@soulofzephir/pi-skill-pentesting 1.0.0 → 1.0.2

@@ -0,0 +1,183 @@
1
+ # CORS Security Checklist
2
+
3
+ ## ๐Ÿ” What is CORS?
4
+
5
+ Cross-Origin Resource Sharing (CORS) controls which domains can access resources from your site.
6
+
7
+ ---
8
+
9
+ ## โš ๏ธ Dangerous CORS Configurations
10
+
11
+ ### โŒ Wildcard Origin (DANGEROUS)
12
+ ```http
13
+ Access-Control-Allow-Origin: *
14
+ ```
15
+ **Risk:** Any website can access your resources
16
+
17
+ ### โŒ Multiple Origins with Null Origin
18
+ ```http
19
+ Access-Control-Allow-Origin: null
20
+ Access-Control-Allow-Credentials: true
21
+ ```
22
+ **Risk:** Can be exploited via sandboxed iframes
23
+
24
+ ### โŒ Wildcard with Credentials
25
+ ```http
26
+ Access-Control-Allow-Origin: *
27
+ Access-Control-Allow-Credentials: true
28
+ ```
29
+ **Risk:** Invalid - browsers block this, but indicates misconfiguration
30
+
31
+ ---
32
+
33
+ ## โœ… Secure CORS Configuration
34
+
35
+ ### โœ… Proper Config Example
36
+ ```http
37
+ Access-Control-Allow-Origin: https://trusted-domain.com
38
+ Access-Control-Allow-Methods: GET, POST
39
+ Access-Control-Allow-Headers: Content-Type
40
+ Access-Control-Max-Age: 86400
41
+ ```
42
+
43
+ ### โœ… Strict CSP as Backup
44
+ ```http
45
+ Content-Security-Policy: frame-ancestors 'self'
46
+ ```
47
+
48
+ ---
49
+
50
+ ## ๐Ÿงช Test Checklist
51
+
52
+ ### 1. Basic CORS Check
53
+ ```bash
54
+ # Check CORS headers
55
+ curl -I -s https://target.com | grep -iE "access-control"
56
+
57
+ # Test with Origin header
58
+ curl -I -s -H "Origin: https://evil.com" https://target.com | grep -iE "access-control"
59
+ ```
60
+
61
+ ### 2. Credential Leakage Test
62
+ ```bash
63
+ # Test if credentials are exposed with arbitrary origin
64
+ curl -I -s -H "Origin: https://evil.com" \
65
+ -H "Cookie: session=abc123" \
66
+ https://target.com
67
+ ```
68
+
69
+ ### 3. JSON Hijacking Test
70
+ ```javascript
71
+ // Test if sensitive data can be stolen
72
+ <script>
73
+ var req = new XMLHttpRequest();
74
+ req.onload = function() {
75
+ stealData(this.responseText);
76
+ };
77
+ req.open('GET', 'https://target.com/api/user/data', true);
78
+ req.withCredentials = true;
79
+ req.send();
80
+ </script>
81
+ ```
82
+
83
+ ---
84
+
85
+ ## ๐Ÿ“‹ CORS Vulnerability Checklist
86
+
87
+ - [ ] `Access-Control-Allow-Origin: *` used?
88
+ - [ ] Credentials sent with wildcard origin?
89
+ - [ ] Sensitive endpoints allow CORS?
90
+ - [ ] `null` origin allowed?
91
+ - [ ] Internal IPs allowed as origin?
92
+ - [ ] Methods/Headers too permissive?
93
+ - [ ] CORS used as sole protection (should use auth)?
94
+
95
+ ---
96
+
97
+ ## ๐Ÿ”ง Common Misconfigurations
98
+
99
+ | Misconfiguration | Risk | Fix |
100
+ |------------------|------|-----|
101
+ | `*` origin | ๐Ÿ”ด CRITICAL | Whitelist specific domains |
102
+ | `null` origin | ๐Ÿ”ด CRITICAL | Remove or restrict |
103
+ | All methods allowed | ๐ŸŸ  HIGH | Only allow needed methods |
104
+ | All headers allowed | ๐ŸŸ  HIGH | Only allow needed headers |
105
+ | Credentials with `*` | ๐Ÿ”ด CRITICAL | Never use together |
106
+ | No `Vary: Origin` | ๐ŸŸก MEDIUM | Required for dynamic origins |
107
+
108
+ ---
109
+
110
+ ## ๐Ÿšจ Attack Scenarios
111
+
112
+ ### 1. Data Theft via CORS
113
+ ```
114
+ Attacker site โ†’ CORS request to target.com โ†’ Steals user data
115
+ ```
116
+
117
+ ### 2. Credential Hijacking
118
+ ```
119
+ Attacker site โ†’ CORS with credentials โ†’ Access victim's account
120
+ ```
121
+
122
+ ### 3. JSONP Hijacking
123
+ ```
124
+ Target allows GET with * โ†’ JSONP endpoint exposed
125
+ ```
126
+
127
+ ---
128
+
129
+ ## ๐Ÿ›ก๏ธ Remediation
130
+
131
+ ### Apache
132
+ ```apache
133
+ Header set Access-Control-Allow-Origin "https://trusted.com"
134
+ Header set Access-Control-Allow-Methods "GET, POST"
135
+ Header set Access-Control-Allow-Credentials "true"
136
+ Header set Access-Control-Max-Age "86400"
137
+ ```
138
+
139
+ ### Nginx
140
+ ```nginx
141
+ add_header Access-Control-Allow-Origin "https://trusted.com" always;
142
+ add_header Access-Control-Allow-Methods "GET, POST" always;
143
+ add_header Access-Control-Allow-Credentials "true" always;
144
+ add_header Access-Control-Max-Age "86400" always;
145
+ ```
146
+
147
+ ### Node.js/Express
148
+ ```javascript
149
+ app.use((req, res, next) => {
150
+ const allowedOrigins = ['https://trusted.com'];
151
+ const origin = req.headers.origin;
152
+ if (allowedOrigins.includes(origin)) {
153
+ res.setHeader('Access-Control-Allow-Origin', origin);
154
+ res.setHeader('Access-Control-Allow-Credentials', 'true');
155
+ }
156
+ res.setHeader('Access-Control-Allow-Methods', 'GET, POST');
157
+ next();
158
+ });
159
+ ```
160
+
161
+ ---
162
+
163
+ ## ๐Ÿ“Š CORS Security Score
164
+
165
+ | Configuration | Score | Grade |
166
+ |---------------|-------|-------|
167
+ | No CORS headers | 0 | F |
168
+ | `*` without credentials | 30 | D |
169
+ | Wildcard + credentials attempt | 40 | D |
170
+ | Whitelist with credentials | 80 | B |
171
+ | Whitelist + strict CSP | 100 | A |
172
+
173
+ ---
174
+
175
+ ## ๐Ÿ› ๏ธ Tools
176
+
177
+ ```bash
178
+ # CORS Scanner
179
+ nmap --script=http-cors-headers target.com -p 443
180
+
181
+ # Manual test
182
+ # Browser DevTools > Network > Check "Origin" in request headers
183
+ ```
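
Review bot: The Express remediation middleware omits `Vary: Origin` even though the "Common Misconfigurations" table in this same file flags a missing `Vary: Origin` as required for dynamic origins; an echoed origin without it can be cached and served to a different origin. Add `res.setHeader('Vary', 'Origin');` inside the branch, and move `res.setHeader('Access-Control-Allow-Methods', 'GET, POST');` into the `if` as well, since it is currently emitted for every origin. The middleware also never answers an `OPTIONS` preflight and sets no `Access-Control-Allow-Headers`, so the `Content-Type` header shown in the "Proper Config Example" would still fail preflight. Two smaller points: the "CORS Security Score" table scores "No CORS headers" as 0/F, but a response with no CORS headers is the browser's default same-origin policy and the most restrictive state, not the least; and the "JSON Hijacking Test" block is fenced as `javascript` but contains `<script>` tags and calls an undefined `stealData`, so it should be fenced as `html` or reduced to the XHR lines. The "Strict CSP as Backup" header `frame-ancestors 'self'` governs framing (clickjacking), not cross-origin reads, so it does not back up CORS. Finally, verify the nmap script name: the script shipped with nmap is `http-cors`, not `http-cors-headers`.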
@@ -0,0 +1,311 @@
1
+ # Exposed Files & Information Disclosure Checklist
2
+
3
+ ## ๐Ÿ”ด High Risk Exposed Files
4
+
5
+ ### 1. Configuration Files
6
+
7
+ | File | Risk | What to Check |
8
+ |------|------|--------------|
9
+ | `.env` | ๐Ÿ”ด CRITICAL | Database credentials, API keys, secrets |
10
+ | `.env.local` | ๐Ÿ”ด CRITICAL | Same as .env |
11
+ | `.env.production` | ๐Ÿ”ด CRITICAL | Production secrets |
12
+ | `wp-config.php` | ๐Ÿ”ด CRITICAL | WordPress DB + auth keys |
13
+ | `config.php` | ๐Ÿ”ด CRITICAL | PHP config with DB creds |
14
+ | `settings.py` | ๐Ÿ”ด CRITICAL | Django SECRET_KEY, DB |
15
+ | `config.js` | ๐Ÿ”ด CRITICAL | Node.js config |
16
+ | `application.properties` | ๐Ÿ”ด CRITICAL | Java/Spring config |
17
+ | `application.yml` | ๐Ÿ”ด CRITICAL | YAML config |
18
+ | `web.config` | ๐ŸŸ  HIGH | IIS config |
19
+ | `.htaccess` | ๐ŸŸ  HIGH | May reveal paths, rules |
20
+ | `.htpasswd` | ๐Ÿ”ด CRITICAL | HTTP auth hashes |
21
+
22
+ **Test Payloads:**
23
+ ```
24
+ /.env
25
+ /.env
26
+ /.env.local
27
+ /.env.production
28
+ /.env.development
29
+ /.env.staging
30
+ /config.php
31
+ /settings.php
32
+ /config.js
33
+ /configuration.php
34
+ /wp-config.php
35
+ /wp-config.backup
36
+ /configuration.json
37
+ /application.properties
38
+ /application.yml
39
+ /web.config
40
+ /.htaccess
41
+ /.htpasswd
42
+ ```
43
+
44
+ ---
45
+
46
+ ### 2. Git Repository Exposure
47
+
48
+ | Path | Risk | What to Check |
49
+ |------|------|--------------|
50
+ | `/.git/` | ๐Ÿ”ด CRITICAL | Full repository exposure |
51
+ | `/.git/config` | ๐Ÿ”ด CRITICAL | Repository remote, credentials |
52
+ | `/.git/HEAD` | ๐ŸŸ  HIGH | Branch information |
53
+ | `/.git/index` | ๐Ÿ”ด CRITICAL | File list |
54
+ | `/.git/logs/` | ๐ŸŸ  HIGH | Commit history |
55
+ | `/.git/description` | ๐ŸŸก MEDIUM | Repository description |
56
+
57
+ **Test Payloads:**
58
+ ```
59
+ /.git/
60
+ /.git/config
61
+ /.git/HEAD
62
+ /.git/index
63
+ /.git/logs/HEAD
64
+ /.git/refs/heads/main
65
+ /.git/objects/
66
+ /.gitignore
67
+ /.git/COMMIT_EDITMSG
68
+ /.git/ORIG_HEAD
69
+ ```
70
+
71
+ **Automated Tools:**
72
+ ```bash
73
+ # Git Dumper
74
+ gitdumper https://target.com/.git/ /outputdir/
75
+
76
+ # GitTools
77
+ gitdumper.sh https://target.com/.git/ output/
78
+
79
+ # Manual check
80
+ curl https://target.com/.git/config
81
+ ```
82
+
83
+ ---
84
+
85
+ ### 3. Backup Files
86
+
87
+ | File Pattern | Risk | Description |
88
+ |--------------|------|-------------|
89
+ | `*.zip` | ๐Ÿ”ด CRITICAL | Compressed backups |
90
+ | `*.tar` | ๐Ÿ”ด CRITICAL | Archive backups |
91
+ | `*.tar.gz` | ๐Ÿ”ด CRITICAL | Gzip archives |
92
+ | `*.sql` | ๐Ÿ”ด CRITICAL | Database dumps |
93
+ | `*.bak` | ๐ŸŸ  HIGH | File backups |
94
+ | `*.backup` | ๐ŸŸ  HIGH | Backup copies |
95
+ | `*.old` | ๐ŸŸก MEDIUM | Old versions |
96
+ | `*.tmp` | ๐ŸŸก MEDIUM | Temp files |
97
+ | `*~` | ๐ŸŸก MEDIUM | Vim/Editor backups |
98
+ | `*.swp` | ๐ŸŸก MEDIUM | Vim swap files |
99
+
100
+ **Test Payloads:**
101
+ ```
102
+ /backup.zip
103
+ /backups.zip
104
+ /database.zip
105
+ /db.sql
106
+ /database.sql
107
+ /dump.sql
108
+ /backup.sql
109
+ /site.tar.gz
110
+ /website.tar
111
+ /www.zip
112
+ /backup.tar
113
+ /backup/
114
+ /backups/
115
+ /db/
116
+ /database/
117
+ /old/
118
+ /temp/
119
+ /tmp/
120
+ ```
121
+
122
+ ---
123
+
124
+ ### 4. Admin & Debug Panels
125
+
126
+ | Path | Risk | Description |
127
+ |------|------|-------------|
128
+ | `/admin/` | ๐ŸŸ  HIGH | Admin panel |
129
+ | `/wp-admin/` | ๐ŸŸ  HIGH | WordPress admin |
130
+ | `/administrator/` | ๐ŸŸ  HIGH | Joomla admin |
131
+ | `/phpmyadmin/` | ๐Ÿ”ด CRITICAL | Database UI |
132
+ | `/pma/` | ๐Ÿ”ด CRITICAL | phpMyAdmin alias |
133
+ | `/mysql/` | ๐Ÿ”ด CRITICAL | MySQL admin |
134
+ | `/sqlmanager/` | ๐Ÿ”ด CRITICAL | SQL management |
135
+ | `/debug/` | ๐Ÿ”ด CRITICAL | Debug mode |
136
+ | `/api/debug/` | ๐Ÿ”ด CRITICAL | API debug |
137
+ | `/console/` | ๐ŸŸ  HIGH | Debug console |
138
+ | `/debug.php` | ๐Ÿ”ด CRITICAL | Debug script |
139
+ | `/test.php` | ๐ŸŸ  HIGH | Test script |
140
+ | `/info.php` | ๐ŸŸ  HIGH | PHP info |
141
+ | `/phpinfo.php` | ๐ŸŸ  HIGH | PHP info |
142
+
143
+ **Test Payloads:**
144
+ ```
145
+ /admin/
146
+ /wp-admin/
147
+ /administrator/
148
+ /backend/
149
+ /manage/
150
+ /management/
151
+ /phpmyadmin/
152
+ /pma/
153
+ /mysql/
154
+ /sqlmanager/
155
+ /debug/
156
+ /api/debug/
157
+ /console/
158
+ /debug.php
159
+ /test.php
160
+ /info.php
161
+ /phpinfo.php
162
+ /health
163
+ /actuator
164
+ /actuator/health
165
+ /actuator/env
166
+ /actuator/info
167
+ ```
168
+
169
+ ---
170
+
171
+ ### 5. Spring Boot Actuator
172
+
173
+ | Endpoint | Risk | Information |
174
+ |----------|------|------------|
175
+ | `/actuator/` | ๐ŸŸ  HIGH | Actuator base |
176
+ | `/actuator/env` | ๐Ÿ”ด CRITICAL | Environment variables |
177
+ | `/actuator/heapdump` | ๐Ÿ”ด CRITICAL | Heap dump (credentials) |
178
+ | `/actuator/threaddump` | ๐ŸŸ  HIGH | Thread info |
179
+ | `/actuator/metrics` | ๐ŸŸ  HIGH | Application metrics |
180
+ | `/actuator/logfile` | ๐ŸŸ  HIGH | Log file access |
181
+ | `/actuator/configprops` | ๐Ÿ”ด CRITICAL | Configuration properties |
182
+
183
+ ---
184
+
185
+ ### 6. API Documentation
186
+
187
+ | Path | Risk | Information |
188
+ |------|------|-------------|
189
+ | `/swagger/` | ๐ŸŸ  HIGH | Swagger UI |
190
+ | `/swagger-ui/` | ๐ŸŸ  HIGH | Swagger documentation |
191
+ | `/swagger-ui.html` | ๐ŸŸ  HIGH | Swagger HTML |
192
+ | `/api-docs/` | ๐ŸŸ  HIGH | API documentation |
193
+ | `/v2/api-docs/` | ๐ŸŸ  HIGH | OpenAPI v2 |
194
+ | `/v3/api-docs/` | ๐ŸŸ  HIGH | OpenAPI v3 |
195
+ | `/graphiql/` | ๐ŸŸ  HIGH | GraphQL IDE |
196
+ | `/graphql` | ๐ŸŸ  HIGH | GraphQL endpoint |
197
+ | `/api/` | ๐ŸŸก MEDIUM | API base path |
198
+ | `/api/v1/` | ๐ŸŸก MEDIUM | API versioned |
199
+
200
+ ---
201
+
202
+ ### 7. Log Files
203
+
204
+ | Path | Risk | Information |
205
+ |------|------|-------------|
206
+ | `/logs/` | ๐ŸŸ  HIGH | Directory listing |
207
+ | `/error.log` | ๐ŸŸ  HIGH | Error messages |
208
+ | `/access.log` | ๐ŸŸ  HIGH | Access history |
209
+ | `/debug.log` | ๐ŸŸ  HIGH | Debug logs |
210
+ | `/console.log` | ๐ŸŸก MEDIUM | Console output |
211
+ | `/application.log` | ๐ŸŸ  HIGH | App logs |
212
+
213
+ ---
214
+
215
+ ### 8. Information Disclosure Files
216
+
217
+ | Path | Risk | Information |
218
+ |------|------|-------------|
219
+ | `/robots.txt` | ๐ŸŸก MEDIUM | Reveals hidden paths |
220
+ | `/sitemap.xml` | ๐ŸŸก MEDIUM | Site structure |
221
+ | `/security.txt` | ๐ŸŸก MEDIUM | Security contact |
222
+ | `/crossdomain.xml` | ๐ŸŸก MEDIUM | Flash policy |
223
+ | `/clientaccesspolicy.xml` | ๐ŸŸก MEDIUM | Silverlight policy |
224
+ | `/humans.txt` | ๐ŸŸก MEDIUM | Developer info |
225
+ | `/server-status` | ๐Ÿ”ด CRITICAL | Apache status |
226
+ | `/server-info` | ๐ŸŸ  HIGH | Server details |
227
+
228
+ ---
229
+
230
+ ## ๐Ÿ” Quick Test Commands
231
+
232
+ ### cURL-based Check
233
+ ```bash
234
+ #!/bin/bash
235
+ TARGET=$1
236
+ echo "Checking exposed files for: $TARGET"
237
+
238
+ PATHS=(
239
+ "/.env"
240
+ "/.git/config"
241
+ "/.git/HEAD"
242
+ "/wp-config.php"
243
+ "/config.php"
244
+ "/backup.zip"
245
+ "/database.sql"
246
+ "/admin/"
247
+ "/debug/"
248
+ "/phpmyadmin/"
249
+ "/actuator/env"
250
+ "/swagger-ui/"
251
+ )
252
+
253
+ for path in "${PATHS[@]}"; do
254
+ STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$TARGET$path")
255
+ if [ "$STATUS" != "404" ] && [ "$STATUS" != "000" ]; then
256
+ echo "โš ๏ธ FOUND: $path (HTTP $STATUS)"
257
+ fi
258
+ done
259
+ ```
260
+
261
+ ### PowerShell Check
262
+ ```powershell
263
+ $target = "https://target.com"
264
+ $paths = @(
265
+ "/.env", "/.git/config", "/.git/HEAD",
266
+ "/wp-config.php", "/config.php",
267
+ "/backup.zip", "/database.sql",
268
+ "/admin/", "/debug/", "/phpmyadmin/",
269
+ "/actuator/env", "/swagger-ui/"
270
+ )
271
+
272
+ foreach ($path in $paths) {
273
+ try {
274
+ $resp = Invoke-WebRequest -Uri "$target$path" -Method Head -TimeoutSec 5 -ErrorAction SilentlyContinue
275
+ if ($resp.StatusCode -ne 404) {
276
+ Write-Host "โš ๏ธ FOUND: $path (HTTP $($resp.StatusCode))" -ForegroundColor Yellow
277
+ }
278
+ } catch {}
279
+ }
280
+ ```
281
+
282
+ ---
283
+
284
+ ## ๐Ÿ“Š Risk Scoring
285
+
286
+ | Finding | Score | Action |
287
+ |---------|-------|--------|
288
+ | `.env` exposed | 10 | Critical - Immediate fix |
289
+ | `.git/` directory | 9 | Critical - Immediate fix |
290
+ | Database dump | 10 | Critical - Immediate fix |
291
+ | phpMyAdmin | 8 | High - Restrict access |
292
+ | Debug mode | 8 | High - Disable debug |
293
+ | Actuator env | 9 | Critical - Disable env endpoint |
294
+ | Swagger UI | 5 | Medium - Add auth |
295
+ | Log files | 6 | Medium - Restrict access |
296
+ | robots.txt | 2 | Low - Informational |
297
+
298
+ ---
299
+
300
+ ## ๐Ÿ›ก๏ธ Remediation Checklist
301
+
302
+ - [ ] Block `.env` access in web server config
303
+ - [ ] Block `.git/` directory listing
304
+ - [ ] Remove backup files from web root
305
+ - [ ] Protect admin panels with IP restriction
306
+ - [ ] Disable debug mode in production
307
+ - [ ] Secure Spring Boot actuator endpoints
308
+ - [ ] Add authentication to API documentation
309
+ - [ ] Disable directory listing
310
+ - [ ] Remove test/debug files
311
+ - [ ] Configure security headers
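
Review bot: Both quick-test scripts report false positives because they only exclude 404. In the bash loop, `if [ "$STATUS" != "404" ] && [ "$STATUS" != "000" ]; then` treats 301, 302, 403 and 405 as FOUND, and any site with a catch-all 200 page flags every path; request a random non-existent path first to learn the baseline status and compare against that, and add `--max-time 5` to the `curl` call so a hanging host does not stall the loop. In the PowerShell version, `-ErrorAction SilentlyContinue` leaves `$resp` as `$null` when the request fails, and `if ($resp.StatusCode -ne 404) {` then evaluates `$null -ne 404` as true, printing `FOUND: ... (HTTP )` for the failures; guard with `if ($resp -and $resp.StatusCode -ne 404)`. Using `-Method Head` also yields 405 on servers that reject HEAD, which the script would report as a finding. Minor: the Configuration Files payload list contains `/.env` twice, and the remediation item "Block `.git/` directory listing" should block the whole `/.git/` path, since `/.git/config` and `/.git/index` (marked CRITICAL in the table above) are fetched directly and do not depend on directory listing.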