Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Implement getMetadata for some more Passive scripts #448

Merged
merged 1 commit into from
Jun 10, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- passive/detect_csp_notif_and_reportonly.js
- passive/detect_samesite_protection.js
- passive/f5_bigip_cookie_internal_ip.js
- passive/find base64 strings.js
- passive/Find Credit Cards.js
- passive/Find Emails.js
- passive/Find Hashes.js
- passive/Find HTML Comments.js

## [18] - 2024-01-29
### Added
Expand Down
2 changes: 2 additions & 0 deletions passive/CookieHTTPOnly.js
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ confidence: medium
cweId: 0
wascId: 13 # WASC-13: Information Leakage
status: alpha
codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/CookieHTTPOnly.js
helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/
`);
}

Expand Down
58 changes: 29 additions & 29 deletions passive/Find Credit Cards.js
Original file line number Diff line number Diff line change
@@ -1,23 +1,32 @@
// CreditCard Finder by freakyclown@gmail.com

function scan(ps, msg, src) {
// lets set up some stuff we are going to need for the alert later if we find a credit card
var url = msg.getRequestHeader().getURI().toString();
var ScanRuleMetadata = Java.type(
"org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata"
);

function getMetadata() {
return ScanRuleMetadata.fromYaml(`
id: 100008
name: Information Disclosure - Credit Card Number
description: A credit card number was found in the HTTP response body.
solution: >
Encrypt credit card numbers during transmission, use tokenization,
and adhere to PCI DSS standards for secure handling and storage.
risk: high
confidence: medium
cweId: 311 # CWE-311: Missing Encryption of Sensitive Data
wascId: 13 # WASC-13: Information Leakage
status: alpha
codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/Find%20Credit%20Cards.js
helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/
`);
}

function scan(helper, msg, src) {
var body = msg.getResponseBody().toString();
var alertRisk = [0, 1, 2, 3]; //1=informational, 2=low, 3=medium, 4=high
var alertConfidence = [0, 1, 2, 3, 4]; //0=fp,1=low,2=medium,3=high,4=confirmed
var alertTitle = ["Credit Card Number(s) Disclosed (script)", ""];
var alertDesc = ["Credit Card number(s) was discovered.", ""];
var alertSolution = [
"why are you showing Credit and debit card numbers?",
"",
];
var cweId = [0, 1];
var wascId = [0, 1];

// lets make some regular expressions for well known credit cards
// regex must appear within /( and )/g

var re_visa = /([3-5][0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4})/g; //visa or mastercard
var re_amex = /(3[47][0-9]{2}[ -]?[0-9]{6}[ -]?[0-9]{5})/g; //amex
var re_disc = /(6011[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4})/g; //discovery
Expand Down Expand Up @@ -56,21 +65,12 @@ function scan(ps, msg, src) {
}
}
if (foundCard.length != 0) {
ps.raiseAlert(
alertRisk[3],
alertConfidence[2],
alertTitle[0],
alertDesc[0],
url,
"",
"",
foundCard.toString(),
alertSolution[0],
"",
cweId[0],
wascId[0],
msg
);
helper
.newAlert()
.setEvidence(foundCard[0])
.setOtherInfo(`Other instances: ${foundCard.slice(1).toString()}`)
.setMessage(msg)
.raise();
}
}
}
Expand Down
59 changes: 32 additions & 27 deletions passive/Find Emails.js
Original file line number Diff line number Diff line change
Expand Up @@ -5,25 +5,39 @@
// https://support.google.com/mail/answer/12096?hl=en
// https://regex101.com/r/sH4vC0/2
// 20181213 - Update by nil0x42+owaspzap@gmail.com to ignore false positives (such as '*@123' or '$@#!.')
// 20240604 - Implement getMetadata() to expose the script as a scan rule.

function scan(ps, msg, src) {
// first lets set up some details incase we find an email, these will populate the alert later
var alertRisk = 0;
var alertConfidence = 3;
var alertTitle = "Email addresses (script)";
var alertDesc = "Email addresses were found";
var alertSolution = "Remove emails that are not public";
var cweId = 0;
var wascId = 0;
var ScanRuleMetadata = Java.type(
"org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata"
);

function getMetadata() {
return ScanRuleMetadata.fromYaml(`
id: 100009
name: Information Disclosure - Email Addresses
description: >
An email address was found in the HTTP response body.
Exposure of email addresses in HTTP messages can lead to privacy violations
and targeted phishing attacks.
solution: >
Mask email addresses during transmission and ensure proper access controls
to protect user privacy and prevent unauthorized access.
risk: low
confidence: high
cweId: 311 # CWE-311: Missing Encryption of Sensitive Data
wascId: 13 # WASC-13: Information Leakage
status: alpha
codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/Find%20Emails.js
helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/
`);
}

function scan(helper, msg, src) {
// lets build a regular expression that can find email addresses
// the regex must appear within /( and )/g
var re =
/([a-zA-Z0-9_.+-]+@[a-zA-Z0-9]+[a-zA-Z0-9-]*\.[a-zA-Z0-9-.]*[a-zA-Z0-9]{2,})/g;

// we need to set the url variable to the request or we cant track the alert later
var url = msg.getRequestHeader().getURI().toString();

// lets check its not one of the files types that are never likely to contain stuff, like pngs and jpegs
var contenttype = msg.getResponseHeader().getHeader("Content-Type");
var unwantedfiletypes = [
Expand All @@ -49,21 +63,12 @@ function scan(ps, msg, src) {
foundEmail.push(comm[0]);
}
// woohoo we found an email lets make an alert for it
ps.raiseAlert(
alertRisk,
alertConfidence,
alertTitle,
alertDesc,
url,
"",
"",
foundEmail.toString(),
alertSolution,
"",
cweId,
wascId,
msg
);
helper
.newAlert()
.setEvidence(foundEmail[0])
.setOtherInfo(`Other instances: ${foundEmail.slice(1).toString()}`)
.setMessage(msg)
.raise();
}
}
}
86 changes: 39 additions & 47 deletions passive/Find HTML Comments.js
Original file line number Diff line number Diff line change
Expand Up @@ -18,27 +18,37 @@
// NOTE: This script will only find HTML comments in content which passes through ZAP.
// Therefore if you browser is caching you may not see something you expect to.

function scan(ps, msg, src) {
var ScanRuleMetadata = Java.type(
"org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata"
);

function getMetadata() {
return ScanRuleMetadata.fromYaml(`
id: 100011
name: Information Disclosure - HTML Comments
description: >
While adding general comments is very useful, some programmers tend to leave important data,
such as: filenames related to the web application, old links or links which were not meant
to be browsed by users, old code fragments, etc.
solution: >
Remove comments which have sensitive information about the design/implementation
of the application. Some of the comments may be exposed to the user and affect
the security posture of the application.
risk: info
confidence: medium
cweId: 615 # CWE-615: Inclusion of Sensitive Information in Source Code Comments
wascId: 13 # WASC-13: Information Leakage
status: alpha
codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/Find%20HTML%20Comments.js
helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/
`);
}

function scan(helper, msg, src) {
// Both can be true, just know that you'll see duplication.
var RESULT_PER_FINDING = new Boolean(0); // If you want to see results on a per comment basis (i.e.: A single URL may be listed more than once), set this to true (1)
var RESULT_PER_URL = new Boolean(1); // If you want to see results on a per URL basis (i.e.: all comments for a single URL will be grouped together), set this to true (1)

// lets set up some details we will need for alerts later if we find some comments
var alertRisk = 0;
var alertConfidence = 2;
var alertTitle = "Information Exposure Through HTML Comments (script)";
var alertDesc =
"While adding general comments is very useful, \
some programmers tend to leave important data, such as: filenames related to the web application, old links \
or links which were not meant to be browsed by users, old code fragments, etc.";
var alertSolution =
"Remove comments which have sensitive information about the design/implementation \
of the application. Some of the comments may be exposed to the user and affect the security posture of the \
application.";
var cweId = 615;
var wascId = 13;
var url = msg.getRequestHeader().getURI().toString();

// this is a rough regular expression to find HTML comments
// regex needs to be inside /( and )/g to work
var re = /(\<![\s]*--[\-!@#$%^&*:;ºª.,"'(){}\w\s\/\\[\]]*--[\s]*\>)/g;
Expand Down Expand Up @@ -66,40 +76,22 @@ application.";
if (RESULT_PER_FINDING == true) {
counter = counter + 1;
//fakeparam+counter gives us parameter differientiation per comment alert (RESULT_PER_FINDING)
ps.raiseAlert(
alertRisk,
alertConfidence,
alertTitle,
alertDesc,
url,
"fakeparam" + counter,
"",
comm[0],
alertSolution,
"",
cweId,
wascId,
msg
);
helper
.newAlert()
.setParam("fakeparam" + counter)
.setEvidence(comm[0])
.setMessage(msg)
.raise();
}
foundComments.push(comm[0]);
}
if (RESULT_PER_URL == true) {
ps.raiseAlert(
alertRisk,
alertConfidence,
alertTitle,
alertDesc,
url,
"",
"",
foundComments.toString(),
alertSolution,
"",
cweId,
wascId,
msg
);
helper
.newAlert()
.setEvidence(foundComments[0])
.setOtherInfo(`Other instances: ${foundComments.slice(1).toString()}`)
.setMessage(msg)
.raise();
}
}
}
Expand Down
Loading