Update Use-of-Unencrypted-URI-Schemes.bcheck
LabMC authored Jun 28, 2024
1 parent de1d781 commit 76328f4
Showing 1 changed file with 7 additions and 6 deletions.
13 changes: 7 additions & 6 deletions other/Use-of-Unencrypted-URI-Schemes.bcheck
@@ -11,12 +11,13 @@ metadata:
# Blacklisted File Extensions 02: .rar, .svg, .tar, .wav, .webm, .webp, .woff, .xhtml, .xml, .zip
# Blacklisted File Types: .svg, .xhtml, .ico
# Blacklisted_Hosts_01: adobe, adobedtm, bing, duckduckgo, forms.office, google, googleads, googleapis
# Blacklisted Hosts_02: `googletagmanager, gstatic, jquery, jqueryui, microsoft, microsoftonline, momentjs
# Blacklisted Hosts_02: googletagmanager, gstatic, iptc, jquery, jqueryui, microsoft, microsoftonline
# Blacklisted Hosts_03: momentjs, underscorejs
# Blacklisted Ports: 443, 587, 636, 989, 990
# Blacklisted URI Schemes: http://, ftp://, ldap://, smtp://
# Blacklisted URLs 01: www.w3, www.example, example.com, www.apache, schema, purl, 127.0., bit.ly, g.co, maps.gstatic
# Blacklisted URLs 02: polymer.github, localhost, s3.amazonaws, jquery, jqueryui, sizzlejs, momentjs, feross
# Blacklisted URLs 03: tools.ietf. google.com
# Blacklisted URLs 01: 127.0., bit.ly, example.com, feross, g.co, google.com, jquery, jqueryui, localhost,
# Blacklisted URLs 02: maps.gstatic, momentjs, polymer.github, purl, s3.amazonaws, schema, sizzlejs,
# Blacklisted URLs 03: tools.ietf. underscorejs, www.apache, www.day, www.example, www.w3

define:
# Issue details (for discovery of insecure URL schemes) as individual string texts.
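Review bot: the new `Blacklisted Hosts_02` comment lists `iptc`, but the host regex in the `given response` block below (the `{latest.response.url.host} matches` line) is not extended with it, so the metadata documents an exclusion the check never applies; either add `iptc` to that alternation or drop it from the comment. Two smaller points in the same lines: the key names are inconsistent (`Blacklisted_Hosts_01` with an underscore beside `Blacklisted Hosts_02` and `Blacklisted Hosts_03`), and `Blacklisted URLs 03` reads `tools.ietf. underscorejs`, where a comma after `tools.ietf` appears to be missing. The rewritten URL list also omits `ns.adobe.com`, which the URL regex below does exclude, so the comment still does not fully describe the check's behaviour.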
@@ -83,13 +84,13 @@ given response then
if not({latest.response.headers} matches "(Content-Type: image/)") then

# This check ensures common `Host' domains/subdomains get ignored to reduce false positives.
if not({latest.response.url.host} matches "(\b(?:(\w+):\/\/)?(?:www\.)?(adobe|adobedtm|bing|duckduckgo|forms\.office|google|googleads|googleapis|googletagmanager|gstatic|jquery|jqueryui|microsoft|microsoftonline|momentjs)(\.[a-zA-Z]{2,})?\b)") then
if not({latest.response.url.host} matches "(\b(?:(\w+):\/\/)?(?:www\.)?(adobe|adobedtm|bing|duckduckgo|forms\.office|google|googleads|googleapis|googletagmanager|gstatic|jquery|jqueryui|microsoft|microsoftonline|momentjs|underscorejs)(\.[a-zA-Z]{2,})?\b)") then

# This check aims to ensure that entire URLs are being captured rather than single lines.
# This regex includes way to ignore /* unless */ is present within 100 character.
# This regex will unfortunately still match if: /* */ /* http://target.com
# This regex unfortunately needs to be placed on a SINGLE line (or else will bypass attributes to ignore FPs).
if ({latest.response} matches "((?<!/\*[\s\S]{0,98}(?<!\*/[\s\S]{0,98}))(\b((http|ftp|ldap|smtp)://)(?!www\.w3|www\.example|example\.com|www\.apache|schema|purl|127\.0\.|bit\.ly|g\.co|maps\.gstatic|polymer\.github|localhost|s3\.amazonaws|jquery|jqueryui|ns\.adobe\.com|sizzlejs|momentjs|feross|tools.ietf|google\.com|.*:(443|587|636|989|990)|.*\.(svg|xhtml|ico))[^\s\"'`{}]{3,}))") then
if ({latest.response} matches "((?<!/\*[\s\S]{0,98}(?<!\*/[\s\S]{0,98}))(\b((http|ftp|ldap|smtp)://)(?!www\.w3|www\.example|example\.com|www\.apache|schema|purl|127\.0\.|bit\.ly|g\.co|maps\.gstatic|polymer\.github|localhost|s3\.amazonaws|jquery|jqueryui|ns\.adobe\.com|sizzlejs|momentjs|feross|tools.ietf|google\.com|underscorejs|www\.day|.*:(443|587|636|989|990)|.*\.(svg|xhtml|ico))[^\s\"'`{}]{3,}))") then
report issue:
severity: low
confidence: certain
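Review bot: the updated `{latest.response} matches` regex still carries `tools.ietf` with an unescaped dot, while the entries added in this change escape theirs (`www\.day`, and `google\.com` beside it); it should read `tools\.ietf` so the dot does not match an arbitrary character. Separately, the `.*:(443|587|636|989|990)` and `.*\.(svg|xhtml|ico)` alternatives inside the negative lookahead run to the end of the current line, so an `http://` link is suppressed whenever `:443` or `.svg` appears anywhere later on that line, not only inside the captured URL; restricting those two alternatives to the same non-whitespace character class used for the URL body would keep the exclusion to the link itself. Finally, the host regex on the line above gains `underscorejs` but not `iptc`, which the metadata comment in the earlier hunk now lists as a blacklisted host, so the two hunks disagree.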
