From 04de206f1a44f9103a3509bc531fca2f9dd8627e Mon Sep 17 00:00:00 2001 From: rxerium Date: Tue, 14 Apr 2026 20:55:39 +0100 Subject: [PATCH 1/6] Add FortiSandbox detection template - Match on FortiSandbox and HTTP 200 status - Target path: /ng/login?returnUrl=%2F - Shodan query: http.title:"FortiSandbox" Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- http/detect/fortisandbox-detect.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 http/detect/fortisandbox-detect.yaml diff --git a/http/detect/fortisandbox-detect.yaml b/http/detect/fortisandbox-detect.yaml new file mode 100644 index 000000000000..9ef5133d6a20 --- /dev/null +++ b/http/detect/fortisandbox-detect.yaml @@ -0,0 +1,25 @@ +id: fortisandbox-detect + +info: + name: FortiSandbox Detection + author: nuclei + severity: info + description: Detects FortiSandbox login page + reference: + - https://www.fortinet.com/products/sandbox + metadata: + shodan-query: http.title:"FortiSandbox" + verified: true + +http: + - method: GET + path: + - /ng/login?returnUrl=%2F + matchers: + - type: word + words: + - '<title>FortiSandbox' + part: body + - type: status + status: + - 200 From 8b0df65954e159efdee5c48398cc326050409281 Mon Sep 17 00:00:00 2001 From: rxerium Date: Tue, 14 Apr 2026 21:00:59 +0100 Subject: [PATCH 2/6] FortiSandbox Detection --- http/detect/fortisandbox-detect.yaml | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/http/detect/fortisandbox-detect.yaml b/http/detect/fortisandbox-detect.yaml index 9ef5133d6a20..62022c6e3338 100644 --- a/http/detect/fortisandbox-detect.yaml +++ b/http/detect/fortisandbox-detect.yaml 
@@ -2,24 +2,33 @@ id: fortisandbox-detect info: name: FortiSandbox Detection - author: nuclei + author: rxerium severity: info - description: Detects FortiSandbox login page + description: | + FortiSandbox is Fortinet's advanced sandbox solution for threat analysis and malware detection. + This template detects exposed FortiSandbox login and management interfaces. reference: - - https://www.fortinet.com/products/sandbox + - https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSandbox.pdf metadata: - shodan-query: http.title:"FortiSandbox" + max-request: 1 verified: true + vendor: fortinet + product: fortisandbox + shodan-query: http.title:"FortiSandbox" + tags: fortinet,fortisandbox,panel,login,sandbox,discovery http: - method: GET path: - - /ng/login?returnUrl=%2F + - "{{BaseURL}}/ng/login?returnUrl=%2F" + + matchers-condition: and matchers: - type: word + part: body words: - 'FortiSandbox' - part: body + - type: status status: - - 200 + - 200 \ No newline at end of file From b07c9697c310ea821b3a44bc0755f8b45b931542 Mon Sep 17 00:00:00 2001 From: rxerium Date: Tue, 14 Apr 2026 21:10:34 +0100 Subject: [PATCH 3/6] fix --- http/{detect => technologies}/fortisandbox-detect.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename http/{detect => technologies}/fortisandbox-detect.yaml (100%) diff --git a/http/detect/fortisandbox-detect.yaml b/http/technologies/fortisandbox-detect.yaml similarity index 100% rename from http/detect/fortisandbox-detect.yaml rename to http/technologies/fortisandbox-detect.yaml From 534c3734d229ce99d0d5fa21691445073c72f859 Mon Sep 17 00:00:00 2001 From: rxerium Date: Wed, 15 Apr 2026 12:36:59 +0100 Subject: [PATCH 4/6] formats --- .../fortisandbox-panel.yaml} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename http/{technologies/fortisandbox-detect.yaml => exposed-panels/fortisandbox-panel.yaml} (92%) 
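Review bot: The request block under `http:` requires `status: 200` on `{{BaseURL}}/ng/login?returnUrl=%2F` but does not follow redirects, so a host that answers this path with a redirect (for example HTTP to HTTPS) is silently reported as not matching. For an exposure inventory that is a false negative; adding `host-redirects: true` and `max-redirects: 2` next to `method: GET` would cover it while staying on the same host. Whether the appliance redirects on this path is not visible from the patch, so confirm against a known instance before adding it.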
diff --git a/http/technologies/fortisandbox-detect.yaml b/http/exposed-panels/fortisandbox-panel.yaml similarity index 92% rename from http/technologies/fortisandbox-detect.yaml rename to http/exposed-panels/fortisandbox-panel.yaml index 62022c6e3338..0ccc8f592241 100644 --- a/http/technologies/fortisandbox-detect.yaml +++ b/http/exposed-panels/fortisandbox-panel.yaml @@ -1,7 +1,7 @@ -id: fortisandbox-detect +id: fortisandbox-panel-detect info: - name: FortiSandbox Detection + name: FortiSandbox Panel - Detect author: rxerium severity: info description: | From e55a526fc9c0d2c090f5b363f65c2ca9b64dcecf Mon Sep 17 00:00:00 2001 From: Aman Rawat <35992750+theamanrawat@users.noreply.github.com> Date: Wed, 15 Apr 2026 17:18:19 +0530 Subject: [PATCH 5/6] Update fortisandbox-panel.yaml --- http/exposed-panels/fortisandbox-panel.yaml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/http/exposed-panels/fortisandbox-panel.yaml b/http/exposed-panels/fortisandbox-panel.yaml index 0ccc8f592241..2c4fb7f0972a 100644 --- a/http/exposed-panels/fortisandbox-panel.yaml +++ b/http/exposed-panels/fortisandbox-panel.yaml @@ -1,12 +1,11 @@ -id: fortisandbox-panel-detect +id: fortisandbox-panel info: name: FortiSandbox Panel - Detect author: rxerium severity: info description: | - FortiSandbox is Fortinet's advanced sandbox solution for threat analysis and malware detection. - This template detects exposed FortiSandbox login and management interfaces. + Detected exposed FortiSandbox login and management interfaces. reference: - https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSandbox.pdf metadata: @@ -15,7 +14,7 @@ info: vendor: fortinet product: fortisandbox shodan-query: http.title:"FortiSandbox" - tags: fortinet,fortisandbox,panel,login,sandbox,discovery + tags: fortinet,fortisandbox,panel,login,discovery http: - method: GET 
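Review bot: The shortened `description` in the first hunk of PATCH 5/6 claims more than the template checks: the only request is to `/ng/login?returnUrl=%2F`, so what is detected is the login page, not "management interfaces" in general. It also drops the sentence saying what FortiSandbox is, which is the context someone triaging the finding needs. I would write `FortiSandbox login panel was detected.` and keep the one-line product description above it. The `info:` block continues outside this hunk.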
@@ -27,8 +26,8 @@ http: - type: word part: body words: - - 'FortiSandbox' + - 'FortiSandbox' - type: status status: - - 200 \ No newline at end of file + - 200 From 382e2219e732e44d8294ac8aa8d259aae485cd9d Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Sun, 19 Apr 2026 13:45:04 +0530 Subject: [PATCH 6/6] Update fortisandbox-panel.yaml --- http/exposed-panels/fortisandbox-panel.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/http/exposed-panels/fortisandbox-panel.yaml b/http/exposed-panels/fortisandbox-panel.yaml index 2c4fb7f0972a..7b1208af57c2 100644 --- a/http/exposed-panels/fortisandbox-panel.yaml +++ b/http/exposed-panels/fortisandbox-panel.yaml @@ -27,6 +27,7 @@ http: part: body words: - '<title>FortiSandbox' + - '<span>FortiSandbox' - type: status status:
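Review bot: The `words` list in the body matcher of PATCH 6/6 now has two entries and no `condition`, so it relies on nuclei's default of `or`; state it with `condition: or` under `part: body` so a later maintainer does not read the list as requiring both strings. The second string also loosens the body check, since any 200 page at this path containing `<span>FortiSandbox` now matches even when the title differs. That is presumably the intent for builds whose title changed, but a short YAML comment naming which build needs the `<span>` form would make that verifiable. The matcher block starts above the hunk.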