From 2c2a2ec3401f0c7e4f202892fde34fa0f8b2da0a Mon Sep 17 00:00:00 2001 From: Ayomiposi Ayoola Date: Fri, 27 Mar 2026 10:47:39 +0100 Subject: [PATCH 1/6] fix: correct graphql metadata and add gitlab CVE-2021-39935 detection module --- .../modules/vuln/gitlab_cve_2021_39935.yaml | 93 +++++++++++++++++++ nettacker/modules/vuln/graphql.yaml | 23 +++-- 2 files changed, 104 insertions(+), 12 deletions(-) create mode 100644 nettacker/modules/vuln/gitlab_cve_2021_39935.yaml diff --git a/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml b/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml new file mode 100644 index 000000000..52eec9a00 --- /dev/null +++ b/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml 
@@ -0,0 +1,93 @@ +info: + name: gitlab_cve_2021_39935_vuln + author: Ayomiposi Ayoola + severity: 8 + description: Detects GitLab instances vulnerable to CVE-2021-39935, + an unauthenticated Server-Side Request Forgery vulnerability in the + CI Lint API endpoint. Affects GitLab CE and EE versions 10.5 through + 14.5.1. Detection first confirms the instance is running a vulnerable + version via the public version API, then verifies the CI Lint endpoint + is accessible without authentication. Added to CISA KEV catalog with + federal patch deadline of February 24 2026. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-39935 + - https://gitlab.com/gitlab-org/gitlab/-/issues/346569 + - https://www.cisa.gov/known-exploited-vulnerabilities-catalog + - https://about.gitlab.com/releases/2021/02/11/security-release-gitlab-13-8-4-released/ + profiles: + - vuln + - http + - high_severity + - cve2021 + - cve + - gitlab + - ssrf + +payloads: + - library: http + steps: + - method: get + timeout: 3 + headers: + User-Agent: "{user_agent}" + allow_redirects: false + ssl: false + url: + nettacker_fuzzer: + input_format: "{{schema}}://{target}:{{ports}}/api/v4/version" + prefix: "" + suffix: "" + interceptors: + data: + schema: + - "http" + - "https" + ports: + - 80 + - 443 + - 8080 + - 8443 + response: + condition_type: and + conditions: + status_code: + regex: "200" + reverse: false + content: + regex: "\"version\":\"1[0-3]\\.|\"version\":\"14\\.[0-4]\\.|\"version\":\"14\\.5\\.0|\"version\":\"14\\.5\\.1" + reverse: false + - method: post + timeout: 3 + headers: + User-Agent: "{user_agent}" + Content-Type: "application/json" + allow_redirects: false + ssl: false + url: + nettacker_fuzzer: + input_format: "{{schema}}://{target}:{{ports}}/api/v4/ci/lint" + prefix: "" + suffix: "" + interceptors: + data: + schema: + - "http" + - "https" + ports: + - 80 + - 443 + - 8080 + - 8443 + json: + content: "stages: [test]" + dry_run: true + ref: "main" + response: + condition_type: and + 
conditions: + status_code: + regex: "200" + reverse: false + content: + regex: "valid|errors|warnings|merged_yaml" + reverse: false \ No newline at end of file diff --git a/nettacker/modules/vuln/graphql.yaml b/nettacker/modules/vuln/graphql.yaml index 2ddfddab1..84e430c25 100644 --- a/nettacker/modules/vuln/graphql.yaml +++ b/nettacker/modules/vuln/graphql.yaml @@ -2,8 +2,12 @@ info: name: graphql_vuln author: OWASP Nettacker Team severity: 3 - description: + description: Detects exposed GraphQL introspection endpoints which can + reveal the full API schema structure to unauthenticated attackers, + potentially exposing sensitive types, queries, and mutations. reference: + - https://graphql.org/learn/introspection/ + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL profiles: - vuln - http @@ -33,17 +37,12 @@ payloads: - 80 - 443 endpoint: - - 1239b01720/graphql + - graphql + - api/graphql + - v1/graphql + - query json: - query: " - {{ - __schema {{ - types {{ - name - }} - }} - }} - " + query: "{{__schema{{types{{name}}}}}}" variables: "{{}}" response: condition_type: and @@ -53,4 +52,4 @@ payloads: reverse: false content: regex: data|errors - reverse: false + reverse: false \ No newline at end of file From b37d7a6dcfd3a06dd84d5f881b054b245fc67d93 Mon Sep 17 00:00:00 2001 From: Ayomiposi Ayoola Date: Fri, 27 Mar 2026 11:06:46 +0100 Subject: [PATCH 2/6] fix: correct gitlab CVE metadata and add ivanti epm CVE-2026-1603 detection module --- .../modules/vuln/gitlab_cve_2021_39935.yaml | 2 +- .../vuln/ivanti_epm_cve_2026_1603.yaml | 63 +++++++++++++++++++ 2 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml diff --git a/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml b/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml index 52eec9a00..cf08aa574 100644 --- a/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml 
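Review bot: The version gate in the first step requires `status_code: 200` from `/api/v4/version`, but on GitLab that endpoint is, as far as I recall, authenticated-only and answers 401 to a tokenless request — if so, an unauthenticated scan never passes the gate and the module never reports, whatever the CI Lint step finds; confirm against a live instance or switch the gate to an unauthenticated version source, and state in `description` which one is assumed. The fourth reference (the 13.8.4 release from February 2021) predates this CVE's disclosure, so it looks like the wrong advisory, and the KEV deadline asserted in `description` should be checked against the catalog rather than stated as fact. Nothing here exercises the SSRF itself — the second step only shows the lint endpoint is reachable without auth — so a comment above that step, `# version fingerprint + unauthenticated exposure check, not an SSRF proof`, would set expectations for whoever triages the finding.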
+++ b/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml @@ -1,6 +1,6 @@ info: name: gitlab_cve_2021_39935_vuln - author: Ayomiposi Ayoola + author: OWASP Nettacker Team severity: 8 description: Detects GitLab instances vulnerable to CVE-2021-39935, an unauthenticated Server-Side Request Forgery vulnerability in the diff --git a/nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml b/nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml new file mode 100644 index 000000000..b3c366869 --- /dev/null +++ b/nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml 
@@ -0,0 +1,63 @@ +info: + name: ivanti_epm_cve_2026_1603_vuln + author: OWASP Nettacker Team + severity: 9 + description: Detects Ivanti Endpoint Manager instances vulnerable to + CVE-2026-1603, an authentication bypass via alternate path (CWE-288) + affecting all EPM versions prior to 2024 SU5. A remote unauthenticated + attacker sends a crafted HTTP request containing the magic number 64 + to bypass authentication controls and leak stored credential data + including Domain Administrator password hashes and service account + credentials from the EPM Credential Vault. Added to CISA KEV catalog + with federal patch deadline of March 23 2026. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2026-1603 + - https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024 + - https://www.cisa.gov/known-exploited-vulnerabilities-catalog + - https://www.zerodayinitiative.com/advisories/ZDI-26-1603/ + profiles: + - vuln + - http + - high_severity + - cve2026 + - cve + - ivanti + - auth_bypass + +payloads: + - library: http + steps: + - method: get + timeout: 3 + headers: + User-Agent: "{user_agent}" + X-Ivanti-Magic: "64" + allow_redirects: false + ssl: false + url: + nettacker_fuzzer: + input_format: "{{schema}}://{target}:{{ports}}/{{endpoint}}" + prefix: "" + suffix: "" + interceptors: + data: + schema: + - "http" + - "https" + ports: + - 80 + - 443 + - 8443 + endpoint: + - dms/portal + - dms/services/AuthenticationService + - dms/authenticate + response: + condition_type: and + conditions: + status_code: + regex: "200" + reverse: false + content: + regex: "Ivanti|EPM|LanDesk|credential|Endpoint.Manager" + reverse: false \ No newline at end of file From 87b4ebd3d3d1be4fd3212ec767b688bd52e17d00 Mon Sep 17 00:00:00 2001 
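Review bot: The response conditions never depend on the `X-Ivanti-Magic: "64"` header — a 200 from `dms/portal` whose body contains `Ivanti`, `EPM` or `credential` matches whether or not the instance is patched, so at `severity: 9` every reachable EPM (and any login page that mentions credentials) is reported as vulnerable to CVE-2026-1603. Neither the header name nor the three endpoints can be traced to the cited advisory from this diff; if they come from the advisory or a public PoC, cite it next to the step, otherwise gate on a version or on an artifact only the bypass produces and say in `description` that this is an exposure fingerprint rather than a confirmation. The ZDI reference `ZDI-26-1603` also looks derived from the CVE number — ZDI IDs are sequential and do not track CVE numbering — so that URL should be verified before merge.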
From: Ayomiposi Ayoola Date: Fri, 27 Mar 2026 11:12:35 +0100 Subject: [PATCH 3/6] fix: update Ivanti EPM CVE-2026-1603 detection module and adjust severity --- .gitignore | 1 + .../modules/vuln/gitlab_cve_2021_39935.yaml | 3 +- .../vuln/ivanti_epm_cve_2026_1603.yaml | 126 +++++++++--------- 3 files changed, 66 insertions(+), 64 deletions(-) diff --git a/.gitignore b/.gitignore index b5debb571..2e50cf307 100644 --- a/.gitignore +++ b/.gitignore @@ -31,3 +31,4 @@ results.* coverage.xml venv +report.html diff --git a/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml b/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml index cf08aa574..5549d9b2f 100644 --- a/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml +++ b/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml @@ -90,4 +90,5 @@ payloads: reverse: false content: regex: "valid|errors|warnings|merged_yaml" - reverse: false \ No newline at end of file + reverse: false + \ No newline at end of file diff --git a/nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml b/nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml index b3c366869..e3b73e035 100644 --- a/nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml +++ b/nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml 
@@ -1,63 +1,63 @@ -info: - name: ivanti_epm_cve_2026_1603_vuln - author: OWASP Nettacker Team - severity: 9 - description: Detects Ivanti Endpoint Manager instances vulnerable to - CVE-2026-1603, an authentication bypass via alternate path (CWE-288) - affecting all EPM versions prior to 2024 SU5. A remote unauthenticated - attacker sends a crafted HTTP request containing the magic number 64 - to bypass authentication controls and leak stored credential data - including Domain Administrator password hashes and service account - credentials from the EPM Credential Vault. Added to CISA KEV catalog - with federal patch deadline of March 23 2026. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2026-1603 - - https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024 - - https://www.cisa.gov/known-exploited-vulnerabilities-catalog - - https://www.zerodayinitiative.com/advisories/ZDI-26-1603/ - profiles: - - vuln - - http - - high_severity - - cve2026 - - cve - - ivanti - - auth_bypass - -payloads: - - library: http - steps: - - method: get - timeout: 3 - headers: - User-Agent: "{user_agent}" - X-Ivanti-Magic: "64" - allow_redirects: false - ssl: false - url: - nettacker_fuzzer: - input_format: "{{schema}}://{target}:{{ports}}/{{endpoint}}" - prefix: "" - suffix: "" - interceptors: - data: - schema: - - "http" - - "https" - ports: - - 80 - - 443 - - 8443 - endpoint: - - dms/portal - - dms/services/AuthenticationService - - dms/authenticate - response: - condition_type: and - conditions: - status_code: - regex: "200" - reverse: false - content: - regex: "Ivanti|EPM|LanDesk|credential|Endpoint.Manager" - reverse: false \ No newline at end of file +info: + name: ivanti_epm_cve_2026_1603 + author: OWASP Nettacker Team + severity: 8 + description: Detects Ivanti Endpoint Manager instances vulnerable to + CVE-2026-1603, an authentication bypass via alternate path (CWE-288) + affecting all EPM versions prior to 2024 SU5. 
A remote unauthenticated + attacker sends a crafted HTTP request containing the magic number 64 + to bypass authentication controls and leak stored credential data + including Domain Administrator password hashes and service account + credentials from the EPM Credential Vault. Added to CISA KEV catalog + with federal patch deadline of March 23 2026. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2026-1603 + - https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024 + - https://www.cisa.gov/known-exploited-vulnerabilities-catalog + - https://www.zerodayinitiative.com/advisories/ZDI-26-1603/ + profiles: + - vuln + - http + - high_severity + - cve2026 + - cve + - ivanti + - auth_bypass + +payloads: + - library: http + steps: + - method: get + timeout: 3 + headers: + User-Agent: "{user_agent}" + X-Ivanti-Magic: "64" + allow_redirects: false + ssl: false + url: + nettacker_fuzzer: + input_format: "{{schema}}://{target}:{{ports}}/{{endpoint}}" + prefix: "" + suffix: "" + interceptors: + data: + schema: + - "http" + - "https" + ports: + - 80 + - 443 + - 8443 + endpoint: + - dms/portal + - dms/services/AuthenticationService + - dms/authenticate + response: + condition_type: and + conditions: + status_code: + regex: "200" + reverse: false + content: + regex: "Ivanti|EPM|LanDesk|credential|Endpoint.Manager" + reverse: false From 7ca1fd710c624aaccc46fb038525720e4bb1a54d Mon Sep 17 00:00:00 2001 From: Ayomiposi Ayoola Date: Fri, 27 Mar 2026 11:43:50 +0100 Subject: [PATCH 4/6] fix: update regex patterns in vulnerability detection modules for improved accuracy --- nettacker/modules/vuln/gitlab_cve_2021_39935.yaml | 10 ++++++---- nettacker/modules/vuln/graphql.yaml | 5 +++-- nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml | 2 +- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml b/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml index 5549d9b2f..8728f13b6 100644 
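Review bot: Every line of the file is removed and re-added while only `name` and `severity` actually change, which points to a line-ending or trailing-whitespace rewrite; normalize the file to LF before merge so the two real edits are visible in `git diff -w` and the next change stays reviewable. The new `name: ivanti_epm_cve_2026_1603` drops the `_vuln` suffix that `gitlab_cve_2021_39935_vuln` and `graphql_vuln` carry in this same series while the file still lives under `modules/vuln/`; keep `name: ivanti_epm_cve_2026_1603_vuln` unless the suffix is deliberately being retired across modules. The 9→8 severity drop is not explained in the commit message, and the description still claims Domain Administrator hash leakage, so a one-line rationale there would help.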
--- a/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml +++ b/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml @@ -22,7 +22,7 @@ info: - cve - gitlab - ssrf - + payloads: - library: http steps: @@ -48,14 +48,16 @@ payloads: - 8080 - 8443 response: + save_to_temp_events_only: gitlab_version_check condition_type: and conditions: status_code: regex: "200" reverse: false content: - regex: "\"version\":\"1[0-3]\\.|\"version\":\"14\\.[0-4]\\.|\"version\":\"14\\.5\\.0|\"version\":\"14\\.5\\.1" + regex: "\"version\":\"10\\.[5-9]\\.|\"version\":\"10\\.\\d{2,}\\.|\"version\":\"1[1-3]\\.|\"version\":\"14\\.[0-4]\\.|\"version\":\"14\\.5\\.0|\"version\":\"14\\.5\\.1" reverse: false + - method: post timeout: 3 headers: @@ -83,12 +85,12 @@ payloads: dry_run: true ref: "main" response: + dependent_on_temp_event: gitlab_version_check condition_type: and conditions: status_code: regex: "200" reverse: false content: - regex: "valid|errors|warnings|merged_yaml" + regex: "__schema|types.*name" reverse: false - \ No newline at end of file diff --git a/nettacker/modules/vuln/graphql.yaml b/nettacker/modules/vuln/graphql.yaml index 84e430c25..7141bd387 100644 --- a/nettacker/modules/vuln/graphql.yaml +++ b/nettacker/modules/vuln/graphql.yaml @@ -51,5 +51,6 @@ payloads: regex: "200" reverse: false content: - regex: data|errors - reverse: false \ No newline at end of file + regex: "__schema|types.*name" + reverse: false + \ No newline at end of file diff --git a/nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml b/nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml index e3b73e035..a085b7b1b 100644 --- a/nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml +++ b/nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml @@ -59,5 +59,5 @@ payloads: regex: "200" reverse: false content: - regex: "Ivanti|EPM|LanDesk|credential|Endpoint.Manager" + regex: "Ivanti|EPM|LanDesk|credential|Endpoint\\.Manager" reverse: false From d075174f4a3df6b938cfe1767a97c2dec93d288b Mon Sep 17 00:00:00 2001 
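Review bot: The new version regex treats every 14.3.x and 14.4.x release as vulnerable, but if the fix for CVE-2021-39935 was backported to those branches (the NVD entry should list the patched point release per branch), instances on those backports will be flagged; the ranges should stop at the first fixed patch of each branch rather than run to 14.5.1, and until that is confirmed a `# TODO: verify fixed point releases per branch against NVD` above the regex is warranted. The `10\\.\\d{2,}\\.` alternative matches 10.10+ which, as far as I know, never shipped and can be dropped. The `save_to_temp_events_only` / `dependent_on_temp_event: gitlab_version_check` pair is the right fix for the previously independent second step.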
From: Ayomiposi Ayoola Date: Fri, 27 Mar 2026 18:23:36 +0100 Subject: [PATCH 5/6] fix: update GraphQL introspection query and regex patterns for improved detection --- nettacker/modules/vuln/gitlab_cve_2021_39935.yaml | 4 ++-- nettacker/modules/vuln/graphql.yaml | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml b/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml index 8728f13b6..17180ce96 100644 --- a/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml +++ b/nettacker/modules/vuln/gitlab_cve_2021_39935.yaml @@ -22,7 +22,7 @@ info: - cve - gitlab - ssrf - + payloads: - library: http steps: @@ -92,5 +92,5 @@ payloads: regex: "200" reverse: false content: - regex: "__schema|types.*name" + regex: '"status"\s*:\s*"(valid|invalid)"|"errors"\s*:\s*\[' reverse: false diff --git a/nettacker/modules/vuln/graphql.yaml b/nettacker/modules/vuln/graphql.yaml index 7141bd387..d68c59648 100644 --- a/nettacker/modules/vuln/graphql.yaml +++ b/nettacker/modules/vuln/graphql.yaml @@ -42,7 +42,7 @@ payloads: - v1/graphql - query json: - query: "{{__schema{{types{{name}}}}}}" + query: "{__schema{types{name}}}" variables: "{{}}" response: condition_type: and @@ -53,4 +53,3 @@ payloads: content: regex: "__schema|types.*name" reverse: false - \ No newline at end of file From 55fc7b5f44f3cc5a46d137fcefff17f686bc2fdc Mon Sep 17 00:00:00 2001 From: Ayomiposi Ayoola Date: Fri, 27 Mar 2026 18:31:53 +0100 Subject: [PATCH 6/6] fix: add a more robust regex to graphql.yaml --- nettacker/modules/vuln/graphql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nettacker/modules/vuln/graphql.yaml b/nettacker/modules/vuln/graphql.yaml index d68c59648..2e9f7038b 100644 --- a/nettacker/modules/vuln/graphql.yaml +++ b/nettacker/modules/vuln/graphql.yaml @@ -51,5 +51,5 @@ payloads: regex: "200" reverse: false content: - regex: "__schema|types.*name" + regex: "(?s)__schema|types.*name" reverse: false
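Review bot: After this change `query` uses single braces (`{__schema{types{name}}}`) while `variables` on the next line keeps the doubled form `"{{}}"`; both values presumably pass through the same placeholder substitution that `{target}` uses, so one of the two escapings is wrong — either the query reaches the server with braces consumed or raises a format error, or `variables` is sent as the literal text `{{}}`. Pick one convention for both lines, `variables: "{}"` if single braces are literal here. Also `variables` is a JSON string rather than an object; some servers answer 400 to a string-valued `variables`, which the `status_code: 200` condition then silently misses, so sending an empty object is the safer shape.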
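Review bot: `(?s)__schema|types.*name` still reports introspection as exposed when it is disabled: servers that refuse introspection commonly echo the offending field name in the error message, so `__schema` matches the rejection, and with DOTALL `types.*name` matches any body that has the word `types` anywhere before `name`. Match the success shape instead, `regex: '"__schema"\s*:\s*\{|"types"\s*:\s*\['`, which requires the field to appear as a JSON key under `data` rather than inside an error string. The status-code condition can stay as is.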