id: mixed-active-content

info:
  name: Mixed Active Content
  author: Liwermor
  severity: info
  description: |
    This check detects if there are any active content loaded over HTTP instead of HTTPS.
  reference:
    - https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content
    - https://portswigger.net/kb/issues/01000400_mixed-content
    - https://resources.infosecinstitute.com/topics/vulnerabilities/https-mixed-content-vulnerability/
    - https://docs.gitlab.com/ee/user/application_security/dast/checks/319.1.html
  metadata:
    max-request: 1
  tags: misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 3
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "<script[^>]*src=['\"]http://[^'\">]+['\"]"
          - "<iframe[^>]*src=['\"]http://[^'\">]+['\"]"
          - "<object[^>]*data=['\"]http://[^'\">]+['\"]"

      - type: dsl
        dsl:
          - 'startswith(tostring(BaseURL), "https://")'

    extractors:
      - type: regex
        group: 1
        part: body
        regex:
          - "<script[^>]*src=['\"](http[^s'\">][^'\">]*)['\"]"
          - "<iframe[^>]*src=['\"](http[^s'\">][^'\">]*)['\"]"
          - "<object[^>]*data=['\"](http[^s'\">][^'\">]*)['\"]"
# digest: 490a0046304402206da84b39f7171acdcb806ade774850286919e63b2628ec34cc1e808c55a50bc4022018d956b267ea58eac95a3c718ccb8706453332cb853e89eb235cd7775c4cdfa5:922c64590222798bb761d5b6d8e72950