@hclsoftware/secagent

IAST agent

//IASTIGNORE
/*
 * ****************************************************
 * Licensed Materials - Property of HCL.
 * (c) Copyright HCL Technologies Ltd. 2017, 2025.
 * Note to U.S. Government Users *Restricted Rights.
 * ****************************************************
 */
const {RequestRule, AdditionalInfoKey} = require('./RequestRule')
const Vulnerability = require('../Vulnerability')
const Entity = require('../Entity')
const SessionTracker = require('../SessionTracker')
const Utils = require('../Utils/Utils')

/**
 * Looks up the username and password parameter names among the request's
 * parameters, in that order, stopping as soon as one of them is missing.
 *
 * @param {object} requestInfo - request under inspection; only
 *   `requestInfo.allParameters` (an object whose keys are parameter names) is read
 * @returns {{userName: string, passwordName: string} | null} both names, or
 *   null when the request does not carry a recognised username/password pair
 */
function findCredentialParameters (requestInfo) {
  const names = Object.keys(requestInfo.allParameters)
  // Username is resolved first; the password lookup is skipped entirely when
  // no username variant is present (same short-circuit as before).
  const userName = SessionTracker.getUserNameFromVariants(names)
  if (userName == null) {
    return null
  }
  const passwordName = SessionTracker.getPasswordFromVariants(names)
  if (passwordName == null) {
    return null
  }
  return {userName, passwordName}
}

/**
 * Request rule reporting a login form submitted over an insecure transport:
 * the request is flagged when it is not marked secure and carries both a
 * username-like and a password-like parameter.
 *
 * The reported entity is the password parameter (type PARAMETER) and the
 * finding's additional-info text records why the request was flagged.
 */
class InsecureLogin extends RequestRule {
  constructor () {
    super(Vulnerability.INSECURE_LOGIN, true)
  }

  /**
   * Decides whether this request exposes credentials on an insecure channel.
   *
   * @param {object} requestInfo - request under inspection; `isSecure` and
   *   `allParameters` are read. NOTE(review): if `isSecure` reflects the
   *   local socket rather than a forwarded-protocol header, deployments behind
   *   a TLS-terminating proxy may be reported here — confirm how it is derived.
   * @param {string} responseText - unused by this rule
   * @param {object} additionalInfo - finding metadata; `additionalInfo[AdditionalInfoKey]`
   *   is extended with a human-readable reason. `origConcat` is presumably the
   *   un-instrumented String concat kept by the agent — verify against RequestRule.
   * @returns {boolean} true when the finding was recorded, false otherwise
   */
  isVulnerable (requestInfo, responseText, additionalInfo) {
    // A secure transport is out of scope for this rule, regardless of parameters.
    if (requestInfo.isSecure) {
      return false
    }

    const credentials = findCredentialParameters(requestInfo)
    if (credentials === null) {
      return false
    }
    const {userName, passwordName} = credentials

    const reason = `request is not secure (e.g. not using HTTPS); username parameter detected: [${userName}]; password parameter detected: [${passwordName}]`
    additionalInfo[AdditionalInfoKey] = additionalInfo[AdditionalInfoKey].origConcat(reason)

    // The password parameter is what the finding points at, not the username.
    const entity = new Entity.Entity(passwordName, Utils.PASSWORD_TEXT, Entity.EntityType.PARAMETER)
    this.setEntity(entity)
    return true
  }
}

module.exports = InsecureLogin