Hi Andres,

According to your mail,

> I think that we should be able to detect the following vulnerabilities:
> * CSP not in use
> * CSP in use but poorly configured: "default-src", "script-src", "object-src"
>   directives with value set to "*"
> * CSP in "reporting" mode: "report-uri" is found
> * CSP enables 'unsafe-inline'
> * CSP enables 'unsafe-eval'
>
> I wasn't able to read the whole spec, one question: What's the scope
> of CSP? If for example the browser accesses http://foo.com/bar.jsp and
> that resource returns CSP headers (properly configured, etc.) and then
> follows a link to http://foo.com/ , is the CSP configuration
> "remembered" or is it URL-scoped? If the scope is URL, then we should
> have some type of "protection" against reporting N vulns for each URL
> in the site.

I understand that CSP is page-scoped: CSP defines, for a resource, the content loading policy to be applied by the user agent. For me the Grep plugin should focus on CSP in an XSS context and work at page level. It should report only a single issue indicating that the page rendering HTML/XHTML content contains poorly configured CSP directives (for example: "default-src: *" / "script-src: *" / "object-src: *")...

About the detection points, I think that detecting 'unsafe-inline' will cause many false positives, because many applications use script code in their pages and it does not always imply XSS vulnerabilities.

> Recommendation: write a separate python module that parses the CSP
> header, I have the feeling we'll use it in more places than just the
> csp.py grep plugin.

Totally agree, I'm working in that direction ;o)

-- 
Cordialement, Best regards,
Dominique Righetto
dominique.righe...@gmail.com
dominique.righe...@owasp.org
Twitter: @righettod
GPG: 0xC34A4565323D19BA
http://righettod.github.com
"No trees were killed to send this message, but a large number of electrons were terribly inconvenienced."
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
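A worked example of the stand-alone CSP parser and the checks discussed in the thread, written for this page in Python (the language of w3af); it is added here and is not code from the w3af project or from either mail author. Assumptions: the header names (the standard ones plus the pre-standard X-Content-Security-Policy / X-WebKit-CSP spellings), the issue strings, the function names and the sample responses are all constructed for illustration. Two practitioner details are built in: reporting mode is recognised by the Content-Security-Policy-Report-Only header name rather than by the presence of report-uri (an enforced policy can carry report-uri too), and 'unsafe-inline' is only flagged when no nonce or hash source sits beside it, because CSP Level 2 browsers ignore the keyword in that case. Identical policies served by several HTML pages are grouped, so a site is reported once per distinct policy rather than once per URL.

```python
# Added example (not w3af code): parse Content-Security-Policy headers, flag the weak
# configurations from the thread, and report each distinct policy once per site.
from typing import Dict, List, Optional, Tuple

# Header names a grep plugin would inspect (assumption: the X- prefixed names are the
# pre-standard spellings used by early browser builds and are still worth matching).
ENFORCING_HEADERS = ("content-security-policy", "x-content-security-policy", "x-webkit-csp")
REPORT_ONLY_HEADERS = ("content-security-policy-report-only",
                       "x-content-security-policy-report-only")

# Directives relevant to script execution and plugin loading; both fall back to
# default-src when they are absent from the policy.
FETCH_DIRECTIVES = ("script-src", "object-src")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive-name: [source expressions]}.

    Directives are ';'-separated; the first whitespace token is the name, the rest are
    sources. A repeated directive is ignored (first occurrence wins), as the spec says.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources that apply to `directive`, honouring the default-src fallback.
    Returns None when nothing restricts the directive at all."""
    return policy[directive] if directive in policy else policy.get("default-src")


def check_policy(policy: Dict[str, List[str]], report_only: bool) -> List[str]:
    """Return the weaknesses found in one parsed policy (issue strings are constructed)."""
    issues: List[str] = []
    if report_only:
        issues.append("report-only mode, policy not enforced")
    for directive in FETCH_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if sources is None:
            issues.append(f"{directive} unrestricted (no {directive} and no default-src)")
            continue
        lowered = [s.lower() for s in sources]  # keyword matching is case-insensitive
        if "*" in lowered:
            issues.append(f"{directive} allows any origin ('*')")
        if directive == "script-src":
            # CSP2 browsers ignore 'unsafe-inline' when a nonce or hash source is present,
            # so only flag it when it is actually in effect (reduces false positives).
            has_nonce_or_hash = any(
                s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
            if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
                issues.append("script-src allows 'unsafe-inline'")
            if "'unsafe-eval'" in lowered:
                issues.append("script-src allows 'unsafe-eval'")
    return issues


def fingerprint(policy: Dict[str, List[str]]) -> str:
    """Canonical form of a parsed policy, used to group identical policies."""
    return "; ".join(f"{name} {' '.join(srcs)}".strip() for name, srcs in sorted(policy.items()))


def check_response(headers: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Inspect one response's headers; returns (policy fingerprint or None, issues).
    An enforcing header takes precedence over a report-only one when both are present."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for names, report_only in ((ENFORCING_HEADERS, False), (REPORT_ONLY_HEADERS, True)):
        for name in names:
            if name in lowered:
                policy = parse_csp(lowered[name])
                return fingerprint(policy), check_policy(policy, report_only)
    return None, ["CSP not in use"]


def grep_site(responses) -> Dict[str, Dict[str, list]]:
    """responses: iterable of (url, content_type, headers). Only HTML/XHTML pages are
    checked, and pages sharing one policy collapse into a single finding listing their URLs."""
    findings: Dict[str, Dict[str, list]] = {}
    for url, content_type, headers in responses:
        if not content_type.lower().startswith(("text/html", "application/xhtml+xml")):
            continue
        fp, issues = check_response(headers)
        if issues:
            entry = findings.setdefault(fp if fp is not None else "<no csp>",
                                        {"issues": issues, "urls": []})
            entry["urls"].append(url)
    return findings


# Constructed sample responses (not captured traffic) covering each case from the thread.
WEAK = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
SAMPLE_RESPONSES = [
    ("http://foo.com/bar.jsp", "text/html", {"Content-Security-Policy":
        "default-src 'self'; script-src 'self' https://cdn.foo.com; object-src 'none'"}),
    ("http://foo.com/", "text/html", {"Content-Security-Policy": WEAK}),
    ("http://foo.com/help", "text/html", {"Content-Security-Policy": WEAK}),
    ("http://foo.com/beta", "text/html", {"Content-Security-Policy-Report-Only":
        "default-src 'self'; report-uri /csp-report"}),
    ("http://foo.com/logo.png", "image/png", {}),
    ("http://foo.com/legacy", "text/html", {}),
]

if __name__ == "__main__":
    for policy_fp, finding in grep_site(SAMPLE_RESPONSES).items():
        print(policy_fp, finding["issues"], finding["urls"])
```

Running the module prints three findings for the six constructed responses: the shared weak policy once with both URLs, the report-only policy on /beta, and the missing header on /legacy; bar.jsp and the PNG produce nothing.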