From f4ec405b8140a6e876314a5aa87f56213bd476d7 Mon Sep 17 00:00:00 2001 From: ricekot Date: Tue, 4 Jun 2024 23:05:44 +0530 Subject: [PATCH] Implement `getMetadata` for some more Passive scripts - Update the following scripts to implement the `getMetadata()` function: - passive/find base64 strings.js - passive/Find Credit Cards.js - passive/Find Emails.js - passive/Find Hashes.js - passive/Find HTML Comments.js Also update passive scripts with an existing `getMetadata()` function to also specify a `codeLink` and a `helpLink`. Signed-off-by: ricekot --- CHANGELOG.md | 5 + passive/CookieHTTPOnly.js | 2 + passive/Find Credit Cards.js | 58 ++--- passive/Find Emails.js | 59 ++--- passive/Find HTML Comments.js | 86 ++++--- passive/Find Hashes.js | 260 +++++++++------------ passive/clacks.js | 2 + passive/detect_csp_notif_and_reportonly.js | 2 + passive/detect_samesite_protection.js | 2 + passive/f5_bigip_cookie_internal_ip.js | 2 + passive/find base64 strings.js | 78 +++---- 11 files changed, 257 insertions(+), 299 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ac8e7b94..3304478a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,6 +24,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - passive/detect_csp_notif_and_reportonly.js - passive/detect_samesite_protection.js - passive/f5_bigip_cookie_internal_ip.js + - passive/find base64 strings.js + - passive/Find Credit Cards.js + - passive/Find Emails.js + - passive/Find Hashes.js + - passive/Find HTML Comments.js ## [18] - 2024-01-29 ### Added diff --git a/passive/CookieHTTPOnly.js b/passive/CookieHTTPOnly.js index 0bc88e61..7e6f4673 100644 --- a/passive/CookieHTTPOnly.js +++ b/passive/CookieHTTPOnly.js @@ -18,6 +18,8 @@ confidence: medium cweId: 0 wascId: 13 # WASC-13: Information Leakage status: alpha +codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/CookieHTTPOnly.js +helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/ `); } 
diff --git a/passive/Find Credit Cards.js b/passive/Find Credit Cards.js
index fb08e4c3..52b1067b 100644
--- a/passive/Find Credit Cards.js
+++ b/passive/Find Credit Cards.js
@@ -1,23 +1,32 @@ // CreditCard Finder by freakyclown@gmail.com -function scan(ps, msg, src) { - // lets set up some stuff we are going to need for the alert later if we find a credit card - var url = msg.getRequestHeader().getURI().toString(); +var ScanRuleMetadata = Java.type( + "org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata" +); + +function getMetadata() { + return ScanRuleMetadata.fromYaml(` +id: 100008 +name: Information Disclosure - Credit Card Number +description: A credit card number was found in the HTTP response body. +solution: > + Encrypt credit card numbers during transmission, use tokenization, + and adhere to PCI DSS standards for secure handling and storage. +risk: high +confidence: medium +cweId: 311 # CWE-311: Missing Encryption of Sensitive Data +wascId: 13 # WASC-13: Information Leakage +status: alpha +codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/Find%20Credit%20Cards.js +helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/ +`); +} + +function scan(helper, msg, src) { var body = msg.getResponseBody().toString(); - var alertRisk = [0, 1, 2, 3]; //1=informational, 2=low, 3=medium, 4=high - var alertConfidence = [0, 1, 2, 3, 4]; //0=fp,1=low,2=medium,3=high,4=confirmed - var alertTitle = ["Credit Card Number(s) Disclosed (script)", ""]; - var alertDesc = ["Credit Card number(s) was discovered.", ""]; - var alertSolution = [ - "why are you showing Credit and debit card numbers?", - "", - ]; - var cweId = [0, 1]; - var wascId = [0, 1]; // lets make some regular expressions for well known credit cards // regex must appear within /( and )/g - var re_visa = /([3-5][0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4})/g; //visa or mastercard var re_amex = /(3[47][0-9]{2}[ -]?[0-9]{6}[ -]?[0-9]{5})/g; //amex var re_disc = /(6011[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4})/g; //discovery 
@@ -56,21 +65,12 @@ function scan(ps, msg, src) {
 }
 }
 if (foundCard.length != 0) {
- ps.raiseAlert(
- alertRisk[3],
- alertConfidence[2],
- alertTitle[0],
- alertDesc[0],
- url,
- "",
- "",
- foundCard.toString(),
- alertSolution[0],
- "",
- cweId[0],
- wascId[0],
- msg
- );
+ helper
+ .newAlert()
+ .setEvidence(foundCard[0])
+ .setOtherInfo(`Other instances: ${foundCard.slice(1).toString()}`)
+ .setMessage(msg)
+ .raise();
 }
 }
 }
diff --git a/passive/Find Emails.js b/passive/Find Emails.js
index d9dcd5e2..4829999c 100644
--- a/passive/Find Emails.js
+++ b/passive/Find Emails.js
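Review bot: The `.setOtherInfo(...)` call in the new alert chain is emitted unconditionally, so a response with exactly one match raises an alert whose other-info reads `Other instances: ` followed by nothing; the same unconditional line appears in the new Find Emails, Find HTML Comments, Find Hashes and find base64 strings hunks. Build the alert first and attach the field only when there is something to list: `var alert = helper.newAlert().setEvidence(foundCard[0]).setMessage(msg);` `if (foundCard.length > 1) { alert = alert.setOtherInfo("Other instances: " + foundCard.slice(1).toString()); }` `alert.raise();`. For this rule in particular, other-info copies every additional card number in clear into the alert and into any report generated from the session; the evidence field presumably has to match the response verbatim for highlighting, but other-info could carry only the last four digits of each extra match so that the full numbers travel no further than necessary. The enclosing `scan` function starts outside the hunk.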
@@ -5,25 +5,39 @@ // https://support.google.com/mail/answer/12096?hl=en // https://regex101.com/r/sH4vC0/2 // 20181213 - Update by nil0x42+owaspzap@gmail.com to ignore false positives (such as '*@123' or '$@#!.') +// 20240604 - Implement getMetadata() to expose the script as a scan rule. -function scan(ps, msg, src) { - // first lets set up some details incase we find an email, these will populate the alert later - var alertRisk = 0; - var alertConfidence = 3; - var alertTitle = "Email addresses (script)"; - var alertDesc = "Email addresses were found"; - var alertSolution = "Remove emails that are not public"; - var cweId = 0; - var wascId = 0; +var ScanRuleMetadata = Java.type( + "org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata" +); +function getMetadata() { + return ScanRuleMetadata.fromYaml(` +id: 100009 +name: Information Disclosure - Email Addresses +description: > + An email address was found in the HTTP response body. + Exposure of email addresses in HTTP messages can lead to privacy violations + and targeted phishing attacks. +solution: > + Mask email addresses during transmission and ensure proper access controls + to protect user privacy and prevent unauthorized access. 
+risk: low +confidence: high +cweId: 311 # CWE-311: Missing Encryption of Sensitive Data +wascId: 13 # WASC-13: Information Leakage +status: alpha +codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/Find%20Emails.js +helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/ +`); +} + +function scan(helper, msg, src) { // lets build a regular expression that can find email addresses // the regex must appear within /( and )/g var re = /([a-zA-Z0-9_.+-]+@[a-zA-Z0-9]+[a-zA-Z0-9-]*\.[a-zA-Z0-9-.]*[a-zA-Z0-9]{2,})/g; - // we need to set the url variable to the request or we cant track the alert later - var url = msg.getRequestHeader().getURI().toString(); - // lets check its not one of the files types that are never likely to contain stuff, like pngs and jpegs var contenttype = msg.getResponseHeader().getHeader("Content-Type"); var unwantedfiletypes = [ @@ -49,21 +63,12 @@ function scan(ps, msg, src) { foundEmail.push(comm[0]); } // woohoo we found an email lets make an alert for it - ps.raiseAlert( - alertRisk, - alertConfidence, - alertTitle, - alertDesc, - url, - "", - "", - foundEmail.toString(), - alertSolution, - "", - cweId, - wascId, - msg - ); + helper + .newAlert() + .setEvidence(foundEmail[0]) + .setOtherInfo(`Other instances: ${foundEmail.slice(1).toString()}`) + .setMessage(msg) + .raise(); } } } diff --git a/passive/Find HTML Comments.js b/passive/Find HTML Comments.js index aa702b1f..a11a50bc 100644 --- a/passive/Find HTML Comments.js +++ b/passive/Find HTML Comments.js 
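Review bot: `risk: low` in the new metadata raises this rule's severity from the removed `var alertRisk = 0;` (informational), and neither the commit message nor the CHANGELOG entry records the change, whereas the other four migrated scripts carry their previous risk and confidence values across unchanged. If the bump is intended, say so in the CHANGELOG line for this script; otherwise use `risk: info`. The hunk also drops `var url = msg.getRequestHeader().getURI().toString();` while the middle of `scan` (old lines 30 to 48) is outside this view, so confirm nothing in that gap still reads `url`; the same unseen gap exists in the other four migrated scripts.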
@@ -18,27 +18,37 @@ // NOTE: This script will only find HTML comments in content which passes through ZAP. // Therefore if you browser is caching you may not see something you expect to. -function scan(ps, msg, src) { +var ScanRuleMetadata = Java.type( + "org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata" +); + +function getMetadata() { + return ScanRuleMetadata.fromYaml(` +id: 100011 +name: Information Disclosure - HTML Comments +description: > + While adding general comments is very useful, some programmers tend to leave important data, + such as: filenames related to the web application, old links or links which were not meant + to be browsed by users, old code fragments, etc. +solution: > + Remove comments which have sensitive information about the design/implementation + of the application. Some of the comments may be exposed to the user and affect + the security posture of the application. +risk: info +confidence: medium +cweId: 615 # CWE-615: Inclusion of Sensitive Information in Source Code Comments +wascId: 13 # WASC-13: Information Leakage +status: alpha +codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/Find%20HTML%20Comments.js +helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/ +`); +} + +function scan(helper, msg, src) { // Both can be true, just know that you'll see duplication. 
var RESULT_PER_FINDING = new Boolean(0); // If you want to see results on a per comment basis (i.e.: A single URL may be listed more than once), set this to true (1) var RESULT_PER_URL = new Boolean(1); // If you want to see results on a per URL basis (i.e.: all comments for a single URL will be grouped together), set this to true (1) - // lets set up some details we will need for alerts later if we find some comments - var alertRisk = 0; - var alertConfidence = 2; - var alertTitle = "Information Exposure Through HTML Comments (script)"; - var alertDesc = - "While adding general comments is very useful, \ -some programmers tend to leave important data, such as: filenames related to the web application, old links \ -or links which were not meant to be browsed by users, old code fragments, etc."; - var alertSolution = - "Remove comments which have sensitive information about the design/implementation \ -of the application. Some of the comments may be exposed to the user and affect the security posture of the \ -application."; - var cweId = 615; - var wascId = 13; - var url = msg.getRequestHeader().getURI().toString(); - // this is a rough regular expression to find HTML comments // regex needs to be inside /( and )/g to work var re = /(\)/g; 
@@ -66,40 +76,22 @@ application."; if (RESULT_PER_FINDING == true) { counter = counter + 1; //fakeparam+counter gives us parameter differientiation per comment alert (RESULT_PER_FINDING) - ps.raiseAlert( - alertRisk, - alertConfidence, - alertTitle, - alertDesc, - url, - "fakeparam" + counter, - "", - comm[0], - alertSolution, - "", - cweId, - wascId, - msg - ); + helper + .newAlert() + .setParam("fakeparam" + counter) + .setEvidence(comm[0]) + .setMessage(msg) + .raise(); } foundComments.push(comm[0]); } if (RESULT_PER_URL == true) { - ps.raiseAlert( - alertRisk, - alertConfidence, - alertTitle, - alertDesc, - url, - "", - "", - foundComments.toString(), - alertSolution, - "", - cweId, - wascId, - msg - ); + helper + .newAlert() + .setEvidence(foundComments[0]) + .setOtherInfo(`Other instances: ${foundComments.slice(1).toString()}`) + .setMessage(msg) + .raise(); } } } diff --git a/passive/Find Hashes.js b/passive/Find Hashes.js index 6e5d644f..a86d9957 100644 --- a/passive/Find Hashes.js +++ b/passive/Find Hashes.js 
@@ -1,20 +1,40 @@ // Encryption Hash Finder by freakyclown@gmail.com -function scan(ps, msg, src) { - var url = msg.getRequestHeader().getURI().toString(); +var ScanRuleMetadata = Java.type( + "org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata" +); + +function getMetadata() { + return ScanRuleMetadata.fromYaml(` +id: 100010 +name: Information Disclosure - Hash +description: A hash was discovered in the HTTP response body. +solution: > + Ensure that hashes that are used to protect credentials or other resources + are not leaked by the web server or database. There is typically no requirement + for password hashes to be accessible to the web browser. +risk: low +confidence: medium +cweId: 327 # CWE-327: Use of a Broken or Risky Cryptographic Algorithm +wascId: 13 # WASC-13: Information Leakage +status: alpha +codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/Find%20Hashes.js +helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/ +`); +} + +function scan(helper, msg, src) { var body = msg.getResponseBody().toString(); - var alertRisk = [0, 1, 2, 3]; //1=informational, 2=low, 3=medium, 4=high - var alertConfidence = [0, 1, 2, 3, 4]; //0=fp,1=low,2=medium,3=high,4=confirmed var alertTitle = [ - "Wordpress hash Disclosed (script)", - "Sha512 hash Disclosed (script)", - "phpBB3 hash Disclosed (script)", - "Joomla hash Disclosed (script)", - "MySQL(old) hash Disclosed (script)", - "Drupal hash Disclosed (script)", - "Blowfish hash Disclosed (script)", - "VBulletin hash Disclosed (script)", - "MD4/MD5 hash Disclosed (script)", + "Information Disclosure - Wordpress Hash", + "Information Disclosure - Sha512 Hash", + "Information Disclosure - phpBB3 Hash", + "Information Disclosure - Joomla Hash", + "Information Disclosure - MySQL(old) Hash", + "Information Disclosure - Drupal Hash", + "Information Disclosure - Blowfish Hash", + "Information Disclosure - VBulletin Hash", + "Information Disclosure - MD4/MD5 Hash", "", ]; var 
alertDesc = [ @@ -29,12 +49,6 @@ function scan(ps, msg, src) { "A MD4/MD5 hash Disclosed was discovered", "", ]; - var alertSolution = [ - "Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser.", - "", - ]; - var cweId = [0, 1]; - var wascId = [0, 1]; // regex must appear within /( and )/g @@ -55,21 +69,14 @@ function scan(ps, msg, src) { while ((comm = wordpress.exec(body))) { foundwordpress.push(comm[0]); } - ps.raiseAlert( - alertRisk[1], - alertConfidence[2], - alertTitle[0], - alertDesc[0], - url, - "", - "", - foundwordpress.toString(), - alertSolution[0], - "", - cweId[0], - wascId[0], - msg - ); + helper + .newAlert() + .setName(alertTitle[0]) + .setDescription(alertDesc[0]) + .setEvidence(foundwordpress[0]) + .setOtherInfo(`Other instances: ${foundwordpress.slice(1).toString()}`) + .setMessage(msg) + .raise(); } if (sha512.test(body)) { @@ -78,21 +85,14 @@ function scan(ps, msg, src) { while ((comm = sha512.exec(body))) { foundsha512.push(comm[0]); } - ps.raiseAlert( - alertRisk[1], - alertConfidence[2], - alertTitle[1], - alertDesc[1], - url, - "", - "", - foundsha512.toString(), - alertSolution[0], - "", - cweId[0], - wascId[0], - msg - ); + helper + .newAlert() + .setName(alertTitle[1]) + .setDescription(alertDesc[1]) + .setEvidence(foundsha512[0]) + .setOtherInfo(`Other instances: ${foundsha512.slice(1).toString()}`) + .setMessage(msg) + .raise(); } if (phpbb3.test(body)) { phpbb3.lastIndex = 0; 
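Review bot: `cweId: 327 # CWE-327: Use of a Broken or Risky Cryptographic Algorithm` now classifies every alert this rule raises, including the SHA-512, Blowfish and Drupal families, yet the finding is that a hash value is exposed in a response body, not that a weak algorithm is in use. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), which the clacks and CSP scripts in this same patch already use, describes the leak more accurately; if an algorithm-strength classification is wanted for the MD4/MD5 case it would have to be set per family at the call site, and I cannot confirm from this hunk whether the alert builder exposes such a setter. The `scan` function started in this hunk continues past it.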
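Review bot: The nine `helper.newAlert()…raise()` chains in this and the following Find Hashes hunks (through the MD4/MD5 one) differ only in the array index and the matched-results array, so a small helper would make the per-family behaviour reviewable in one place and give the other-instances guard (needed when a family has a single match) a single home. The helper below takes the name and description explicitly because `alertTitle` and `alertDesc` are locals of `scan`, whose body extends beyond the hunk; the wordpress site becomes `raiseHashAlert(helper, msg, alertTitle[0], alertDesc[0], foundwordpress);` and the MD4/MD5 site passes `1` as the trailing confidence argument. The setter results are reassigned rather than discarded because this hunk only shows the builder being used in chained form, not whether the setters mutate in place.
```javascript
// Raises one alert for a hash family. `found` holds every match for that
// family: the first is the evidence, the rest are listed in other-info only
// when there are any. `confidence` is optional and overrides the rule default.
function raiseHashAlert(helper, msg, name, description, found, confidence) {
  var alert = helper
    .newAlert()
    .setName(name)
    .setDescription(description)
    .setEvidence(found[0])
    .setMessage(msg);
  if (confidence !== undefined) {
    alert = alert.setConfidence(confidence);
  }
  if (found.length > 1) {
    alert = alert.setOtherInfo("Other instances: " + found.slice(1).toString());
  }
  alert.raise();
}
// … unchanged: regex definitions and the per-family test/exec loops …
```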
@@ -100,21 +100,14 @@ function scan(ps, msg, src) {
 while ((comm = phpbb3.exec(body))) {
 foundphpbb3.push(comm[0]);
 }
- ps.raiseAlert(
- alertRisk[1],
- alertConfidence[2],
- alertTitle[2],
- alertDesc[2],
- url,
- "",
- "",
- foundphpbb3.toString(),
- alertSolution[0],
- "",
- cweId[0],
- wascId[0],
- msg
- );
+ helper
+ .newAlert()
+ .setName(alertTitle[2])
+ .setDescription(alertDesc[2])
+ .setEvidence(foundphpbb3[0])
+ .setOtherInfo(`Other instances: ${foundphpbb3.slice(1).toString()}`)
+ .setMessage(msg)
+ .raise();
 }
 if (mysqlold.test(body)) {
@@ -123,21 +116,14 @@ function scan(ps, msg, src) {
 while ((comm = mysqlold.exec(body))) {
 foundmysqlold.push(comm[0]);
 }
- ps.raiseAlert(
- alertRisk[1],
- alertConfidence[2],
- alertTitle[3],
- alertDesc[3],
- url,
- "",
- "",
- foundmysqlold.toString(),
- alertSolution[0],
- "",
- cweId[0],
- wascId[0],
- msg
- );
+ helper
+ .newAlert()
+ .setName(alertTitle[3])
+ .setDescription(alertDesc[3])
+ .setEvidence(foundmysqlold[0])
+ .setOtherInfo(`Other instances: ${foundmysqlold.slice(1).toString()}`)
+ .setMessage(msg)
+ .raise();
 }
 if (joomla.test(body)) {
@@ -146,21 +132,14 @@ function scan(ps, msg, src) {
 while ((comm = joomla.exec(body))) {
 foundjoomla.push(comm[0]);
 }
- ps.raiseAlert(
- alertRisk[1],
- alertConfidence[2],
- alertTitle[4],
- alertDesc[4],
- url,
- "",
- "",
- foundjoomla.toString(),
- alertSolution[0],
- "",
- cweId[0],
- wascId[0],
- msg
- );
+ helper
+ .newAlert()
+ .setName(alertTitle[4])
+ .setDescription(alertDesc[4])
+ .setEvidence(foundjoomla[0])
+ .setOtherInfo(`Other instances: ${foundjoomla.slice(1).toString()}`)
+ .setMessage(msg)
+ .raise();
 }
 if (drupal.test(body)) {
 drupal.lastIndex = 0;
@@ -168,21 +147,14 @@ function scan(ps, msg, src) {
 while ((comm = drupal.exec(body))) {
 founddrupal.push(comm[0]);
 }
- ps.raiseAlert(
- alertRisk[1],
- alertConfidence[2],
- alertTitle[5],
- alertDesc[5],
- url,
- "",
- "",
- founddrupal.toString(),
- alertSolution[0],
- "",
- cweId[0],
- wascId[0],
- msg
- );
+ helper
+ .newAlert()
+ .setName(alertTitle[5])
+ .setDescription(alertDesc[5])
+ .setEvidence(founddrupal[0])
+ .setOtherInfo(`Other instances: ${founddrupal.slice(1).toString()}`)
+ .setMessage(msg)
+ .raise();
 }
 if (blowfish.test(body)) {
@@ -191,21 +163,14 @@ function scan(ps, msg, src) {
 while ((comm = blowfish.exec(body))) {
 foundblowfish.push(comm[0]);
 }
- ps.raiseAlert(
- alertRisk[1],
- alertConfidence[2],
- alertTitle[6],
- alertDesc[6],
- url,
- "",
- "",
- foundblowfish.toString(),
- alertSolution[0],
- "",
- cweId[0],
- wascId[0],
- msg
- );
+ helper
+ .newAlert()
+ .setName(alertTitle[6])
+ .setDescription(alertDesc[6])
+ .setEvidence(foundblowfish[0])
+ .setOtherInfo(`Other instances: ${foundblowfish.slice(1).toString()}`)
+ .setMessage(msg)
+ .raise();
 }
 if (vbull.test(body)) {
@@ -214,21 +179,14 @@ function scan(ps, msg, src) {
 while ((comm = vbull.exec(body))) {
 foundvbull.push(comm[0]);
 }
- ps.raiseAlert(
- alertRisk[1],
- alertConfidence[2],
- alertTitle[7],
- alertDesc[7],
- url,
- "",
- "",
- foundvbull.toString(),
- alertSolution[0],
- "",
- cweId[0],
- wascId[0],
- msg
- );
+ helper
+ .newAlert()
+ .setName(alertTitle[7])
+ .setDescription(alertDesc[7])
+ .setEvidence(foundvbull[0])
+ .setOtherInfo(`Other instances: ${foundvbull.slice(1).toString()}`)
+ .setMessage(msg)
+ .raise();
 }
 if (md45.test(body)) {
@@ -237,20 +195,14 @@ function scan(ps, msg, src) {
 while ((comm = md45.exec(body))) {
 foundmd45.push(comm[0]);
 }
- ps.raiseAlert(
- alertRisk[1],
- alertConfidence[1],
- alertTitle[8],
- alertDesc[8],
- url,
- "",
- "",
- foundmd45.toString(),
- alertSolution[0],
- "",
- cweId[0],
- wascId[0],
- msg
- );
+ helper
+ .newAlert()
+ .setName(alertTitle[8])
+ .setDescription(alertDesc[8])
+ .setConfidence(1)
+ .setEvidence(foundmd45[0])
+ .setOtherInfo(`Other instances: ${foundmd45.slice(1).toString()}`)
+ .setMessage(msg)
+ .raise();
 }
 }
diff --git a/passive/clacks.js b/passive/clacks.js
index d180fea7..49791ec7 100644
--- a/passive/clacks.js
+++ b/passive/clacks.js
@@ -19,6 +19,8 @@ confidence: high
 cweId: 200 # CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
 wascId: 13 # WASC-13: Information Leakage
 status: alpha
+codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/clacks.js
+helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/
 `);
 }
diff --git a/passive/detect_csp_notif_and_reportonly.js b/passive/detect_csp_notif_and_reportonly.js
index dcdd6cec..2c8de7b7 100644
--- a/passive/detect_csp_notif_and_reportonly.js
+++ b/passive/detect_csp_notif_and_reportonly.js
@@ -36,6 +36,8 @@ confidence: high
 cweId: 200 # CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
 wascId: 13 # WASC-13: Information Leakage
 status: alpha
+codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/detect_csp_notif_and_reportonly.js
+helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/
 `);
 }
diff --git a/passive/detect_samesite_protection.js b/passive/detect_samesite_protection.js
index 35850dc7..492d4f8e 100644
--- a/passive/detect_samesite_protection.js
+++ b/passive/detect_samesite_protection.js
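Review bot: `.setConfidence(1)` is the only site in Find Hashes that overrides the metadata's `confidence: medium`, and the meaning of the bare `1` is no longer stated anywhere in the file now that the `//0=fp,1=low,2=medium,3=high,4=confirmed` comment has been removed with the old arrays. Add a comment on that line, e.g. `// 1 = low confidence; MD4/MD5 matches override the rule default of medium`, or hoist a named constant such as `var CONFIDENCE_LOW = 1;` next to the other locals at the top of `scan`, which begins outside this hunk.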
@@ -32,6 +32,8 @@ confidence: high
 cweId: 352 # CWE-352: Cross-Site Request Forgery (CSRF)
 wascId: 9 # WASC-9: Cross Site Request Forgery
 status: alpha
+codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/detect_samesite_protection.js
+helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/
 `);
 }
diff --git a/passive/f5_bigip_cookie_internal_ip.js b/passive/f5_bigip_cookie_internal_ip.js
index efff7435..1ad74819 100755
--- a/passive/f5_bigip_cookie_internal_ip.js
+++ b/passive/f5_bigip_cookie_internal_ip.js
@@ -31,6 +31,8 @@ confidence: high
 cweId: 311 # CWE-311: Missing Encryption of Sensitive Data
 wascId: 13 # WASC-13: Information Leakage
 status: alpha
+codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/f5_bigip_cookie_internal_ip.js
+helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/
 `);
 }
diff --git a/passive/find base64 strings.js b/passive/find base64 strings.js
index 673c55a9..02eaa73d 100644
--- a/passive/find base64 strings.js
+++ b/passive/find base64 strings.js
@@ -1,20 +1,32 @@ // This community script will analyze the response for base64 encoded strings // Regex Test: https://regex101.com/r/pS2oF3/3 -function scan(ps, msg, src) { +var ScanRuleMetadata = Java.type( + "org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata" +); + +function getMetadata() { + return ScanRuleMetadata.fromYaml(` +id: 100007 +name: Information Disclosure - Base64-encoded String +description: > + A Base64-encoded string has been found in the HTTP response body. + Base64-encoded data may contain sensitive information such as usernames, + passwords or cookies which should be further inspected. +solution: Base64-encoding should not be used to store or send sensitive information. +risk: info +confidence: low +cweId: 311 # CWE-311: Missing Encryption of Sensitive Data +wascId: 13 # WASC-13: Information Leakage +status: alpha +codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/find%20base64%20strings.js +helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/ +`); +} + +function scan(helper, msg, src) { var RESULT_PER_FINDING = new Boolean(0); // If you want to see results on a per comment basis (i.e.: A single URL may be listed more than once), set this to true (1) var RESULT_PER_URL = new Boolean(1); // If you want to see results on a per URL basis (i.e.: all comments for a single URL will be grouped together), set this to true (1) - - var alertRisk = 0; - var alertConfidence = 1; - var alertTitle = "Base64-encoded string found (script)"; - var alertDesc = - "A Base64-encoded string has been found in the HTTP response body. 
Base64-encoded data may contain sensitive information such as usernames, passwords or cookies which should be further inspected."; - var alertSolution = - "Base64-encoding should not be used to store or send sensitive information."; - var cweId = 0; - var wascId = 0; - var url = msg.getRequestHeader().getURI().toString(); var re = /([A-Za-z0-9+\/]{15,}=+)/g; var contenttype = msg.getResponseHeader().getHeader("Content-Type"); @@ -38,40 +50,22 @@ function scan(ps, msg, src) { while ((comm = re.exec(body))) { if (RESULT_PER_FINDING == true) { counter = counter + 1; - ps.raiseAlert( - alertRisk, - alertConfidence, - alertTitle, - alertDesc, - url, - "fakeparam" + counter, - "", - comm[0], - alertSolution, - "", - cweId, - wascId, - msg - ); + helper + .newAlert() + .setParam("fakeparam" + counter) + .setEvidence(comm[0]) + .setMessage(msg) + .raise(); } foundstrings.push(comm[0]); } if (RESULT_PER_URL == true) { - ps.raiseAlert( - alertRisk, - alertConfidence, - alertTitle, - alertDesc, - url, - "", - "", - foundstrings.toString(), - alertSolution, - "", - cweId, - wascId, - msg - ); + helper + .newAlert() + .setEvidence(foundstrings[0]) + .setOtherInfo(`Other instances: ${foundstrings.slice(1).toString()}`) + .setMessage(msg) + .raise(); } } }