forked from mirrors/kingfisher
38 lines
1.5 KiB
YAML
38 lines
1.5 KiB
YAML
rules:
|
|
- name: FileZilla base64 encoded password
|
|
id: kingfisher.filezilla.1
|
|
pattern: <Pass\b[^>]*\bencoding\s*=\s*"(?:base64|radix64)"[^>]*>\s*([A-Za-z0-9+/]{8,}={0,2})\s*</Pass>
|
|
min_entropy: 3.2
|
|
confidence: low
|
|
pattern_requirements:
|
|
ignore_if_contains:
|
|
- "ZXhhbXBsZQ==" # "example" (base64)
|
|
- "cGFzc3dvcmQ=" # "password" (base64)
|
|
- "Y2hhbmdlbWU=" # "changeme" (base64)
|
|
examples:
|
|
- '<Pass encoding="base64">VGhpc0lzQVRlc3RQYXNzd29yZA==</Pass>'
|
|
- '<FileZilla3><RecentServers><Server><Pass encoding="base64">NjllNWU5ZWMwZDU0MmU5Y2QwOTY4MWM5YzZhMDdkYWVmNjg3OWE3MDMzM2Q4MWJmCg==</Pass></Server></RecentServers></FileZilla3>'
|
|
references:
|
|
- https://forum.filezilla-project.org/viewtopic.php?style=246&t=38820
|
|
- https://forum.filezilla-project.org/viewtopic.php?p=133138
|
|
- https://forum.filezilla-project.org/viewtopic.php?t=24758
|
|
|
|
- name: FileZilla stored password (Pass plaintext)
|
|
id: kingfisher.filezilla.2
|
|
pattern: <Pass>\s*([^<\r\n]{4,128})\s*</Pass>
|
|
min_entropy: 2.8
|
|
confidence: low
|
|
pattern_requirements:
|
|
ignore_if_contains:
|
|
- example
|
|
- Example
|
|
- password
|
|
- Password
|
|
- changeme
|
|
- ChangeMe
|
|
examples:
|
|
- "<Pass>ExamplePas123</Pass>"
|
|
- "<FileZilla3><Servers><Server><Pass>superS3cret!</Pass></Server></Servers></FileZilla3>"
|
|
references:
|
|
- https://stackoverflow.com/questions/29790136/filezilla-plain-text-password
|
|
- https://forum.filezilla-project.org/viewtopic.php?t=24758
|