ascanrulesAlpha: Add Swagger Secret Detector Script

Originally contributed in zaproxy/community-scripts#487.

Signed-off-by: ricekot <[email protected]>

Author: ricekot

addOns/ascanrulesAlpha/CHANGELOG.md

@@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
 ### Added
 - SYSTEMIC tag to selected rules.
+- Swagger Secret Detector Script Scan Rule.
 
 ### Changed
 - The Web Cache Deception scan rule now includes example alert functionality for documentation generation purposes (Issue 6119).

addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/scripts/ExtensionAscanRulesAlphaScripts.java

@@ -41,6 +41,7 @@ public class ExtensionAscanRulesAlphaScripts extends ExtensionAdaptor {
             LogManager.getLogger(ExtensionAscanRulesAlphaScripts.class);
     private static final String SCRIPT_SUSPICIOUS_INPUT_TRANSFORMATION =
             "SuspiciousInputTransformation.js";
+    private static final String SCRIPT_SWAGGER_SECRET_DETECTOR = "SwaggerSecretDetector.js";
 
     private ExtensionScript extScript;
 
@@ -90,6 +91,11 @@ private void addScripts() {
                         "ascanalpha.scripts.suspiciousInputTransformation.desc"),
                 extScript.getScriptType(ExtensionActiveScan.SCRIPT_TYPE_ACTIVE),
                 false);
+        addScript(
+                SCRIPT_SWAGGER_SECRET_DETECTOR,
+                Constant.messages.getString("ascanalpha.scripts.swaggerSecretDetector.desc"),
+                extScript.getScriptType(ExtensionActiveScan.SCRIPT_TYPE_ACTIVE),
+                false);
     }
 
     private void addScript(String name, String description, ScriptType type, boolean isTemplate) {
@@ -140,6 +146,7 @@ private void removeScripts() {
             return;
         }
         removeScript(SCRIPT_SUSPICIOUS_INPUT_TRANSFORMATION, false);
+        removeScript(SCRIPT_SWAGGER_SECRET_DETECTOR, false);
     }
 
     private void removeScript(String name, boolean isTemplate) {

addOns/ascanrulesAlpha/src/main/javahelp/org/zaproxy/zap/extension/ascanrulesAlpha/resources/help/contents/ascanalpha.html

@@ -41,6 +41,14 @@ <H2 id="id-40039">Web Cache Deception</H2>
 <br>
 Alert ID: <a href="https://www.zaproxy.org/docs/alerts/40039/">40039</a>.
 
+<H2 id="id-100043">Swagger Secret & Vulnerability Detector</H2>
+This is an active script scan rule. It attempts to find exposed OpenAPI documentation that leaks sensitive secrets such
+as API keys, OAuth client secrets, access tokens, or run vulnerable versions.
+<p>
+Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesAlpha/src/main/zapHomeFiles/scripts/scripts/active/SwaggerSecretDetector.js">SwaggerSecretDetector.js</a>
+<br>
+Alert ID: <a href="https://www.zaproxy.org/docs/alerts/100043/">100043</a>.
+
 <H2 id="id-100044">Suspicious Input Transformation</H2>
 This is an active script scan rule. It detects various types of suspicious input transformations that may indicate
 potential security vulnerabilities such as template injection, expression evaluation, quote consumption, and issues

addOns/ascanrulesAlpha/src/main/resources/org/zaproxy/zap/extension/ascanrulesAlpha/resources/Messages.properties

@@ -28,6 +28,7 @@ ascanalpha.name = Active Scan Rules - alpha
 ascanalpha.scripts.desc = Adds alpha status active scan rule scripts.
 ascanalpha.scripts.name = Active Scan Rule Scripts - alpha
 ascanalpha.scripts.suspiciousInputTransformation.desc = This script detects suspicious input transformations in web applications.
+ascanalpha.scripts.swaggerSecretDetector.desc = This script attempts to find exposed API documentation endpoints that may contain sensitive information.
 ascanalpha.scripts.warn.couldNotAddScripts = Could not add alpha active scan rule scripts: {0}.
 
 ascanalpha.webCacheDeception.desc = Web cache deception may be possible. It may be possible for unauthorised user to view sensitive data on this page.