owasp-noir / noir

Attack surface detector that identifies endpoints by static analysis
https://owasp.org/www-project-noir/
MIT License
609 stars 45 forks

✨ Add Passive Scan Feature #420

Closed hahwul closed 2 months ago

hahwul commented 2 months ago

Closed #419

Signed-off-by: HAHWUL hahwul@gmail.com

hahwul commented 2 months ago

Interim review

....
GET /token
  ○ body: client_id=&redirect_url=&grant_type=

GET /socket [websocket]

GET /1.html

GET /2.html

Passive Results:
ID: ...
Info: PassiveScan::Info(@name="ABCD", @author=["abcd", "aaaa"], @severity="critical", @description="....", @reference=["https://google.com"])
Matchers: [PassiveScan::Matcher(@type="word", @patterns=["api"], @condition="or"), PassiveScan::Matcher(@type="regex", @patterns=[".*", "^a"], @condition="or")]
Matchers Condition: and
Category: secret
Techs: *, ruby-rails
File Path: ./spec/functional_test/fixtures/crystal_kemal/src/testapp.cr
Line Number: 4
Extract:   env.request.headers["x-api-key"].as(String)

{
  "passive_results": [
    {
      "id": "...",
      "info": {
        "name": "ABCD",
        "author": [
          "abcd",
          "aaaa"
        ],
        "severity": "critical",
        "description": "....",
        "reference": [
          "https://google.com"
        ]
      },
      "category": "secret",
      "techs": [
        "*",
        "ruby-rails"
      ],
      "file_path": "./spec/functional_test/fixtures/crystal_kemal/src/testapp.cr",
      "line_number": 4,
      "extract": "  env.request.headers[\"x-api-key\"].as(String)"
    }
  ]
}
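The matcher semantics implied by the interim review output above (a "word" matcher and a "regex" matcher, each with an `or` condition over their patterns, combined by the rule-level `and`), worked through as an added example. It is not noir's code and is written in Ruby rather than the project's Crystal; the `Matcher`, `Rule` and `passive_scan` names, the reading of "word" as a plain substring test, the placeholder rule id and the sample source file are all assumptions constructed for this example, with only the result field names taken from the JSON above.

```ruby
# Added example, not noir's own code. Models the passive-scan rule shape shown
# in the interim review: matchers with a type, a pattern list and a per-matcher
# condition, plus a rule-level matchers condition. Names are hypothetical.
Matcher = Struct.new(:type, :patterns, :condition) do
  # True when this matcher accepts the line. "word" is assumed to be a literal
  # substring test; "regex" compiles each pattern and tests it against the line.
  def match?(line)
    hits = patterns.map do |p|
      case type
      when "word"  then line.include?(p)
      when "regex" then Regexp.new(p).match?(line)
      else raise ArgumentError, "unknown matcher type #{type}"
      end
    end
    condition == "and" ? hits.all? : hits.any?
  end
end

Rule = Struct.new(:id, :name, :severity, :category, :techs, :matchers, :matchers_condition) do
  # Combines the individual matcher verdicts with the rule-level condition.
  def match?(line)
    hits = matchers.map { |m| m.match?(line) }
    matchers_condition == "and" ? hits.all? : hits.any?
  end
end

# Walks each line of one source file and emits a result per matching line,
# using the field names of the "passive_results" JSON in the review output.
def passive_scan(rule, file_path, source)
  source.each_line.with_index(1).filter_map do |line, no|
    next unless rule.match?(line)
    {
      "id" => rule.id, "name" => rule.name, "severity" => rule.severity,
      "category" => rule.category, "techs" => rule.techs,
      "file_path" => file_path, "line_number" => no, "extract" => line.chomp
    }
  end
end

# Constructed sample source, modelled loosely on the Kemal test app referenced
# by the review output; only line 4 should produce a finding.
SAMPLE_SOURCE = <<~CR
  require "kemal"

  get "/token" do |env|
    env.request.headers["x-api-key"].as(String)
  end
CR

# The rule as printed in the review: the word matcher requires "api" and the
# regex matcher accepts every line (".*"), so the AND reduces to the word test.
API_KEY_RULE = Rule.new(
  "placeholder-rule-id", "ABCD", "critical", "secret", ["*", "ruby-rails"],
  [Matcher.new("word", ["api"], "or"), Matcher.new("regex", [".*", "^a"], "or")],
  "and"
)

# Runs the rule over the sample file and returns the result list.
def demo
  passive_scan(API_KEY_RULE, "./spec/functional_test/fixtures/crystal_kemal/src/testapp.cr", SAMPLE_SOURCE)
end

if __FILE__ == $0
  require "json"
  puts JSON.pretty_generate("passive_results" => demo)
end
```

Running the file prints one finding for line 4 with the same `extract` string as the review output; changing the rule-level condition to `or` would instead flag every line, because the `.*` regex matcher accepts anything, which is the kind of over-broad rule a reviewer would want to catch.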
hahwul commented 2 months ago

Screenshot 2024-09-29 10 50 08 PM

hahwul commented 2 months ago

Screenshot 2024-09-29 11 28 25 PM

hahwul commented 2 months ago

Screenshot 2024-09-29 11 42 22 PM