- Original path:
profiles/composite/web-app-security.toml
# Web Application Security Profile
# Regex-based detection of web-application security indicators in scanned content:
# hardcoded database credentials, default credentials, admin-panel paths, session tokens
# in URLs and leaked stack traces / debug output. These are heuristics, not verified
# vulnerabilities — expect false positives and review matches before acting on them.
# Base profiles layered under this one. Several pattern names used by the signature
# queries at the bottom of this file are not defined here, so they presumably come from
# these includes (most likely ../base/web.toml) — TODO confirm the names stay in sync.
includes = [
"../base/web.toml",
"../base/credentials.toml",
"../base/crypto.toml"
]
# Decodings applied to scanned content (presumably before pattern matching — TODO confirm
# against the scanner docs) so encoded credentials and payloads are not missed.
decode = ["base64", "percent-encoding", "html-entity", "unicode-escape-sequences"]
# Additional web-specific patterns
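[[patterns]]
# Database connection strings carrying a secret. Two forms are covered:
#   1. URI userinfo, "scheme://user:secret@host" — the most common way credentials end up
#      hardcoded and the form the original rule missed entirely;
#   2. key/value options, password= / pwd= / user= with a quoted value (kept from the
#      original; "user=" alone is reported too, so expect some noise from values such as
#      "user='${DB_USER}'").
# Schemes added alongside the original set: mongodb+srv, postgres (short form), mssql, redis.
name = "Hardcoded Database Credentials"
pattern = "(?:jdbc:|mongodb(?:\\+srv)?:|mysql:|postgres(?:ql)?:|oracle:|mssql:|redis:)(?://[^\\s/:@]*:[^\\s/@]+@|.*(?:user(?:name)?|password|pwd)\\s*[:=]\\s*[\"'][^\"']+[\"'])"
case-insensitive = true
type = "regex"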
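[[patterns]]
# Well-known administrative path segments. In the original alternation "/admin" already
# matched every "/administrator" and "/adminer", and also fired on any "/administrative-…"
# or "/adminapi" style path; the trailing \b restricts it to the path segment itself
# ("/admin", "/admin/", "/admin.php", "/admin-console"). Finding the string in scanned
# content says nothing about whether the panel is reachable or unauthenticated — treat a
# hit as a lead to verify, not a finding. Not referenced by any signature in this file.
name = "Exposed Admin Panel"
pattern = "/(?:admin|administrator|adminer|wp-admin|phpmyadmin)\\b"
case-insensitive = true
type = "regex"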
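[[patterns]]
# A privileged account name assigned one of the stock default secrets, e.g. "admin:admin",
# "root = password", "administrator=123456". The original rule did not allow a quote before
# the value, so the very common config form admin = "admin" was missed; the optional ["']
# fixes that. The trailing \b stops the value alternatives matching as prefixes
# ("admin=adminsecret" or "root=root_ca_bundle" are no longer reported as defaults).
# Picked up by the "Authentication Issues" signature via LIKE '%Credentials%'.
name = "Default Credentials"
pattern = "(?:admin|root|administrator)\\s*[:=]\\s*[\"']?(?:admin|password|123456|root)\\b"
case-insensitive = true
type = "regex"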
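[[patterns]]
# A session identifier or bearer-style token passed as a parameter value. Changes from the
# original rule:
#   - common parameter names were missed: "sessionid"/"session_id" (and so JSESSIONID),
#     "PHPSESSID" and "sid" (the latter word-bounded so "classid=" does not fire);
#   - the value class was [a-zA-Z0-9], which excludes "." "-" "_" and therefore every JWT
#     and URL-safe-base64 token; RFC 3986 unreserved characters are now accepted.
# Deliberately not anchored to "?"/"&", so it also fires on tokens in logged URLs and config
# values; prefix the pattern with [?&] if that proves too noisy. Picked up by the
# "Authentication Issues" signature via LIKE '%Session%'.
name = "Session Token in URL"
pattern = "(?:session(?:_?id)?|phpsessid|token|auth|\\bsid)\\s*=\\s*[a-zA-Z0-9._~-]{20,}"
case-insensitive = true
type = "regex"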
[[patterns]]
# Leaked stack traces / debug output: a marker word followed, within the same match, by a
# frame ("at pkg.Class.method(") or a "line N" reference. NOTE(review): the unbounded ".*"
# between the two parts means any text containing "error" or "warning" somewhere before a
# later "line 12" fires, so this is the noisiest rule in the profile — consider bounding the
# gap (e.g. .{0,200}) if it dominates results. Whether ".*" can cross newlines depends on the
# regex engine's default flags; confirm before relying on this for multi-line traces.
# Not referenced by any signature in this file.
name = "Information Disclosure"
pattern = "(?:stack.?trace|exception|error|warning|debug).*(?:at\\s+[a-zA-Z0-9_.]+\\(|line\\s+\\d+)"
case-insensitive = true
type = "regex"
[[signatures]]
# Files (by sha256) hit by any of the listed patterns. Only 'Hardcoded Database Credentials'
# is defined in this file; the other four names are not defined here and are presumably
# supplied by the included base profiles (../base/web.toml most likely). Because this is an
# exact-name IN list, renaming one of those patterns upstream makes it silently drop out of
# this signature — verify the names whenever either file changes.
name = "Critical Web Vulnerabilities"
query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('SQL Injection Pattern', 'XSS Script Tag', 'Command Injection', 'Path Traversal', 'Hardcoded Database Credentials')"
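[[signatures]]
# Files (by sha256) hit by any credential / password / session pattern. The LIKE filters are
# name-based: from this file they select 'Hardcoded Database Credentials', 'Default
# Credentials' and 'Session Token in URL', plus whatever the included base profiles name
# that way. NOTE(review): LIKE case-sensitivity depends on the backing database (SQLite is
# case-insensitive for ASCII, PostgreSQL is not), so a base pattern named '…credentials…'
# may or may not be included — confirm against the scanner's database.
# DISTINCT added for consistency with "Critical Web Vulnerabilities"; without it a file
# with several matches presumably yields one duplicate row per match.
name = "Authentication Issues"
query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name LIKE '%Credentials%' OR pattern_name LIKE '%Password%' OR pattern_name LIKE '%Session%'"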