@voidagency/web-scanner 0.0.1

package/dist/types.d.ts

@@ -0,0 +1,172 @@
+/**
+ * VoidSec Scanner - Core Types
+ * Based on actual tool output fields
+ */
+export type Severity = 'critical' | 'high' | 'medium' | 'low' | 'info';
+export type ToolSource = 'nuclei' | 'testssl' | 'trivy' | 'katana' | 'nvd' | 'zap';
+/**
+ * Unified finding from any scanning tool
+ */
+export interface Finding {
+    id: string;
+    title: string;
+    description: string;
+    severity: Severity;
+    source: ToolSource;
+    target: string;
+    affectedUrls?: string[];
+    cveTable?: CveTableEntry[];
+    cve?: string;
+    cwe?: string;
+    cvss?: string;
+    templateId?: string;
+    tags?: string[];
+    matcher?: string;
+    extracted?: string[];
+    request?: string;
+    response?: string;
+    curl?: string;
+    packageName?: string;
+    installedVersion?: string;
+    fixedVersion?: string;
+    references?: string[];
+}
+/**
+ * Technology detection entry
+ */
+export interface TechDetection {
+    host: string;
+    technologies: string[];
+}
+/**
+ * Severity counts for summary
+ */
+export interface SeverityCounts {
+    critical: number;
+    high: number;
+    medium: number;
+    low: number;
+    info: number;
+}
+/**
+ * Scan profile configuration
+ */
+export type ScanProfile = 'quick' | 'standard' | 'deep';
+/**
+ * Test coverage result for a category
+ */
+export interface TestCoverageItem {
+    name: string;
+    description: string;
+    tested: boolean;
+    status: 'pass' | 'fail' | 'info' | 'untested';
+    count: number;
+}
+/**
+ * Passed security check item
+ */
+export interface PassedCheckItem {
+    name: string;
+    description: string;
+}
+/**
+ * CVE table entry for consolidated version-based findings
+ */
+export interface CveTableEntry {
+    cve: string;
+    cvss?: string;
+    severity: Severity;
+    summary: string;
+    references?: string[];
+}
+/**
+ * Complete scan report
+ */
+export interface Report {
+    target: string;
+    scanDate: string;
+    duration: string;
+    profile: ScanProfile;
+    summary: SeverityCounts;
+    totalFindings: number;
+    technologies: TechDetection[];
+    findings: Finding[];
+    coverage?: TestCoverageItem[];
+    passedChecks?: PassedCheckItem[];
+}
+/**
+ * Nuclei JSONL output structure
+ */
+export interface NucleiOutput {
+    'template-id': string;
+    'template-path'?: string;
+    info: {
+        name: string;
+        description?: string;
+        severity: string;
+        tags?: string[];
+        reference?: string[];
+        classification?: {
+            'cve-id'?: string[];
+            'cwe-id'?: string[];
+            'cvss-metrics'?: string;
+            'cvss-score'?: number;
+        };
+    };
+    'matcher-name'?: string;
+    'matched-at': string;
+    'extracted-results'?: string[];
+    host?: string;
+    request?: string;
+    response?: string;
+    'curl-command'?: string;
+    timestamp?: string;
+}
+/**
+ * testssl.sh JSON output structure
+ */
+export interface TestsslOutput {
+    id: string;
+    ip: string;
+    port: string;
+    severity: string;
+    cve?: string;
+    cwe?: string;
+    finding: string;
+}
+/**
+ * Trivy JSON output structure (simplified)
+ */
+export interface TrivyVulnerability {
+    VulnerabilityID: string;
+    PkgName: string;
+    InstalledVersion: string;
+    FixedVersion?: string;
+    Severity: string;
+    Title?: string;
+    Description?: string;
+    References?: string[];
+    CVSS?: {
+        nvd?: {
+            V3Score?: number;
+            V3Vector?: string;
+        };
+    };
+}
+export interface TrivyOutput {
+    Results?: Array<{
+        Target: string;
+        Vulnerabilities?: TrivyVulnerability[];
+    }>;
+}
+/**
+ * Scan options passed to runners
+ */
+export interface ScanOptions {
+    target: string;
+    profile: ScanProfile;
+    outputDir?: string;
+    rateLimit?: number;
+    timeout?: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAGvE,MAAM,MAAM,UAAU,GAAG,QAAQ,GAAG,SAAS,GAAG,OAAO,GAAG,QAAQ,GAAG,KAAK,GAAG,KAAK,CAAC;AAEnF;;GAEG;AACH,MAAM,WAAW,OAAO;IAEtB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,QAAQ,CAAC;IACnB,MAAM,EAAE,UAAU,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IAGf,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IAGxB,QAAQ,CAAC,EAAE,aAAa,EAAE,CAAC;IAG3B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IAGd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IAGd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IAGtB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,MAAM,WAAW,GAAG,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;AAExD;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,UAAU,CAAC;IAC9C,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,QAAQ,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,MAAM;IAErB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,WAAW,CAAC;IAGrB,OAAO,EAAE,cAAc,CAAC;IACxB,aAAa,EAAE,MAAM,CAAC;IAGtB,YAAY,EAAE,aAAa,EAAE,CAAC;IAC9B,QAAQ,EAAE,OAAO,EAAE,CAAC;IAGpB,QAAQ,CAAC,EAAE,gBAAgB,EAAE,CAAC;IAG9B,YAAY,CAAC,EAAE,eAAe,EAAE,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,IAAI,EAAE;QACJ,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;QACrB,cAAc,CAAC,EAAE;YACf,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;YACpB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;YACpB,cAAc,CAAC,EAAE,MAAM,CAAC;YACxB,YAAY,CAAC,EAAE,MAAM,CAAC;SACvB,CAAC;KACH,CAAC;IACF,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,EAAE,MAAM,CAAC;IACrB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,EAAE,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,IAAI,CAAC,EAAE;QACL,GAAG,CAAC,EAAE;YACJ,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;SACnB,CAAC;KACH,CAAC;CACH;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,KAAK,CAAC;QACd,MAAM,EAAE,MAAM,CAAC;QACf,eAAe,CAAC,EAAE,kBAAkB,EAAE,CAAC;KACxC,CAAC,CAAC;CACJ;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,WAAW,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB"}

package/dist/types.js

@@ -0,0 +1,6 @@
+/**
+ * VoidSec Scanner - Core Types
+ * Based on actual tool output fields
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/package.json

@@ -0,0 +1,54 @@
+{
+  "name": "@voidagency/web-scanner",
+  "version": "0.0.1",
+  "description": "Security scanning CLI orchestrating ZAP, Nuclei, and testssl.sh",
+  "type": "module",
+  "main": "./dist/cli.js",
+  "bin": {
+    "voidsec": "./dist/cli.js"
+  },
+  "files": [
+    "dist",
+    "templates",
+    "zap.yaml",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx src/cli.ts",
+    "start": "node dist/cli.js",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "security",
+    "scanner",
+    "vulnerability",
+    "pentest",
+    "zap",
+    "nuclei",
+    "testssl",
+    "cve",
+    "security-audit"
+  ],
+  "author": "",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": ""
+  },
+  "dependencies": {
+    "commander": "^12.1.0",
+    "execa": "^9.3.0",
+    "handlebars": "^4.7.8",
+    "glob": "^11.0.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.5.0",
+    "@types/node": "^22.0.0",
+    "tsx": "^4.16.0"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  }
+}
+

package/templates/drupal-api-index-exposed.yaml

@@ -0,0 +1,81 @@
+id: drupal-api-index-exposed
+
+info:
+  name: Drupal JSON:API Index Exposed
+  author: voidsec
+  severity: high
+  description: |
+    The Drupal JSON:API index is publicly accessible without authentication.
+    This exposes the entire API structure including endpoints for users, nodes,
+    files, webform submissions, and other sensitive resources.
+    Attackers can use this to map the application and access sensitive data.
+  remediation: |
+    Restrict JSON:API access using authentication or disable public access.
+    In settings.php or via contrib module like 'jsonapi_extras'.
+  reference:
+    - https://www.drupal.org/project/drupal/issues/3240913
+    - https://www.drupal.org/docs/core-modules-and-themes/core-modules/jsonapi-module/security-considerations
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cwe-id: CWE-200
+  metadata:
+    verified: true
+    max-request: 4
+    vendor: drupal
+    product: drupal
+  tags: drupal,exposure,api,jsonapi,misconfig,high
+
+http:
+  - method: GET
+    path:
+      # With language prefix
+      - "{{BaseURL}}/fr/api"
+      - "{{BaseURL}}/en/api"
+      - "{{BaseURL}}/ar/api"
+      # Without language prefix
+      - "{{BaseURL}}/api"
+      # Standard jsonapi prefix
+      - "{{BaseURL}}/jsonapi"
+      - "{{BaseURL}}/fr/jsonapi"
+
+    stop-at-first-match: true
+
+    matchers-condition: and
+    matchers:
+      # Must be JSON:API response with links (index)
+      - type: word
+        part: body
+        words:
+          - '"jsonapi"'
+          - '"links"'
+        condition: and
+
+      # Must expose sensitive endpoints (not just 403)
+      - type: word
+        part: body
+        words:
+          - 'user--user'
+          - 'node--'
+          - 'file--'
+        condition: or
+
+      # Must NOT be an error response
+      - type: word
+        part: body
+        words:
+          - '"errors"'
+        negative: true
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      # Extract exposed resource types
+      - type: regex
+        name: exposed_endpoints
+        group: 1
+        regex:
+          - '"([a-z_]+--[a-z_]+)":\{"href"'
+

package/templates/drupal-api-user-detail.yaml

@@ -0,0 +1,76 @@
+id: drupal-api-user-detail-exposure
+
+info:
+  name: Drupal JSON:API User Details Exposed
+  author: voidsec
+  severity: medium
+  description: |
+    Individual Drupal user records expose sensitive attributes via JSON:API.
+    This can leak usernames, email patterns, and account information.
+  remediation: |
+    Configure JSON:API permissions to restrict user field access.
+    Use jsonapi_extras module to hide sensitive fields.
+  reference:
+    - https://www.drupal.org/project/drupal/issues/3240913
+    - https://www.drupal.org/docs/core-modules-and-themes/core-modules/jsonapi-module/security-considerations
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cwe-id: CWE-200
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: drupal
+    product: drupal
+  tags: drupal,exposure,api,jsonapi,user,pii
+
+# Usage: nuclei -t drupal-api-user-detail.yaml -u URL -var user_url=<full_user_url>
+# The 'user_url' variable should be passed from the scanner after extracting from API response
+
+http:
+  - method: GET
+    path:
+      - "{{user_url}}"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - '"jsonapi"'
+          - '"attributes"'
+        condition: and
+
+      # Check for sensitive attributes being exposed
+      - type: word
+        part: body
+        words:
+          - '"display_name"'
+          - '"mail"'
+          - '"name"'
+          - '"created"'
+          - '"changed"'
+          - '"access"'
+          - '"login"'
+        condition: or
+
+    extractors:
+      - type: json
+        name: display_name
+        json:
+          - '.data.attributes.display_name'
+      
+      - type: json
+        name: username
+        json:
+          - '.data.attributes.name'
+      
+      - type: json
+        name: email
+        json:
+          - '.data.attributes.mail'
+

package/templates/drupal-api-user-listing.yaml

@@ -0,0 +1,59 @@
+id: drupal-api-user-listing
+
+info:
+  name: Drupal API Username Listing - Detect
+  author: voidsec,lixts
+  severity: medium
+  description: |
+    Drupal API username listing was detected. This exposes user display names 
+    which could be used for targeted attacks or enumeration.
+  reference:
+    - https://www.drupal.org/project/drupal/issues/3240913
+    - https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/refs/heads/main/http/exposures/apis/drupal-jsonapi-user-listing.yaml
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cwe-id: CWE-200
+  metadata:
+    verified: true
+    max-request: 2
+    vendor: drupal
+    product: drupal
+  tags: drupal,exposure,discovery,api,user-enum
+
+http:
+  - method: GET
+    path:
+      # Custom /api/ prefix (common in decoupled Drupal)
+      - "{{BaseURL}}/api/user/user"
+      # Standard JSON:API prefix
+      - "{{BaseURL}}/jsonapi/user/user"
+
+    stop-at-first-match: true
+    
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - '"display_name"\s*:\s*"[^"]+"'
+          - '"name"\s*:\s*"[^"]+"'
+        condition: or
+
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "application/json"
+          - "application/vnd.api+json"
+        condition: or
+
+    extractors:
+      - type: json
+        name: usernames
+        json:
+          - '.data[].attributes.display_name'
+          - '.data[].attributes.name'
+

package/templates/drupal-dev-files-exposed.yaml

@@ -0,0 +1,73 @@
+id: drupal-dev-files-exposed
+
+info:
+  name: Drupal Development Files Exposed
+  author: voidsec
+  severity: low
+  description: |
+    Development and configuration files are publicly accessible.
+    These files can reveal project structure, dependencies, and 
+    configuration that aids attackers in reconnaissance.
+  remediation: |
+    Block access to development files in web server configuration.
+    Add to nginx: location ~* \.(lock|properties)$ { deny all; }
+  reference:
+    - https://www.drupal.org/docs/security-in-drupal
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cwe-id: CWE-538
+  metadata:
+    verified: true
+    max-request: 8
+    vendor: drupal
+    product: drupal
+  tags: drupal,exposure,config,devfiles,misconfig
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/cghooks.lock"
+      - "{{BaseURL}}/sonar-project.properties"
+      - "{{BaseURL}}/core/yarn.lock"
+      - "{{BaseURL}}/yarn.lock"
+      - "{{BaseURL}}/package-lock.json"
+      - "{{BaseURL}}/composer.lock"
+      - "{{BaseURL}}/.gitlab-ci.yml"
+      - "{{BaseURL}}/.github/workflows/main.yml"
+
+    stop-at-first-match: false
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      # Content indicators for each file type
+      - type: word
+        part: body
+        words:
+          - '"pre-commit"'           # cghooks.lock
+          - 'sonar.projectKey'       # sonar-project.properties
+          - '# yarn lockfile'        # yarn.lock
+          - '"lockfileVersion"'      # package-lock.json
+          - '"_readme"'              # composer.lock
+          - 'stages:'                # gitlab-ci
+          - 'runs-on:'               # github actions
+        condition: or
+
+    extractors:
+      # Extract project identifiers (NOT all package names)
+      - type: regex
+        name: sonar_project
+        regex:
+          - 'sonar\.projectKey=([^\s]+)'
+          - 'sonar\.projectName=([^\s]+)'
+      
+      # For composer.lock - just confirm it's a Drupal project
+      - type: regex
+        name: drupal_version
+        regex:
+          - '"drupal/core":\s*\{\s*"version":\s*"([^"]+)"'
+

package/templates/drupal-file-path-disclosure.yaml

@@ -0,0 +1,59 @@
+id: drupal-file-path-disclosure
+
+info:
+  name: Drupal File Path Disclosure in 403 Response
+  author: voidsec
+  severity: medium
+  description: |
+    The /file/{id}/download endpoint returns 403 Access Denied but leaks 
+    the actual filename in the error message (e.g., "Access to file 
+    public://2023-02/document.pdf denied"). An attacker can use this to 
+    discover file paths and access them directly via /sites/default/files/.
+  remediation: |
+    Customize error messages to not include file paths.
+    Use hook_file_download() to return generic access denied messages.
+  reference:
+    - https://www.drupal.org/docs/security-in-drupal/writing-secure-code-for-drupal
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cwe-id: CWE-200
+  metadata:
+    verified: true
+    max-request: 6
+    vendor: drupal
+    product: drupal
+  tags: drupal,exposure,file,path-disclosure,info-leak
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/file/1/download"
+      - "{{BaseURL}}/fr/file/1/download"
+      - "{{BaseURL}}/en/file/1/download"
+      - "{{BaseURL}}/ar/file/1/download"
+      - "{{BaseURL}}/file/2/download"
+      - "{{BaseURL}}/fr/file/2/download"
+
+    stop-at-first-match: true
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 403
+
+      - type: word
+        part: body
+        words:
+          - "public://"
+          - "Access to file"
+        condition: and
+
+    extractors:
+      - type: regex
+        name: disclosed_path
+        group: 1
+        regex:
+          - 'public://([^\s"<>]+)'
+

package/templates/drupal-files-listing.yaml

@@ -0,0 +1,63 @@
+id: drupal-files-listing
+
+info:
+  name: Drupal Files Directory Listing
+  author: voidsec
+  severity: medium
+  description: |
+    The Drupal /sites/default/files/ directory has listing enabled or is 
+    directly accessible. This can expose uploaded files, private documents,
+    and potentially sensitive information.
+  remediation: |
+    Disable directory listing in web server configuration.
+    For Nginx: autoindex off;
+    For Apache: Options -Indexes
+  reference:
+    - https://www.drupal.org/docs/security-in-drupal/writing-secure-code-for-drupal
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cwe-id: CWE-548
+  metadata:
+    verified: true
+    max-request: 6
+    vendor: drupal
+    product: drupal
+  tags: drupal,exposure,listing,files,misconfig
+
+http:
+  - method: GET
+    path:
+      # Standard Drupal files path
+      - "{{BaseURL}}/sites/default/files/"
+      # With language prefix
+      - "{{BaseURL}}/fr/sites/default/files/"
+      - "{{BaseURL}}/en/sites/default/files/"
+      # Alternative paths
+      - "{{BaseURL}}/files/"
+      - "{{BaseURL}}/sites/files/"
+
+    stop-at-first-match: true
+
+    matchers-condition: and
+    matchers:
+      # Directory listing indicators
+      - type: word
+        part: body
+        words:
+          - "Index of"
+          - "Directory listing"
+          - "<title>Index of"
+          - "Parent Directory"
+        condition: or
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        name: files_found
+        regex:
+          - 'href="([^"]+\.(pdf|doc|docx|xls|xlsx|zip|sql|bak|txt|log))"'
+