Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Profile: base/web.toml

Source

  • Original path: profiles/base/web.toml

Profile (TOML)

# Web Security Profile
# Detects web vulnerabilities and suspicious web-related patterns

decode = ["base64", "percent-encoding", "html-entity", "unicode-escape-sequences"]

[[patterns]]
  name = "SQL Injection Pattern"
  pattern = "(?:union.*select|select.*from|insert.*into|delete.*from|update.*set|drop.*table).*(?:--|#|/\\*)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "XSS Script Tag"
  pattern = "<script[^>]*>.*</script>"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "XSS Event Handler"
  pattern = "(?:on(?:load|error|click|mouseover|focus|blur))\\s*=\\s*[\"']?(?:javascript:|alert\\(|prompt\\(|confirm\\()"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Path Traversal"
  pattern = "\\.\\./|\\.\\.\\\\"
  type = "regex"

[[patterns]]
  name = "Command Injection"
  pattern = "(?:[;&|]|`|\\$\\().*(?:cat|ls|wget|curl|bash|sh|nc|netcat|chmod|chown)"
  type = "regex"

[[patterns]]
  name = "LDAP Injection"
  pattern = "(?:\\*\\)|\\(\\||\\(&|\\(!).*(?:cn=|uid=|ou=|dc=)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "XXE Attack"
  pattern = "<!ENTITY.*SYSTEM"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Server-Side Template Injection"
  pattern = "\\{\\{.*\\}\\}|\\{%.*%\\}|\\$\\{.*\\}"
  type = "regex"

[[patterns]]
  name = "PHP Code Injection"
  pattern = "(?:eval|assert|system|exec|shell_exec|passthru|proc_open|popen)\\s*\\("
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Webshell Indicator"
  pattern = "(?:c99|r57|b374k|wso|shell|webshell|backdoor|FilesMan)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Deserialization Attack"
  pattern = "(?:__reduce__|__setstate__|pickle|yaml\\.load|unserialize|json_decode)"
  type = "regex"

[[patterns]]
  name = "SSRF Pattern"
  pattern = "(?:file://|gopher://|dict://|ftp://|tftp://)(?:localhost|127\\.0\\.0\\.1|0\\.0\\.0\\.0|\\[::\\])"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Open Redirect"
  pattern = "(?:url|redirect|next|return|returnto)\\s*=\\s*(?:https?://|//)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "JSP Expression"
  pattern = "<%=\\s*[^%>]+\\s*%>"
  type = "regex"

[[patterns]]
  name = "JSP Scriptlet"
  pattern = "<%[^%>]+%>"
  type = "regex"

[[patterns]]
  name = "Suspicious Request Parameter"
  pattern = "request\\.(?:getParameter|getHeader|getAttribute)\\([^)]+\\)"
  type = "regex"

[[patterns]]
  name = "Response Writer"
  pattern = "response\\.(?:getWriter|getOutputStream)\\(\\)"
  type = "regex"

[[patterns]]
  name = "File Upload"
  pattern = "(?:upload|multipart/form-data|FileItem|DiskFileItemFactory)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Insecure Deserialization"
  pattern = "(?:ObjectInputStream|readObject|XMLDecoder)"
  type = "regex"

[[patterns]]
  name = "Hardcoded Session Key"
  pattern = "(?:session[_-]?(?:key|secret|id))\\s*[:=]\\s*[\"'][a-zA-Z0-9]{16,}[\"']"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "Files with SQL Injection Patterns"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name LIKE '%SQL%'"

[[signatures]]
  name = "Files with Multiple Web Vulnerabilities"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as vuln_count FROM pattern_matches WHERE pattern_name IN ('XSS Script Tag', 'XSS Event Handler', 'SQL Injection Pattern', 'Path Traversal', 'Command Injection') GROUP BY sha256 HAVING vuln_count > 1"