removed audit templates

Prince Chaddha
2025-04-12 18:41:15 +05:30
parent 4ab70fe769
commit 4f8bdce56c
27 changed files with 0 additions and 1464 deletions


@@ -1,57 +0,0 @@
id: mongodb-audit-log-disabled
info:
name: MongoDB Audit Logging Disabled
author: pussycat0x
severity: high
description: |
Ensures MongoDB audit logging is enabled.
remediation: |
Set 'auditLog.destination: file' and specify 'path' in /etc/mongod.conf.
reference:
- https://wiki.devsecopsguides.com/docs/checklists/mongodb/
- https://www.mongodb.com/docs/manual/tutorial/configure-audit-filters/
metadata:
verified: true
tags: mongodb,audit,ssh,auth,hardening
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const MongoConfig = c.Run(Code)
MongoConfig
let result = "";
if (MongoConfig.includes("storage") && MongoConfig.includes("operationProfiling") && MongoConfig.includes("#auditLog:")) {
result += "MongoDB Audit Log Disabled";
} else {
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
Code: cat {{path}}
payloads:
path:
- /etc/mongod.conf
- /usr/local/etc/mongod.conf
- /opt/homebrew/etc/mongod.conf
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a0047304502200c409317ef4f20bd0f95e4f918e9418223c4243124462484ad14db605fda9a7b022100889f260f7597bb9e2f97f1eca0952a7cdc12e7c8b358e13fbc487eb8126bce86:922c64590222798bb761d5b6d8e72950


@@ -1,55 +0,0 @@
id: mongodb-auth-disabled
info:
name: MongoDB Authentication Disabled
author: pussycat0x
severity: high
description: |
Detects if MongoDB authentication is disabled or missing in mongod.conf.
If 'authorization: enabled' is missing under 'security:', authentication is not enforced.
reference:
- https://wiki.devsecopsguides.com/docs/checklists/mongodb/
metadata:
verified: true
tags: mongodb,audit,ssh,auth,hardening
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const MongoConfig = c.Run(Code)
MongoConfig
let result = "";
if (MongoConfig.includes("storage") && MongoConfig.includes("operationProfiling") && MongoConfig.includes("#security") && !MongoConfig.includes("authorization: enabled")) {
result += "MongoDB Auth Disabled";
} else {
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
Code: cat {{path}}
payloads:
path:
- /etc/mongod.conf
- /usr/local/etc/mongod.conf
- /opt/homebrew/etc/mongod.conf
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a004730450221008185a9e90eb7e1e9bbd42dfef4078aced5cf8967e0312817328688982f9ff527022051079da7a4bc86a726de720394ee9c99a717b3f3f4efb9bd654832217b5a963e:922c64590222798bb761d5b6d8e72950


@@ -1,57 +0,0 @@
id: mongodb-http-interface-enabled
info:
name: MongoDB HTTP Interface Enabled
author: pussycat0x
severity: high
description: |
Checks if the MongoDB HTTP interface is enabled in /etc/mongod.conf.
remediation: |
Set 'http.enabled: false' in /etc/mongod.conf and restart MongoDB.
reference:
- https://wiki.devsecopsguides.com/docs/checklists/mongodb/
- https://www.mongodb.com/docs/manual/reference/configuration-options/
metadata:
verified: true
tags: mongodb,config,file,audit,ssh,auth,hardening
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const MongoConfig = c.Run(Code)
MongoConfig
let result = "";
if (MongoConfig.includes("storage") && MongoConfig.includes("operationProfiling") && MongoConfig.includes("http:") && MongoConfig.includes("enabled: true")) {
result += "MongoDB HTTP Interface Enabled";
} else {
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
Code: cat {{path}}
payloads:
path:
- /etc/mongod.conf
- /usr/local/etc/mongod.conf
- /opt/homebrew/etc/mongod.conf
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 490a00463044022051a6ac33d0867419d947cad61ed77488f483d432d77ba1de1c3d09e9ca39f789022014ac665ebd72c97eb7cbd0bbe190c744a7b170400a7233eea52999ecdd69041e:922c64590222798bb761d5b6d8e72950


@@ -1,57 +0,0 @@
id: mongodb-ssl-disabled
info:
name: MongoDB SSL Disabled
author: pussycat0x
severity: high
description: |
Ensures MongoDB uses SSL/TLS for secure connections.
remediation: |
Set 'net.ssl.mode: requireSSL' and define 'PEMKeyFile' in /etc/mongod.conf.
reference:
- https://wiki.devsecopsguides.com/docs/checklists/mongodb/
- https://www.mongodb.com/docs/manual/tutorial/configure-ssl/
metadata:
verified: true
tags: mongodb,audit,ssh,auth,hardening
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const MongoConfig = c.Run(Code)
MongoConfig
let result = "";
if (MongoConfig.includes("storage") && MongoConfig.includes("operationProfiling") && MongoConfig.includes("ssl:") && MongoConfig.includes("mode: requireSSL") && !MongoConfig.includes("mode: disabled")) {
result += "MongoDB SSL Disabled";
} else {
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
Code: cat {{path}}
payloads:
path:
- /etc/mongod.conf
- /usr/local/etc/mongod.conf
- /opt/homebrew/etc/mongod.conf
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a00473045022100a47fb4ff86a5acf7ce8b0f01af5020f925744777251546997505455db8959990022025cd23417b236086b244801f5841660a86b845ca0a6f390bf27ab7332b4ec946:922c64590222798bb761d5b6d8e72950


@@ -1,61 +0,0 @@
id: mysql-load-file
info:
name: MySQL LOAD_FILE - Enable
author: pussycat0x
severity: high
description: |
The LOAD_FILE function in MySQL is potentially dangerous if not used carefully, as it can pose security risks. The function is designed to read the contents of a file on the server and return the file contents as a string. However, it can be exploited if not properly restricted or sanitized, leading to security vulnerabilities.
reference:
- https://nmap.org/nsedoc/scripts/mysql-databases.html
metadata:
verified: true
max-request: 16
shodan-query: "port:3306"
tags: js,mysql,network,audit
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
let m = require('nuclei/mysql');
let c = m.MySQLClient();
let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
Export(response);
args:
Host: "{{Host}}"
Port: "3306"
Query: SELECT LOAD_FILE('/etc/passwd')
User: "{{usernames}}"
Pass: "{{passwords}}"
payloads:
usernames:
- root
- admin
- mysql
- test
passwords:
- root
- admin
- mysql
- test
attack: clusterbomb
stop-at-first-match: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- success == true
- type: word
words:
- "root:x:"
extractors:
- type: json
part: response
json:
- .Rows[]
# digest: 4a0a004730450221009ad416364c3679ae98d7f27001407c284157e5ee85cfcea19ed1d53e4119128d02205a3741b7625ca7a9c74d10f76c99007e382188b80f5d6c7cadcf28d583b727e6:922c64590222798bb761d5b6d8e72950


@@ -1,51 +0,0 @@
id: change-default-port
info:
name: Change SSH Default Port
author: pussycat0x
severity: info
description: |
Reduces Automated Attacks: Changing the default port can help avoid most automated attacks that target port 22.
remediation: |
Set Port 2222 in /etc/ssh/sshd_config to change the default SSH port and restart the SSH service.
reference:
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
- https://gcore.com/learning/how-to-change-ssh-port/
metadata:
verified: true
tags: audit,config,ssh,auth
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const sshConfig = c.Run('cat /etc/ssh/sshd_config')
sshConfig
let result = "";
if (sshConfig.includes('#Port 22') && !sshConfig.includes('Port ')) {
result += "Default SSH Port Detected; ";
}
else{
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a00473045022100b8bb63087a69512d1c645d43a523120deacae3ae090c2bf1980a4fc7b582affb0220784836e7371a3dcab75a9b1998013603031386aa936a345b42a3581a8e336e9d:922c64590222798bb761d5b6d8e72950


@@ -1,51 +0,0 @@
id: disable-empty-password
info:
name: Disable SSH Empty Password
author: pussycat0x
severity: high
description: |
Allowing empty passwords in SSH poses a severe security risk, enabling unauthorized access, brute-force attacks, and potential system compromise. It should always be disabled to prevent unauthorized logins.
remediation: |
Set PermitEmptyPasswords no in /etc/ssh/sshd_config to disable empty password logins and restart the SSH service.
reference:
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
- https://docs.datadoghq.com/security/default_rules/xccdf-org-ssgproject-content-rule-sshd-disable-empty-passwords/
metadata:
verified: true
tags: audit,config,ssh,auth
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const sshConfig = c.Run('cat /etc/ssh/sshd_config')
sshConfig
let result = "";
if (sshConfig.includes('PermitEmptyPasswords yes')) {
result += "Disable SSH Empty Password Access";
}
else{
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4b0a0048304602210090f1b075340725c5e0a63dc65dabe176c1185bccf08e593976fd35572de9100802210093ed51e2c2f2b957243fb609c5c987ec849446151f7e846ca72cb7b91a89a01f:922c64590222798bb761d5b6d8e72950


@@ -1,50 +0,0 @@
id: disable-root-login
info:
name: Disable SSH Root Login
author: pussycat0x
severity: high
description: |
Disabling direct root login can help prevent unauthorized users from gaining full control over your system.
remediation: |
Set PermitRootLogin no in /etc/ssh/sshd_config to disable root login and restart the SSH service.
reference:
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
- https://www.tecmint.com/disable-or-enable-ssh-root-login-and-limit-ssh-access-in-linux/
metadata:
verified: true
tags: audit,config,ssh,auth
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const sshConfig = c.Run('cat /etc/ssh/sshd_config')
sshConfig
let result = "";
if (sshConfig.includes('PermitRootLogin yes')) {
result += "Disable SSH Root Login; ";
}
else{
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a00473045022100aa61482bf6e32c32117c1183f432c3d4b7df59f098114ccc7569ff25f568e42502206f613044bce918573618fd6ace79bf634f30823e8d9e6e959d3e2199e15e53cb:922c64590222798bb761d5b6d8e72950


@@ -1,50 +0,0 @@
id: disable-ssh-forwarding
info:
name: Disable SSH Forwarding
author: pussycat0x
severity: unknown
description: |
SSH forwarding can enhance security by encrypting traffic (X11, agent, or port forwarding), but it also poses risks if misused. Attackers with access to a compromised system can pivot to other machines, potentially escalating privileges or stealing credentials.
remediation: |
Set X11Forwarding no and AllowTcpForwarding no in /etc/ssh/sshd_config to disable SSH forwarding and restart the SSH service.
reference:
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
metadata:
verified: true
tags: audit,config,ssh,auth
javascript:
- pre-condition: |
isPortOpen(Host,Port)
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const sshConfig = c.Run('cat /etc/ssh/sshd_config')
sshConfig
let result = "";
if (sshConfig.includes('AllowTcpForwarding yes') && !sshConfig.includes('#AllowTcpForwarding yes') || sshConfig.includes('X11Forwarding yes')) {
result += "Disable SSH Forwarding;";
}
else {
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a00473045022100dc6908d6ef4bdff577247d002afeba2f2a2f0f4c6e8363603e4c60c46e452926022017929a72f04ee161a3700626a49ae427a6cdaaf14383292d3dd6c972d7dcb70f:922c64590222798bb761d5b6d8e72950


@@ -1,51 +0,0 @@
id: disable-ssh-protocol-1
info:
name: Disable SSH Protocol 1
author: pussycat0x
severity: low
description: |
Using SSH Protocol 1 is insecure as it lacks strong encryption and integrity checks, making it vulnerable to man-in-the-middle attacks, session hijacking, and other exploits. It is recommended to use SSH Protocol 2 for enhanced security.
remediation: |
Set Protocol 2 in /etc/ssh/sshd_config to disable SSH Protocol 1 and restart the SSH service.
reference:
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
- https://www.ktchost.com/blog/enable-ssh-protocol-2/
metadata:
verified: true
tags: audit,config,ssh,auth
javascript:
- pre-condition: |
isPortOpen(Host,Port)
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const sshConfig = c.Run('cat /etc/ssh/sshd_config')
sshConfig
let result = "";
if (!sshConfig.includes('Protocol 2')) {
result += "Disable SSH Protocol 1; ";
}
else{
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4b0a00483046022100a88133d800dc6c1178ceaa1411b527702f8644de63f384b2bca2d54a77e8d31b022100a136ac30c206fda2df328c01216b03ed6a37abec49b0a25a8f0c9faa457e2850:922c64590222798bb761d5b6d8e72950


@@ -1,51 +0,0 @@
id: enable-ssh-privilege-separation
info:
name: Enable Privilege Separation in SSH
author: pussycat0x
severity: unknown
description: |
Privilege separation in SSH enhances security by running the SSH daemon with minimal privileges, reducing the risk of privilege escalation. It limits the impact of vulnerabilities, preventing full system compromise if SSH is exploited.
remediation: |
Set UsePrivilegeSeparation yes in /etc/ssh/sshd_config to enhance security and restart the SSH service.
reference:
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
- https://www.stigviewer.com/stig/red_hat_enterprise_linux_9/2023-09-13/finding/V-258010
metadata:
verified: true
tags: audit,config,ssh,auth
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const sshConfig = c.Run('cat /etc/ssh/sshd_config')
sshConfig
let result = "";
if (!sshConfig.includes('UsePrivilegeSeparation yes')) {
result += "Enable Privilege Separation in SSH";
}
else{
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a00473045022100f47ff8b921616e92693abe8151aa3b00f4744344aa3358e2badf6fd6c8944c170220065572cb418354904aa61203a171bda7123166b149077937d24c312078b196e5:922c64590222798bb761d5b6d8e72950


@@ -1,51 +0,0 @@
id: hide-last-login-information
info:
name: Hide SSH Last Login Information
author: pussycat0x
severity: unknown
description: |
SSH last login information helps detect unauthorized access but may expose user activity details to attackers.
remediation: |
Set PrintLastLog no in /etc/ssh/sshd_config to disable last login information and restart the SSH service.
reference:
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
- https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209441
metadata:
verified: true
tags: audit,config,ssh,auth
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const sshConfig = c.Run('cat /etc/ssh/sshd_config')
sshConfig
let result = "";
if (!sshConfig.includes('PrintLastLog no')) {
result += "Hide SSH Last Login Information; ";
}
else{
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a00473045022100a6a2316223724c672bd024f69d4dfbc7f32d17a399b2ecd148a10adee5eef0a702203c89eb525cbe0706d5e66ce0b199781d4774427b4dececea02ca9b6abefc15b4:922c64590222798bb761d5b6d8e72950


@@ -1,51 +0,0 @@
id: idle-timeout-interval
info:
name: Set SSH Idle Timeout Interval
author: pussycat0x
severity: low
description: |
Missing an SSH idle timeout interval can lead to security risks by allowing unattended sessions to remain open, increasing the chance of unauthorized access or session hijacking.
remediation: |
Set ClientAliveInterval 300 and ClientAliveCountMax 0 in /etc/ssh/sshd_config to enforce an idle timeout and restart the SSH service.
reference:
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
- https://support.forcepoint.com/s/article/000015900
metadata:
verified: true
tags: audit,config,ssh,auth
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const sshConfig = c.Run('cat /etc/ssh/sshd_config')
sshConfig
let result = "";
if (sshConfig.includes('#ClientAliveInterval') && sshConfig.includes('#ClientAliveCountMax') && !sshConfig.includes('ClientAliveInterval ') && !sshConfig.includes('ClientAliveCountMax ')){
result += "Set SSH Idle Timeout Interval";
}
else{
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a00473045022100bf9a2fe48184cc61b2acaa709af5dd53f1ad7266dd4f8114200692210f6efd2202207f3942d6d0ff7ab6a301ce5e0c1fa29ccd14bf3425adcb54cf7b80def71b5d1b:922c64590222798bb761d5b6d8e72950


@@ -1,51 +0,0 @@
id: limit-ssh-group
info:
name: Limit SSH Users Group Access
author: pussycat0x
severity: unknown
description: |
Limiting SSH user group access enhances security by restricting login permissions to authorized groups, reducing the attack surface and preventing unauthorized access.
remediation: |
Ensure only necessary users are listed in AllowUsers within /etc/ssh/sshd_config, then restart the SSH service.
reference:
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
- https://cloud.ibm.com/docs/ssh-keys?topic=ssh-keys-granting-ssh-access-to-a-user
metadata:
verified: true
tags: audit,config,ssh,auth
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const sshConfig = c.Run('cat /etc/ssh/sshd_config')
sshConfig
let result = "";
if (!sshConfig.includes('AllowGroups')){
result += "Limit SSH Users Group Access; ";
}
else{
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 490a0046304402200f92b3878984629518e1273af1410e7c952b53692df85e4e4fbecbe535b18043022062c92bfc1503feff994ca2314293fc1c6457ef6c605d384c96dd56ac0860f149:922c64590222798bb761d5b6d8e72950


@@ -1,51 +0,0 @@
id: limit-ssh-users-access
info:
name: Limit SSH Users Access
author: pussycat0x
severity: unknown
description: |
Restricting SSH user access improves security by allowing only authorized users to connect, reducing the risk of unauthorized logins and potential attacks.
remediation: |
Restrict SSH access by configuring AllowUsers or AllowGroups in /etc/ssh/sshd_config and restart the SSH service.
reference:
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
- https://cloud.ibm.com/docs/ssh-keys?topic=ssh-keys-granting-ssh-access-to-a-user
metadata:
verified: true
tags: audit,config,ssh,auth
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const sshConfig = c.Run('cat /etc/ssh/sshd_config')
sshConfig
let result = "";
if (!sshConfig.includes('AllowUsers')){
result += "Limit SSH Users Access; ";
}
else{
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4b0a00483046022100e5ca1199361b834994bf2db56bfe92380bef7598ae6ef39791c04bf96be2f199022100a5c92bcfd2ffef3d361341ec13958ae565ee54727b0e0cec624b66c33e5a7ac7:922c64590222798bb761d5b6d8e72950


@@ -1,51 +0,0 @@
id: ssh-key-auth-disabled
info:
name: SSH Key-Based Authentication - Disabled
author: pussycat0x
severity: low
description: |
SSH key-based authentication is disabled, allowing password-based logins, which increases the risk of brute-force attacks and unauthorized access.
remediation: |
Enable SSH key-based authentication by adding the public key to ~/.ssh/authorized_keys and disabling password authentication in /etc/ssh/sshd_config (PasswordAuthentication no).
reference:
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
- https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
metadata:
verified: true
tags: audit,config,ssh,auth
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const sshConfig = c.Run('cat /etc/ssh/sshd_config')
sshConfig
let result = "";
if (sshConfig.includes('#PasswordAuthentication yes') && !sshConfig.includes('PasswordAuthentication yes')){
result += "SSH Key-Based Authentication Disabled";
}
else{
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4b0a00483046022100e74a6f1240b37c11e994a870993eda924e977fde4ca97ad003f6350c14e4eefe022100d2ccd197706d61fcf871d63bccc809641c470f082b10c3f75dd3e6ee9cd3fd93:922c64590222798bb761d5b6d8e72950


@@ -1,51 +0,0 @@
id: ssh-unrestricted-nonwhitelist
info:
name: Unrestricted SSH Access from Non-Whitelisted IPs
author: pussycat0x
severity: unknown
description: |
SSH access is not restricted to specific IP addresses, allowing connections from any source. This increases the risk of unauthorized access and brute-force attacks.
remediation: |
Restrict SSH to specific IPs in /etc/ssh/sshd_config by setting ListenAddress <trusted-IP> and restarting the SSH service.
reference:
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
- https://www.cyberciti.biz/tips/howto-openssh-sshd-listen-multiple-ip-address.html
metadata:
verified: true
tags: audit,config,ssh,auth
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const sshConfig = c.Run('cat /etc/ssh/sshd_config')
sshConfig
let result = "";
if (sshConfig.includes('#ListenAddress') && !sshConfig.includes('ListenAddress ')){
result += "SSH access restriction not enforced";
}
else{
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4b0a00483046022100e083bd557c319077edc862d63ff616e5f3b16c97993aa815fc99275c3d0b8681022100b655fa349c18a03be6a56866c42c56cdc6829c22ebf02f09b2d625e2b7119452:922c64590222798bb761d5b6d8e72950


@@ -1,59 +0,0 @@
id: disable-directory-listing
info:
name: Disable Directory Listing in Apache2
author: pussycat0x
severity: medium
description: |
Directory listing should be disabled to prevent unauthorized users from browsing server directories.
remediation: |
Add 'Options -Indexes' in the Apache configuration file or .htaccess file.
reference:
- https://wiki.devsecopsguides.com/docs/checklists/apache/
- https://httpd.apache.org/docs/2.4/mod/core.html#options
metadata:
verified: true
tags: audit,config,auth,apache,hardening
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const ApacheConfig = c.Run(Code)
ApacheConfig
let result = "";
const regex = /\bOptions\s+Indexes\b(?!\s+FollowSymLinks)/;
if (ApacheConfig.includes("<Directory") && regex.test(ApacheConfig)) {
result += "Disable directory listing";
} else {
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
Code: cat {{path}}
payloads:
path:
- /etc/apache2/apache2.conf
- /etc/httpd/conf/httpd.conf
- /etc/httpd/conf.d
- /usr/local/etc/httpd/httpd.conf
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 490a00463044022024e7ed0a451f189f5f4a8e65a31c5090152c4ef902a23487b6a5568715bd076d02200bdb6084a8cb9a9ec470666affdb26fcfbb41620f189e867551dc4f1900a40de:922c64590222798bb761d5b6d8e72950


@@ -1,58 +0,0 @@
id: disable-http-trace-method
info:
name: Disable HTTP TRACE Method in Apache2
author: pussycat0x
severity: high
description: |
The HTTP TRACE method should be disabled to prevent Cross-Site Tracing (XST) attacks.
remediation: |
Add 'TraceEnable Off' in the Apache configuration file and restart the service.
reference:
- https://wiki.devsecopsguides.com/docs/checklists/apache/
- https://httpd.apache.org/docs/2.4/mod/core.html#traceenable
metadata:
verified: true
tags: audit,config,auth,apache,hardening
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const ApacheConfig = c.Run(Code)
ApacheConfig
let result = "";
if (ApacheConfig.includes("<Directory") && !ApacheConfig.includes("TraceEnable On")) {
result += "Disable HTTP Trace Method";
} else {
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
Code: cat {{path}}
payloads:
path:
- /etc/apache2/apache2.conf
- /etc/httpd/conf/httpd.conf
- /etc/httpd/conf.d
- /usr/local/etc/httpd/httpd.conf
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a0047304502210088b13c7e6bc409b009330a899317e4bbe9ba25a511aafc5496b4eb2f5bcdd52b02200713e96eabd9adfec3b73d3456ac592df7ecc9c36366e521020a4241de527ce0:922c64590222798bb761d5b6d8e72950


@@ -1,58 +0,0 @@
id: disable-server-header
info:
name: Disable Server Header in Apache2
author: pussycat0x
severity: medium
description: |
Ensures that 'ServerTokens Prod' and 'ServerSignature Off' are correctly set in Apache to prevent server information leakage.
remediation: |
Set 'ServerTokens Prod' and 'ServerSignature Off' in Apache configuration and restart the service.
reference:
- https://wiki.devsecopsguides.com/docs/checklists/apache/
- https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
metadata:
verified: true
tags: audit,config,auth,apache,hardening
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const ApacheConfig = c.Run(Code)
ApacheConfig
let result = "";
if (ApacheConfig.includes("<Directory") && !ApacheConfig.includes("ServerTokens Prod") && !ApacheConfig.includes("ServerSignature Off")) {
result += "Disable HTTP Headers";
} else {
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
Code: cat {{path}}
payloads:
path:
- /etc/apache2/apache2.conf
- /etc/httpd/conf/httpd.conf
- /etc/httpd/conf.d
- /usr/local/etc/httpd/httpd.conf
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4b0a00483046022100ab934cdfa66e4770066abd76813244cdd313ab2df4843cde04b2293c3e03a1a8022100db4afb5a43909096bdb1594c955383f2d98a5a0a3f61b97590775447157377d7:922c64590222798bb761d5b6d8e72950


@@ -1,58 +0,0 @@
id: disable-server-signature
info:
name: Disable Server Signature in Apache
author: pussycat0x
severity: medium
description: |
Disabling the server signature prevents Apache from revealing version details in error pages.
remediation: |
Set 'ServerSignature Off' in the Apache configuration file and restart the service.
reference:
- https://wiki.devsecopsguides.com/docs/checklists/apache/
- https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
metadata:
verified: true
tags: audit,config,auth,apache,hardening
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const ApacheConfig = c.Run(Code)
ApacheConfig
let result = "";
if (ApacheConfig.includes("<Directory") && !ApacheConfig.includes("ServerSignature Off")) {
result += "Disable Server Signature";
} else {
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
Code: cat {{path}}
payloads:
path:
- /etc/apache2/apache2.conf
- /etc/httpd/conf/httpd.conf
- /etc/httpd/conf.d
- /usr/local/etc/httpd/httpd.conf
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a00473045022003257f6b7fde949b083a9557796e87a313aa7c77627c9a06cd73cbfba4deea58022100940e645b12a981e41060fac47d95ceb5e87748038e983ea63c2c09e4838a1c8b:922c64590222798bb761d5b6d8e72950


@@ -1,58 +0,0 @@
id: enforce-server-tokens-prod
info:
name: Enforce ServerTokens Prod in Apache2
author: pussycat0x
severity: medium
description: |
ServerTokens should be set to 'Prod' to prevent Apache from exposing version details in response headers.
remediation: |
Set 'ServerTokens Prod' in the Apache configuration file and restart the service.
reference:
- https://wiki.devsecopsguides.com/docs/checklists/apache/
- https://httpd.apache.org/docs/2.4/mod/core.html#servertokens
metadata:
verified: true
tags: audit,config,auth,apache,hardening
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const ApacheConfig = c.Run(Code)
ApacheConfig
let result = "";
if (ApacheConfig.includes("<Directory") && !ApacheConfig.includes("ServerTokens Prod")) {
result += "Enforce ServerTokens Prod in Apache2";
} else {
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
Code: cat {{path}}
payloads:
path:
- /etc/apache2/apache2.conf
- /etc/httpd/conf/httpd.conf
- /etc/httpd/conf.d
- /usr/local/etc/httpd/httpd.conf
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a00473045022100c7731f796d7de43d70b14e1b5f1e5959b05b2ca90ddbc25d7966d3577129837c022036363388e806c797d476e6571181c46bc9585092f467beb36ee5bace8e8e7527:922c64590222798bb761d5b6d8e72950


@@ -1,56 +0,0 @@
id: disable-nginx-server-tokens
info:
name: Disbale Nginx Server Tokens
author: pussycat0x
severity: medium
description: |
Detects if 'server_tokens' is enabled in Nginx, which can reveal version information.
remediation: |
Set 'server_tokens off;' in /etc/nginx/nginx.conf and restart Nginx.
reference:
- https://wiki.devsecopsguides.com/docs/checklists/nginx/
- https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
metadata:
verified: true
tags: audit,nginx,auth,ssh
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const NginxConfig = c.Run(Code)
NginxConfig
let result = "";
if (NginxConfig.includes("http") && NginxConfig.includes("events") && !NginxConfig.includes("server_tokens off")) {
result += "Disable Server Tokens";
} else {
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
Code: cat {{path}}
payloads:
path:
- /etc/nginx/nginx.conf
- /usr/local/etc/nginx/nginx.conf
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 490a0046304402203d6e6973a58ff089b317b1a96a42af59c55fa029f669b138e7ffd18b86b0e1530220665102c65294c87370c1be7ba467b4bf412a36abc0cbbd7c01e8c405115b333f:922c64590222798bb761d5b6d8e72950


@@ -1,54 +0,0 @@
id: missing-nginx-bof-protection
info:
name: Missing Nginx Buffer Overflow Protection
author: pussycat0x
severity: medium
description: |
Ensures that buffer overflow protection is properly configured in Nginx to prevent large request attacks.
reference:
- https://wiki.devsecopsguides.com/docs/checklists/nginx/
- https://nginx.org/en/docs/http/ngx_http_proxy_module.html
metadata:
verified: true
tags: nginx,file,audit,ssh,auth,hardening
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const NginxConfig = c.Run(Code)
NginxConfig
let result = "";
if (NginxConfig.includes("http") && NginxConfig.includes("events") && !NginxConfig.includes("proxy_buffer_size") && !NginxConfig.includes("proxy_buffers") && !NginxConfig.includes("proxy_busy_buffers_size")) {
result += "Missing Nginx Buffer Overflow Protection";
} else {
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
Code: cat {{path}}
payloads:
path:
- /etc/nginx/nginx.conf
- /usr/local/etc/nginx/nginx.conf
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 490a0046304402200775851123ec35677fa66a24443324ac54fe75fd70471cb373801e7c2cf422ea02204c39b749efa797c759094ea627a38b7c7537ea9e57f7faf32196b16e603d4251:922c64590222798bb761d5b6d8e72950


@@ -1,56 +0,0 @@
id: missing-nginx-hsts
info:
name: Missing Nginx HSTS
author: pussycat0x
severity: high
description: |
Ensures that HSTS (Strict-Transport-Security) is enabled in Nginx.
remediation: |
Add 'add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";' in /etc/nginx/nginx.conf under the server block.
reference:
- https://wiki.devsecopsguides.com/docs/checklists/nginx/
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
metadata:
verified: true
tags: audit,nginx,ssh,auth,hardening
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const NginxConfig = c.Run(Code)
NginxConfig
let result = "";
if (NginxConfig.includes("http") && NginxConfig.includes("events") && !NginxConfig.includes("add_header Strict-Transport-Security")) {
result += "Nginx HSTS Missing";
} else {
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
Code: cat {{path}}
payloads:
path:
- /etc/nginx/nginx.conf
- /usr/local/etc/nginx/nginx.conf
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 490a0046304402202b5cae30744e929520ad2c13ec9b0337849b6a201234f43d92af97d9dbf6f91302206b7e2805b11187eedfb9c71d790e0511075da0043c358440486b5ad382d702c6:922c64590222798bb761d5b6d8e72950


@@ -1,56 +0,0 @@
id: missing-nginx-rate-limiting
info:
name: Missing Nginx Rate Limiting Configuration
author: pussycat0x
severity: medium
description: |
Ensures that rate limiting is properly configured in Nginx to prevent excessive requests from a single client.
remediation: |
Add 'limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;' in /etc/nginx/nginx.conf.
reference:
- https://wiki.devsecopsguides.com/docs/checklists/nginx/
- https://nginx.org/en/docs/http/ngx_http_limit_req_module.html
metadata:
verified: true
tags: nginx,audit,ssh,auth,hardening
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const NginxConfig = c.Run(Code)
NginxConfig
let result = "";
if (NginxConfig.includes("http") && NginxConfig.includes("events") && !NginxConfig.includes("limit_req_zone $binary_remote_addr zone=") && !NginxConfig.includes("rate=")) {
result += "Missing Nginx Rate Limitting Protection";
} else {
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
Code: cat {{path}}
payloads:
path:
- /etc/nginx/nginx.conf
- /usr/local/etc/nginx/nginx.conf
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a00473045022100ea0fcd4bec850b9db8970a4659cf52c99cac156870ede8c4793962d45119b34302207f3f9ab417656d1fff9f37324daebabcb94b4d2c733b787b1d20e93a727f6fdf:922c64590222798bb761d5b6d8e72950


@@ -1,54 +0,0 @@
id: missing-nginx-xss-protection
info:
name: Missing Nginx XSS Protection
author: pussycat0x
severity: high
description: |
Ensures that XSS protection is enabled in Nginx by checking for the 'X-XSS-Protection' header.
reference:
- https://wiki.devsecopsguides.com/docs/checklists/mongodb/
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
metadata:
verified: true
tags: audit,nginx,ssh,auth,hardening
javascript:
- pre-condition: |
isPortOpen(Host,Port);
code: |
var m = require("nuclei/ssh");
var c = m.SSHClient();
c.Connect(Host,Port,User,Pass);
const NginxConfig = c.Run(Code)
NginxConfig
let result = "";
if (NginxConfig.includes("http") && NginxConfig.includes("events") && !NginxConfig.includes("add_header X-XSS-Protection") && !NginxConfig.includes("mode=block")) {
result += "Missing Nginx XSS protection";
} else {
exit();
}
result
args:
Host: "{{Host}}"
Port: "22"
User: "{{usernames}}"
Pass: "{{passwords}}"
Code: cat {{path}}
payloads:
path:
- /etc/nginx/nginx.conf
- /usr/local/etc/nginx/nginx.conf
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a0047304502206f7ffac003e28ae5cb00bf27c5676f88a7721db088a1387f1318be12a667e378022100a7a2bad66a19f6c03a29aa2f4c93f3ca9d7d0c4757234cbb6ba4810bc20c89ac:922c64590222798bb761d5b6d8e72950