Update Swagger Secret Detector with improved checks and minor changes suggested

Author: Aastha Sahni

active/swagger-secret-detector.js

@@ -10,7 +10,7 @@ var ScanRuleMetadata = Java.type("org.zaproxy.addon.commonlib.scanrules.ScanRule
 var CommonAlertTag = Java.type("org.zaproxy.addon.commonlib.CommonAlertTag");
 function getMetadata() {
 return ScanRuleMetadata.fromYaml(`
-id: 100001
+id: 100043
 name: Swagger UI Secret & Vulnerability Detector
 description: >
   Detects exposed Swagger UI and OpenAPI endpoints that leak sensitive secrets such as API keys, 
@@ -19,14 +19,10 @@ description: >
 solution: >
   Remove hardcoded secrets from API documentation, restrict access to API documentation endpoints,
   and upgrade Swagger UI to a secure version. Ensure proper authentication is required to access documentation.
-references:
-  - https://swagger.io/docs/
-  - https://owasp.org/www-project-api-security/
 category: info_gather
 risk: high
 confidence: medium
-cweId: 200  # CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
-wascId: 13  # WASC-13: Information Leakage
+cweId: 522  # Insufficiently Protected Credentials
 alertTags:
   ${CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getTag()}: ${CommonAlertTag.OWASP_2021_A05_SEC_MISCONFIG.getValue()}
   ${CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG.getTag()}: ${CommonAlertTag.OWASP_2017_A06_SEC_MISCONFIG.getValue()}
@@ -232,8 +228,8 @@ function scanPath(as, origMsg, scheme, host, port, pathOnly, fullPath) {
             as.newAlert()
                 .setRisk(3)
                 .setConfidence(2)
-                .setName("Vulnerable Swagger UI version detected (v" + semver + ")")
-                .setAlertRef("100001-1")
+                .setName("Vulnerable Swagger UI Version Detected (v" + semver + ")")
+                .setAlertRef("100043-1")
                 .setDescription("This Swagger UI version is known to contain vulnerabilities. Exploitation may allow unauthorized access, XSS, or token theft.\n\nAffected versions:\n- Swagger UI v2 < 2.2.10\n- Swagger UI v3 < 3.24.3")
                 .setOtherInfo("Discovered at: " + fullPath)
                 .setSolution("Upgrade to the latest version of Swagger UI. Regularly review and patch known issues.")
@@ -262,21 +258,22 @@ function detectSecrets(as, requestMsg, fullPath, body) {
 
     var evidenceRaw = Object.keys(matches);
     var redactedEvidence = evidenceRaw.map(redactSecret);
+   // var evidenceString = redactedEvidence.length > 0 ? redactedEvidence[0] : null;
     var foundClientId = evidenceRaw.some(e => /clientId/i.test(e));
     var foundSecret = evidenceRaw.some(e => /clientSecret|api_key|access_token|authorization/i.test(e));
 
     if (foundClientId && foundSecret) {
         as.newAlert()
             .setRisk(3)
             .setConfidence(2)
-            .setName("Exposed secrets in Swagger/OpenAPI path")
-            .setAlertRef("100001-2")
+            .setName("Exposed Secrets in Swagger/OpenAPI Path")
+            .setAlertRef("100043-2")
             .setDescription("Swagger UI endpoint exposes sensitive secrets such as client secrets, API keys, or OAuth tokens. These secrets may be accessible in the HTML source and should not be exposed publicly, as this can lead to compromise.")
-            .setEvidence(redactedEvidence.join("\n"))
-            .setOtherInfo("Discovered at: " + fullPath)
+            .setEvidence(redactedEvidence[0])
+            .setOtherInfo("All secrets exposed:\n" + redactedEvidence.join("\n"))
             .setSolution("Remove hardcoded secrets from documentation and ensure the endpoint is protected with authentication.")
             .setReference("https://swagger.io/docs/open-source-tools/swagger-ui/usage/oauth2/")
             .setMessage(requestMsg)
             .raise();
     }
-}
+}