-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathSensitive data in responses.bcheck
14 lines (13 loc) · 2.54 KB
/
Sensitive data in responses.bcheck
1
2
3
4
5
6
7
8
9
10
11
12
13
14
metadata:
language: v2-beta
name: "Sensitive data in responses"
description: "Checks for sensitive data in all responses"
author: "Kaustubh"
given response then
if {latest.response.body} matches "(?<!\w)(?!(?:test_token|dummy_key|dummy_token|test_key|sample_key|placeholder|EXAMPLE|CONTRIBSYS|000000|aaaaaa|abcdefghijklmnopqrstuvwxyz))(?:(?:ops_eyJ[a-zA-Z0-9+/]{250,}={0,3}|key-[a-f0-9]{32}|sk-[a-zA-Z0-9]{20}T3BlbkFJ[a-zA-Z0-9]{20}|AIza[0-9A-Za-z\-_]{35}|A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA|gh[pousr]_[0-9a-zA-Z]{36}|xox[bp]-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*|eyJrIjoi[A-Za-z0-9]{70,}|dp\.pt\.[a-z0-9]{43}|sq0atp-[a-zA-Z0-9\-_]{24}|sk_live_[0-9a-z]{32}|EAAG[a-zA-Z0-9]{60,100}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|sg\.[a-z0-9\-_]{8,}\.[a-z0-9\-_]{8,}|sq0csp-[0-9a-zA-Z\-_]{43}|sk_live_[0-9a-zA-Z]{24}|xoxe-[0-9]{1,}-[a-zA-Z0-9]{146}|mfa\.[0-9a-zA-Z\-_]{84}|[0-9]{5,16}:[a-z0-9_\-]{34}|eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9\.[a-zA-Z0-9\-_]+?\.[a-zA-Z0-9\-_]+?|AG[0-9a-zA-Z\-_]{100,}|(?:access|secret|auth|token)[_-]?(?:prod|live|production)[_-]?[0-9a-zA-Z\-_]{20,50}|[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-zA-Z\-_]{24}\.[0-9a-zA-Z\-_]{6,7}\.[0-9a-zA-Z\-_]{27,}|[0-9a-zA-Z\-_]{64}|[0-9a-zA-Z\-_]{128}|(?:live|test)_[a-z0-9\-_]{32,64}|[0-9a-zA-Z]{18,22}\.[0-9a-zA-Z\-_]{43,47}|[0-9a-zA-Z]{25,30}\.[0-9a-zA-Z\-_]{8,12}|(?:ssh|rsa|dss|ed25519)[ -]?(?:private|public)[ -]?key.*?-+BEGIN(?: [A-Z]+)+ KEY-+|(?:-----BEGIN PRIVATE KEY-----[\s\S]*?-----END PRIVATE KEY-----)|(?:blt[0-9A-Fa-f]{16}|cs[A-Za-z0-9]{16,32}|A(?:KI|SI|CA)A[0-9A-Z]{16}|(?:[A-Za-z0-9+/]{40}|[A-Za-z0-9+/]{39}=|[A-Za-z0-9+/]{38}==)|ya29\.[0-9A-Za-z\-_]{30,}|1/[0-9A-Za-z\-_]{43}|1/[0-9A-Za-z\-_]{64}|SG\.[A-Za-z0-9\-_]{8,}\.[A-Za-z0-9\-_]{8,}|glpat-[A-Za-z0-9]{20}|xox(?:b|p)-\d{10,12}-[0-9]{10,12}-[A-Za-z0-9]{24,32}|(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{16,100}|ghu_[0-9a-zA-Z]{36}|dapi[a-f0-9]{32}|doo_v1_[a-f0-9]{64}|dop_v1_[a-f0-9]{64}|shpat_[a-fA-F0-9]{32}|sq0atp-[a-zA-Z0-9\-_]{24}|(?:sk|pk)_(?:test|live)_[a-zA-Z0-9]{24}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|(?:access|secret|token)[_-]?(?:key|token)[_-]?[0-9a-f]{32}|(?:prod|dev|stage)[_-]?(?:key|token|secret)[_-]?[0-9a-f]{32}|(?:api|auth|client)[_-]?(?:key|token|secret)[_-]?[0-9a-f]{32}|(?:production|staging)[_-]?(?:key|token|secret)[_-]?[0-9a-f]{32})))(?!\w)" then
report issue and continue:
severity: medium
confidence: tentative
detail: "Sensitive keyword found in a response body: '{matched[0]}'."
remediation: "Review and remove the sensitive data."
end if