Create WebDavMethodsExposed.yml

Security-Misconfiguration/WebDavMethodsExposed.yml

@@ -0,0 +1,103 @@
+---
+id: WEBDAV_METHODS_EXPOSED
+info:
+  name: WebDAV Methods Exposed
+  description: |
+    "WebDAV (Web Distributed Authoring and Versioning) is an extension of HTTP that allows clients to perform remote web content authoring operations. When WebDAV methods are exposed on a server without proper security controls, attackers may leverage these methods to upload, modify, or delete files on the server."
+  details: |
+    "WebDAV methods such as MKCOL, COPY and MOVE can be used for remote content manipulation. If these methods are enabled and not secured with proper authentication and access control, attackers can exploit them to gain unauthorized access to sensitive files, upload malicious content, or delete important resources on the server. This can lead to server compromise, defacement, or data loss."
+  impact: |
+    "Exposing WebDAV methods without proper security controls poses a significant risk to the server's integrity. Attackers can exploit WebDAV to upload malicious files, modify existing content, or delete critical data. Unauthorized access to WebDAV functionality can lead to system compromise, website defacement, or even a full-scale breach of sensitive information. Properly securing these methods is essential to preventing unauthorized access and ensuring the security of the web application."
+
+  category:
+    name: SM
+    shortName: Misconfiguration
+    displayName: Security Misconfiguration (SM)
+  subCategory: WEBDAV_METHODS_EXPOSED
+  severity: HIGH
+  references:
+    - https://learn.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2003/aa142816(v=exchg.65)
+    - https://learn.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2003/aa142926(v=exchg.65)
+    - https://learn.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2003/aa142923(v=exchg.65)
+  cwe:
+    - CWE-16  
+    - CWE-200
+  cve:
+    - CVE-2015-4050  
+
+api_selection_filters:
+  method:
+    neq: "OPTIONS"
+  response_code:
+    gte: 200
+    lt: 300
+
+wordLists:
+  attemptPaths:
+    - /admin/
+    - /content/
+    - /webdav/
+    - /dav/
+    - /uploads/
+    - /assets/
+    - /content/
+
+  attemptMethods:
+    - COPY
+    - MOVE
+    - MKCOL
+
+execute:
+  type: single
+  requests:
+    - req:
+      - modify_method: ${attemptMethods}
+      - modify_url: ${attemptPaths}
+      - add_header:
+          Destination: ${attemptPaths}
+
+validate:
+  response_code:
+    or:
+    - eq: 201
+    - eq: 204
+    - eq: 507
+    - eq: 409
+    - eq: 412
+    - eq: 423
+  response_payload:
+    length: 
+      gt: 0
+    not_contains:
+    - Error
+    - Internal Server
+    - Failed
+    - Unauthorized
+    - access denied
+    - Forbidden
+    - Method Not allowed
+    - Gateway timeout
+    - request timeout
+    - server error
+    - server busy
+    - authentication error
+    - authorization error
+    - validation error
+    - Permission Denied
+    - invalid token
+    - token expired
+    - session expired
+    - session timeout
+    - unexpected error
+    - unable to process request
+    - bad request
+    - service unavailable
+    - account is locked
+    - account is blocked
+    - multiple failed attempts
+    - Attention Required!
+    - CloudFlare
+    - "Sorry, you have been blocked"
+
+strategy:
+  run_once: /