Merge pull request #11312 from projectdiscovery/exposed-pki-cert

Create exposed-pki-cert.yaml
projectdiscovery · Dec 9, 2024 · ff4db92 · ff4db92
2 parents ad36c9a + 82107cf
commit ff4db92
Showing 1 changed file with 60 additions and 0 deletions.
diff --git a/http/exposures/files/exposed-pki-cert.yaml b/http/exposures/files/exposed-pki-cert.yaml
@@ -0,0 +1,60 @@
+id: exposed-pki-cert
+
+info:
+  name: Exposed Internal PKI Infrastructure - Detect
+  author: nullenc0de
+  severity: high
+  description: |
+    Detects exposed internal PKI infrastructure including CRL distribution points and OCSP responders
+  metadata:
+    verified: true
+    max-request: 10
+  tags: pki,exposure,misconfig
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/{{paths}}"
+
+    payloads:
+      paths:
+        - ""
+        - "certsrv/"
+        - "pki/"
+        - "PKI/"
+        - "crl/"
+        - "CRL/"
+        - ".well-known/pki-validation/"
+        - "ocsp/"
+        - "CertEnroll/"
+        - "CertSrv/"
+
+    stop-at-first-match: true
+    host-redirects: true
+    max-redirects: 2
+    matchers-condition: or
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains_any(body, "Certificate Services", "CRL Distribution Point", "OCSP Responder")'
+          - '!regex("^This is an OCSP responder.$", body)'
+        condition: and
+
+      - type: regex
+        regex:
+          - 'CN=[A-Za-z0-9-]+-CA'
+          - '(?i)<a\s+href="([^"]+\.crl)"[^>]*>[^<]*\.crl<\/a>'
+          - '(?i)<a\s+href="([^"]+\.cer)"[^>]*>[^<]*\.cer<\/a>'
+          - '(?i)<a\s+href="([^"]+\.p7b)"[^>]*>[^<]*\.p7b<\/a>'
+          - '(?i)href="([^"]+\.crl)"'
+          - '(?i)href="([^"]+\.cer)"'
+          - '(?i)href="([^"]+\.p7b)"'
+        condition: or
+
+    extractors:
+      - type: regex
+        name: certificate_details
+        regex:
+          - "CN=[A-Za-z0-9-]+-CA"
+          - "O=[A-Za-z0-9 ]+"
+          - "OU=[A-Za-z0-9 ]+"