@voidagency/web-scanner 0.0.1

package/templates/drupal-install-error-disclosure.yaml

@@ -0,0 +1,62 @@
+id: drupal-install-error-disclosure
+
+info:
+  name: Drupal Install Error Information Disclosure
+  author: voidsec
+  severity: medium
+  description: |
+    The Drupal install.php endpoint is accessible and returns error messages
+    with sensitive information including stack traces, internal paths,
+    and service configuration details.
+  remediation: |
+    Remove or restrict access to install.php after installation.
+    Configure error display to be disabled in production.
+  reference:
+    - https://www.drupal.org/docs/security-in-drupal
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cwe-id: CWE-200
+  metadata:
+    verified: true
+    max-request: 2
+    vendor: drupal
+    product: drupal
+  tags: drupal,exposure,install,debug,misconfig
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/core/install.php"
+      - "{{BaseURL}}/install.php"
+
+    stop-at-first-match: true
+
+    matchers-condition: and
+    matchers:
+      # Error disclosure indicators
+      - type: word
+        part: body
+        words:
+          - "uncaught exception"
+          - "backtrace"
+          - "Symfony\\Component"
+          - "DrupalKernel"
+        condition: or
+
+      # Path disclosure
+      - type: regex
+        part: body
+        regex:
+          - '/var/www/|/home/|vendor/symfony|\.php\)'
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        name: internal_paths
+        regex:
+          - '(/var/www/[^\s<]+|/home/[^\s<]+)'
+

package/templates/drupal-theme-lockfiles.yaml

@@ -0,0 +1,79 @@
+id: drupal-theme-lockfiles
+
+info:
+  name: Drupal Theme Lock Files Exposed
+  author: voidsec
+  severity: low
+  description: |
+    Drupal theme directory exposes package manager lock files (yarn.lock, 
+    package-lock.json, package.json). These reveal all frontend dependencies
+    with exact versions, which can be used to identify vulnerable packages.
+  remediation: |
+    Block access to lock files in web server configuration.
+    Nginx: location ~* (yarn\.lock|package-lock\.json|package\.json)$ { deny all; }
+  reference:
+    - https://www.drupal.org/docs/security-in-drupal
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cwe-id: CWE-538
+  metadata:
+    verified: true
+    max-request: 6
+    vendor: drupal
+    product: drupal
+  tags: drupal,exposure,config,theme,npm,yarn,misconfig
+
+# Usage: nuclei -t drupal-theme-lockfiles.yaml -u URL -var theme=mytheme
+# The 'theme' variable should be passed from the scanner after extracting from HTML
+
+http:
+  - method: GET
+    path:
+      # Theme paths - {{theme}} is passed via -var theme=xxx
+      - "{{BaseURL}}/themes/{{theme}}/package.json"
+      - "{{BaseURL}}/themes/{{theme}}/yarn.lock"
+      - "{{BaseURL}}/themes/{{theme}}/package-lock.json"
+      - "{{BaseURL}}/themes/custom/{{theme}}/package.json"
+      - "{{BaseURL}}/themes/custom/{{theme}}/yarn.lock"
+      - "{{BaseURL}}/themes/custom/{{theme}}/package-lock.json"
+
+    stop-at-first-match: false
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - '"name":'                    # package.json
+          - '"devDependencies":'         # package.json  
+          - '"dependencies":'            # package.json
+          - '# yarn lockfile'            # yarn.lock
+          - '"lockfileVersion":'         # package-lock.json
+        condition: or
+
+      # Must be JSON or lockfile, not HTML error page
+      - type: word
+        part: header
+        words:
+          - 'application/json'
+          - 'application/octet-stream'
+          - 'text/plain'
+        condition: or
+
+    extractors:
+      - type: regex
+        name: package_name
+        group: 1
+        regex:
+          - '"name":\s*"([^"]+)"'
+      
+      - type: regex
+        name: author
+        group: 1
+        regex:
+          - '"author":\s*"([^"]+)"'

package/templates/drupal-version-detect.yaml

@@ -0,0 +1,89 @@
+id: drupal-version-detect
+
+info:
+  name: Drupal Version - Detect
+  author: voidsec,1nf1n7y,pathtaga
+  severity: info
+  description: Detects Drupal installation and extracts version from multiple sources
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+    cwe-id: CWE-200
+    cpe: cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 4
+    vendor: drupal
+    product: drupal
+    shodan-query:
+      - http.component:"drupal"
+      - cpe:"cpe:2.3:a:drupal:drupal"
+  tags: tech,drupal,version,discovery
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+      - "{{BaseURL}}/fr"
+      - "{{BaseURL}}/en"
+      - "{{BaseURL}}/CHANGELOG.txt"
+      - "{{BaseURL}}/core/install.php"
+      - "{{BaseURL}}/user/login"
+
+    redirects: true
+    max-redirects: 3
+    stop-at-first-match: true
+    matchers-condition: or
+    matchers:
+      # Match Drupal script tags with version
+      - type: regex
+        part: body
+        regex:
+          - '/core/misc/drupal\.js\?v='
+          - '/core/misc/drupalSettingsLoader\.js\?v='
+        condition: or
+
+      # Original matchers from nuclei-templates
+      - type: word
+        part: body
+        words:
+          - 'Initial release'
+          - 'Drupal 1.0.0'
+        condition: and
+
+      - type: word
+        part: body
+        words:
+          - 'content="Drupal'
+
+      - type: regex
+        part: header
+        regex:
+          - '(?i)x-drupal'
+          - '(?i)x-generator: drupal'
+        condition: or
+
+    extractors:
+      # Extract version from script tags (most reliable for modern Drupal)
+      - type: regex
+        part: body
+        name: version_from_scripts
+        group: 1
+        regex:
+          - '/core/misc/drupal(?:SettingsLoader)?\.js\?v=([0-9]+\.[0-9]+\.[0-9]+)'
+
+      # Extract version from install.php
+      - type: regex
+        part: body
+        name: version_from_install
+        group: 1
+        regex:
+          - 'class="site-version">([0-9.x-]+)'
+
+      # Extract version from CHANGELOG.txt (Drupal 7 and older)
+      - type: regex
+        part: body
+        name: version_from_changelog
+        group: 1
+        regex:
+          - 'Drupal ([0-9]+\.[0-9]+)'
+

package/templates/http-options-enabled.yaml

@@ -0,0 +1,56 @@
+id: http-options-enabled
+
+info:
+  name: HTTP OPTIONS Method Enabled
+  author: voidsec
+  severity: low
+  description: |
+    The HTTP OPTIONS method is enabled on this server. While not directly exploitable,
+    it reveals information about available HTTP methods which can aid in reconnaissance.
+    Some methods (like TRACE, PUT, DELETE) could be dangerous if enabled.
+  remediation: |
+    Disable the OPTIONS method in your web server configuration if not required.
+    
+    Nginx: Add to server block:
+      if ($request_method = OPTIONS) { return 405; }
+    
+    Apache: Use mod_rewrite or LimitExcept directive.
+  reference:
+    - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods
+    - https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cwe-id: CWE-16
+  metadata:
+    verified: true
+    max-request: 1
+  tags: misconfig,http,options,headers,generic
+
+http:
+  - method: OPTIONS
+    path:
+      - "{{BaseURL}}"
+      - "{{BaseURL}}/"
+
+    stop-at-first-match: true
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+          - 204
+
+      - type: word
+        part: header
+        words:
+          - "Allow:"
+        case-insensitive: true
+
+    extractors:
+      - type: kval
+        name: allowed_methods
+        kval:
+          - allow
+

package/templates/nextjs-version-detect.yaml

@@ -0,0 +1,35 @@
+id: nextjs-version-detect
+
+info:
+  name: Next.js Version - Detect
+  author: voidsec
+  severity: info
+  description: |
+    Detects Next.js framework and extracts the version number from the browser's
+    window.next.version property. Requires headless browser execution.
+  tags: tech,nextjs,headless
+
+headless:
+  - steps:
+      - action: navigate
+        args:
+          url: "{{BaseURL}}"
+      - action: waitload
+      - action: script
+        args:
+          code: () => window.next?.version
+        name: version
+
+    matchers:
+      - type: regex
+        part: version
+        regex:
+          - '\d+\.\d+\.\d+'
+
+    extractors:
+      - type: regex
+        name: nextjs_version
+        part: version
+        regex:
+          - '\d+\.\d+\.\d+'
+

package/templates/php-version-detect.yaml

@@ -0,0 +1,37 @@
+id: php-version-detect
+
+info:
+  name: PHP Version - Detect
+  author: voidsec
+  severity: info
+  description: Detects PHP version from headers and responses
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
+    cwe-id: CWE-200
+    cpe: cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    vendor: php
+    product: php
+  tags: tech,php,version,discovery
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?i)x-powered-by:\s*PHP'
+
+    extractors:
+      # Extract PHP version from X-Powered-By header
+      - type: regex
+        part: header
+        name: php_version
+        group: 1
+        regex:
+          - '(?i)x-powered-by:\s*PHP/([0-9]+\.[0-9]+\.[0-9]+)'
+

package/zap.yaml

@@ -0,0 +1,33 @@
+env:
+  contexts:
+  - excludePaths: []
+    name: baseline
+    urls:
+    - https://chaabilldocaz.ma/
+  parameters:
+    failOnError: true
+    progressToStdout: false
+jobs:
+- parameters:
+    enableTags: false
+    maxAlertsPerRule: 10
+  type: passiveScan-config
+- parameters:
+    maxDuration: 1
+    url: https://chaabilldocaz.ma/
+  type: spider
+- parameters:
+    maxDuration: 0
+  type: passiveScan-wait
+- parameters:
+    format: Long
+    summaryFile: /home/zap/zap_out.json
+  rules: []
+  type: outputSummary
+- parameters:
+    reportDescription: ''
+    reportDir: /zap/wrk/
+    reportFile: zap-report.json
+    reportTitle: ZAP Scanning Report
+    template: traditional-json
+  type: report