Add new rule: Connection String in .NET Configuration (#238)
bradlarsen authored Dec 6, 2024
1 parent e7d68c6 commit 14a2a39
Showing 7 changed files with 80 additions and 10 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.md
Expand Up @@ -26,10 +26,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
### Additions
- New rules have been added:

- `Connection String in .NET Configuration` ([#238](https://github.com/praetorian-inc/noseyparker/pull/238))
- `Credentials in .NET System.DirectoryServices.DirectoryEntry` ([#234](https://github.com/praetorian-inc/noseyparker/pull/234))
- `Credentials in .NET System.Net.NetworkCredential` ([#234](https://github.com/praetorian-inc/noseyparker/pull/234))
- `Kubernetes Bootstrap Token` ([#235](https://github.com/praetorian-inc/noseyparker/pull/235))
- `Sensitive value in .NET configuration` ([#237](https://github.com/praetorian-inc/noseyparker/pull/237))
- `Sensitive Value in .NET Configuration` ([#237](https://github.com/praetorian-inc/noseyparker/pull/237))

- Rules now contain an optional `description` string field.
This is intended to be a message for human consumption that indicates (a) what was detected and (b) how an attacker might use it.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -10,7 +10,7 @@ It has found secrets in hundreds of offensive security engagements at [Praetoria

**Key features:**
- **Flexiblity:** It natively scans files, directories, GitHub, and Git history, and has an extensible input enumeration mechanism
- **Field-tested rules:** It uses regular expressions with [160 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high precision based on feedback from security engineers
- **Field-tested rules:** It uses regular expressions with [161 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high precision based on feedback from security engineers
- **Signal-to-noise:** It deduplicates matches that share the same secret, reducing review burden by 10-1000x or more
- **Speed & scalability:** it can scan at GB/s on a multicore system, and has scanned inputs as large as 20TB during security engagements

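Review bot: the unchanged context line two above the edited pattern count reads `**Flexiblity:**`; since this hunk already touches the Key features list, correcting the spelling to `**Flexibility:**` in the same commit would be cheap and keeps the README change self-contained.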
Expand Up @@ -2,4 +2,4 @@
source: crates/noseyparker-cli/tests/rules/mod.rs
expression: stdout
---
160 rules and 3 rulesets: no issues detected
161 rules and 3 rulesets: no issues detected
Expand Up @@ -1130,6 +1130,32 @@ expression: stdout
]
}
},
{
"id": "np.generic.10",
"structural_id": "7139cc6e9cf6d7babcdd37a5183e95a9a3e6ccfc",
"name": "Connection String in .NET Configuration",
"syntax": {
"name": "Connection String in .NET Configuration",
"id": "np.generic.10",
"pattern": "(?x)\n< \\s* add \\s+ key \\s* = \\s*\n \" (\n [^\\n\"]{0,20}\n (?: [Cc]onnection[Ss]tring | CONNECTIONSTRING )\n [^\\n\"]{0,20}\n ) \"\n\\s+\nvalue \\s* = \\s* \" ([^\\n\"]{3,200}) \" \\s* / \\s* >\n",
"description": "A possibly-sensitive connection string in .NET app configuration was found. This may allow an attacker direct access to a database.\n",
"examples": [
"<add key=\"ConnectionString_B2B\" value=\"Server=awsbman-t,1433;Database=B2B;User ID=b2buser;Password=#gets0m3;Trusted_Connection=False\" />\n"
],
"negative_examples": [
"<add key=\"FromEmailAddress\" value=\"killer.joe@example.com\"/>\n<add key=\"FromEmailPassword\" value=\"Prestigitariu$\"/>\n"
],
"references": [
"https://learn.microsoft.com/en-us/dotnet/desktop/winforms/advanced/application-settings-overview",
"https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/appsettings/appsettings-element-for-configuration"
],
"categories": [
"fuzzy",
"generic",
"secret"
]
}
},
{
"id": "np.generic.2",
"structural_id": "ac1028729d342a4d0cf282377532d882a48795c6",
Expand Down Expand Up @@ -1332,16 +1358,18 @@ expression: stdout
{
"id": "np.generic.9",
"structural_id": "37dadc2ef09aa6f150315ce6f9aaebdf2d8b473b",
"name": "Sensitive value in .NET configuration",
"name": "Sensitive Value in .NET Configuration",
"syntax": {
"name": "Sensitive value in .NET configuration",
"name": "Sensitive Value in .NET Configuration",
"id": "np.generic.9",
"pattern": "(?x)\n< \\s* add \\s+ key \\s* = \\s*\n \" (\n [^\\n\"]{0,20}\n (?: pass | Pass | PASS\n | secret | Secret | SECRET\n | user | User | USER\n | admin | Admin | ADMIN\n | token | Token | TOKEN\n )\n [^\\n\"]{0,20}\n ) \"\n\\s+\nvalue \\s* = \\s* \" ([^\\n\"]{3,100}) \" \\s* / \\s* >\n",
"description": "A possibly-sensitive value in .NET app configuration was found. This may allow an attacker a way to bypass authentication or move laterally.\n",
"examples": [
"<add key=\"FromEmailAddress\" value=\"killer.joe@example.com\"/>\n<add key=\"FromEmailPassword\" value=\"Prestigitariu$\"/>\n"
],
"negative_examples": [],
"negative_examples": [
"<add key=\"ConnectionString_B2B\" value=\"Server=awsbman-t,1433;Database=B2B;User ID=b2buser;Password=#gets0m3;Trusted_Connection=False\" />\n"
],
"references": [
"https://learn.microsoft.com/en-us/dotnet/desktop/winforms/advanced/application-settings-overview",
"https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/appsettings/appsettings-element-for-configuration"
Expand Down Expand Up @@ -4033,7 +4061,7 @@ expression: stdout
{
"id": "default",
"name": "Nosey Parker default rules",
"num_rules": 139
"num_rules": 140
},
{
"id": "np.assets",
Expand Up @@ -49,14 +49,15 @@ expression: stdout
np.gcs.1 Google Cloud Storage Bucket api, identifier
np.gcs.2 Google Cloud Storage Bucket api, identifier
np.generic.1 Generic Secret fuzzy, generic, secret
np.generic.10 Connection String in .NET Configuration fuzzy, generic, secret
np.generic.2 Generic API Key fuzzy, generic, secret
np.generic.3 Generic Username and Password fuzzy, generic, secret
np.generic.4 Generic Username and Password fuzzy, generic, secret
np.generic.5 Generic Password fuzzy, generic, secret
np.generic.6 Generic Password fuzzy, generic, secret
np.generic.7 Credentials in .NET System.Net.NetworkCredential fuzzy, generic, secret
np.generic.8 Credentials in .NET System.DirectoryServices.DirectoryEntry fuzzy, generic, secret
np.generic.9 Sensitive value in .NET configuration fuzzy, generic, secret
np.generic.9 Sensitive Value in .NET Configuration fuzzy, generic, secret
np.github.1 GitHub Personal Access Token api, secret
np.github.2 GitHub OAuth Access Token api, secret
np.github.3 GitHub App Token api, secret
Expand Down Expand Up @@ -167,6 +168,6 @@ expression: stdout

Ruleset ID Ruleset Name Rules
─────────────────────────────────────────────────────────
default Nosey Parker default rules 139
default Nosey Parker default rules 140
np.assets Nosey Parker asset detection rules 15
np.hashes Nosey Parker password hash rules 6
41 changes: 40 additions & 1 deletion crates/noseyparker/data/default/builtin/rules/generic.yml
Expand Up @@ -331,7 +331,7 @@ rules:
This may allow an attacker access to an Active Directory instance.
- name: Sensitive value in .NET configuration
- name: Sensitive Value in .NET Configuration
id: np.generic.9
pattern: |
Expand Down Expand Up @@ -361,6 +361,45 @@ rules:
<add key="FromEmailAddress" value="killer.joe@example.com"/>
<add key="FromEmailPassword" value="Prestigitariu$"/>
negative_examples:
- |
<add key="ConnectionString_B2B" value="Server=awsbman-t,1433;Database=B2B;User ID=b2buser;Password=#gets0m3;Trusted_Connection=False" />
references:
- https://learn.microsoft.com/en-us/dotnet/desktop/winforms/advanced/application-settings-overview
- https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/appsettings/appsettings-element-for-configuration
- name: Connection String in .NET Configuration
id: np.generic.10
pattern: |
(?x)
< \s* add \s+ key \s* = \s*
" (
[^\n"]{0,20}
(?: [Cc]onnection[Ss]tring | CONNECTIONSTRING )
[^\n"]{0,20}
) "
\s+
value \s* = \s* " ([^\n"]{3,200}) " \s* / \s* >
categories: [fuzzy, generic, secret]
description: >
A possibly-sensitive connection string in .NET app configuration was found.
This may allow an attacker direct access to a database.
examples:
- |
<add key="ConnectionString_B2B" value="Server=awsbman-t,1433;Database=B2B;User ID=b2buser;Password=#gets0m3;Trusted_Connection=False" />
negative_examples:
- |
<add key="FromEmailAddress" value="killer.joe@example.com"/>
<add key="FromEmailPassword" value="Prestigitariu$"/>
references:
- https://learn.microsoft.com/en-us/dotnet/desktop/winforms/advanced/application-settings-overview
- https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/appsettings/appsettings-element-for-configuration
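Review bot: the new np.generic.10 pattern only matches `<appSettings>`-style entries of the form `<add key="..." value="..." />` whose key contains "connectionstring", so the canonical `<connectionStrings>` section, where each entry is `<add name="..." connectionString="..." providerName="..." />`, is covered neither by this rule nor by np.generic.9 (both anchor on `key`/`value`). If that form is in scope, it needs a second alternation or a sibling rule, with its own example. Two smaller points on the same pattern: the attribute order is fixed (`key` must precede `value`) and the element must be self-closing (`\s* / \s* >`), neither of which XML requires, and because the value capture is `[^\n"]{3,200}` followed by a closing quote, a connection string longer than 200 characters will not match at all rather than partially; raising the upper bound costs little here. Lastly, a connection string that uses integrated security and carries no password still matches, which is consistent with the "possibly-sensitive" wording, but an example documenting that choice would save future maintainers from guessing whether it was intended.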
Expand Up @@ -59,6 +59,7 @@ rulesets:
- np.generic.7 # Credentials in .NET System.Net.NetworkCredential
- np.generic.8 # Credentials in .NET System.DirectoryServices.DirectoryEntry
- np.generic.9 # Sensitive value in .NET configuration
- np.generic.10 # Connection string in .NET configuration
- np.github.1 # GitHub Personal Access Token
- np.github.2 # GitHub OAuth Access Token
- np.github.3 # GitHub App Token
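Review bot: the comment on the added line, `# Connection string in .NET configuration`, does not match the rule's actual name `Connection String in .NET Configuration`, and the context line just above it still carries the pre-rename comment `# Sensitive value in .NET configuration` for np.generic.9, which this commit renames to `Sensitive Value in .NET Configuration` in generic.yml. These comments are the only human-readable index in the ruleset file, so updating both to the exact rule names keeps them greppable against `rules list` output.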