id: mixed-active-content

info:
  name: Mixed Active Content
  author: Liwermor
  severity: info
  description: |
    This check detects if there are any active content loaded over HTTP instead of HTTPS.
  reference:
    - https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content
    - https://portswigger.net/kb/issues/01000400_mixed-content
    - https://resources.infosecinstitute.com/topics/vulnerabilities/https-mixed-content-vulnerability/
    - https://docs.gitlab.com/ee/user/application_security/dast/checks/319.1.html
  metadata:
    max-request: 1
  tags: misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 3
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        negative: true
        regex:
          - "(?mi)<!--\\[if (lt|lte) IE [0-9]*\\]>\\s*<script[^>]*\\ssrc=\"http://"

      - type: regex
        part: body
        regex:
          - "<script[^>]*src=['\"]http://[^'\">]+['\"]"
          - "<iframe[^>]*src=['\"]http://[^'\">]+['\"]"
          - "<object[^>]*data=['\"]http://[^'\">]+['\"]"

      - type: dsl
        dsl:
          - 'startswith(tostring(BaseURL), "https://")'

    extractors:
      - type: regex
        group: 1
        part: body
        regex:
          - "<script[^>]*src=['\"](http[^s'\">][^'\">]*)['\"]"
          - "<iframe[^>]*src=['\"](http[^s'\">][^'\">]*)['\"]"
          - "<object[^>]*data=['\"](http[^s'\">][^'\">]*)['\"]"
# digest: 490a0046304402207e05fa38b8782a2e249d4c61827bf1869187c72c9cf5f80d7670be13f27c809802203060c90b8a8455be0327f1173c37d4d9e52cdf6c01ef06f9b5cfcbab39ecc40d:922c64590222798bb761d5b6d8e72950