id: servicenow-helpdesk-credential

info:
  name: ServiceNow Helpdesk Credential Exposure
  author: ok_bye_now
  severity: high
  description: Detection of exposed credentials in help the help desk JS file.
  reference:
    - https://jordanpotti.com/2021/02/21/ServiceNow-HelpTheHelpDeskAndTheHackers/
  metadata:
    max-request: 1
  tags: servicenow,exposure

http:
  - method: GET
    path:
      - "{{RootURL}}/HelpTheHelpDesk.jsdbx"

    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'var httpPassword = "encrypt:'

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        group: 1
        regex:
          - 'var server = "([a-z:/0-9.-]+)"'

# digest: 4b0a00483046022100e5f48cbee77ba10b368a8cfce7a88dc765f72859fadf0c9f07c629b255d1d6d1022100c007039888d1e7c26e8355dd0f6b3446d65decae8db21a2c7c5192f4638675e8:922c64590222798bb761d5b6d8e72950