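metadata:
    language: v2-beta
    name: "HTTP Methods and Server Detection"
    description: "Checks multiple HTTP methods, detects server/proxy types, identifies enabled TRACE method, examines headers for software versions and custom values, and inspects for redirections"
    author: "Kaustubh"

define:
    # Shared prefix for the fingerprinting findings reported below.
    desc = "The service that the application uses was detected"

# Every method in this list is sent once against the base request; the
# checks below run on each response. Non-standard and WebDAV verbs are
# included so that fingerprinting differences and TRACE handling can be
# observed for methods the application does not normally receive.
run for each:
    method_list =
        "GET",
        "POST",
        "PUT",
        "DELETE",
        "OPTIONS",
        "TRACE",
        "PATCH",
        "HEAD",
        "CHECKIN",
        "CHECKOUT",
        "COPY",
        "INDEX",
        "LINK",
        "LOCK",
        "MKCOL",
        "MOVE",
        "NOEXISTE",
        "ORDERPATCH",
        "PROPFIND",
        "PROPPATCH",
        "REPORT",
        "SEARCH",
        "SHOWMETHOD",
        "SPACEJUMP",
        "TEXTSEARCH",
        "TRACK",
        "UNCHECKOUT",
        "UNLINK",
        "UNLOCK",
        "VERSION-CONTROL",
        "BAMBOOZLE",
        "CONNECT"

given request then
    # Re-send the base request with only the method swapped.
    send request called check:
        method: {method_list}

    # Server and X-Powered-By header checks.
    # NOTE(review): these two header checks are evaluated for every method in
    # the list, so the same Server header can be reported up to once per
    # method — confirm whether Burp deduplicates these issues.
    if {check.response.headers} matches "[Xx](-|_)[Pp]owered(-|_)[Bb]y:[^\n]+" then
        report issue and continue:
            severity: info
            confidence: firm
            detail: `{desc} via {method_list} method. Detected from HTTP X-Powered-By header.`
            remediation: "Review and configure server headers."
    end if

    # The optional "X-"/"X_" prefix also catches X-Server style headers.
    if {check.response.headers} matches "([Xx](-|_)|)[Ss]erver:[^\n]+" then
        report issue and continue:
            severity: info
            confidence: firm
            detail: `{desc} via {method_list} method. Detected from HTTP Server header.`
            remediation: "Review and configure server headers."
    end if

    # Error page check: default 400 pages from nginx/Apache name the server
    # inside a <center> element. The alternation is written per product so
    # that only "nginx" or "Apache" (either case) can match.
    if {check.response.status_code} is "400" and
       {check.response.body} matches "center>([Nn]ginx|[Aa]pache)" then
        report issue and continue:
            severity: info
            confidence: firm
            detail: `{desc} via {method_list} method. Detected from 400 status code response.`
            remediation: "Review server configuration and error pages."
    end if

    # TRACE method check.
    # NOTE(review): a 200 alone is taken as proof that TRACE is enabled; a
    # server that answers 200 to unknown methods would also trip this.
    # Confirm against the response body (TRACE echoes the request) before
    # relying on this finding.
    if {method_list} is "TRACE" and
       {check.response.status_code} is "200" then
        report issue and continue:
            severity: medium
            confidence: firm
            detail: "TRACE method enabled on the server. Potential for Cross-Site Tracing attacks."
            remediation: "Disable TRACE method to prevent potential vulnerabilities."
    end if

    # Server version disclosure check: a Server header is present and a
    # dotted x.y.z number appears somewhere in the headers (not necessarily
    # in the Server header itself).
    # NOTE(review): the dot is written as "\\." here but "\n" is a single
    # backslash above — confirm which escaping the BCheck string syntax
    # expects; if backslashes are not processed, this matches a literal
    # backslash rather than a dot.
    if {check.response.headers} matches "([Xx](-|_)|)[Ss]erver:[^\n]+" and
       {check.response.headers} matches "([0-9]{1,2}\\.[0-9]{1,2}\\.[0-9]{1,2})" then
        report issue and continue:
            severity: info
            confidence: firm
            detail: "Server version disclosed via {method_list} method."
            remediation: "Avoid disclosing software versions in headers."
    end if

    # Redirection check: any 3xx redirect status that also carries a
    # Location header. Header names are case-insensitive (and are lower-case
    # on HTTP/2), so "Location" and "location" are both accepted, matching
    # the convention used for the Server header above.
    if {check.response.status_code} is "301" or
       {check.response.status_code} is "302" or
       {check.response.status_code} is "303" or
       {check.response.status_code} is "307" or
       {check.response.status_code} is "308" then
        if {check.response.headers} matches "[Ll]ocation: [^\n]+" then
            report issue and continue:
                severity: info
                confidence: firm
                detail: "Redirection observed for {method_list} method. Further investigation might reveal the exact redirection endpoint."
                remediation: "Review the purpose and security implications of redirections."
        end if
    end if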