@voidagency/web-scanner 0.0.7 → 0.0.8

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "@voidagency/web-scanner",
-  "version": "0.0.7",
+  "version": "0.0.8",
   "description": "Security scanning CLI with authentication support - orchestrating ZAP, Nuclei, and testssl.sh",
   "type": "module",
   "main": "./dist/cli.js",
   "bin": {
-    "voidsec": "./dist/cli.js"
+    "voidsec": "dist/cli.js"
   },
   "files": [
     "dist",

package/templates/drupal-api-unpublished-document-exposed.yaml

@@ -0,0 +1,84 @@
+id: drupal-api-unpublished-document-exposed
+
+info:
+  name: Drupal JSON:API Unpublished Documents Exposed
+  author: voidsec
+  severity: high
+  description: |
+    Unauthenticated JSON:API access to unpublished file--document entities was detected.
+    Anonymous users can list draft files via ?filter[status]=0, exposing filenames and URIs.
+    This typically indicates the Anonymous role has "Bypass file access controls" or overly
+    broad view permissions on file entities — not merely a filter misconfiguration.
+    A secure site returns data:[] with omitted access-denied entries while meta.count > 0.
+  remediation: |
+    Remove "Bypass file access controls" from the Anonymous role.
+    Restrict view permissions on file--document and related entity types.
+    Review JSON:API / jsonapi_extras exposure settings.
+  reference:
+    - https://www.drupal.org/docs/8/modules/json-api/filtering#filters-access-control
+    - https://www.drupal.org/docs/core-modules-and-themes/core-modules/jsonapi-module/security-considerations
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cwe-id: CWE-200
+  metadata:
+    verified: true
+    max-request: 2
+    vendor: drupal
+    product: drupal
+  tags: drupal,exposure,api,jsonapi,file,draft,misconfig,high
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/api/file/document?filter[status]=0"
+      - "{{BaseURL}}/jsonapi/file/document?filter[status]=0"
+
+    stop-at-first-match: true
+
+    headers:
+      Accept: application/vnd.api+json
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "application/json"
+          - "application/vnd.api+json"
+        condition: or
+
+      - type: regex
+        part: body
+        regex:
+          - '"data"\s*:\s*\[\s*\{'
+
+      - type: word
+        part: body
+        words:
+          - '"file--document"'
+          - '"status":false'
+        condition: and
+
+      - type: word
+        part: body
+        words:
+          - '"errors"'
+          - '"data":[]'
+        negative: true
+        condition: or
+
+    extractors:
+      - type: json
+        name: draft_filenames
+        json:
+          - '.data[].attributes.filename'
+
+      - type: json
+        name: draft_uris
+        json:
+          - '.data[].attributes.uri.url'

package/zap.yaml

@@ -1,34 +0,0 @@
-env:
-  contexts:
-  - excludePaths: []
-    name: baseline
-    urls:
-    - https://backend-agr.leserveurdetest.com/fr
-    - https://backend-agr.leserveurdetest.com/
-  parameters:
-    failOnError: true
-    progressToStdout: false
-jobs:
-- parameters:
-    enableTags: false
-    maxAlertsPerRule: 10
-  type: passiveScan-config
-- parameters:
-    maxDuration: 1
-    url: https://backend-agr.leserveurdetest.com/
-  type: spider
-- parameters:
-    maxDuration: 0
-  type: passiveScan-wait
-- parameters:
-    format: Long
-    summaryFile: /home/zap/zap_out.json
-  rules: []
-  type: outputSummary
-- parameters:
-    reportDescription: ''
-    reportDir: /zap/wrk/
-    reportFile: zap-report.json
-    reportTitle: ZAP Scanning Report
-    template: traditional-json
-  type: report