    async def attack(self, request: Request):
        """Audit the Content-Security-Policy header served by the site root.

        The module only ever probes the root URL once, so it is flagged as
        finished up front. A missing header is reported as one low-severity
        finding; otherwise each directive in ``CSP_CHECK_LISTS`` is rated with
        :func:`check_policy_values` and reported when it is absent (-1) or
        holds an unsafe value (0). Positive results are treated as acceptable
        and not reported.

        Args:
            request: Any request for the target; only its URL is used, to
                derive the root request that is actually fetched.
        """
        self.finished = True
        root_request = Request(request.url)

        try:
            response = await self.crawler.async_get(root_request, follow_redirects=True)
        except RequestError:
            # Transport failure: count it and give up, the header cannot be judged.
            self.network_errors += 1
            return

        if "Content-Security-Policy" not in response.headers:
            self.log_red(MSG_NO_CSP)
            await self.add_vuln_low(
                category=NAME,
                request=root_request,
                info=MSG_NO_CSP
            )
            return

        csp_dict = csp_header_to_dict(response.headers["Content-Security-Policy"])

        for policy_name in CSP_CHECK_LISTS:
            verdict = check_policy_values(policy_name, csp_dict)
            if verdict > 0:
                continue

            # -1 means the directive is not declared at all; anything else
            # non-positive means it is declared with a weak value.
            template = MSG_CSP_MISSING if verdict == -1 else MSG_CSP_UNSAFE
            finding = template.format(policy_name)

            self.log_red(finding)
            await self.add_vuln_low(
                category=NAME,
                request=root_request,
                info=finding
            )
    def attack(self):
        """Audit the Content-Security-Policy header of the persisted root URL.

        Fetches the root URL once (following redirects). A missing header
        yields a single low-level finding; otherwise every directive listed
        in ``CSP_CHECK_LISTS`` is rated with :func:`check_policy_values` and
        reported when absent (-1) or set to an unsafe value (0).

        This is a generator: it yields exactly once, after all findings have
        been logged and recorded.
        """
        request = Request(self.persister.get_root_url())
        response = self.crawler.get(request, follow_redirects=True)

        def report(info):
            # Every finding is logged and stored the same way at LOW_LEVEL.
            self.log_red(info)
            self.add_vuln(category=NAME,
                          level=LOW_LEVEL,
                          request=request,
                          info=info)

        headers = response.headers
        if "Content-Security-Policy" not in headers:
            report(MSG_NO_CSP)
        else:
            csp_dict = csp_header_to_dict(headers["Content-Security-Policy"])

            for policy_name in CSP_CHECK_LISTS:
                verdict = check_policy_values(policy_name, csp_dict)

                if verdict == -1:
                    report(MSG_CSP_MISSING.format(policy_name))
                elif verdict == 0:
                    report(MSG_CSP_UNSAFE.format(policy_name))

        yield
def test_bad_csp_examples():
    """Known-weak script-src policies must be rated unsafe (0).

    Examples taken from https://www.slideshare.net/LukasWeichselbaum/breaking-bad-csp
    See also: https://www.netsparker.com/blog/web-security/negative-impact-incorrect-csp-implementations/
    """
    weak_policies = (
        # 'unsafe-inline' lets any inline script run
        "script-src 'self' 'unsafe-inline'; object-src 'none';",
        # a bare URL scheme whitelists every https: origin
        "script-src 'self' https:; object-src 'none' ;",
        # a wildcard source whitelists everything
        "script-src 'self' *; object-src 'none' ;",
    )

    for header in weak_policies:
        csp_dict = csp_header_to_dict(header)
        assert check_policy_values("script-src", csp_dict) == 0, header
def test_missing_csp_directive():
    """A directive that the policy never declares must be rated missing (-1)."""
    policy = csp_header_to_dict("script-src 'self'")
    assert check_policy_values("default-src", policy) == -1