diff --git a/CHANGELOG.md b/CHANGELOG.md
index bf8df6c89..3d494e0de 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,10 +26,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
### Additions
- New rules have been added:
+ - `Connection String in .NET Configuration` ([#238](https://github.com/praetorian-inc/noseyparker/pull/238))
- `Credentials in .NET System.DirectoryServices.DirectoryEntry` ([#234](https://github.com/praetorian-inc/noseyparker/pull/234))
- `Credentials in .NET System.Net.NetworkCredential` ([#234](https://github.com/praetorian-inc/noseyparker/pull/234))
- `Kubernetes Bootstrap Token` ([#235](https://github.com/praetorian-inc/noseyparker/pull/235))
- - `Sensitive value in .NET configuration` ([#237](https://github.com/praetorian-inc/noseyparker/pull/237))
+ - `Sensitive Value in .NET Configuration` ([#237](https://github.com/praetorian-inc/noseyparker/pull/237))
- Rules now contain an optional `description` string field.
This is intended to be a message for human consumption that indicates (a) what was detected and (b) how an attacker might use it.
diff --git a/README.md b/README.md
index 2ede6f762..139017351 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ It has found secrets in hundreds of offensive security engagements at [Praetoria
**Key features:**
- **Flexiblity:** It natively scans files, directories, GitHub, and Git history, and has an extensible input enumeration mechanism
-- **Field-tested rules:** It uses regular expressions with [160 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high precision based on feedback from security engineers
+- **Field-tested rules:** It uses regular expressions with [161 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high precision based on feedback from security engineers
- **Signal-to-noise:** It deduplicates matches that share the same secret, reducing review burden by 10-1000x or more
- **Speed & scalability:** it can scan at GB/s on a multicore system, and has scanned inputs as large as 20TB during security engagements
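Review bot: "Flexiblity" in the first bullet of this feature list is misspelled (it should read "Flexibility"). Since this hunk already touches the list to bump the pattern count to 161, fix the spelling in the same change.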
diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap
index 26008594b..0ca72bee9 100644
--- a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap
+++ b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap
@@ -2,4 +2,4 @@
source: crates/noseyparker-cli/tests/rules/mod.rs
expression: stdout
---
-160 rules and 3 rulesets: no issues detected
+161 rules and 3 rulesets: no issues detected
diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap
index 51ef8f8ac..565808df1 100644
--- a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap
+++ b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap
@@ -1130,6 +1130,32 @@ expression: stdout
]
}
},
+ {
+ "id": "np.generic.10",
+ "structural_id": "7139cc6e9cf6d7babcdd37a5183e95a9a3e6ccfc",
+ "name": "Connection String in .NET Configuration",
+ "syntax": {
+ "name": "Connection String in .NET Configuration",
+ "id": "np.generic.10",
+ "pattern": "(?x)\n< \\s* add \\s+ key \\s* = \\s*\n \" (\n [^\\n\"]{0,20}\n (?: [Cc]onnection[Ss]tring | CONNECTIONSTRING )\n [^\\n\"]{0,20}\n ) \"\n\\s+\nvalue \\s* = \\s* \" ([^\\n\"]{3,200}) \" \\s* / \\s* >\n",
+ "description": "A possibly-sensitive connection string in .NET app configuration was found. This may allow an attacker direct access to a database.\n",
+ "examples": [
+ "\n"
+ ],
+ "negative_examples": [
+ "\n\n"
+ ],
+ "references": [
+ "https://learn.microsoft.com/en-us/dotnet/desktop/winforms/advanced/application-settings-overview",
+ "https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/appsettings/appsettings-element-for-configuration"
+ ],
+ "categories": [
+ "fuzzy",
+ "generic",
+ "secret"
+ ]
+ }
+ },
{
"id": "np.generic.2",
"structural_id": "ac1028729d342a4d0cf282377532d882a48795c6",
@@ -1332,16 +1358,18 @@ expression: stdout
{
"id": "np.generic.9",
"structural_id": "37dadc2ef09aa6f150315ce6f9aaebdf2d8b473b",
- "name": "Sensitive value in .NET configuration",
+ "name": "Sensitive Value in .NET Configuration",
"syntax": {
- "name": "Sensitive value in .NET configuration",
+ "name": "Sensitive Value in .NET Configuration",
"id": "np.generic.9",
"pattern": "(?x)\n< \\s* add \\s+ key \\s* = \\s*\n \" (\n [^\\n\"]{0,20}\n (?: pass | Pass | PASS\n | secret | Secret | SECRET\n | user | User | USER\n | admin | Admin | ADMIN\n | token | Token | TOKEN\n )\n [^\\n\"]{0,20}\n ) \"\n\\s+\nvalue \\s* = \\s* \" ([^\\n\"]{3,100}) \" \\s* / \\s* >\n",
"description": "A possibly-sensitive value in .NET app configuration was found. This may allow an attacker a way to bypass authentication or move laterally.\n",
"examples": [
"\n\n"
],
- "negative_examples": [],
+ "negative_examples": [
+ "\n"
+ ],
"references": [
"https://learn.microsoft.com/en-us/dotnet/desktop/winforms/advanced/application-settings-overview",
"https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/appsettings/appsettings-element-for-configuration"
@@ -4033,7 +4061,7 @@ expression: stdout
{
"id": "default",
"name": "Nosey Parker default rules",
- "num_rules": 139
+ "num_rules": 140
},
{
"id": "np.assets",
diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap
index 0dcca123d..1e67b9cfb 100644
--- a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap
+++ b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap
@@ -49,6 +49,7 @@ expression: stdout
np.gcs.1 Google Cloud Storage Bucket api, identifier
np.gcs.2 Google Cloud Storage Bucket api, identifier
np.generic.1 Generic Secret fuzzy, generic, secret
+ np.generic.10 Connection String in .NET Configuration fuzzy, generic, secret
np.generic.2 Generic API Key fuzzy, generic, secret
np.generic.3 Generic Username and Password fuzzy, generic, secret
np.generic.4 Generic Username and Password fuzzy, generic, secret
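Review bot: `np.generic.10` lands between `np.generic.1` and `np.generic.2` in this listing because the IDs sort as strings, while default.yml in this same patch places it after `np.generic.9`. Now that the generic rules reach two digits, consider a natural (numeric-suffix) sort for the listing so the table and the ruleset file present the rules in the same order.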
@@ -56,7 +57,7 @@ expression: stdout
np.generic.6 Generic Password fuzzy, generic, secret
np.generic.7 Credentials in .NET System.Net.NetworkCredential fuzzy, generic, secret
np.generic.8 Credentials in .NET System.DirectoryServices.DirectoryEntry fuzzy, generic, secret
- np.generic.9 Sensitive value in .NET configuration fuzzy, generic, secret
+ np.generic.9 Sensitive Value in .NET Configuration fuzzy, generic, secret
np.github.1 GitHub Personal Access Token api, secret
np.github.2 GitHub OAuth Access Token api, secret
np.github.3 GitHub App Token api, secret
@@ -167,6 +168,6 @@ expression: stdout
Ruleset ID Ruleset Name Rules
─────────────────────────────────────────────────────────
- default Nosey Parker default rules 139
+ default Nosey Parker default rules 140
np.assets Nosey Parker asset detection rules 15
np.hashes Nosey Parker password hash rules 6
diff --git a/crates/noseyparker/data/default/builtin/rules/generic.yml b/crates/noseyparker/data/default/builtin/rules/generic.yml
index d04b8c47d..19b195777 100644
--- a/crates/noseyparker/data/default/builtin/rules/generic.yml
+++ b/crates/noseyparker/data/default/builtin/rules/generic.yml
@@ -331,7 +331,7 @@ rules:
This may allow an attacker access to an Active Directory instance.
-- name: Sensitive value in .NET configuration
+- name: Sensitive Value in .NET Configuration
id: np.generic.9
pattern: |
@@ -361,6 +361,45 @@ rules:
+ negative_examples:
+ - |
+
+
+
+ references:
+ - https://learn.microsoft.com/en-us/dotnet/desktop/winforms/advanced/application-settings-overview
+ - https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/appsettings/appsettings-element-for-configuration
+
+
+- name: Connection String in .NET Configuration
+ id: np.generic.10
+
+ pattern: |
+ (?x)
+ < \s* add \s+ key \s* = \s*
+ " (
+ [^\n"]{0,20}
+ (?: [Cc]onnection[Ss]tring | CONNECTIONSTRING )
+ [^\n"]{0,20}
+ ) "
+ \s+
+ value \s* = \s* " ([^\n"]{3,200}) " \s* / \s* >
+
+ categories: [fuzzy, generic, secret]
+
+ description: >
+ A possibly-sensitive connection string in .NET app configuration was found.
+ This may allow an attacker direct access to a database.
+
+ examples:
+ - |
+
+
+ negative_examples:
+ - |
+
+
+
references:
- https://learn.microsoft.com/en-us/dotnet/desktop/winforms/advanced/application-settings-overview
- https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/appsettings/appsettings-element-for-configuration
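Review bot: The `np.generic.10` pattern only matches the appSettings-style element `< add key = "..." value = "..." / >`, with `key` before `value` and double-quoted attributes, so connection strings declared as `<add name="..." connectionString="..." />` inside a `<connectionStrings>` section are not covered despite the rule's name. Either add that attribute form (here or as a sibling rule) or state the appSettings-only scope in the `description`. Separately, a key such as `DbUserConnectionString` satisfies both this rule and np.generic.9 (through `User`) whenever the value is 100 characters or fewer, so it is worth confirming how the two findings are reported and pinning the intended behaviour with an example or negative example.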
diff --git a/crates/noseyparker/data/default/builtin/rulesets/default.yml b/crates/noseyparker/data/default/builtin/rulesets/default.yml
index cc7d72290..0ec308899 100644
--- a/crates/noseyparker/data/default/builtin/rulesets/default.yml
+++ b/crates/noseyparker/data/default/builtin/rulesets/default.yml
@@ -59,6 +59,7 @@ rulesets:
- np.generic.7 # Credentials in .NET System.Net.NetworkCredential
- np.generic.8 # Credentials in .NET System.DirectoryServices.DirectoryEntry
- np.generic.9 # Sensitive value in .NET configuration
+ - np.generic.10 # Connection string in .NET configuration
- np.github.1 # GitHub Personal Access Token
- np.github.2 # GitHub OAuth Access Token
- np.github.3 # GitHub App Token
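Review bot: The trailing comments on the `np.generic.9` line and the new `np.generic.10` line use sentence case ("Sensitive value in .NET configuration", "Connection string in .NET configuration"), while this same patch renames the rules to title case in generic.yml. Update both comments to "Sensitive Value in .NET Configuration" and "Connection String in .NET Configuration" so they match the rule names.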