fix: false postive - metadata service check templates

[daffainfo]

Added more matcher to metadata service check templates

[DhiyaneshGeek]

Hi @daffainfo are these changes validated locally ?

[daffainfo]

@DhiyaneshGeek i didnt test all of the template but all of them are based from documentation between each services, for example:

• https://docs.digitalocean.com/reference/api/metadata-api/

We found that almost all metadata-* templates have very few matchers (only 1 - 2 words and the value matcher condition is or not and, this can lead to false positive result)

[DhiyaneshGeek]

Hi @daffainfo

can you share a FP target over discord (#geekfreak)

Looking forward to see you there

Thanks

[daffainfo]

@DhiyaneshGeek I can't give you the target because it is confidential but I can show you the reason why I need to change some of the matcher. I got some fp, especially when using metadata-google.yaml template. When I saw the matcher:

      - type: word
         part: body
         words:
           - "attributes"

The matcher only checks if there is an attribute string in the response body or not. And when using --debug to find why this template always producing false positive, my target returns a 404 status code and also has an attribute string in the response body which results in a false positive. And then, I checked other metadata-*.yaml template and it also has a very bad matcher, which relies on generic keywords like attributes etc

[DhiyaneshGeek]

Hi @daffainfo

Is metadata-google.yaml is it running it on a GCP host itself ?

if there is something updated on the GCP Metadata documentation, we can review and update the template accordingly

Looking forward to hear back from you

Thanks