[Feature Request / Idea]: Detect curl (and other) "Authorization header" usage
MegaManSec opened this issue · 3 comments
Suggestion / Feature Request
Curl, wget, and other HTTP tools can be used with authorization headers, like the Basic Authorization header, which contains a base64-encoded username:password combo.
For example:
curl -H "Authorization: Basic $(printf username:password|base64)" website.com
is the same as
curl -H 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=' website.com
According to https://reqbin.com/req/c-haxm0xgr/curl-basic-auth-example, a user can also use the command
curl -u username:password website.com
It would be great if shellclear could detect instances of this, as well as in other programs like wget, for example.
Thanks, @MegaManSec, for opening this PR. It looks like a very useful rule for shellclear.
Do you want to try adding this rule by opening a pull request? (I can help you with that.)
I can give it a go. However, I'll have to do some research on how these authentication methods are used, as I was thinking yesterday that it would be good to add curl, wget, and 'get'. I'll make a PR later in the week.
My first attempt was this:
curl.*(?:H|header)(?:.*)(\"|\'|\x60|\$\()(?i:authorization):(?:.*)(?i:Basic)(.*)(\"|\'|\x60|\$\()
But then I realized some other programs may use this authorization header, so it's better to be much more broad.
Tested against:
curl -H 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcm=='
curl --header 'authorization: basic 123213=='
curl -H "Authorization: Basic `cat /etc/secret`"
curl -H 'Authorization: Basic $(cat /etc/secret)'
curl -H `echo 'Authorization: Basic $SECRET'`
curl -H 'authorization: basic 123'
The -u/--user detection is simple enough.
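A sketch of the two detections discussed in this thread, as an added example that is not shellclear's rule or code from any commenter: a tool-agnostic match on the `Authorization: Basic` header text, and a match on curl's `-u`/`--user` flag. The pattern names, the `scan` and `decode_basic` helpers, and the wget and negative sample lines are assumptions made for illustration.

```python
import base64
import binascii
import re

# Assumed patterns for illustration; not shellclear's shipped rules.
# Tool-agnostic: matches the header text itself, whichever program sends it.
AUTH_HEADER = re.compile(r"(?i)\bauthorization\s*:\s*basic\s+([^\s'\"]+)")
# curl -u user:pass, --user user:pass, or -uuser:pass with the password on the line.
CURL_USER = re.compile(r"\bcurl\b.*?\s(?:-u\s*|--user\s+)['\"]?([^\s'\"]+:[^\s'\"]+)")


def decode_basic(value):
    """Return 'user:password' if value is literal base64 of such a pair, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if ":" in text else None


def scan(line):
    """Return a list of (rule, detail) findings for one shell-history line."""
    findings = []
    m = AUTH_HEADER.search(line)
    if m:
        # A literal value decodes to the credential; $VAR or $(cmd) does not.
        detail = decode_basic(m.group(1)) or "opaque or indirect value"
        findings.append(("authorization-header", detail))
    m = CURL_USER.search(line)
    if m:
        findings.append(("curl-user-flag", m.group(1)))
    return findings


# Lines from the issue, plus constructed wget and negative samples.
HISTORY = [
    "curl -H 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=' website.com",
    "curl --header 'authorization: basic 123213=='",
    'curl -H "Authorization: Basic `cat /etc/secret`"',
    "curl -H `echo 'Authorization: Basic $SECRET'`",
    "curl -u username:password website.com",
    "wget --header='Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=' website.com",
    "curl -H 'Accept: application/json' website.com",  # negative
    "curl --upload-file report.txt website.com",  # negative
]

if __name__ == "__main__":
    for entry in HISTORY:
        print(scan(entry) or "clean", "<-", entry)
```

Matching the header text rather than the `curl ... -H` prefix is what lets the wget line hit the same rule.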