Fix graphql vuln module metadata and add GitLab and Ivanti EPM CVE detection modules

.gitignore

@@ -31,3 +31,4 @@ results.*
 coverage.xml
 
 venv
+report.html

nettacker/modules/vuln/gitlab_cve_2021_39935.yaml

@@ -0,0 +1,96 @@
+info:
+  name: gitlab_cve_2021_39935_vuln
+  author: OWASP Nettacker Team
+  severity: 8
+  description: Detects GitLab instances vulnerable to CVE-2021-39935,
+    an unauthenticated Server-Side Request Forgery vulnerability in the
+    CI Lint API endpoint. Affects GitLab CE and EE versions 10.5 through
+    14.5.1. Detection first confirms the instance is running a vulnerable
+    version via the public version API, then verifies the CI Lint endpoint
+    is accessible without authentication. Added to CISA KEV catalog with
+    federal patch deadline of February 24 2026.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-39935
+    - https://gitlab.com/gitlab-org/gitlab/-/issues/346569
+    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
+    - https://about.gitlab.com/releases/2021/02/11/security-release-gitlab-13-8-4-released/
+  profiles:
+    - vuln
+    - http
+    - high_severity
+    - cve2021
+    - cve
+    - gitlab
+    - ssrf
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/api/v4/version"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+                - 8080
+                - 8443
+        response:
+          save_to_temp_events_only: gitlab_version_check
+          condition_type: and
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            content:
+              regex: "\"version\":\"10\\.[5-9]\\.|\"version\":\"10\\.\\d{2,}\\.|\"version\":\"1[1-3]\\.|\"version\":\"14\\.[0-4]\\.|\"version\":\"14\\.5\\.0|\"version\":\"14\\.5\\.1"
+              reverse: false
+
+      - method: post
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+          Content-Type: "application/json"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/api/v4/ci/lint"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+                - 8080
+                - 8443
+        json:
+          content: "stages: [test]"
+          dry_run: true
+          ref: "main"
+        response:
+          dependent_on_temp_event: gitlab_version_check
+          condition_type: and
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            content:
+              regex: '"status"\s*:\s*"(valid|invalid)"|"errors"\s*:\s*\['
+              reverse: false

nettacker/modules/vuln/graphql.yaml

@@ -2,8 +2,12 @@ info:
   name: graphql_vuln
   author: OWASP Nettacker Team
   severity: 3
-  description:
+  description: Detects exposed GraphQL introspection endpoints which can
+    reveal the full API schema structure to unauthenticated attackers,
+    potentially exposing sensitive types, queries, and mutations.
   reference:
+    - https://graphql.org/learn/introspection/
+    - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL
   profiles:
     - vuln
     - http
@@ -33,17 +37,12 @@ payloads:
                 - 80
                 - 443
               endpoint:
-                - 1239b01720/graphql
+                - graphql
+                - api/graphql
+                - v1/graphql
+                - query
         json:
-          query: "
-          {{
-              __schema {{
-                  types {{
-                  name
-                  }}
-              }}
-              }}
-          "
+          query: "{__schema{types{name}}}"
           variables: "{{}}"
         response:
           condition_type: and
@@ -52,5 +51,5 @@ payloads:
               regex: "200"
               reverse: false
             content:
-              regex: data|errors
+              regex: "__schema|types.*name"
               reverse: false

nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml

@@ -0,0 +1,63 @@
+info:
+  name: ivanti_epm_cve_2026_1603
+  author: OWASP Nettacker Team
+  severity: 8
+  description: Detects Ivanti Endpoint Manager instances vulnerable to
+    CVE-2026-1603, an authentication bypass via alternate path (CWE-288)
+    affecting all EPM versions prior to 2024 SU5. A remote unauthenticated
+    attacker sends a crafted HTTP request containing the magic number 64
+    to bypass authentication controls and leak stored credential data
+    including Domain Administrator password hashes and service account
+    credentials from the EPM Credential Vault. Added to CISA KEV catalog
+    with federal patch deadline of March 23 2026.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-1603
+    - https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024
+    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
+    - https://www.zerodayinitiative.com/advisories/ZDI-26-1603/
+  profiles:
+    - vuln
+    - http
+    - high_severity
+    - cve2026
+    - cve
+    - ivanti
+    - auth_bypass
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+          X-Ivanti-Magic: "64"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/{{endpoint}}"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+                - 8443
+              endpoint:
+                - dms/portal
+                - dms/services/AuthenticationService
+                - dms/authenticate
+        response:
+          condition_type: and
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            content:
+              regex: "Ivanti|EPM|LanDesk|credential|Endpoint\\.Manager"
+              reverse: false