Skip to content

Commit

Permalink
Add rule: Sensitive value in .NET configuration (#237)
Browse files Browse the repository at this point in the history
  • Loading branch information
bradlarsen authored Dec 4, 2024
1 parent 45ee29c commit f5f5267
Show file tree
Hide file tree
Showing 7 changed files with 71 additions and 9 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
- `Credentials in .NET System.DirectoryServices.DirectoryEntry` ([#234](https://github.com/praetorian-inc/noseyparker/pull/234))
- `Credentials in .NET System.Net.NetworkCredential` ([#234](https://github.com/praetorian-inc/noseyparker/pull/234))
- `Kubernetes Bootstrap Token` ([#235](https://github.com/praetorian-inc/noseyparker/pull/235))
- `Sensitive value in .NET configuration` ([#237](https://github.com/praetorian-inc/noseyparker/pull/237))

- Rules now contain an optional `description` string field.
This is intended to be a message for human consumption that indicates (a) what was detected and (b) how an attacker might use it.
Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ Nosey Parker is a command-line tool that finds secrets and sensitive information

**Key features:**
- It natively scans files, directories, and Git repository history
- It uses regular expression matching with a set of [159 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high signal-to-noise based on experience and feedback from offensive security engagements
- It uses regular expression matching with a set of [160 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high signal-to-noise based on experience and feedback from offensive security engagements
- It deduplicates its findings, grouping matches together that share the same secret, which in practice can reduce review burden by 100x or more compared to other tools
- It is fast: it can scan at hundreds of megabytes per second on a single core, and is able to scan 100GB of Linux kernel source history in less than 2 minutes on an older MacBook Pro
- It scales: it has scanned inputs as large as 20TiB during security engagements
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,4 @@
source: crates/noseyparker-cli/tests/rules/mod.rs
expression: stdout
---
159 rules and 3 rulesets: no issues detected
160 rules and 3 rulesets: no issues detected
Original file line number Diff line number Diff line change
Expand Up @@ -1289,7 +1289,7 @@ expression: stdout
"name": "Credentials in .NET System.Net.NetworkCredential",
"id": "np.generic.7",
"pattern": "(?x)\n\\b\n(?: NetworkCredential | NETWORKCREDENTIAL | networkcredential )\n\\s* \\( \\s*\n \" ( [^\"\\n]{3,50} ) \" (?# username )\n \\s* , \\s*\n \" ( [^\"\\n]{3,50} ) \" (?# password )\n\\s* \\)\n",
"description": "A .NET `System.Net.NetworkCredential` value with hardcoded parameters was found.\nThis may allow an attack access to a resource that uses basic, digest, NTLM, or Kerberos authentication.\n",
"description": "A .NET `System.Net.NetworkCredential` value with hardcoded parameters was found. This may allow an attack access to a resource that uses basic, digest, NTLM, or Kerberos authentication.\n",
"examples": [
"sender.Credentials = new NetworkCredential(\"[email protected]\", \"vzihlaquknriqlht\");\n",
"$webClient.Credentials = new-object System.Net.NetworkCredential(\"cidownload\", \"AP7JaG9ToerxBc6gWP5LcU2CNpb\");\n"
Expand All @@ -1313,7 +1313,7 @@ expression: stdout
"name": "Credentials in .NET System.DirectoryServices.DirectoryEntry",
"id": "np.generic.8",
"pattern": "(?x)\n\\b\n(?: DirectoryEntry | DIRECTORYENTRY | directoryentry )\n\\s* \\( \\s*\n \" ( [^\"\\n]{3,100} ) \" (?# path )\n \\s* , \\s*\n \" ( [^\"\\n]{3,50} ) \" (?# username )\n \\s* , \\s*\n \" ( [^\"\\n]{3,50} ) \" (?# password )\n (?: \\s* , \\s* [^)]{3,50} )? (?# authentication type )\n\\s* \\)\n",
"description": "A .NET `System.DirectoryServices.DirectoryEntry` value was found with hardcoded credentials.\nThis may allow an attack access to an Active Directory instance.\n",
"description": "A .NET `System.DirectoryServices.DirectoryEntry` value was found with hardcoded credentials. This may allow an attacker access to an Active Directory instance.\n",
"examples": [
"$domain = New-Object DirectoryServices.DirectoryEntry(\"LDAP://10.10.10.1\",\"domain\\user\", \"secret\")\n",
"new DirectoryEntry(\"LDAP://EXAMPLE.COM\",\n \"[email protected]\",\n \"Rrhh1234\");\n"
Expand All @@ -1329,6 +1329,30 @@ expression: stdout
]
}
},
{
"id": "np.generic.9",
"structural_id": "37dadc2ef09aa6f150315ce6f9aaebdf2d8b473b",
"name": "Sensitive value in .NET configuration",
"syntax": {
"name": "Sensitive value in .NET configuration",
"id": "np.generic.9",
"pattern": "(?x)\n< \\s* add \\s+ key \\s* = \\s*\n \" (\n [^\\n\"]{0,20}\n (?: pass | Pass | PASS\n | secret | Secret | SECRET\n | user | User | USER\n | admin | Admin | ADMIN\n | token | Token | TOKEN\n )\n [^\\n\"]{0,20}\n ) \"\n\\s+\nvalue \\s* = \\s* \" ([^\\n\"]{3,100}) \" \\s* / \\s* >\n",
"description": "A possibly-sensitive value in .NET app configuration was found. This may allow an attacker a way to bypass authentication or move laterally.\n",
"examples": [
"<add key=\"FromEmailAddress\" value=\"[email protected]\"/>\n<add key=\"FromEmailPassword\" value=\"Prestigitariu$\"/>\n"
],
"negative_examples": [],
"references": [
"https://learn.microsoft.com/en-us/dotnet/desktop/winforms/advanced/application-settings-overview",
"https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/appsettings/appsettings-element-for-configuration"
],
"categories": [
"fuzzy",
"generic",
"secret"
]
}
},
{
"id": "np.github.1",
"structural_id": "f6c4fca24a1c7f275d51d2718a1585ca6e4ae664",
Expand Down Expand Up @@ -4009,7 +4033,7 @@ expression: stdout
{
"id": "default",
"name": "Nosey Parker default rules",
"num_rules": 138
"num_rules": 139
},
{
"id": "np.assets",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ expression: stdout
np.generic.6 Generic Password fuzzy, generic, secret
np.generic.7 Credentials in .NET System.Net.NetworkCredential fuzzy, generic, secret
np.generic.8 Credentials in .NET System.DirectoryServices.DirectoryEntry fuzzy, generic, secret
np.generic.9 Sensitive value in .NET configuration fuzzy, generic, secret
np.github.1 GitHub Personal Access Token api, secret
np.github.2 GitHub OAuth Access Token api, secret
np.github.3 GitHub App Token api, secret
Expand Down Expand Up @@ -166,6 +167,6 @@ expression: stdout

Ruleset ID Ruleset Name Rules
─────────────────────────────────────────────────────────
default Nosey Parker default rules 138
default Nosey Parker default rules 139
np.assets Nosey Parker asset detection rules 15
np.hashes Nosey Parker password hash rules 6
41 changes: 38 additions & 3 deletions crates/noseyparker/data/default/builtin/rules/generic.yml
Original file line number Diff line number Diff line change
Expand Up @@ -291,7 +291,7 @@ rules:
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.net.networkcredential
description: |
description: >
A .NET `System.Net.NetworkCredential` value with hardcoded parameters was found.
This may allow an attack access to a resource that uses basic, digest, NTLM, or Kerberos authentication.
Expand Down Expand Up @@ -326,6 +326,41 @@ rules:
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directoryentry
description: |
description: >
A .NET `System.DirectoryServices.DirectoryEntry` value was found with hardcoded credentials.
This may allow an attack access to an Active Directory instance.
This may allow an attacker access to an Active Directory instance.
- name: Sensitive value in .NET configuration
id: np.generic.9
pattern: |
(?x)
< \s* add \s+ key \s* = \s*
" (
[^\n"]{0,20}
(?: pass | Pass | PASS
| secret | Secret | SECRET
| user | User | USER
| admin | Admin | ADMIN
| token | Token | TOKEN
)
[^\n"]{0,20}
) "
\s+
value \s* = \s* " ([^\n"]{3,100}) " \s* / \s* >
categories: [fuzzy, generic, secret]
description: >
A possibly-sensitive value in .NET app configuration was found.
This may allow an attacker a way to bypass authentication or move laterally.
examples:
- |
<add key="FromEmailAddress" value="[email protected]"/>
<add key="FromEmailPassword" value="Prestigitariu$"/>
references:
- https://learn.microsoft.com/en-us/dotnet/desktop/winforms/advanced/application-settings-overview
- https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/appsettings/appsettings-element-for-configuration
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,7 @@ rulesets:
- np.generic.6 # Generic Password
- np.generic.7 # Credentials in .NET System.Net.NetworkCredential
- np.generic.8 # Credentials in .NET System.DirectoryServices.DirectoryEntry
- np.generic.9 # Sensitive value in .NET configuration
- np.github.1 # GitHub Personal Access Token
- np.github.2 # GitHub OAuth Access Token
- np.github.3 # GitHub App Token
Expand Down

0 comments on commit f5f5267

Please sign in to comment.