Merge pull request #448 from ricekot/passive-scripts-metadata

Implement `getMetadata` for some more Passive scripts

Author: thc202

CHANGELOG.md

@@ -24,6 +24,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
   - passive/detect_csp_notif_and_reportonly.js
   - passive/detect_samesite_protection.js
   - passive/f5_bigip_cookie_internal_ip.js
+  - passive/find base64 strings.js
+  - passive/Find Credit Cards.js
+  - passive/Find Emails.js
+  - passive/Find Hashes.js
+  - passive/Find HTML Comments.js
 
 ## [18] - 2024-01-29
 ### Added

passive/CookieHTTPOnly.js

@@ -18,6 +18,8 @@ confidence: medium
 cweId: 0
 wascId: 13  # WASC-13: Information Leakage
 status: alpha
+codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/CookieHTTPOnly.js
+helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/
 `);
 }
 

passive/Find Credit Cards.js

@@ -1,23 +1,32 @@
 // CreditCard Finder by freakyclown@gmail.com
 
-function scan(ps, msg, src) {
-  // lets set up some stuff we are going to need for the alert later if we find a credit card
-  var url = msg.getRequestHeader().getURI().toString();
+var ScanRuleMetadata = Java.type(
+  "org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata"
+);
+
+function getMetadata() {
+  return ScanRuleMetadata.fromYaml(`
+id: 100008
+name: Information Disclosure - Credit Card Number
+description: A credit card number was found in the HTTP response body.
+solution: >
+  Encrypt credit card numbers during transmission, use tokenization,
+  and adhere to PCI DSS standards for secure handling and storage.
+risk: high
+confidence: medium
+cweId: 311  # CWE-311: Missing Encryption of Sensitive Data
+wascId: 13  # WASC-13: Information Leakage
+status: alpha
+codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/Find%20Credit%20Cards.js
+helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/
+`);
+}
+
+function scan(helper, msg, src) {
   var body = msg.getResponseBody().toString();
-  var alertRisk = [0, 1, 2, 3]; //1=informational, 2=low, 3=medium, 4=high
-  var alertConfidence = [0, 1, 2, 3, 4]; //0=fp,1=low,2=medium,3=high,4=confirmed
-  var alertTitle = ["Credit Card Number(s) Disclosed (script)", ""];
-  var alertDesc = ["Credit Card number(s) was discovered.", ""];
-  var alertSolution = [
-    "why are you showing Credit and debit card numbers?",
-    "",
-  ];
-  var cweId = [0, 1];
-  var wascId = [0, 1];
 
   // lets make some regular expressions for well known credit cards
   // regex must appear within /( and )/g
-
   var re_visa = /([3-5][0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4})/g; //visa or mastercard
   var re_amex = /(3[47][0-9]{2}[ -]?[0-9]{6}[ -]?[0-9]{5})/g; //amex
   var re_disc = /(6011[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4})/g; //discovery
@@ -56,21 +65,12 @@ function scan(ps, msg, src) {
           }
         }
         if (foundCard.length != 0) {
-          ps.raiseAlert(
-            alertRisk[3],
-            alertConfidence[2],
-            alertTitle[0],
-            alertDesc[0],
-            url,
-            "",
-            "",
-            foundCard.toString(),
-            alertSolution[0],
-            "",
-            cweId[0],
-            wascId[0],
-            msg
-          );
+          helper
+            .newAlert()
+            .setEvidence(foundCard[0])
+            .setOtherInfo(`Other instances: ${foundCard.slice(1).toString()}`)
+            .setMessage(msg)
+            .raise();
         }
       }
     }

passive/Find Emails.js

@@ -5,25 +5,39 @@
 //     https://support.google.com/mail/answer/12096?hl=en
 //     https://regex101.com/r/sH4vC0/2
 // 20181213 - Update by nil0x42+owaspzap@gmail.com to ignore false positives (such as '*@123' or '$@#!.')
+// 20240604 - Implement getMetadata() to expose the script as a scan rule.
 
-function scan(ps, msg, src) {
-  // first lets set up some details incase we find an email, these will populate the alert later
-  var alertRisk = 0;
-  var alertConfidence = 3;
-  var alertTitle = "Email addresses (script)";
-  var alertDesc = "Email addresses were found";
-  var alertSolution = "Remove emails that are not public";
-  var cweId = 0;
-  var wascId = 0;
+var ScanRuleMetadata = Java.type(
+  "org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata"
+);
 
+function getMetadata() {
+  return ScanRuleMetadata.fromYaml(`
+id: 100009
+name: Information Disclosure - Email Addresses
+description: >
+  An email address was found in the HTTP response body.
+  Exposure of email addresses in HTTP messages can lead to privacy violations 
+  and targeted phishing attacks.
+solution: >
+  Mask email addresses during transmission and ensure proper access controls 
+  to protect user privacy and prevent unauthorized access.
+risk: low
+confidence: high
+cweId: 311  # CWE-311: Missing Encryption of Sensitive Data
+wascId: 13  # WASC-13: Information Leakage
+status: alpha
+codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/Find%20Emails.js
+helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/
+`);
+}
+
+function scan(helper, msg, src) {
   // lets build a regular expression that can find email addresses
   // the regex must appear within /( and )/g
   var re =
     /([a-zA-Z0-9_.+-]+@[a-zA-Z0-9]+[a-zA-Z0-9-]*\.[a-zA-Z0-9-.]*[a-zA-Z0-9]{2,})/g;
 
-  // we need to set the url variable to the request or we cant track the alert later
-  var url = msg.getRequestHeader().getURI().toString();
-
   // lets check its not one of the files types that are never likely to contain stuff, like pngs and jpegs
   var contenttype = msg.getResponseHeader().getHeader("Content-Type");
   var unwantedfiletypes = [
@@ -49,21 +63,12 @@ function scan(ps, msg, src) {
         foundEmail.push(comm[0]);
       }
       // woohoo we found an email lets make an alert for it
-      ps.raiseAlert(
-        alertRisk,
-        alertConfidence,
-        alertTitle,
-        alertDesc,
-        url,
-        "",
-        "",
-        foundEmail.toString(),
-        alertSolution,
-        "",
-        cweId,
-        wascId,
-        msg
-      );
+      helper
+        .newAlert()
+        .setEvidence(foundEmail[0])
+        .setOtherInfo(`Other instances: ${foundEmail.slice(1).toString()}`)
+        .setMessage(msg)
+        .raise();
     }
   }
 }

passive/Find HTML Comments.js

@@ -18,27 +18,37 @@
 // NOTE: This script will only find HTML comments in content which passes through ZAP.
 //		Therefore if you browser is caching you may not see something you expect to.
 
-function scan(ps, msg, src) {
+var ScanRuleMetadata = Java.type(
+  "org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata"
+);
+
+function getMetadata() {
+  return ScanRuleMetadata.fromYaml(`
+id: 100011
+name: Information Disclosure - HTML Comments
+description: >
+  While adding general comments is very useful, some programmers tend to leave important data,
+  such as: filenames related to the web application, old links or links which were not meant
+  to be browsed by users, old code fragments, etc.
+solution: >
+  Remove comments which have sensitive information about the design/implementation
+  of the application. Some of the comments may be exposed to the user and affect 
+  the security posture of the application.
+risk: info
+confidence: medium
+cweId: 615  # CWE-615: Inclusion of Sensitive Information in Source Code Comments
+wascId: 13  # WASC-13: Information Leakage
+status: alpha
+codeLink: https://github.com/zaproxy/community-scripts/blob/main/passive/Find%20HTML%20Comments.js
+helpLink: https://www.zaproxy.org/docs/desktop/addons/community-scripts/
+`);
+}
+
+function scan(helper, msg, src) {
   // Both can be true, just know that you'll see duplication.
   var RESULT_PER_FINDING = new Boolean(0); // If you want to see results on a per comment basis (i.e.: A single URL may be listed more than once), set this to true (1)
   var RESULT_PER_URL = new Boolean(1); // If you want to see results on a per URL basis (i.e.: all comments for a single URL will be grouped together), set this to true (1)
 
-  // lets set up some details we will need for alerts later if we find some comments
-  var alertRisk = 0;
-  var alertConfidence = 2;
-  var alertTitle = "Information Exposure Through HTML Comments (script)";
-  var alertDesc =
-    "While adding general comments is very useful, \
-some programmers tend to leave important data, such as: filenames related to the web application, old links \
-or links which were not meant to be browsed by users, old code fragments, etc.";
-  var alertSolution =
-    "Remove comments which have sensitive information about the design/implementation \
-of the application. Some of the comments may be exposed to the user and affect the security posture of the \
-application.";
-  var cweId = 615;
-  var wascId = 13;
-  var url = msg.getRequestHeader().getURI().toString();
-
   // this is a rough regular expression to find HTML comments
   // regex needs to be inside /( and )/g to work
   var re = /(\<![\s]*--[\-!@#$%^&*:;ºª.,"'(){}\w\s\/\\[\]]*--[\s]*\>)/g;
@@ -66,40 +76,22 @@ application.";
         if (RESULT_PER_FINDING == true) {
           counter = counter + 1;
           //fakeparam+counter gives us parameter differientiation per comment alert (RESULT_PER_FINDING)
-          ps.raiseAlert(
-            alertRisk,
-            alertConfidence,
-            alertTitle,
-            alertDesc,
-            url,
-            "fakeparam" + counter,
-            "",
-            comm[0],
-            alertSolution,
-            "",
-            cweId,
-            wascId,
-            msg
-          );
+          helper
+            .newAlert()
+            .setParam("fakeparam" + counter)
+            .setEvidence(comm[0])
+            .setMessage(msg)
+            .raise();
         }
         foundComments.push(comm[0]);
       }
       if (RESULT_PER_URL == true) {
-        ps.raiseAlert(
-          alertRisk,
-          alertConfidence,
-          alertTitle,
-          alertDesc,
-          url,
-          "",
-          "",
-          foundComments.toString(),
-          alertSolution,
-          "",
-          cweId,
-          wascId,
-          msg
-        );
+        helper
+          .newAlert()
+          .setEvidence(foundComments[0])
+          .setOtherInfo(`Other instances: ${foundComments.slice(1).toString()}`)
+          .setMessage(msg)
+          .raise();
       }
     }
   }