id: hae-sensitive-field + +info: + name: Sensitive Field + severity: medium + description: Detect generic sensitive field assignments (key, secret, token, etc.) + tags: hae, sensitive-info + metadata: + color: yellow + scope: response + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'key' + - 'secret' + - 'token' + - 'config' + - 'auth' + - 'access' + - 'admin' + - 'ticket' + condition: or + case-insensitive: true + extractors: + - type: regex + name: sensitive-field + regex: + - "(?i)(((|\\\\)(|'|\")(|[\\.\\ w]{1,32})(key|secret|token|config|auth|access|admin|ticket)(|[\\.\\ w]{1,32})(|\\\\)(|'|\")(\\n |)(:|[=]{1,3}|![=]{1,2}|[\\)]{0,1}\\.val\\()( |)(|\\\\)('|\")([^'\"]+?)(|\\\\)('|\")(|,|\\)))|((|\\\\)('|\")([^'\"]+?)(|\\\\)('|\")(|\\\\)(|'|\")(\\n |)(:|[=]{1,3}|![=]{1,2})( |)(|[\\.\\ w]{1,32})(key|secret|token|config|auth|access|admin|ticket)(|[\\.\\ w]{1,32})(|\\\\)(|'|\")))" diff --git a/templates/sensitive-info/user-identity.yaml b/templates/sensitive-info/user-identity.yaml new file mode 100644 index 0000000..028caac --- /dev/null +++ b/templates/sensitive-info/user-identity.yaml @@ -0,0 +1,30 @@ +id: hae-user-identity + +info: + name: User Identity + severity: low + description: Detect client-side identity storage (localStorage, cookies) + tags: hae, sensitive-info + metadata: + color: green + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'localStorage' + - 'sessionStorage' + - 'setCookie' + - 'Cookies.set' + condition: or + extractors: + - type: regex + name: user-identity + regex: + - "(?i)(\\b(?:(localStorage|sessionStorage)\\.(setItem|getItem)|setCookie|Cookies\\.set)\\s*\\(\\s*['\"](.+?)['\"].*?)" diff --git a/templates/sensitive-info/userinfo-in-link.yaml b/templates/sensitive-info/userinfo-in-link.yaml new file mode 100644 index 0000000..bbee6c0 --- /dev/null +++ b/templates/sensitive-info/userinfo-in-link.yaml @@ -0,0 +1,26 @@ +id: hae-userinfo-in-link + +info: + name: Userinfo In Link + severity: low + description: Extract URLs containing credential parameters + tags: hae, sensitive-info + metadata: + color: green + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: userinfo-in-link + regex: + - "(?i)(?:\"|'|`)(((?:[a-zA-Z]{1,10}://|//)[^\"'/]{1,}\\.[a-zA-Z]{2,}[^\"']{0,})|((?:/|\\.\\./|\\./)[ ^\"'><,;|*()(%%$^/\\\\\\[\\]][^\"'><,;|()]{1,})|([a-zA-Z0-9_\\-/]{1,}/[a-zA-Z0-9_\\-/]{1,}\\.(?:[a-zA-Z]{1,4}|action)(?:[\\?|#][^\"|']{0,}|))|([a-zA-Z0-9_\\-/]{1,}/[a-zA-Z0-9_\\-/]{3,}(?:[\\?|#][^\"|']{0,}|))|([a-zA-Z0-9_\\-]{1,}\\.(?:\\w)(?:[\\?|#][^\"|']{0,}|)))(?:\"|'|`)" + matchers: + - type: regex + regex: + - '(?i)((([p](ass|wd|asswd|assword))|(([u](ser|name|sername))|(account)|((((create|update)((d|r)|(by|on|at)))|(creator)))))=[\.\w]{1,32})' diff --git a/templates/sensitive-info/username-field.yaml b/templates/sensitive-info/username-field.yaml new file mode 100644 index 0000000..66fce33 --- /dev/null +++ b/templates/sensitive-info/username-field.yaml @@ -0,0 +1,32 @@ +id: hae-username-field + +info: + name: Username Field + severity: low + description: Detect username/account field assignments in responses + tags: hae, sensitive-info + metadata: + color: green + scope: response body + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'user' + - 'name' + - 'username' + - 'account' + - 'creator' + condition: or + case-insensitive: true + extractors: + - type: regex + name: username-field + regex: + - "(?i)(((|\\\\)(|'|\")(|[\\.\\ w]{1,32})(([u](ser|name|sername))|(account)|((((create|update)((d|r)|(by|on|at)))|(creator))))(|[\\.\\ w]{1,32})(|\\\\)(|'|\")(\\n |)(:|[=]{1,3}|![=]{1,2}|[\\)]{0,1}\\.val\\()( |)(|\\\\)('|\")([^'\"]+?)(|\\\\)('|\")(|,|\\)))|((|\\\\)('|\")([^'\"]+?)(|\\\\)('|\")(|\\\\)(|'|\")(\\n |)(:|[=]{1,3}|![=]{1,2})( |)(|[\\.\\ w]{1,32})(([u](ser|name|sername))|(account)|((((create|update)((d|r)|(by|on|at)))|(creator))))(|[\\.\\ w]{1,32})(|\\\\)(|'|\")))" diff --git a/templates/sensitive-info/wecom-key.yaml b/templates/sensitive-info/wecom-key.yaml new file mode 100644 index 0000000..c77d16a --- /dev/null +++ b/templates/sensitive-info/wecom-key.yaml @@ -0,0 +1,29 @@ +id: hae-wecom-key + +info: + name: WeCom Key + severity: low + description: Detect WeCom (Enterprise WeChat) credential fields + tags: hae, sensitive-info + metadata: + color: green + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'corpid' + - 'corpsecret' + condition: or + case-insensitive: true + extractors: + - type: regex + name: wecom-key + regex: + - '(?i)((corp)(id|secret))' diff --git a/templates/sensitive-info/windows-file-dir-path.yaml b/templates/sensitive-info/windows-file-dir-path.yaml new file mode 100644 index 0000000..0f45d96 --- /dev/null +++ b/templates/sensitive-info/windows-file-dir-path.yaml @@ -0,0 +1,22 @@ +id: hae-windows-file-dir-path + +info: + name: Windows File/Dir Path + severity: low + description: Extract Windows filesystem paths + tags: hae, sensitive-info + metadata: + color: green + scope: response + engine: nfa + sensitive: true + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: windows-file-dir-path + regex: + - '[^\w]([a-zA-Z]:\\\\?(?:[^<>:/\\|?*]+\\\\?)*)([^<>:/\\|?*]+(?:\.[^<>:/\\|?*]+)?)' diff --git a/templates/vulnerability/debug-logic-parameters.yaml b/templates/vulnerability/debug-logic-parameters.yaml new file mode 100644 index 0000000..75617fe --- /dev/null +++ b/templates/vulnerability/debug-logic-parameters.yaml @@ -0,0 +1,35 @@ +id: hae-debug-logic-parameters + +info: + name: Debug Logic Parameters + severity: info + description: Detect debug and admin logic parameters in requests + tags: hae, vulnerability + metadata: + color: cyan + scope: request + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'access=' + - 'admin=' + - 'debug=' + - 'config=' + - 'exec=' + - 'shell=' + - 'test=' + - 'root=' + condition: or + case-insensitive: true + extractors: + - type: regex + name: debug-logic-parameters + regex: + - '(?i)((access=)|(adm=)|(admin=)|(alter=)|(cfg=)|(clone=)|(config=)|(create=)|(dbg=)|(debug=)|(delete=)|(disable=)|(edit=)|(enable=)|(exec=)|(execute=)|(grant=)|(load=)|(make=)|(modify=)|(rename=)|(reset=)|(root=)|(shell=)|(test=)|(toggl=))' diff --git a/templates/vulnerability/dos-parameters.yaml b/templates/vulnerability/dos-parameters.yaml new file mode 100644 index 0000000..4a810cb --- /dev/null +++ b/templates/vulnerability/dos-parameters.yaml @@ -0,0 +1,32 @@ +id: hae-dos-parameters + +info: + name: DoS Parameters + severity: info + description: Detect parameters that may enable denial of service + tags: hae, vulnerability + metadata: + color: cyan + scope: request + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'size=' + - 'page=' + - 'num=' + - 'limit=' + - 'count=' + condition: or + case-insensitive: true + extractors: + - type: regex + name: dos-parameters + regex: + - '(?i)((size=)|(page=)|(num=)|(limit=)|(start=)|(end=)|(count=))' diff --git a/templates/vulnerability/java-deserialization.yaml b/templates/vulnerability/java-deserialization.yaml new file mode 100644 index 0000000..dc0f863 --- /dev/null +++ b/templates/vulnerability/java-deserialization.yaml @@ -0,0 +1,27 @@ +id: hae-java-deserialization + +info: + name: Java Deserialization + severity: medium + description: Detect Java deserialization indicators (ViewState) + tags: hae, vulnerability + metadata: + color: yellow + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'javax.faces.ViewState' + case-insensitive: true + extractors: + - type: regex + name: java-deserialization + regex: + - '(?i)(javax\.faces\.ViewState)' diff --git a/templates/vulnerability/passwd-file.yaml b/templates/vulnerability/passwd-file.yaml new file mode 100644 index 0000000..9308939 --- /dev/null +++ b/templates/vulnerability/passwd-file.yaml @@ -0,0 +1,27 @@ +id: hae-passwd-file + +info: + name: Passwd File + severity: critical + description: Detect Unix passwd file content disclosure + tags: hae, vulnerability + metadata: + color: red + scope: response body + engine: dfa + sensitive: true + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - '/root:' + - '/bin/bash' + extractors: + - type: regex + name: passwd-file + regex: + - '(/root:/bin/bash)' diff --git a/templates/vulnerability/upload-form.yaml b/templates/vulnerability/upload-form.yaml new file mode 100644 index 0000000..31ccc4c --- /dev/null +++ b/templates/vulnerability/upload-form.yaml @@ -0,0 +1,27 @@ +id: hae-upload-form + +info: + name: Upload Form + severity: medium + description: Detect file upload form elements + tags: hae, vulnerability + metadata: + color: yellow + scope: response body + engine: dfa + sensitive: false + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'type="file"' + case-insensitive: true + extractors: + - type: regex + name: upload-form + regex: + - '(?i)(type=\"file\")' diff --git a/templates/vulnerability/url-as-a-value.yaml b/templates/vulnerability/url-as-a-value.yaml new file mode 100644 index 0000000..9d6d507 --- /dev/null +++ b/templates/vulnerability/url-as-a-value.yaml @@ -0,0 +1,22 @@ +id: hae-url-as-a-value + +info: + name: URL As A Value + severity: info + description: Detect URLs used as parameter values (potential SSRF/redirect) + tags: hae, vulnerability + metadata: + color: cyan + scope: any + engine: nfa + sensitive: false + loaded: true + +file: + - extensions: + - all + extractors: + - type: regex + name: url-as-a-value + regex: + - '(?i)(=(https?)(://|%3a%2f%2f))' diff --git a/templates/vulnerability/win-ini-file.yaml b/templates/vulnerability/win-ini-file.yaml new file mode 100644 index 0000000..9319052 --- /dev/null +++ b/templates/vulnerability/win-ini-file.yaml @@ -0,0 +1,26 @@ +id: hae-win-ini-file + +info: + name: Win.ini File + severity: critical + description: Detect Windows win.ini file content disclosure + tags: hae, vulnerability + metadata: + color: red + scope: response body + engine: dfa + sensitive: true + loaded: true + +file: + - extensions: + - all + matchers: + - type: word + words: + - 'for 16-bit app' + extractors: + - type: regex + name: win-ini-file + regex: + - '(for 16-bit app)'