From e8c691d5a00575349f00548f0d782ce6b73b62a6 Mon Sep 17 00:00:00 2001 From: _ <36057926+LabMC@users.noreply.github.com> Date: Mon, 11 Nov 2024 10:15:16 -0600 Subject: [PATCH 01/13] Create Use-of-Password-Grant-Type.bcheck - `Use-of-Password-Grant-Type` file is used to detect for the `password` grant_type in OAuth. --- other/OAuth/Use-of-Password-Grant-Type.bcheck | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 other/OAuth/Use-of-Password-Grant-Type.bcheck diff --git a/other/OAuth/Use-of-Password-Grant-Type.bcheck b/other/OAuth/Use-of-Password-Grant-Type.bcheck new file mode 100644 index 0000000..beeb034 --- /dev/null +++ b/other/OAuth/Use-of-Password-Grant-Type.bcheck @@ -0,0 +1,46 @@ +metadata: + language: v2-beta + name: "Use of Password Grant Type" + author: "Kyle Gilligan" + description: "This test looks for indicators of OAuth's unsafe `Password` Grant Type." + tags: "passive", "oauth", "http", "password" + +define: + # Issue Detail: + id_01 = `- This web application appears configured to use the "Password" grant type for authenticating OAuth 2.0 HTTP requests.` + id_02 = `\n- Use of the "Password" grant type in an "OAuth 2.0" HTTP authentication scheme involves directly sending user credentials towards an intended authentication server in plaintext.` + id_03 = `\n- Because the "Password" grant type requires clients to send credentials over an HTTP request in plaintext, best practice deems this methodology as insecure.` + id_04 = `\n- Strong security guidelines therefore highly-recommend developers replace the "Password" code grant out with a safer alternative.` + id_05 = `\n >> Examples include: 'Authorization', 'Authorization w/ PKCE', & 'Client Credentials'.` + issueDetail_FULL = `{id_01}{id_02}{id_03}{id_04}{id_05}` + + # Issue Remediation: + ir_01 = `- Plaintext disclosure in an HTTP request should only be disclosed under acceptable contexts, such as during "Login" or "Sign-Up" web processes.` + ir_02 = `\n- Usage of nontoken credentials in HTTP requests must be avoided whenever possible to deter potential breach attacks (MITM) from stealing passwords or hijacking sessions.` + ir_03 = `\n >> Authorization Code Grant ('grant_type=authorization_code'): Used for External S2S & Internal S2S.` + ir_04 = `\n >> Client Credentials Code Grant ('grant_type=client_credentials'): Used for Internal S2S.` + ir_05 = `\n >> Device Code Grant ('grant_type=device_code'): Used for Browserless S2S (IOT devices).` + issueRemediation_FULL = `{ir_01}{ir_02}{ir_03}{ir_04}{ir_05}` + +given request then + # This check looks for HTTP requests which have the `Content-Type` HTTP request header equal `application/x-www-form-urlencoded`. + if ({base.request.headers} matches "Content-Type:\s*application/x-www-form-urlencoded") then + + # This check looks for "POST" HTTP requests which possess the `grant_type=password` variable as a body query parameter. + if ({base.request.method} matches "POST") and ({base.request.body} matches "(?i)grant_type\s*=\s*password") then + report issue: + severity: medium + confidence: certain + detail: `{issueDetail_FULL}` + remediation: `{issueRemediation_FULL}` + + # This check looks for "GET" HTTP requests which possess the `grant_type=password` variable as a URL query parameter. + else if ({base.request.method} matches "GET") and ({base.request.url.query} matches "(?i)grant_type\s*=\s*password") then + report issue: + severity: high + confidence: certain + detail: `{issueDetail_FULL}` + remediation: `{issueRemediation_FULL}` + + end if + end if From 8b71ed7939be9146cfe77fe6eabbf4dae9244908 Mon Sep 17 00:00:00 2001 From: _ <36057926+LabMC@users.noreply.github.com> Date: Mon, 11 Nov 2024 11:16:39 -0600 Subject: [PATCH 02/13] Create Password in JavaScript Logger.bcheck - Test to detect for indicators of `password/secret` values within known JavaScript library methods. --- other/Password in JavaScript Logger.bcheck | 35 ++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 other/Password in JavaScript Logger.bcheck diff --git a/other/Password in JavaScript Logger.bcheck b/other/Password in JavaScript Logger.bcheck new file mode 100644 index 0000000..f72680f --- /dev/null +++ b/other/Password in JavaScript Logger.bcheck @@ -0,0 +1,35 @@ +metadata: + language: v2-beta + name: "Password in JavaScript Logger" + author: "Kyle Gilligan" + description: "This test searches for indicators of 'password' variables within known JS logger methods." + tags: "passive", "javascript", "logger", "password" + +# `Indicators of JS Logger Method` Keywords: `.log(`, `.info(`, `.warn(`, `.error(`, `.debug(`, `.table(`, `.group(`, `.trace(`, `.push(`, `.captureMessage(`. +# `Indicators of Password` Keywords #1: `password`, `pw`, `pass`, `passwrd`, `passwd`, `pswrd`, `pswd`, `psword`, `pword`, `client_secret`. +# `Indicators of Password` Keywords #2: `client-secret`, `clientsecret`, `secret`, `api_key`, `api-key`, `apikey`. + +define: + # Issue Detail: + id_01 = `- This test checks whether a file contains both an indicator of a logger functionality being used & an indicator of a 'password/secret' on the same code line.` + id_02 = `\n- For context, 'password/secrets' values should never be displayed in plaintext by a logger functionality due to the potential risk of leakage by numerous factors.` + id_03 = `\n >> Secrets in this context refers to "Account Passwords", "API Keys", & APIs' "client_secret" variable.` + id_04 = `\n- Console loggers should never have valid reason to display users' passwords in any context.` + issueDetail_FULL = `{id_01}{id_02}{id_03}{id_04}` + + # Issue Remediation: + ir_01 = `- If a 'password' value appears presented to consoles or runtime terminals via a logger, that variable should be immediately removed from capture.` + ir_02 = `\n- Consoles which must capture client information should only be restricted to information which does not risk account compromise.` + ir_03 = `\n >> For Example: Client IDs, timestamps.` + issueRemediation_FULL = `{ir_01}{ir_02}{ir_03}` + +given response then + # This check looks through HTTP responses' bodies for keywords that indicate usage of both JS loggers & password variables on a shared code line. + if {latest.response.body} matches "(?i)^(?=.*\b(?:log|info|warn|error|debug|table|group|trace|push|captureMessage)\s*\()(?=.*\b(?:password|pw|pass|passwrd|passwd|pswrd|pswd|psword|pword|client_secret|client-secret|clientsecret|secret|api_key|api-key|apikey)\b).*" then + report issue: + severity: high + confidence: firm + detail: `{issueDetail_FULL}` + remediation: `{issueRemediation_FULL}` + + end if From 4bc5211fabab528c2a51b5fa93ecc8237b64e4c4 Mon Sep 17 00:00:00 2001 From: _ <36057926+LabMC@users.noreply.github.com> Date: Mon, 11 Nov 2024 12:45:08 -0600 Subject: [PATCH 03/13] Update Password in JavaScript Logger.bcheck Fix to regex. --- other/Password in JavaScript Logger.bcheck | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/other/Password in JavaScript Logger.bcheck b/other/Password in JavaScript Logger.bcheck index f72680f..1b1ac3b 100644 --- a/other/Password in JavaScript Logger.bcheck +++ b/other/Password in JavaScript Logger.bcheck @@ -25,7 +25,7 @@ define: given response then # This check looks through HTTP responses' bodies for keywords that indicate usage of both JS loggers & password variables on a shared code line. - if {latest.response.body} matches "(?i)^(?=.*\b(?:log|info|warn|error|debug|table|group|trace|push|captureMessage)\s*\()(?=.*\b(?:password|pw|pass|passwrd|passwd|pswrd|pswd|psword|pword|client_secret|client-secret|clientsecret|secret|api_key|api-key|apikey)\b).*" then + if {latest.response.body} matches "(?i)^(?=.*\b(?:log|info|warn|error|debug|table|group|trace|push|captureMessage)\s*\()(?=.*[^\w]*?(?:password|pw|pass|passwrd|passwd|pswrd|pswd|psword|pword|client_secret|client-secret|clientsecret|secret|api_key|api-key|apikey)[^\w]*?).*" then report issue: severity: high confidence: firm From c9c61ecbee922b1915836c6b22a436169a8e5603 Mon Sep 17 00:00:00 2001 From: _ <36057926+LabMC@users.noreply.github.com> Date: Mon, 11 Nov 2024 12:59:37 -0600 Subject: [PATCH 04/13] Update Password in JavaScript Logger.bcheck Updated regex to use `[-_ ]?` instead of arbitrarily set repeated terms. --- other/Password in JavaScript Logger.bcheck | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/other/Password in JavaScript Logger.bcheck b/other/Password in JavaScript Logger.bcheck index 1b1ac3b..26aa72c 100644 --- a/other/Password in JavaScript Logger.bcheck +++ b/other/Password in JavaScript Logger.bcheck @@ -25,7 +25,7 @@ define: given response then # This check looks through HTTP responses' bodies for keywords that indicate usage of both JS loggers & password variables on a shared code line. - if {latest.response.body} matches "(?i)^(?=.*\b(?:log|info|warn|error|debug|table|group|trace|push|captureMessage)\s*\()(?=.*[^\w]*?(?:password|pw|pass|passwrd|passwd|pswrd|pswd|psword|pword|client_secret|client-secret|clientsecret|secret|api_key|api-key|apikey)[^\w]*?).*" then + if {latest.response.body} matches "(?i)^(?=.*\b(?:log|info|warn|error|debug|table|group|trace|push|captureMessage)\s*\()(?=.*[^\w]*?(?:pass[-_ ]?word|pw|pass|passwrd|passwd|pswrd|pswd|psword|pword|client[-_ ]?secret|secret|api[-_ ]?key)[^\w]*?).*" then report issue: severity: high confidence: firm From 596888df35bb3c5003497db4b331da8ece2fb1ab Mon Sep 17 00:00:00 2001 From: _ <36057926+LabMC@users.noreply.github.com> Date: Mon, 11 Nov 2024 13:08:42 -0600 Subject: [PATCH 05/13] Create Use-of-Basic-Auth-Scheme.bcheck The `Use-of-Basic-Auth-Scheme.bcheck` file searches for HTTP requests which possess the `Authorization: Basic` HTTP request header yet was not set with an Internet Protocol/Port that supported TLS encryption. --- other/Use-of-Basic-Auth-Scheme.bcheck | 51 +++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 other/Use-of-Basic-Auth-Scheme.bcheck diff --git a/other/Use-of-Basic-Auth-Scheme.bcheck b/other/Use-of-Basic-Auth-Scheme.bcheck new file mode 100644 index 0000000..16583ff --- /dev/null +++ b/other/Use-of-Basic-Auth-Scheme.bcheck @@ -0,0 +1,51 @@ +metadata: + language: v2-beta + name: "Use of Basic Auth Scheme" + author: "Kyle Gilligan" + description: "This test looks for indicators of 'Authorization: Basic' within unencrypted webpages." + tags: "passive", "basic", "http", "authorization" + +# `Indicators of `Basic Auth`-Acceptable Webpages` Keywords #1: `login`, `log-in`, `log_in`, `signin`, `sign-in`, `sign_in`, `signup`, `sign-up`, `sign_up`. +# `Indicators of `Basic Auth`-Acceptable Webpages` Keywords: `registration`, `register`, `access`, `auth`, `cdsso`, `forgot`, `reset`. + +define: + # Issue Detail: + id_01 = `- This web application appears configured to use the "Basic" HTTP authentication scheme for authenticating HTTP requests.` + id_02 = `\n- Use of the "Basic" authentication scheme involves directly sending user credentials over an HTTP request in plaintext.` + id_03 = `\n- Because the "Basic" scheme type requires clients to send credentials over an HTTP request in plaintext, it becomes highly-suggested to avoid its use whenever possible.` + id_04 = `\n- Utilization of the "Basic" HTTP Authorization scheme (if necessary) should only be restricted for when users must directly send credentials to servers (such as "Login" or "Sign-Up" webpages).` + id_05 = `\n- Deployment of the "Authorization: Basic" HTTP request header must otherwise require Internet Protocols which enforce SSL/TLS encryption to be used.` + id_06 = `\n >> Alternatives to the "Basic" HTTP Authorization scheme include: Bearer via OAuth-Generated Tokens.` + issueDetail_FULL = `{id_01}{id_02}{id_03}{id_04}{id_05}{id_06}` + + # Issue Remediation: + ir_01 = `- Plaintext disclosure of credentials in an HTTP request should only be acceptable during "Login", "Sign-Up", or "Password Reset" web processes.` + ir_02 = `\n- Usage of credentials must otherwise be avoided whenever possible to avoid potential breach attacks (via MITM) from arising.` + ir_03 = `\n- Rather, best practice suggests recommends involving processes which allow the web server to first perform internal encryption & gain approval with the intended server using this ciphertext.` + ir_04 = `\n >> Bearer Authentication Scheme: Used for sending credentials over customized token methodology (often via the OAuth 2.0 & OpenID Connect frameworks).` + issueRemediation_FULL = `{ir_01}{ir_02}{ir_03}{ir_04}` + +given response then +# Nesting several if statements becomes necessary to quickly reduce checks for FPs. + + # This check ignores HTTP requests which enforce TLS/SSL encryption through secure Internet Protocols. + if not ({base.request.url.protocol} matches "(?i)(https?|ftps|imaps|smtp|ldaps|xmpp|sip|nntp)") then + + # This check ignores HTTP requests which contain ports that secure Internet Protocols enforce TLS/SSL encryption through. + if not ({base.request.url.port} matches "(443|989|990|993|587|465|636|5223|5061|563)") then + + # This check ignores HTTP requests with URLs which possess indicators of `login/sign-up/password-reset` functionalities. + if not ({base.request.url.file} matches "(?i)(log[-_]?in|sign[-_]?in|sign[-_]?up|registration|register|access|auth|cdsso|forgot|reset)") then + + # This check detects for deployment of the `Authorization` HTTP request header using the `Basic` attribute. + if ({base.request.headers} matches "(?i)(Authorization:\s*Basic)") then + report issue: + severity: low + confidence: firm + detail: `{issueDetail_FULL}` + remediation: `{issueRemediation_FULL}` + + end if + end if + end if + end if From e26fd9cd6aee629269312eb619e02d4e35d38e26 Mon Sep 17 00:00:00 2001 From: _ <36057926+LabMC@users.noreply.github.com> Date: Wed, 13 Nov 2024 14:07:44 -0600 Subject: [PATCH 06/13] Create Insecure HTTP Methods Allowed (Passive).bcheck - Created BCheck searches passively through HTTP methods by detecting whether non-GET/POST HTTP methods appear used in an HTTP request, or if non-GET/POST HTTP methods are present in a `Access-Control-Allow-Methods` HTTP response header value. --- ...cure HTTP Methods Allowed (Passive).bcheck | 128 ++++++++++++++++++ 1 file changed, 128 insertions(+) create mode 100644 other/HTTP Methods/Insecure HTTP Methods Allowed (Passive).bcheck diff --git a/other/HTTP Methods/Insecure HTTP Methods Allowed (Passive).bcheck b/other/HTTP Methods/Insecure HTTP Methods Allowed (Passive).bcheck new file mode 100644 index 0000000..e8c951c --- /dev/null +++ b/other/HTTP Methods/Insecure HTTP Methods Allowed (Passive).bcheck @@ -0,0 +1,128 @@ +metadata: + language: v2-beta + name: "Insecure HTTP Methods Allowed [Passive]" + description: "This BCheck detects for usage of dangerous, cautionary, & arbitrary HTTP methods beyond 'GET' & 'POST'." + author: "Kyle Gilligan" + tags: "passive", "http methods", "http verbs" + +define: + # Issue Detail: + ## A. Introduction Issue Detail: + id_A_01 = `- This application was discovered to permit usage of HTTP methods beyond the recommended 'GET' & 'POST' verbs.` + ## B. Dangerous Issue Detail: + id_B_01 = `\n >> The 'CONNECT', 'TRACE', & 'TRACK' HTTP methods remain considered as dangerous HTTP verbs due to easily` + id_B_02 = ` permitting 'Authentication Bypass' & 'Sensitive Information Disclosure' exploits.` + ### B.1. CONNECT Dangerous Issue Detail: + id_B1_01 = `\n >>>> The 'CONNECT' HTTP method permits client users to establish direct TCP tunnels into a target web server,` + id_B1_02 = ` which helps permit threat actors to bypass servers' network firewalls, proxy filters, & monitoring systems.` + ### B.2. TRACE Dangerous Issue Detail: + id_B2_01 = `\n >>>> The 'TRACE' HTTP method has its HTTP responses reflect content from the source HTTP request, which - if triggered` + id_B2_02 = ` a victim user triggers a 'XSS Injection' on a webpage with sensitive information, that 'XSS Injection' may activate a script` + id_B2_03 = ` which sends an HTTP request containing the sensitive data within this HTTP response back to the attacker's web server.` + ### B.3. TRACK Dangerous Issue Detail: + id_B3_01 = `\n >>>> The 'TRACK' HTTP method acts similarly to the 'TRACE' verb for IIS servers; it is disabled for IIS Version 6 & newer.` + ## C. Cautionary Issue Detail: + id_C_01 = `\n >> The 'DELETE' & 'PUT' HTTP methods remain considered as situationally-insecure HTTP verbs due to being remaining relevant` + id_C_02 = ` for certain business logic functionalities while also being tied to potential functionality abuse & web server vulnerabilities.` + ### C.1. DELETE Dangerous Issue Detail: + id_C1_01 = `\n >>>> The 'DELETE' HTTP method permits resources to be removed from a web server from the client-side HTTP request,` + id_C1_02 = ` which becomes dangerous if security controls do not limit what resources can be deleted nor why appears allowed to delete them.` + ### C.2. PUT Dangerous Issue Detail: + id_C2_01 = `\n >>>> The 'PUT' HTTP method updates an existing resource by replacing its entire entity with the data sent in the` + id_C2_02 = ` request, which the "POST" HTTP method can already perform without being tied to resource creation.` + ## D. Arbitrary Issue Detail: + id_D_01 = `\n >> The 'HEAD', 'PATCH', & 'OPTIONS' HTTP methods remain considered as arbitrary HTTP verbs due to providing unnecessary` + id_D_02 = ` metadata or limitedly-overlaping with other HTTP verbs.` + ### D.1. HEAD Dangerous Issue Detail: + id_D1_01 = `\n >>>> The 'HEAD' HTTP method simply retrieves an HTTP response's headers without this the body text, which is made` + id_D1_02 = ` arbitrary by the 'GET' HTTP method.` + ### D.2. OPTIONS Dangerous Issue Detail: + id_D2_01 = `\n >>>> The 'OPTIONS' HTTP method returns a list of HTTP methods available for web server or its target web server,` + id_D2_02 = ` commonly used in CORS preflight checks.` + ### D.3. PATCH Dangerous Issue Detail: + id_D3_01 = `\n >>>> The 'PATCH' HTTP method updates partial resources, which the POST HTTP method makes arbitrary by allowing both` + id_D3_02 = ` creation & modification of resources, potentially overlapping with PATCH's functionality.` + issueDetail_FULL_HIGH = `{id_A_01}{id_B_01}{id_B_02}{id_B1_01}{id_B1_02}{id_B2_01}{id_B2_02}{id_B2_03}{id_B3_01}` + issueDetail_FULL_LOW = `{id_A_01}{id_C_01}{id_C_02}{id_C1_01}{id_C1_02}{id_C2_01}{id_C2_02}` + issueDetail_FULL_INFO = `{id_A_01}{id_D_01}{id_D_02}{id_D1_01}{id_D1_02}{id_D2_01}{id_D2_02}{id_D3_01}{id_D3_02}` + + # Issue Remediation: + ir_01 = `- Developers must consider what HTTP methods they permit onto a web application, evaluate why these verbs appear allowed, decide if` + ir_02 = ` these keywords can cause future harm, & conclude whether or not it would be possible to remove/replace them altogether.` + ir_03 = `\n >> HTTP methods considered dangerous ('CONNECT' & 'TRACE/TRACE') should be removed immediately without exception.` + ir_04 = `\n >> HTTP methods considered cautionary ('DELETE' & 'PUT') should be evaluated regarding potential risk/consequence in retention` + ir_05 = ` & efforts to replace if-warrented.` + ir_06 = `\n >> HTTP methods considered cautionary ('HEAD', 'OPTIONS', & 'PATCH') should additionally be evaluated regarding upkeep in webpage.` + ir_07 = ` interaction consistency & whether these verbs pose any actual use-cases within applications' business logic functionalities.` + ir_08 = `\n- Regardless of any case, if any particular HTTP method is not actively being deployed by a web application, it may remain.` + ir_09 = ` recommended to simply disallow its usage out of caution.` + issueRemediation_FULL_HIGH = `{ir_01}{ir_02}{ir_03}{ir_08}{ir_09}` + issueRemediation_FULL_LOW = `{ir_01}{ir_02}{ir_04}{ir_05}{ir_08}{ir_09}` + issueRemediation_FULL_INFO = `{ir_01}{ir_02}{ir_06}{ir_07}{ir_08}{ir_09}` + +given response then +# Nesting several if statements becomes necessary to quickly reduce checks for FPs. + + # This check looks for non-erroneous HTTP requests which use HTTP methods beyond 'GET' & 'POST'. + if not ({base.request.method} matches "(GET|POST)") and not ({base.response.status_code} matches "([45]\d{2}\s.*$)") then + + # This check specifies a 'High' criticality should be generated for this finding. + if ({base.request.method} matches "(CONNECT|TRACE|TRACK)") then + report issue and continue: + severity: high + confidence: certain + detail: `{issueDetail_FULL_HIGH}` + remediation: `{issueRemediation_FULL_HIGH}` + end if + + # This check specifies a 'Low' criticality should be generated for this finding. + if ({base.request.method} matches "(DELETE|PUT)") then + report issue and continue: + severity: low + confidence: certain + detail: `{issueDetail_FULL_LOW}` + remediation: `{issueRemediation_FULL_LOW}` + end if + + # This check specifies an 'Info' criticality should be generated for this finding. + if ({base.request.method} matches "(HEAD|OPTIONS|PATCH)") then + report issue and continue: + severity: info + confidence: certain + detail: `{issueDetail_FULL_INFO}` + remediation: `{issueRemediation_FULL_INFO}` + end if + + end if + + # This check searches for HTTP responses which possess the 'Access-Control-Allow-Methods" HTTP response header. + if ({base.response.headers} matches "(Access-Control-Allow-Methods:)") then + + # This check specifies a 'High' criticality should be generated for this finding. + if ({base.response.headers} matches "((?i)Access-Control-Allow-Methods:.*(CONNECT|TRACE|TRACK).*)") then + report issue and continue: + severity: high + confidence: certain + detail: `{issueDetail_FULL_HIGH}` + remediation: `{issueRemediation_FULL_HIGH}` + end if + + # This check specifies a 'Low' criticality should be generated for this finding. + if ({base.response.headers} matches "((?i)Access-Control-Allow-Methods:.*(DELETE|PUT).*)") then + report issue and continue: + severity: low + confidence: certain + detail: `{issueDetail_FULL_LOW}` + remediation: `{issueRemediation_FULL_LOW}` + end if + + # This check specifies an 'Info' criticality should be generated for this finding. + if ({base.response.headers} matches "((?i)Access-Control-Allow-Methods:.*(HEAD|OPTIONS|PATCH).*)") then + report issue and continue: + severity: info + confidence: certain + detail: `{issueDetail_FULL_INFO}` + remediation: `{issueRemediation_FULL_INFO}` + end if + + end if From ce9b518ddbb6102071f7c3870c123a4e7c14839d Mon Sep 17 00:00:00 2001 From: _ <36057926+LabMC@users.noreply.github.com> Date: Wed, 13 Nov 2024 14:08:49 -0600 Subject: [PATCH 07/13] Rename other/httpMethodOverrideCapability.bcheck to other/HTTP Methods/httpMethodOverrideCapability.bcheck - Moved this bcheck file into a dedicated `HTTP Methods` folder. --- other/{ => HTTP Methods}/httpMethodOverrideCapability.bcheck | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename other/{ => HTTP Methods}/httpMethodOverrideCapability.bcheck (99%) diff --git a/other/httpMethodOverrideCapability.bcheck b/other/HTTP Methods/httpMethodOverrideCapability.bcheck similarity index 99% rename from other/httpMethodOverrideCapability.bcheck rename to other/HTTP Methods/httpMethodOverrideCapability.bcheck index 604e41a..fc5cf27 100644 --- a/other/httpMethodOverrideCapability.bcheck +++ b/other/HTTP Methods/httpMethodOverrideCapability.bcheck @@ -33,4 +33,4 @@ given path then detail: "Endpoints support a hidden parameter/header, allowing to override the HTTP method effectively used to handle the HTTP requests." remediation: "Remove the support for the hidden request parameters/headers." end if - end if \ No newline at end of file + end if From 1f7cba91d0cb3de0905953568d3feb738cbef704 Mon Sep 17 00:00:00 2001 From: _ <36057926+LabMC@users.noreply.github.com> Date: Wed, 13 Nov 2024 14:12:53 -0600 Subject: [PATCH 08/13] Rename other/Password in JavaScript Logger.bcheck to other/JavaScript/Password in JavaScript Logger.bcheck - Moved file into JavaScript folder. --- other/{ => JavaScript}/Password in JavaScript Logger.bcheck | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename other/{ => JavaScript}/Password in JavaScript Logger.bcheck (100%) diff --git a/other/Password in JavaScript Logger.bcheck b/other/JavaScript/Password in JavaScript Logger.bcheck similarity index 100% rename from other/Password in JavaScript Logger.bcheck rename to other/JavaScript/Password in JavaScript Logger.bcheck From 01bc3bbbdeb8df0f7c273486ad26bb809f06ca4d Mon Sep 17 00:00:00 2001 From: _ <36057926+LabMC@users.noreply.github.com> Date: Wed, 13 Nov 2024 14:13:53 -0600 Subject: [PATCH 09/13] Rename jsMapFile.bcheck to jsMapFile.bcheck - Moved file into `JavaScript` folder. --- other/{Javascript => JavaScript}/jsMapFile.bcheck | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename other/{Javascript => JavaScript}/jsMapFile.bcheck (100%) diff --git a/other/Javascript/jsMapFile.bcheck b/other/JavaScript/jsMapFile.bcheck similarity index 100% rename from other/Javascript/jsMapFile.bcheck rename to other/JavaScript/jsMapFile.bcheck From 57d3944651bcd56c536ab96f79d496c282fe0448 Mon Sep 17 00:00:00 2001 From: _ <36057926+LabMC@users.noreply.github.com> Date: Wed, 13 Nov 2024 14:14:15 -0600 Subject: [PATCH 10/13] Rename malicious_javascript_imported.bcheck to malicious_javascript_imported.bcheck - Moved file into `JavaScript` folder. --- .../malicious_javascript_imported.bcheck | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename other/{Javascript => JavaScript}/malicious_javascript_imported.bcheck (100%) diff --git a/other/Javascript/malicious_javascript_imported.bcheck b/other/JavaScript/malicious_javascript_imported.bcheck similarity index 100% rename from other/Javascript/malicious_javascript_imported.bcheck rename to other/JavaScript/malicious_javascript_imported.bcheck From b3345825c23cc3146ff49b379a965cdef091c809 Mon Sep 17 00:00:00 2001 From: _ <36057926+LabMC@users.noreply.github.com> Date: Wed, 13 Nov 2024 14:14:36 -0600 Subject: [PATCH 11/13] Rename malicious_polyfill_cdn.bcheck to malicious_polyfill_cdn.bcheck --- other/{Javascript => JavaScript}/malicious_polyfill_cdn.bcheck | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename other/{Javascript => JavaScript}/malicious_polyfill_cdn.bcheck (100%) diff --git a/other/Javascript/malicious_polyfill_cdn.bcheck b/other/JavaScript/malicious_polyfill_cdn.bcheck similarity index 100% rename from other/Javascript/malicious_polyfill_cdn.bcheck rename to other/JavaScript/malicious_polyfill_cdn.bcheck From 75a3c3c415f2c038465d10bd5aeb990664c51cad Mon Sep 17 00:00:00 2001 From: _ <36057926+LabMC@users.noreply.github.com> Date: Mon, 18 Nov 2024 13:37:54 -0600 Subject: [PATCH 12/13] Update Password in JavaScript Logger.bcheck - Updated test to limit scans towards only the `HTML` or `Script` MIME types. - Updated test to limit scans towards only non-'400s/500s' error responses. --- .../Password in JavaScript Logger.bcheck | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/other/JavaScript/Password in JavaScript Logger.bcheck b/other/JavaScript/Password in JavaScript Logger.bcheck index 26aa72c..8e60a51 100644 --- a/other/JavaScript/Password in JavaScript Logger.bcheck +++ b/other/JavaScript/Password in JavaScript Logger.bcheck @@ -24,12 +24,17 @@ define: issueRemediation_FULL = `{ir_01}{ir_02}{ir_03}` given response then - # This check looks through HTTP responses' bodies for keywords that indicate usage of both JS loggers & password variables on a shared code line. - if {latest.response.body} matches "(?i)^(?=.*\b(?:log|info|warn|error|debug|table|group|trace|push|captureMessage)\s*\()(?=.*[^\w]*?(?:pass[-_ ]?word|pw|pass|passwrd|passwd|pswrd|pswd|psword|pword|client[-_ ]?secret|secret|api[-_ ]?key)[^\w]*?).*" then - report issue: - severity: high - confidence: firm - detail: `{issueDetail_FULL}` - remediation: `{issueRemediation_FULL}` + # This check ensures that only notable 200s HTTP responses appear present in the HTTP response & unacceptable MIME types get ignored. + if not ({latest.response.status_code} matches "([45]\d{2}.*$)") and ({latest.response.headers} matches "(Content-Type:\s+text/(html|javascript))") then + + # This check looks through HTTP responses' bodies for keywords that indicate usage of both JS loggers & password variables on a shared code line. + if {latest.response.body} matches "(?i)^(?=.*\b(?:log|info|warn|error|debug|table|group|trace|push|captureMessage)\s*\()(?=.*[^\w]*?(?:pass[-_ ]?word|pw|pass|passwrd|passwd|pswrd|pswd|psword|pword|client[-_ ]?secret|secret|api[-_ ]?key)[^\w]*?).*" then + report issue: + severity: high + confidence: firm + detail: `{issueDetail_FULL}` + remediation: `{issueRemediation_FULL}` + + end if end if From 5ba998fd70fe67258b93e4842bf275e68ca6ef42 Mon Sep 17 00:00:00 2001 From: _ <36057926+LabMC@users.noreply.github.com> Date: Mon, 18 Nov 2024 14:19:19 -0600 Subject: [PATCH 13/13] Update Use-of-Basic-Auth-Scheme.bcheck - Updates made to only ignore HTTPS-related ports. --- other/Use-of-Basic-Auth-Scheme.bcheck | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/other/Use-of-Basic-Auth-Scheme.bcheck b/other/Use-of-Basic-Auth-Scheme.bcheck index 16583ff..01ee029 100644 --- a/other/Use-of-Basic-Auth-Scheme.bcheck +++ b/other/Use-of-Basic-Auth-Scheme.bcheck @@ -28,24 +28,20 @@ define: given response then # Nesting several if statements becomes necessary to quickly reduce checks for FPs. - # This check ignores HTTP requests which enforce TLS/SSL encryption through secure Internet Protocols. - if not ({base.request.url.protocol} matches "(?i)(https?|ftps|imaps|smtp|ldaps|xmpp|sip|nntp)") then + # This check ignores HTTP requests which contain ports that secure Internet Protocols enforce TLS/SSL encryption through. + if not ({base.request.url.port} matches "(443|832|5986|8243|8403|8448)") then - # This check ignores HTTP requests which contain ports that secure Internet Protocols enforce TLS/SSL encryption through. - if not ({base.request.url.port} matches "(443|989|990|993|587|465|636|5223|5061|563)") then + # This check ignores HTTP requests with URLs which possess indicators of `login/sign-up/password-reset` functionalities. + if not ({base.request.url.file} matches "(?i)(log[-_]?in|sign[-_]?in|sign[-_]?up|registration|register|access|auth|cdsso|forgot|reset)") then - # This check ignores HTTP requests with URLs which possess indicators of `login/sign-up/password-reset` functionalities. - if not ({base.request.url.file} matches "(?i)(log[-_]?in|sign[-_]?in|sign[-_]?up|registration|register|access|auth|cdsso|forgot|reset)") then + # This check detects for deployment of the `Authorization` HTTP request header using the `Basic` attribute. + if ({base.request.headers} matches "(?i)(Authorization:\s*Basic)") then + report issue: + severity: low + confidence: firm + detail: `{issueDetail_FULL}` + remediation: `{issueRemediation_FULL}` - # This check detects for deployment of the `Authorization` HTTP request header using the `Basic` attribute. - if ({base.request.headers} matches "(?i)(Authorization:\s*Basic)") then - report issue: - severity: low - confidence: firm - detail: `{issueDetail_FULL}` - remediation: `{issueRemediation_FULL}` - - end if end if end if end if