Merge pull request PortSwigger#29 from compr00t/main

Missing security.txt
mrrootsec · Jul 6, 2023 · df824a3 · df824a3
2 parents 8f677a1 + ca6c82d
commit df824a3
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/other/missing-security-txt.bcheck b/other/missing-security-txt.bcheck
@@ -0,0 +1,22 @@
+metadata:
+    language: v1-beta
+    name: "Missing security.txt"
+    description: "Checks for a missing security.txt according to RFC 9116"
+    author: "Patrick Schmid"
+
+define:
+    potential_path =
+        "/.well-known/security.txt"
+
+given host then
+    send request called check:
+        method: "GET"
+        path: {potential_path}
+
+    if not("Contact:" in {check.response.body}) then
+        report issue:
+            severity: info
+            confidence: certain
+            detail: `No security.txt could be found at {potential_path}.`
+            remediation: "Consider describing your security vulnerability disclosure process in a security.txt file according to RFC 9116 (https://www.rfc-editor.org/rfc/rfc9116)."
+    end if