From f8f41d1320b87ec31581000178a8dbad3c6be493 Mon Sep 17 00:00:00 2001 From: notshivansh Date: Wed, 4 Oct 2023 15:52:55 +0530 Subject: [PATCH 01/14] add error messages for failing test results and update summary if test failed --- .../akto/test_editor/execution/Executor.java | 17 +++++- .../src/main/java/com/akto/testing/Main.java | 41 +++++++++++++- .../java/com/akto/testing/TestExecutor.java | 55 +++++++++++++------ .../yaml_tests/SecurityTestTemplate.java | 5 ++ .../java/com/akto/dto/testing/TestResult.java | 5 +- 5 files changed, 101 insertions(+), 22 deletions(-) diff --git a/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java b/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java index 27b86f1c95..079d44f771 100644 --- a/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java +++ b/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java @@ -9,6 +9,7 @@ import com.akto.dto.test_editor.*; import com.akto.dto.testing.AuthMechanism; import com.akto.dto.testing.TestResult; +import com.akto.dto.testing.TestResult.TestError; import com.akto.dto.testing.TestingRunConfig; import com.akto.log.LoggerMaker; import com.akto.log.LoggerMaker.LogDb; @@ -18,6 +19,7 @@ import com.akto.utils.RedactSampleData; import java.util.ArrayList; +import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -32,6 +34,7 @@ public List execute(ExecutorNode node, RawApi rawApi, Map execute(ExecutorNode node, RawApi rawApi, Map sampleRawApis = new ArrayList<>(); 
@@ -61,6 +67,7 @@ public List execute(ExecutorNode node, RawApi rawApi, Map execute(ExecutorNode node, RawApi rawApi, Map testingRunResults = TestingRunResultDao.instance.findAll( + Filters.eq(TestingRunResult.TEST_RUN_RESULT_SUMMARY_ID, summaryId) + ); + + if(testingRunResults == null){ + testingRunResults = new ArrayList<>(); + } + + Map totalCountIssues = TestExecutor.calculateCountIssues(testingRunResults); + + int totalApis = 0; + try { + totalApis = testingRun.getTestingEndpoints().returnApis().size(); + } catch (Exception e) { + totalApis = 0; + } + + Bson updates = Updates.combine( + Updates.set(TestingRunResultSummary.END_TIMESTAMP, Context.now()), + Updates.set(TestingRunResultSummary.STATE, State.COMPLETED), + Updates.set(TestingRunResultSummary.COUNT_ISSUES, totalCountIssues), + Updates.set(TestingRunResultSummary.TOTAL_APIS, totalApis), + Updates.set(TestingRunResultSummary.TEST_RESULTS_COUNT, testingRunResults.size()) + ); + + TestingRunResultSummariesDao.instance.updateOne( + Filters.eq(TestingRunResultSummary.ID, summaryId), updates); + } + } + loggerMaker.infoAndAddToDb("Tests completed in " + (Context.now() - start) + " seconds", LogDb.TESTING); }, "testing"); Thread.sleep(1000); diff --git a/apps/testing/src/main/java/com/akto/testing/TestExecutor.java b/apps/testing/src/main/java/com/akto/testing/TestExecutor.java index ff46f2e9e1..11ff1838f0 100644 --- a/apps/testing/src/main/java/com/akto/testing/TestExecutor.java +++ b/apps/testing/src/main/java/com/akto/testing/TestExecutor.java @@ -17,6 +17,7 @@ import com.akto.dto.test_editor.TestConfig; import com.akto.dto.testing.*; import com.akto.dto.testing.TestResult.Confidence; +import com.akto.dto.testing.TestResult.TestError; import com.akto.dto.testing.TestingRun.State; import com.akto.dto.type.RequestTemplate; import com.akto.dto.type.SingleTypeInfo; 
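Review bot: The summary written by the new Main.java block is stamped `State.COMPLETED` even though, per the commit subject, this path runs when the test run failed, so an aborted run is indistinguishable from a clean one to any dashboard view or CI gate that reads STATE. If TestingRun.State has a failure value, set it here instead; if not, at least record the failure next to the update at error level (e.g. `loggerMaker.errorAndAddToDb("Test run failed, closing summary " + summaryId, LogDb.TESTING);`, if LoggerMaker offers such a method) rather than letting the run look successful. The `catch (Exception e) { totalApis = 0; }` around `returnApis()` likewise swallows its cause without a log line. The file header and the condition guarding this block are garbled in the page, so the enclosing method and the branch this code sits in are not visible.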
@@ -243,18 +244,7 @@ public void apiWiseInit(TestingRun testingRun, ObjectId summaryId) { loggerMaker.infoAndAddToDb("Finished adding issues", LogDb.TESTING); - Map totalCountIssues = new HashMap<>(); - totalCountIssues.put("HIGH", 0); - totalCountIssues.put("MEDIUM", 0); - totalCountIssues.put("LOW", 0); - - for (TestingRunResult testingRunResult: testingRunResults) { - if (testingRunResult.isVulnerable()) { - String severity = getSeverityFromTestingRunResult(testingRunResult).toString(); - int initialCount = totalCountIssues.get(severity); - totalCountIssues.put(severity, initialCount + 1); - } - } + Map totalCountIssues = calculateCountIssues(testingRunResults); TestingRunResultSummariesDao.instance.updateOne( Filters.eq("_id", summaryId), @@ -279,6 +269,26 @@ public static Severity getSeverityFromTestingRunResult(TestingRunResult testingR return severity; } + public static Map calculateCountIssues(List testingRunResults){ + Map totalCountIssues = new HashMap<>(); + totalCountIssues.put("HIGH", 0); + totalCountIssues.put("MEDIUM", 0); + totalCountIssues.put("LOW", 0); + + if(testingRunResults == null){ + return totalCountIssues; + } + + for (TestingRunResult testingRunResult : testingRunResults) { + if (testingRunResult.isVulnerable()) { + String severity = getSeverityFromTestingRunResult(testingRunResult).toString(); + int initialCount = totalCountIssues.get(severity); + totalCountIssues.put(severity, initialCount + 1); + } + } + return totalCountIssues; + } + public static String findHost(ApiInfo.ApiInfoKey apiInfoKey, Map> sampleMessagesMap, SampleMessageStore sampleMessageStore) throws URISyntaxException { List sampleMessages = sampleMessagesMap.get(apiInfoKey); if (sampleMessages == null || sampleMessagesMap.isEmpty()) return null; 
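Review bot: `calculateCountIssues` indexes `totalCountIssues` with `getSeverityFromTestingRunResult(...).toString()` but pre-seeds only HIGH/MEDIUM/LOW, so any other Severity value (if the enum has or later gains one) makes `get` return null and the `int initialCount` unboxing throws an NPE in the middle of writing the summary. Replace the two lines inside the `isVulnerable()` branch with `totalCountIssues.merge(severity, 1, Integer::sum);`, which keeps the seeded keys and tolerates extras. Unrelated but visible in the trailing context of `findHost`: `if (sampleMessages == null || sampleMessagesMap.isEmpty())` tests the map's emptiness rather than `sampleMessages.isEmpty()`, which looks like a pre-existing typo worth fixing while here.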
@@ -551,8 +561,19 @@ public boolean applyRunOnceCheck(ApiInfoKey apiInfoKey, TestConfig testConfig, C public TestingRunResult runTestNew(ApiInfo.ApiInfoKey apiInfoKey, ObjectId testRunId, TestingUtil testingUtil, ObjectId testRunResultSummaryId, TestConfig testConfig, TestingRunConfig testingRunConfig) { + String testSuperType = testConfig.getInfo().getCategory().getName(); + String testSubType = testConfig.getInfo().getSubCategory(); + List messages = testingUtil.getSampleMessages().get(apiInfoKey); - if (messages == null || messages.size() == 0) return null; + if (messages == null || messages.isEmpty()){ + List testResults = new ArrayList<>(); + testResults.add(new TestResult(null, null, Collections.singletonList(TestError.NO_PATH.getMessage()),0, false, Confidence.HIGH, null)); + return new TestingRunResult( + testRunId, apiInfoKey, testSuperType, testSubType ,testResults, + false,new ArrayList<>(),100,Context.now(), + Context.now(), testRunResultSummaryId + ); + } String message = messages.get(0); @@ -573,9 +594,6 @@ public TestingRunResult runTestNew(ApiInfo.ApiInfoKey apiInfoKey, ObjectId testR varMap.put("wordList_" + key, wordListsMap.get(key)); } - String testSuperType = testConfig.getInfo().getCategory().getName(); - String testSubType = testConfig.getInfo().getSubCategory(); - String testExecutionLogId = UUID.randomUUID().toString(); loggerMaker.infoAndAddToDb("triggering test run for apiInfoKey " + apiInfoKey + "test " + 
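Review bot: The new early return in `runTestNew` persists a `TestingRunResult` for every API that has no sample traffic, where the old code returned null and let the caller skip the API; these placeholder results now count toward the summary's TEST_RESULTS_COUNT and carry a `TestResult` whose originalMessage is null, which downstream consumers that parse the message (e.g. `toOutputString` in patch 02) do not expect. Either keep these placeholders out of the persisted set or make the contract explicit at the constructor call: `// placeholder for an API with no sample request; originalMessage is null and consumers must null-check`. Also confirm `TestError.NO_PATH` is the intended label for "no sample messages"; its text is not visible in this patch, and the `100` literal passed to the `TestingRunResult` constructor deserves a named constant or comment since its meaning cannot be read off the call.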
@@ -585,8 +603,9 @@ public TestingRunResult runTestNew(ApiInfo.ApiInfoKey apiInfoKey, ObjectId testR YamlTestTemplate yamlTestTemplate = new YamlTestTemplate(apiInfoKey,filterNode, validatorNode, executorNode, rawApi, varMap, auth, testingUtil.getAuthMechanism(), testExecutionLogId, testingRunConfig, customAuthTypes); List testResults = yamlTestTemplate.run(); - if (testResults == null || testResults.size() == 0) { - return null; + if (testResults == null || testResults.isEmpty()) { + testResults = new ArrayList<>(); + testResults.add(new TestResult(null, rawApi.getOriginalMessage(), Collections.singletonList(TestError.SOMETHING_WENT_WRONG.getMessage()), 0, false, TestResult.Confidence.HIGH, null)); } int endTime = Context.now(); diff --git a/apps/testing/src/main/java/com/akto/testing/yaml_tests/SecurityTestTemplate.java b/apps/testing/src/main/java/com/akto/testing/yaml_tests/SecurityTestTemplate.java index 1ce360da9a..87c51c9faf 100644 --- a/apps/testing/src/main/java/com/akto/testing/yaml_tests/SecurityTestTemplate.java +++ b/apps/testing/src/main/java/com/akto/testing/yaml_tests/SecurityTestTemplate.java @@ -8,6 +8,7 @@ import com.akto.dto.testing.AuthMechanism; import com.akto.dto.testing.TestResult; import com.akto.dto.testing.TestingRunConfig; +import com.akto.dto.testing.TestResult.TestError; import java.util.Collections; @@ -62,6 +63,10 @@ public List run() { return testResults; } List attempts = executor(); + if(attempts == null || attempts.isEmpty()){ + attempts = new ArrayList<>(); + attempts.add(new TestResult(null, rawApi.getOriginalMessage(), Collections.singletonList(TestError.EXECUTION_FAILED.getMessage()), 0, false, TestResult.Confidence.HIGH, null)); + } return attempts; } diff --git a/libs/dao/src/main/java/com/akto/dto/testing/TestResult.java b/libs/dao/src/main/java/com/akto/dto/testing/TestResult.java index 41c634bde8..7ba2dcf9e4 100644 --- a/libs/dao/src/main/java/com/akto/dto/testing/TestResult.java 
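Review bot: The new guard in `SecurityTestTemplate.run` reports any empty `executor()` result as `EXECUTION_FAILED`, but an empty attempt list is also what a template yields when its execute block simply built no requests, which is the case the newly added `TestError.NO_API_REQUEST` ("No test requests created") appears meant for; the two are not distinguished here, and neither `NO_API_REQUEST` nor `INVALID_EXECUTION_BLOCK` is used anywhere in this patch. Because `run()` can now only return a non-empty list or null, the `SOMETHING_WENT_WRONG` fallback added in `runTestNew` in the same patch is reachable only on a null return, so annotate it to stop the two layers being mistaken for duplicates: `// run() already substitutes an error result for an empty attempt list; this only covers a null return`. `run()`'s body begins before this hunk.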
+++ b/libs/dao/src/main/java/com/akto/dto/testing/TestResult.java @@ -30,7 +30,10 @@ public enum TestError { FAILED_DOWNLOADING_PAYLOAD_FILES("Failed downloading payload files"), FAILED_BUILDING_NUCLEI_TEMPLATE("Failed building nuclei template"), FAILED_BUILDING_URL_WITH_DOMAIN("Failed building URL with domain"), - FAILED_REPLACING_VARIABLES_IN_NUCLEI_TEMPLATE("Failed replacing variables in nuclei template"); + FAILED_REPLACING_VARIABLES_IN_NUCLEI_TEMPLATE("Failed replacing variables in nuclei template"), + EXECUTION_FAILED("Test execution failed"), + INVALID_EXECUTION_BLOCK("Invalid test execution block in template"), + NO_API_REQUEST("No test requests created"); private final String message; From 387462c9bc2ff32dd2a4271065468c0766a13d43 Mon Sep 17 00:00:00 2001 From: notshivansh Date: Sat, 14 Oct 2023 12:13:40 +0530 Subject: [PATCH 02/14] add log levels to testing cli --- .../main/java/com/akto/testing_cli/Main.java | 81 +++++++++++++++++-- .../akto/dto/testing/TestingRunResult.java | 5 +- 2 files changed, 76 insertions(+), 10 deletions(-) diff --git a/apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java b/apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java index b2d013adde..7ef74eedd0 100644 --- a/apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java +++ b/apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java @@ -80,6 +80,20 @@ public static T decode(Codec codec, Document doc){ return codec.decode(bsonReader, DecoderContext.builder().build()); } + public enum OUTPUT_LEVEL { + NONE, SUMMARY, DETAILED, DEBUG + } + + static String getSeverity(Map testConfigMap, TestingRunResult it) { + String severity = "HIGH"; + try { + severity = testConfigMap.get(it.getTestSubType()).getInfo().getSeverity(); + } catch (Exception e) { + severity = "HIGH"; + } + return severity; + } + public static void main(String[] args) { if (AKTO_DASHBOARD_URL == null || AKTO_DASHBOARD_URL.isEmpty() || AKTO_API_KEY == null 
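Review bot: `getSeverity` wraps the map lookup in `catch (Exception e)` and returns "HIGH" for any failure, so a test sub-type missing from `testConfigMap` (or a config with no Info/severity) is reported at the highest severity without any log line, and a pipeline that gates on severity fails for the wrong reason. Prefer explicit null checks with a logged fallback: `TestConfig cfg = testConfigMap.get(it.getTestSubType());` / `if (cfg == null || cfg.getInfo() == null || cfg.getInfo().getSeverity() == null) { logger.warn("No severity for " + it.getTestSubType() + ", defaulting to HIGH"); return "HIGH"; }` / `return cfg.getInfo().getSeverity();`. A `logger` field is used later in this file (the `@@ -337` hunk), so one appears to be available; use `info` if it has no `warn`.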
@@ -337,17 +351,32 @@ public static void main(String[] args) { } } + Map> vulnerableTestToApiMap = new HashMap<>(); + for (TestingRunResult it : testingRunResults) { - String severity = "HIGH"; - try { - severity = testConfigMap.get(it.getTestSubType()).getInfo().getSeverity(); - } catch (Exception e){ - severity = "HIGH"; + String severity = getSeverity(testConfigMap, it); + + if(it.isVulnerable()){ + List tmp = vulnerableTestToApiMap.getOrDefault(it.getTestSubType(), new ArrayList<>()); + tmp.add(it.getApiInfoKey()); + vulnerableTestToApiMap.put(it.getTestSubType(), tmp); } String output = it.toConsoleString(severity); System.out.println(output); } + OUTPUT_LEVEL outputLevel = OUTPUT_LEVEL.SUMMARY; + + try { + outputLevel = OUTPUT_LEVEL.valueOf(System.getenv("OUTPUT_LEVEL")); + } catch (Exception e){ + logger.info("Using default output level: SUMMARY"); + } + + if(outputLevel.equals(OUTPUT_LEVEL.NONE)){ + return; + } + String fileDir = "../out/"; String filePath = fileDir + "output.txt"; 
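Review bot: `OUTPUT_LEVEL.valueOf(System.getenv("OUTPUT_LEVEL"))` lands in the same catch whether the variable is unset (NPE) or set to an unrecognised value, and both are logged as "Using default output level: SUMMARY", so a typo such as `detailed` in a pipeline silently downgrades the report. Read the variable first and treat only null as "use default": `String lvl = System.getenv("OUTPUT_LEVEL");`, parse `OUTPUT_LEVEL.valueOf(lvl.trim().toUpperCase(Locale.ROOT))` when it is non-null (needs `java.util.Locale`), and in the catch log `"Unrecognised OUTPUT_LEVEL '" + lvl + "', using SUMMARY"`. The early `return` for NONE skips the whole file report, which looks intended but should say so: `// NONE: console output only, skip writing output.txt`.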
@@ -363,9 +392,45 @@ public static void main(String[] args) { try (BufferedWriter writer = new BufferedWriter(new FileWriter(new File(filePath)))) { writer.write("Api collection: " + apiCollectionId + " " + apiCollection.getDisplayName() + "\n\n"); - for (TestingRunResult it : testingRunResults) { - String output = it.toOutputString() + "\n ------------------------------------ \n\n"; - writer.write(output); + + if (totalVulnerabilities > 0) { + writer.write("Vulnerabilities: \n"); + for (Map.Entry entry : severityMap.entrySet()) { + writer.write(entry.getKey() + ": " + entry.getValue() + "\n"); + } + writer.write("\n"); + + for (Map.Entry> entry : vulnerableTestToApiMap.entrySet()) { + TestConfig testConfig = testConfigMap.getOrDefault(entry.getKey(), null); + + writer.write("Test ID: " + entry.getKey() + "\n"); + + if(testConfig != null){ + writer.write("Test name: " + testConfig.getInfo().getName() + "\n"); + writer.write("Severity: " + testConfig.getInfo().getSeverity() + "\n"); + + if(!outputLevel.equals(OUTPUT_LEVEL.SUMMARY)){ + writer.write("Description: " + testConfig.getInfo().getDescription() + "\n"); + writer.write("Impact: " + testConfig.getInfo().getImpact() + "\n\n"); + } + + } + + writer.write("APIs affected: \n"); + for(ApiInfo.ApiInfoKey apiInfoKey: entry.getValue()){ + writer.write(apiInfoKey.getUrl() + " " + apiInfoKey.getMethod().toString() + "\n"); + } + writer.write("\n ********************* \n\n"); + } + } + + if(outputLevel.equals(OUTPUT_LEVEL.DEBUG)){ + writer.write("DEBUG result: \n"); + for (TestingRunResult it : testingRunResults) { + String severity = getSeverity(testConfigMap, it); + String output = it.toOutputString(severity) + "\n ------------------------------------ \n\n"; + writer.write(output); + } } System.out.println("Detailed result is written to output.txt"); } catch (Exception e) { 
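Review bot: The DEBUG branch writes every `TestingRunResult` through `toOutputString`, which parses `testResult.getOriginalMessage()` — the raw sample request/response — into `output.txt`; if that rendering includes request headers, Authorization and cookie values from the traffic samples end up in a plaintext report that CI systems routinely archive as a build artefact. Consider passing results through the redaction helper the testing module already uses (`com.akto.utils.RedactSampleData` is imported in Executor.java in patch 01) before writing, or at minimum add `// DEBUG output embeds raw sample requests; do not publish output.txt as a build artefact` above the branch. `totalVulnerabilities` and `severityMap` are used here but computed before the hunk, so their derivation is not visible.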
diff --git a/libs/dao/src/main/java/com/akto/dto/testing/TestingRunResult.java b/libs/dao/src/main/java/com/akto/dto/testing/TestingRunResult.java index 8a9a7c6bfa..47bc59dfb3 100644 --- a/libs/dao/src/main/java/com/akto/dto/testing/TestingRunResult.java +++ b/libs/dao/src/main/java/com/akto/dto/testing/TestingRunResult.java @@ -191,11 +191,12 @@ public String toConsoleString(String severity) { "\n" + ColorConstants.RESET; } - public String toOutputString(){ + public String toOutputString(String severity){ StringBuilder bld = new StringBuilder(); bld.append("API: " + apiInfoKey.getUrl() + " " + apiInfoKey.getMethod().toString() + "\n"); - bld.append("Test: " + testSuperType + " " + testSubType + " " + "Vulnerable: " + vulnerable + "\n"); + bld.append("Test: " + testSuperType + " " + testSubType + " Vulnerable: " + vulnerable + + (vulnerable ? " Severity : " + severity : "") + "\n"); for (TestResult testResult : testResults) { Gson gson = new Gson(); Map json = gson.fromJson(testResult.getOriginalMessage(), new TypeToken>(){}.getType()); From 2b97d75f165a7393618d554cc7143a26f6eed03b Mon Sep 17 00:00:00 2001 From: notshivansh Date: Sat, 14 Oct 2023 22:31:54 +0530 Subject: [PATCH 03/14] add unit tests for cicd and scheduled tests and add more logs --- apps/dashboard/pom.xml | 6 + .../akto/action/testing/StartTestAction.java | 1 + .../action/testing/TestStartTestAction.java | 135 +++++++++++++++++- .../java/com/akto/testing/ApiExecutor.java | 5 + 4 files changed, 146 insertions(+), 1 deletion(-) diff --git a/apps/dashboard/pom.xml b/apps/dashboard/pom.xml index 7c25a66bc1..7524fb542c 100644 --- a/apps/dashboard/pom.xml +++ b/apps/dashboard/pom.xml @@ -215,6 +215,12 @@ mvc-auth-commons 1.9.5 + + org.mockito + mockito-core + 3.12.4 + test + src/main/java diff --git a/apps/dashboard/src/main/java/com/akto/action/testing/StartTestAction.java b/apps/dashboard/src/main/java/com/akto/action/testing/StartTestAction.java index e30754e777..0b0a84f9d8 100644 
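Review bot: `toOutputString(String severity)` replaces the no-argument overload rather than adding to it, so any caller outside this patch still invoking `toOutputString()` no longer compiles; keeping `public String toOutputString() { return toOutputString(null); }` preserves source compatibility. Inside the loop, `gson.fromJson(testResult.getOriginalMessage(), ...)` returns null when the message is null — which patch 01 now produces for its error placeholder results — so the loop needs `if (json == null) { bld.append("No request captured\n"); continue; }` before `json` is used, and `new Gson()` can be hoisted out of the loop. The remainder of the loop body lies outside the hunk.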
--- a/apps/dashboard/src/main/java/com/akto/action/testing/StartTestAction.java +++ b/apps/dashboard/src/main/java/com/akto/action/testing/StartTestAction.java @@ -200,6 +200,7 @@ public String startTest() { 0, localTestingRun.getId(), localTestingRun.getId().toHexString(), 0); summary.setState(TestingRun.State.SCHEDULED); if(metadata!=null){ + loggerMaker.infoAndAddToDb("CICD test triggered at " + Context.now(), LogDb.DASHBOARD); summary.setMetadata(metadata); } TestingRunResultSummariesDao.instance.insertOne(summary); diff --git a/apps/dashboard/src/test/java/com/akto/action/testing/TestStartTestAction.java b/apps/dashboard/src/test/java/com/akto/action/testing/TestStartTestAction.java index 5722832789..38b7bb9c24 100644 --- a/apps/dashboard/src/test/java/com/akto/action/testing/TestStartTestAction.java +++ b/apps/dashboard/src/test/java/com/akto/action/testing/TestStartTestAction.java 
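Review bot: The new audit line `"CICD test triggered at " + Context.now()` records no identifier, so it cannot be correlated with the run or summary it belongs to when several pipelines trigger tests concurrently. Include the run id that is already in scope: `loggerMaker.infoAndAddToDb("CICD test triggered for run " + localTestingRun.getId().toHexString() + " at " + Context.now(), LogDb.DASHBOARD);`. The enclosing `startTest()` method extends beyond the hunk.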
@@ -1,22 +1,46 @@ package com.akto.action.testing; import com.akto.MongoBasedTest; +import com.akto.action.ApiTokenAction; +import com.akto.dao.AccountSettingsDao; +import com.akto.dao.ApiTokensDao; +import com.akto.dao.UsersDao; import com.akto.dao.context.Context; import com.akto.dao.testing.TestingRunDao; import com.akto.dao.testing.TestingRunResultSummariesDao; +import com.akto.dto.AccountSettings; import com.akto.dto.ApiInfo; +import com.akto.dto.ApiToken; +import com.akto.dto.User; +import com.akto.dto.UserAccountEntry; +import com.akto.dto.ApiToken.Utility; import com.akto.dto.testing.*; import com.akto.dto.testing.TestingRun.State; import com.akto.dto.type.URLMethods; +import com.akto.filter.UserDetailsFilter; +import com.akto.util.Constants; import com.mongodb.BasicDBObject; import com.mongodb.client.model.Filters; +import com.mongodb.client.model.Updates; +import com.opensymphony.xwork2.Action; + import org.bson.conversions.Bson; import org.bson.types.ObjectId; import org.junit.Test; +import java.io.IOException; import java.util.*; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; + import static org.junit.Assert.assertEquals; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; public class TestStartTestAction extends MongoBasedTest { 
@@ -108,7 +132,116 @@ public void testStartTest() { startTestAction.setTestingRunHexId(testingRunHexId); startTestAction.startTest(); - assertEquals(1,TestingRunDao.instance.findAll(new BasicDBObject()).size()); + List testingRuns = TestingRunDao.instance.findAll(new BasicDBObject()); + assertEquals(1,testingRuns.size()); + + testingRun = testingRuns.get(0); + assertEquals(State.SCHEDULED, testingRun.getState()); + + TestingRunDao.instance.updateOne(Constants.ID, new ObjectId(testingRunHexId), Updates.set(TestingRun.STATE, State.COMPLETED.toString())); + + int startTimestamp = Context.now() + 10000; + startTestAction.setStartTimestamp(startTimestamp); + + startTestAction.startTest(); + testingRun = TestingRunDao.instance.findOne(Constants.ID, new ObjectId(testingRunHexId)); + assertEquals(State.SCHEDULED, testingRun.getState()); + assertEquals(startTimestamp, testingRun.getScheduleTimestamp()); + + } + + @Test + public void testStartCICDTest() throws IOException, ServletException { + TestingRunDao.instance.getMCollection().drop(); + ApiTokensDao.instance.getMCollection().drop(); + UsersDao.instance.getMCollection().drop(); + AccountSettingsDao.instance.getMCollection().drop(); + TestingRunResultSummariesDao.instance.getMCollection().drop(); + + // create an CICD API token, mock a server request with it and check if it recognizes it. 
+ + UserAccountEntry userAccountEntry = new UserAccountEntry(); + userAccountEntry.setAccountId(ACCOUNT_ID); + userAccountEntry.setDefault(true); + Map accountAccessMap = new HashMap<>(); + accountAccessMap.put(ACCOUNT_ID+"", userAccountEntry); + + User user = new User(); + user.setLogin("test@akto.io"); + user.setAccounts(accountAccessMap); + + UsersDao.instance.insertOne(user); + AccountSettings acc = new AccountSettings(); + acc.setDashboardVersion("test - test - test"); + acc.setId(ACCOUNT_ID); + AccountSettingsDao.instance.insertOne(acc); + + Map userSession = new HashMap<>(); + userSession.put("user",user); + + ApiTokenAction apiTokenAction = new ApiTokenAction(); + apiTokenAction.setSession(userSession); + apiTokenAction.setTokenUtility(Utility.CICD); + String res = apiTokenAction.addApiToken(); + + assertEquals(Action.SUCCESS.toUpperCase(), res); + + List apiTokens = apiTokenAction.getApiTokenList(); + assertEquals(1, apiTokens.size()); + + ApiToken apiToken = apiTokens.get(0); + assertEquals(Utility.CICD, apiToken.getUtility()); + + HttpServletRequest httpServletRequest = mock(HttpServletRequest.class); + HttpServletResponse httpServletResponse = mock(HttpServletResponse.class); + HttpSession httpSession = mock(HttpSession.class); + FilterChain filterChain = mock(FilterChain.class); + + when(httpServletRequest.getHeader("X-API-KEY")).thenReturn(apiToken.getKey()); + when(httpServletRequest.getRequestURI()).thenReturn("/api/startTest"); + when(httpServletRequest.getSession(true)).thenReturn(httpSession); + when(httpServletRequest.getSession()).thenReturn(httpSession); + when(httpSession.getAttribute("accountId")).thenReturn(ACCOUNT_ID); + + UserDetailsFilter userDetailsFilter = new UserDetailsFilter(); + userDetailsFilter.doFilter(httpServletRequest, httpServletResponse, + filterChain); + + // verify if cicd token is recognized. 
+ verify(httpSession).setAttribute("utility", Utility.CICD.toString()); + verify(httpSession).setAttribute("accountId", String.valueOf(ACCOUNT_ID)); + + // check completion of filter chain + verify(filterChain).doFilter(httpServletRequest, httpServletResponse); + + CollectionWiseTestingEndpoints collectionWiseTestingEndpoints = new CollectionWiseTestingEndpoints(1000); + TestingRun testingRun = new TestingRun(Context.now(), "", collectionWiseTestingEndpoints, 0, + TestingRun.State.COMPLETED, 0, "test", ""); + TestingRunDao.instance.insertOne(testingRun); + String testingRunHexId = testingRun.getHexId(); + + assertEquals(1, TestingRunDao.instance.findAll(new BasicDBObject()).size()); + + // trigger startTest API with CICD session. + StartTestAction startTestAction = new StartTestAction(); + Map testSession = new HashMap<>(); + testSession.put("utility", Utility.CICD.toString()); + startTestAction.setSession(testSession); + startTestAction.setTestingRunHexId(testingRunHexId); + Map metadata = new HashMap<>(); + metadata.put("test", "test"); + startTestAction.setMetadata(metadata); + startTestAction.startTest(); + + assertEquals(1, TestingRunDao.instance.findAll(new BasicDBObject()).size()); + + List summariesFromDb = TestingRunResultSummariesDao.instance.findAll(new BasicDBObject()); + assertEquals(1, summariesFromDb.size()); + + TestingRunResultSummary summary = summariesFromDb.get(0); + + assertEquals(metadata, summary.getMetadata()); + } } diff --git a/apps/testing/src/main/java/com/akto/testing/ApiExecutor.java b/apps/testing/src/main/java/com/akto/testing/ApiExecutor.java index d3c4e1d9cb..1e6731fb7e 100644 --- a/apps/testing/src/main/java/com/akto/testing/ApiExecutor.java +++ b/apps/testing/src/main/java/com/akto/testing/ApiExecutor.java 
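Review bot: `testStartCICDTest` exercises only the accepting path of `UserDetailsFilter` — a valid CICD key reaches `filterChain.doFilter` and sets the session utility — with no negative case, so a regression that lets an unknown, revoked or differently-scoped `X-API-KEY` through would still pass. Add a second request stubbed with `when(httpServletRequest.getHeader("X-API-KEY")).thenReturn("not-a-real-key");` and assert `verify(filterChain, never()).doFilter(httpServletRequest, httpServletResponse);` and `verify(httpSession, never()).setAttribute("utility", Utility.CICD.toString());` (needs `import static org.mockito.Mockito.never;`). Separately, `when(httpSession.getAttribute("accountId")).thenReturn(ACCOUNT_ID)` stubs the int while the later verification expects `String.valueOf(ACCOUNT_ID)`, so if the filter reads the attribute as a String that stub is never hit — confirm which type the filter expects. The final `startTest()` call uses a session holding only `utility`, which implies the action does not require a user in session for CICD; worth stating in a comment that this is the intended contract.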
@@ -25,7 +25,12 @@ private static OriginalHttpResponse common(Request request, boolean followRedire Integer accountId = Context.accountId.get(); if (accountId != null) { + boolean rateLimitHit = true; while (RateLimitHandler.getInstance(accountId).shouldWait(request)) { + if(rateLimitHit){ + loggerMaker.infoAndAddToDb("Rate limit hit, sleeping", LogDb.TESTING); + } + rateLimitHit = false; Thread.sleep(1000); } } From 4846aaa34396c4b568af78c4a8b884dc217a2775 Mon Sep 17 00:00:00 2001 From: notshivansh Date: Mon, 16 Oct 2023 12:35:19 +0530 Subject: [PATCH 04/14] add support for enter key on create collection --- .../pages/observe/api_collections/ApiCollections.jsx | 4 ++-- apps/dashboard/web/polaris_web/web/src/util/func.js | 7 +++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/observe/api_collections/ApiCollections.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/observe/api_collections/ApiCollections.jsx index 41626613a5..0648d2ffc7 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/observe/api_collections/ApiCollections.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/observe/api_collections/ApiCollections.jsx @@ -153,7 +153,7 @@ function ApiCollections() { }} > - +
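Review bot: The flag in `common` is named `rateLimitHit` but is initialised to `true` before any wait and cleared after the first iteration, so it really means "not yet logged"; a reader skimming the loop will assume it reflects whether the limiter fired. Invert it to match its role: `boolean waitLogged = false;` … `if (!waitLogged) { loggerMaker.infoAndAddToDb("Rate limit hit, sleeping", LogDb.TESTING); waitLogged = true; }`. Logging the request's target would also make the line actionable when several accounts share the worker, but the Request accessors are not visible here. `common`'s body continues outside the hunk.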
func.handleKeyPress(e, createNewCollection)}> - +
) diff --git a/apps/dashboard/web/polaris_web/web/src/util/func.js b/apps/dashboard/web/polaris_web/web/src/util/func.js index 8e902ff39a..7e818977cb 100644 --- a/apps/dashboard/web/polaris_web/web/src/util/func.js +++ b/apps/dashboard/web/polaris_web/web/src/util/func.js @@ -1067,6 +1067,13 @@ getSizeOfFile(bytes) { } return duration.trim(); }, + handleKeyPress (event, funcToCall) { + const enterKeyPressed = event.keyCode === 13; + if (enterKeyPressed) { + event.preventDefault(); + funcToCall(); + } + } } export default func \ No newline at end of file From 15d97a05bdbf79aab0d9e7702e8445535bf4aaa9 Mon Sep 17 00:00:00 2001 From: notshivansh Date: Mon, 16 Oct 2023 14:18:58 +0530 Subject: [PATCH 05/14] add statement for no vulnerabilities --- apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java b/apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java index 7ef74eedd0..26b11a973e 100644 --- a/apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java +++ b/apps/testing-cli/src/main/java/com/akto/testing_cli/Main.java @@ -422,6 +422,8 @@ public static void main(String[] args) { } writer.write("\n ********************* \n\n"); } + } else { + writer.write("No vulnerabilities found \n\n"); } if(outputLevel.equals(OUTPUT_LEVEL.DEBUG)){ From 9ac967b4733baa43eff1dd77e62271d6a6d3cbd4 Mon Sep 17 00:00:00 2001 
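Review bot: `handleKeyPress` detects Enter via `event.keyCode === 13`; `keyCode` is deprecated in the DOM spec and is not populated by all synthetic or IME-composed events, so the shortcut can silently fail to fire. Prefer `const enterKeyPressed = event.key === "Enter" || event.keyCode === 13;` to use the standard property while keeping the old fallback, and document the contract above the function: `// Runs funcToCall on Enter and suppresses the default (form submit); every other key is ignored.` The ApiCollections.jsx hunk that wires this helper is garbled in the page (JSX tags stripped), so the call site could not be checked.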
From: notshivansh Date: Wed, 18 Oct 2023 13:59:23 +0530 Subject: [PATCH 06/14] add code for cve support --- .../action/testing_issues/IssuesAction.java | 1 + .../components/editor_config/keywords.js | 2 +- .../pages/testing/ExportHtml/ExportHtml.jsx | 87 +------- .../TestRunResultPage/TestRunResultPage.jsx | 10 +- .../apps/dashboard/pages/testing/transform.js | 209 +++++++++++++----- .../src/apps/dashboard/tools/TextEditor.vue | 2 +- .../testing/components/PDFExportHTML.vue | 14 ++ .../testing/components/TestResultsDialog.vue | 21 +- .../java/com/akto/dto/test_editor/Info.java | 13 +- 9 files changed, 215 insertions(+), 144 deletions(-) diff --git a/apps/dashboard/src/main/java/com/akto/action/testing_issues/IssuesAction.java b/apps/dashboard/src/main/java/com/akto/action/testing_issues/IssuesAction.java index fe8aab3ec7..a7b3b59f9f 100644 --- a/apps/dashboard/src/main/java/com/akto/action/testing_issues/IssuesAction.java +++ b/apps/dashboard/src/main/java/com/akto/action/testing_issues/IssuesAction.java @@ -197,6 +197,7 @@ public static BasicDBObject createSubcategoriesInfoObj(TestConfig testConfig) { infoObj.put("testName", info.getName()); infoObj.put("references", info.getReferences()); infoObj.put("cwe", info.getCwe()); + infoObj.put("cve", info.getCve()); infoObj.put("name", testConfig.getId()); infoObj.put("_name", testConfig.getId()); infoObj.put("content", testConfig.getContent()); diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/editor_config/keywords.js b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/editor_config/keywords.js index 61e6bb94cb..4b6271e482 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/editor_config/keywords.js +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/editor_config/keywords.js 
@@ -12,7 +12,7 @@ const keywords = [ "api_selection_filters", "execute", "type", "auth", "validate", "authenticated", "private_variable_context", "param_context", "endpoint_in_traffic_context", "sample_request_payload", "sample_response_payload", "sample_request_headers", "sample_response_headers", - "test_request_payload", "test_response_payload", "test_request_headers", "test_response_headers", "cwe" + "test_request_payload", "test_response_payload", "test_request_headers", "test_response_headers", "cwe", "cve" ] export default keywords \ No newline at end of file diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/ExportHtml/ExportHtml.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/ExportHtml/ExportHtml.jsx index 5f69572f69..7b30503376 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/ExportHtml/ExportHtml.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/ExportHtml/ExportHtml.jsx @@ -4,7 +4,7 @@ import issuesApi from '../../issues/api'; import api from '../api'; import PersistStore from '../../../../main/PersistStore'; import { Avatar, Box, Button,Frame, HorizontalGrid, HorizontalStack, LegacyCard, Text, TopBar, VerticalStack, Icon, Badge, List, Link } from '@shopify/polaris' -import {FlagMajor, CollectionsMajor, ResourcesMajor, InfoMinor, CreditCardSecureMajor} from "@shopify/polaris-icons" +import {FlagMajor, CollectionsMajor, ResourcesMajor, InfoMinor, CreditCardSecureMajor, FraudProtectMajor} from "@shopify/polaris-icons" import func from '@/util/func' import './styles.css' import transform from '../transform'; @@ -34,6 +34,11 @@ function ExportHtml() { title: "CWE", content: "" }, + { + icon: FraudProtectMajor, + title: "CVE", + content: "" + }, { icon: ResourcesMajor, title: "References", 
@@ -183,85 +188,7 @@ function ExportHtml() { } const fillContent = (item) => { - let filledSection = [] - moreInfoSections.forEach((section) => { - let sectionLocal = {} - sectionLocal.icon = section.icon - sectionLocal.title = section.title - switch(section.title) { - case "Description": - sectionLocal.content = ( - - {replaceTags(item.category.issueDetails, item.category.vulnerableTestingRunResults) || "No impact found"} - - ) - break; - case "Impact": - sectionLocal.content = ( - - {item.category.issueImpact || "No impact found"} - - ) - break; - case "Tags": - sectionLocal.content = ( - - { - item?.category?.issueTags?.map((tag, index) => { - return ( - {tag} - ) - }) - } - - ) - - break; - case "CWE": - sectionLocal.content = ( - - { - transform.tagList(item?.category?.cwe, true) - } - - ) - break; - case "References": - sectionLocal.content = ( - - { - item?.category?.references?.map((reference) => { - return ( - - - - {reference} - - - - ) - }) - } - - ) - break; - } - filledSection.push(sectionLocal) - }) - return filledSection - } - - const replaceTags = (details, vulnerableRequests) => { - let percentageMatch = 0; - vulnerableRequests?.forEach((request) => { - let testRun = request['testResults'] - testRun?.forEach((runResult) => { - if (percentageMatch < runResult.percentageMatch) { - percentageMatch = runResult.percentageMatch - } - }) - }) - return details.replace(/{{percentageMatch}}/g, func.prettifyShort(percentageMatch)) + return transform.fillMoreInformation(item.category, moreInfoSections); } diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/TestRunResultPage/TestRunResultPage.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/TestRunResultPage/TestRunResultPage.jsx index 6bca26bcbc..a14a195040 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/TestRunResultPage/TestRunResultPage.jsx 
+++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/TestRunResultPage/TestRunResultPage.jsx @@ -7,7 +7,8 @@ import { CollectionsMajor, FlagMajor, CreditCardSecureMajor, - MarketingMajor} from '@shopify/polaris-icons'; + MarketingMajor, + FraudProtectMajor} from '@shopify/polaris-icons'; import { Text, Button, @@ -83,6 +84,11 @@ let moreInfoSections = [ title: "CWE", content: "" }, + { + icon: FraudProtectMajor, + title: "CVE", + content: "" + }, { icon: MarketingMajor, title: "API endpoints affected", @@ -185,7 +191,7 @@ function TestRunResultPage(props) { await api.fetchAffectedEndpoints(runIssues.id).then((resp1) => { runIssuesArr = resp1['similarlyAffectedIssues']; }) - setInfoState(transform.fillMoreInformation(runIssues, runIssuesArr,subCategoryMap, moreInfoSections)) + setInfoState(transform.fillMoreInformation(subCategoryMap[runIssues?.id?.testSubCategory],moreInfoSections, runIssuesArr)) } else { setIssueDetails(...[{}]); } diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/transform.js b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/transform.js index b0e7a4c866..b5e45e78e9 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/transform.js +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/transform.js 
@@ -99,17 +99,32 @@ function checkTestFailure(summaryState, testRunState){ return false; } +function getCweLink(item){ + let linkUrl = "" + let cwe = item.split("-") + if(cwe[1]){ + linkUrl = `https://cwe.mitre.org/data/definitions/${cwe[1]}.html` + } + return linkUrl; +} + +function getCveLink(item){ + return `https://nvd.nist.gov/vuln/detail/${item}` +} + const transform = { - tagList : (list, cweLink) => { + tagList : (list, linkType) => { let ret = list?.map((tag, index) => { let linkUrl = "" - if(cweLink){ - let cwe = tag.split("-") - if(cwe[1]){ - linkUrl = `https://cwe.mitre.org/data/definitions/${cwe[1]}.html` - } + switch(linkType){ + case "CWE": + linkUrl = getCweLink(tag) + break; + case "CVE": + linkUrl = getCveLink(tag) + break; } return ( @@ -214,6 +229,8 @@ const transform = { obj['nextUrl'] = "/dashboard/testing/"+ hexId + "/result/" + data.hexId; obj['cwe'] = subCategoryMap[data.testSubType]?.cwe ? subCategoryMap[data.testSubType]?.cwe : [] obj['cweDisplay'] = minimizeTagList(obj['cwe']) + obj['cve'] = subCategoryMap[data.testSubType]?.cve ? subCategoryMap[data.testSubType]?.cve : [] + obj['cveDisplay'] = minimizeTagList(obj['cve']) return obj; }, prepareTestRunResults : (hexId, testingRunResults, subCategoryMap, subCategoryFromSourceConfigMap) => { 
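Review bot: `getCveLink` interpolates the tag straight into `https://nvd.nist.gov/vuln/detail/${item}` with no format check, while `getCweLink` at least requires a second `-` segment; since `cwe`/`cve` values come from test templates that are editable in the dashboard's YAML editor (the editor's keyword list gains `cve` later in this patch), a malformed or crafted entry becomes an arbitrary path or query (`?`, `#`, `..`) on the NVD link. Mirror the CWE behaviour and return an empty link for anything that is not an ID: `return /^CVE-\d{4}-\d{4,}$/i.test(item) ? "https://nvd.nist.gov/vuln/detail/" + item : ""`. `getCweLink` could likewise check that `cwe[1]` is all digits (`/^\d+$/.test(cwe[1])`) rather than merely truthy.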
@@ -256,58 +273,140 @@ const transform = { } return [] }, - fillMoreInformation(runIssues, runIssuesArr, subCategoryMap, moreInfoSections){ - moreInfoSections[0].content = ( - - {subCategoryMap[runIssues.id?.testSubCategory]?.issueImpact || "No impact found"} - - ) - moreInfoSections[1].content = ( - - { - transform.tagList(subCategoryMap[runIssues.id.testSubCategory]?.issueTags) + + replaceTags(details, vulnerableRequests) { + let percentageMatch = 0; + vulnerableRequests?.forEach((request) => { + let testRun = request['testResults'] + testRun?.forEach((runResult) => { + if (percentageMatch < runResult.percentageMatch) { + percentageMatch = runResult.percentageMatch + } + }) + }) + return details.replace(/{{percentageMatch}}/g, func.prettifyShort(percentageMatch)) + }, + + fillMoreInformation(category, moreInfoSections, affectedEndpoints) { + + let filledSection = [] + moreInfoSections.forEach((section) => { + let sectionLocal = {} + sectionLocal.icon = section.icon + sectionLocal.title = section.title + switch (section.title) { + case "Description": + + if(category?.issueDetails == null || category?.issueDetails == undefined){ + return; + } + + sectionLocal.content = ( + + {transform.replaceTags(category?.issueDetails, category?.vulnerableTestingRunResults) || "No impact found"} + + ) + break; + case "Impact": + + if(category?.issueImpact == null || category?.issueImpact == undefined){ + return; } - - ) - moreInfoSections[2].content = ( - - { - transform.tagList(subCategoryMap[runIssues.id.testSubCategory]?.cwe, true) + + sectionLocal.content = ( + + {category?.issueImpact || "No impact found"} + + ) + break; + case "Tags": + if (category?.issueTags == null || category?.issueTags == undefined || category?.issueTags.length == 0) { + return; } - - ) - moreInfoSections[4].content = ( - - { - subCategoryMap[runIssues.id?.testSubCategory]?.references?.map((reference) => { - return ( - - - - {reference} - - - - ) - }) + + sectionLocal.content = ( + + { + 
transform.tagList(category?.issueTags) + } + + ) + + break; + case "CWE": + if (category?.cwe == null || category?.cwe == undefined || category?.cwe.length == 0) { + return; } - - ) - moreInfoSections[3].content = ( - - { - runIssuesArr?.map((item, index) => { - return ( - - - {item.id.apiInfoKey.method} {item.id.apiInfoKey.url} - - ) - }) - } - - ) - return moreInfoSections; + sectionLocal.content = ( + + { + transform.tagList(category?.cwe, "CWE") + } + + ) + break; + case "CVE": + if (category?.cve == null || category?.cve == undefined || category?.cve.length == 0) { + return; + } + sectionLocal.content = ( + + { + transform.tagList(category?.cve, "CVE") + } + + ) + break; + case "References": + + if (category?.references == null || category?.references == undefined || category?.references.length == 0) { + return; + } + + sectionLocal.content = ( + + { + category?.references?.map((reference) => { + return ( + + + + {reference} + + + + ) + }) + } + + ) + break; + case "API endpoints affected": + + if (affectedEndpoints == null || affectedEndpoints == undefined || affectedEndpoints.length == 0) { + return; + } + + sectionLocal.content = ( + + { + affectedEndpoints?.map((item, index) => { + return ( + + + {item.id.apiInfoKey.method} {item.id.apiInfoKey.url} + + ) + }) + } + + ) + break; + } + filledSection.push(sectionLocal) + }) + + return filledSection; }, filterContainsConditions(conditions, operator) { //operator is string as 'OR' or 'AND' diff --git a/apps/dashboard/web/src/apps/dashboard/tools/TextEditor.vue b/apps/dashboard/web/src/apps/dashboard/tools/TextEditor.vue index 83927bf7c4..4931f4b7a0 100644 --- a/apps/dashboard/web/src/apps/dashboard/tools/TextEditor.vue +++ b/apps/dashboard/web/src/apps/dashboard/tools/TextEditor.vue 
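Review bot: The "References" case renders each template-supplied `reference` string as a link target without checking its scheme; references, like the `cwe`/`cve` lists, originate from user-editable YAML templates, so a `javascript:` or `data:` entry would be rendered as a clickable link in the results page (the link element itself is lost in this rendering of the hunk, so confirm how `reference` is bound before relying on the component to reject it). Filter before rendering, e.g. `category.references.filter((r) => /^https?:\/\//i.test(r))`. Separately, every guard of the form `x == null || x == undefined` is redundant because `x == null` already covers `undefined`, and the "Description" fallback text `"No impact found"` reads as a copy of the "Impact" case — `"No description found"` would be clearer.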
@@ -330,7 +330,7 @@ export default { "api_selection_filters", "execute", "type", "auth", "validate", "authenticated", "private_variable_context", "param_context", "endpoint_in_traffic_context", "sample_request_payload", "sample_response_payload", "sample_request_headers", "sample_response_headers", - "test_request_payload", "test_response_payload", "test_request_headers", "test_response_headers", "cwe" + "test_request_payload", "test_response_payload", "test_request_headers", "test_response_headers", "cwe", "cve" ], textEditor: null, testCategories: [], diff --git a/apps/dashboard/web/src/apps/dashboard/views/testing/components/PDFExportHTML.vue b/apps/dashboard/web/src/apps/dashboard/views/testing/components/PDFExportHTML.vue index 50bc1f3edb..89363d47f8 100644 --- a/apps/dashboard/web/src/apps/dashboard/views/testing/components/PDFExportHTML.vue +++ b/apps/dashboard/web/src/apps/dashboard/views/testing/components/PDFExportHTML.vue @@ -76,6 +76,20 @@ + + + CVE + + + + {{ chipItem }} + + + diff --git a/apps/dashboard/web/src/apps/dashboard/views/testing/components/TestResultsDialog.vue b/apps/dashboard/web/src/apps/dashboard/views/testing/components/TestResultsDialog.vue index 36fe681636..1d0f401f01 100644 --- a/apps/dashboard/web/src/apps/dashboard/views/testing/components/TestResultsDialog.vue +++ b/apps/dashboard/web/src/apps/dashboard/views/testing/components/TestResultsDialog.vue @@ -40,7 +40,13 @@ + @@ -190,14 +196,21 @@ export default { return highlightPaths }, - goToCwePage(item){ + getCweLink(item){ let cwe = item.split("-") if(cwe[1]){ cwe = cwe[1] } else { - return; + return ""; } - return window.open(`https://cwe.mitre.org/data/definitions/${cwe}.html`, "_blank") + return `https://cwe.mitre.org/data/definitions/${cwe}.html` + }, + getCveLink(item){ + console.log(item); + return `https://nvd.nist.gov/vuln/detail/${item}` + }, + goToPage(link){ + return window.open(link, "_blank") } }, watch: { 
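Review bot: In the TestResultsDialog.vue hunk, `getCveLink` leaves a `console.log(item)` behind and `goToPage` opens the link with `window.open(link, "_blank")` and no window features, which hands the opened page an `opener` reference; both link builders fix the host, but the path is template-controlled, and `window.open` (unlike an anchor with `target=_blank`) does not imply `noopener`. Drop the log statement and use `window.open(link, "_blank", "noopener,noreferrer")`. `getCweLink` now returns `""` for a malformed ID, so `goToPage` should also bail on an empty link instead of opening a blank tab: `if (!link) return;`.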
diff --git a/libs/dao/src/main/java/com/akto/dto/test_editor/Info.java b/libs/dao/src/main/java/com/akto/dto/test_editor/Info.java index 974504a882..3ba78bc8f6 100644 --- a/libs/dao/src/main/java/com/akto/dto/test_editor/Info.java +++ b/libs/dao/src/main/java/com/akto/dto/test_editor/Info.java @@ -24,8 +24,10 @@ public class Info { private List cwe; + private List cve; + public Info(String name, String description, String details, String impact, Category category, String subCategory, - String severity, List tags, List references, List cwe) { + String severity, List tags, List references, List cwe, List cve) { this.name = name; this.description = description; this.details = details; @@ -36,6 +38,7 @@ public Info(String name, String description, String details, String impact, Cate this.tags = tags; this.references = references; this.cwe = cwe; + this.cve = cve; } public Info() { } @@ -120,4 +123,12 @@ public void setCwe(List cwe) { this.cwe = cwe; } + public List getCve() { + return cve; + } + + public void setCve(List cve) { + this.cve = cve; + } + } From 345f4c536ee817d401e0fa9a0692d8091bafef84 Mon Sep 17 00:00:00 2001 
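Review bot: The new `cve` field has no Javadoc and no validation, yet its values feed directly into dashboard links of the form `https://nvd.nist.gov/vuln/detail/<id>`; templates that omit the `cve:` key will also leave it `null`, which the JavaScript side guards against but Java callers of `getCve()` may not. Document the contract on the field, e.g. `/** CVE identifiers related to this test, e.g. "CVE-2023-0040"; null when the template omits the key. */`, and consider having `getCve()` return an empty list when unset so callers can iterate without a null check. The constructor gained a trailing `cve` parameter, so every existing caller must change in the same patch; the rest of this patch's diffstat is not in view, so confirm none are missed.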
From: arjun Date: Thu, 19 Oct 2023 23:28:38 +0530 Subject: [PATCH 07/14] CVEs added to templates --- .../inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/AddUserId.yaml | 2 ++ .../AirflowConfigurationExposure.yaml | 2 ++ .../inbuilt_test_yaml_files/AmazonDockerConfig.yaml | 2 ++ .../main/resources/inbuilt_test_yaml_files/ApacheConfig.yaml | 2 ++ .../main/resources/inbuilt_test_yaml_files/AppendXSS.yaml | 4 ++++ .../inbuilt_test_yaml_files/BOLAByChangingAuthToken.yaml | 2 ++ .../src/main/resources/inbuilt_test_yaml_files/BasicXSS.yaml | 3 +++ .../inbuilt_test_yaml_files/BypassCaptchaRemovingCookie.yaml | 3 +++ .../inbuilt_test_yaml_files/BypassCaptchaUsingHeader.yaml | 3 +++ .../CORSMisconfigurationInvalidOrigin.yaml | 3 +++ .../CORSMisconfigurationWhitelistOrigin.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/CSRFLoginAttack.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/CgiPrintEnv.yaml | 2 ++ .../CommandInjectionByAddingQueryParams.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/ConfigJson.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/ConfigRuby.yaml | 2 ++ .../inbuilt_test_yaml_files/ConfigurationListing.yaml | 3 +++ .../inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml | 3 +++ .../inbuilt_test_yaml_files/CookieMisconfiguration.yaml | 3 +++ .../inbuilt_test_yaml_files/DefaultLoginCredentials.yml | 3 +++ .../DescriptiveErrorMessageInvalidPayloads.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml | 2 ++ .../inbuilt_test_yaml_files/DockerComposeConfig.yaml | 2 ++ .../inbuilt_test_yaml_files/FetchSensitiveFilesViaSSRF.yaml | 2 ++ .../inbuilt_test_yaml_files/FirebaseConfigExposure.yaml | 3 +++ .../inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml | 3 +++ .../inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml | 2 ++ .../inbuilt_test_yaml_files/FtpCredentialsExposure.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/GitConfig.yaml | 2 ++ 
.../inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml | 3 +++ .../inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml | 2 ++ .../inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml | 3 +++ .../GraphqlDevelopmentConsoleExposed.yaml | 2 ++ .../GraphqlFieldSuggestionEnabled.yaml | 2 ++ .../inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml | 2 ++ .../GraphqlTypeIntrospectionAllowed.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/HeadMethodTest.yaml | 2 ++ .../inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml | 4 +++- .../inbuilt_test_yaml_files/HttpResponseSplitting.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/InvalidFileInput.yaml | 2 ++ .../main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml | 2 ++ .../inbuilt_test_yaml_files/JwtInvalidSignature.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml | 5 ++++- .../inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml | 3 +++ .../KubernetesKustomizationDisclosure.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/LFIInParameter.yaml | 2 ++ .../main/resources/inbuilt_test_yaml_files/LFIInPath.yaml | 2 ++ .../inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml | 2 ++ .../main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml | 2 ++ .../inbuilt_test_yaml_files/MassAssignmentChangeAccount.yaml | 3 +++ .../inbuilt_test_yaml_files/MassAssignmentChangeAdmin.yaml | 3 +++ .../inbuilt_test_yaml_files/MassAssignmentChangeRole.yaml | 3 +++ .../MassAssignmentCreateAdminUser.yaml | 3 +++ .../inbuilt_test_yaml_files/MisconfiguredDocker.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/MsmtpConfig.yaml | 2 ++ .../inbuilt_test_yaml_files/MustContainResponseHeaders.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/NginxConfig.yaml | 3 +++ .../inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml | 2 ++ .../inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml | 2 ++ 
.../inbuilt_test_yaml_files/NginxStatusVisible.yaml | 3 +++ .../src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/OldApiVersion.yaml | 2 ++ .../main/resources/inbuilt_test_yaml_files/OpenRedirect.yaml | 3 +++ .../OpenRedirectHostHeaderInjection.yaml | 3 +++ .../inbuilt_test_yaml_files/OpenRedirectInPath.yaml | 2 ++ .../OpenRedirectSubdomainWhitelist.yaml | 2 ++ .../inbuilt_test_yaml_files/OracleEbsCredentials.yaml | 3 +++ .../src/main/resources/inbuilt_test_yaml_files/PageDos.yaml | 3 +++ .../inbuilt_test_yaml_files/ParameterPollution.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/ParametersConfig.yaml | 4 +++- .../inbuilt_test_yaml_files/PortScanningViaSSRF.yaml | 3 +++ .../inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml | 2 ++ .../inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/RandomMethodTest.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/RedisConfig.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/RemoveCSRF.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml | 2 ++ .../main/resources/inbuilt_test_yaml_files/ReplaceCSRF.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml | 3 +++ .../inbuilt_test_yaml_files/RobomongoCredential.yaml | 3 +++ .../SSRFOnAWSMetaEndpointAbusingEnclosedAlphanumerics.yaml | 3 +++ .../inbuilt_test_yaml_files/SSRFOnAwsMetaEndpoint.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/SSRFOnCSVUpload.yaml | 2 ++ .../main/resources/inbuilt_test_yaml_files/SSRFOnFiles.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/SSRFOnImageUpload.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/SSRFOnLocalhost.yaml | 2 ++ .../inbuilt_test_yaml_files/SSRFOnLocalhostDNSPinning.yaml | 2 ++ .../inbuilt_test_yaml_files/SSRFOnLocalhostEncoded.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/SSRFOnPDFUpload.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/SSRFOnXMLUpload.yaml | 2 ++ 
.../inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/ServerPrivateKeys.yaml | 3 +++ .../inbuilt_test_yaml_files/ServerVersionExposedInvalid.yaml | 2 ++ .../inbuilt_test_yaml_files/ServerVersionExposedValid.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/SessionFixation.yaml | 3 +++ .../inbuilt_test_yaml_files/SftpConfigExposure.yaml | 2 ++ .../inbuilt_test_yaml_files/SonarqubePublicProjects.yaml | 2 ++ .../SpringBootBeansActuatorExposed.yaml | 3 +++ .../SpringBootConfigPropsActuatorExposed.yaml | 3 +++ .../SpringBootEnvActuatorExposed.yaml | 3 +++ .../SpringBootHttpTraceActuatorExposed.yaml | 3 +++ .../SpringBootThreadDumpActuatorExposed.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/SshKnownHosts.yaml | 2 ++ .../inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/TraceMethodTest.yaml | 3 +++ .../resources/inbuilt_test_yaml_files/TrackMethodTest.yaml | 2 ++ .../inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml | 3 +++ .../inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml | 4 ++++ .../resources/inbuilt_test_yaml_files/WpconfigAwsKeys.yaml | 3 +++ .../main/resources/inbuilt_test_yaml_files/XSSInPath.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/XSSViaFilename.yaml | 3 +++ 116 files changed, 298 insertions(+), 3 deletions(-) diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml index d341aea33a..56b0339ab7 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml 
@@ -24,6 +24,9 @@ info: - CWE-93 - CWE-74 - CWE-20 + cve: + - CVE-2020-15693 + - CVE-2023-0040 api_selection_filters: query_param: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AddUserId.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AddUserId.yaml index 9183922eb9..f03515a02a 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AddUserId.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AddUserId.yaml @@ -28,6 +28,8 @@ info: - CWE-639 - CWE-284 - CWE-285 + cve: + - CVE-2022-34621 auth: authenticated: true diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AirflowConfigurationExposure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AirflowConfigurationExposure.yaml index a62fd6c5d1..f9564ce42e 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AirflowConfigurationExposure.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AirflowConfigurationExposure.yaml @@ -18,6 +18,8 @@ info: cwe: - CWE-200 - CWE-213 + cve: + - CVE-2023-35005 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AmazonDockerConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AmazonDockerConfig.yaml index e97a30c606..6a130f5efd 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AmazonDockerConfig.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AmazonDockerConfig.yaml @@ -16,6 +16,8 @@ info: cwe: - CWE-200 - CWE-213 + cve: + - CVE-2020-14329 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ApacheConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ApacheConfig.yaml index e8e1b29a88..db17034c57 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ApacheConfig.yaml 
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ApacheConfig.yaml @@ -16,6 +16,8 @@ info: cwe: - CWE-200 - CWE-213 + cve: + - CVE-2018-10245 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AppendXSS.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AppendXSS.yaml index 7439d816fa..1610595208 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AppendXSS.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AppendXSS.yaml @@ -21,6 +21,10 @@ info: - "https://hackerone.com/reports/840759" cwe: - CWE-79 + cve: + - CVE-2015-1159 + - CVE-2023-24737 + - CVE-2020-25495 api_selection_filters: method: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BOLAByChangingAuthToken.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BOLAByChangingAuthToken.yaml index 0fdddbb559..1e54705636 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BOLAByChangingAuthToken.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BOLAByChangingAuthToken.yaml @@ -32,6 +32,8 @@ info: - CWE-284 - CWE-285 - CWE-639 + cve: + - CVE-2023-39349 auth: authenticated: true diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BasicXSS.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BasicXSS.yaml index 88e676c2fb..48320b3373 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BasicXSS.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BasicXSS.yaml @@ -20,6 +20,9 @@ info: - "https://owasp.org/www-community/attacks/xss/" cwe: - CWE-79 + cve: + - CVE-2022-34196 + - CVE-2023-44764 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BypassCaptchaRemovingCookie.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BypassCaptchaRemovingCookie.yaml index fc9e74388a..f78b3ab81b 100644 
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BypassCaptchaRemovingCookie.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BypassCaptchaRemovingCookie.yaml @@ -19,6 +19,9 @@ info: references: cwe: - CWE-307 + cve: + - CVE-2023-0085 + - CVE-2021-37417 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BypassCaptchaUsingHeader.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BypassCaptchaUsingHeader.yaml index 1cd5c54eb8..b1941989a8 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BypassCaptchaUsingHeader.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/BypassCaptchaUsingHeader.yaml @@ -20,6 +20,9 @@ info: - "https://hackerone.com/reports/210417" cwe: - CWE-287 + cve: + - CVE-2022-39955 + - CVE-2023-0085 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationInvalidOrigin.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationInvalidOrigin.yaml index 0523a9f4a1..2377296956 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationInvalidOrigin.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationInvalidOrigin.yaml @@ -24,6 +24,9 @@ info: - "https://crashtest-security.com/cors-misconfiguration/" cwe: - CWE-16 + cve: + - CVE-2021-27786 + - CVE-2021-26991 auth: authenticated: true diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationWhitelistOrigin.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationWhitelistOrigin.yaml index b4af904478..02cb20967e 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationWhitelistOrigin.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationWhitelistOrigin.yaml 
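Review bot: `CVE-2023-0085` is listed for both BypassCaptchaRemovingCookie and BypassCaptchaUsingHeader, and other hunks in this patch reuse IDs across templates in the same way (`CVE-2021-27786` for both CORS templates, `CVE-2023-35005` for Airflow and ConfigJson), which suggests the `cve` field holds related example CVEs rather than the CVE the test actually detects. Since the dashboard renders these as NVD links next to each finding, a reader will take them as the finding's CVE, although a CVE names a specific product/version bug that a generic behavioural test cannot assert without fingerprinting the product. Either restrict each list to CVEs whose root cause matches the individual test, or make the semantics explicit in the template documentation with a note such as `# cve: public CVEs that illustrate this weakness class, not a CVE confirmed on the tested target`.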
@@ -23,6 +23,8 @@ info: - "https://crashtest-security.com/cors-misconfiguration/" cwe: - CWE-16 + cve: + - CVE-2021-27786 auth: authenticated: true diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CSRFLoginAttack.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CSRFLoginAttack.yaml index 838cdba9a1..255c020849 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CSRFLoginAttack.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CSRFLoginAttack.yaml @@ -23,6 +23,9 @@ info: - "https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/cross-site-request-forgery-in-login-form-invicti/" cwe: - CWE-352 + cve: + - CVE-2023-33212 + - CVE-2023-42270 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CgiPrintEnv.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CgiPrintEnv.yaml index 5841473a47..7e3121ed54 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CgiPrintEnv.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CgiPrintEnv.yaml @@ -15,6 +15,8 @@ info: - https://www.acunetix.com/vulnerabilities/web/test-cgi-script-leaking-environment-variables/ cwe: - CWE-16 + cve: + - CVE-2023-22897 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CommandInjectionByAddingQueryParams.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CommandInjectionByAddingQueryParams.yaml index 7cb93b2f8a..d3f2fcdf30 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CommandInjectionByAddingQueryParams.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CommandInjectionByAddingQueryParams.yaml @@ -21,6 +21,9 @@ info: - "https://twitter.com/trbughunters/status/1283133356922884096" cwe: - CWE-77 + cve: + - CVE-2023-25826 + - CVE-2023-41031 api_selection_filters: response_code: 
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigJson.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigJson.yaml index 527776a077..2894021caf 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigJson.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigJson.yaml @@ -16,6 +16,9 @@ info: cwe: - CWE-200 - CWE-213 + cve: + - CVE-2021-31567 + - CVE-2023-35005 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigRuby.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigRuby.yaml index 0bfdacac6f..aba7d85308 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigRuby.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigRuby.yaml @@ -16,6 +16,8 @@ info: - https://www.acunetix.com/vulnerabilities/web/ruby-on-rails-database-configuration-file/ cwe: - CWE-538 + cve: + - CVE-2019-5418 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigurationListing.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigurationListing.yaml index 97368833f3..09e15f96f3 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigurationListing.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigurationListing.yaml @@ -15,6 +15,9 @@ info: - https://www.exploit-db.com/ghdb/7014 cwe: - CWE-16 + cve: + - CVE-2021-1126 + - CVE-2021-33214 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml index 8c2d1ead21..fd41930845 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml 
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml @@ -28,6 +28,9 @@ info: - "https://cwe.mitre.org/data/definitions/639.html" cwe: - CWE-16 + cve: + - CVE-2023-38199 + - CVE-2023-26130 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CookieMisconfiguration.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CookieMisconfiguration.yaml index f2ad85ba3b..0c6e5f174f 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CookieMisconfiguration.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CookieMisconfiguration.yaml @@ -19,6 +19,9 @@ info: - "https://hackerone.com/reports/58679" cwe: - CWE-16 + cve: + - CVE-2023-4654 + - CVE-2023-28708 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DefaultLoginCredentials.yml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DefaultLoginCredentials.yml index 1c540f58c9..a75a9a6f60 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DefaultLoginCredentials.yml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DefaultLoginCredentials.yml @@ -25,6 +25,9 @@ info: - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/" cwe: - CWE-1392 + cve: + - CVE-2023-41878 + - CVE-2023-37755 wordLists: usernames: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DescriptiveErrorMessageInvalidPayloads.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DescriptiveErrorMessageInvalidPayloads.yaml index c351fcf86a..f064b69244 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DescriptiveErrorMessageInvalidPayloads.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DescriptiveErrorMessageInvalidPayloads.yaml 
@@ -20,6 +20,9 @@ info:
 - "https://owasp.org/www-community/Improper_Error_Handling"
 cwe:
 - CWE-209
+ cve:
+ - CVE-2020-11883
+ - CVE-2020-15652
 api_selection_filters:
 method:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml
index a26d73a629..db5a84fd34 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml
@@ -24,6 +24,8 @@ info:
 - "https://hackerone.com/reports/1033423"
 cwe:
 - CWE-16
+ cve:
+ - CVE-2017-12794
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerComposeConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerComposeConfig.yaml
index 65b6619475..7afe668612 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerComposeConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerComposeConfig.yaml
@@ -16,6 +16,8 @@ info:
 - https://secapps.com/vulndb/docker-compose-exposure
 cwe:
 - CWE-16
+ cve:
+ - CVE-2023-37273
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FetchSensitiveFilesViaSSRF.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FetchSensitiveFilesViaSSRF.yaml
index 5d18935634..d5499069c8 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FetchSensitiveFilesViaSSRF.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FetchSensitiveFilesViaSSRF.yaml
@@ -26,6 +26,8 @@ info:
 - "https://www.cobalt.io/blog/from-ssrf-to-port-scanner"
 cwe:
 - CWE-918
+ cve:
+ - CVE-2023-27163
 api_selection_filters:
 or:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseConfigExposure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseConfigExposure.yaml
index 75da4d9732..bcaa80650b 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseConfigExposure.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseConfigExposure.yaml
@@ -15,6 +15,9 @@ info:
 - https://github.com/firebase/firebaseui-web/blob/master/demo/public/sample-config.js
 cwe:
 - CWE-16
+ cve:
+ - CVE-2020-7765
+ - CVE-2021-46743
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml
index c2a540d5b6..fbf37552bb 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml
@@ -20,6 +20,9 @@ info:
 - "http://ghostlulz.com/google-exposed-firebase-database/"
 cwe:
 - CWE-16
+ cve:
+ - CVE-2020-7765
+ - CVE-2021-46743
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml
index 5fce26995e..285d58af44 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml
@@ -28,6 +28,8 @@ info:
 - "http://ghostlulz.com/flask-rce-debug-mode/"
 cwe:
 - CWE-16
+ cve:
+ - CVE-2015-5306
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FtpCredentialsExposure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FtpCredentialsExposure.yaml
index 73064deab1..e114f36aa9 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FtpCredentialsExposure.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FtpCredentialsExposure.yaml
@@ -16,6 +16,9 @@ info:
 cwe:
 - CWE-200
 - CWE-213
+ cve:
+ - CVE-2023-2061
+ - CVE-2018-18371
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfig.yaml
index 4152bf4a6a..96643281e7 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfig.yaml
@@ -15,6 +15,8 @@ info:
 - https://pentester.land/blog/source-code-disclosure-via-exposed-git-folder/
 cwe:
 - CWE-16
+ cve:
+ - CVE-2023-29007
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml
index 009dc2e5e4..ef332fd62a 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml
@@ -17,6 +17,9 @@ info:
 - https://github.com/PortSwigger/nginx-alias-traversal/blob/master/off-by-slash.py
 cwe:
 - CWE-16
+ cve:
+ - CVE-2021-23017
+
 api_selection_filters:
 response_code:
 gte: 200
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml
index b187ec1acd..6fd0257c98 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml
@@ -16,6 +16,8 @@ info:
 cwe:
 - CWE-200
 - CWE-213
+ cve:
+ - CVE-2020-5260
 api_selection_filters:
 response_code:
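Review bot: The GitConfigNginxoffbyslash hunk adds a whitespace-only `+` line after `- CVE-2021-23017`, which the other templates in this commit do not do; the same stray blank added line appears in KernelOpenCommandInjection, NginxConfig, SSRFOnAWSMetaEndpointAbusingEnclosedAlphanumerics and SSRFOnFiles. Dropping that empty line in each of those hunks keeps the `info` block ending uniformly at `api_selection_filters:` and avoids trailing-whitespace noise in future diffs of these files.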
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml
index 02448faaf4..5b631299d6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml
@@ -15,6 +15,9 @@ info:
 - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/github-workflows-disclosure.json
 cwe:
 - CWE-16
+ cve:
+ - CVE-2023-34111
+ - CVE-2022-46258
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDevelopmentConsoleExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDevelopmentConsoleExposed.yaml
index 26b8b49476..984608c6f9 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDevelopmentConsoleExposed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDevelopmentConsoleExposed.yaml
@@ -27,6 +27,8 @@ info:
 - "https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities"
 cwe:
 - CWE-16
+ cve:
+ - CVE-2021-41248
 api_selection_filters:
 url:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlFieldSuggestionEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlFieldSuggestionEnabled.yaml
index 6ffd3c989e..133d47d974 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlFieldSuggestionEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlFieldSuggestionEnabled.yaml
@@ -24,6 +24,8 @@ info:
 - "https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities"
 cwe:
 - CWE-16
+ cve:
+ - CVE-2023-5192
 api_selection_filters:
 url:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml
index 1c898e5949..b7a980263e 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml
@@ -26,6 +26,8 @@ info:
 - "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/"
 cwe:
 - CWE-16
+ cve:
+ - CVE-2023-5192
 api_selection_filters:
 url:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlTypeIntrospectionAllowed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlTypeIntrospectionAllowed.yaml
index 2d2b25cd11..f16f568795 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlTypeIntrospectionAllowed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlTypeIntrospectionAllowed.yaml
@@ -25,6 +25,8 @@ info:
 - "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/"
 cwe:
 - CWE-16
+ cve:
+ - CVE-2021-41248
 api_selection_filters:
 url:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeadMethodTest.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeadMethodTest.yaml
index 624f37b9f5..edbec8cbcd 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeadMethodTest.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeadMethodTest.yaml
@@ -35,6 +35,8 @@ info:
 - "https://cwe.mitre.org/data/definitions/639.html"
 cwe:
 - CWE-16
+ cve:
+ - CVE-2022-45956
 auth:
 authenticated: true
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml
index b47a79b64f..7b9d5d51e0 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml
@@ -19,7 +19,9 @@ info:
 references:
 - "https://hackerone.com/reports/792998"
 cwe:
- - "CWE-16"
+ - CWE-16
+ cve:
+ - CVE-2022-37724
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HttpResponseSplitting.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HttpResponseSplitting.yaml
index 7179d16c99..1f452600ae 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HttpResponseSplitting.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HttpResponseSplitting.yaml
@@ -21,6 +21,8 @@ info:
 - "https://www.invicti.com/blog/web-security/crlf-http-header/"
 cwe:
 - CWE-93
+ cve:
+ - CVE-2023-41834
 api_selection_filters:
 query_param:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/InvalidFileInput.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/InvalidFileInput.yaml
index 1809512235..479c8a77ef 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/InvalidFileInput.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/InvalidFileInput.yaml
@@ -27,6 +27,8 @@ info:
 cwe:
 - CWE-728
 - CWE-388
+ cve:
+ - CVE-2020-10097
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml
index d09a252e30..ab37b27a90 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml
@@ -29,6 +29,8 @@ info:
 - "https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection"
 cwe:
 - CWE-287
+ cve:
+ - CVE-2018-0114
 auth:
 authenticated: true
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtInvalidSignature.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtInvalidSignature.yaml
index 97923cb9aa..dfdccf89c0 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtInvalidSignature.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtInvalidSignature.yaml
@@ -27,6 +27,9 @@ info:
 - "https://portswigger.net/kb/issues/00200900_jwt-signature-not-verified#:~:text=Description%3A%20JWT%20signature%20not%20verified&text=However%2C%20some%20servers%20fail%20to,privileges%20or%20impersonate%20other%20users."
 cwe:
 - CWE-287
+ cve:
+ - CVE-2022-25898
+ - CVE-2021-29455
 auth:
 authenticated: true
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml
index 43825f03df..ac10724845 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml
@@ -25,7 +25,10 @@ info:
 - "https://redhuntlabs.com/a-practical-guide-to-attack-jwt-json-web-token"
 - "https://portswigger.net/kb/issues/00200901_jwt-none-algorithm-supported"
 cwe:
- - CWE-287
+ - CWE-287
+ cve:
+ - CVE-2022-23540
+ - CVE-2015-9235
 auth:
 authenticated: true
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml
index a33484aedb..9c749b3512 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml
@@ -19,6 +19,9 @@ info:
 - HackerOne top 10
 cwe:
 - CWE-77
+ cve:
+ - CVE-2021-31799
+
 api_selection_filters:
 or:
 - request_payload:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KubernetesKustomizationDisclosure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KubernetesKustomizationDisclosure.yaml
index bb2d366cb6..7be9ec26b0 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KubernetesKustomizationDisclosure.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KubernetesKustomizationDisclosure.yaml
@@ -15,6 +15,8 @@ info:
 - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/kubernetes-kustomization-disclosure.json
 cwe:
 - CWE-16
+ cve:
+ - CVE-2021-41254
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml
index 2e238bce01..507ec4b97c 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml
@@ -21,6 +21,9 @@ info:
 - "https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt"
 cwe:
 - CWE-98
+ cve:
+ - CVE-2021-39433
+ - CVE-2023-22973
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInParameter.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInParameter.yaml
index 7c932fbd02..22e10a4bcf 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInParameter.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInParameter.yaml
@@ -21,6 +21,8 @@ info:
 - "https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt"
 cwe:
 - CWE-98
+ cve:
+ - CVE-2022-29597
 api_selection_filters:
 or:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInPath.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInPath.yaml
index 1661bd0039..30d54cc9d0 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInPath.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInPath.yaml
@@ -21,6 +21,8 @@ info:
 - "https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt"
 cwe:
 - CWE-98
+ cve:
+ - CVE-2023-2453
 api_selection_filters:
 url:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml
index 221b353a7b..f20c4bbdf0 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml
@@ -28,6 +28,8 @@ info:
 - "https://laravel.com/docs/10.x/deployment#debug-mode"
 cwe:
 - CWE-16
+ cve:
+ - CVE-2021-3129
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml
index 665fe3a58f..d855a79880 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml
@@ -16,6 +16,8 @@ info:
 - https://stackoverflow.com/questions/38331397/how-to-protect-env-file-in-laravel
 cwe:
 - CWE-16
+ cve:
+ - CVE-2017-16894
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeAccount.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeAccount.yaml
index 7541168d48..b541f076e7 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeAccount.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeAccount.yaml
@@ -26,6 +26,9 @@ info:
 - "https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md"
 cwe:
 - CWE-915
+ cve:
+ - CVE-2023-32079
+ - CVE-2023-42768
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeAdmin.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeAdmin.yaml
index 9045ed126c..9e5dc000b8 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeAdmin.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeAdmin.yaml
@@ -26,6 +26,9 @@ info:
 - "https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md"
 cwe:
 - CWE-915
+ cve:
+ - CVE-2023-32079
+ - CVE-2023-42768
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeRole.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeRole.yaml
index 6f472c8de5..f1e89a23e6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeRole.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentChangeRole.yaml
@@ -26,6 +26,9 @@ info:
 - "https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md"
 cwe:
 - CWE-915
+ cve:
+ - CVE-2023-32079
+ - CVE-2023-42768
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentCreateAdminUser.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentCreateAdminUser.yaml
index 4fd3cd087a..7e4a7aa39e 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentCreateAdminUser.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MassAssignmentCreateAdminUser.yaml
@@ -26,6 +26,9 @@ info:
 - "https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md"
 cwe:
 - CWE-915
+ cve:
+ - CVE-2023-32079
+ - CVE-2023-42768
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MisconfiguredDocker.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MisconfiguredDocker.yaml
index 3ae8094931..a2923bb09a 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MisconfiguredDocker.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MisconfiguredDocker.yaml
@@ -15,6 +15,9 @@ info:
 - https://madhuakula.com/content/attacking-and-auditing-docker-containers-using-opensource/attacking-docker-containers/misconfiguration.html
 cwe:
 - CWE-16
+ cve:
+ - CVE-2021-41092
+ - CVE-2023-5165
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MsmtpConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MsmtpConfig.yaml
index 257630d297..c429f5a5b9 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MsmtpConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MsmtpConfig.yaml
@@ -15,6 +15,8 @@ info:
 - https://wiki.archlinux.org/title/Msmtp
 cwe:
 - CWE-16
+ cve:
+ - CVE-2019-8337
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MustContainResponseHeaders.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MustContainResponseHeaders.yaml
index 381a852ce5..18ed0054fa 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MustContainResponseHeaders.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MustContainResponseHeaders.yaml
@@ -27,6 +27,9 @@ info:
 - "https://www.invicti.com/white-papers/whitepaper-http-security-headers"
 cwe:
 - CWE-16
+ cve:
+ - CVE-2022-41915
+ - CVE-2022-37436
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxConfig.yaml
index da91b0e985..e21dcd1a12 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxConfig.yaml
@@ -15,6 +15,9 @@ info:
 - https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/nginx
 cwe:
 - CWE-16
+ cve:
+ - CVE-2020-11959
+
 api_selection_filters:
 response_code:
 gte: 200
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml
index 2b8fa9dda7..eb77c5d518 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml
@@ -25,6 +25,8 @@ info:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 cwe:
 - CWE-16
+ cve:
+ - CVE-2013-0337
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml
index 091587cc83..5b74383440 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml
@@ -25,6 +25,8 @@ info:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 cwe:
 - CWE-16
+ cve:
+ - CVE-2017-7529
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxStatusVisible.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxStatusVisible.yaml
index d677bb3ef2..dd0fed34dd 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxStatusVisible.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxStatusVisible.yaml
@@ -21,6 +21,9 @@ info:
 - "https://www.acunetix.com/vulnerabilities/web/unrestricted-access-to-nginx-status-module/"
 cwe:
 - CWE-16
+ cve:
+ - CVE-2022-41741
+ - CVE-2019-20372
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml
index 75b42bb581..6113f17848 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml
@@ -25,6 +25,8 @@ info:
 - "https://cwe.mitre.org/data/definitions/798.html"
 cwe:
 - CWE-287
+ cve:
+ - CVE-2023-22501
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OldApiVersion.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OldApiVersion.yaml
index 80e32349ae..9ba59b1f5e 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OldApiVersion.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OldApiVersion.yaml
@@ -31,6 +31,8 @@ info:
 - "https://cwe.mitre.org/data/definitions/639.html"
 cwe:
 - CWE-937
+ cve:
+ - CVE-2022-31690
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirect.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirect.yaml
index 092a8e82a7..e1d4efb795 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirect.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirect.yaml
@@ -22,6 +22,9 @@ info:
 cwe:
 - CWE-601
 - CWE-610
+ cve:
+ - CVE-2023-45909
+ - CVE-2022-46683
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectHostHeaderInjection.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectHostHeaderInjection.yaml
index f12ffacdce..d4b8845069 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectHostHeaderInjection.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectHostHeaderInjection.yaml
@@ -23,6 +23,9 @@ info:
 cwe:
 - CWE-601
 - CWE-610
+ cve:
+ - CVE-2023-24044
+ - CVE-2022-23237
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectInPath.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectInPath.yaml
index a8ce69e654..8462021cc3 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectInPath.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectInPath.yaml
@@ -23,6 +23,8 @@ info:
 cwe:
 - CWE-601
 - CWE-610
+ cve:
+ - CVE-2021-28861
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectSubdomainWhitelist.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectSubdomainWhitelist.yaml
index 6d78794976..1b45b317e1 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectSubdomainWhitelist.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OpenRedirectSubdomainWhitelist.yaml
@@ -22,6 +22,8 @@ info:
 cwe:
 - CWE-601
 - CWE-610
+ cve:
+ - CVE-2021-21291
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OracleEbsCredentials.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OracleEbsCredentials.yaml
index 5e745731b6..2069d4b060 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OracleEbsCredentials.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OracleEbsCredentials.yaml
@@ -17,6 +17,9 @@ info:
 - http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf
 cwe:
 - CWE-16
+ cve:
+ - CVE-2023-21849
+ - CVE-2023-21847
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PageDos.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PageDos.yaml
index b8d2056f42..86bff2a6f8 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PageDos.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PageDos.yaml
@@ -18,6 +18,9 @@ info:
 - "https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md#scenario-2"
 cwe:
 - CWE-400
+ cve:
+ - CVE-2023-4647
+ - CVE-2023-38254
 api_selection_filters:
 query_param:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParameterPollution.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParameterPollution.yaml
index 3161cae808..cf54b230ad 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParameterPollution.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParameterPollution.yaml
@@ -26,6 +26,8 @@ info:
 cwe:
 - CWE-88
 - CWE-235
+ cve:
+ - CVE-2019-13143
 auth:
 authenticated: true
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParametersConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParametersConfig.yaml
index c4566038bd..e3ebe87fa6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParametersConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParametersConfig.yaml
@@ -14,7 +14,9 @@ info:
 references:
 - https://www.exploit-db.com/ghdb/5986
 cwe:
- - CWE-16
+ - CWE-16
+ cve:
+ - CVE-2015-4050
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PortScanningViaSSRF.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PortScanningViaSSRF.yaml
index 4ddb1c5089..306af484a2 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PortScanningViaSSRF.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PortScanningViaSSRF.yaml
@@ -26,6 +26,9 @@ info:
 - "https://www.cobalt.io/blog/from-ssrf-to-port-scanner"
 cwe:
 - CWE-918
+ cve:
+ - CVE-2023-26492
+ - CVE-2023-45152
 api_selection_filters:
 or:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml
index 02fd7cc3a4..75f5c58659 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml
@@ -28,6 +28,8 @@ info:
 - "https://beaglesecurity.com/blog/vulnerability/rails-debug-mode-enabled.html"
 cwe:
 - CWE-16
+ cve:
+ - CVE-2019-5420
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml
index 4ec1071c36..a41904b6ec 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml
@@ -26,6 +26,8 @@ info:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 cwe:
 - CWE-16
+ cve:
+ - CVE-2019-5418
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RandomMethodTest.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RandomMethodTest.yaml
index 2a8afab483..dac0785014 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RandomMethodTest.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RandomMethodTest.yaml
@@ -32,6 +32,9 @@ info:
 - "https://capec.mitre.org/data/definitions/274.html"
 cwe:
 - CWE-274
+ cve:
+ - CVE-2020-35239
+ - CVE-2018-19908
 auth:
 authenticated: true
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RedisConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RedisConfig.yaml
index 5868ac47a5..6a1f1f4622 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RedisConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RedisConfig.yaml
@@ -15,6 +15,9 @@ info:
 - https://redis.io/docs/manual/config/
 cwe:
 - CWE-16
+ cve:
+ - CVE-2023-36824
+ - CVE-2022-0543
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCSRF.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCSRF.yaml
index 97f9b57df2..a0ffdf40f6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCSRF.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCSRF.yaml
@@ -24,6 +24,9 @@ info:
 - "https://owasp.org/www-community/attacks/csrf"
 cwe:
 - CWE-352
+ cve:
+ - CVE-2023-41942
+ - CVE-2022-26180
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml
index 450327e5e5..183b24f433 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml
@@ -20,6 +20,8 @@ info:
 - "https://hackerone.com/reports/124173"
 cwe:
 - CWE-287
+ cve:
+ - CVE-2021-37417
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplaceCSRF.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplaceCSRF.yaml
index 2cd8ea832d..9c8319f5b6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplaceCSRF.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplaceCSRF.yaml
@@ -24,6 +24,9 @@ info:
 - "https://owasp.org/www-community/attacks/csrf"
 cwe:
 - CWE-352
+ cve:
+ - CVE-2023-27495
+ - CVE-2020-27379
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml
index f4afe86fe9..acdf9e7d5d 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml
@@ -19,6 +19,9 @@ info:
 - "https://hackerone.com/reports/223324"
 cwe:
 - CWE-287
+ cve:
+ - CVE-2021-29047
+ - CVE-2022-34983
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RobomongoCredential.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RobomongoCredential.yaml
index 3d955a989b..64167c378d 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RobomongoCredential.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RobomongoCredential.yaml
@@ -15,6 +15,9 @@ info: - https://web.cystack.net/vulnerability/cystack.remote.robomongo_cred_disclosure cwe: - CWE-16 + cve: + - CVE-2023-4009 + - CVE-2021-32039 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnAWSMetaEndpointAbusingEnclosedAlphanumerics.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnAWSMetaEndpointAbusingEnclosedAlphanumerics.yaml index 89fd3b91ec..49bdc2df25 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnAWSMetaEndpointAbusingEnclosedAlphanumerics.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnAWSMetaEndpointAbusingEnclosedAlphanumerics.yaml @@ -26,6 +26,9 @@ info: - "https://github.com/cujanovic/SSRF-Testing/tree/master#abusing-enclosed-alphanumerics" cwe: - CWE-918 + cve: + - CVE-2022-4725 + api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnAwsMetaEndpoint.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnAwsMetaEndpoint.yaml index 6b655bc3f3..b4038debbc 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnAwsMetaEndpoint.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnAwsMetaEndpoint.yaml @@ -25,6 +25,8 @@ info: - "https://www.akto.io/blog/how-to-prevent-server-side-request-forgery-ssrf-as-a-developer" cwe: - CWE-918 + cve: + - CVE-2022-4725 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnCSVUpload.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnCSVUpload.yaml index 27226df45b..63de15e456 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnCSVUpload.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnCSVUpload.yaml 
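Review bot: The SSRFOnAWSMetaEndpointAbusingEnclosedAlphanumerics.yaml hunk adds a third, empty line after `- CVE-2022-4725` (its header counts three added lines for only two visible entries), which leaves a double blank line before `api_selection_filters:`; the SSRFOnFiles.yaml hunk that follows does the same. Every other template in this commit adds exactly the two lines `cve:` and the entry, so the trailing blank line should be dropped in both files for consistency.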
@@ -25,6 +25,8 @@ info: - "https://www.akto.io/blog/how-to-prevent-server-side-request-forgery-ssrf-as-a-developer" cwe: - CWE-918 + cve: + - CVE-2022-4725 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnFiles.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnFiles.yaml index 709bc47073..10e0de40bc 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnFiles.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnFiles.yaml @@ -25,6 +25,9 @@ info: - "https://www.akto.io/blog/how-to-prevent-server-side-request-forgery-ssrf-as-a-developer" cwe: - CWE-918 + cve: + - CVE-2022-4725 + api_selection_filters: response_code: and: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnImageUpload.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnImageUpload.yaml index 7943232a78..4322b045e1 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnImageUpload.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnImageUpload.yaml @@ -25,6 +25,8 @@ info: - "https://www.akto.io/blog/how-to-prevent-server-side-request-forgery-ssrf-as-a-developer" cwe: - CWE-918 + cve: + - CVE-2022-4725 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhost.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhost.yaml index 1d3c737d98..812ab62eea 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhost.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhost.yaml @@ -22,6 +22,8 @@ info: - HackerOne top 10 cwe: - CWE-918 + cve: + - CVE-2022-4725 api_selection_filters: response_code: 
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhostDNSPinning.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhostDNSPinning.yaml index 934437cd91..0837444872 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhostDNSPinning.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhostDNSPinning.yaml @@ -22,6 +22,8 @@ info: - HackerOne top 10 cwe: - CWE-918 + cve: + - CVE-2022-4725 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhostEncoded.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhostEncoded.yaml index e3c94d0364..19d5d1cff1 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhostEncoded.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnLocalhostEncoded.yaml @@ -22,6 +22,8 @@ info: - HackerOne top 10 cwe: - CWE-918 + cve: + - CVE-2022-4725 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnPDFUpload.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnPDFUpload.yaml index 84d17a024a..3063953dd3 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnPDFUpload.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnPDFUpload.yaml @@ -24,6 +24,8 @@ info: - "https://github.com/cujanovic/SSRF-Testing#htaccess---redirect-test-for-various-cases" cwe: - CWE-918 + cve: + - CVE-2022-4725 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnXMLUpload.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnXMLUpload.yaml index c7e26f5203..bbe1af070c 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnXMLUpload.yaml 
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSRFOnXMLUpload.yaml @@ -24,6 +24,8 @@ info: - "https://github.com/cujanovic/SSRF-Testing#htaccess---redirect-test-for-various-cases" cwe: - CWE-918 + cve: + - CVE-2022-4725 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml index 69bc89ace8..fbc58cf132 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml @@ -20,6 +20,9 @@ info: - "https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti" cwe: - CWE-1336 + cve: + - CVE-2019-8341 + - CVE-2022-34625 api_selection_filters: or: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml index 7d8ccc4d57..c8f41b8172 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml @@ -20,6 +20,9 @@ info: - "https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti" cwe: - CWE-1336 + cve: + - CVE-2022-24442 + - CVE-2021-25770 api_selection_filters: or: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml index 4573505a1b..dfcb50119b 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml 
@@ -20,6 +20,9 @@ info: - "https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti" cwe: - CWE-1336 + cve: + - CVE-2018-13818 + - CVE-2023-34448 api_selection_filters: or: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerPrivateKeys.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerPrivateKeys.yaml index 2be014f277..b1c8b6827d 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerPrivateKeys.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerPrivateKeys.yaml @@ -17,6 +17,9 @@ info: cwe: - CWE-200 - CWE-213 + cve: + - CVE-2022-22424 + - CVE-2022-23529 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerVersionExposedInvalid.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerVersionExposedInvalid.yaml index 6adbdcd8ca..471d8d0301 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerVersionExposedInvalid.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerVersionExposedInvalid.yaml @@ -29,6 +29,8 @@ info: - "https://github.com/ASRG/asrg.io/issues/200" cwe: - CWE-209 + cve: + - CVE-2017-4013 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerVersionExposedValid.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerVersionExposedValid.yaml index 737ec96be8..4bbe28838c 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerVersionExposedValid.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ServerVersionExposedValid.yaml @@ -29,6 +29,8 @@ info: - "https://github.com/ASRG/asrg.io/issues/200" cwe: - CWE-209 + cve: + - CVE-2020-14183 api_selection_filters: response_code: 
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SessionFixation.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SessionFixation.yaml index 1c83c15049..9b9d3f7fd6 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SessionFixation.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SessionFixation.yaml @@ -20,6 +20,9 @@ info: - "https://hackerone.com/reports/2421" cwe: - CWE-384 + cve: + - CVE-2021-35046 + - CVE-2021-46279 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SftpConfigExposure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SftpConfigExposure.yaml index d0c5a85bdb..cb642d621b 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SftpConfigExposure.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SftpConfigExposure.yaml @@ -17,6 +17,8 @@ info: - https://codexns.io/products/sftp_for_sublime/settings cwe: - CWE-16 + cve: + - CVE-2023-38951 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SonarqubePublicProjects.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SonarqubePublicProjects.yaml index 38f9d8ddeb..2eb0325c6f 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SonarqubePublicProjects.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SonarqubePublicProjects.yaml @@ -15,6 +15,8 @@ info: - https://next.sonarqube.com/sonarqube/web_api/api/components/suggestions?internal=true cwe: - CWE-16 + cve: + - CVE-2020-28002 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootBeansActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootBeansActuatorExposed.yaml index af35ea43fc..7b8806bab7 100644 
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootBeansActuatorExposed.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootBeansActuatorExposed.yaml @@ -26,6 +26,9 @@ info: - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html" cwe: - CWE-16 + cve: + - CVE-2021-21234 + - CVE-2023-29986 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootConfigPropsActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootConfigPropsActuatorExposed.yaml index 678f7dbba6..75c2738e4f 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootConfigPropsActuatorExposed.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootConfigPropsActuatorExposed.yaml @@ -27,6 +27,9 @@ info: - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html" cwe: - CWE-16 + cve: + - CVE-2021-21234 + - CVE-2023-29986 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootEnvActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootEnvActuatorExposed.yaml index 2643e78618..e4f1a294b3 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootEnvActuatorExposed.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootEnvActuatorExposed.yaml @@ -27,6 +27,9 @@ info: - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html" cwe: - CWE-16 + cve: + - CVE-2021-21234 + - CVE-2023-29986 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootHttpTraceActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootHttpTraceActuatorExposed.yaml index 82338fef0d..ed52f8f0c5 100644 
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootHttpTraceActuatorExposed.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootHttpTraceActuatorExposed.yaml @@ -28,6 +28,9 @@ info: - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html" cwe: - CWE-16 + cve: + - CVE-2021-21234 + - CVE-2023-29986 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootThreadDumpActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootThreadDumpActuatorExposed.yaml index 50637c1e45..818d678830 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootThreadDumpActuatorExposed.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootThreadDumpActuatorExposed.yaml @@ -28,6 +28,9 @@ info: - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html" cwe: - CWE-16 + cve: + - CVE-2021-21234 + - CVE-2023-29986 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml index c0d924b75e..eadd66d43d 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml @@ -15,6 +15,9 @@ info: - https://www.ssh.com/academy/ssh/authorized-key cwe: - CWE-16 + cve: + - CVE-2023-43619 + - CVE-2022-29154 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshKnownHosts.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshKnownHosts.yaml index 5aaf20232d..d06786477e 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshKnownHosts.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshKnownHosts.yaml 
@@ -15,6 +15,8 @@ info: - https://datacadamia.com/ssh/known_hosts cwe: - CWE-16 + cve: + - CVE-2005-2666 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml index 57c6af53d6..6f74771242 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml @@ -21,6 +21,9 @@ info: - "https://infosecwriteups.com/text-based-injection-content-spoofing-96e9eb1615d8" cwe: - CWE-345 + cve: + - CVE-2019-1680 + - CVE-2022-42889 api_selection_filters: url: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TraceMethodTest.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TraceMethodTest.yaml index c7c4232331..adb974a3d9 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TraceMethodTest.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TraceMethodTest.yaml @@ -24,6 +24,9 @@ info: - "https://hackerone.com/reports/109054" cwe: - CWE-274 + cve: + - CVE-2022-38115 + - CVE-2018-11039 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TrackMethodTest.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TrackMethodTest.yaml index f9cd534767..dca25972d9 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TrackMethodTest.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TrackMethodTest.yaml @@ -24,6 +24,8 @@ info: - "https://hackerone.com/reports/83837" cwe: - CWE-274 + cve: + - CVE-2021-35233 api_selection_filters: response_code: 
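Review bot: In the TextInjectionViaInvalidUrls.yaml hunk, `CVE-2022-42889` is the Apache Commons Text string-interpolation remote-code-execution issue (Text4Shell), not a text-injection/content-spoofing weakness, so it does not illustrate the CWE-345 finding this template reports and should be replaced with a matching reference or removed. More generally, nothing visible here says whether the new `cve` list is informational or is surfaced to users as the vulnerability the test detects; if the dashboard renders it as the latter, loosely related entries overstate what the test proves, so the field's meaning is worth documenting wherever the template schema is defined.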
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml index 01fc128cd6..0edfc7fa38 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml @@ -15,6 +15,9 @@ info: - https://www.exploit-db.com/ghdb/5684 cwe: - CWE-16 + cve: + - CVE-2020-7925 + - CVE-2021-21422 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml index 32e8b52221..ea2d32027e 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml @@ -24,6 +24,10 @@ info: - "https://blog.yeswehack.com/yeswerhackers/http-header-exploitation/" cwe: - CWE-16 + cve: + - CVE-2022-3215 + - CVE-2020-5247 + - CVE-2023-38039 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/WpconfigAwsKeys.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/WpconfigAwsKeys.yaml index fcbdf82ce5..1f14cc36bb 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/WpconfigAwsKeys.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/WpconfigAwsKeys.yaml @@ -16,6 +16,9 @@ info: cwe: - CWE-200 - CWE-213 + cve: + - CVE-2022-31159 + - CVE-2022-2582 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/XSSInPath.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/XSSInPath.yaml index d32f81632a..e372adbb87 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/XSSInPath.yaml 
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/XSSInPath.yaml @@ -21,6 +21,8 @@ info: - "https://www.codegrazer.com/blog/7-reflected-xss.html" cwe: - CWE-79 + cve: + - CVE-2021-35976 api_selection_filters: response_code: diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/XSSViaFilename.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/XSSViaFilename.yaml index 810472147c..d93b8c5128 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/XSSViaFilename.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/XSSViaFilename.yaml @@ -21,6 +21,9 @@ info: - "https://infosecwriteups.com/all-about-file-upload-xss-c72c797aaba3" cwe: - CWE-79 + cve: + - CVE-2023-43309 + - CVE-2021-38143 api_selection_filters: and: From 81685ba546e48a73da1aeeca386c5d5fcdf9822a Mon Sep 17 00:00:00 2001 From: Adarsh Jha <132337675+adarsh-jha-dev@users.noreply.github.com> Date: Fri, 20 Oct 2023 10:21:46 +0530 Subject: [PATCH 08/14] Update CONTRIBUTING.md --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index e4f7434c5f..6bfd068f08 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -36,7 +36,7 @@ If you find a bug or have an idea for a new feature, please open an issue on Git ## License -By contributing to this project, you agree that your contributions will be licensed under the [LICENSE](LICENSE) file. +By contributing to this project, you agree that your contributions will be licensed under the [LICENSE](https://github.com/akto-api-security/akto/blob/master/LICENSE.md) file. ## Contact From c804e48ff6dd0d87d023a7874b7fea109c687e87 Mon Sep 17 00:00:00 2001 From: ayushaga14 Date: Thu, 26 Oct 2023 12:44:19 +0530 Subject: [PATCH 09/14] modify day_of_month to month --- apps/dashboard/src/main/java/com/akto/action/LoginAction.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/apps/dashboard/src/main/java/com/akto/action/LoginAction.java b/apps/dashboard/src/main/java/com/akto/action/LoginAction.java index d62165e8d4..a2d42ee8f0 100644 --- a/apps/dashboard/src/main/java/com/akto/action/LoginAction.java +++ b/apps/dashboard/src/main/java/com/akto/action/LoginAction.java @@ -120,7 +120,7 @@ public static String loginUser(User user, HttpServletResponse servletResponse, b claims, "Akto", "refreshToken", - Calendar.DAY_OF_MONTH, + Calendar.MONTH, 6 ); From 84ee899fcb53e041ae38ade7a30c24b0f43e5a8a Mon Sep 17 00:00:00 2001 From: notshivansh Date: Thu, 26 Oct 2023 12:57:20 +0530 Subject: [PATCH 10/14] add test errors card --- .../testing/TestRunResultPage/TestRunResultPage.jsx | 13 +++++++++++++ .../src/apps/dashboard/pages/testing/transform.js | 1 + 2 files changed, 14 insertions(+) diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/TestRunResultPage/TestRunResultPage.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/TestRunResultPage/TestRunResultPage.jsx index 6bca26bcbc..959729e17c 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/TestRunResultPage/TestRunResultPage.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/TestRunResultPage/TestRunResultPage.jsx @@ -211,6 +211,18 @@ function TestRunResultPage(props) { fetchData(); }, [subCategoryMap, subCategoryFromSourceConfigMap, props]) + const testErrorComponent = ( + + { + selectedTestRunResult?.errors?.map((error, i) => { + return ( + {error} + ) + }) + } + + ) + const components = loading ? [] : [ issueDetails.id && 
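Review bot: Changing `Calendar.DAY_OF_MONTH` to `Calendar.MONTH` with the literal `6` unchanged extends the refresh token's validity from 6 days to 6 months, and neither the hunk nor the commit message says whether refresh tokens can be revoked or rotated server-side; a leaked refresh token would then mint access tokens for half a year, so confirm a revocation path exists or record the decision next to the call. The pair `Calendar.MONTH, 6` is also a magic value at the call site and reads better as a named constant, e.g. `private static final int REFRESH_TOKEN_VALIDITY_MONTHS = 6;`, passed as `Calendar.MONTH, REFRESH_TOKEN_VALIDITY_MONTHS`. loginUser's body starts and ends outside the hunk.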
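Review bot: The new `testErrorComponent` guards with `selectedTestRunResult?.errors?.map(...)`, while the second hunk of this file (at `@@ -220,6 +232,7 @@`) reads `selectedTestRunResult.errors && selectedTestRunResult.errors.length > 0` without optional chaining, so the two sites disagree about whether `selectedTestRunResult` can be undefined. If it can, the condition in the `components` array throws; the existing `selectedTestRunResult.testResults &&` line suggests it is always set once `loading` is false, in which case the `?.` in the card is misleading. Either way, one form should be used at both sites; `(selectedTestRunResult?.errors?.length > 0) ? testErrorComponent : <>,` matches the card and is safe in both cases. The JSX tags appear to have been stripped from this rendering of the hunk, so the list item's key could not be checked.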
@@ -220,6 +232,7 @@ function TestRunResultPage(props) { , + ( selectedTestRunResult.errors && selectedTestRunResult.errors.length > 0 ) ? testErrorComponent : <>, selectedTestRunResult.testResults && (res.errors && res.errors.length > 0)).map((res) => res.errors.join(", ")) obj['singleTypeInfos'] = data['singleTypeInfos'] || [] obj['vulnerable'] = data['vulnerable'] || false obj['nextUrl'] = "/dashboard/testing/"+ hexId + "/result/" + data.hexId; From c5848b9f9c5b3e85a49da6888decf000f46dbbee Mon Sep 17 00:00:00 2001 
From: arjun Date: Thu, 26 Oct 2023 13:43:39 +0530 Subject: [PATCH 11/14] CWEs updated --- .../inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml | 1 + .../CORSMisconfigurationInvalidOrigin.yaml | 2 +- .../CORSMisconfigurationWhitelistOrigin.yaml | 2 +- .../inbuilt_test_yaml_files/ConfigurationListing.yaml | 2 +- .../inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml | 3 ++- .../inbuilt_test_yaml_files/CookieMisconfiguration.yaml | 4 +++- .../main/resources/inbuilt_test_yaml_files/DebugVars.yaml | 3 ++- .../inbuilt_test_yaml_files/DefaultLoginCredentials.yml | 1 + .../DescriptiveErrorMessageInvalidPayloads.yaml | 1 + .../resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml | 3 ++- .../inbuilt_test_yaml_files/DockerComposeConfig.yaml | 3 +++ .../inbuilt_test_yaml_files/DockerfileHiddenDisclosure.yaml | 2 ++ .../resources/inbuilt_test_yaml_files/EsmtprcConfig.yaml | 2 ++ .../inbuilt_test_yaml_files/ExpressStackTraceEnabled.yaml | 2 +- .../inbuilt_test_yaml_files/FirebaseConfigExposure.yaml | 1 + .../inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml | 1 + .../inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml | 2 ++ .../inbuilt_test_yaml_files/FtpCredentialsExposure.yaml | 2 +- .../inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml | 2 +- .../inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml | 3 +-- .../inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml | 1 + .../inbuilt_test_yaml_files/GraphqlDebugModeEnabled.yaml | 1 + .../GraphqlDevelopmentConsoleExposed.yaml | 1 + .../GraphqlFieldSuggestionEnabled.yaml | 1 + .../inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml | 1 + .../GraphqlTypeIntrospectionAllowed.yaml | 1 + .../resources/inbuilt_test_yaml_files/HeadMethodTest.yaml | 2 +- .../inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml | 1 + .../inbuilt_test_yaml_files/HttpResponseSplitting.yaml | 1 + .../resources/inbuilt_test_yaml_files/InvalidFileInput.yaml | 5 +++-- .../inbuilt_test_yaml_files/JWTSigningInClientSide.yaml | 1 + 
.../main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml | 1 + .../inbuilt_test_yaml_files/JwtInvalidSignature.yaml | 1 + .../main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml | 1 + .../inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml | 2 +- .../KubernetesKustomizationDisclosure.yaml | 1 + .../resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml | 1 + .../resources/inbuilt_test_yaml_files/LFIInParameter.yaml | 1 + .../main/resources/inbuilt_test_yaml_files/LFIInPath.yaml | 1 + .../inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml | 2 +- .../main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml | 1 + .../inbuilt_test_yaml_files/LaravelTelescopeEnabled.yaml | 1 + .../inbuilt_test_yaml_files/MustContainResponseHeaders.yaml | 2 +- .../main/resources/inbuilt_test_yaml_files/NginxConfig.yaml | 1 + .../inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml | 1 + .../inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml | 1 + .../inbuilt_test_yaml_files/NginxStatusVisible.yaml | 1 + .../src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml | 1 + .../resources/inbuilt_test_yaml_files/OldApiVersion.yaml | 2 ++ .../inbuilt_test_yaml_files/OracleEbsCredentials.yaml | 1 + .../resources/inbuilt_test_yaml_files/ParametersConfig.yaml | 1 + .../resources/inbuilt_test_yaml_files/PrometheusMetrics.yaml | 1 + .../inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml | 2 +- .../inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml | 1 + .../resources/inbuilt_test_yaml_files/RandomMethodTest.yaml | 4 +++- .../main/resources/inbuilt_test_yaml_files/RedisConfig.yaml | 1 + .../resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml | 1 + .../resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml | 1 + .../inbuilt_test_yaml_files/RobomongoCredential.yaml | 1 + .../inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml | 1 + .../resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml | 1 + .../main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml | 1 + 
.../inbuilt_test_yaml_files/SftpConfigExposure.yaml | 1 + .../inbuilt_test_yaml_files/SonarqubePublicProjects.yaml | 1 + .../SpringBootBeansActuatorExposed.yaml | 1 + .../SpringBootConfigPropsActuatorExposed.yaml | 1 + .../SpringBootEnvActuatorExposed.yaml | 1 + .../SpringBootHttpTraceActuatorExposed.yaml | 1 + .../SpringBootThreadDumpActuatorExposed.yaml | 1 + .../resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml | 1 + .../resources/inbuilt_test_yaml_files/SshKnownHosts.yaml | 1 + .../inbuilt_test_yaml_files/StrutsDebugModeEnabled.yaml | 2 +- .../inbuilt_test_yaml_files/StrutsOgnlConsoleEnabled.yaml | 2 +- .../inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml | 2 +- .../resources/inbuilt_test_yaml_files/TraceMethodTest.yaml | 2 +- .../resources/inbuilt_test_yaml_files/TrackMethodTest.yaml | 2 +- .../inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml | 2 +- .../inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml | 1 + .../main/resources/inbuilt_test_yaml_files/WgetrcConfig.yaml | 1 + 79 files changed, 94 insertions(+), 26 deletions(-) diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml index 56b0339ab7..bf32b55e8b 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/AbusingCRLFInHeaders.yaml @@ -24,6 +24,7 @@ info: - CWE-93 - CWE-74 - CWE-20 + - CWE-113 cve: - CVE-2020-15693 - CVE-2023-0040 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationInvalidOrigin.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationInvalidOrigin.yaml index 2377296956..e6a16b1d13 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationInvalidOrigin.yaml 
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationInvalidOrigin.yaml @@ -23,7 +23,7 @@ info: references: - "https://crashtest-security.com/cors-misconfiguration/" cwe: - - CWE-16 + - CWE-942 cve: - CVE-2021-27786 - CVE-2021-26991 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationWhitelistOrigin.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationWhitelistOrigin.yaml index 02cb20967e..3c58e06899 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationWhitelistOrigin.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CORSMisconfigurationWhitelistOrigin.yaml @@ -22,7 +22,7 @@ info: references: - "https://crashtest-security.com/cors-misconfiguration/" cwe: - - CWE-16 + - CWE-942 cve: - CVE-2021-27786 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigurationListing.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigurationListing.yaml index 09e15f96f3..9cbb14d6e6 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigurationListing.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ConfigurationListing.yaml @@ -14,7 +14,7 @@ info: references: - https://www.exploit-db.com/ghdb/7014 cwe: - - CWE-16 + - CWE-548 cve: - CVE-2021-1126 - CVE-2021-33214 diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml index fd41930845..0722e92dde 100644 --- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml +++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ContentTypeHeaderMissing.yaml 
@@ -27,7 +27,8 @@ info:
 - "https://cwe.mitre.org/data/definitions/285.html"
 - "https://cwe.mitre.org/data/definitions/639.html"
 cwe:
- - CWE-16
+ - CWE-116
+ - CWE-430
 cve:
 - CVE-2023-38199
 - CVE-2023-26130
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CookieMisconfiguration.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CookieMisconfiguration.yaml
index 0c6e5f174f..ca79c25db7 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CookieMisconfiguration.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/CookieMisconfiguration.yaml
@@ -18,7 +18,9 @@ info:
 references:
 - "https://hackerone.com/reports/58679"
 cwe:
- - CWE-16
+ - CWE-614
+ - CWE-1004
+ - CWE-315
 cve:
 - CVE-2023-4654
 - CVE-2023-28708
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DebugVars.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DebugVars.yaml
index cc67c0ac8d..e4767aef0c 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DebugVars.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DebugVars.yaml
@@ -14,7 +14,8 @@ info:
 references:
 - https://hackerone.com/reports/1650035
 cwe:
- - CWE-16
+ - CWE-200
+ - CWE-538
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DefaultLoginCredentials.yml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DefaultLoginCredentials.yml
index a75a9a6f60..17607acae1 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DefaultLoginCredentials.yml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DefaultLoginCredentials.yml
@@ -25,6 +25,7 @@ info:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 cwe:
 - CWE-1392
+ - CWE-521
 cve:
 - CVE-2023-41878
 - CVE-2023-37755
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DescriptiveErrorMessageInvalidPayloads.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DescriptiveErrorMessageInvalidPayloads.yaml
index f064b69244..7afe67d964 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DescriptiveErrorMessageInvalidPayloads.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DescriptiveErrorMessageInvalidPayloads.yaml
@@ -20,6 +20,7 @@ info:
 - "https://owasp.org/www-community/Improper_Error_Handling"
 cwe:
 - CWE-209
+ - CWE-200
 cve:
 - CVE-2020-11883
 - CVE-2020-15652
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml
index db5a84fd34..cf30a49b35 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DjangoUrlExposed.yaml
@@ -23,7 +23,8 @@ info:
 - "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_For_Improper_Error_Handling"
 - "https://hackerone.com/reports/1033423"
 cwe:
- - CWE-16
+ - CWE-215
+ - CWE-489
 cve:
 - CVE-2017-12794
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerComposeConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerComposeConfig.yaml
index 7afe668612..a021855cfa 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerComposeConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerComposeConfig.yaml
@@ -16,6 +16,9 @@ info:
 - https://secapps.com/vulndb/docker-compose-exposure
 cwe:
 - CWE-16
+ - CWE-530
+ - CWE-538
+ - CWE-552
 cve:
 - CVE-2023-37273
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerfileHiddenDisclosure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerfileHiddenDisclosure.yaml
index a6bdbc0e10..bb490ff207 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerfileHiddenDisclosure.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/DockerfileHiddenDisclosure.yaml
@@ -15,6 +15,8 @@ info:
 - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/dockerfile-hidden-disclosure.json
 cwe:
 - CWE-16
+ - CWE-200
+ - CWE-552
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/EsmtprcConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/EsmtprcConfig.yaml
index 21fd976a6c..86cd33c67b 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/EsmtprcConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/EsmtprcConfig.yaml
@@ -15,6 +15,8 @@ info:
 - https://linux.die.net/man/5/esmtprc
 cwe:
 - CWE-16
+ - CWE-200
+ - CWE-538
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ExpressStackTraceEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ExpressStackTraceEnabled.yaml
index ec95bc0c35..8060c8302a 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ExpressStackTraceEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ExpressStackTraceEnabled.yaml
@@ -23,7 +23,7 @@ info:
 references:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 cwe:
- - CWE-16
+ - CWE-209
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseConfigExposure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseConfigExposure.yaml
index bcaa80650b..30fb6626e0 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseConfigExposure.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseConfigExposure.yaml
@@ -15,6 +15,7 @@ info:
 - https://github.com/firebase/firebaseui-web/blob/master/demo/public/sample-config.js
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2020-7765
 - CVE-2021-46743
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml
index fbf37552bb..387ffdbb80 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FirebaseUnauthenticated.yaml
@@ -20,6 +20,7 @@ info:
 - "http://ghostlulz.com/google-exposed-firebase-database/"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2020-7765
 - CVE-2021-46743
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml
index 285d58af44..590ad92a81 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FlaskDebugModeEnabled.yaml
@@ -28,6 +28,8 @@ info:
 - "http://ghostlulz.com/flask-rce-debug-mode/"
 cwe:
 - CWE-16
+ - CWE-11
+ - CWE-215
 cve:
 - CVE-2015-5306
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FtpCredentialsExposure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FtpCredentialsExposure.yaml
index e114f36aa9..901c9e716b 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FtpCredentialsExposure.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/FtpCredentialsExposure.yaml
@@ -15,7 +15,7 @@ info:
 - https://www.acunetix.com/vulnerabilities/web/sftp-ftp-credentials-exposure/
 cwe:
 - CWE-200
- - CWE-213
+ - CWE-256
 cve:
 - CVE-2023-2061
 - CVE-2018-18371
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml
index ef332fd62a..26c522f294 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitConfigNginxoffbyslash.yaml
@@ -16,7 +16,7 @@ info:
 - https://twitter.com/Random_Robbie/status/1262676628167110656
 - https://github.com/PortSwigger/nginx-alias-traversal/blob/master/off-by-slash.py
 cwe:
- - CWE-16
+ - CWE-22
 cve:
 - CVE-2021-23017
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml
index 6fd0257c98..38096a241f 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GitCredentialsDisclosure.yaml
@@ -14,8 +14,7 @@ info:
 references:
 - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/git-credentials-disclosure.json
 cwe:
- - CWE-200
- - CWE-213
+ - CWE-256
 cve:
 - CVE-2020-5260
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml
index 5b631299d6..64a68292b4 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GithubWorkflowsDisclosure.yaml
@@ -15,6 +15,7 @@ info:
 - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/github-workflows-disclosure.json
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2023-34111
 - CVE-2022-46258
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDebugModeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDebugModeEnabled.yaml
index e748048fe6..98fd23531d 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDebugModeEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDebugModeEnabled.yaml
@@ -30,6 +30,7 @@ info:
 - "https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities"
 cwe:
 - CWE-16
+ - CWE-200
 api_selection_filters:
 url:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDevelopmentConsoleExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDevelopmentConsoleExposed.yaml
index 984608c6f9..6dbcaac1f3 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDevelopmentConsoleExposed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlDevelopmentConsoleExposed.yaml
@@ -27,6 +27,7 @@ info:
 - "https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2021-41248
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlFieldSuggestionEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlFieldSuggestionEnabled.yaml
index 133d47d974..2b9062aea6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlFieldSuggestionEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlFieldSuggestionEnabled.yaml
@@ -24,6 +24,7 @@ info:
 - "https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2023-5192
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml
index b7a980263e..db2f73d23c 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlIntrospectionEnabled.yaml
@@ -26,6 +26,7 @@ info:
 - "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2023-5192
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlTypeIntrospectionAllowed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlTypeIntrospectionAllowed.yaml
index f16f568795..a2c4af8af5 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlTypeIntrospectionAllowed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/GraphqlTypeIntrospectionAllowed.yaml
@@ -25,6 +25,7 @@ info:
 - "https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2021-41248
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeadMethodTest.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeadMethodTest.yaml
index edbec8cbcd..8933149431 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeadMethodTest.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeadMethodTest.yaml
@@ -34,7 +34,7 @@ info:
 - "https://cwe.mitre.org/data/definitions/285.html"
 - "https://cwe.mitre.org/data/definitions/639.html"
 cwe:
- - CWE-16
+ - CWE-284
 cve:
 - CVE-2022-45956
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml
index 7b9d5d51e0..5400750c95 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HeaderReflectedInInvalidUrl.yaml
@@ -19,6 +19,7 @@ info:
 references:
 - "https://hackerone.com/reports/792998"
 cwe:
+ - CWE-113
 - CWE-16
 cve:
 - CVE-2022-37724
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HttpResponseSplitting.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HttpResponseSplitting.yaml
index 1f452600ae..3dc90628f8 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HttpResponseSplitting.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/HttpResponseSplitting.yaml
@@ -21,6 +21,7 @@ info:
 - "https://www.invicti.com/blog/web-security/crlf-http-header/"
 cwe:
 - CWE-93
+ - CWE-113
 cve:
 - CVE-2023-41834
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/InvalidFileInput.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/InvalidFileInput.yaml
index 479c8a77ef..7ae9d7befd 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/InvalidFileInput.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/InvalidFileInput.yaml
@@ -25,8 +25,9 @@ info:
 - "https://owasp.org/www-community/Improper_Error_Handling"
 - "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_For_Improper_Error_Handling"
 cwe:
- - CWE-728
- - CWE-388
+ - CWE-209
+ - CWE-200
+ - CWE-22
 cve:
 - CVE-2020-10097
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JWTSigningInClientSide.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JWTSigningInClientSide.yaml
index bbbe10562f..f8f57928b6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JWTSigningInClientSide.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JWTSigningInClientSide.yaml
@@ -20,6 +20,7 @@ info:
 - "https://hackerone.com/reports/638635"
 cwe:
 - CWE-287
+ - CWE-347
 api_selection_filters:
 response_payload:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml
index ab37b27a90..6baf07ec79 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtAddJku.yaml
@@ -29,6 +29,7 @@ info:
 - "https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection"
 cwe:
 - CWE-287
+ - CWE-295
 cve:
 - CVE-2018-0114
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtInvalidSignature.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtInvalidSignature.yaml
index dfdccf89c0..34b84d1979 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtInvalidSignature.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtInvalidSignature.yaml
@@ -27,6 +27,7 @@ info:
 - "https://portswigger.net/kb/issues/00200900_jwt-signature-not-verified#:~:text=Description%3A%20JWT%20signature%20not%20verified&text=However%2C%20some%20servers%20fail%20to,privileges%20or%20impersonate%20other%20users."
 cwe:
 - CWE-287
+ - CWE-295
 cve:
 - CVE-2022-25898
 - CVE-2021-29455
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml
index ac10724845..d090fdac57 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/JwtNoneAlgo.yaml
@@ -26,6 +26,7 @@ info:
 - "https://portswigger.net/kb/issues/00200901_jwt-none-algorithm-supported"
 cwe:
 - CWE-287
+ - CWE-347
 cve:
 - CVE-2022-23540
 - CVE-2015-9235
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml
index 9c749b3512..65ba614b1c 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KernelOpenCommandInjection.yaml
@@ -18,7 +18,7 @@ info:
 - OWASP top 10
 - HackerOne top 10
 cwe:
- - CWE-77
+ - CWE-78
 cve:
 - CVE-2021-31799
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KubernetesKustomizationDisclosure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KubernetesKustomizationDisclosure.yaml
index 7be9ec26b0..6e02efc49f 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KubernetesKustomizationDisclosure.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/KubernetesKustomizationDisclosure.yaml
@@ -15,6 +15,7 @@ info:
 - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/kubernetes-kustomization-disclosure.json
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2021-41254
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml
index 507ec4b97c..c5a5a2cda9 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIAddingNewParam.yaml
@@ -21,6 +21,7 @@ info:
 - "https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt"
 cwe:
 - CWE-98
+ - CWE-22
 cve:
 - CVE-2021-39433
 - CVE-2023-22973
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInParameter.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInParameter.yaml
index 22e10a4bcf..63d72761c7 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInParameter.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInParameter.yaml
@@ -21,6 +21,7 @@ info:
 - "https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt"
 cwe:
 - CWE-98
+ - CWE-22
 cve:
 - CVE-2022-29597
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInPath.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInPath.yaml
index 30d54cc9d0..c914a348c9 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInPath.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LFIInPath.yaml
@@ -21,6 +21,7 @@ info:
 - "https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt"
 cwe:
 - CWE-98
+ - CWE-22
 cve:
 - CVE-2023-2453
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml
index f20c4bbdf0..32412afb7e 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelDebugModeEnabled.yaml
@@ -27,7 +27,7 @@ info:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 - "https://laravel.com/docs/10.x/deployment#debug-mode"
 cwe:
- - CWE-16
+ - CWE-215
 cve:
 - CVE-2021-3129
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml
index d855a79880..9008f9b9d8 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelEnv.yaml
@@ -15,6 +15,7 @@ info:
 - https://laravel.com/docs/master/configuration#environment-configuration
 - https://stackoverflow.com/questions/38331397/how-to-protect-env-file-in-laravel
 cwe:
+ - CWE-200
 - CWE-16
 cve:
 - CVE-2017-16894
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelTelescopeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelTelescopeEnabled.yaml
index 0737c6cd0d..827fb2c2a3 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelTelescopeEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/LaravelTelescopeEnabled.yaml
@@ -28,6 +28,7 @@ info:
 - "https://laravel.com/docs/10.x/telescope"
 cwe:
 - CWE-16
+ - CWE-215
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MustContainResponseHeaders.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MustContainResponseHeaders.yaml
index 18ed0054fa..6921fb9772 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MustContainResponseHeaders.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/MustContainResponseHeaders.yaml
@@ -26,7 +26,7 @@ info:
 - "https://www.keycdn.com/blog/http-security-headers"
 - "https://www.invicti.com/white-papers/whitepaper-http-security-headers"
 cwe:
- - CWE-16
+ - CWE-693
 cve:
 - CVE-2022-41915
 - CVE-2022-37436
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxConfig.yaml
index e21dcd1a12..e63cacaf7f 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxConfig.yaml
@@ -15,6 +15,7 @@ info:
 - https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/nginx
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2020-11959
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml
index eb77c5d518..d0cb1da8ba 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxDefaultPageEnabled.yaml
@@ -25,6 +25,7 @@ info:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 cwe:
 - CWE-16
+ - CWE-276
 cve:
 - CVE-2013-0337
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml
index 5b74383440..d4396e2651 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxServerVersionDisclosed.yaml
@@ -25,6 +25,7 @@ info:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2017-7529
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxStatusVisible.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxStatusVisible.yaml
index dd0fed34dd..361990f884 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxStatusVisible.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NginxStatusVisible.yaml
@@ -21,6 +21,7 @@ info:
 - "https://www.acunetix.com/vulnerabilities/web/unrestricted-access-to-nginx-status-module/"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2022-41741
 - CVE-2019-20372
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml
index 6113f17848..2219c5ec2f 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/NoAuth.yaml
@@ -25,6 +25,7 @@ info:
 - "https://cwe.mitre.org/data/definitions/798.html"
 cwe:
 - CWE-287
+ - CWE-306
 cve:
 - CVE-2023-22501
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OldApiVersion.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OldApiVersion.yaml
index 9ba59b1f5e..1576bbf077 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OldApiVersion.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OldApiVersion.yaml
@@ -31,6 +31,8 @@ info:
 - "https://cwe.mitre.org/data/definitions/639.html"
 cwe:
 - CWE-937
+ - CWE-285
+ - CWE-862
 cve:
 - CVE-2022-31690
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OracleEbsCredentials.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OracleEbsCredentials.yaml
index 2069d4b060..412b5ad781 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OracleEbsCredentials.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/OracleEbsCredentials.yaml
@@ -17,6 +17,7 @@ info:
 - http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2023-21849
 - CVE-2023-21847
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParametersConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParametersConfig.yaml
index e3ebe87fa6..0b1e982bf9 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParametersConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ParametersConfig.yaml
@@ -15,6 +15,7 @@ info:
 - https://www.exploit-db.com/ghdb/5986
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2015-4050
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PrometheusMetrics.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PrometheusMetrics.yaml
index aed63c6dcb..7723f706e8 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PrometheusMetrics.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/PrometheusMetrics.yaml
@@ -16,6 +16,7 @@ info:
 - https://hackerone.com/reports/1026196
 cwe:
 - CWE-16
+ - CWE-200
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml
index 75f5c58659..319bbce287 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDebugModeEnabled.yaml
@@ -27,7 +27,7 @@ info:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 - "https://beaglesecurity.com/blog/vulnerability/rails-debug-mode-enabled.html"
 cwe:
- - CWE-16
+ - CWE-215
 cve:
 - CVE-2019-5420
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml
index a41904b6ec..a2711c9ed6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RailsDefaultHomepageEnabled.yaml
@@ -26,6 +26,7 @@ info:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 cwe:
 - CWE-16
+ - CWE-276
 cve:
 - CVE-2019-5418
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RandomMethodTest.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RandomMethodTest.yaml
index dac0785014..28cf733c70 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RandomMethodTest.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RandomMethodTest.yaml
@@ -31,7 +31,9 @@ info:
 - "https://web.archive.org/web/20081116154150/http://www.aspectsecurity.com/documents/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf"
 - "https://capec.mitre.org/data/definitions/274.html"
 cwe:
- - CWE-274
+ - CWE-288
+ - CWE-287
+ - CWE-285
 cve:
 - CVE-2020-35239
 - CVE-2018-19908
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RedisConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RedisConfig.yaml
index 6a1f1f4622..f16193e80c 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RedisConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RedisConfig.yaml
@@ -15,6 +15,7 @@ info:
 - https://redis.io/docs/manual/config/
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2023-36824
 - CVE-2022-0543
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml
index 183b24f433..4db363a924 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RemoveCaptcha.yaml
@@ -20,6 +20,7 @@ info:
 - "https://hackerone.com/reports/124173"
 cwe:
 - CWE-287
+ - CWE-294
 cve:
 - CVE-2021-37417
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml
index acdf9e7d5d..b3e6a9cdd6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/ReplayCaptcha.yaml
@@ -19,6 +19,7 @@ info:
 - "https://hackerone.com/reports/223324"
 cwe:
 - CWE-287
+ - CWE-294
 cve:
 - CVE-2021-29047
 - CVE-2022-34983
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RobomongoCredential.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RobomongoCredential.yaml
index 64167c378d..b8372d90c6 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RobomongoCredential.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/RobomongoCredential.yaml
@@ -15,6 +15,7 @@ info:
 - https://web.cystack.net/vulnerability/cystack.remote.robomongo_cred_disclosure
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2023-4009
 - CVE-2021-32039
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml
index fbc58cf132..bad31d4d8f 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFlaskAndJinja.yaml
@@ -20,6 +20,7 @@ info:
 - "https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti"
 cwe:
 - CWE-1336
+ - CWE-94
 cve:
 - CVE-2019-8341
 - CVE-2022-34625
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml
index c8f41b8172..0aa75b536e 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInFreemarker.yaml
@@ -20,6 +20,7 @@ info:
 - "https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti"
 cwe:
 - CWE-1336
+ - CWE-94
 cve:
 - CVE-2022-24442
 - CVE-2021-25770
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml
index dfcb50119b..802acfeb1b 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SSTIInTwig.yaml
@@ -20,6 +20,7 @@ info:
 - "https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti"
 cwe:
 - CWE-1336
+ - CWE-94
 cve:
 - CVE-2018-13818
 - CVE-2023-34448
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SftpConfigExposure.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SftpConfigExposure.yaml
index cb642d621b..2d2468f313 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SftpConfigExposure.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SftpConfigExposure.yaml
@@ -17,6 +17,7 @@ info:
 - https://codexns.io/products/sftp_for_sublime/settings
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2023-38951
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SonarqubePublicProjects.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SonarqubePublicProjects.yaml
index 2eb0325c6f..04e9d7a16b 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SonarqubePublicProjects.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SonarqubePublicProjects.yaml
@@ -15,6 +15,7 @@ info:
 - https://next.sonarqube.com/sonarqube/web_api/api/components/suggestions?internal=true
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2020-28002
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootBeansActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootBeansActuatorExposed.yaml
index 7b8806bab7..5e90fb92ae 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootBeansActuatorExposed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootBeansActuatorExposed.yaml
@@ -26,6 +26,7 @@ info:
 - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2021-21234
 - CVE-2023-29986
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootConfigPropsActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootConfigPropsActuatorExposed.yaml
index 75c2738e4f..19017fff3a 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootConfigPropsActuatorExposed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootConfigPropsActuatorExposed.yaml
@@ -27,6 +27,7 @@ info:
 - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2021-21234
 - CVE-2023-29986
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootEnvActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootEnvActuatorExposed.yaml
index e4f1a294b3..a891493074 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootEnvActuatorExposed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootEnvActuatorExposed.yaml
@@ -27,6 +27,7 @@ info:
 - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2021-21234
 - CVE-2023-29986
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootHttpTraceActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootHttpTraceActuatorExposed.yaml
index ed52f8f0c5..55a91eedbe 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootHttpTraceActuatorExposed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootHttpTraceActuatorExposed.yaml
@@ -28,6 +28,7 @@ info:
 - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2021-21234
 - CVE-2023-29986
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootThreadDumpActuatorExposed.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootThreadDumpActuatorExposed.yaml
index 818d678830..395e90ab71 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootThreadDumpActuatorExposed.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SpringBootThreadDumpActuatorExposed.yaml
@@ -28,6 +28,7 @@ info:
 - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html"
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2021-21234
 - CVE-2023-29986
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml
index eadd66d43d..43d57d6c10 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshAuthorizedKeys.yaml
@@ -15,6 +15,7 @@ info:
 - https://www.ssh.com/academy/ssh/authorized-key
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2023-43619
 - CVE-2022-29154
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshKnownHosts.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshKnownHosts.yaml
index d06786477e..cc9641e74e 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshKnownHosts.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/SshKnownHosts.yaml
@@ -15,6 +15,7 @@ info:
 - https://datacadamia.com/ssh/known_hosts
 cwe:
 - CWE-16
+ - CWE-200
 cve:
 - CVE-2005-2666
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/StrutsDebugModeEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/StrutsDebugModeEnabled.yaml
index 0f03a1d63d..f3c72b3ad3 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/StrutsDebugModeEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/StrutsDebugModeEnabled.yaml
@@ -26,7 +26,7 @@ info:
 - "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
 - "https://struts.apache.org/core-developers/development-mode"
 cwe:
- - CWE-16
+ - CWE-215
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/StrutsOgnlConsoleEnabled.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/StrutsOgnlConsoleEnabled.yaml
index c9234390e7..270a784418 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/StrutsOgnlConsoleEnabled.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/StrutsOgnlConsoleEnabled.yaml
@@ -26,7 +26,7 @@ info:
 - "https://struts.apache.org/core-developers/development-mode"
 - "https://nvd.nist.gov/vuln/detail/CVE-2020-17530"
 cwe:
- - CWE-16
+ - CWE-215
 api_selection_filters:
 response_code:
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml
index 6f74771242..c4557d59ef 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TextInjectionViaInvalidUrls.yaml
@@ -20,7 +20,7 @@ info:
 - "https://owasp.org/www-community/attacks/Content_Spoofing"
 - "https://infosecwriteups.com/text-based-injection-content-spoofing-96e9eb1615d8"
 cwe:
- - CWE-345
+ - CWE-74
 cve:
 - CVE-2019-1680
 - CVE-2022-42889
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TraceMethodTest.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TraceMethodTest.yaml
index adb974a3d9..8edb74aa26 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TraceMethodTest.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TraceMethodTest.yaml
@@ -23,7 +23,7 @@ info:
 - "https://www.onwebsecurity.com/security/unsafe-http-methods.html"
 - "https://hackerone.com/reports/109054"
 cwe:
- - CWE-274
+ - CWE-16
 cve:
 - CVE-2022-38115
 - CVE-2018-11039
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TrackMethodTest.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TrackMethodTest.yaml
index dca25972d9..11e20c1c57 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TrackMethodTest.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/TrackMethodTest.yaml
@@ -23,7 +23,7 @@ info:
 - "https://www.onwebsecurity.com/security/unsafe-http-methods.html"
 - "https://hackerone.com/reports/83837"
 cwe:
- - CWE-274
+ - CWE-16
 cve:
 - CVE-2021-35233
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml
index 0edfc7fa38..f7d32fe8e9 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnauthenticatedMongoExpress.yaml
@@ -14,7 +14,7 @@ info:
 references:
 - https://www.exploit-db.com/ghdb/5684
 cwe:
- - CWE-16
+ - CWE-306
 cve:
 - CVE-2020-7925
 - CVE-2021-21422
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml
index ea2d32027e..cdfe1dcaaf 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/UnwantedResponseHeaders.yaml
@@ -23,6 +23,7 @@ info:
 - "https://portswigger.net/web-security/host-header/exploiting"
 - "https://blog.yeswehack.com/yeswerhackers/http-header-exploitation/"
 cwe:
+ - CWE-200
 - CWE-16
 cve:
 - CVE-2022-3215
diff --git a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/WgetrcConfig.yaml b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/WgetrcConfig.yaml
index fff2298b92..3748e247e1 100644
--- a/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/WgetrcConfig.yaml
+++ b/apps/dashboard/src/main/resources/inbuilt_test_yaml_files/WgetrcConfig.yaml
@@ -15,6 +15,7 @@ info:
 - https://ubuntu.com/security/notices/USN-982-1
 cwe:
 - CWE-16
+ - CWE-200
 api_selection_filters:
 response_code:
From d47a803f7715b56cfe477a7e38f83d6d289f819d Mon Sep 17 00:00:00 2001
From: notshivansh
Date: Thu, 26 Oct 2023 15:06:49 +0530
Subject: [PATCH 12/14] refractor PR
---
 .../akto/test_editor/execution/Executor.java | 6 ++-
 .../src/main/java/com/akto/testing/Main.java | 41 +------------------
 .../java/com/akto/testing/TestExecutor.java | 33 ++++++---------
 3 files changed, 18 insertions(+), 62 deletions(-)
diff --git a/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java b/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java
index 079d44f771..361ddb2aa6 100644
--- a/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java
+++ b/apps/testing/src/main/java/com/akto/test_editor/execution/Executor.java
@@ -32,9 +32,11 @@ public List execute(ExecutorNode node, RawApi rawApi, Map customAuthTypes) {
 List result = new ArrayList<>();
+ TestResult invalidExecutionResult = new TestResult(null, rawApi.getOriginalMessage(), Collections.singletonList(TestError.INVALID_EXECUTION_BLOCK.getMessage()), 0, false, TestResult.Confidence.HIGH, null);
+
 if (node.getChildNodes().size() < 2) {
 loggerMaker.errorAndAddToDb("executor child nodes is less than 2, returning empty execution result " + logId, LogDb.TESTING);
- result.add(new TestResult(null, rawApi.getOriginalMessage(), Collections.singletonList(TestError.INVALID_EXECUTION_BLOCK.getMessage()), 0, false, TestResult.Confidence.HIGH, null));
+ result.add(invalidExecutionResult);
 return result;
 }
 ExecutorNode reqNodes = node.getChildNodes().get(1);
@@ -42,7 +44,7 @@ public List execute(ExecutorNode node, RawApi rawApi, Map testingRunResults = TestingRunResultDao.instance.findAll(
- Filters.eq(TestingRunResult.TEST_RUN_RESULT_SUMMARY_ID, summaryId)
- );
-
- if(testingRunResults == null){
- testingRunResults = new ArrayList<>();
- }
-
- Map totalCountIssues = TestExecutor.calculateCountIssues(testingRunResults);
-
- int totalApis = 0;
- try {
- totalApis = testingRun.getTestingEndpoints().returnApis().size();
- } catch (Exception e) {
- totalApis = 0;
- }
-
- Bson updates = Updates.combine(
- Updates.set(TestingRunResultSummary.END_TIMESTAMP, Context.now()),
- Updates.set(TestingRunResultSummary.STATE, State.COMPLETED),
- Updates.set(TestingRunResultSummary.COUNT_ISSUES, totalCountIssues),
- Updates.set(TestingRunResultSummary.TOTAL_APIS, totalApis),
- Updates.set(TestingRunResultSummary.TEST_RESULTS_COUNT, testingRunResults.size())
- );
-
- TestingRunResultSummariesDao.instance.updateOne(
- Filters.eq(TestingRunResultSummary.ID, summaryId), updates);
- }
- }
- loggerMaker.infoAndAddToDb("Tests completed in " + (Context.now() - start) + " seconds", LogDb.TESTING);
 }, "testing");
 Thread.sleep(1000);
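Review bot: `invalidExecutionResult` is now built unconditionally at the top of execute, so on the normal path (node has two or more child nodes) the TestResult allocation and the rawApi.getOriginalMessage() call are wasted work, and a reader has to scan ahead to find where the object is actually used. A small private helper called at each error site keeps the construction in one place without the eager allocation, e.g. `private static TestResult invalidExecutionResult(RawApi rawApi) { return new TestResult(null, rawApi.getOriginalMessage(), Collections.singletonList(TestError.INVALID_EXECUTION_BLOCK.getMessage()), 0, false, TestResult.Confidence.HIGH, null); }` with `result.add(invalidExecutionResult(rawApi));` at the call sites. The second hunk of this file is truncated in the view, so I cannot confirm the other use; execute continues outside the hunk.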
diff --git a/apps/testing/src/main/java/com/akto/testing/TestExecutor.java b/apps/testing/src/main/java/com/akto/testing/TestExecutor.java
index 11ff1838f0..85600d93d8 100644
--- a/apps/testing/src/main/java/com/akto/testing/TestExecutor.java
+++ b/apps/testing/src/main/java/com/akto/testing/TestExecutor.java
@@ -244,7 +244,18 @@ public void apiWiseInit(TestingRun testingRun, ObjectId summaryId) {
 loggerMaker.infoAndAddToDb("Finished adding issues", LogDb.TESTING);
- Map totalCountIssues = calculateCountIssues(testingRunResults);
+ Map totalCountIssues = new HashMap<>();
+ totalCountIssues.put("HIGH", 0);
+ totalCountIssues.put("MEDIUM", 0);
+ totalCountIssues.put("LOW", 0);
+
+ for (TestingRunResult testingRunResult: testingRunResults) {
+ if (testingRunResult.isVulnerable()) {
+ String severity = getSeverityFromTestingRunResult(testingRunResult).toString();
+ int initialCount = totalCountIssues.get(severity);
+ totalCountIssues.put(severity, initialCount + 1);
+ }
+ }
 TestingRunResultSummariesDao.instance.updateOne(
 Filters.eq("_id", summaryId),
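Review bot: The inlined loop unboxes `totalCountIssues.get(severity)` into an int, so if getSeverityFromTestingRunResult ever returns a value other than HIGH, MEDIUM or LOW the get returns null and the unboxing throws a NullPointerException, which would abort the summary update that follows; `totalCountIssues.merge(severity, 1, Integer::sum);` counts unseen keys safely and replaces the get/put pair. The removed calculateCountIssues also returned early when testingRunResults was null, a guard the inlined version no longer has, so if that list can be null here the for loop will throw. apiWiseInit starts and ends outside the hunk.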
@@ -269,26 +280,6 @@ public static Severity getSeverityFromTestingRunResult(TestingRunResult testingR
 return severity;
 }
- public static Map calculateCountIssues(List testingRunResults){
- Map totalCountIssues = new HashMap<>();
- totalCountIssues.put("HIGH", 0);
- totalCountIssues.put("MEDIUM", 0);
- totalCountIssues.put("LOW", 0);
-
- if(testingRunResults == null){
- return totalCountIssues;
- }
-
- for (TestingRunResult testingRunResult : testingRunResults) {
- if (testingRunResult.isVulnerable()) {
- String severity = getSeverityFromTestingRunResult(testingRunResult).toString();
- int initialCount = totalCountIssues.get(severity);
- totalCountIssues.put(severity, initialCount + 1);
- }
- }
- return totalCountIssues;
- }
-
 public static String findHost(ApiInfo.ApiInfoKey apiInfoKey, Map> sampleMessagesMap, SampleMessageStore sampleMessageStore) throws URISyntaxException {
 List sampleMessages = sampleMessagesMap.get(apiInfoKey);
 if (sampleMessages == null || sampleMessagesMap.isEmpty()) return null;
From d15365c525bd34c0811ffe37841a8df9e0a7e3c8 Mon Sep 17 00:00:00 2001
From: Ark2307
Date: Sat, 28 Oct 2023 11:29:04 +0530
Subject: [PATCH 13/14] added badge in test editor for total count of categories
---
 .../components/TestEditorFileExplorer.jsx | 26 ++++++++++++++-----
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/TestEditorFileExplorer.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/TestEditorFileExplorer.jsx
index 6b05767edf..01630a57ee 100644
--- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/TestEditorFileExplorer.jsx
+++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/TestEditorFileExplorer.jsx
@@ -1,7 +1,7 @@
 import { useEffect, useState } from "react"
 import { useNavigate } from "react-router-dom"
-import { Box, Button, HorizontalStack, Icon, Navigation, Text, TextField, Tooltip, VerticalStack } from "@shopify/polaris"
+import { Badge, Box, Button, HorizontalStack, Icon, Navigation, Text, TextField, Tooltip, VerticalStack } from "@shopify/polaris"
 import {ChevronDownMinor, ChevronRightMinor, SearchMinor, CirclePlusMinor} from "@shopify/polaris-icons"
 import TestEditorStore from "../testEditorStore"
@@ -22,6 +22,7 @@ const TestEditorFileExplorer = ({addCustomTest}) => {
 const [searchText, setSearchText] = useState('')
 const [showCustom, setShowCustom] = useState(false)
 const [showAkto, setShowAkto] = useState(false)
+ const [count, setCount] = useState({"CUSTOM" : testObj.totalCustomTests, "Akto": testObj.totalAktoTests})
 const navigate = useNavigate()
@@ -83,6 +84,11 @@ const TestEditorFileExplorer = ({addCustomTest}) => {
 }
 }
+ setCount({
+ Akto: aktoTotal,
+ CUSTOM: customTotal
+ })
+
 cloneObj.totalCustomTests = customTotal
 cloneObj.totalAktoTests = aktoTotal
 return cloneObj
@@ -172,6 +178,9 @@ const TestEditorFileExplorer = ({addCustomTest}) => { Custom +
+ {count.CUSTOM.toString()} +
{/* addCustomTest(e)}> */}
@@ -181,11 +190,16 @@ const TestEditorFileExplorer = ({addCustomTest}) => { {showAkto ? : null}
From c19e2b469c83869b9884fff082c3ade83dc2caf1 Mon Sep 17 00:00:00 2001
From: Ark2307
Date: Sat, 28 Oct 2023 11:45:00 +0530
Subject: [PATCH 14/14] Fixed for case when custom test is added
---
 .../components/TestEditorFileExplorer.jsx | 19 ++++++-------------
 .../dashboard/pages/test_editor/transform.js | 5 ++++-
 2 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/TestEditorFileExplorer.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/TestEditorFileExplorer.jsx
index 01630a57ee..a6a4c328cb 100644
--- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/TestEditorFileExplorer.jsx
+++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/components/TestEditorFileExplorer.jsx
@@ -17,12 +17,11 @@ const TestEditorFileExplorer = ({addCustomTest}) => {
 const setSelectedTest = TestEditorStore(state => state.setSelectedTest)
 const [selectedCategory, setSelectedCategory] = useState('none')
- const [customItems, setCustomItems] = useState([])
- const [aktoItems, setAktoItems] = useState([])
+ const [customItems, setCustomItems] = useState({items: [] , count : 0})
+ const [aktoItems, setAktoItems] = useState({items: [] , count : 0})
 const [searchText, setSearchText] = useState('')
 const [showCustom, setShowCustom] = useState(false)
 const [showAkto, setShowAkto] = useState(false)
- const [count, setCount] = useState({"CUSTOM" : testObj.totalCustomTests, "Akto": testObj.totalAktoTests})
 const navigate = useNavigate()
@@ -84,11 +83,6 @@ const TestEditorFileExplorer = ({addCustomTest}) => {
 }
 }
- setCount({
- Akto: aktoTotal,
- CUSTOM: customTotal
- })
-
 cloneObj.totalCustomTests = customTotal
 cloneObj.totalAktoTests = aktoTotal
 return cloneObj
@@ -154,7 +148,6 @@ const TestEditorFileExplorer = ({addCustomTest}) => {
 }))
 return arr
 }
- return (
@@ -179,14 +172,14 @@ const TestEditorFileExplorer = ({addCustomTest}) => { Custom
- {count.CUSTOM.toString()}
+ {customItems.count.toString()}
{/* addCustomTest(e)}> */}
- {showCustom ? : null}
+ {showCustom ? : null}
- {showAkto ? : null}
+ {showAkto ? : null}
diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/transform.js b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/transform.js
index 5fbae5f9a7..ae455bd2ed 100644
--- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/transform.js
+++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/test_editor/transform.js
@@ -57,6 +57,7 @@ const convertFunc = {
 getNavigationItems(testObj,param,selectedFunc){
 let arr = []
+ let count = 0;
 if(param === 'CUSTOM'){
 for(const key in testObj?.customTests){
 if(testObj.customTests.hasOwnProperty(key)){
@@ -86,6 +87,7 @@ const convertFunc = {
 }
 }
 }
+ count = testObj?.totalCustomTests;
 }else{
 for(const key in testObj?.aktoTests){
 if(testObj.aktoTests.hasOwnProperty(key)){
@@ -115,8 +117,9 @@ const convertFunc = {
 }
 }
 }
+ count = testObj?.totalAktoTests;
 }
- return arr
+ return {items: arr, count: count}
 },
 mapVulnerableRequests(vulnerableRequests){
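Review bot: `count = testObj?.totalCustomTests;` and `count = testObj?.totalAktoTests;` leave count undefined when testObj is absent or the field is unset, and the consumer in TestEditorFileExplorer.jsx now renders `customItems.count.toString()`, which throws a TypeError on undefined. Defaulting at the source, `count = testObj?.totalCustomTests ?? 0;` and likewise for totalAktoTests, keeps the returned shape consistent with the `{items: [] , count : 0}` initial state the component starts from. getNavigationItems opens in the first hunk but its body runs beyond the view between hunks.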