Merge pull request #424 from owasp-noir/add-ps-documents
Add passive scan documents
Showing 12 changed files with 245 additions and 83 deletions.
@@ -1,7 +1,7 @@ | ||
--- | ||
title: Diff Mode | ||
has_children: false | ||
nav_order: 4 | ||
nav_order: 5 | ||
layout: page | ||
--- | ||
|
||
|
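Review bot: the `nav_order` bump from 4 to 5 makes room for the new Passive Scan page, which takes `nav_order: 4` later in this PR; confirm that no other page at the same nesting level already uses 5, otherwise the sidebar order becomes renderer-dependent.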
@@ -0,0 +1,47 @@ | ||
--- | ||
title: Passive Scan | ||
has_children: true | ||
nav_order: 4 | ||
layout: page | ||
--- | ||
|
||
A Passive Scan is a feature where additional actions are performed by the Detector to identify security issues according to scan rules. This functionality typically includes: | ||
|
||
* Regular Expression Matching: It uses regular expressions to match patterns that could indicate security vulnerabilities. | ||
* String Matching: Besides regex, it looks for specific strings within the code that could be indicative of security concerns. | ||
* Default Rule Set: Comes with a predefined set of rules to check against common security issues. | ||
|
||
```bash | ||
noir -b <BASE_PATH> -P | ||
|
||
# You can check the format list with the -h flag. | ||
# PASSIVE SCAN: | ||
# -P, --passive-scan Perform a passive scan for security issues using rules from the specified path | ||
# --passive-scan-path PATH Specify the path for the rules used in the passive security scan | ||
``` | ||
|
||
Usage Example: | ||
|
||
When you run a command like: | ||
|
||
```bash | ||
noir -b ./your_app -P | ||
``` | ||
|
||
The passive scan might produce results like: | ||
|
||
``` | ||
★ Passive Results: | ||
[critical][hahwul-test][secret] use x-api-key | ||
├── extract: env.request.headers["x-api-key"].as(String) | ||
└── file: ./spec/functional_test/fixtures/crystal_kemal/src/testapp.cr:4 | ||
``` | ||
|
||
Explanation of Output: | ||
|
||
* Label: `[critical][hahwul-test][secret]` - This line indicates the severity, test context, and type of issue found. Here, it's critical, related to a test named hahwul-test, and concerns a secret. | ||
* Extract: This shows where or how the sensitive information is being accessed or used. In this case, it's extracting an x-api-key from the request headers. | ||
* File: Indicates the location of the potential security issue within the codebase, pointing to the exact file and line number where the issue was detected. | ||
|
||
This output helps developers immediately identify where and what kind of security issues exist in their code, focusing on passive analysis without actively exploiting the vulnerabilities. | ||
' |
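Review bot: the explanation of the result label (`[critical][hahwul-test][secret]`) describes the middle segment as a "test context", but by the rule format added in this PR (`id`, `info.severity`, `category`) the label is `[severity][rule id][category]`, so `hahwul-test` is the rule's `id`; reword that bullet so readers know how to trace a finding back to its rule file. Two smaller points in the same hunk: the comment `# You can check the format list with the -h flag.` reads as copied from the output-format page and should say "option list", and the sample output comes from a spec fixture (`./spec/functional_test/fixtures/...`), so an example run against the default rule set would be more representative.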
@@ -0,0 +1,19 @@ | ||
--- | ||
title: Default Rules | ||
parent: Passive Scan | ||
has_children: false | ||
nav_order: 2 | ||
layout: page | ||
--- | ||
|
||
The default rules are stored in the following paths based on your operating system: | ||
|
||
| OS | Path | | ||
|---|---| | ||
| MacOS: | `~/.config/noir/passive_rules/` | | ||
| Linux: | `~/.config/noir/passive_rules/` | | ||
| Windows: | `%APPDATA%\noir\passive_rules\` | | ||
|
||
When using the `-P` (`--passive-scan`) flag, Noir references the rules stored in these paths. These rules are managed by the Noir team, ensuring they are up-to-date and effective. | ||
|
||
However, if you wish to add your own custom rules, you can place them in the respective directory for your operating system. This allows you to extend the functionality of the passive scan to meet your specific needs. |
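Review bot: this page tells users to drop custom rules into the same directory that the Noir team manages, but the `--passive-scan-path PATH` option shown on the Passive Scan page is the mechanism for pointing at a custom rule location; document it here and state what happens to user-added files in the managed directory when the default rules are refreshed, so nobody loses custom rules. Minor: the trailing colons in the OS column (`MacOS:`, `Linux:`, `Windows:`) should go since the table already has a header row.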
@@ -0,0 +1,72 @@ | ||
--- | ||
title: Passive Scan Rule | ||
parent: Passive Scan | ||
has_children: false | ||
nav_order: 1 | ||
layout: page | ||
--- | ||
|
||
```yaml | ||
id: rule-id | ||
info: | ||
name: "The name of the rule" | ||
author: | ||
- "List of authors" | ||
- "Another author" | ||
severity: "The severity level of the rule (e.g., critical, high, medium, low)" | ||
description: "A brief description of the rule" | ||
reference: | ||
- "URLs or references related to the rule" | ||
|
||
matchers-condition: "The condition to apply between matchers (and/or)" | ||
matchers: | ||
- type: "The type of matcher (e.g., word, regex)" | ||
patterns: | ||
- "Patterns to match" | ||
condition: "The condition to apply within the matcher (and/or)" | ||
|
||
- type: "The type of matcher (e.g., word, regex)" | ||
patterns: | ||
- "Patterns to match" | ||
- "Another pattern" | ||
condition: "The condition to apply within the matcher (and/or)" | ||
|
||
category: "The category of the rule (e.g., secret, vulnerability)" | ||
techs: | ||
- "Technologies or frameworks the rule applies to" | ||
- "Another technology" | ||
``` | ||
### Example Rule: Detecting PRIVATE_KEY | ||
```yaml | ||
id: detect-private-key | ||
info: | ||
name: "Detect PRIVATE_KEY" | ||
author: | ||
- "security-team" | ||
severity: critical | ||
description: "Detects the presence of PRIVATE_KEY in the code" | ||
reference: | ||
- "https://example.com/security-guidelines" | ||
|
||
matchers-condition: or | ||
matchers: | ||
- type: word | ||
patterns: | ||
- "PRIVATE_KEY" | ||
- "-----BEGIN PRIVATE KEY-----" | ||
condition: or | ||
|
||
- type: regex | ||
patterns: | ||
- "PRIVATE_KEY\\s*=\\s*['\"]?[^'\"]+['\"]?" | ||
- "-----BEGIN PRIVATE KEY-----[\\s\\S]*?-----END PRIVATE KEY-----" | ||
condition: or | ||
|
||
category: secret | ||
techs: | ||
- '*' | ||
``` | ||
![](../../../images/advanced/passive_private_key.png) |
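Review bot: the example rule's `word` matcher fires on the bare token `PRIVATE_KEY` with `matchers-condition: or`, so any file that merely mentions that string (a variable such as a path setting, a config key name, a doc comment) is reported as `critical`; either drop that pattern and keep the PEM header (`-----BEGIN PRIVATE KEY-----`) plus the assignment regex, or say in the schema block that `word` is a substring match so rule authors understand the false-positive trade-off. Also missing from the schema block: what the `'*'` wildcard in `techs` means, whether `condition` is required when a matcher has a single pattern, and which regex flavour is accepted; and a blank line is needed before the `### Example Rule: Detecting PRIVATE_KEY` heading for some Markdown renderers.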
|
@@ -11,6 +11,7 @@ noir -b . -f yaml --no-log | |
``` | ||
|
||
```yaml | ||
endpoints: | ||
- url: / | ||
method: GET | ||
params: | ||
|