Dom,

On Sun, Nov 11, 2012 at 7:26 AM, Dominique RIGHETTO <dominique.righe...@gmail.com> wrote:
> Hi Andres,
>
> According to your mail,
>
>> I think that we should be able to detect the following vulnerabilities:
>>  * CSP not in use
>>  * CSP in use but poorly configured: "default-src", "script-src", "object-src"
>>    directives with value set to "*"
>>  * CSP in "reporting" mode: "report-uri" is found
>>  * CSP enables 'unsafe-inline'
>>  * CSP enables 'unsafe-eval'
>
>> I wasn't able to read the whole spec, one question: what's the scope
>> of CSP? If for example the browser accesses http://foo.com/bar.jsp and
>> that resource returns CSP headers (properly configured, etc.) and then
>> follows a link to http://foo.com/ , is the CSP configuration
>> "remembered" or is it URL-scoped? If the scope is URL, then we should
>> have some type of "protection" against reporting N vulns for each URL
>> in the site.
>
> I understand that CSP is page-scoped: CSP defines, for a resource, the
> content loading policy to be applied by the user agent. For me the Grep
> plugin should focus on CSP in an XSS context and work at page level. It
> should report only a single issue indicating that the page rendering
> HTML/XHTML content contains poorly configured CSP directives (for
> example: "default-src: *"/"script-src: *"/"object-src: *")...
Agreed,

> About the detection point, I think that detecting 'unsafe-inline' will cause
> many false positives because many applications use script code in their
> pages and it does not always imply XSS vulnerabilities.

The CSP grep plugin shouldn't say something like "if unsafe_inline_enabled(): return xss_vulnerability()"; it should be more like "if unsafe_inline_enabled(): return information message recommending the user to correctly configure CSP". Having a correctly configured script-src, object-src, default-src doesn't do much good to protect you against XSS if you've got unsafe-inline enabled.

>> Recommendation: write a separate python module that parses the CSP
>> header, I have the feeling we'll use it in more places than just the
>> csp.py grep plugin.
>
> Totally agree, I'm working on it this way ;o)

Also, I just realized this while reading this email, but it actually is more related to the previous one... could you add a method that extracts the report-uri (if any) from the headers? I'll integrate this into our parsers when it is available. This will allow us to find vulnerabilities in that URL :)

Regards,

> --
> Cordialement, Best regards,
> Dominique Righetto
> dominique.righe...@gmail.com
> dominique.righe...@owasp.org
> Twitter: @righettod
> GPG: 0xC34A4565323D19BA
> http://righettod.github.com
> "No trees were killed to send this message, but a large number of
> electrons were terribly inconvenienced."

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
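As an added example (my own code, not w3af's and not the module Dominique is writing), here is what the separate CSP module discussed above could look like: a parser for the CSP header, the report-uri extractor Andrés asks for, the checks from the quoted list (missing CSP, "*" on default-src/script-src/object-src, report-uri found, 'unsafe-inline', 'unsafe-eval') reported as informational findings rather than as XSS, and a page-level grep that reports one issue set per distinct policy instead of one per URL. The three header names are the real 2012-era ones; the function names, finding texts, severities and the sample responses are my assumptions.

```python
# Added example, not w3af code. Header names are the real 2012-era CSP headers;
# function names, finding texts, severities and sample responses are assumptions.
from collections import OrderedDict

CSP_HEADERS = ("content-security-policy",      # standard name
               "x-content-security-policy",    # Firefox/IE experimental name
               "x-webkit-csp")                 # WebKit experimental name
REPORT_ONLY_SUFFIX = "-report-only"
WILDCARD_CHECKED = ("default-src", "script-src", "object-src")


def parse_csp(policy):
    """Policy string -> directive name -> [source expressions].
    Directives are ';'-separated, sources whitespace-separated; names are
    lower-cased and a repeated directive keeps its first occurrence (as the
    spec requires, later copies are ignored)."""
    directives = OrderedDict()
    for raw in policy.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def _lowered(headers):
    return dict((k.lower(), v) for k, v in headers.items())


def find_csp_header(headers):
    """Case-insensitive lookup; returns (policy, report_only) or None."""
    lowered = _lowered(headers)
    for name in CSP_HEADERS:
        if name in lowered:
            return lowered[name], False
        if name + REPORT_ONLY_SUFFIX in lowered:
            return lowered[name + REPORT_ONLY_SUFFIX], True
    return None


def get_report_uri(headers):
    """The report-uri extraction asked for in the mail: first value or None."""
    found = find_csp_header(headers)
    if found is None:
        return None
    values = parse_csp(found[0]).get("report-uri", [])
    return values[0] if values else None


def effective_sources(directives, name):
    """CSP 1.0 fallback: a missing fetch directive inherits default-src."""
    return directives.get(name, directives.get("default-src", []))


def check_csp(headers):
    """[(message, severity)] for one response: information, not 'XSS found'."""
    found = find_csp_header(headers)
    if found is None:
        return [("CSP not in use", "info")]
    policy, report_only = found
    directives = parse_csp(policy)
    findings = []
    for name in WILDCARD_CHECKED:            # literal "*" on the three directives
        if "*" in directives.get(name, []):
            findings.append(("CSP directive {} allows any source (*)".format(name), "low"))
    scripts = effective_sources(directives, "script-src")
    if "'unsafe-inline'" in scripts:
        findings.append(("CSP allows 'unsafe-inline' for scripts", "info"))
    if "'unsafe-eval'" in scripts:
        findings.append(("CSP allows 'unsafe-eval' for scripts", "info"))
    uri = get_report_uri(headers)
    if uri is not None:
        findings.append(("CSP report-uri found: {}".format(uri), "info"))
    if report_only:
        findings.append(("CSP header is report-only, policy not enforced", "info"))
    return findings


def is_html(headers):
    ctype = _lowered(headers).get("content-type", "")
    return ctype.split(";")[0].strip().lower() in ("text/html", "application/xhtml+xml")


def normalize_policy(found):
    """Canonical key so the same policy seen on N URLs is reported once."""
    if found is None:
        return "missing"
    policy, report_only = found
    parts = ["{} {}".format(n, " ".join(sorted(s)))
             for n, s in sorted(parse_csp(policy).items())]
    return ("report-only " if report_only else "") + "; ".join(parts)


class CspGrep(object):
    """Page-level grep: only HTML/XHTML responses, one issue set per policy."""
    def __init__(self):
        self._seen = set()

    def grep(self, url, headers):
        if not is_html(headers):
            return []
        key = normalize_policy(find_csp_header(headers))
        if key in self._seen:
            return []
        self._seen.add(key)
        return check_csp(headers)


# Constructed sample responses (not real traffic); the second repeats the first's policy.
POLICY = ("default-src 'self'; script-src 'self' 'unsafe-inline' *; "
          "object-src *; report-uri /csp-report")
HTML = "text/html; charset=utf-8"
SAMPLE_RESPONSES = [
    ("http://www.example.com/bar.jsp", {"Content-Type": HTML, "X-Content-Security-Policy": POLICY}),
    ("http://www.example.com/", {"Content-Type": HTML, "X-Content-Security-Policy": POLICY}),
    ("http://www.example.com/about", {"Content-Type": "text/html"}),
    ("http://www.example.com/app.js", {"Content-Type": "application/javascript"}),
]

if __name__ == "__main__":
    grep = CspGrep()
    for url, headers in SAMPLE_RESPONSES:
        for message, severity in grep.grep(url, headers):
            print("{} [{}] {}".format(url, severity, message))
```

Running the block prints four findings for bar.jsp, nothing for the second page (same policy, already reported), "CSP not in use" once for the CSP-less HTML page, and nothing for the JavaScript resource. The unsafe-inline and unsafe-eval checks look at the effective script sources (script-src, else default-src), which is why a policy consisting only of `default-src 'self' 'unsafe-eval'` is still flagged; the wildcard check stays literal on the three directives named in the thread so a single `default-src *` does not produce three findings.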