-
Notifications
You must be signed in to change notification settings - Fork 117
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create Use-of-Password-Grant-Type.bcheck
- `Use-of-Password-Grant-Type` file is used to detect for the `password` grant_type in OAuth.
- Loading branch information
Showing
1 changed file
with
46 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| metadata: | ||
| language: v2-beta | ||
| name: "Use of Password Grant Type" | ||
| author: "Kyle Gilligan" | ||
| description: "This test looks for indicators of OAuth's unsafe `Password` Grant Type." | ||
| tags: "passive", "oauth", "http", "password" | ||
|
|
||
| define: | ||
| # Issue Detail: | ||
| id_01 = `- This web application appears configured to use the "Password" grant type for authenticating OAuth 2.0 HTTP requests.` | ||
| id_02 = `\n- Use of the "Password" grant type in an "OAuth 2.0" HTTP authentication scheme involves directly sending user credentials towards an intended authentication server in plaintext.` | ||
| id_03 = `\n- Because the "Password" grant type requires clients to send credentials over an HTTP request in plaintext, best practice deems this methodology as insecure.` | ||
| id_04 = `\n- Strong security guidelines therefore highly-recommend developers replace the "Password" code grant out with a safer alternative.` | ||
| id_05 = `\n >> Examples include: 'Authorization', 'Authorization w/ PKCE', & 'Client Credentials'.` | ||
| issueDetail_FULL = `{id_01}{id_02}{id_03}{id_04}{id_05}` | ||
|
|
||
| # Issue Remediation: | ||
| ir_01 = `- Plaintext disclosure in an HTTP request should only be disclosed under acceptable contexts, such as during "Login" or "Sign-Up" web processes.` | ||
| ir_02 = `\n- Usage of nontoken credentials in HTTP requests must be avoided whenever possible to deter potential breach attacks (MITM) from stealing passwords or hijacking sessions.` | ||
| ir_03 = `\n >> Authorization Code Grant ('grant_type=authorization_code'): Used for External S2S & Internal S2S.` | ||
| ir_04 = `\n >> Client Credentials Code Grant ('grant_type=client_credentials'): Used for Internal S2S.` | ||
| ir_05 = `\n >> Device Code Grant ('grant_type=device_code'): Used for Browserless S2S (IOT devices).` | ||
| issueRemediation_FULL = `{ir_01}{ir_02}{ir_03}{ir_04}{ir_05}` | ||
|
|
||
| given request then | ||
| # This check looks for HTTP requests which have the `Content-Type` HTTP request header equal `application/x-www-form-urlencoded`. | ||
| if ({base.request.headers} matches "Content-Type:\s*application/x-www-form-urlencoded") then | ||
|
|
||
| # This check looks for "POST" HTTP requests which possess the `grant_type=password` variable as a body query parameter. | ||
| if ({base.request.method} matches "POST") and ({base.request.body} matches "(?i)grant_type\s*=\s*password") then | ||
| report issue: | ||
| severity: medium | ||
| confidence: certain | ||
| detail: `{issueDetail_FULL}` | ||
| remediation: `{issueRemediation_FULL}` | ||
|
|
||
| # This check looks for "GET" HTTP requests which possess the `grant_type=password` variable as a URL query parameter. | ||
| else if ({base.request.method} matches "GET") and ({base.request.url.query} matches "(?i)grant_type\s*=\s*password") then | ||
| report issue: | ||
| severity: high | ||
| confidence: certain | ||
| detail: `{issueDetail_FULL}` | ||
| remediation: `{issueRemediation_FULL}` | ||
|
|
||
| end if | ||
| end if |