Add ScanRuleMetadata to Active and Passive Scan Rules

[ricekot]

Tracker issue for adding ScanRuleMetadata to active and passive scripts in this repo.

There are some scripts in the list below which may clash with existing rules in one of the scan rule add-ons (e.g. the check done by X-Powered-By_header_checker.js script is also done by the XPoweredByHeaderInfoLeakScanRule scan rule). We should either remove the script or the scan rule to avoid duplicate alerts.

Also, WebSocket passive scripts are not included here since they don't support the getMetadata() function at the moment.

Active

• [ ] bxss.py
• [ ] corsair.py
• [x] Cross Site WebSocket Hijacking.js
• [x] cve-2019-5418.js
• [x] gof_lite.js (Duplicate of: BackupFileDisclosureScanRule.java)
• [x] JWT None Exploit.js
• [ ] RCE.py
• [x] SSTI.js
• [ ] SSTI.py
• [ ] TestInsecureHTTPVerbs.py
• [ ] User defined attacks.js

Passive

• [x] clacks.js
• [x] CookieHTTPOnly.js
• [x] detect_csp_notif_and_reportonly.js
• [x] detect_samesite_protection.js
• [x] f5_bigip_cookie_internal_ip.js
• [x] find base64 strings.js
• [x] Find Credit Cards.js
• [x] Find Emails.js
• [x] Find Hashes.js
• [x] Find HTML Comments.js
• [x] Find IBANs.js
• [x] Find Internal IPs.js
• [x] find_reflected_params.py
• [x] google_api_keys_finder.js
• [x] HUNT.py
• [x] JavaDisclosure.js
• [x] Mutliple Security Header Check.js
• [x] Report non static sites.js
• [x] RPO.js
• [x] s3.js
• [x] Server Header Disclosure.js
• [x] SQL injection detection.js
• [x] Telerik Using Poor Crypto.js
• [x] Upload form discovery.js
• [x] X-Powered-By_header_checker.js (Duplicate of: XPoweredByHeaderInfoLeakScanRule)