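# Nuclei file-protocol template: scans local files (for example a saved list of
# URLs or crawled page sources) and labels paths whose extension suggests
# backups, source code, credentials, key material or other sensitive artefacts.
#
# Every pattern ends in ('|") so it only fires when the extension is directly
# followed by a quote character, i.e. the URL sits inside a quoted string
# (HTML attribute, JavaScript, JSON). Bare one-URL-per-line input will not match.
# A hit is a triage lead for the asset owner, not proof of exposure: confirm
# that the file is actually reachable and what it contains before reporting.
id: url-extension-inspector

info:
  name: URL Extension Inspector
  author: ayadim
  severity: low
  description: This template helps you find interesting extensions in a list of URLs
  reference: https://github.com/CYS4srl/CYS4-SensitiveDiscoverer/
  tags: file,urls

file:
  - extensions:
      - all

    extractors:
      # Archive named after a web root or deployment directory; usually the
      # highest-value lead in this list, hence the name.
      - type: regex
        name: Hot finding
        regex:
          - "(?i)(htdocs|www|html|web|webapps|public|public_html|uploads|website|api|test|app|backup|bin|bak|old|release|sql)\\.(7z|bz2|gz|lz|rar|tar\\.gz|tar\\.bz2|xz|zip|z)('|\")"

      - type: regex
        name: Backup file
        regex:
          - "(?i)\\.(bak|backup|bkp|_bkp|bk|BAK)('|\")"

      # Editor/backup copies of server-side scripts are served as plain text by
      # most web servers, which discloses the source.
      # NOTE(review): this pattern requires a dot between ".php" and the suffix
      # (".php.bak"), while "ASP Source" below has no dot (".aspbak", ".asp~").
      # One of the two is probably unintended - confirm against the reference.
      - type: regex
        name: PHP Source
        regex:
          - "(?i)(\\.php)\\.(~|bk|bak|bkp|BAK|swp|swo|swn|tmp|save|old|new|orig|dist|txt|disabled|original|backup|_back|_1bak|~|!|0|1|2|3)('|\")"

      - type: regex
        name: ASP Source
        regex:
          - "(?i)\\.(asp)(~|bk|bak|bkp|BAK|swp|swo|swn|tmp|save|old|new|orig|dist|txt|disabled|original|backup|_back|_1bak|~|!|0|1|2|3)('|\")"

      # Overlaps with "SQL dump file" below: a ".sql" path is reported twice.
      - type: regex
        name: Database file
        regex:
          - "(?i)(\\.db|\\.sql)('|\")"

      - type: regex
        name: Bash script
        regex:
          - "(?i)\\.(sh|bashrc|zshrc)('|\")"

      - type: regex
        name: 1Password password manager database file
        regex:
          - "(?i)\\.agilekeychain('|\")"

      - type: regex
        name: ASP configuration file
        regex:
          - "(?i)\\.asa('|\")"

      - type: regex
        name: Apple Keychain database file
        regex:
          - "(?i)\\.keychain('|\")"

      - type: regex
        name: Azure service configuration schema file
        regex:
          - "(?i)\\.cscfg('|\")"

      - type: regex
        name: Compressed archive file
        regex:
          - "(?i)\\.(zip|gz|tar|rar|tgz)('|\")"

      - type: regex
        name: Configuration file
        regex:
          - "(?i)\\.(ini|config|conf)('|\")"

      - type: regex
        name: Day One journal file
        regex:
          - "(?i)\\.dayone('|\")"

      - type: regex
        name: Document file
        regex:
          - "(?i)\\.(doc|docx|rtf)('|\")"

      - type: regex
        name: GnuCash database file
        regex:
          - "(?i)\\.gnucash('|\")"

      - type: regex
        name: Include file
        regex:
          - "(?i)\\.inc('|\")"

      - type: regex
        name: XML file
        regex:
          - "(?i)\\.xml('|\")"

      - type: regex
        name: Old file
        regex:
          - "(?i)\\.old('|\")"

      - type: regex
        name: Log file
        regex:
          - "(?i)(\\.log)('|\")"

      - type: regex
        name: Java file
        regex:
          - "(?i)\\.(java|class|jar|war|ear|jsp|jspx|jsf|servlet|bean|applet|properties|manifest|policy|keystore|jnlp)('|\")"

      - type: regex
        name: SQL dump file
        regex:
          - "(?i)\\.sql('|\")"

      - type: regex
        name: Excel file
        regex:
          - "(?i)\\.(xls|xlsx|csv)('|\")"

      - type: regex
        name: Certificate file
        regex:
          - "(?i)(\\.cer|\\.crt|\\.p7b)('|\")"

      # Label typo fixed (was "Java key storte").
      - type: regex
        name: Java key store
        regex:
          - "(?i)\\.jks('|\")"

      - type: regex
        name: KDE Wallet Manager database file
        regex:
          - "(?i)\\.kwallet('|\")"

      - type: regex
        name: Little Snitch firewall configuration file
        regex:
          - "(?i)\\.xpl('|\")"

      - type: regex
        name: Microsoft BitLocker Trusted Platform Module password file
        regex:
          - "(?i)\\.tpm('|\")"

      - type: regex
        name: Microsoft BitLocker recovery key file
        regex:
          - "(?i)\\.bek('|\")"

      - type: regex
        name: Microsoft SQL database file
        regex:
          - "(?i)\\.mdf('|\")"

      - type: regex
        name: Microsoft SQL server compact database file
        regex:
          - "(?i)\\.sdf('|\")"

      - type: regex
        name: Network traffic capture file
        regex:
          - "(?i)\\.pcap('|\")"

      - type: regex
        name: OpenVPN client configuration file
        regex:
          - "(?i)\\.ovpn('|\")"

      - type: regex
        name: PDF file
        regex:
          - "(?i)\\.pdf('|\")"

      # Fixed: the pattern was "\.pcap", a copy of "Network traffic capture
      # file" above, so ".php" paths were never reported and every ".pcap"
      # path was mislabelled as a PHP file.
      - type: regex
        name: PHP file
        regex:
          - "(?i)\\.php('|\")"

      - type: regex
        name: Password Safe database file
        regex:
          - "(?i)\\.psafe3('|\")"

      # NOTE(review): only ".yml" is covered; ".yaml" is not matched by any
      # extractor in this template.
      - type: regex
        name: Potential configuration file
        regex:
          - "(?i)\\.yml('|\")"

      - type: regex
        name: Potential cryptographic key bundle
        regex:
          - "(?i)\\.(pkcs12|p12|pfx|asc|pem)('|\")"

      # Fixed: the dot is now escaped. Unescaped it matched any character
      # between "otr" and "private_key", which only adds false positives.
      - type: regex
        name: Potential private key
        regex:
          - "(?i)otr\\.private_key('|\")"

      - type: regex
        name: Presentation file
        regex:
          - "(?i)\\.(ppt|pptx)('|\")"

      - type: regex
        name: Python file
        regex:
          - "(?i)\\.py('|\")"

      - type: regex
        name: Remote Desktop connection file
        regex:
          - "(?i)\\.rdp('|\")"

      - type: regex
        name: Ruby On Rails file
        regex:
          - "(?i)\\.rb('|\")"

      - type: regex
        name: SQLite database file
        regex:
          - "(?i)\\.(sqlite|sqlitedb)('|\")"

      - type: regex
        name: SQLite3 database file
        regex:
          - "(?i)\\.sqlite3('|\")"

      # ".plist" is a generic property-list extension, so expect hits that have
      # nothing to do with Sequel Pro.
      - type: regex
        name: Sequel Pro MySQL database manager bookmark file
        regex:
          - "(?i)\\.plist('|\")"

      - type: regex
        name: Shell configuration file
        regex:
          - "(?i)\\.(exports|functions|extra)('|\")"

      - type: regex
        name: Temporary file
        regex:
          - "(?i)\\.tmp('|\")"

      - type: regex
        name: Terraform variable config file
        regex:
          - "(?i)\\.tfvars('|\")"

      - type: regex
        name: Text file
        regex:
          - "(?i)\\.txt('|\")"

      - type: regex
        name: Tunnelblick VPN configuration file
        regex:
          - "(?i)\\.tblk('|\")"

      - type: regex
        name: Windows BitLocker full volume encrypted data file
        regex:
          - "(?i)\\.fve('|\")"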