Create rule S7141(secrets): Chief Tools API tokens should not be disclosed (APPSEC-2232) #4471
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
loris-s-sonarsource
changed the title
rules/S7141/secrets/rule.adoc
Outdated
| ==== Phishing and spam | ||
| I the leaked secret gives an attacker a Tny entitlement, an attacker can use | ||
| this API token to hide a malicious domain and use it in spam/phishing campaigns. | ||
|
|
||
| Spam can cause users to be exposed to the following: | ||
|
|
||
| * Unsolicited, inappropriate content, such as pornographic material | ||
| * Fraudulent attempts to trick users into sending information or money | ||
| * Abusive or hateful statements | ||
| * False advertising or fraudulent claims |
There was a problem hiding this comment.
Have you considered reusing the phishing.adoc here?
Although I agree its possible, I think mentioning pornographic material explicitly is not necessary.
There was a problem hiding this comment.
Yes, I considered using this file, I copied from it. The context is not the same, so I just copied and pasted its list of risks
There was a problem hiding this comment.
I'm sorry. I did not read the phishing. doc file entirely and did not notice the list of risks.
There was a problem hiding this comment.
it's alright, no worries
|
|
pierre-loup-tristant-sonarsource
merged commit 3763add
into
master
pierre-loup-tristant-sonarsource
changed the title
You can preview this rule here (updated a few minutes after each push).
Review
A dedicated reviewer checked the rule description successfully for: