Merge pull request #220 from LabMC/main

Added client_secret.bcheck
PortSwigger · Jul 26, 2024 · fb15207 · fb15207
2 parents 38da052 + 73a2319
commit fb15207
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 2 deletions.
diff --git a/archived/Content-Security-Policy.bcheck b/archived/Content-Security-Policy.bcheck
@@ -83,8 +83,8 @@ define:
 
 given response then
     # Ensures static file types irrelevant to the Content-Security-Policy header do not get checked.
-    if not({latest.response.url.file} matches "(\.apk|\.bmp|\.cgi|\.css|\.csv|\.db|\.dmg|\.do|\.doc|\.ico|
-\.ipa|\.env|\.eot|\.exe|\.gif|\.gz|\.jpg|\.jpeg|\.js|\.json|\.mp3|\.mp4|\.otf|\.pdf|\.png|\.ppt|\.rar|
+    if not({latest.response.url.file} matches "(\.apk|\.bmp|\.cgi|\.csv|\.db|\.dmg|\.do|\.doc|\.ico|
+\.ipa|\.env|\.eot|\.exe|\.gif|\.gz|\.jpg|\.jpeg|\.json|\.mp3|\.mp4|\.otf|\.pdf|\.png|\.ppt|\.rar|
 \.sqlite|\.svg|\.tar|\.tsv|\.ttf|\.txt|\.wav|\.webm|\.webp|\.woff|\.xls|\.xml|\.zip)") then
 
         # Ensures a Content-Security-Policy header appears in the target HTTP response.

diff --git a/other/APIs/client_secret.bcheck b/other/APIs/client_secret.bcheck
@@ -0,0 +1,50 @@
+metadata:
+    language: v2-beta
+    name: "Use of Known API Variable"
+    description: "This BCheck looks for known API variables (client_secret, client_id, refresh_token, & APIKey)."
+    author: "Kyle Gilligan"
+    tags: "passive", "API", "client_secret", "client_id", "ApiKey"
+
+define:
+    # Issue details (for discovery of insecure API variables) as individual string texts.
+    issueDetail1 = `A known sensitive API parameter has been discovered within a front-end file of this web application.`
+    iD_clientSecret1 = `\n    • client_secret: This OAuth variable is used to authenticate applications towards`
+    iD_clientSecret2 = `an intended authorization server. Essentially the 'password' of API authorization.`
+    iD_clientSecret3 = `If a user finds both an API's client_id & client_secret, they may be able to access an`
+    iD_clientSecret4 = `endpoint's resources by impersonating the application.`
+    iD_clientSecretFULL = `{iD_clientSecret1} {iD_clientSecret2} {iD_clientSecret3} {iD_clientSecret4}`
+    iD_refreshToken = `\n    • refresh_token: Secret variables used by an application to request new access tokens for an API.`
+    iD_apiKey1 = `\n    • api_key: An API Key acts as a secret identifier token used to provide identification`
+    iD_apiKey2 = `for an application when using a target API.`
+    iD_apiKeyFULL = `{iD_apiKey1} {iD_apiKey2}`
+    issueRemediation1 = `Unless impossible to remove based on application requirements, these API parameters should never list their values within front-end files.`
+    # Issue details (for discovery of known non-sensitive API variables) as individual string texts.
+    issueDetail2FULL = `A known API parameter has been discovered within a front-end file of this web application.`
+    iD_clientId1 = `\n    • client_id: This OAuth variable is used to authenticate applications towards an`
+    iD_clientId2 = `intended authorization server. Essentially the 'username' of API authorization. If a user`
+    iD_clientId3 = `finds both an API's client_id & client_secret, they may be able to access an endpoint's`
+    iD_clientId4 = `resources by impersonating the application.`
+    iD_clientIdFULL = `{iD_clientId1} {iD_clientId2} {iD_clientId3} {iD_clientId4}`
+    issueRemediation2 = `Unless impossible to remove based on application requirements, it becomes recommended for this API parameter's value to not be listed in a front-end file.`
+
+given response then
+
+    # This check ensures that only notable 200s HTTP responses appear present in the HTTP response.
+    if ({latest.response.status_code} matches "(200|204|206)") and not({latest.response.headers} matches "(Content-Type: image/)") then
+
+        if ({latest.response} matches "(?i)(client[-_]?secret|api[-_]?key|refresh[-_]?token)(:| :|=| =)") then
+            report issue:
+                severity: medium
+                confidence: firm
+                detail: `{issueDetail1}{iD_clientSecretFULL}{iD_apiKeyFULL}{iD_refreshToken}`
+                remediation: `{issueRemediation1}`
+
+        else if ({latest.response} matches "(?i)client[-_]?id(:| :|=| =)") then
+            report issue:
+                severity: info
+                confidence: firm
+                detail: `{issueDetail2FULL}{iD_clientIdFULL}`
+                remediation: `{issueRemediation2}`
+
+        end if
+    end if