-
Notifications
You must be signed in to change notification settings - Fork 118
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #236 from LabMC/main
Create Use-of-Password-Grant-Type.bcheck
- Loading branch information
Showing
8 changed files
with
262 additions
and
1 deletion.
There are no files selected for viewing
128 changes: 128 additions & 0 deletions
128
other/HTTP Methods/Insecure HTTP Methods Allowed (Passive).bcheck
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,128 @@ | ||
| metadata: | ||
| language: v2-beta | ||
| name: "Insecure HTTP Methods Allowed [Passive]" | ||
| description: "This BCheck detects for usage of dangerous, cautionary, & arbitrary HTTP methods beyond 'GET' & 'POST'." | ||
| author: "Kyle Gilligan" | ||
| tags: "passive", "http methods", "http verbs" | ||
|
|
||
| define: | ||
| # Issue Detail: | ||
| ## A. Introduction Issue Detail: | ||
| id_A_01 = `- This application was discovered to permit usage of HTTP methods beyond the recommended 'GET' & 'POST' verbs.` | ||
| ## B. Dangerous Issue Detail: | ||
| id_B_01 = `\n >> The 'CONNECT', 'TRACE', & 'TRACK' HTTP methods remain considered as dangerous HTTP verbs due to easily` | ||
| id_B_02 = ` permitting 'Authentication Bypass' & 'Sensitive Information Disclosure' exploits.` | ||
| ### B.1. CONNECT Dangerous Issue Detail: | ||
| id_B1_01 = `\n >>>> The 'CONNECT' HTTP method permits client users to establish direct TCP tunnels into a target web server,` | ||
| id_B1_02 = ` which helps permit threat actors to bypass servers' network firewalls, proxy filters, & monitoring systems.` | ||
| ### B.2. TRACE Dangerous Issue Detail: | ||
| id_B2_01 = `\n >>>> The 'TRACE' HTTP method has its HTTP responses reflect content from the source HTTP request, which - if triggered` | ||
| id_B2_02 = ` a victim user triggers a 'XSS Injection' on a webpage with sensitive information, that 'XSS Injection' may activate a script` | ||
| id_B2_03 = ` which sends an HTTP request containing the sensitive data within this HTTP response back to the attacker's web server.` | ||
| ### B.3. TRACK Dangerous Issue Detail: | ||
| id_B3_01 = `\n >>>> The 'TRACK' HTTP method acts similarly to the 'TRACE' verb for IIS servers; it is disabled for IIS Version 6 & newer.` | ||
| ## C. Cautionary Issue Detail: | ||
| id_C_01 = `\n >> The 'DELETE' & 'PUT' HTTP methods remain considered as situationally-insecure HTTP verbs due to being remaining relevant` | ||
| id_C_02 = ` for certain business logic functionalities while also being tied to potential functionality abuse & web server vulnerabilities.` | ||
| ### C.1. DELETE Dangerous Issue Detail: | ||
| id_C1_01 = `\n >>>> The 'DELETE' HTTP method permits resources to be removed from a web server from the client-side HTTP request,` | ||
| id_C1_02 = ` which becomes dangerous if security controls do not limit what resources can be deleted nor why appears allowed to delete them.` | ||
| ### C.2. PUT Dangerous Issue Detail: | ||
| id_C2_01 = `\n >>>> The 'PUT' HTTP method updates an existing resource by replacing its entire entity with the data sent in the` | ||
| id_C2_02 = ` request, which the "POST" HTTP method can already perform without being tied to resource creation.` | ||
| ## D. Arbitrary Issue Detail: | ||
| id_D_01 = `\n >> The 'HEAD', 'PATCH', & 'OPTIONS' HTTP methods remain considered as arbitrary HTTP verbs due to providing unnecessary` | ||
| id_D_02 = ` metadata or limitedly-overlaping with other HTTP verbs.` | ||
| ### D.1. HEAD Dangerous Issue Detail: | ||
| id_D1_01 = `\n >>>> The 'HEAD' HTTP method simply retrieves an HTTP response's headers without this the body text, which is made` | ||
| id_D1_02 = ` arbitrary by the 'GET' HTTP method.` | ||
| ### D.2. OPTIONS Dangerous Issue Detail: | ||
| id_D2_01 = `\n >>>> The 'OPTIONS' HTTP method returns a list of HTTP methods available for web server or its target web server,` | ||
| id_D2_02 = ` commonly used in CORS preflight checks.` | ||
| ### D.3. PATCH Dangerous Issue Detail: | ||
| id_D3_01 = `\n >>>> The 'PATCH' HTTP method updates partial resources, which the POST HTTP method makes arbitrary by allowing both` | ||
| id_D3_02 = ` creation & modification of resources, potentially overlapping with PATCH's functionality.` | ||
| issueDetail_FULL_HIGH = `{id_A_01}{id_B_01}{id_B_02}{id_B1_01}{id_B1_02}{id_B2_01}{id_B2_02}{id_B2_03}{id_B3_01}` | ||
| issueDetail_FULL_LOW = `{id_A_01}{id_C_01}{id_C_02}{id_C1_01}{id_C1_02}{id_C2_01}{id_C2_02}` | ||
| issueDetail_FULL_INFO = `{id_A_01}{id_D_01}{id_D_02}{id_D1_01}{id_D1_02}{id_D2_01}{id_D2_02}{id_D3_01}{id_D3_02}` | ||
|
|
||
| # Issue Remediation: | ||
| ir_01 = `- Developers must consider what HTTP methods they permit onto a web application, evaluate why these verbs appear allowed, decide if` | ||
| ir_02 = ` these keywords can cause future harm, & conclude whether or not it would be possible to remove/replace them altogether.` | ||
| ir_03 = `\n >> HTTP methods considered dangerous ('CONNECT' & 'TRACE/TRACE') should be removed immediately without exception.` | ||
| ir_04 = `\n >> HTTP methods considered cautionary ('DELETE' & 'PUT') should be evaluated regarding potential risk/consequence in retention` | ||
| ir_05 = ` & efforts to replace if-warrented.` | ||
| ir_06 = `\n >> HTTP methods considered cautionary ('HEAD', 'OPTIONS', & 'PATCH') should additionally be evaluated regarding upkeep in webpage.` | ||
| ir_07 = ` interaction consistency & whether these verbs pose any actual use-cases within applications' business logic functionalities.` | ||
| ir_08 = `\n- Regardless of any case, if any particular HTTP method is not actively being deployed by a web application, it may remain.` | ||
| ir_09 = ` recommended to simply disallow its usage out of caution.` | ||
| issueRemediation_FULL_HIGH = `{ir_01}{ir_02}{ir_03}{ir_08}{ir_09}` | ||
| issueRemediation_FULL_LOW = `{ir_01}{ir_02}{ir_04}{ir_05}{ir_08}{ir_09}` | ||
| issueRemediation_FULL_INFO = `{ir_01}{ir_02}{ir_06}{ir_07}{ir_08}{ir_09}` | ||
|
|
||
| given response then | ||
| # Nesting several if statements becomes necessary to quickly reduce checks for FPs. | ||
|
|
||
| # This check looks for non-erroneous HTTP requests which use HTTP methods beyond 'GET' & 'POST'. | ||
| if not ({base.request.method} matches "(GET|POST)") and not ({base.response.status_code} matches "([45]\d{2}\s.*$)") then | ||
|
|
||
| # This check specifies a 'High' criticality should be generated for this finding. | ||
| if ({base.request.method} matches "(CONNECT|TRACE|TRACK)") then | ||
| report issue and continue: | ||
| severity: high | ||
| confidence: certain | ||
| detail: `{issueDetail_FULL_HIGH}` | ||
| remediation: `{issueRemediation_FULL_HIGH}` | ||
| end if | ||
|
|
||
| # This check specifies a 'Low' criticality should be generated for this finding. | ||
| if ({base.request.method} matches "(DELETE|PUT)") then | ||
| report issue and continue: | ||
| severity: low | ||
| confidence: certain | ||
| detail: `{issueDetail_FULL_LOW}` | ||
| remediation: `{issueRemediation_FULL_LOW}` | ||
| end if | ||
|
|
||
| # This check specifies an 'Info' criticality should be generated for this finding. | ||
| if ({base.request.method} matches "(HEAD|OPTIONS|PATCH)") then | ||
| report issue and continue: | ||
| severity: info | ||
| confidence: certain | ||
| detail: `{issueDetail_FULL_INFO}` | ||
| remediation: `{issueRemediation_FULL_INFO}` | ||
| end if | ||
|
|
||
| end if | ||
|
|
||
| # This check searches for HTTP responses which possess the 'Access-Control-Allow-Methods" HTTP response header. | ||
| if ({base.response.headers} matches "(Access-Control-Allow-Methods:)") then | ||
|
|
||
| # This check specifies a 'High' criticality should be generated for this finding. | ||
| if ({base.response.headers} matches "((?i)Access-Control-Allow-Methods:.*(CONNECT|TRACE|TRACK).*)") then | ||
| report issue and continue: | ||
| severity: high | ||
| confidence: certain | ||
| detail: `{issueDetail_FULL_HIGH}` | ||
| remediation: `{issueRemediation_FULL_HIGH}` | ||
| end if | ||
|
|
||
| # This check specifies a 'Low' criticality should be generated for this finding. | ||
| if ({base.response.headers} matches "((?i)Access-Control-Allow-Methods:.*(DELETE|PUT).*)") then | ||
| report issue and continue: | ||
| severity: low | ||
| confidence: certain | ||
| detail: `{issueDetail_FULL_LOW}` | ||
| remediation: `{issueRemediation_FULL_LOW}` | ||
| end if | ||
|
|
||
| # This check specifies an 'Info' criticality should be generated for this finding. | ||
| if ({base.response.headers} matches "((?i)Access-Control-Allow-Methods:.*(HEAD|OPTIONS|PATCH).*)") then | ||
| report issue and continue: | ||
| severity: info | ||
| confidence: certain | ||
| detail: `{issueDetail_FULL_INFO}` | ||
| remediation: `{issueRemediation_FULL_INFO}` | ||
| end if | ||
|
|
||
| end if |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| metadata: | ||
| language: v2-beta | ||
| name: "Password in JavaScript Logger" | ||
| author: "Kyle Gilligan" | ||
| description: "This test searches for indicators of 'password' variables within known JS logger methods." | ||
| tags: "passive", "javascript", "logger", "password" | ||
|
|
||
| # `Indicators of JS Logger Method` Keywords: `.log(`, `.info(`, `.warn(`, `.error(`, `.debug(`, `.table(`, `.group(`, `.trace(`, `.push(`, `.captureMessage(`. | ||
| # `Indicators of Password` Keywords #1: `password`, `pw`, `pass`, `passwrd`, `passwd`, `pswrd`, `pswd`, `psword`, `pword`, `client_secret`. | ||
| # `Indicators of Password` Keywords #2: `client-secret`, `clientsecret`, `secret`, `api_key`, `api-key`, `apikey`. | ||
|
|
||
| define: | ||
| # Issue Detail: | ||
| id_01 = `- This test checks whether a file contains both an indicator of a logger functionality being used & an indicator of a 'password/secret' on the same code line.` | ||
| id_02 = `\n- For context, 'password/secrets' values should never be displayed in plaintext by a logger functionality due to the potential risk of leakage by numerous factors.` | ||
| id_03 = `\n >> Secrets in this context refers to "Account Passwords", "API Keys", & APIs' "client_secret" variable.` | ||
| id_04 = `\n- Console loggers should never have valid reason to display users' passwords in any context.` | ||
| issueDetail_FULL = `{id_01}{id_02}{id_03}{id_04}` | ||
|
|
||
| # Issue Remediation: | ||
| ir_01 = `- If a 'password' value appears presented to consoles or runtime terminals via a logger, that variable should be immediately removed from capture.` | ||
| ir_02 = `\n- Consoles which must capture client information should only be restricted to information which does not risk account compromise.` | ||
| ir_03 = `\n >> For Example: Client IDs, timestamps.` | ||
| issueRemediation_FULL = `{ir_01}{ir_02}{ir_03}` | ||
|
|
||
| given response then | ||
|
|
||
| # This check ensures that only notable 200s HTTP responses appear present in the HTTP response & unacceptable MIME types get ignored. | ||
| if not ({latest.response.status_code} matches "([45]\d{2}.*$)") and ({latest.response.headers} matches "(Content-Type:\s+text/(html|javascript))") then | ||
|
|
||
| # This check looks through HTTP responses' bodies for keywords that indicate usage of both JS loggers & password variables on a shared code line. | ||
| if {latest.response.body} matches "(?i)^(?=.*\b(?:log|info|warn|error|debug|table|group|trace|push|captureMessage)\s*\()(?=.*[^\w]*?(?:pass[-_ ]?word|pw|pass|passwrd|passwd|pswrd|pswd|psword|pword|client[-_ ]?secret|secret|api[-_ ]?key)[^\w]*?).*" then | ||
| report issue: | ||
| severity: high | ||
| confidence: firm | ||
| detail: `{issueDetail_FULL}` | ||
| remediation: `{issueRemediation_FULL}` | ||
|
|
||
| end if | ||
| end if |
File renamed without changes.
File renamed without changes.
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| metadata: | ||
| language: v2-beta | ||
| name: "Use of Password Grant Type" | ||
| author: "Kyle Gilligan" | ||
| description: "This test looks for indicators of OAuth's unsafe `Password` Grant Type." | ||
| tags: "passive", "oauth", "http", "password" | ||
|
|
||
| define: | ||
| # Issue Detail: | ||
| id_01 = `- This web application appears configured to use the "Password" grant type for authenticating OAuth 2.0 HTTP requests.` | ||
| id_02 = `\n- Use of the "Password" grant type in an "OAuth 2.0" HTTP authentication scheme involves directly sending user credentials towards an intended authentication server in plaintext.` | ||
| id_03 = `\n- Because the "Password" grant type requires clients to send credentials over an HTTP request in plaintext, best practice deems this methodology as insecure.` | ||
| id_04 = `\n- Strong security guidelines therefore highly-recommend developers replace the "Password" code grant out with a safer alternative.` | ||
| id_05 = `\n >> Examples include: 'Authorization', 'Authorization w/ PKCE', & 'Client Credentials'.` | ||
| issueDetail_FULL = `{id_01}{id_02}{id_03}{id_04}{id_05}` | ||
|
|
||
| # Issue Remediation: | ||
| ir_01 = `- Plaintext disclosure in an HTTP request should only be disclosed under acceptable contexts, such as during "Login" or "Sign-Up" web processes.` | ||
| ir_02 = `\n- Usage of nontoken credentials in HTTP requests must be avoided whenever possible to deter potential breach attacks (MITM) from stealing passwords or hijacking sessions.` | ||
| ir_03 = `\n >> Authorization Code Grant ('grant_type=authorization_code'): Used for External S2S & Internal S2S.` | ||
| ir_04 = `\n >> Client Credentials Code Grant ('grant_type=client_credentials'): Used for Internal S2S.` | ||
| ir_05 = `\n >> Device Code Grant ('grant_type=device_code'): Used for Browserless S2S (IOT devices).` | ||
| issueRemediation_FULL = `{ir_01}{ir_02}{ir_03}{ir_04}{ir_05}` | ||
|
|
||
| given request then | ||
| # This check looks for HTTP requests which have the `Content-Type` HTTP request header equal `application/x-www-form-urlencoded`. | ||
| if ({base.request.headers} matches "Content-Type:\s*application/x-www-form-urlencoded") then | ||
|
|
||
| # This check looks for "POST" HTTP requests which possess the `grant_type=password` variable as a body query parameter. | ||
| if ({base.request.method} matches "POST") and ({base.request.body} matches "(?i)grant_type\s*=\s*password") then | ||
| report issue: | ||
| severity: medium | ||
| confidence: certain | ||
| detail: `{issueDetail_FULL}` | ||
| remediation: `{issueRemediation_FULL}` | ||
|
|
||
| # This check looks for "GET" HTTP requests which possess the `grant_type=password` variable as a URL query parameter. | ||
| else if ({base.request.method} matches "GET") and ({base.request.url.query} matches "(?i)grant_type\s*=\s*password") then | ||
| report issue: | ||
| severity: high | ||
| confidence: certain | ||
| detail: `{issueDetail_FULL}` | ||
| remediation: `{issueRemediation_FULL}` | ||
|
|
||
| end if | ||
| end if |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| metadata: | ||
| language: v2-beta | ||
| name: "Use of Basic Auth Scheme" | ||
| author: "Kyle Gilligan" | ||
| description: "This test looks for indicators of 'Authorization: Basic' within unencrypted webpages." | ||
| tags: "passive", "basic", "http", "authorization" | ||
|
|
||
| # `Indicators of `Basic Auth`-Acceptable Webpages` Keywords #1: `login`, `log-in`, `log_in`, `signin`, `sign-in`, `sign_in`, `signup`, `sign-up`, `sign_up`. | ||
| # `Indicators of `Basic Auth`-Acceptable Webpages` Keywords: `registration`, `register`, `access`, `auth`, `cdsso`, `forgot`, `reset`. | ||
|
|
||
| define: | ||
| # Issue Detail: | ||
| id_01 = `- This web application appears configured to use the "Basic" HTTP authentication scheme for authenticating HTTP requests.` | ||
| id_02 = `\n- Use of the "Basic" authentication scheme involves directly sending user credentials over an HTTP request in plaintext.` | ||
| id_03 = `\n- Because the "Basic" scheme type requires clients to send credentials over an HTTP request in plaintext, it becomes highly-suggested to avoid its use whenever possible.` | ||
| id_04 = `\n- Utilization of the "Basic" HTTP Authorization scheme (if necessary) should only be restricted for when users must directly send credentials to servers (such as "Login" or "Sign-Up" webpages).` | ||
| id_05 = `\n- Deployment of the "Authorization: Basic" HTTP request header must otherwise require Internet Protocols which enforce SSL/TLS encryption to be used.` | ||
| id_06 = `\n >> Alternatives to the "Basic" HTTP Authorization scheme include: Bearer via OAuth-Generated Tokens.` | ||
| issueDetail_FULL = `{id_01}{id_02}{id_03}{id_04}{id_05}{id_06}` | ||
|
|
||
| # Issue Remediation: | ||
| ir_01 = `- Plaintext disclosure of credentials in an HTTP request should only be acceptable during "Login", "Sign-Up", or "Password Reset" web processes.` | ||
| ir_02 = `\n- Usage of credentials must otherwise be avoided whenever possible to avoid potential breach attacks (via MITM) from arising.` | ||
| ir_03 = `\n- Rather, best practice suggests recommends involving processes which allow the web server to first perform internal encryption & gain approval with the intended server using this ciphertext.` | ||
| ir_04 = `\n >> Bearer Authentication Scheme: Used for sending credentials over customized token methodology (often via the OAuth 2.0 & OpenID Connect frameworks).` | ||
| issueRemediation_FULL = `{ir_01}{ir_02}{ir_03}{ir_04}` | ||
|
|
||
| given response then | ||
| # Nesting several if statements becomes necessary to quickly reduce checks for FPs. | ||
|
|
||
| # This check ignores HTTP requests which contain ports that secure Internet Protocols enforce TLS/SSL encryption through. | ||
| if not ({base.request.url.port} matches "(443|832|5986|8243|8403|8448)") then | ||
|
|
||
| # This check ignores HTTP requests with URLs which possess indicators of `login/sign-up/password-reset` functionalities. | ||
| if not ({base.request.url.file} matches "(?i)(log[-_]?in|sign[-_]?in|sign[-_]?up|registration|register|access|auth|cdsso|forgot|reset)") then | ||
|
|
||
| # This check detects for deployment of the `Authorization` HTTP request header using the `Basic` attribute. | ||
| if ({base.request.headers} matches "(?i)(Authorization:\s*Basic)") then | ||
| report issue: | ||
| severity: low | ||
| confidence: firm | ||
| detail: `{issueDetail_FULL}` | ||
| remediation: `{issueRemediation_FULL}` | ||
|
|
||
| end if | ||
| end if | ||
| end if |