Create Use-of-Password-Grant-Type.bcheck #236
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- `Use-of-Password-Grant-Type` file is used to detect for the `password` grant_type in OAuth.
- Test to detect for indicators of `password/secret` values within known JavaScript library methods.
Fix to regex.
Updated regex to use `[-_ ]?` instead of arbitrarily set repeated terms.
The `Use-of-Basic-Auth-Scheme.bcheck` file searches for HTTP requests which possess the `Authorization: Basic` HTTP request header yet was not set with an Internet Protocol/Port that supported TLS encryption.
- Created BCheck searches passively through HTTP methods by detecting whether non-GET/POST HTTP methods appear used in an HTTP request, or if non-GET/POST HTTP methods are present in a `Access-Control-Allow-Methods` HTTP response header value.
…s/httpMethodOverrideCapability.bcheck - Moved this bcheck file into a dedicated `HTTP Methods` folder.
…/Password in JavaScript Logger.bcheck - Moved file into JavaScript folder.
- Moved file into `JavaScript` folder.
…mported.bcheck - Moved file into `JavaScript` folder.
There was a problem hiding this comment.
Thanks for all your work, it's really good to see how you're using BChecks and that you're happy to share with the wider community :)
We've made a couple of suggestions for small tweaks/enhancements. In the future you might want to send each BCheck as a separate pull request so ones that are ready to go can be merged immediately.
- Updated test to limit scans towards only the `HTML` or `Script` MIME types. - Updated test to limit scans towards only non-'400s/500s' error responses.
- Updates made to only ignore HTTPS-related ports.
Michelle-PortSwigger
approved these changes
Nov 26, 2024
PortSwiggerWiener
approved these changes
Nov 26, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Use-of-Password-Grant-Typefile is used to detect for usage of thepasswordgrant_type in OAuth withinGET&POSTHTTP requests' HTTP request bodies./OAuthfolder within the/otherroot folder.BCheck Contributions