id: servicenow-helpdesk-credential

info:
  name: ServiceNow Helpdesk Credential Exposure
  author: ok_bye_now
  severity: high
  description: Detection of exposed credentials in help the help desk JS file.
  reference:
    - https://jordanpotti.com/2021/02/21/ServiceNow-HelpTheHelpDeskAndTheHackers/
  tags: servicenow,exposure

requests:
  - method: GET
    path:
      - "{{RootURL}}/HelpTheHelpDesk.jsdbx"

    host-redirects: true
    max-redirects: 2
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'var httpPassword = "encrypt:'

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        group: 1
        regex:
          - 'var server = "([a-z:/0-9.-]+)"'