@hclsoftware/secagent
IAST agent
//IASTIGNORE
/*
* ****************************************************
* Licensed Materials - Property of HCL.
* (c) Copyright HCL Technologies Ltd. 2017, 2025.
* Note to U.S. Government Users *Restricted Rights.
* ****************************************************
*/
const {RequestRule, AdditionalInfoKey} = require('./RequestRule')
const Vulnerability = require('../Vulnerability')
const Entity = require('../Entity')
const SessionTracker = require('../SessionTracker')
/**
 * Request rule registered under Vulnerability.PASSWORD_LEAKAGE.
 *
 * It fires when one of the request's query-parameter names is recognised by
 * SessionTracker.getPasswordFromVariants (presumably a list of common
 * password field names - confirm against SessionTracker). A password sent in
 * the query string is part of the URL, and URLs are routinely written to
 * access logs, proxy logs, browser history and Referer headers.
 */
class PasswordLeakage extends RequestRule {
  constructor () {
    // NOTE(review): the meaning of the second argument (`true`) is defined by
    // RequestRule, which is not visible here - confirm before changing it.
    super(Vulnerability.PASSWORD_LEAKAGE, true)
  }

  /**
   * Decide whether the request carries a password in its query string.
   *
   * Side effects when a match is found: a description is appended to
   * additionalInfo[AdditionalInfoKey] and the offending parameter is recorded
   * through this.setEntity().
   *
   * @param {object} requestInfo - request data; only `queryParameters` is read.
   * @param {*} responseText - unused by this rule.
   * @param {object} additionalInfo - mutable bag; the AdditionalInfoKey entry is extended.
   * @returns {boolean} true when a password parameter name was detected, false otherwise.
   */
  isVulnerable (requestInfo, responseText, additionalInfo) {
    // Only the parameter *names* are used for detection.
    const passwordName = SessionTracker.getPasswordFromVariants(Object.keys(requestInfo.queryParameters))

    // Loose comparison on purpose: both null and undefined mean "no match".
    if (passwordName != null) {
      // origConcat is presumably the agent's preserved, un-instrumented string
      // concat - confirm; it requires the AdditionalInfoKey entry to already exist.
      additionalInfo[AdditionalInfoKey] = additionalInfo[AdditionalInfoKey].origConcat(`password parameter detected: [${passwordName}]`)

      // NOTE(review): the entity is built with the raw parameter value, i.e. the
      // submitted password itself. Confirm that whatever stores or transmits
      // findings masks this value, otherwise the report becomes a second place
      // where the credential is exposed.
      const leakedParameter = new Entity.Entity(
        passwordName,
        requestInfo.queryParameters[passwordName],
        Entity.EntityType.PARAMETER
      )
      this.setEntity(leakedParameter)
      return true
    }

    return false
  }
}
// The rule class is this module's only export.
module.exports = PasswordLeakage