-
Notifications
You must be signed in to change notification settings - Fork 7
/
extract_with_nuclei.yaml
94 lines (90 loc) · 5.42 KB
/
extract_with_nuclei.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
id: credentials-disclosure
# Extract secrets regex like api keys, token ... for different services
# Always validate the leaked key/tokens/passwords to make sure it's valid, a token/keys without any impact is not an valid issue.
# Severity is not fixed in this case, it varies from none to critical depending upon impact of disclosed key/tokes.
# Regex count:- 70
info:
name: Extract multiple tokens
author: Abdulrahman-Kamel
severity: medium
description: Look for multiple keys/tokens in the page response.
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- \"[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com"
- \"[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\\.com"
- "[0-9a-f]{32}-us[0-9]{1,2}"
- "(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))"
- "[0-9a-fA-F]{7}.[0-9a-fA-F]{32}"
- "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
- "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12} "
- "[0-9a-z]{161[0-9a,]{32}"
- "[0-9a-zA-Z_][5,31]"
- "[1-9][ 0-9]+-[0-9a-zA-Z]{40}"
- "55[0-9a-fA-F]{32}"
- "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
- "(AAAA[a-zA-Z0-9_-]{7}:[a-zA-Z0-9_-]{140})"
- "(AC[a-f0-9]{32}[^a-f0-9])"
- "access_token,production$[0-9a-z]{161[0-9a,]{32}"
- "[a-f0-9]{32}"
- "AIza[0-9A-Za-z\\-_]{35}"
- "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
- "amzn.mws]{8}-[0-9a-f]{4}-10-9a-f1{4}-[0-9a,]{4}-[0-9a-f]{12}"
- "[A-Za-z0-9]{125} (counting letters [2])"
- "[A-Za-z0-9_]{21}--[A-Za-z0-9_]{8}"
#- "(?<=:\/\/)[a-zA-Z0-9]+:[a-zA-Z0-9]+@[a-zA-Z0-9]+\\.[a-zA-Z]+"
- "basic [a-zA-Z0-9_\\-:\\.=]+"
- "bearer [a-zA-Z0-9_\\-\\.=]+"
- "(-----BEGIN DSA PRIVATE KEY-----[a-zA-Z0-9\\S]{100,}-----END DSA PRIVATE KEY-----)"
- "(-----BEGIN EC PRIVATE KEY-----[a-zA-Z0-9\\S]{100,}-----END EC PRIVATE KEY-----)"
- "(-----BEGIN OPENSSH PRIVATE KEY-----[a-zA-Z0-9\\S]{100,}-----END OPENSSH PRIVATE KEY-----)"
- "(-----BEGIN PGP PRIVATE KEY BLOCK-----[a-zA-Z0-9\\S]{100,}-----END PGP PRIVATE KEY BLOCK-----)"
- "(-----BEGIN PRIVATE KEY-----[a-zA-Z0-9\\S]{100,}-----END PRIVATE KEY-----)"
- "(-----BEGIN RSA PRIVATE KEY-----[a-zA-Z0-9\\S]{100,}-----END RSA PRIVATE KEY-----)"
#- "cloudinary://[0-9]{15}:[0-9A-Za-z]+@[a-z]+"
- "EAAA[a-zA-Z0-9]{60}"
- "EAACEdEose0cBA[0-9A-Za-z]+"
- "(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[a-zA-Z0-9+/]+={0,2}"
- "[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].*['|\"][0-9a-f]{32}['|\"]"
#- "(\\'|\"|\\=)(?=(.*[0-9].*))(?=(.*[A-Z].*))(?=([0-9A-Za-z-_]{24})(\\1|\\'|\"|(\\s*(\r\n|\r|\n))))(?!.*\\1.*\\1.*)(?=(.*[a-z].*))(.*)(\\1|\\'|\"|(\\s*(\r\n|\r|\n)))"
- "[h|H][e|E][r|R][o|O][k|K][u|U].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}"
- "https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}"
- "(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}"
- "(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['\"][AIza[0-9a-z\\-_]{35}]['\"]"
- "(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]"
- "(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}"
- "key-[0-9a-f]{32}"
- "key-[0-9a-zA-Z]{32}"
- "[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9.-]+"
- "q0csp-[ 0-9A-Za-z-_]{43}"
- "R_[0-9a-f]{32}"
- "(rk_live_[0-9a-zA-Z]{24,34})"
- "(?:r|s)k_live_[0-9a-zA-Z]{24}"
- '(?:\s|=|:|"|^)AKC[a-zA-Z0-9]{10,}'
- '(?:\s|=|:|"|^)AP[\dABCDEF][a-zA-Z0-9]{8,}'
- "[sb]\\.[a-zA-Z0-9]{24}"
- "(SG\\.[a-zA-Z0-9-_]{22}\\.[a-zA-Z0-9_-]{43})"
- "SK[0-9a-fA-F]{32}"
- "sk_live_[0-9a-z]{32}"
- "(sk_live_[0-9a-zA-Z]{24})"
- \"sq0[a-z]{3}-[0-9A-Za-z\-_]{22,43}\"
- "sq0[a-z]{3}-[0-9A-Za-z\\-_]{43}"
- "sq0csp-[ 0-9A-Za-z\\-_]{43}"
- "sqOatp-[0-9A-Za-z-_]{22}"
- "sqOatp-[0-9A-Za-z\\-_]{22}"
- "T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}"
- "[t|T][w|W][i|I][t|T][t|T][e|E][r|R].{0,30}['\"\\s][0-9a-zA-Z]{35,44}['\"\\s]"
- "[\\W]{1,2}([a-f0-9]{40})[\\W]{1,2}$"
- "\\W(?:[a-f0-9]{32}(-us[0-9]{1,2}))\\W"
- "\\W[a-f0-9]{32}\\W"
- "\\W(EAAA[a-zA-Z0-9_-]{60})\\W"
- "\\W(xox[p|b|o|a]-[0-9]{1,}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})\\W"
- "\\W(xox[p|b|o|a]-[0-9]{1,}-[0-9]{1,}-[a-zA-Z0-9]{24})\\W"
- "xox[baprs]-[0-9]{12}-[0-9]{12}-[0-9a-zA-Z]{24}"
- "xox[baprs]-([0-9a-zA-Z]{10,48})?"
- "ya29\\.[0-9A-Za-z\\-_]+"