diff --git a/passive/APIKeyDiscovery.js b/passive/APIKeyDiscovery.js new file mode 100644 index 00000000..9b2e5e3e --- /dev/null +++ b/passive/APIKeyDiscovery.js 
@@ -0,0 +1,176 @@ +// Lazily crafted by Anthony Cozamanis - kurobeats@yahoo.co.jp + +function scan(ps, msg, src) +{ + var url = msg.getRequestHeader().getURI().toString(); + var body = msg.getResponseBody().toString() + var alertRisk = [0,1,2,3,4] //1=informational, 2=low, 3=medium, 4=high + var alertConfidence = [0,1,2,3,4] //0=fp,1=low,2=medium,3=high,4=confirmed + var alertTitle = ["Stripe API key Disclosed (script)", + "Recon-ng web reconnaissance framework API key database Disclosed (script)", + "Generic API Key Disclosed (script)", + "Google Cloud API Key Disclosed (script)", + "Picatic API key Disclosed (script)", + "Twilio API Key Disclosed (script)", + "SendGrid API Key Disclosed (script)", + "MailGun API Key Disclosed (script)", + "MailChimp API Key Disclosed (script)", + "NuGet API Key Disclosed (script)", + "SonarQube Docs API Key Disclosed (script)", + "StackHawk API Key Disclosed (script)", + ""] + var alertDesc = ["A Stripe API key was discovered.", + "A Recon-ng web reconnaissance framework API key database was discovered.", + "A Generic API Key was discovered.", + "A Google Cloud API Key was discovered.", + "A Picatic API key was discovered.", + "A Twilio API Key was discovered.", + "A SendGrid API Key was discovered.", + "A MailGun API Key was discovered.", + "A MailChimp API Key was discovered.", + "A NuGet API Key was discovered.", + "A SonarQube Docs API Key was discovered.", + "A StackHawk API Key was discovered.", + ""] + var alertSolution = ["Ensure API keys that are publically accessible are not sensitive in nature.", + ""] + var cweId = [0,1] + var wascId = [0,1] + + var stripe = /((?:r|p|s)k_(live|test)_[0-9a-zA-Z]{24})/g + var reconng = /(\.?recon-ng\/keys\.db)/g + var generic = /([a|A][p|P][i|I][_]?[k|K][e|E][y|Y].*['|\"][0-9a-zA-Z]{32,45}['|\"])/g + var googlecloud = /(AIza[0-9A-Za-z\-_]{35})/g + var picatic = /(sk_(live|test)_[0-9a-z]{32})/g + var twilio = /(SK[0-9a-fA-F]{32})/g + var sendgrid = 
/(SG\.[0-9A-Za-z\-_]{22}\.[0-9A-Za-z\-_]{43})/g + var mailgun = /(key-[0-9a-zA-Z]{32})/g + var mailchimp = /([0-9a-f]{32}-us[0-9]{12})/g + var nuget = /(oy2[a-z0-9]{43})/g + var sonarqube = /((\i)sonar.{0,50}(\"|'|`)?[0-9a-f]{40}(\"|'|`)?)/g + var stackhawk = /(hawk\.[0-9A-Za-z\-_]{20}\.[0-9A-Za-z\-_]{20})/g + + if (stripe.test(body)) + { + stripe.lastIndex = 0 + var foundstripe = [] + var comm + while (comm = stripe.exec(body)) + { + foundstripe.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[0], alertDesc[0], url, '', '', foundstripe.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + + if (reconng.test(body)) + { + reconng.lastIndex = 0 + var foundreconng = [] + while (comm = reconng.exec(body)) + { + foundreconng.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[1], alertDesc[1], url, '', '', foundreconng.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (generic.test(body)) + { + generic.lastIndex = 0 + var foundgeneric = [] + while (comm = generic.exec(body)) + { + foundgeneric.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[2], alertDesc[2], url, '', '', foundgeneric.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (googlecloud.test(body)) + { + googlecloud.lastIndex = 0 + var foundgooglecloud = [] + while (comm = googlecloud.exec(body)) + { + foundgooglecloud.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[3], alertDesc[3], url, '', '', foundgooglecloud.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + + if (picatic.test(body)) + { + picatic.lastIndex = 0 + var foundpicatic = [] + while (comm = picatic.exec(body)) + { + foundpicatic.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[4], alertDesc[4], url, '', '', foundpicatic.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (twilio.test(body)) + { + 
twilio.lastIndex = 0 + var foundtwilio = [] + while (comm = twilio.exec(body)) + { + foundtwilio.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[5], alertDesc[5], url, '', '', foundtwilio.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (sendgrid.test(body)) + { + sendgrid.lastIndex = 0 + var foundsendgrid = [] + while (comm = sendgrid.exec(body)) + { + foundsendgrid.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[6], alertDesc[6], url, '', '', foundsendgrid.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (mailgun.test(body)) + { + mailgun.lastIndex = 0 + var foundmailgun = [] + while (comm = mailgun.exec(body)) + { + foundmailgun.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[7], alertDesc[7], url, '', '', foundmailgun.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (mailchimp.test(body)) + { + mailchimp.lastIndex = 0 + var foundmailchimp = [] + while (comm = mailchimp.exec(body)) + { + foundmailchimp.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[1], alertTitle[8], alertDesc[8], url, '', '', foundmailchimp.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (nuget.test(body)) + { + nuget.lastIndex = 0 + var foundnuget = [] + while (comm = nuget.exec(body)) + { + foundnuget.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[9], alertDesc[9], url, '', '', foundnuget.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (sonarqube.test(body)) + { + sonarqube.lastIndex = 0 + var foundsonarqube = [] + while (comm = sonarqube.exec(body)) + { + foundsonarqube.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[10], alertDesc[10], url, '', '', foundsonarqube.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (stackhawk.test(body)) + { + stackhawk.lastIndex = 0 + var foundstackhawk = [] 
+ while (comm = stackhawk.exec(body)) + { + foundstackhawk.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[11], alertDesc[11], url, '', '', foundstackhawk.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } +} diff --git a/passive/ASCIIHexEncodedStringDiscovery.js b/passive/ASCIIHexEncodedStringDiscovery.js new file mode 100644 index 00000000..c29bbbc6 --- /dev/null +++ b/passive/ASCIIHexEncodedStringDiscovery.js 
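Review bot: The `sonarqube` pattern can never fire on real content: in a JavaScript regex literal `(\i)` is not an inline case-insensitive flag but the identity escape for the letter i (some engines reject the escape outright), so the pattern requires the literal text `isonar`; drop the `(\i)` group and put the flag on the literal instead (`/(sonar.{0,50}…)/gi`). The `generic` pattern has the opposite problem: classes like `[a|A]` also admit `|`, and the unbounded greedy `.*` between the key name and the quoted value lets a single match swallow an entire minified line and drag in whatever is quoted later on it, so `var generic = /(api_?key.{0,50}?['"][0-9a-zA-Z]{32,45}['"])/gi` is both tighter and far cheaper on large bodies. Every alert is raised with `cweId[0]`/`wascId[0]`, i.e. CWE 0 / WASC 0 — CWE-798 (hard-coded credentials) or CWE-200 (information exposure) would let the findings be triaged alongside ZAP's built-in rules. The risk comment `//1=informational, 2=low, 3=medium, 4=high` disagrees with what is passed (`alertRisk[3]` is 3), and if this is ZAP's `raiseAlert(…, otherInfo, solution, evidence, …)` argument order the matched values belong in the `evidence` slot, which is currently always `''`.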
@@ -0,0 +1,44 @@
+// This community script will analyze the response for ASCII Hex encoded strings
+
+function scan(ps, msg, src) {
+ var RESULT_PER_FINDING = new Boolean(0) // If you want to see results on a per comment basis (i.e.: A single URL may be listed more than once), set this to true (1)
+ var RESULT_PER_URL = new Boolean(1) // If you want to see results on a per URL basis (i.e.: all comments for a single URL will be grouped together), set this to true (1)
+
+
+ var alertRisk = 0
+ var alertConfidence = 1
+ var alertTitle = 'ASCII Hex-encoded string found (script)'
+ var alertDesc = "A ASCII Hex-encoded string has been found in the HTTP response body. ASCII Hex-encoded data may contain sensitive information which should be further inspected."
+ var alertSolution = 'ASCII Hex-encoding is used for all sorts of things. It is worth investigating and decoding.'
+ var cweId = 0
+ var wascId = 0
+ var url = msg.getRequestHeader().getURI().toString();
+ var re = /(^(?:[0-9A-Fa-f]{2})*$)/g
+
+ var contenttype = msg.getResponseHeader().getHeader("Content-Type")
+ var unwantedfiletypes = ['image/png', 'image/jpeg','image/gif','application/x-shockwave-flash']
+
+ if (unwantedfiletypes.indexOf(""+contenttype) >= 0) {
+ // skip scan if unwanted filetypes are found
+ return
+ }else{
+ var body = msg.getResponseBody().toString()
+ if (re.test(body)) {
+ re.lastIndex = 0
+ var foundstrings = []
+ var counter=0
+ var comm
+ while (comm = re.exec(body)) {
+ if (RESULT_PER_FINDING == true) {
+ counter = counter+1;
+ ps.raiseAlert(alertRisk, alertConfidence, alertTitle, alertDesc, url, 'fakeparam'+counter, '', comm[0], alertSolution,'' , cweId, wascId, msg);
+ }
+ foundstrings.push(comm[0]);
+ }
+ if (RESULT_PER_URL == true)
+ {
+ ps.raiseAlert(alertRisk, alertConfidence, alertTitle, alertDesc, url, '', '', foundstrings.toString(), alertSolution,'' , cweId, wascId, msg);
+ }
+ }
+ }
+}
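Review bot: `re.test(body)` succeeds on an empty body, because `^(?:[0-9A-Fa-f]{2})*$` matches the empty string, and the `while (comm = re.exec(body))` loop then never terminates: `exec` with the `g` flag leaves `lastIndex` at 0 after a zero-length match, so every 204/304/HEAD-style response with no body hangs the passive scanner while `foundstrings` grows without bound. Requiring a minimum amount of hex fixes both that and the trivial matches, e.g. `var re = /(^(?:[0-9A-Fa-f]{2}){8,}$)/g`. Note also that without the `m` flag the anchors apply to the whole body, so the rule only fires when the entire response is hex, whereas the header comment promises to find hex strings *in* the response — that would need an unanchored form such as `/\b(?:[0-9A-Fa-f]{2}){8,}\b/g`. `new Boolean(0)` is a truthy object that only works here because of the `== true` comparison; plain `false`/`true` with `===` says what is meant. The `unwantedfiletypes.indexOf(""+contenttype)` check is an exact match, so a `image/png; charset=…`-style header slips through — comparing `String(contenttype).split(';')[0].trim()` covers those.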
diff --git a/passive/AWSRelatedDiscovery.js b/passive/AWSRelatedDiscovery.js new file mode 100644 index 00000000..4aa6e75e --- /dev/null +++ b/passive/AWSRelatedDiscovery.js 
@@ -0,0 +1,124 @@ +// Lazily crafted by Anthony Cozamanis - kurobeats@yahoo.co.jp + +function scan(ps, msg, src) +{ + var url = msg.getRequestHeader().getURI().toString(); + var body = msg.getResponseBody().toString() + var alertRisk = [0,1,2,3,4] //1=informational, 2=low, 3=medium, 4=high + var alertConfidence = [0,1,2,3,4] //0=fp,1=low,2=medium,3=high,4=confirmed + var alertTitle = ["AWS CLI credentials file Disclosed (script)", + "AWS Access Key ID Value Disclosed (script)", + "AWS ARN Disclosed (script)", + "AWS Secret Access Key Disclosed (script)", + "AWS Session Token Disclosed (script)", + "AWS credential file Disclosed (script)", + "Amazon MWS Auth Token Disclosed (script)", + "S3cmd configuration file Disclosed (script)", + ""] + var alertDesc = ["An AWS CLI credentials file was discovered.", + "An AWS Access Key ID Value was discovered.", + "An AWS ARN was discovered.", + "An AWS Secret Access Key was discovered.", + "An AWS Session Token was discovered.", + "An AWS credential file was discovered.", + "An Amazon MWS Auth Token was discovered.", + "An S3cmd configuration file was discovered.", + ""] + var alertSolution = ["Ensure API keys, Tokens and configuration files that are publically accessible are not sensitive in nature.", + ""] + var cweId = [0,1] + var wascId = [0,1] + + var awsclicreds = /\.?aws\/credentials/g; + var awsaccesskeyid = /((A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}|[A-Z0-9]{20})/g; + var awsarn = /arn:aws:organizations::\d{12}:account\/o-[a-z0-9]{10,32}\/\d{12}/g; + var awssecretskey = /(?|=)\s{0,50}(\"|'|`)?service_account(\"|'|`)?,?))/g + + if (googleoauthkey.test(body)) + { + googleoauthkey.lastIndex = 0 + var foundgoogleoauthkey = [] + var comm + while (comm = googleoauthkey.exec(body)) + { + foundgoogleoauthkey.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[0], alertDesc[0], url, '', '', foundgoogleoauthkey.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + + 
if (googleoauthaccesstoken.test(body)) + { + googleoauthaccesstoken.lastIndex = 0 + var foundgoogleoauthaccesstoken = [] + while (comm = googleoauthaccesstoken.exec(body)) + { + foundgoogleoauthaccesstoken.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[1], alertDesc[1], url, '', '', foundgoogleoauthaccesstoken.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (googleserviceaccount.test(body)) + { + googleserviceaccount.lastIndex = 0 + var foundgoogleserviceaccount = [] + while (comm = googleserviceaccount.exec(body)) + { + foundgoogleserviceaccount.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[2], alertDesc[2], url, '', '', foundgoogleserviceaccount.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } +} diff --git a/passive/InfrastructureRelatedDiscovery.js b/passive/InfrastructureRelatedDiscovery.js new file mode 100644 index 00000000..0f6054da --- /dev/null +++ b/passive/InfrastructureRelatedDiscovery.js 
@@ -0,0 +1,267 @@ +// Lazily crafted by Anthony Cozamanis - kurobeats@yahoo.co.jp + +function scan(ps, msg, src) +{ + var url = msg.getRequestHeader().getURI().toString(); + var body = msg.getResponseBody().toString() + var alertRisk = [0,1,2,3,4] //1=informational, 2=low, 3=medium, 4=high + var alertConfidence = [0,1,2,3,4] //0=fp,1=low,2=medium,3=high,4=confirmed + var alertTitle = ["DigitalOcean doctl command-line client configuration file Disclosed (script)", + "Tugboat DigitalOcean management tool configuration Disclosed (script)", + "GitHub Hub command-line client configuration file Disclosed (script)", + "Firebase URL Disclosed (script)", + "GitHub stuff Disclosed (script)", + "Generic Secret Disclosed (script)", + "IP Address Disclosed (script)", + "Slack Token Disclosed (script)", + "Slack Webhook Disclosed (script)", + "Outlook Team Webhook Disclosed (script)", + "Artifactory stuff Disclosed (script)", + "CodeClimate stuff Disclosed (script)", + "Sauce Token Disclosed (script)", + "Github Key Disclosed (script)", + "Heroku Key Disclosed (script)", + "Splunk Authorization Disclosed (script)", + "Square Access Token Disclosed (script)", + "Square OAuth Secret Disclosed (script)", + "PayPal/Braintree Access Token Disclosed (script)", + ""] + var alertDesc = ["A DigitalOcean doctl command-line client configuration file was discovered.", + "A Tugboat DigitalOcean management tool configuration was discovered.", + "A GitHub Hub command-line client configuration file was discovered.", + "A Firebase URL was discovered.", + "GitHub stuff was discovered.", + "A Generic Secret was discovered.", + "An IP Address was discovered.", + "A Slack Token was discovered.", + "A Slack Webhook was discovered.", + "An Outlook Team Webhook was discovered.", + "Artifactory stuff was discovered", + "CodeClimate stuff was discovered", + "A Sauce Token was discovered", + "A Github Key was discovered", + "A Heroku Key was discovered", + "Splunk Authorization was discovered", + "A 
Square Access Token was discovered", + "A Square OAuth Secret was discovered", + "A PayPal/Braintree Access Token was discovered", + ""] + var alertSolution = ["Ensure API keys, Tokens and configuration files that are publically accessible are not sensitive in nature.", + ""] + var cweId = [0,1] + var wascId = [0,1] + + var doctlcliconfig = /(doctl\/config\.yaml)/g + var dotugboat = /(\.?tugboat)/g + var githubhub = /(config\/hub)/g + var firebaseurl = /([a-z0-9.-]+\.firebaseio\.com)/g + var githubstuff = /([g|G][i|I][t|T][h|H][u|U][b|B].*['|\"][0-9a-zA-Z]{35,40}['|\"])/g + var genericsecret = /([s|S][e|E][c|C][r|R][e|E][t|T].*['|\"][0-9a-zA-Z]{32,45}['|\"])/g + var ipaddress = /([^\.0-9](([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])[^\.0-9])/g + var slacktoken = /((xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32}))/g + var slackwebhook = /(https:\/\/hooks\.slack\.com\/services\/T[a-zA-Z0-9_]{8}\/B[a-zA-Z0-9_]{8}\/[a-zA-Z0-9_]{24})/g + var outlookwebhook = /(https:\/\/outlook\.office\.com\/webhook\/[0-9a-f-]{36}@)/g + var artifactorystuff = /((\i)artifactory.{0,50}(\"|'|`)?[a-zA-Z0-9=]{112}(\"|'|`)?)/g + var codeclimatestuff = /((\i)codeclima.{0,50}(\"|'|`)?[0-9a-f]{64}(\"|'|`)?)/g + var saucetoken = /((\i)sauce.{0,50}(\"|'|`)?[0-9a-f-]{36}(\"|'|`)?)/g + var githubkey = /((\i)github(.{0,20})?(\-i)['\"][0-9a-zA-Z]{35,40}['\"])/g + var herokukey = /((\i)heroku(.{0,20})?['\"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"])/g + var splunkauth = /(Splunk\s(\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1})/g + var squareaccesstoken = /(sq0atp-[0-9A-Za-z\-_]{22})/g + var squareoauthsecret = /(sq0csp-[0-9A-Za-z\-_]{43})/g + var paypalaccesstoken = /(access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32})/g + + if (doctlcliconfig.test(body)) + { + doctlcliconfig.lastIndex = 0 + var founddoctlcliconfig = [] + var comm + while (comm = doctlcliconfig.exec(body)) + { 
+ founddoctlcliconfig.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[0], alertDesc[0], url, '', '', founddoctlcliconfig.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + + if (dotugboat.test(body)) + { + dotugboat.lastIndex = 0 + var founddotugboat = [] + while (comm = dotugboat.exec(body)) + { + founddotugboat.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[1], alertDesc[1], url, '', '', founddotugboat.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (githubhub.test(body)) + { + githubhub.lastIndex = 0 + var foundgithubhub = [] + while (comm = githubhub.exec(body)) + { + foundgithubhub.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[2], alertDesc[2], url, '', '', foundgithubhub.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (firebaseurl.test(body)) + { + firebaseurl.lastIndex = 0 + var foundfirebaseurl = [] + while (comm = firebaseurl.exec(body)) + { + foundfirebaseurl.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[3], alertDesc[3], url, '', '', foundfirebaseurl.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + + if (githubstuff.test(body)) + { + githubstuff.lastIndex = 0 + var foundgithubstuff = [] + while (comm = githubstuff.exec(body)) + { + foundgithubstuff.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[4], alertDesc[4], url, '', '', foundgithubstuff.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (genericsecret.test(body)) + { + genericsecret.lastIndex = 0 + var foundgenericsecret = [] + while (comm = genericsecret.exec(body)) + { + foundgenericsecret.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[5], alertDesc[5], url, '', '', foundgenericsecret.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (ipaddress.test(body)) + { + ipaddress.lastIndex = 0 + 
var foundipaddress = [] + while (comm = ipaddress.exec(body)) + { + foundipaddress.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[6], alertDesc[6], url, '', '', foundipaddress.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (slacktoken.test(body)) + { + slacktoken.lastIndex = 0 + var foundslacktoken = [] + while (comm = slacktoken.exec(body)) + { + foundslacktoken.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[7], alertDesc[7], url, '', '', foundslacktoken.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (slackwebhook.test(body)) + { + slackwebhook.lastIndex = 0 + var foundslackwebhook = [] + while (comm = slackwebhook.exec(body)) + { + foundslackwebhook.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[8], alertDesc[8], url, '', '', foundslackwebhook.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (outlookwebhook.test(body)) + { + outlookwebhook.lastIndex = 0 + var foundoutlookwebhook = [] + while (comm = outlookwebhook.exec(body)) + { + foundoutlookwebhook.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[9], alertDesc[9], url, '', '', foundoutlookwebhook.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (artifactorystuff.test(body)) + { + artifactorystuff.lastIndex = 0 + var foundartifactorystuff = [] + while (comm = artifactorystuff.exec(body)) + { + foundartifactorystuff.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[10], alertDesc[10], url, '', '', foundartifactorystuff.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (codeclimatestuff.test(body)) + { + codeclimatestuff.lastIndex = 0 + var foundcodeclimatestuff = [] + while (comm = codeclimatestuff.exec(body)) + { + foundcodeclimatestuff.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[11], alertDesc[11], url, '', '', 
foundcodeclimatestuff.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (saucetoken.test(body)) + { + saucetoken.lastIndex = 0 + var foundsaucetoken = [] + while (comm = saucetoken.exec(body)) + { + foundsaucetoken.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[12], alertDesc[12], url, '', '', foundsaucetoken.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (githubkey.test(body)) + { + githubkey.lastIndex = 0 + var foundgithubkey = [] + while (comm = githubkey.exec(body)) + { + foundgithubkey.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[13], alertDesc[13], url, '', '', foundgithubkey.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (herokukey.test(body)) + { + herokukey.lastIndex = 0 + var foundherokukey = [] + while (comm = herokukey.exec(body)) + { + foundherokukey.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[14], alertDesc[14], url, '', '', foundherokukey.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (splunkauth.test(body)) + { + splunkauth.lastIndex = 0 + var foundsplunkauth = [] + while (comm = splunkauth.exec(body)) + { + foundsplunkauth.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[15], alertDesc[15], url, '', '', foundsplunkauth.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (squareaccesstoken.test(body)) + { + squareaccesstoken.lastIndex = 0 + var foundsquareaccesstoken = [] + while (comm = squareaccesstoken.exec(body)) + { + foundsquareaccesstoken.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[16], alertDesc[16], url, '', '', foundsquareaccesstoken.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (squareoauthsecret.test(body)) + { + squareoauthsecret.lastIndex = 0 + var foundsquareoauthsecret = [] + while (comm = squareoauthsecret.exec(body)) + { + 
foundsquareoauthsecret.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[17], alertDesc[17], url, '', '', foundsquareoauthsecret.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (paypalaccesstoken.test(body)) + { + paypalaccesstoken.lastIndex = 0 + var foundpaypalaccesstoken = [] + while (comm = paypalaccesstoken.exec(body)) + { + foundpaypalaccesstoken.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[18], alertDesc[18], url, '', '', foundpaypalaccesstoken.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } +} diff --git a/passive/InterestingFileDiscovery.js b/passive/InterestingFileDiscovery.js new file mode 100644 index 00000000..2dced15a --- /dev/null +++ b/passive/InterestingFileDiscovery.js 
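Review bot: Five of the patterns are dead because `(\i)` is not an inline flag in a JavaScript regex literal — it is the identity escape for the letter `i` (and some engines reject it) — so `artifactorystuff`, `codeclimatestuff`, `saucetoken`, `githubkey` and `herokukey` only match text containing `iartifactory`, `icodeclima`, `isauce`, `igithub…-i` (the `(\-i)` group is likewise a literal `-i`) and `iheroku`. The fix is to drop those groups and move case-insensitivity onto the literal's flags, as below. Separately, `ipaddress` and `firebaseurl` raise at `alertRisk[3]` under a "… Disclosed" title: any dotted quad, including version strings such as `1.2.3.4`, becomes a High-risk finding, which buries the real secrets — `alertRisk[0]` with `alertConfidence[1]` is more honest for those two. `githubstuff`/`genericsecret` share the `[g|G]`-class and greedy `.*` problems of the sibling API-key script, which `/(github.{0,50}?['"][0-9a-zA-Z]{35,40}['"])/gi` avoids.
```javascript
// … unchanged: alert metadata and the other pattern declarations …
var artifactorystuff = /(artifactory.{0,50}(\"|'|`)?[a-zA-Z0-9=]{112}(\"|'|`)?)/gi
var codeclimatestuff = /(codeclima.{0,50}(\"|'|`)?[0-9a-f]{64}(\"|'|`)?)/gi
var saucetoken = /(sauce.{0,50}(\"|'|`)?[0-9a-f-]{36}(\"|'|`)?)/gi
var githubkey = /(github(.{0,20})?['\"][0-9a-zA-Z]{35,40}['\"])/gi
var herokukey = /(heroku(.{0,20})?['\"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"])/gi
// … unchanged: per-pattern test/exec/raiseAlert blocks …
```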
@@ -0,0 +1,31 @@
+// Lazily crafted by Anthony Cozamanis - kurobeats@yahoo.co.jp
+
+function scan(ps, msg, src)
+{
+ var url = msg.getRequestHeader().getURI().toString();
+ var body = msg.getResponseBody().toString()
+ var alertRisk = [0,1,2,3,4] //1=informational, 2=low, 3=medium, 4=high
+ var alertConfidence = [0,1,2,3,4] //0=fp,1=low,2=medium,3=high,4=confirmed
+ var alertTitle = ["A file with an interesting extension (script)",
+ ""]
+ var alertDesc = ["A file with an interesting extension was discovered.",
+ ""]
+ var alertSolution = ["A file with an interesting extension was discovered. It might be nothing, but it's worth investigating.",
+ ""]
+ var cweId = [0,1]
+ var wascId = [0,1]
+
+ var interestingext = /(.*\.(pem|log|pkcs12|p12|pfx|asc|otr\.private_key|ovpn|cscfg|rdp|mdf|sdf|sqlite|sqlite3|bek|tpm|fve|jks|psafe3|rb|yml|py|agilekeychain|keychain|pcap|gnucash|xml|kwallet|php|tblk|plist|xpl|dayone|txt|terraform\.tfvars|exports|functions|extra|asa|inc|config|zip|tar|gz|tgz|rar|java|pdf|docx|doc|rtf|xlsx|xls|csv|pptx|ppt|bak|old|tmp|cer|crt|p7b))/gi
+
+ if (interestingext.test(body))
+ {
+ interestingext.lastIndex = 0
+ var foundinterestingext = []
+ var comm
+ while (comm = interestingext.exec(body))
+ {
+ foundinterestingext.push(comm[0]);
+ }
+ ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[0], alertDesc[0], url, '', '', foundinterestingext.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+}
diff --git a/passive/MiscSecretsAndFileDiscovery.js b/passive/MiscSecretsAndFileDiscovery.js
new file mode 100644
index 00000000..b14a4928
--- /dev/null
+++ b/passive/MiscSecretsAndFileDiscovery.js
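Review bot: The leading `.*` in `interestingext` makes each match the whole line up to the last `.ext` on it, and because nothing terminates the extension, `.py` also matches `.pyc`, `.tar` matches `.target` and `.doc` matches `.docker` — combined with extensions such as `txt`, `xml`, `php`, `inc`, `config` and `java`, nearly every HTML page raises a High-risk (`alertRisk[3]`) alert whose other-info is a dump of entire lines. Capture only the path token and close the extension, e.g. `var interestingext = /([\w.\/-]*\.(pem|log|…|p7b))(?![A-Za-z0-9])/gi` with the existing alternation kept in the middle, and rate it `alertRisk[0]` with `alertConfidence[1]`, since the solution text itself says "it might be nothing". Because the alternation sits inside `\.(…)`, the `otr\.private_key` and `terraform\.tfvars` entries only match when preceded by another dot (`.otr.private_key`), which is presumably not intended — if bare filenames should match, those two need their own alternative outside the `\.(…)` group.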
@@ -0,0 +1,215 @@ +// Lazily crafted by Anthony Cozamanis - kurobeats@yahoo.co.jp + +function scan(ps, msg, src) +{ + var url = msg.getRequestHeader().getURI().toString(); + var body = msg.getResponseBody().toString() + var alertRisk = [0,1,2,3,4] //1=informational, 2=low, 3=medium, 4=high + var alertConfidence = [0,1,2,3,4] //0=fp,1=low,2=medium,3=high,4=confirmed + var alertTitle = ["SSH configuration file Disclosed (script)", + "Potential cryptographic private key Disclosed (script)", + "Ruby IRB console history file Disclosed (script)", + "GNOME Keyring database file Disclosed (script)", + "Configuration file for auto-login process Disclosed (script)", + "Rubygems credentials file Disclosed (script)", + "git-credential-store helper credentials file Disclosed (script)", + "Git configuration file Disclosed (script)", + "Chef private key Disclosed (script)", + "Potential Linux shadow file Disclosed (script)", + "Potential Linux passwd file Disclosed (script)", + "Environment configuration file Disclosed (script)", + "SSH Password Disclosed (script)", + "Firefox saved password collection Disclosed (script)", + "KeePass password manager database file Disclosed (script)", + ""] + var alertDesc = ["A SSH configuration file was discovered.", + "A Potential cryptographic private key was discovered.", + "A Ruby IRB console history file was discovered.", + "A GNOME Keyring database file was discovered.", + "A Configuration file for auto-login process was discovered.", + "A Rubygems credentials file was discovered.", + "A git-credential-store helper credentials file was discovered.", + "A Git configuration file was discovered.", + "A Chef private key was discovered.", + "A Potential Linux shadow file was discovered", + "A Potential Linux passwd file was discovered", + "An Environment configuration file was discovered", + "An SSH Password was discovered", + "A Firefox saved password collection was discovered", + "A KeePass password manager database file was discovered.", + 
""] + var alertSolution = ["Ensure configuration files that are publically accessible are not sensitive in nature.", + ""] + var cweId = [0,1] + var wascId = [0,1] + + var sshconfig = /(\.?ssh\/config$)/g + var possprivatekey = /(^key(pair)?$)/g + var rubyirb = /((\.)?irb_history)/g + var gnomekeyring = /(key(store|ring)[\W]+)/g + var netrcconfig = /((\.|_)?netrc)/g + var rubygemsconfig = /(\.?gem\/credentials)/g + var gitcredstorehelper = /(\.?git-credentials)/g + var gitconfigfile = /(\.?gitconfig)/g + var chefprivatekey = /(\.?chef\/(.*)\.pem)/g + var linuxshadow = /(etc\/shadow)/g + var linuxpasswd = /(etc\/passwd)/g + var envconfigfile = /(\.env)/g + var sshpasswd = /(sshpass -p .*)/g + var firefoxpasswd = /(\.?mozilla\/firefox\/logins\.json)/g + var keepassdb = /(\.kdbx?)/g + + if (sshconfig.test(body)) + { + sshconfig.lastIndex = 0 + var foundsshconfig = [] + var comm + while (comm = sshconfig.exec(body)) + { + foundsshconfig.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[0], alertDesc[0], url, '', '', foundsshconfig.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + + if (possprivatekey.test(body)) + { + possprivatekey.lastIndex = 0 + var foundpossprivatekey = [] + while (comm = possprivatekey.exec(body)) + { + foundpossprivatekey.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[1], alertDesc[1], url, '', '', foundpossprivatekey.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (rubyirb.test(body)) + { + rubyirb.lastIndex = 0 + var foundrubyirb = [] + while (comm = rubyirb.exec(body)) + { + foundrubyirb.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[2], alertDesc[2], url, '', '', foundrubyirb.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (gnomekeyring.test(body)) + { + gnomekeyring.lastIndex = 0 + var foundgnomekeyring = [] + while (comm = gnomekeyring.exec(body)) + { + foundgnomekeyring.push(comm[0]); 
+ } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[3], alertDesc[3], url, '', '', foundgnomekeyring.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + + if (netrcconfig.test(body)) + { + netrcconfig.lastIndex = 0 + var foundnetrcconfig = [] + while (comm = netrcconfig.exec(body)) + { + foundnetrcconfig.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[4], alertDesc[4], url, '', '', foundnetrcconfig.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (rubygemsconfig.test(body)) + { + rubygemsconfig.lastIndex = 0 + var foundrubygemsconfig = [] + while (comm = rubygemsconfig.exec(body)) + { + foundrubygemsconfig.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[5], alertDesc[5], url, '', '', foundrubygemsconfig.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (gitcredstorehelper.test(body)) + { + gitcredstorehelper.lastIndex = 0 + var foundgitcredstorehelper = [] + while (comm = gitcredstorehelper.exec(body)) + { + foundgitcredstorehelper.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[6], alertDesc[6], url, '', '', foundgitcredstorehelper.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (gitconfigfile.test(body)) + { + gitconfigfile.lastIndex = 0 + var foundgitconfigfile = [] + while (comm = gitconfigfile.exec(body)) + { + foundgitconfigfile.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[7], alertDesc[7], url, '', '', foundgitconfigfile.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (chefprivatekey.test(body)) + { + chefprivatekey.lastIndex = 0 + var foundchefprivatekey = [] + while (comm = chefprivatekey.exec(body)) + { + foundchefprivatekey.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[8], alertDesc[8], url, '', '', foundchefprivatekey.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + 
} + if (linuxshadow.test(body)) + { + linuxshadow.lastIndex = 0 + var foundlinuxshadow = [] + while (comm = linuxshadow.exec(body)) + { + foundlinuxshadow.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[9], alertDesc[9], url, '', '', foundlinuxshadow.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (linuxpasswd.test(body)) + { + linuxpasswd.lastIndex = 0 + var foundlinuxpasswd = [] + while (comm = linuxpasswd.exec(body)) + { + foundlinuxpasswd.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[10], alertDesc[10], url, '', '', foundlinuxpasswd.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (envconfigfile.test(body)) + { + envconfigfile.lastIndex = 0 + var foundenvconfigfile = [] + while (comm = envconfigfile.exec(body)) + { + foundenvconfigfile.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[11], alertDesc[11], url, '', '', foundenvconfigfile.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (sshpasswd.test(body)) + { + sshpasswd.lastIndex = 0 + var foundsshpasswd = [] + while (comm = sshpasswd.exec(body)) + { + foundsshpasswd.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[12], alertDesc[12], url, '', '', foundsshpasswd.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (firefoxpasswd.test(body)) + { + firefoxpasswd.lastIndex = 0 + var foundfirefoxpasswd = [] + while (comm = firefoxpasswd.exec(body)) + { + foundfirefoxpasswd.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[13], alertDesc[13], url, '', '', foundfirefoxpasswd.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (keepassdb.test(body)) + { + keepassdb.lastIndex = 0 + var foundkeepassdb = [] + while (comm = keepassdb.exec(body)) + { + foundkeepassdb.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[14], alertDesc[14], url, 
'', '', foundkeepassdb.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+}
diff --git a/passive/PrivateSSHKeyDiscovery.js b/passive/PrivateSSHKeyDiscovery.js
new file mode 100644
index 00000000..e46f9f24
--- /dev/null
+++ b/passive/PrivateSSHKeyDiscovery.js
@@ -0,0 +1,31 @@
+// Lazily crafted by Anthony Cozamanis - kurobeats@yahoo.co.jp
+
+function scan(ps, msg, src)
+{
+ var url = msg.getRequestHeader().getURI().toString();
+ var body = msg.getResponseBody().toString()
+ var alertRisk = [0,1,2,3,4] //1=informational, 2=low, 3=medium, 4=high
+ var alertConfidence = [0,1,2,3,4] //0=fp,1=low,2=medium,3=high,4=confirmed
+ var alertTitle = ["Private SSH key Disclosed (script)",
+ ""]
+ var alertDesc = ["A Private SSH key was discovered.",
+ ""]
+ var alertSolution = ["Store SSH Private keys in a secure location.",
+ ""]
+ var cweId = [0,1]
+ var wascId = [0,1]
+
+ var privatesshkey = /(^.*_rsa|^.*_dsa|^.*_ed25519|^.*_ecdsa|-----BEGIN (EC|RSA|DSA|OPENSSH) PRIVATE KEY|PGP)/g
+
+ if (privatesshkey.test(body))
+ {
+ privatesshkey.lastIndex = 0
+ var foundprivatesshkey = []
+ var comm
+ while (comm = privatesshkey.exec(body))
+ {
+ foundprivatesshkey.push(comm[0]);
+ }
+ ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[0], alertDesc[0], url, '', '', foundprivatesshkey.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+}
diff --git a/passive/SQLInjectionDetection.js b/passive/SQLInjectionDetection.js
new file mode 100644
index 00000000..ae7b5bac
--- /dev/null
+++ b/passive/SQLInjectionDetection.js
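Review bot: `possprivatekey = /(^key(pair)?$)/g` is anchored to the whole body (no `m` flag), so it only fires when the entire response is the text `key` or `keypair` — it detects no key material at all — and the same whole-body `$` makes `sshconfig` match only when the response *ends* in `ssh/config`. `envconfigfile = /(\.env)/g` matches `process.env`, `.environment` and similar in every JavaScript bundle, and `gnomekeyring` (`keystore`/`keyring`) behaves the same way, each raised at `alertRisk[3]`; anchoring the token, e.g. `var envconfigfile = /((?:^|[\s"'\/])\.env(?!\w))/gm`, removes most of that noise. `linuxshadow`/`linuxpasswd` (`etc\/shadow`, `etc\/passwd`) match a mention of the path, not the file, yet the title says the file was "Disclosed"; a content check such as `var linuxpasswd = /(^root:[^:\n]*:0:0:)/gm` (and `var linuxshadow = /(^root:[$!*][^:\n]*:\d+:)/gm`) would justify that title, with the path-mention patterns demoted to Informational. `sshpasswd = /(sshpass -p .*)/g` copies the rest of the line — the password itself — into the alert's other-info, which then lands in the session file and any exported report; consider recording only the `sshpass -p` prefix as evidence.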
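Review bot: The bare `PGP` alternative in `privatesshkey` is an unqualified substring, so any page mentioning PGP (`OpenPGP`, `PGP public key`) raises a High-risk "Private SSH key Disclosed" alert, and the `^.*_rsa` family is anchored to the start of the whole body (no `m` flag) while also matching `id_rsa.pub`, i.e. the public half. `-----BEGIN PRIVATE KEY-----` (PKCS#8) and `-----BEGIN ENCRYPTED PRIVATE KEY-----`, which are common leaks from web roots, are not matched at all. A tighter literal covers the PEM headers and bare `id_*` key filenames while excluding `.pub`: `var privatesshkey = /(-----BEGIN (?:EC |RSA |DSA |OPENSSH |PGP |ENCRYPTED )?PRIVATE KEY(?: BLOCK)?-----|(?:^|[\s"'\/])id_(?:rsa|dsa|ed25519|ecdsa)(?![\w.]))/gm`. The script shares the `cweId[0]`/`wascId[0]` = 0 placeholder with the sibling scripts; CWE-321 (hard-coded cryptographic key) or CWE-200 would be more useful for triage.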
@@ -0,0 +1,202 @@ +// Made by kurobeats@yahoo.co.jp, regex shamelessly ripped from SQLMap project errors + +function scan(ps, msg, src) +{ + var url = msg.getRequestHeader().getURI().toString(); + var body = msg.getResponseBody().toString() + var alertRisk = [0,1,2,3,4] //1=informational, 2=low, 3=medium, 4=high + var alertConfidence = [0,1,2,3,4] //0=fp,1=low,2=medium,3=high,4=confirmed + var alertTitle = ["MySQL error Disclosed (script)", + "Postgresql error Disclosed (script)", + "MSSQL error Disclosed (script)", + "Microsoft Access error Disclosed (script)", + "Oracle error Disclosed (script)", + "IBM DB2 error Disclosed (script)", + "Informix error Disclosed (script)", + "Firebird error Disclosed (script)", + "SQLite error Disclosed (script)", + "SAP DB error Disclosed (script)", + "Sybase error Disclosed (script)", + "Ingress error Disclosed (script)", + "Frontbase error Disclosed (script)", + "HSQLDB error Disclosed (script)", + ""] + var alertDesc = ["A MySQL error was discovered.", + "A Postgresql error was discovered.", + "A MSSQL error was discovered.", + "A Microsoft Access error was discovered.", + "An Oracle error was discovered.", + "An IBM DB2 error was discovered.", + "An Informix error was discovered.", + "A Firebird error was discovered.", + "An SQLite error was discovered", + "A SAP DB error was discovered", + "A Sybase error was discovered", + "An Ingress error was discovered", + "A Frontbase error was discovered", + "A HSQLDB error was discovered", + ""] + var alertSolution = ["Ensure proper sanitisation is done on the server side, or don't. 
I don't care.", + ""] + var cweId = [0,1] + var wascId = [0,1] + + var mysql = /(SQL syntax.*MySQL|Warning.*mysql_.*|MySqlException \(0x|valid MySQL result|check the manual that corresponds to your (MySQL|MariaDB) server version|MySqlClient\.|com\.mysql\.jdbc\.exceptions)/g + var postgresql = /(PostgreSQL.*ERROR|Warning.*\Wpg_.*|valid PostgreSQL result|Npgsql\.|PG::SyntaxError:|org\.postgresql\.util\.PSQLException|ERROR:\s\ssyntax error at or near)/g + var mssql = /(Driver.* SQL[\-\_\ ]*Server|OLE DB.* SQL Server|\bSQL Server.*Driver|Warning.*mssql_.*|\bSQL Server.*[0-9a-fA-F]{8}|[\s\S]Exception.*\WSystem\.Data\.SqlClient\.|[\s\S]Exception.*\WRoadhouse\.Cms\.|Microsoft SQL Native Client.*[0-9a-fA-F]{8})/g + var msaccess = /(Microsoft Access (\d+ )?Driver|JET Database Engine|Access Database Engine|ODBC Microsoft Access)/g + var oracle = /(\bORA-\d{5}|Oracle error|Oracle.*Driver|Warning.*\Woci_.*|Warning.*\Wora_.*)/g + var ibmdb2 = /(CLI Driver.*DB2|DB2 SQL error|\bdb2_\w+\(|SQLSTATE.+SQLCODE)/g + var informix = /(Exception.*Informix)/g + var firebird = /(Dynamic SQL Error|Warning.*ibase_.*)/g + var sqlite = /(SQLite\/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException|Warning.*sqlite_.*|Warning.*SQLite3::|\[SQLITE_ERROR\])/g + var sapdb = /(SQL error.*POS([0-9]+).*|Warning.*maxdb.*)/g + var sybase = /(Warning.*sybase.*|Sybase message|Sybase.*Server message.*|SybSQLException|com\.sybase\.jdbc)/g + var ingress = /(Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)/g + var frontbase = /(Exception (condition )?\d+. 
Transaction rollback.)/g + var hsqldb = /(org\.hsqldb\.jdbc|Unexpected end of command in statement \[|Unexpected token.*in statement \[)/g + + if (mysql.test(body)) + { + mysql.lastIndex = 0 + var foundmysql = [] + var comm + while (comm = mysql.exec(body)) + { + foundmysql.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[0], alertDesc[0], url, '', '', foundmysql.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + + if (postgresql.test(body)) + { + postgresql.lastIndex = 0 + var foundpostgresql = [] + while (comm = postgresql.exec(body)) + { + foundpostgresql.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[1], alertDesc[1], url, '', '', foundpostgresql.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (mssql.test(body)) + { + mssql.lastIndex = 0 + var foundmssql = [] + while (comm = mssql.exec(body)) + { + foundmssql.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[2], alertDesc[2], url, '', '', foundmssql.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (msaccess.test(body)) + { + msaccess.lastIndex = 0 + var foundmsaccess = [] + while (comm = msaccess.exec(body)) + { + foundmsaccess.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[3], alertDesc[3], url, '', '', foundmsaccess.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + + if (oracle.test(body)) + { + oracle.lastIndex = 0 + var foundoracle = [] + while (comm = oracle.exec(body)) + { + foundoracle.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[4], alertDesc[4], url, '', '', foundoracle.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (ibmdb2.test(body)) + { + ibmdb2.lastIndex = 0 + var foundibmdb2 = [] + while (comm = ibmdb2.exec(body)) + { + foundibmdb2.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[5], alertDesc[5], url, '', '', 
foundibmdb2.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (informix.test(body)) + { + informix.lastIndex = 0 + var foundinformix = [] + while (comm = informix.exec(body)) + { + foundinformix.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[6], alertDesc[6], url, '', '', foundinformix.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (firebird.test(body)) + { + firebird.lastIndex = 0 + var foundfirebird = [] + while (comm = firebird.exec(body)) + { + foundfirebird.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[7], alertDesc[7], url, '', '', foundfirebird.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (sqlite.test(body)) + { + sqlite.lastIndex = 0 + var foundsqlite = [] + while (comm = sqlite.exec(body)) + { + foundsqlite.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[1], alertTitle[8], alertDesc[8], url, '', '', foundsqlite.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (sapdb.test(body)) + { + sapdb.lastIndex = 0 + var foundsapdb = [] + while (comm = sapdb.exec(body)) + { + foundsapdb.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[9], alertDesc[9], url, '', '', foundsapdb.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (sybase.test(body)) + { + sybase.lastIndex = 0 + var foundsybase = [] + while (comm = sybase.exec(body)) + { + foundsybase.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[10], alertDesc[10], url, '', '', foundsybase.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (ingress.test(body)) + { + ingress.lastIndex = 0 + var foundingress = [] + while (comm = ingress.exec(body)) + { + foundingress.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[11], alertDesc[11], url, '', '', foundingress.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + 
} + if (frontbase.test(body)) + { + frontbase.lastIndex = 0 + var foundfrontbase = [] + while (comm = frontbase.exec(body)) + { + foundfrontbase.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[12], alertDesc[12], url, '', '', foundfrontbase.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (hsqldb.test(body)) + { + hsqldb.lastIndex = 0 + var foundhsqldb = [] + while (comm = hsqldb.exec(body)) + { + foundhsqldb.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[13], alertDesc[13], url, '', '', foundhsqldb.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } +} diff --git a/passive/ShellFileDiscovery.js b/passive/ShellFileDiscovery.js new file mode 100644 index 00000000..7eff3491 --- /dev/null +++ b/passive/ShellFileDiscovery.js 
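Review bot: The user-facing text in `alertSolution` ("…or don't. I don't care.") is what the application owner reads in the scan report; it should carry the actual remediation, e.g. `var alertSolution = ["Do not return raw database error messages to clients: catch exceptions server-side and return a generic error page, and use parameterised queries so untrusted input never reaches the SQL parser.", ""]`. What these patterns detect is a database error string in a response body — an information-disclosure indicator, not a confirmed injection — and a documentation or forum page quoting `ORA-00933` or `Warning: mysql_` will trigger it just as well, so raising every match at `alertRisk[3]` (High) with medium confidence overstates it; Medium risk fits the evidence better. The unbounded `.*` in patterns such as `Warning.*mysql_.*` and `Exception.*Informix` also means the evidence captured in `comm[0]` can be an entire line of minified content rather than the error message; a bounded lazy form like `.{0,200}?` keeps the evidence readable.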
@@ -0,0 +1,71 @@
+// Lazily crafted by Anthony Cozamanis - kurobeats@yahoo.co.jp
+
+function scan(ps, msg, src)
+{
+ var url = msg.getRequestHeader().getURI().toString();
+ var body = msg.getResponseBody().toString()
+ var alertRisk = [0,1,2,3,4] //1=informational, 2=low, 3=medium, 4=high
+ var alertConfidence = [0,1,2,3,4] //0=fp,1=low,2=medium,3=high,4=confirmed
+ var alertTitle = ["Shell command history file Disclosed (script)",
+ "Shell configuration file Disclosed (script)",
+ "Shell profile configuration file Disclosed (script)",
+ "Shell command alias configuration file Disclosed (script)",
+ ""]
+ var alertDesc = ["A Shell command history file was discovered.",
+ "A Shell configuration file was discovered.",
+ "A Shell profile configuration file was discovered.",
+ "A Shell command alias configuration file was discovered.",
+ ""]
+ var alertSolution = ["Store Shell files in a secure location.",
+ ""]
+ var cweId = [0,1]
+ var wascId = [0,1]
+
+ var shellhistory = /(\.?(bash_|sh_|z)+history)/g
+ var shellconfig = /(\.?(bash|zsh|csh)rc)/g
+ var shellprofile = /(\.?(bash_)+profile)/g
+ var shellalias = /(\.?(bash_)+aliases)/g
+
+ if (shellhistory.test(body))
+ {
+ shellhistory.lastIndex = 0
+ var foundshellhistory = []
+ var comm
+ while (comm = shellhistory.exec(body))
+ {
+ foundshellhistory.push(comm[0]);
+ }
+ ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[0], alertDesc[0], url, '', '', foundshellhistory.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+
+ if (shellconfig.test(body))
+ {
+ shellconfig.lastIndex = 0
+ var foundshellconfig = []
+ while (comm = shellconfig.exec(body))
+ {
+ foundshellconfig.push(comm[0]);
+ }
+ ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[1], alertDesc[1], url, '', '', foundshellconfig.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+ if (shellprofile.test(body))
+ {
+ shellprofile.lastIndex = 0
+ var foundshellprofile = []
+ while (comm = shellprofile.exec(body))
+ {
+ foundshellprofile.push(comm[0]);
+ }
+ ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[2], alertDesc[2], url, '', '', foundshellprofile.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+ if (shellalias.test(body))
+ {
+ shellalias.lastIndex = 0
+ var foundshellalias = []
+ while (comm = shellalias.exec(body))
+ {
+ foundshellalias.push(comm[0]);
+ }
+ ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[3], alertDesc[3], url, '', '', foundshellalias.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+}
diff --git a/passive/SocialNetworkSecretsDiscovery.js b/passive/SocialNetworkSecretsDiscovery.js
new file mode 100644
index 00000000..92c16c90
--- /dev/null
+++ b/passive/SocialNetworkSecretsDiscovery.js
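Review bot: Every pattern here matches a bare file-name token anywhere in the body — `\.?` makes the dot optional, so the word `bashrc` or `zshrc` in an article, a changelog or a JavaScript bundle raises a High-risk "file Disclosed" alert, while nothing checks that the response actually is such a file. A file-name mention is at most Informational; what would justify High is shell content in the body (`export PATH=`, `alias `, `HISTSIZE=`) or a request URL ending in the name. At minimum require the leading dot and a path-like context and drop the risk, e.g. `var shellconfig = /((?:^|[\/~\s"'])\.(?:bash|zsh|csh)rc)\b/gm` with `alertRisk[1]`. Note also that `(bash_|sh_|z)+` and `(bash_)+` repeat the group, so `bash_sh_history` or `bash_bash_profile` match as well — the `+` is not needed.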
@@ -0,0 +1,150 @@ +// Lazily crafted by Anthony Cozamanis - kurobeats@yahoo.co.jp + +function scan(ps, msg, src) +{ + var url = msg.getRequestHeader().getURI().toString(); + var body = msg.getResponseBody().toString() + var alertRisk = [0,1,2,3,4] //1=informational, 2=low, 3=medium, 4=high + var alertConfidence = [0,1,2,3,4] //0=fp,1=low,2=medium,3=high,4=confirmed + var alertTitle = ["Facebook Secret Key Disclosed (script)", + "Facebook Client ID Disclosed (script)", + "Twitter Secret Key Disclosed (script)", + "Twitter Client ID Disclosed (script)", + "Twitter Access Token Disclosed (script)", + "Twitter OAuth Disclosed (script)", + "Linkedin Client ID Disclosed (script)", + "LinkedIn Secret Key Disclosed (script)", + "Facebook OAuth Disclosed (script)", + "Facebook access token Disclosed (script)", + ""] + var alertDesc = ["A Facebook Secret Key was discovered.", + "A Facebook Client ID was discovered.", + "A Twitter Secret Key was discovered.", + "A Twitter Client ID was discovered.", + "A Twitter Access Token was discovered.", + "A Twitter OAuth was discovered.", + "A Linkedin Client ID was discovered.", + "A LinkedIn Secret Key was discovered.", + "A Facebook OAuth was discovered.", + "A Facebook access token was discovered.", + ""] + var alertSolution = ["Ensure tokens and keys that are publically accessible are not sensitive in nature.", + ""] + var cweId = [0,1] + var wascId = [0,1] + + var fbsecretkey = /((\i)(facebook|fb)(.{0,20})?(\-i)['\"][0-9a-f]{32}['\"])/g + var fbclientid = /((\i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"])/g + var twsecretkey = /((\i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"])/g + var twclientid = /((\i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"])/g + var twaccesstoken = /([t|T][w|W][i|I][t|T][t|T][e|E][r|R].*[1-9][0-9]+-[0-9a-zA-Z]{40})/g + var twoauth = /([t|T][w|W][i|I][t|T][t|T][e|E][r|R].*['|\"][0-9a-zA-Z]{35,44}['|\"])/g + var lkdinclientid = /((\i)linkedin(.{0,20})?(\-i)['\"][0-9a-z]{12}['\"])/g + var lkdinsecretkey = 
/((\i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"])/g + var fboauth = /([f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].*['|\"][0-9a-f]{32}['|\"])/g + var fbaccesstoken = /(EAACEdEose0cBA[0-9A-Za-z]+)/g + + if (fbsecretkey.test(body)) + { + fbsecretkey.lastIndex = 0 + var foundfbsecretkey = [] + var comm + while (comm = fbsecretkey.exec(body)) + { + foundfbsecretkey.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[0], alertDesc[0], url, '', '', foundfbsecretkey.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + + if (fbclientid.test(body)) + { + fbclientid.lastIndex = 0 + var foundfbclientid = [] + while (comm = fbclientid.exec(body)) + { + foundfbclientid.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[1], alertDesc[1], url, '', '', foundfbclientid.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (twsecretkey.test(body)) + { + twsecretkey.lastIndex = 0 + var foundtwsecretkey = [] + while (comm = twsecretkey.exec(body)) + { + foundtwsecretkey.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[2], alertDesc[2], url, '', '', foundtwsecretkey.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (twclientid.test(body)) + { + twclientid.lastIndex = 0 + var foundtwclientid = [] + while (comm = twclientid.exec(body)) + { + foundtwclientid.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[3], alertDesc[3], url, '', '', foundtwclientid.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + + if (twaccesstoken.test(body)) + { + twaccesstoken.lastIndex = 0 + var foundtwaccesstoken = [] + while (comm = twaccesstoken.exec(body)) + { + foundtwaccesstoken.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[4], alertDesc[4], url, '', '', foundtwaccesstoken.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (twoauth.test(body)) + { + twoauth.lastIndex = 0 + var 
foundtwoauth = [] + while (comm = twoauth.exec(body)) + { + foundtwoauth.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[5], alertDesc[5], url, '', '', foundtwoauth.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (lkdinclientid.test(body)) + { + lkdinclientid.lastIndex = 0 + var foundlkdinclientid = [] + while (comm = lkdinclientid.exec(body)) + { + foundlkdinclientid.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[6], alertDesc[6], url, '', '', foundlkdinclientid.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (lkdinsecretkey.test(body)) + { + lkdinsecretkey.lastIndex = 0 + var foundlkdinsecretkey = [] + while (comm = lkdinsecretkey.exec(body)) + { + foundlkdinsecretkey.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[7], alertDesc[7], url, '', '', foundlkdinsecretkey.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (fboauth.test(body)) + { + fboauth.lastIndex = 0 + var foundfboauth = [] + while (comm = fboauth.exec(body)) + { + foundfboauth.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[8], alertDesc[8], url, '', '', foundfboauth.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (fbaccesstoken.test(body)) + { + fbaccesstoken.lastIndex = 0 + var foundfbaccesstoken = [] + while (comm = fbaccesstoken.exec(body)) + { + foundfbaccesstoken.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[9], alertDesc[9], url, '', '', foundfbaccesstoken.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } +} diff --git a/passive/URLEncodedStringDiscovery.js b/passive/URLEncodedStringDiscovery.js new file mode 100644 index 00000000..ae11e65a --- /dev/null +++ b/passive/URLEncodedStringDiscovery.js 
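Review bot: Six of the patterns — `fbsecretkey`, `fbclientid`, `twsecretkey`, `twclientid`, `lkdinclientid`, `lkdinsecretkey` — contain `(\i)` and `(\-i)`, which look like the inline flags `(?i)`/`(?-i)` of the PCRE-style source these were copied from; in an ECMAScript regex without the `u` flag `\i` is just the letter `i` and `\-i` the literal `-i`, so `fbsecretkey` only fires on a body containing `ifacebook…-i"…"` and in practice these six detectors never match a real key. Drop the bogus groups and put the `i` flag on the whole pattern instead, as below. The `i` flag also makes the hex/alphanumeric key class case-insensitive, which is slightly wider than the `(?-i)` the original intended; if that matters, spell the keyword out as `[fF][aA][cC]…` the way `fboauth` already does. The remaining patterns and the alert loops are untouched.
```javascript
    // … unchanged: url, body and the alert tables …
    var fbsecretkey = /((facebook|fb)(.{0,20})?['\"][0-9a-f]{32}['\"])/gi
    var fbclientid = /((facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"])/gi
    var twsecretkey = /(twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"])/gi
    var twclientid = /(twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"])/gi
    // … unchanged: twaccesstoken, twoauth …
    var lkdinclientid = /(linkedin(.{0,20})?['\"][0-9a-z]{12}['\"])/gi
    var lkdinsecretkey = /(linkedin(.{0,20})?['\"][0-9a-z]{16}['\"])/gi
    // … unchanged: fboauth, fbaccesstoken and the raiseAlert loops …
```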
@@ -0,0 +1,44 @@
+// This community script will analyze the response for URL encoded strings
+
+function scan(ps, msg, src) {
+ var RESULT_PER_FINDING = new Boolean(0) // If you want to see results on a per comment basis (i.e.: A single URL may be listed more than once), set this to true (1)
+ var RESULT_PER_URL = new Boolean(1) // If you want to see results on a per URL basis (i.e.: all comments for a single URL will be grouped together), set this to true (1)
+
+
+ var alertRisk = 0
+ var alertConfidence = 1
+ var alertTitle = 'URL-encoded string found (script)'
+ var alertDesc = "A URL-encoded string has been found in the HTTP response body. URL-encoded data may contain sensitive information which should be further inspected."
+ var alertSolution = 'URL-encoding is used for all sorts of things. It is worth investigating and decoding.'
+ var cweId = 0
+ var wascId = 0
+ var url = msg.getRequestHeader().getURI().toString();
+ var re = /(^[%A-Fa-f0-9]{2}+$)/g
+
+ var contenttype = msg.getResponseHeader().getHeader("Content-Type")
+ var unwantedfiletypes = ['image/png', 'image/jpeg','image/gif','application/x-shockwave-flash']
+
+ if (unwantedfiletypes.indexOf(""+contenttype) >= 0) {
+ // skip scan if unwanted filetypes are found
+ return
+ }else{
+ var body = msg.getResponseBody().toString()
+ if (re.test(body)) {
+ re.lastIndex = 0
+ var foundstrings = []
+ var counter=0
+ var comm
+ while (comm = re.exec(body)) {
+ if (RESULT_PER_FINDING == true) {
+ counter = counter+1;
+ ps.raiseAlert(alertRisk, alertConfidence, alertTitle, alertDesc, url, 'fakeparam'+counter, '', comm[0], alertSolution,'' , cweId, wascId, msg);
+ }
+ foundstrings.push(comm[0]);
+ }
+ if (RESULT_PER_URL == true)
+ {
+ ps.raiseAlert(alertRisk, alertConfidence, alertTitle, alertDesc, url, '', '', foundstrings.toString(), alertSolution,'' , cweId, wascId, msg);
+ }
+ }
+ }
+}
diff --git a/passive/UploadFormDiscovery.js b/passive/UploadFormDiscovery.js
new file mode 100644
index 00000000..3c759e63
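Review bot: The pattern on the `var re = /(^[%A-Fa-f0-9]{2}+$)/g` line is not a valid ECMAScript regular expression — a quantifier directly following `{2}` is rejected with "Nothing to repeat" — and because regex literals are compiled when the script is parsed, the whole script fails to load rather than merely missing matches. Even with the stray `+` removed, `^…$` without the `m` flag only matches when the entire body is a single two-character token, and `[%A-Fa-f0-9]` accepts plain hex digits with no percent sign at all. What the description promises is "URL-encoded strings in the body", which is `var re = /((?:%[A-Fa-f0-9]{2})+)/g`. Separately, the `RESULT_PER_FINDING == true` comparisons only work because `new Boolean(0)` happens to coerce through `valueOf`; plain `false`/`true` literals would say what is meant.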
--- /dev/null
+++ b/passive/UploadFormDiscovery.js
@@ -0,0 +1,28 @@
+// Lazily crafted by Anthony Cozamanis - kurobeats@yahoo.co.jp
+
+function scan(ps, msg, src)
+{
+ var url = msg.getRequestHeader().getURI().toString();
+ var body = msg.getResponseBody().toString()
+ var alertRisk = [0,1,2,3,4] // risk: 0: info, 1: low, 2: medium, 3: high
+ var alertConfidence = [0,1,2,3,4] // confidence: 0: falsePositive, 1: low, 2: medium, 3: high, 4: confirmed
+ var alertTitle = ["An upload form appeared! (script)",""]
+ var alertDesc = ["An upload form exists. This isn't an issue, but it could be a lot of fun! Go check it out!.",""]
+ var alertSolution = ["This isn't an issue, but it could be a lot of fun!",""]
+ var cweId = [0,1]
+ var wascId = [0,1]
+
+ var uploadForm = /(type\s*=\s*['"]?file['"]?)/g
+
+ if (uploadForm.test(body))
+ {
+ uploadForm.lastIndex = 0
+ var founduploadForm = []
+ var comm
+ while (comm = uploadForm.exec(body))
+ {
+ founduploadForm.push(comm[0]);
+ }
+ ps.raiseAlert(alertRisk[0], alertConfidence[2], alertTitle[0], alertDesc[0], url, '', '', founduploadForm.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+}
diff --git a/passive/WebserverInterestingThingDiscovery.js b/passive/WebserverInterestingThingDiscovery.js
new file mode 100644
index 00000000..c843b96b
--- /dev/null
+++ b/passive/WebserverInterestingThingDiscovery.js
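Review bot: `uploadForm` matches `type=file` in any context — a `?type=file` query string echoed in a link or a `{type='file'}` literal in a script — not only an HTML file input, and it is case-sensitive so `TYPE="FILE"` is missed; anchoring to the element and adding `i` keeps the hit meaningful: `var uploadForm = /(<input[^>]*type\s*=\s*['"]?file['"]?)/gi`. The alert text ("could be a lot of fun! Go check it out!.") is read by the application owner in the report and should say what was found and why it matters, e.g. desc `"An HTML file-upload input was found. Upload handlers are a frequent source of unrestricted-file-upload issues and should be tested for type, size and content validation."` and solution `"Validate uploaded file type, size and content server-side, store uploads outside the web root, and never serve or execute them under a user-controlled name."`. Informational risk (`alertRisk[0]`) is the right level for what is only a pointer to manual testing.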
@@ -0,0 +1,228 @@ +// Lazily crafted by Anthony Cozamanis - kurobeats@yahoo.co.jp + +function scan(ps, msg, src) +{ + var url = msg.getRequestHeader().getURI().toString(); + var body = msg.getResponseBody().toString() + var alertRisk = [0,1,2,3,4] //1=informational, 2=low, 3=medium, 4=high + var alertConfidence = [0,1,2,3,4] //0=fp,1=low,2=medium,3=high,4=confirmed + var alertTitle = ["Authorization Bearer Token (script)", + "Authorization Basic (script)", + "Rails master key Disclosed (script)", + "Ruby on rails secrets.yml file Disclosed (script)", + "Jetbrains credentials file Disclosed (script)", + "PHP configuration file Disclosed (script)", + "Apache htpasswd file Disclosed (script)", + "Docker configuration file Disclosed (script)", + "NPM configuration file Disclosed (script)", + "esmtp Configuration Disclosed (script)", + "Atom sftp-deployment Config file Disclosed (script)", + "Atom remote-sync Config file Disclosed (script)", + "WP-Config file Disclosed (script)", + "VSCode vscode-sftp file Disclosed (script)", + "Docker registry authentication file Disclosed (script)", + "SFTP connection configuration file Disclosed (script)", + ""] + var alertDesc = ["An Authorization Bearer Token was discovered.", + "Authorization Basic was discovered.", + "A Rails master key was discovered.", + "A Ruby on rails secrets.yml file was discovered.", + "A Jetbrains credentials file was discovered.", + "A PHP configuration file was discovered.", + "An Apache htpasswd file was discovered.", + "A Docker configuration file was discovered.", + "A NPM configuration file was discovered.", + "An esmtp Configuration was discovered.", + "An Atom sftp-deployment Config file was discovered.", + "An Atom remote-sync Config file was discovered.", + "A WP-Config file was discovered.", + "A VSCode vscode-sftp file was discovered.", + "A Docker registry authentication file was discovered.", + "An SFTP connection configuration file was discovered.", + ""] + var alertSolution = ["There 
might not be an issue here but it's worth checking out. This script finds a few things.", + ""] + var cweId = [0,1] + var wascId = [0,1] + + var authbtoken = /(Bearer\s[\d|a-f]{8}-([\d|a-f]{4}-){3}[\d|a-f]{12}|Bearer\s[A-Za-z0-9\-_=]+\.[A-Za-z0-9\-_=]+(\.[A-Za-z0-9\-_.+/=]+)?)/g + var authbasictoken = /(Basic\s[a-zA-Z0-9+\/]+\=*)/g + var railsmkey = /(ruby\/config\/master\.key)/g + var rubysfile = /(web\/ruby\/secrets\.yml)/g + var jbrainsxml = /(\.?idea\/WebServers\.xml)/g + var phpconfigfile = /(config(\.inc)?\.php)/g + var htpasswdfile = /(\.?htpasswd)/g + var dockerconfigfile = /(\.?dockercfg)/g + var npmconfig = /(\.?npmrc)/g + var esmtpconfig = /(\.esmtprc)/g + var atomsftpdeployment = /((deployment-config(\.json)?|\.ftpconfig))/g + var atomsremotesync = /(\.remote-sync.json)/g + var wpconfigfile = /(define(.{0,20})?(DB_CHARSET|NONCE_SALT|LOGGED_IN_SALT|AUTH_SALT|NONCE_KEY|DB_HOST|DB_PASSWORD|AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|DB_NAME|DB_USER)(.{0,20})?['|\"].{10,120}['|\"]")/g + var vscodesftpfile = /(\.?vscode\/sftp\.json)/g + var dockerregistryauth = /(\.?docker\/config\.json)/g + var sftpconfig = /(sftp-config(\.json)?)/g + + if (authbtoken.test(body)) + { + authbtoken.lastIndex = 0 + var foundauthbtoken = [] + var comm + while (comm = authbtoken.exec(body)) + { + foundauthbtoken.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[0], alertDesc[0], url, '', '', foundauthbtoken.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + + if (authbasictoken.test(body)) + { + authbasictoken.lastIndex = 0 + var foundauthbasictoken = [] + while (comm = authbasictoken.exec(body)) + { + foundauthbasictoken.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[1], alertDesc[1], url, '', '', foundauthbasictoken.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (railsmkey.test(body)) + { + railsmkey.lastIndex = 0 + var foundrailsmkey = [] + while (comm = railsmkey.exec(body)) + { 
+ foundrailsmkey.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[2], alertDesc[2], url, '', '', foundrailsmkey.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (rubysfile.test(body)) + { + rubysfile.lastIndex = 0 + var foundrubysfile = [] + while (comm = rubysfile.exec(body)) + { + foundrubysfile.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[3], alertDesc[3], url, '', '', foundrubysfile.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + + if (jbrainsxml.test(body)) + { + jbrainsxml.lastIndex = 0 + var foundjbrainsxml = [] + while (comm = jbrainsxml.exec(body)) + { + foundjbrainsxml.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[4], alertDesc[4], url, '', '', foundjbrainsxml.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (phpconfigfile.test(body)) + { + phpconfigfile.lastIndex = 0 + var foundphpconfigfile = [] + while (comm = phpconfigfile.exec(body)) + { + foundphpconfigfile.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[5], alertDesc[5], url, '', '', foundphpconfigfile.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (htpasswdfile.test(body)) + { + htpasswdfile.lastIndex = 0 + var foundhtpasswdfile = [] + while (comm = htpasswdfile.exec(body)) + { + foundhtpasswdfile.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[6], alertDesc[6], url, '', '', foundhtpasswdfile.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (dockerconfigfile.test(body)) + { + dockerconfigfile.lastIndex = 0 + var founddockerconfigfile = [] + while (comm = dockerconfigfile.exec(body)) + { + founddockerconfigfile.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[7], alertDesc[7], url, '', '', founddockerconfigfile.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (npmconfig.test(body)) + 
{ + npmconfig.lastIndex = 0 + var foundnpmconfig = [] + while (comm = npmconfig.exec(body)) + { + foundnpmconfig.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[1], alertTitle[8], alertDesc[8], url, '', '', foundnpmconfig.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (esmtpconfig.test(body)) + { + esmtpconfig.lastIndex = 0 + var foundesmtpconfig = [] + while (comm = esmtpconfig.exec(body)) + { + foundesmtpconfig.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[9], alertDesc[9], url, '', '', foundesmtpconfig.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (atomsftpdeployment.test(body)) + { + atomsftpdeployment.lastIndex = 0 + var foundatomsftpdeployment = [] + while (comm = atomsftpdeployment.exec(body)) + { + foundatomsftpdeployment.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[10], alertDesc[10], url, '', '', foundatomsftpdeployment.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (atomsremotesync.test(body)) + { + atomsremotesync.lastIndex = 0 + var foundatomsremotesync = [] + while (comm = atomsremotesync.exec(body)) + { + foundatomsremotesync.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[11], alertDesc[11], url, '', '', foundatomsremotesync.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (wpconfigfile.test(body)) + { + wpconfigfile.lastIndex = 0 + var foundwpconfigfile = [] + while (comm = wpconfigfile.exec(body)) + { + foundwpconfigfile.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[12], alertDesc[12], url, '', '', foundwpconfigfile.toString(), alertSolution[0], '', cweId[0], wascId[0], msg); + } + if (vscodesftpfile.test(body)) + { + vscodesftpfile.lastIndex = 0 + var foundvscodesftpfile = [] + while (comm = vscodesftpfile.exec(body)) + { + foundvscodesftpfile.push(comm[0]); + } + ps.raiseAlert(alertRisk[3], 
alertConfidence[2], alertTitle[13], alertDesc[13], url, '', '', foundvscodesftpfile.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+ if (dockerregistryauth.test(body))
+ {
+ dockerregistryauth.lastIndex = 0
+ var founddockerregistryauth = []
+ while (comm = dockerregistryauth.exec(body))
+ {
+ founddockerregistryauth.push(comm[0]);
+ }
+ ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[14], alertDesc[14], url, '', '', founddockerregistryauth.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+ if (sftpconfig.test(body))
+ {
+ sftpconfig.lastIndex = 0
+ var foundsftpconfig = []
+ while (comm = sftpconfig.exec(body))
+ {
+ foundsftpconfig.push(comm[0]);
+ }
+ ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[15], alertDesc[15], url, '', '', foundsftpconfig.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+ }
+}
diff --git a/passive/find base64 strings.js b/passive/find base64 strings.js
index 5c8a3f15..6e1f2d47 100644
--- a/passive/find base64 strings.js
+++ b/passive/find base64 strings.js
@@ -15,7 +15,7 @@ function scan(ps, msg, src) {
 var cweId = 0
 var wascId = 0
 var url = msg.getRequestHeader().getURI().toString();
- var re = /([A-Za-z0-9+\/]{15,}=+)/g
+ var re = /(^[A-Za-z0-9+/]*={0,2}$)/g
 var contenttype = msg.getResponseHeader().getHeader("Content-Type")
 var unwantedfiletypes = ['image/png', 'image/jpeg','image/gif','application/x-shockwave-flash']
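Review bot: The `wpconfigfile` pattern ends in `['|\"].{10,120}['|\"]")` — there is a stray `"` after the closing quote class, so a match needs two quote characters in a row and an ordinary `define('DB_PASSWORD', 'secret');` line is never reported; the intended tail is `['\"].{10,120}['\"])`. (`['|\"]` also admits a literal `|` as a quote delimiter in several of these patterns; `['\"]` is what is meant.) At the other extreme, `authbasictoken = /(Basic\s[a-zA-Z0-9+\/]+\=*)/g` raises High risk on the words "Basic Authentication" or "Basic usage" in any page text, and `config.php` or `.npmrc` appearing in a link does the same; for the Basic case I would base64-decode the captured token and only raise `alertRisk[3]` when the result contains a `user:password` colon, and the bare file-name patterns deserve `alertRisk[0]` as `UploadFormDiscovery.js` uses rather than High.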
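Review bot: The replacement regex `/(^[A-Za-z0-9+/]*={0,2}$)/g` uses `^`/`$` without the `m` flag, so it only matches when the entire response body is one base64 token with no newline — for ordinary HTML or JavaScript responses this commit switches the detector off rather than tightening it. Worse, `*` lets it match the empty string, so an empty body (204, HEAD, redirect) passes `re.test(body)`, and if the `exec` loop that follows (outside this hunk, the same shape as in `URLEncodedStringDiscovery.js`) is unchanged, a global regex returning an empty match never advances `lastIndex` and `while (comm = re.exec(body))` never terminates. If the intent was to accept only well-formed base64, keep the match unanchored and require whole quads plus optional padding: `var re = /((?:[A-Za-z0-9+\/]{4}){4,}(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?)/g`. The enclosing `scan` function starts and ends outside this hunk.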