Conversation

@aasthasahni9
Contributor

🧪 New Active Scan Script: Swagger Secret & Version Detector

✅ Summary

This script detects:

  • Exposed Swagger/OpenAPI documentation endpoints
  • Leaked secrets like clientSecret, access_token, api_key, authorization
  • Vulnerable Swagger UI versions:

⚙️ Technical Details

  • JavaScript-based active scan rule using ZAP scripting API
  • Metadata provided via getMetadata() for integration into ZAP scan rules
  • Uses:
    • Custom path regex filters
    • Heuristics for false-positive filtering
    • Secret redaction in evidence
  • Alert IDs:
    • 100001-1: Vulnerable Swagger UI version
    • 100001-2: Exposed secrets

🧪 Tested Against

  • Some POC sites (internally created)
  • False Positives and True Positive Scenarios

📚 References


Author: @aasthasahni9
Script file: active/swagger-secret-detector.js

@psiinon
Member

psiinon commented Jul 28, 2025

Checkmarx One – Scan Summary & Details (1af44f4f-24b0-4f15-b319-beed4b6018c9)

Great job! No new security vulnerabilities introduced in this pull request

Member

@kingthorin kingthorin left a comment

This is just a quick look

@aasthasahni9
Contributor Author

Thanks @kingthorin I will update my script based on your comments

@aasthasahni9
Contributor Author

@kingthorin I have made the suggested changes here: 97215e6

@aasthasahni9 aasthasahni9 force-pushed the add-swagger-secret-detector branch from 97215e6 to 4d7e813 on July 28, 2025 19:45
Member

@kingthorin kingthorin left a comment

Within the two main for loops it should probably check isStop() and exit. (If the user has hit stop on the scan before the rule is complete).
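An added example, not the PR's SwaggerSecretDetector.js and not kingthorin's code: the detection core the description outlines (doc-path filter, secret-key patterns, false-positive heuristics, redaction in evidence, the 100001-2 alert reference) together with the cooperative stop check requested above, reduced to plain Node so it runs without ZAP. The `fetchDoc` and `isStop` callbacks are stand-ins assumed for ZAP's `as.sendAndReceive()` and `as.isStop()`, and the sample documents are constructed.

```javascript
// Added example, not the PR's script. In the real rule fetchDoc would wrap
// as.sendAndReceive(msg) and isStop would be as.isStop() (assumed stand-ins).
const DOC_PATH_RE = /\/(swagger|openapi|api-docs)[^?#]*$/i;
const SECRET_KEYS = ["clientSecret", "access_token", "api_key", "authorization"];
// Matches both JSON ("key": "value") and YAML (key: value) forms.
const secretPattern = () =>
  new RegExp(`"?(${SECRET_KEYS.join("|")})"?\\s*[:=]\\s*"?([^"'\\s,}<]+)`, "gi");
// False-positive heuristics: schema type names, placeholders and templated values.
const PLACEHOLDER_RE = /^(string|your[_-]?|<|\{\{|\$\{|example|xxx+|changeme|\*+$)/i;
const isDocPath = (path) => DOC_PATH_RE.test(path);
function looksLikePlaceholder(key, value) {
  return value.length < 8 || value.toLowerCase() === key.toLowerCase()
    || PLACEHOLDER_RE.test(value);
}
// Evidence keeps a short prefix so the finding is traceable, never the full value.
function redact(value) {
  return value.slice(0, 4) + "*".repeat(Math.max(value.length - 4, 4));
}
function findSecrets(body) {
  const hits = [];
  const re = secretPattern();
  let m;
  while ((m = re.exec(body)) !== null) {
    const [, key, value] = m;
    if (!looksLikePlaceholder(key, value)) hits.push({ key, evidence: `${key}=${redact(value)}` });
  }
  return hits;
}
// Main loop with the cooperative stop check: leave as soon as the user hits Stop.
function scanDocs(paths, fetchDoc, isStop) {
  const alerts = [];
  for (const path of paths) {
    if (isStop()) break;
    if (!isDocPath(path)) continue;
    const body = fetchDoc(path);
    if (body === null) continue;
    for (const hit of findSecrets(body)) alerts.push({ ref: "100001-2", path, ...hit });
  }
  return alerts;
}
// Constructed sample responses (not real data), keyed by request path.
const SAMPLE_DOCS = {
  "/swagger/v1/swagger.json": '{"securityDefinitions":{"oauth2":{"clientSecret":"demo-notreal-9f8e7d6c"}}}',
  "/openapi.yaml": "components:\n  securitySchemes:\n    key:\n      api_key: string\n",
  "/index.html": "clientSecret: demo-notreal-1234abcd",
};
const fetchSample = (path) => (path in SAMPLE_DOCS ? SAMPLE_DOCS[path] : null);
console.log(scanDocs(Object.keys(SAMPLE_DOCS), fetchSample, () => false));
```

Only the swagger.json hit is reported: the YAML `api_key: string` is a schema type, and the HTML page is not a documentation path.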

@kingthorin
Member

kingthorin commented Jul 29, 2025

Re the build failure:

Run ./gradlew :spotlessApply to fix these violations.

@aasthasahni9 aasthasahni9 force-pushed the add-swagger-secret-detector branch from 4d7e813 to 117d413 on July 29, 2025 16:15
@aasthasahni9 aasthasahni9 force-pushed the add-swagger-secret-detector branch from 70e0b0f to 920664d on July 29, 2025 18:48
@aasthasahni9
Contributor Author

Re the build failure:

Run ./gradlew :spotlessApply to fix these violations.

@kingthorin this is done as well.

Aastha Sahni and others added 2 commits July 29, 2025 17:01
@aasthasahni9 aasthasahni9 force-pushed the add-swagger-secret-detector branch from 8281d5c to 0de188d on July 29, 2025 21:02
@aasthasahni9 aasthasahni9 requested a review from kingthorin July 29, 2025 21:03
@aasthasahni9 aasthasahni9 force-pushed the add-swagger-secret-detector branch from bc4d4dc to 24d9f9e on July 29, 2025 21:49
@aasthasahni9 aasthasahni9 requested a review from kingthorin July 29, 2025 21:49
@aasthasahni9
Contributor Author

@kingthorin Apologies for not cleaning up the comments, it is done now.

…nd remove extra space from file name.

Signed-off-by: Aastha Sahni <[email protected]>
@aasthasahni9 aasthasahni9 force-pushed the add-swagger-secret-detector branch from db84d56 to e8cebcf on July 30, 2025 14:31
Member

@kingthorin kingthorin left a comment

Sorry I didn't check/think of this earlier. File name should use CamelCase.ext
https://github.com/zaproxy/community-scripts/blob/main/CONTRIBUTING.md#naming-scripts

There are existing scripts that are non-conformant, we need to do a renaming pass and also figure out the plan for updating the add-on. But new stuff should conform to make life easier for everyone.

Edit: I guess it's actually Pascal Case 🤷‍♂️
https://www.freecodecamp.org/news/snake-case-vs-camel-case-vs-pascal-case-vs-kebab-case-whats-the-difference/

@aasthasahni9
Contributor Author

Sorry I didn't check/think of this earlier. File name should use CamelCase.ext https://github.com/zaproxy/community-scripts/blob/main/CONTRIBUTING.md#naming-scripts

There are existing scripts that are non-conformant, we need to do a renaming pass and also figure out the plan for updating the add-on. But new stuff should conform to make life easier for everyone.

Edit: I guess it's actually Pascal Case 🤷‍♂️ https://www.freecodecamp.org/news/snake-case-vs-camel-case-vs-pascal-case-vs-kebab-case-whats-the-difference/

@kingthorin the script has been renamed with pascal case.

@aasthasahni9 aasthasahni9 requested a review from kingthorin July 30, 2025 20:42
Member

@kingthorin kingthorin left a comment

One file should be removed.

The CHANGELOG should be updated as well. (Model based on existing entries)

@aasthasahni9
Contributor Author

aasthasahni9 commented Jul 30, 2025

One file should be removed.

The CHANGELOG should be updated as well. (Model based on existing entries)

@kingthorin Thanks for the catch, I did remove the file but don't know why it did not go in the commit. For the changelog, what else needs to be updated in addition to the active script entry?

Update: made the changes, please review.

@kingthorin
Member

That's it, just a note that it was added. The file should be straightforward. The addition just goes in the unreleased section/heading.

@aasthasahni9 aasthasahni9 requested a review from kingthorin July 30, 2025 22:01
Member

@kingthorin kingthorin left a comment

Looks good to me

@thc202 thc202 merged commit 0fd0ea9 into zaproxy:main Aug 11, 2025
9 checks passed
@thc202
Member

thc202 commented Aug 11, 2025

Thank you!

ricekot added a commit to ricekot/zap-extensions that referenced this pull request Oct 25, 2025