From 590b2a5f9f6d9e8cc1fbd0615612c64058b65853 Mon Sep 17 00:00:00 2001
From: _ <36057926+LabMC@users.noreply.github.com>
Date: Wed, 17 Jul 2024 13:45:44 -0500
Subject: [PATCH] Create client_secret.bcheck

Added .bcheck file.
---
 other/APIs/client_secret.bcheck | 63 +++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 other/APIs/client_secret.bcheck

diff --git a/other/APIs/client_secret.bcheck b/other/APIs/client_secret.bcheck
new file mode 100644
index 0000000..311ef0b
--- /dev/null
+++ b/other/APIs/client_secret.bcheck
@@ -0,0 +1,63 @@
+metadata:
+ language: v2-beta
+ name: "Use of Known API Variable"
+ description: "This BCheck looks for known API variables (client_secret, client_id, refresh_token, & APIKey)."
+ author: "Kyle Gilligan"
+ tags: "passive", "API", "client_secret", "client_id", "ApiKey"
+
+define:
+ # Issue details (for discovery of insecure API variables) as individual string texts.
+ issueDetail1 = `A known sensitive API parameter has been discovered within a front-end file of this web`
+ issueDetail1a = `application.`
+ issueDetail1FULL = `{issueDetail1} {issueDetail1a}`
+ iD_clientSecret1 = `\n • client_secret: This OAuth variable is used to authenticate applications towards`
+ iD_clientSecret2 = `an intended authorization server. Essentially the 'password' of API authorization.`
+ iD_clientSecret3 = `If a user finds both an API's client_id & client_secret, they may be able to access an`
+ iD_clientSecret4 = `endpoint's resources by impersonating the application.`
+ iD_clientSecretFULL = `{iD_clientSecret1} {iD_clientSecret2} {iD_clientSecret3} {iD_clientSecret4}`
+ iD_refreshToken1 = `\n • refresh_token: Secret variables used by an application to request new access`
+ iD_refreshToken2 = `tokens for an API.`
+ iD_refreshTokenFULL = `{iD_refreshToken1} {iD_refreshToken2}`
+ iD_apiKey1 = `\n • api_key: An API Key acts as a secret identifier token used to provide identification`
+ iD_apiKey2 = `for an application when using a target API.`
+ iD_apiKeyFULL = `{iD_apiKey1} {iD_apiKey2}`
+ issueRemediation1 = `Unless impossible to remove based on application requirements, these API parameters`
+ issueRemediation1a = `should never list their values within front-end files.`
+ issueRemediation1FULL = `{issueRemediation1} {issueRemediation1a}`
+ # Issue details (for discovery of known non-sensitive API variables) as individual string texts.
+ issueDetail2FULL = `A known API parameter has been discovered within a front-end file of this web application.`
+ iD_clientId1 = `\n • client_id: This OAuth variable is used to authenticate applications towards an`
+ iD_clientId2 = `intended authorization server. Essentially the 'username' of API authorization. If a user`
+ iD_clientId3 = `finds both an API's client_id & client_secret, they may be able to access an endpoint's`
+ iD_clientId4 = `resources by impersonating the application.`
+ iD_clientIdFULL = `{iD_clientId1} {iD_clientId2} {iD_clientId3} {iD_clientId4}`
+ issueRemediation2 = `Unless impossible to remove based on application requirements, it becomes recommended`
+ issueRemediation2a = `for this API parameter's value to not be listed in a front-end file.`
+ issueRemediation2FULL = `{issueRemediation2} {issueRemediation2a}`
+
+given response then
+ # Nesting several if statements becomes necessary to quickly reduce checks for FPs.
+
+ # This check ensures that only notable 200s HTTP responses appear present in the HTTP response.
+ if ({latest.response.status_code} matches "(200|204|206)") then
+
+ # This check ensures that unacceptable MIME types get ignored to reduce false positives.
+ if not({latest.response.headers} matches "(Content-Type: image/)") then
+
+ if ({latest.response} matches "(?i)(client[-_]?secret|api[-_]?key|refresh[-_]?token)(:| :|=| =)") then
+ report issue:
+ severity: medium
+ confidence: firm
+ detail: `{issueDetail1FULL}{iD_clientSecretFULL}{iD_apiKeyFULL}{iD_refreshTokenFULL}`
+ remediation: `{issueRemediation1FULL}`
+
+ else if ({latest.response} matches "(?i)client[-_]?id(:| :|=| =)") then
+ report issue:
+ severity: info
+ confidence: firm
+ detail: `{issueDetail2FULL}{iD_clientIdFULL}`
+ remediation: `{issueRemediation2FULL}`
+
+ end if
+ end if
+ end if
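Review bot: The image exclusion in the middle `if` is case-sensitive, so a header written as `content-type: image/png` (the form HTTP/2 traffic arrives in, and valid in HTTP/1.1 since header names are case-insensitive) is not excluded and the secret regex then runs over binary bodies; `if not({latest.response.headers} matches "(?i)content-type:\s*(image|font|video|audio)/") then` closes that gap and also drops other binary types that cannot be front-end source. The innermost regex matches only a parameter name followed by `:` or `=`, so a script that builds a token request (`"client_secret=" + cfg.secret`) or an OAuth token endpoint's JSON reply, which legitimately contains `"refresh_token":`, is reported as medium/firm although no secret value is present in the response; requiring a value-shaped token after the separator, e.g. `"(?i)(client[-_]?secret|api[-_]?key|refresh[-_]?token)\s*[:=]\s*['\"]?[A-Za-z0-9_.-]{8,}"` (quote escaping per the BCheck string syntax), or lowering `confidence: firm` to `tentative` for the name-only match, would better justify the severity. Listing 204 in the status-code check contributes nothing, since a 204 carries no body to match. The detail text also names all three sensitive patterns whichever one actually matched, which is worth a comment such as `# detail covers every sensitive pattern; the matched one is visible in the highlighted response` so triagers are not misled.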