diff --git a/Rules/AvoidUsingAllowUnencryptedAuthentication.cs b/Rules/AvoidUsingAllowUnencryptedAuthentication.cs
new file mode 100644
index 000000000..955de8113
--- /dev/null
+++ b/Rules/AvoidUsingAllowUnencryptedAuthentication.cs
@@ -0,0 +1,117 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Management.Automation.Language;
+using Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic;
+#if !CORECLR
+using System.ComponentModel.Composition;
+#endif
+using System.Globalization;
+
+namespace Microsoft.Windows.PowerShell.ScriptAnalyzer.BuiltinRules
+{
+ ///
+ /// AvoidUsingAllowUnencryptedAuthentication: Avoid sending credentials and secrets over unencrypted connections.
+ ///
+#if !CORECLR
+[Export(typeof(IScriptRule))]
+#endif
+ public class AvoidUsingAllowUnencryptedAuthentication : AvoidParameterGeneric
+ {
+ ///
+ /// Condition on the cmdlet that must be satisfied for the error to be raised
+ ///
+ ///
+ ///
+ public override bool CommandCondition(CommandAst CmdAst)
+ {
+ return true;
+ }
+
+ ///
+ /// Condition on the parameter that must be satisfied for the error to be raised.
+ ///
+ ///
+ ///
+ ///
+ public override bool ParameterCondition(CommandAst CmdAst, CommandElementAst CeAst)
+ {
+ return CeAst is CommandParameterAst && String.Equals((CeAst as CommandParameterAst).ParameterName, "AllowUnencryptedAuthentication", StringComparison.OrdinalIgnoreCase);
+ }
+
+ ///
+ /// Retrieves the error message
+ ///
+ ///
+ ///
+ ///
+ public override string GetError(string fileName, CommandAst cmdAst)
+ {
+ return String.Format(CultureInfo.CurrentCulture, Strings.AvoidUsingAllowUnencryptedAuthenticationError);
+ }
+
+ ///
+ /// GetName: Retrieves the name of this rule.
+ ///
+ /// The name of this rule
+ public override string GetName()
+ {
+ return string.Format(CultureInfo.CurrentCulture, Strings.NameSpaceFormat, GetSourceName(), Strings.AvoidUsingAllowUnencryptedAuthenticationName);
+ }
+
+ ///
+ /// GetCommonName: Retrieves the common name of this rule.
+ ///
+ /// The common name of this rule
+ public override string GetCommonName()
+ {
+ return string.Format(CultureInfo.CurrentCulture, Strings.AvoidUsingAllowUnencryptedAuthenticationCommonName);
+ }
+
+ ///
+ /// GetDescription: Retrieves the description of this rule.
+ ///
+ /// The description of this rule
+ public override string GetDescription()
+ {
+ return string.Format(CultureInfo.CurrentCulture, Strings.AvoidUsingAllowUnencryptedAuthenticationDescription);
+ }
+
+ ///
+ /// GetSourceType: Retrieves the type of the rule: builtin, managed or module.
+ ///
+ public override SourceType GetSourceType()
+ {
+ return SourceType.Builtin;
+ }
+
+ ///
+ /// GetSeverity: Retrieves the severity of the rule: error, warning or information.
+ ///
+ ///
+ public override RuleSeverity GetSeverity()
+ {
+ return RuleSeverity.Warning;
+ }
+
+ ///
+ /// DiagnosticSeverity: Retrieves the severity of the rule of type DiagnosticSeverity: error, warning or information.
+ ///
+ ///
+ public override DiagnosticSeverity GetDiagnosticSeverity()
+ {
+ return DiagnosticSeverity.Warning;
+ }
+
+ ///
+ /// GetSourceName: Retrieves the module/assembly name the rule is from.
+ ///
+ public override string GetSourceName()
+ {
+ return string.Format(CultureInfo.CurrentCulture, Strings.SourceName);
+ }
+ }
+}
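Review bot: ParameterCondition (L48) only accepts the full parameter name, so an abbreviated spelling that PowerShell still binds to the same switch (for example `-AllowUnencryptedAuth`) is not flagged, which leaves a gap in the very thing the rule is meant to catch; a prefix comparison such as `"AllowUnencryptedAuthentication".StartsWith(p.ParameterName, StringComparison.OrdinalIgnoreCase)` guarded by a minimum unambiguous prefix length would close it, with a matching case added in Tests/Rules/AvoidUsingAllowUnencryptedAuthentication.tests.ps1 (hunk at L160-L199). The `is` check followed by an `as` cast on the same line can be one pattern match: `return CeAst is CommandParameterAst p && String.Equals(p.ParameterName, "AllowUnencryptedAuthentication", StringComparison.OrdinalIgnoreCase);`. Since CommandCondition (L37) returns true for every command, the rule intentionally fires on any cmdlet carrying the parameter (as the test at L184 asserts); a one-line comment there, `// Any command: the switch name alone is the signal, not the cmdlet it is passed to.`, would make that design choice explicit for the next maintainer.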
diff --git a/Rules/Strings.resx b/Rules/Strings.resx
index 479ca1f7a..ff75828cf 100644
--- a/Rules/Strings.resx
+++ b/Rules/Strings.resx
@@ -1206,4 +1206,16 @@
Replace ! with -not
+
+ Avoid AllowUnencryptedAuthentication Switch
+
+
+ Avoid sending credentials and secrets over unencrypted connections.
+
+
+ The insecure AllowUsingUnencryptedAuthentication switch was used. This should be avoided except for compatability with legacy systems.
+
+
+ AvoidUsingAllowUnencryptedAuthentication
+
\ No newline at end of file
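Review bot: The error string at L137 names the switch as `AllowUsingUnencryptedAuthentication`, but the parameter the rule matches (L48 of the C# hunk) and the cmdlet's actual switch is `AllowUnencryptedAuthentication`, so the diagnostic shown to users will not match what they grep for; it also misspells "compatibility". Suggested value: `The insecure AllowUnencryptedAuthentication switch was used. This should be avoided except for compatibility with legacy systems.`. The same "compatability" spelling appears in the docs hunk at L220.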
diff --git a/Tests/Engine/GetScriptAnalyzerRule.tests.ps1 b/Tests/Engine/GetScriptAnalyzerRule.tests.ps1
index 960a2fcd5..93824060a 100644
--- a/Tests/Engine/GetScriptAnalyzerRule.tests.ps1
+++ b/Tests/Engine/GetScriptAnalyzerRule.tests.ps1
@@ -63,7 +63,7 @@ Describe "Test Name parameters" {
It "get Rules with no parameters supplied" {
$defaultRules = Get-ScriptAnalyzerRule
- $expectedNumRules = 69
+ $expectedNumRules = 70
if ($PSVersionTable.PSVersion.Major -le 4)
{
# for PSv3 PSAvoidGlobalAliases is not shipped because
diff --git a/Tests/Rules/AvoidUsingAllowUnencryptedAuthentication.tests.ps1 b/Tests/Rules/AvoidUsingAllowUnencryptedAuthentication.tests.ps1
new file mode 100644
index 000000000..ca89b280c
--- /dev/null
+++ b/Tests/Rules/AvoidUsingAllowUnencryptedAuthentication.tests.ps1
@@ -0,0 +1,38 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+BeforeAll {
+ $settings = @{
+ IncludeRules = @('PSAvoidUsingAllowUnencryptedAuthentication')
+ Rules = @{
+ PSAvoidUsingAllowUnencryptedAuthentication = @{
+ Enable = $true
+ }
+ }
+ }
+}
+
+Describe "AvoidUsingAllowUnencryptedAuthentication" {
+ Context "When there are violations" {
+ It "detects unencrypted authentication violations" {
+ (Invoke-ScriptAnalyzer -ScriptDefinition 'Invoke-WebRequest foo -AllowUnencryptedAuthentication' -Settings $settings).Count | Should -Be 1
+ (Invoke-ScriptAnalyzer -ScriptDefinition 'Invoke-RestMethod foo -AllowUnencryptedAuthentication' -Settings $settings).Count | Should -Be 1
+ (Invoke-ScriptAnalyzer -ScriptDefinition 'iwr foo -AllowUnencryptedAuthentication' -Settings $settings).Count | Should -Be 1
+ }
+
+ It "detects arbitrary cmdlets" {
+ (Invoke-ScriptAnalyzer -ScriptDefinition 'Invoke-CustomWebRequest foo -AllowUnencryptedAuthentication' -Settings $settings).Count | Should -Be 1
+ }
+
+ }
+
+ Context "When there are no violations" {
+ It "does not flag safe usage" {
+ (Invoke-ScriptAnalyzer -ScriptDefinition 'Invoke-WebRequest foo' -Settings $settings).Count | Should -Be 0
+ }
+
+ It "does not flag cases with unrelated parameters" {
+ (Invoke-ScriptAnalyzer -ScriptDefinition 'Invoke-WebRequest foo -Method Get' -Settings $settings).Count | Should -Be 0
+ }
+ }
+}
\ No newline at end of file
diff --git a/docs/Rules/AvoidUsingAllowUnencryptedAuthentication.md b/docs/Rules/AvoidUsingAllowUnencryptedAuthentication.md
new file mode 100644
index 000000000..c30b69844
--- /dev/null
+++ b/docs/Rules/AvoidUsingAllowUnencryptedAuthentication.md
@@ -0,0 +1,35 @@
+---
+description: Avoid sending credentials and secrets over unencrypted connections
+ms.custom: PSSA v1.22.0
+ms.date: 11/06/2022
+ms.topic: reference
+title: AvoidUsingAllowUnencryptedAuthentication
+---
+# AvoidUsingAllowUnencryptedAuthentication
+
+**Severity Level: Warning**
+
+## Description
+
+Avoid using the `AllowUnencryptedAuthentication` switch on `Invoke-WebRequest`, `Invoke-RestMethod`, and other webrequest cmdlets, which sends credentials and secrets over unencrypted connections.
+This should be avoided except for compatability with legacy systems.
+
+For more details, see the documentation warning [here](https://learn.microsoft.com/powershell/module/microsoft.powershell.utility/invoke-webrequest#-allowunencryptedauthentication).
+
+## How
+
+Avoid using the `AllowUnencryptedAuthentication` switch.
+
+## Example 1
+
+### Wrong
+
+```powershell
+Invoke-WebRequest foo -AllowUnencryptedAuthentication
+```
+
+### Correct
+
+```powershell
+Invoke-WebRequest foo
+```
\ No newline at end of file
diff --git a/docs/Rules/README.md b/docs/Rules/README.md
index 42c2003ad..6eea549aa 100644
--- a/docs/Rules/README.md
+++ b/docs/Rules/README.md
@@ -27,6 +27,7 @@ The PSScriptAnalyzer contains the following rule definitions.
| [AvoidSemicolonsAsLineTerminators](./AvoidSemicolonsAsLineTerminators.md) | Warning | No | |
| [AvoidShouldContinueWithoutForce](./AvoidShouldContinueWithoutForce.md) | Warning | Yes | |
| [AvoidTrailingWhitespace](./AvoidTrailingWhitespace.md) | Warning | Yes | |
+| [AvoidUsingAllowUnencryptedAuthentication](./AvoidUsingAllowUnencryptedAuthentication.md) | Warning | Yes | |
| [AvoidUsingBrokenHashAlgorithms](./AvoidUsingBrokenHashAlgorithms.md) | Warning | Yes | |
| [AvoidUsingCmdletAliases](./AvoidUsingCmdletAliases.md) | Warning | Yes | Yes2 |
| [AvoidUsingComputerNameHardcoded](./AvoidUsingComputerNameHardcoded.md) | Error | Yes | |