-
Notifications
You must be signed in to change notification settings - Fork 110
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added .bcheck file.
- Loading branch information
Showing
1 changed file
with
63 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| metadata: | ||
| language: v2-beta | ||
| name: "Use of Known API Variable" | ||
| description: "This BCheck looks for known API variables (client_secret, client_id, refresh_token, & APIKey)." | ||
| author: "Kyle Gilligan" | ||
| tags: "passive", "API", "client_secret", "client_id", "ApiKey" | ||
|
|
||
| define: | ||
| # Issue details (for discovery of insecure API variables) as individual string texts. | ||
| issueDetail1 = `A known sensitive API parameter has been discovered within a front-end file of this web` | ||
| issueDetail1a = `application.` | ||
| issueDetail1FULL = `{issueDetail1} {issueDetail1a}` | ||
| iD_clientSecret1 = `\n • client_secret: This OAuth variable is used to authenticate applications towards` | ||
| iD_clientSecret2 = `an intended authorization server. Essentially the 'password' of API authorization.` | ||
| iD_clientSecret3 = `If a user finds both an API's client_id & client_secret, they may be able to access an` | ||
| iD_clientSecret4 = `endpoint's resources by impersonating the application.` | ||
| iD_clientSecretFULL = `{iD_clientSecret1} {iD_clientSecret2} {iD_clientSecret3} {iD_clientSecret4}` | ||
| iD_refreshToken1 = `\n • refresh_token: Secret variables used by an application to request new access` | ||
| iD_refreshToken2 = `tokens for an API.` | ||
| iD_refreshTokenFULL = `{iD_refreshToken1} {iD_refreshToken2}` | ||
| iD_apiKey1 = `\n • api_key: An API Key acts as a secret identifier token used to provide identification` | ||
| iD_apiKey2 = `for an application when using a target API.` | ||
| iD_apiKeyFULL = `{iD_apiKey1} {iD_apiKey2}` | ||
| issueRemediation1 = `Unless impossible to remove based on application requirements, these API parameters` | ||
| issueRemediation1a = `should never list their values within front-end files.` | ||
| issueRemediation1FULL = `{issueRemediation1} {issueRemediation1a}` | ||
| # Issue details (for discovery of known non-sensitive API variables) as individual string texts. | ||
| issueDetail2FULL = `A known API parameter has been discovered within a front-end file of this web application.` | ||
| iD_clientId1 = `\n • client_id: This OAuth variable is used to authenticate applications towards an` | ||
| iD_clientId2 = `intended authorization server. Essentially the 'username' of API authorization. If a user` | ||
| iD_clientId3 = `finds both an API's client_id & client_secret, they may be able to access an endpoint's` | ||
| iD_clientId4 = `resources by impersonating the application.` | ||
| iD_clientIdFULL = `{iD_clientId1} {iD_clientId2} {iD_clientId3} {iD_clientId4}` | ||
| issueRemediation2 = `Unless impossible to remove based on application requirements, it becomes recommended` | ||
| issueRemediation2a = `for this API parameter's value to not be listed in a front-end file.` | ||
| issueRemediation2FULL = `{issueRemediation2} {issueRemediation2a}` | ||
|
|
||
| given response then | ||
| # Nesting several if statements becomes necessary to quickly reduce checks for FPs. | ||
|
|
||
| # This check ensures that only notable 200s HTTP responses appear present in the HTTP response. | ||
| if ({latest.response.status_code} matches "(200|204|206)") then | ||
|
|
||
| # This check ensures that unacceptable MIME types get ignored to reduce false positives. | ||
| if not({latest.response.headers} matches "(Content-Type: image/)") then | ||
|
|
||
| if ({latest.response} matches "(?i)(client[-_]?secret|api[-_]?key|refresh[-_]?token)(:| :|=| =)") then | ||
| report issue: | ||
| severity: medium | ||
| confidence: firm | ||
| detail: `{issueDetail1FULL}{iD_clientSecretFULL}{iD_apiKeyFULL}{iD_refreshTokenFULL}` | ||
| remediation: `{issueRemediation1FULL}` | ||
|
|
||
| else if ({latest.response} matches "(?i)client[-_]?id(:| :|=| =)") then | ||
| report issue: | ||
| severity: info | ||
| confidence: firm | ||
| detail: `{issueDetail2FULL}{iD_clientIdFULL}` | ||
| remediation: `{issueRemediation2FULL}` | ||
|
|
||
| end if | ||
| end if | ||
| end if |