Add Swagger Secret & Version Detector active scan rule

[aasthasahni9]

🧪 New Active Scan Script: Swagger Secret & Version Detector

✅ Summary

This script detects:

• Exposed Swagger/OpenAPI documentation endpoints
• Leaked secrets like clientSecret, access_token, api_key, authorization
• Vulnerable Swagger UI versions:
  • v2 < 2.2.10 (CVE-2019-17495)
  • v3 < 3.24.3

⚙️ Technical Details

• JavaScript-based active scan rule using ZAP scripting API
• Metadata provided via getMetadata() for integration into ZAP scan rules
• Uses:
  • Custom path regex filters
  • Heuristics for false-positive filtering
  • Secret redaction in evidence
• Alert IDs:
  • 100001-1: Vulnerable Swagger UI version
  • 100001-2: Exposed secrets

🧪 Tested Against

• Some POC sites (internally created)
• False Positives and True Positive Scenarios

📚 References

• https://swagger.io/docs/
• https://owasp.org/www-project-api-security/
• https://nvd.nist.gov/vuln/detail/CVE-2019-17495

---

Author: @aasthasahni9
Script file: active/swagger-secret-detector.js

[psiinon]

Checkmarx One – Scan Summary & Details – 1af44f4f-24b0-4f15-b319-beed4b6018c9

Great job! No new security vulnerabilities introduced in this pull request

[kingthorin]

This is just a quick look

[aasthasahni9]

Thanks @kingthorin I will update my script based on your comments

[aasthasahni9]

@kingthorin I have made the suggested changes here: 97215e6

[kingthorin]

Within the two main for loops it should probably check isStop() and exit. (If the user has hit stop on the scan before the rule is complete).

[kingthorin]

Re the build failure:

Run ./gradlew :spotlessApply to fix these violations.

[aasthasahni9]

Re the build failure:

Run ./gradlew :spotlessApply to fix these violations.

@kingthorin this is done as well.

[aasthasahni9]

@kingthorin Apologies for not cleaning up the comments, it is done now.

[kingthorin]

Sorry I didn't check/think of this earlier. File name should use CamelCase.ext
https://github.com/zaproxy/community-scripts/blob/main/CONTRIBUTING.md#naming-scripts

There are existing scripts that are non-conformant, we need to do a renaming pass and also figure out the plan for updating the add-on. But new stuff should conform to make life easier for everyone.

Edit: I guess it's actually Pascal Case 🤷‍♂️
https://www.freecodecamp.org/news/snake-case-vs-camel-case-vs-pascal-case-vs-kebab-case-whats-the-difference/

[aasthasahni9]

Sorry I didn't check/think of this earlier. File name should use CamelCase.ext https://github.com/zaproxy/community-scripts/blob/main/CONTRIBUTING.md#naming-scripts

There are existing scripts that are non-conformant, we need to do a renaming pass and also figure out the plan for updating the add-on. But new stuff should conform to make life easier for everyone.

Edit: I guess it's actually Pascal Case 🤷‍♂️ https://www.freecodecamp.org/news/snake-case-vs-camel-case-vs-pascal-case-vs-kebab-case-whats-the-difference/

@kingthorin the script has been renamed with pascal case.

[kingthorin]

One file should be removed.

The CHANGELOG should be updated as well. (Model based on existing entries)

[aasthasahni9]

One file should be removed.

The CHANGELOG should be updated as well. (Model based on existing entries)

@kingthorin Thanks for the catch, I did remove the file but don't know why it did not go in the commit. for Change log - what else needs to be updated in addition to the active script entry?

Update: made the changes, please review.

[kingthorin]

That's it, just a note that it was added. The file should be straight forward. The addition just goes in the unreleased section/heading.

[kingthorin]

Looks good to me