-
Notifications
You must be signed in to change notification settings - Fork 2
/
config.yml
67 lines (67 loc) · 2.38 KB
/
config.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
db_environments:
majestic_snapshots:
user: root
password: Headers123!
host: 127.0.0.1
port: 27017
database: headers
headers_coll: header_scans
orphans_coll: orphan
general:
scrapeops: <your key>
abusable_domains:
- '*.amazonaws.com':
- exfil
- exec
- '*.cloudfront.net':
- exfil
- exec
- '*.jsdelivr.com':
- exec
- 'cdn.jsdelivr.net':
- exec
- 'www.facebook.com':
- exfil
- '*.facebook.com':
- exfil
- '*.hotjar.com':
- exfil
- 'ask.hotjar.io':
- exfil
- '*.herokuapp.com':
- exfil
- exec
- '*.firebaseapp.com':
- exfil
- exec
# It is possible to exfiltrate to googletagmanager.com by using custom events as well
# https://www.analyticsmania.com/post/google-tag-manager-custom-event-trigger/
# Integrate the custom event submision to Hotjar following this:
# https://help.hotjar.com/hc/en-us/articles/4412561401111-How-to-Send-Events-with-Google-Tag-Manager
- '*.google-analytics.com':
- exfil
- '*.azurestaticapps.net':
- exfil
- exec
- '*.azurewebsites.net':
- exfil
- exec
vulns_explanation:
UNDEFINED: Undefined vulnerability
NOCSP: No CSP policy was defined
UNSAFEINLINE: The value 'unsafe-inline' found in '{}'.
UNSAFEEVAL: The value 'unsafe-eval' found in '{}'.
LENIENTSCHEME: The policy contained a lenient handler in '{}'.
CSPRO: Header 'Content-Security-Policy-Report-Only' was found, but 'Content-Security-Policy' was not.
THIRDPARTYABUSE: Detected in '{}' - {}
NODEFAULTSRC: The directive 'default-src' was not found.
NOFRAMEANCESTORS: The directive 'frame-ancestors' was not found.
NOREPORTTO: Neither 'report-to' nor 'report-uri' were found.
NOBASEURI: The directive 'base-uri' was not found.
NOUPGRIR: The directive 'upgrade-insecure-request' was not found.
NOSCRIPTSRC: The directives 'script-src' and 'default-src' were not found.
NOCONNECTSRC: The directives 'connect-src' and 'default-src' were not found.
NOFRAMESRC: The directives 'frame-src' and 'default-src' were not found.
NOCHILDSRC: The directives 'child-src' and 'default-src' were not found.
NOOBJECTSRC: The directives 'object-src' and 'default-src' were not found.
ORPHANDOMAIN: Domain '{}', in '{}' of the '{}' header, is not found (NXDOMAIN and no WHOIS)