zaproxy · kurobeats · May 19, 2023 · Jun 11, 2023 · Jun 11, 2023 · Jun 11, 2023
diff --git a/passive/APIKeyDiscovery.js b/passive/APIKeyDiscovery.js
@@ -0,0 +1,176 @@
+// Lazily crafted by Anthony Cozamanis - [email protected]
+
+function scan(ps, msg, src)
+{
+    var url = msg.getRequestHeader().getURI().toString();
+    var body = msg.getResponseBody().toString()
+    var alertRisk = [0,1,2,3,4] //1=informational, 2=low, 3=medium, 4=high
+    var alertConfidence = [0,1,2,3,4] //0=fp,1=low,2=medium,3=high,4=confirmed
+    var alertTitle = ["Stripe API key Disclosed (script)",
+		  "Recon-ng web reconnaissance framework API key database Disclosed (script)",
+		  "Generic API Key Disclosed (script)",
+		  "Google Cloud API Key Disclosed (script)",
+		  "Picatic API key Disclosed (script)",
+		  "Twilio API Key Disclosed (script)",
+		  "SendGrid API Key Disclosed (script)",
+		  "MailGun API Key Disclosed (script)",
+		  "MailChimp API Key Disclosed (script)",
+		  "NuGet API Key Disclosed (script)",
+		  "SonarQube Docs API Key Disclosed (script)",
+		  "StackHawk API Key Disclosed (script)",
+		  ""]
+    var alertDesc = ["A Stripe API key was discovered.",
+		 "A Recon-ng web reconnaissance framework API key database was discovered.",
+		 "A Generic API Key was discovered.",
+		 "A Google Cloud API Key was discovered.",
+		 "A Picatic API key was discovered.",
+		 "A Twilio API Key was discovered.",
+		 "A SendGrid API Key was discovered.",
+		 "A MailGun API Key was discovered.",
+		 "A MailChimp API Key was discovered.",
+		 "A NuGet API Key was discovered.",
+		 "A SonarQube Docs API Key was discovered.",
+		 "A StackHawk API Key was discovered.",
+		""]
+    var alertSolution = ["Ensure API keys that are publically accessible are not sensitive in nature.",
+		    ""]
+    var cweId = [0,1]
+    var wascId = [0,1]
+
+    var stripe = /((?:r|p|s)k_(live|test)_[0-9a-zA-Z]{24})/g
+    var reconng = /(\.?recon-ng\/keys\.db)/g
+    var generic = /([a|A][p|P][i|I][_]?[k|K][e|E][y|Y].*['|\"][0-9a-zA-Z]{32,45}['|\"])/g
+    var googlecloud = /(AIza[0-9A-Za-z\-_]{35})/g
+    var picatic = /(sk_(live|test)_[0-9a-z]{32})/g
+    var twilio = /(SK[0-9a-fA-F]{32})/g
+    var sendgrid = /(SG\.[0-9A-Za-z\-_]{22}\.[0-9A-Za-z\-_]{43})/g
+    var mailgun = /(key-[0-9a-zA-Z]{32})/g
+    var mailchimp = /([0-9a-f]{32}-us[0-9]{12})/g
+	var nuget = /(oy2[a-z0-9]{43})/g
+	var sonarqube = /((\i)sonar.{0,50}(\"|'|`)?[0-9a-f]{40}(\"|'|`)?)/g
+	var stackhawk = /(hawk\.[0-9A-Za-z\-_]{20}\.[0-9A-Za-z\-_]{20})/g
+
+	if (stripe.test(body))
+	  {
+	    stripe.lastIndex = 0
+	    var foundstripe = []
+	    var comm
+            while (comm = stripe.exec(body))
+	      {
+               foundstripe.push(comm[0]);
+	      }
+	    ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[0], alertDesc[0], url, '', '', foundstripe.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+
+	if (reconng.test(body))
+	  {
+	    reconng.lastIndex = 0
+	    var foundreconng = []
+            while (comm = reconng.exec(body))
+	      {
+               foundreconng.push(comm[0]);
+	      }
+	    ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[1], alertDesc[1], url, '', '', foundreconng.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+	if (generic.test(body))
+	  {
+	    generic.lastIndex = 0
+	    var foundgeneric = []
+            while (comm = generic.exec(body))
+	      {
+               foundgeneric.push(comm[0]);
+	      }
+            ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[2], alertDesc[2], url, '', '', foundgeneric.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+	if (googlecloud.test(body))
+	  {
+	    googlecloud.lastIndex = 0
+	    var foundgooglecloud = []
+            while (comm = googlecloud.exec(body))
+	      {
+               foundgooglecloud.push(comm[0]);
+	      }
+            ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[3], alertDesc[3], url, '', '', foundgooglecloud.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+
+	if (picatic.test(body))
+	  {
+	    picatic.lastIndex = 0
+	    var foundpicatic = []
+            while (comm = picatic.exec(body))
+	      {
+               foundpicatic.push(comm[0]);
+	      }
+            ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[4], alertDesc[4], url, '', '', foundpicatic.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+	if (twilio.test(body))
+	  {
+	    twilio.lastIndex = 0
+	    var foundtwilio = []
+            while (comm = twilio.exec(body))
+	      {
+               foundtwilio.push(comm[0]);
+	      }
+            ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[5], alertDesc[5], url, '', '', foundtwilio.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+	if (sendgrid.test(body))
+	  {
+	    sendgrid.lastIndex = 0
+	    var foundsendgrid = []
+            while (comm = sendgrid.exec(body))
+	      {
+               foundsendgrid.push(comm[0]);
+	      }
+            ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[6], alertDesc[6], url, '', '', foundsendgrid.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+	if (mailgun.test(body))
+	  {
+	    mailgun.lastIndex = 0
+	    var foundmailgun = []
+            while (comm = mailgun.exec(body))
+	      {
+               foundmailgun.push(comm[0]);
+	      }
+            ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[7], alertDesc[7], url, '', '', foundmailgun.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+	if (mailchimp.test(body))
+	  {
+	    mailchimp.lastIndex = 0
+	    var foundmailchimp = []
+            while (comm = mailchimp.exec(body))
+	      {
+               foundmailchimp.push(comm[0]);
+	      }
+	    ps.raiseAlert(alertRisk[3], alertConfidence[1], alertTitle[8], alertDesc[8], url, '', '', foundmailchimp.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+	if (nuget.test(body))
+	  {
+	    nuget.lastIndex = 0
+	    var foundnuget = []
+            while (comm = nuget.exec(body))
+	      {
+               foundnuget.push(comm[0]);
+	      }
+            ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[9], alertDesc[9], url, '', '', foundnuget.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+	if (sonarqube.test(body))
+	  {
+	    sonarqube.lastIndex = 0
+	    var foundsonarqube = []
+            while (comm = sonarqube.exec(body))
+	      {
+               foundsonarqube.push(comm[0]);
+	      }
+            ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[10], alertDesc[10], url, '', '', foundsonarqube.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+	if (stackhawk.test(body))
+	  {
+	    stackhawk.lastIndex = 0
+	    var foundstackhawk = []
+            while (comm = stackhawk.exec(body))
+	      {
+               foundstackhawk.push(comm[0]);
+	      }
+            ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[11], alertDesc[11], url, '', '', foundstackhawk.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+}
diff --git a/passive/ASCIIHexEncodedStringDiscovery.js b/passive/ASCIIHexEncodedStringDiscovery.js
@@ -0,0 +1,44 @@
+// This community script will analyze the response for ASCII Hex encoded strings
+
+function scan(ps, msg, src) {
+    var RESULT_PER_FINDING = new Boolean(0) // If you want to see results on a per comment basis (i.e.: A single URL may be listed more than once), set this to true (1)
+    var RESULT_PER_URL = new Boolean(1) // If you want to see results on a per URL basis (i.e.: all comments for a single URL will be grouped together), set this to true (1)
+
+
+    var alertRisk = 0
+    var alertConfidence = 1
+    var alertTitle = 'ASCII Hex-encoded string found (script)'
+    var alertDesc = "A ASCII Hex-encoded string has been found in the HTTP response body. ASCII Hex-encoded data may contain sensitive information which should be further inspected."
+    var alertSolution = 'ASCII Hex-encoding is used for all sorts of things. It is worth investigating and decoding.'
+    var cweId = 0
+    var wascId = 0
+    var url = msg.getRequestHeader().getURI().toString();
+    var re = /(^(?:[0-9A-Fa-f]{2})*$)/g
+
+    var contenttype = msg.getResponseHeader().getHeader("Content-Type")
+    var unwantedfiletypes = ['image/png', 'image/jpeg','image/gif','application/x-shockwave-flash']
+
+	if (unwantedfiletypes.indexOf(""+contenttype) >= 0) {
+		// skip scan if unwanted filetypes are found
+    		return
+	}else{
+        var body = msg.getResponseBody().toString()
+        if (re.test(body)) {
+            re.lastIndex = 0
+            var foundstrings = []
+            var counter=0
+            var comm
+            while (comm = re.exec(body)) {
+                if (RESULT_PER_FINDING == true) {
+                    counter = counter+1;
+                    ps.raiseAlert(alertRisk, alertConfidence, alertTitle, alertDesc, url, 'fakeparam'+counter, '', comm[0], alertSolution,'' , cweId, wascId, msg);
+                }
+                foundstrings.push(comm[0]);
+            }
+            if (RESULT_PER_URL == true) 
+            {
+                ps.raiseAlert(alertRisk, alertConfidence, alertTitle, alertDesc, url, '', '', foundstrings.toString(), alertSolution,'' , cweId, wascId, msg);
+            }
+        }
+    }
+}
diff --git a/passive/AWSRelatedDiscovery.js b/passive/AWSRelatedDiscovery.js
@@ -0,0 +1,124 @@
+// Lazily crafted by Anthony Cozamanis - [email protected]
+
+function scan(ps, msg, src)
+{
+    var url = msg.getRequestHeader().getURI().toString();
+    var body = msg.getResponseBody().toString()
+    var alertRisk = [0,1,2,3,4] //1=informational, 2=low, 3=medium, 4=high
+    var alertConfidence = [0,1,2,3,4] //0=fp,1=low,2=medium,3=high,4=confirmed
+    var alertTitle = ["AWS CLI credentials file Disclosed (script)",
+		  "AWS Access Key ID Value Disclosed (script)",
+		  "AWS ARN Disclosed (script)",
+		  "AWS Secret Access Key Disclosed (script)",
+		  "AWS Session Token Disclosed (script)",
+		  "AWS credential file Disclosed (script)",
+		  "Amazon MWS Auth Token Disclosed (script)",
+		  "S3cmd configuration file Disclosed (script)",
+		  ""]
+    var alertDesc = ["An AWS CLI credentials file was discovered.",
+		 "An AWS Access Key ID Value was discovered.",
+		 "An AWS ARN was discovered.",
+		 "An AWS Secret Access Key was discovered.",
+		 "An AWS Session Token was discovered.",
+		 "An AWS credential file was discovered.",
+		 "An Amazon MWS Auth Token was discovered.",
+		 "An S3cmd configuration file was discovered.",
+		""]
+    var alertSolution = ["Ensure API keys, Tokens and configuration files that are publically accessible are not sensitive in nature.",
+		    ""]
+    var cweId = [0,1]
+    var wascId = [0,1]
+
+	var awsclicreds = /\.?aws\/credentials/g;
+	var awsaccesskeyid = /((A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}|[A-Z0-9]{20})/g;
+	var awsarn = /arn:aws:organizations::\d{12}:account\/o-[a-z0-9]{10,32}\/\d{12}/g;
+	var awssecretskey = /(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])/g;
+	var awssessiontoken = /(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{16,}(?<![A-Za-z0-9/+=])/g;
+	var awscredfile = /(?i)(aws_access_key_id|aws_secret_access_key)(.{0,20})?=.[0-9a-zA-Z\/+]{20,40}/g;
+	var amazonmws = /amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/g;
+	var s3cmdconfig = /\.?s3cfg/g;
+
+	if (awsclicreds.test(body))
+	  {
+	    awsclicreds.lastIndex = 0
+	    var foundawsclicreds = []
+	    var comm
+            while (comm = awsclicreds.exec(body))
+	      {
+               foundawsclicreds.push(comm[0]);
+	      }
+	    ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[0], alertDesc[0], url, '', '', foundawsclicreds.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+
+	if (awsaccesskeyid.test(body))
+	  {
+	    awsaccesskeyid.lastIndex = 0
+	    var foundawsaccesskeyid = []
+            while (comm = awsaccesskeyid.exec(body))
+	      {
+               foundawsaccesskeyid.push(comm[0]);
+	      }
+	    ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[1], alertDesc[1], url, '', '', foundawsaccesskeyid.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+	if (awsarn.test(body))
+	  {
+	    awsarn.lastIndex = 0
+	    var foundawsarn = []
+            while (comm = awsarn.exec(body))
+	      {
+               foundawsarn.push(comm[0]);
+	      }
+            ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[2], alertDesc[2], url, '', '', foundawsarn.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+	if (awssecretskey.test(body))
+	  {
+	    awssecretskey.lastIndex = 0
+	    var foundawssecretskey = []
+            while (comm = awssecretskey.exec(body))
+	      {
+               foundawssecretskey.push(comm[0]);
+	      }
+            ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[3], alertDesc[3], url, '', '', foundawssecretskey.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+
+	if (awssessiontoken.test(body))
+	  {
+	    awssessiontoken.lastIndex = 0
+	    var foundawssessiontoken = []
+            while (comm = awssessiontoken.exec(body))
+	      {
+               foundawssessiontoken.push(comm[0]);
+	      }
+            ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[4], alertDesc[4], url, '', '', foundawssessiontoken.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+	if (awscredfile.test(body))
+	  {
+	    awscredfile.lastIndex = 0
+	    var foundawscredfile = []
+            while (comm = awscredfile.exec(body))
+	      {
+               foundawscredfile.push(comm[0]);
+	      }
+            ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[5], alertDesc[5], url, '', '', foundawscredfile.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+	if (amazonmws.test(body))
+	  {
+	    amazonmws.lastIndex = 0
+	    var foundamazonmws = []
+            while (comm = amazonmws.exec(body))
+	      {
+               foundamazonmws.push(comm[0]);
+	      }
+            ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[6], alertDesc[6], url, '', '', foundamazonmws.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+	if (s3cmdconfig.test(body))
+	  {
+	    s3cmdconfig.lastIndex = 0
+	    var founds3cmdconfig = []
+            while (comm = s3cmdconfig.exec(body))
+	      {
+               founds3cmdconfig.push(comm[0]);
+	      }
+            ps.raiseAlert(alertRisk[3], alertConfidence[2], alertTitle[7], alertDesc[7], url, '', '', founds3cmdconfig.toString(), alertSolution[0], '', cweId[0], wascId[0], msg);
+	  }
+}