Merge branch 'master' into add-fortivoice-cve-2025-32756

Author: Raavi29

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,26 +1,34 @@
 <!--
-  Thanks for contributing to OWASP Nettacker!
+  Thanks for contributing to OWASP Nettacker! 
+  Please read and follow the instructions!
+  Please DO NOT REMOVE THIS PR TEMPLATE AND THE PR CHECKLIST AT THE BOTTOM!
 -->
 
 ## Proposed change
 
 <!--
   Describe the big picture of your changes.
-  Don't forget to link your PR to an existing issue if any.
+  Don't forget to link your PR to a new or existing issue.
+  Remember to digitally sign your commits, run tests, attach screenshot/video evidence, add documentation
+  Check and follow the contribution guidelines here: https://nettacker.readthedocs.io/en/latest/Developers/#contribution-guidelines
+  We use CodeRabbit.AI to perform the first round of PR reviews
+  PRs failing to comply with the contribution guidelines and PR checks in this template may be auto-closed without a human maintainer review
 -->
 
-Your PR description goes here.
+Your PR description goes here:
+
+
 
 ## Type of change
 
 <!--
-  Type of change you want to introduce. Please, check one (1) box only!
-  If your PR requires multiple boxes to be checked, most likely it needs to
-  be split into multiple PRs.
+  Type of change you want to introduce. 
+  Select one (1) option only.
+  If your PR seems to fit multiple options, it likely should be split into multiple PRs.
 -->
 
 - [ ] New core framework functionality
-- [ ] Bugfix (non-breaking change which fixes an issue)
+- [ ] Bugfix (non-breaking change that fixes an issue)
 - [ ] Code refactoring without any functionality changes
 - [ ] New or existing module/payload change
 - [ ] Documentation/localization improvement
@@ -31,17 +39,17 @@ Your PR description goes here.
 ## Checklist
 
 <!--
-  Put an `x` in the boxes that apply. You can change them after PR is created.
+  Put an `x` in the boxes that apply. You can change them after the PR is created.
 -->
 
 - [ ] I've followed the [contributing guidelines][contributing-guidelines]
-- [ ] I have **digitally signed** all my commits in this PR
+- [ ] I've **digitally signed** all my commits in this PR
 - [ ] I've run `make pre-commit` and confirm it didn't generate any warnings/changes
-- [ ] I've run `make test`, I confirm all tests passed locally
+- [ ] I've run `make test` and I confirm all tests passed locally
 - [ ] I've added/updated any relevant documentation in the `docs/` folder 
 - [ ] I've linked this PR with an open issue
 - [ ] I've tested and verified that my code works as intended and resolves the issue as described
-- [ ] I have attached screenshots demonstrating my code works as intended
+- [ ] I've attached screenshots demonstrating that my code works as intended (if applicable)
 - [ ] I've checked all other open PRs to avoid submitting duplicate work
 - [ ] I confirm that the code and comments in this PR are not direct unreviewed outputs of AI
 - [ ] I confirm that I am the Sole Responsible Author for every line of code, comment, and design decision
@@ -50,4 +58,4 @@ Your PR description goes here.
   Thanks again for your contribution!
 -->
 
-[contributing-guidelines]: https://nettacker.readthedocs.io/en/latest/Developers/
+[contributing-guidelines]: https://nettacker.readthedocs.io/en/latest/Developers/#contribution-guidelines

.github/dependabot.yml

@@ -1,31 +1,61 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
 version: 2
 updates:
-  - package-ecosystem: "pip" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: 'docker'
+    cooldown:
+      default-days: 21
+    directory: '/'
+    groups:
+      version-updates:
+        applies-to: version-updates
+        patterns:
+          - '*'
     schedule:
-      interval: "daily"
+      interval: 'weekly'
 
-  - package-ecosystem: "docker" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: 'github-actions'
+    cooldown:
+      default-days: 21
+    directory: '/'
+    groups:
+      version-updates:
+        applies-to: version-updates
+        patterns:
+          - '*'
     schedule:
-      interval: "daily"
+      interval: 'weekly'
 
-  - package-ecosystem: "mix" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: 'gitsubmodule'
+    cooldown:
+      default-days: 21
+    directory: '/'
+    groups:
+      version-updates:
+        applies-to: version-updates
+        patterns:
+          - '*'
     schedule:
-      interval: "daily"
+      interval: 'weekly'
 
-  - package-ecosystem: "github-actions" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: 'mix'
+    cooldown:
+      default-days: 21
+    directory: '/'
+    groups:
+      version-updates:
+        applies-to: version-updates
+        patterns:
+          - '*'
     schedule:
-      interval: "daily"
+      interval: 'weekly'
 
-  - package-ecosystem: "gitsubmodule" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: 'pip'
+    cooldown:
+      default-days: 21
+    directory: '/'
+    groups:
+      version-updates:
+        applies-to: version-updates
+        patterns:
+          - '*'
     schedule:
-      interval: "daily"
+      interval: 'weekly'

.github/workflows/ci_cd.yml

@@ -54,12 +54,12 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13
         with:
           languages: ${{ matrix.language }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13
         with:
           category: /language:${{ matrix.language }}
 
@@ -269,7 +269,7 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Login to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
@@ -304,7 +304,7 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a
       - name: Login to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

README.md

@@ -45,7 +45,7 @@ OWASP Nettacker is an open-source, Python-based automated penetration testing an
   Automate and scale common reconnaissance tasks like subdomain enumeration, directory brute-forcing, and default credential checks to speed up finding targets.  
 
 - **Network Vulnerability Scanning**  
-  Efficiently scan IPs, IP ranges, or entire CIDR blocks or all subdmains of the organisation in parallel using a modular, multithreaded approach for large-scale network assessments.  
+  Efficiently scan IPs, IP ranges, or entire CIDR blocks or all subdomains of the organisation in parallel using a modular, multithreaded approach for large-scale network assessments.  
 
 - **Shadow IT & Asset Discovery**  
   Use historical scan data and drift detection to uncover unmanaged or forgotten hosts, open ports/services, and subdomains appearing over time.  

docs/Events.md

@@ -6,9 +6,9 @@ The OWASP Nettacker Events page lists various conferences and meetups where the
   * OFFSECONF 2017 Introduction Presentation [[1](https://drive.google.com/file/d/1Ox1xpvncPgSZPaFjvTQvkOwxP3to7Rqk/view?usp=sharing)]
 * OWASP Nettacker Accepted for **Google Summer of Code 2018** [[1](https://www.owasp.org/index.php/GSOC2018_Ideas)] [[2](https://summerofcode.withgoogle.com/organizations/6664778743808000/)]
   * OWASP Nettacker Video Conference/Webinar for GSoC Team 1 May 2018 - **Vahid Behzadan - ML/AI in CyberSecurity** [[1](https://www.youtube.com/watch?v=7RQH8oECSyg)]
-  * **Shaddy Garg**'s GSoC Experince [[1](https://medium.com/@shaddygarg/google-summer-of-code-final-submission-12eb98993ba8)]
-  * **Pradeep Jairamani**'s GSoC Experince [[1](https://medium.com/@pradeepjairamani/google-summer-of-code-final-submission-7a498856c914)]
-* OWASP Nettacker Tutorial by at **OWASP Bay Area** meetup (Presented by **Vahid Behzadan** - Sponsered by **OWASP Bay Area**) [[1](https://www.youtube.com/watch?v=4pu4hJMk6m8)]
+  * **Shaddy Garg**'s GSoC Experience [[1](https://medium.com/@shaddygarg/google-summer-of-code-final-submission-12eb98993ba8)]
+  * **Pradeep Jairamani**'s GSoC Experience [[1](https://medium.com/@pradeepjairamani/google-summer-of-code-final-submission-7a498856c914)]
+* OWASP Nettacker Tutorial at **OWASP Bay Area** meetup (Presented by **Vahid Behzadan** - Sponsored by **OWASP Bay Area**) [[1](https://www.youtube.com/watch?v=4pu4hJMk6m8)]
 * OWASP Nettacker Presented By Ali Razmjoo in OWASP Iran Chapter Meeting July 2018 [[1](https://www.owasp.org/index.php/Iran#tab=Past_Events)]
 * OWASP Nettacker ICS Section Presented in **P0SCON 2018 By Mohammad Reza Zamiri** [[1](http://www.poscon.ir/)] 
 * OWASP Nettacker ICS Section will be presented in **KasperSky Industrial Cybersecurity**: Opportunities and challenges in Digital Transformation 2018 by **Mohammad Reza Zamiri** [[1](https://github.com/zdresearch/OWASP-Nettacker/tree/master/lib/payload/scanner/ics_honeypot)] [[2](https://ics.kaspersky.com/conference/)]

docs/Modules.md

@@ -144,6 +144,7 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 - '**content_type_options_vuln**' - check the web server for missing 'X-Content-Type-Options'=nosniff header
 - '**crushftp_cve_2025_31161_vuln**' - check the target for CrushFTP CVE-2025-31161 vulnerability
 - '**f5_cve_2020_5902_vuln**' - check the target for F5 RCE CVE-2020-5902 vulnerability
+- '**geoserver_cve_2024_36401_vuln**' - check the target for CVE-2024-36401 vulnerability
 - '**heartbleed_vuln**' - check SSL for Heartbleed vulnerability (CVE-2014-0160)
 - '**msexchange_cve_2021_26855**' - check the target for MS Exchange SSRF CVE-2021-26855 (proxylogon/hafnium)
 - '**nextjs_cve_2025_55182_vuln**' - check the target for CVE-2025-55182(React2Shell)

docs/README.md

@@ -1,3 +1,3 @@
 # Documentation 
 
-OWASP Nettacker documentaion is now available on ReadTheDocs: [https://nettacker.readthedocs.io](https://nettacker.readthedocs.io)
+OWASP Nettacker documentation is now available on ReadTheDocs: [https://nettacker.readthedocs.io](https://nettacker.readthedocs.io)

docs/Usage.md

@@ -246,7 +246,7 @@ usage: Nettacker [-L LANGUAGE] [-v] [--verbose-event] [-V] [-o REPORT_PATH_FILEN
                         خواندن کلمه عبور (ها) از فایل
   -g PORTS, --ports PORTS
                         لیست درگاه (ها)، با "," جدا شود
-  --schema SCHMEA       schema(s) list, separate with ","
+  --schema SCHEMA       schema(s) list, separate with ","
   --user-agent USER_AGENT
                         Select a user agent to send with HTTP requests or enter "random_user_agent" to randomize the
                         User-Agent in the requests.
@@ -547,7 +547,7 @@ def nettacker_user_application_config():
 4. SARIF (.sarif)
 5. DefectDojo compatible json (.dd.json)
 
-These output types will help with integration with different softwares and dashboards. To set the output mode use the `-o` or `--output` flag
+These output types will help with integration with different software and dashboards. To set the output mode use the `-o` or `--output` flag
 
 ```
 python nettacker.py -i 192.168.1.1/24 --profile information_gathering -o report.sarif

nettacker/modules/vuln/geoserver_cve_2024_36401.yaml

@@ -0,0 +1,134 @@
+info:
+  name: geoserver_cve_2024_36401_vuln
+  author: Sankalp Bansal
+  severity: 9.8
+  description: >
+    CVE-2024-36401 is a critical vulnerability in GeoServer, an opensource
+    server that allows user to edit and share geospatial data. The Geoserver
+    library API passes property names as common-jsxpath library which can
+    execute arbitrary code when processing XPath expressions.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/cve-2024-36401
+    - https://github.com/Mr-xn/CVE-2024-36401
+    - https://www.bitsight.com/blog/geoserver-cve-2024-36401-tailoring-public-poc-enable-high-confidence-detection
+  profiles:
+    - vuln
+    - http
+    - critical_severity
+    - cve
+    - cve_2024
+    - geoserver
+    - cisa_kev
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/geoserver/wfs?service=wfs&request=DescribeFeatureType"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+              ports:
+                - 80
+        response:
+          save_to_temp_events_only: get_valid_namespace_1
+          condition_type: and
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            content:
+              regex: typeName=([A-Za-z_][A-Za-z0-9._-]*%3A[A-Za-z_][A-Za-z0-9._-]*)
+              reverse: false
+
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=dependent_on_temp_event[0]['content'][0]&valueReference=java.lang.Runtime.getRuntime%28%29"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+              ports:
+                - 80
+        response:
+          dependent_on_temp_event: get_valid_namespace_1
+          condition_type: and
+          conditions:
+            status_code:
+              regex: "400"
+              reverse: false
+            content:
+              regex: "ClassCastException"
+              reverse: false
+
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/geoserver/wfs?service=wfs&request=DescribeFeatureType"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "https"
+              ports:
+                - 443
+        response:
+          save_to_temp_events_only: get_valid_namespace_2
+          condition_type: and
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            content:
+              regex: typeName=([A-Za-z_][A-Za-z0-9._-]*%3A[A-Za-z_][A-Za-z0-9._-]*)
+              reverse: false
+
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=dependent_on_temp_event[0]['content'][0]&valueReference=java.lang.Runtime.getRuntime%28%29"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "https"
+              ports:
+                - 443
+        response:
+          dependent_on_temp_event: get_valid_namespace_2
+          condition_type: and
+          conditions:
+            status_code:
+              regex: "400"
+              reverse: false
+            content:
+              regex: "ClassCastException"
+              reverse: false