feat(detectors): add RSA SecurID software token detector#5106
feat(detectors): add RSA SecurID software token detector#5106momomuchu wants to merge 3 commits into
Conversation
3c57a83 to
db29e15
Compare
rajpratham1
left a comment
There was a problem hiding this comment.
Good addition overall, but I think the Cursor finding is valid. contextPat recognizes both and , whereas Keywords() only returns "TKNBatch" and "sdtid". Since the Aho-Corasick prefilter gates execution of FromData, a valid token containing only may never be scanned. Could you add "TKNBasic" to Keywords() (or otherwise align the prefilter with contextPat) so all supported formats are reachable?
…flesecurity#4395 Detects RSA SecurID software tokens distributed as .sdtid XML files. A token export contains a <SN> element (12-digit serial number) and a <Seed> element (the TOTP seed, either a 128-bit hex value or an AES-encrypted seed in base64). Possession of the seed lets an attacker generate valid one-time passcodes, so both parts are emitted as a multi-part credential (serial + seed). False-positive defense: results are only emitted when an RSA SecurID structural marker (<TKNBatch>, <TKNBasic>, or the .sdtid extension) is present, so generic XML containing unrelated <SN>/<Seed> elements is not reported. The serial must be exactly 12 digits and the seed at least 16 characters. No public endpoint can validate a software token, so results are unverified. Registers the detector in pkg/engine/defaults and adds the RSASecurID (1057) enum to proto/detector_type.proto and the generated detector_typepb constants/maps.
… tokens are scanned, review feedback trufflesecurity#5106 contextPat matches <TKNBatch, <TKNBasic and .sdtid, but Keywords() only advertised "TKNBatch" and "sdtid". The Aho-Corasick prefilter gates FromData on Keywords(), so a token whose only structural marker is <TKNBasic> (no TKNBatch/sdtid literal) was dropped before ever being scanned. Add "TKNBasic" so every literal in contextPat has a covering keyword. Adds a BDD given/when/then test proving a <TKNBasic>-only token is now detected end-to-end through the real prefilter path, plus a structural test asserting every contextPat marker has a matching keyword. Existing negative controls unchanged.
… tokens are scanned — review feedback trufflesecurity#5106 contextPat matches <TKNBatch, <TKNBasic and .sdtid, but Keywords() only advertised "TKNBatch" and "sdtid". The Aho-Corasick prefilter gates FromData on Keywords(), so a token whose only structural marker is <TKNBasic> (no TKNBatch/sdtid literal) was dropped before ever being scanned. Add "TKNBasic" so every literal in contextPat has a covering keyword. Adds a BDD given/when/then test proving a <TKNBasic>-only token is now detected end-to-end through the real prefilter path, plus a structural test asserting every contextPat marker has a matching keyword. Existing negative controls unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
db29e15 to
73453d4
Compare
|
Addressed: |
73453d4 to
7c23b44
Compare
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit 7c23b44. Configure here.
|
Good catch. Fixed: |

Description
Closes #4395.
Adds a detector for RSA SecurID software tokens distributed as
.sdtidXML files. Each token export contains a<SN>serial (12 digits) and a<Seed>TOTP seed (128-bit hex, or an AES-encrypted seed in base64). The seed lets an attacker generate valid one-time passcodes and defeat the MFA factor, so both parts are reported as a multi-part credential (serial + seed).Detection rationale
<SN>(\d{12})</SN>and<Seed>([A-Za-z0-9+/]{16,}={0,2})</Seed>must both be present.<TKNBatch>,<TKNBasic>, or.sdtid) before emitting, so generic XML with unrelated<SN>/<Seed>elements is not flagged. This is the primary false-positive defense.unverified.Test coverage
8 pattern cases: 2 positive (hex seed, base64/encrypted seed) and 6 negative (SN only, Seed only, wrong element names, short seed, wrong-length serial, missing structural marker). All synthetic/fake values, no real token material.
Note on generated protobuf
proto/detector_type.protois updated with the newRSASecurIDenum, and the generateddetector_type.pb.gocarries the matching constant + name/value map entries so the package builds and the enum resolves. The embedded descriptor blob was not regenerated (themake protostoolchain runs in a pinned Docker image unavailable in my environment). Runningmake protosbefore merge will regenerate it cleanly from the updated proto source.Checklist
go test ./pkg/detectors/rsasecurid/...passinggo vet/gofmtcleanpkg/engine/defaultsNote
Low Risk
Additive secret scanner with structural guards and no verification or auth changes; main risk is false positives on SecurID-shaped XML in repos.
Overview
Adds a new RSA SecurID detector for
.sdtidXML exports that pairs a 12-digit<SN>with a<Seed>(hex or base64) and reports them as a multi-part credential (serial+seed,RawV2asserial:seed). Detection requires SecurID structure markers (<TKNBatch>,<TKNBasic>, or.sdtid) so unrelated XML is ignored; there is no remote verification, so findings stay unverified.Keywords()includesTKNBatch,TKNBasic, andsdtidso the Aho-Corasick prefilter does not skip valid blobs. Tests cover keyword/context alignment, a<TKNBasic>-only end-to-end path, and positive/negative pattern cases.The scanner is wired into default detectors and
DetectorType_RSASecurID(1058) is added inproto/detector_type.protowith matching generated Go enum/maps (descriptor blob updated in the diff).Reviewed by Cursor Bugbot for commit 1a6d7d9. Bugbot is set up for automated code reviews on this repo. Configure here.