Merge pull request #448 from ricekot/passive-scripts-metadata

Implement `getMetadata` for some more Passive scripts

CHANGELOG.md

@@ -24,6 +24,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
  - passive/detect_csp_notif_and_reportonly.js
  - passive/detect_samesite_protection.js
  - passive/f5_bigip_cookie_internal_ip.js
+ - passive/find base64 strings.js
+ - passive/Find Credit Cards.js
+ - passive/Find Emails.js
+ - passive/Find Hashes.js
+ - passive/Find HTML Comments.js
 
 ## [18] - 2024-01-29
 ### Added

passive/CookieHTTPOnly.js

@@ -18,6 +18,8 @@ confidence: medium
 cweId: 0
 wascId: 13 # WASC-13: Information Leakage
 status: alpha
+codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/CookieHTTPOnly.js
+helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/
 `);
 }
 

passive/Find Credit Cards.js

@@ -1,23 +1,32 @@
 // CreditCard Finder by freakyclown@gmail.com
 
-function scan(ps, msg, src) {
- // lets set up some stuff we are going to need for the alert later if we find a credit card
- var url = msg.getRequestHeader().getURI().toString();
+var ScanRuleMetadata = Java.type(
+ "org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata"
+);
+
+function getMetadata() {
+ return ScanRuleMetadata.fromYaml(`
+id: 100008
+name: Information Disclosure - Credit Card Number
+description: A credit card number was found in the HTTP response body.
+solution: >
+ Encrypt credit card numbers during transmission, use tokenization,
+ and adhere to PCI DSS standards for secure handling and storage.
+risk: high
+confidence: medium
+cweId: 311 # CWE-311: Missing Encryption of Sensitive Data
+wascId: 13 # WASC-13: Information Leakage
+status: alpha
+codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/Find%20Credit%20Cards.js
+helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/
+`);
+}
+
+function scan(helper, msg, src) {
  var body = msg.getResponseBody().toString();
- var alertRisk = [0, 1, 2, 3]; //1=informational, 2=low, 3=medium, 4=high
- var alertConfidence = [0, 1, 2, 3, 4]; //0=fp,1=low,2=medium,3=high,4=confirmed
- var alertTitle = ["Credit Card Number(s) Disclosed (script)", ""];
- var alertDesc = ["Credit Card number(s) was discovered.", ""];
- var alertSolution = [
- "why are you showing Credit and debit card numbers?",
- "",
- ];
- var cweId = [0, 1];
- var wascId = [0, 1];
 
  // lets make some regular expressions for well known credit cards
  // regex must appear within /( and )/g
-
  var re_visa = /([3-5][0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4})/g; //visa or mastercard
  var re_amex = /(3[47][0-9]{2}[ -]?[0-9]{6}[ -]?[0-9]{5})/g; //amex
  var re_disc = /(6011[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4})/g; //discovery
@@ -56,21 +65,12 @@ function scan(ps, msg, src) {
  }
  }
  if (foundCard.length != 0) {
- ps.raiseAlert(
- alertRisk[3],
- alertConfidence[2],
- alertTitle[0],
- alertDesc[0],
- url,
- "",
- "",
- foundCard.toString(),
- alertSolution[0],
- "",
- cweId[0],
- wascId[0],
- msg
- );
+ helper
+ .newAlert()
+ .setEvidence(foundCard[0])
+ .setOtherInfo(`Other instances: ${foundCard.slice(1).toString()}`)
+ .setMessage(msg)
+ .raise();
  }
  }
  }

passive/Find Emails.js

@@ -5,25 +5,39 @@
 // https://support.google.com/mail/answer/12096?hl=en
 // https://regex101.com/r/sH4vC0/2
 // 20181213 - Update by nil0x42+owaspzap@gmail.com to ignore false positives (such as '*@123' or '$@#!.')
+// 20240604 - Implement getMetadata() to expose the script as a scan rule.
 
-function scan(ps, msg, src) {
- // first lets set up some details incase we find an email, these will populate the alert later
- var alertRisk = 0;
- var alertConfidence = 3;
- var alertTitle = "Email addresses (script)";
- var alertDesc = "Email addresses were found";
- var alertSolution = "Remove emails that are not public";
- var cweId = 0;
- var wascId = 0;
+var ScanRuleMetadata = Java.type(
+ "org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata"
+);
 
+function getMetadata() {
+ return ScanRuleMetadata.fromYaml(`
+id: 100009
+name: Information Disclosure - Email Addresses
+description: >
+ An email address was found in the HTTP response body.
+ Exposure of email addresses in HTTP messages can lead to privacy violations 
+ and targeted phishing attacks.
+solution: >
+ Mask email addresses during transmission and ensure proper access controls 
+ to protect user privacy and prevent unauthorized access.
+risk: low
+confidence: high
+cweId: 311 # CWE-311: Missing Encryption of Sensitive Data
+wascId: 13 # WASC-13: Information Leakage
+status: alpha
+codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/Find%20Emails.js
+helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/
+`);
+}
+
+function scan(helper, msg, src) {
  // lets build a regular expression that can find email addresses
  // the regex must appear within /( and )/g
  var re =
  /([a-zA-Z0-9_.+-]+@[a-zA-Z0-9]+[a-zA-Z0-9-]*\.[a-zA-Z0-9-.]*[a-zA-Z0-9]{2,})/g;
 
- // we need to set the url variable to the request or we cant track the alert later
- var url = msg.getRequestHeader().getURI().toString();
-
  // lets check its not one of the files types that are never likely to contain stuff, like pngs and jpegs
  var contenttype = msg.getResponseHeader().getHeader("Content-Type");
  var unwantedfiletypes = [
@@ -49,21 +63,12 @@ function scan(ps, msg, src) {
  foundEmail.push(comm[0]);
  }
  // woohoo we found an email lets make an alert for it
- ps.raiseAlert(
- alertRisk,
- alertConfidence,
- alertTitle,
- alertDesc,
- url,
- "",
- "",
- foundEmail.toString(),
- alertSolution,
- "",
- cweId,
- wascId,
- msg
- );
+ helper
+ .newAlert()
+ .setEvidence(foundEmail[0])
+ .setOtherInfo(`Other instances: ${foundEmail.slice(1).toString()}`)
+ .setMessage(msg)
+ .raise();
  }
  }
 }

passive/Find HTML Comments.js

@@ -18,27 +18,37 @@
 // NOTE: This script will only find HTML comments in content which passes through ZAP.
 // Therefore if you browser is caching you may not see something you expect to.
 
-function scan(ps, msg, src) {
+var ScanRuleMetadata = Java.type(
+ "org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata"
+);
+
+function getMetadata() {
+ return ScanRuleMetadata.fromYaml(`
+id: 100011
+name: Information Disclosure - HTML Comments
+description: >
+ While adding general comments is very useful, some programmers tend to leave important data,
+ such as: filenames related to the web application, old links or links which were not meant
+ to be browsed by users, old code fragments, etc.
+solution: >
+ Remove comments which have sensitive information about the design/implementation
+ of the application. Some of the comments may be exposed to the user and affect 
+ the security posture of the application.
+risk: info
+confidence: medium
+cweId: 615 # CWE-615: Inclusion of Sensitive Information in Source Code Comments
+wascId: 13 # WASC-13: Information Leakage
+status: alpha
+codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/Find%20HTML%20Comments.js
+helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/
+`);
+}
+
+function scan(helper, msg, src) {
  // Both can be true, just know that you'll see duplication.
  var RESULT_PER_FINDING = new Boolean(0); // If you want to see results on a per comment basis (i.e.: A single URL may be listed more than once), set this to true (1)
  var RESULT_PER_URL = new Boolean(1); // If you want to see results on a per URL basis (i.e.: all comments for a single URL will be grouped together), set this to true (1)
 
- // lets set up some details we will need for alerts later if we find some comments
- var alertRisk = 0;
- var alertConfidence = 2;
- var alertTitle = "Information Exposure Through HTML Comments (script)";
- var alertDesc =
- "While adding general comments is very useful, \
-some programmers tend to leave important data, such as: filenames related to the web application, old links \
-or links which were not meant to be browsed by users, old code fragments, etc.";
- var alertSolution =
- "Remove comments which have sensitive information about the design/implementation \
-of the application. Some of the comments may be exposed to the user and affect the security posture of the \
-application.";
- var cweId = 615;
- var wascId = 13;
- var url = msg.getRequestHeader().getURI().toString();
-
  // this is a rough regular expression to find HTML comments
  // regex needs to be inside /( and )/g to work
  var re = /(\<![\s]*--[\-!@#$%^&*:;ºª.,"'(){}\w\s\/\\[\]]*--[\s]*\>)/g;
@@ -66,40 +76,22 @@ application.";
  if (RESULT_PER_FINDING == true) {
  counter = counter + 1;
  //fakeparam+counter gives us parameter differientiation per comment alert (RESULT_PER_FINDING)
- ps.raiseAlert(
- alertRisk,
- alertConfidence,
- alertTitle,
- alertDesc,
- url,
- "fakeparam" + counter,
- "",
- comm[0],
- alertSolution,
- "",
- cweId,
- wascId,
- msg
- );
+ helper
+ .newAlert()
+ .setParam("fakeparam" + counter)
+ .setEvidence(comm[0])
+ .setMessage(msg)
+ .raise();
  }
  foundComments.push(comm[0]);
  }
  if (RESULT_PER_URL == true) {
- ps.raiseAlert(
- alertRisk,
- alertConfidence,
- alertTitle,
- alertDesc,
- url,
- "",
- "",
- foundComments.toString(),
- alertSolution,
- "",
- cweId,
- wascId,
- msg
- );
+ helper
+ .newAlert()
+ .setEvidence(foundComments[0])
+ .setOtherInfo(`Other instances: ${foundComments.slice(1).toString()}`)
+ .setMessage(msg)
+ .raise();
  }
  }
  }