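        /// <summary>
        /// Initializes the custom regex-grep passive check: creates the string
        /// configuration panel, calls <c>UpdateWordList()</c>, and fills in the
        /// metadata that Watcher displays for this check.
        /// </summary>
        public CheckPasvMiscGrep()
        {
            // The patterns come from the user and, as the prompt text below states,
            // are not validated here. NOTE(review): a pattern with catastrophic
            // backtracking can stall the proxy while it scans large response bodies;
            // a Regex matchTimeout where the patterns are compiled would bound that
            // cost — confirm at the site that builds the Regex objects.
            configpanel = new StringCheckConfigPanel(this);
            configpanel.Init(defaultstrings, "Case-insensitive regex patterns currently monitored:", "Enter new, case-insensitive regex patterns to monitor for in HTTP response bodies.  NOTE: Watcher will not validate these patterns for you! Make sure they're correct before adding:");
            UpdateWordList();

            CheckCategory    = WatcherCheckCategory.None;
            LongName         = "Miscellaneous - Check HTTP response body for custom-defined regex patterns.";
            // Fixed the user-visible spelling "resposne" -> "response".
            LongDescription  = "This check looks at the HTTP response body to find matches for your custom-defined regex patterns.  It's up to you to make sure the regex patterns are defined properly, and don't DoS Fiddler!";
            ShortName        = "My custom regex match";
            ShortDescription = "Your custom-defined regex pattern had matches at the following URL:\r\n\r\n";
            Reference        = "http://websecuritytool.codeplex.com/wikipage?title=Checks#body-grep";
            Recommendation   = "This is your check, you tell me!";
        }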
        /// <summary>
        /// Initializes the "dubious comments" passive check: creates the string
        /// configuration panel seeded with <c>defaultstrings</c>, calls
        /// <c>UpdateWordList()</c>, and sets the metadata Watcher shows for it.
        /// </summary>
        public CheckPasvInformationDisclosureComments()
        {
            const string panelTitle  = "Dubious Comment Words:";
            const string panelPrompt = "Enter new words to watch for here:";

            this.configpanel = new StringCheckConfigPanel(this);
            this.configpanel.Init(defaultstrings, panelTitle, panelPrompt);
            this.UpdateWordList();

            // Presentation metadata for the findings list.
            this.CheckCategory    = WatcherCheckCategory.InfoDisclosure;
            this.LongName         = "Information Disclosure - Check for dubious comments that warrant further attention.";
            this.LongDescription  = "This check looks for common patterns in HTML and javascript comments that may be useful to inspect in a security review or audit. This performs a pattern match looking for a list of words like BUG, TODO, and profanity. You can configure the list of words to search.";
            this.ShortName        = "Dubious comments were found";
            this.ShortDescription = "Curious looking comments were found at the following URL:\r\n\r\n";
            this.Reference        = "http://websecuritytool.codeplex.com/wikipage?title=Checks#information-disclosure-in-comments";
            this.Recommendation   = "Scrub all comments before pushing to production.";
        }
        /// <summary>
        /// Initializes the "sensitive data in URL" passive check: records the
        /// standards it maps to, creates the string configuration panel seeded with
        /// <c>defaultstrings</c>, calls <c>UpdateWordList()</c>, and sets the
        /// metadata Watcher shows for it.
        /// </summary>
        public CheckPasvInformationDisclosureInURL()
        {
            // Complies with OWASP ASVL 2 (DVR 9.5)
            this.StandardsCompliance = WatcherCheckStandardsCompliance.OwaspAppSecVerificationLevel2;

            const string panelTitle  = "Sensitive URL Values:";
            const string panelPrompt = "Enter new words to watch for here:";

            this.configpanel = new StringCheckConfigPanel(this);
            this.configpanel.Init(defaultstrings, panelTitle, panelPrompt);
            this.UpdateWordList();

            // Presentation metadata for the findings list.
            this.CheckCategory    = WatcherCheckCategory.InfoDisclosure;
            this.LongName         = "Information Disclosure - Look for sensitive information passed through URL parameters.";
            this.LongDescription  = "This check looks for string patterns to identify sensitive information leaked in the URL. This can violate PCI and most organizational compliance policies. You can configure the list of strings for this check to add or remove values specific to your environment. In addition this check will find credit card numbers, SSN's, and email addresses.";
            this.ShortName        = "Information leak in URL parameter";
            this.ShortDescription = "The following request may have leaked a potentially sensitive parameter in a URL parameter:\r\n\r\n";
            this.Reference        = "http://websecuritytool.codeplex.com/wikipage?title=Checks#information-disclosure-in-url-parameter";
            this.Recommendation   = "Do not pass sensitive information in URI's.";
        }
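        /// <summary>
        /// Initializes the "debug error message" passive check: records the
        /// standards it maps to, creates the string configuration panel seeded with
        /// <c>defaultstrings</c>, calls <c>UpdateWordList()</c>, and sets the
        /// metadata Watcher shows for it.
        /// </summary>
        public CheckPasvInformationDisclosureDebugErrors()
        {
            // Complies with OWASP ASVL 1 & 2 (DVR 8.9)
            StandardsCompliance =
                WatcherCheckStandardsCompliance.MicrosoftSdl |
                WatcherCheckStandardsCompliance.OwaspAppSecVerificationLevel1 |
                WatcherCheckStandardsCompliance.OwaspAppSecVerificationLevel2;

            // Setup Configuration Panel and initialize.
            // The panel labels previously read "Database Error Strings", which is the
            // wording of the database-error check and does not describe this check's
            // list of debug/platform error messages (see LongName below).
            configpanel = new StringCheckConfigPanel(this);
            configpanel.Init(defaultstrings, "Debug Error Strings:", "Enter new Debug Error Strings here:");
            UpdateWordList();

            CheckCategory    = WatcherCheckCategory.InfoDisclosure;
            LongName         = "Information Disclosure - Check for common debugging error messages.";
            LongDescription  = "This check will search HTML content, including comments, for common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages.";
            ShortName        = "Debug error message";
            ShortDescription = "The response to the following request appeared to contain debugging information:\r\n\r\n";
            Reference        = "http://websecuritytool.codeplex.com/wikipage?title=Checks#information-disclosure-in-error-messages";
            Recommendation   = "Disable debugging messages before pushing to production.";
        }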
        /// <summary>
        /// Initializes the "database error message" passive check: records the
        /// standards it maps to, creates the string configuration panel seeded with
        /// <c>defaultstrings</c>, calls <c>UpdateWordList()</c>, and sets the
        /// metadata Watcher shows for it.
        /// </summary>
        public CheckPasvInformationDisclosureDatabaseErrors()
        {
            // Complies with OWASP ASVL 1 & 2 (DVR 8.9)
            this.StandardsCompliance = WatcherCheckStandardsCompliance.MicrosoftSdl
                                     | WatcherCheckStandardsCompliance.OwaspAppSecVerificationLevel1
                                     | WatcherCheckStandardsCompliance.OwaspAppSecVerificationLevel2;

            // Setup Configuration Panel and initialize.
            const string panelTitle  = "Database Error Strings:";
            const string panelPrompt = "Enter new Database Error Strings here:";

            this.configpanel = new StringCheckConfigPanel(this);
            this.configpanel.Init(defaultstrings, panelTitle, panelPrompt);
            this.UpdateWordList();

            // Presentation metadata for the findings list. A match is only a hint
            // of injection potential; the description tells the user to test it separately.
            this.CheckCategory    = WatcherCheckCategory.InfoDisclosure;
            this.LongName         = "Information Disclosure - Check for common error messages returned by databases, which may indicate SQL injection potential.";
            this.LongDescription  = "This check will review HTML content, including comments, for common error messages returned by database providers such as MSSQL, MySQL, and Oracle. If found, this may indicate SQL injection potential, which will need to be tested separately. You can configure the list of common error messages.";
            this.ShortName        = "Database error message";
            this.ShortDescription = "The response to the following request appeared to contain a database error message:\r\n\r\n";
            this.Reference        = "http://websecuritytool.codeplex.com/wikipage?title=Checks#information-disclosure-in-database-error-messages";
            this.Recommendation   = "Disable debugging messages before pushing to production.";
        }