From da850fcb48045305ac0b5249b120badcbbfc041b Mon Sep 17 00:00:00 2001
From: ChieftainY2k
Date: Fri, 9 Feb 2024 09:48:15 +0100
Subject: [PATCH] Passive scan for Java error messages containing sensitive information (CWE-209) (#386)

Passive scan for Java error messages containing sensitive information.
Signed-off-by: ChieftainY2k
---
 CHANGELOG.md | 1 +
 passive/JavaDisclosure.js | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100755 passive/JavaDisclosure.js
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cfaa0017..da2e4cd0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Added
 - extender/arpSyndicateSubdomainDiscovery.js - uses the API of [ARPSyndicate's Subdomain Center](https://www.subdomain.center/) to find and add subdomains to the Sites Tree.
+- passive/JavaDisclosure.js - Passive scan for Java error messages leaks
 ## [18] - 2024-01-29
 ### Added
diff --git a/passive/JavaDisclosure.js b/passive/JavaDisclosure.js
new file mode 100755
index 00000000..d5864e42
--- /dev/null
+++ b/passive/JavaDisclosure.js
@@ -0,0 +1,29 @@
+//Passive scan for Java error messages containing sensitive information (CWE-209)
+
+function scan(ps, msg, src) {
+ var alertRisk = 2
+ var alertConfidence = 3
+ var alertTitle = 'Java stack trace disclosure'
+ var alertDesc = 'Java stack trace disclosure (or similar) was found'
+ var alertSolution = 'Investigate Java stack trace disclosures found in the response, remove or mask as required'
+ var cweId = 209
+ var wascId = 0
+
+ var re = /springframework|\.java|rootBeanClass/i
+
+ var contentType = msg.getResponseHeader().getHeader("Content-Type")
+ var unwantedFileTypes = ['image/png', 'image/jpeg', 'image/gif', 'application/x-shockwave-flash', 'application/pdf']
+
+ if (unwantedFileTypes.indexOf("" + contentType) >= 0) {
+ return
+ }
+
+ var body = msg.getResponseBody().toString()
+ if (re.test(body)) {
+ let url = msg.getRequestHeader().getURI().toString();
+ ps.raiseAlert(alertRisk, alertConfidence, alertTitle, alertDesc, url, '', '', body, alertSolution, body, cweId, wascId, msg)
+ }
+
+}
+
+
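Review bot: The whole response body is handed to `ps.raiseAlert` twice on the last statement of `scan` — as the `otherInfo` argument and again as `evidence` (going by the ZAP PassiveScript order `raiseAlert(risk, confidence, name, desc, uri, param, attack, otherInfo, solution, evidence, cweId, wascId, msg)`) — so every alert carries a full copy of the page and the alert view never shows which fragment actually triggered it. Capture the match and report only that: `var match = re.exec(body)`, `if (match) {` and `ps.raiseAlert(alertRisk, alertConfidence, alertTitle, alertDesc, url, '', '', '', alertSolution, match[0], cweId, wascId, msg)`. The pattern is also loose for an alert raised at High confidence (3): `\.java` and `springframework` fire on any page that merely mentions a source file or the framework (Javadoc, POM snippets, package names in JSON), so either anchor on a real frame such as `at [\w$.]+\([\w$]+\.java:\d+\)` or lower `alertConfidence` to Medium (2). `var wascId = 0` leaves the WASC field unset; 13 (Information Leakage) is the usual pairing for CWE-209.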