Dom,
Ok, I'll subscribe/follow those tasks and comment on them
Regards,
On Sat, Dec 15, 2012 at 6:19 AM, Dominique RIGHETTO
<dominique.righe...@gmail.com> wrote:
> Hi Andres,
>
> In order to facilitate tracking of the tasks that you have provided to me I
> wil use the "Issues" feature of my dedicated Github repository :
>
> https://github.com/righettod/w3af-contribs/issues?state=open
>
> Dom
>
>
>
> On 14/12/2012 15:01, Andres Riancho wrote:
>>
>> Dom,
>>
>> This is my code review for the CSP tests and utils:
>>
>> * All the tests passed without any modifications
>>
>> * Code in utils.py looks very clean, great improvement :)
>>
>> * Code in test_utils.py did not respect the 80 column limit, applied
>> autopep8 to it to fix it
>>
>> * This is kind of hard to read:
>>
>> hrds[CSP_HEADER_FIREFOX] = CSP_DIRECTIVE_IMAGE + " '" + \
>> CSP_DIRECTIVE_VALUE_UNSAFE_INLINE + "'"
>> hrds[CSP_HEADER_W3C_REPORT_ONLY] = CSP_DIRECTIVE_DEFAULT + \
>> " 'self';" + CSP_DIRECTIVE_REPORT_URI + " http://example.com";
>> hrds[CSP_HEADER_W3C] = CSP_DIRECTIVE_SCRIPT + " 'self';" + \
>> CSP_DIRECTIVE_REPORT_URI + " /myrelativeuri"
>>
>> For the next contribution, I think that it would be fine to have tests
>> that don't use the constants and instead look like:
>>
>> hrds[CSP_HEADER_FIREFOX] = "img-src 'unsafe-inline'"
>> hrds[CSP_HEADER_W3C_REPORT_ONLY] = "default-src 'self';
>> report-uri http://example.com";
>> ...
>>
>> * Question: "Do we need these extra lines in
>> test_unsafe_inline_enabled_no_case02?"
>>
>> hrds[CSP_HEADER_W3C_REPORT_ONLY] = CSP_DIRECTIVE_DEFAULT + \
>> " 'self';" + CSP_DIRECTIVE_REPORT_URI + " http://example.com";
>> hrds[CSP_HEADER_W3C] = CSP_DIRECTIVE_SCRIPT + " 'self';" + \
>> CSP_DIRECTIVE_REPORT_URI + " /myrelativeuri"
>>
>> I usually prefer the tests as short as possible. Maybe you're testing
>> that these headers don't interfere with the CSP_HEADER_FIREFOX also?
>>
>> * Added a new test case (see: test_provides_csp_features_no_case02)
>> where this CSP is provided:
>>
>> # Note the errors in the directive:
>> # default-src -> default-source
>> # img-src -> image-src
>> header_value = "default-source 'self'; image-src *"
>>
>> And then tested provides_csp_features, which in my opinion should
>> return False (because the browser will ignore it) and returned True.
>>
>> * See also test_provides_csp_features_no_case03
>>
>> To sum up, great work on the utils and tests, I'm very happy with this
>> code :) Regarding the next steps:
>>
>> * retrieve_csp_report_uri could be easily integrated with w3af's
>> code in order to extract URIs from those headers and make them
>> available to other plugins to find vulnerabilities in them. This
>> should be done in core.data.requests.factory (there is similar code
>> there for handling 302 redirects). Do you want to give it a try?
>>
>> * The code we have up to now is a great parser for CSP, but lacks
>> high level functions/methods to easily use in other places of the
>> framework. In the future I would like the xss.py code to look
>> something like this:
>>
>> if vulnerability_found(response):
>> if correctly_implements_csp(response):
>> msg = 'Your site is vulnerable to XSS but this
>> vulnerability is mitigated because you correctly implemented CSP, only
>> old browsers will be affected by it'
>> else:
>> msg = 'Your site is vulnerable to XSS'
>>
>> Do you think that it would be possible to achieve this kind of
>> abstraction? Could you add it to the utils.py module and test it?
>>
>> Thanks for your contributions and sorry for the delay.
>>
>> PS: Gtalk to me if you've got a minute to talk about this
>>
>> Regards,
>>
>> On Fri, Dec 14, 2012 at 10:04 AM, Andres Riancho
>> <andres.rian...@gmail.com> wrote:
>>>
>>> Damn! Forgot about this one, reading right now. Give me some mins.
>>>
>>> On Fri, Nov 30, 2012 at 12:16 PM, Andres Riancho
>>> <andres.rian...@gmail.com> wrote:
>>>>
>>>> I'm on vacations until next Monday, I'll answer that day.
>>>>
>>>> On Fri, Nov 30, 2012 at 2:41 AM, Dominique Righetto
>>>> <dominique.righe...@gmail.com> wrote:
>>>>>
>>>>> Andres,
>>>>>
>>>>> I have implemented all your remarks and I have aligned the "utils.py"
>>>>> code
>>>>> to stick to 80 columns using the Python official style guide
>>>>> recommendation.
>>>>>
>>>>> I have executed my unit tests against the revision 6177 of Threading2
>>>>> branch
>>>>> (last from today) and all unit tests pass.
>>>>>
>>>>> The github repo is up to date with source code.
>>>>>
>>>>> Thanks in advance for your review ;o)
>>>>>
>>>>> Dom
>>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Keep yourself connected to Go Parallel:
>>>>> TUNE You got it built. Now make it sing. Tune shows you how.
>>>>> http://goparallel.sourceforge.net
>>>>> _______________________________________________
>>>>> W3af-develop mailing list
>>>>> W3af-develop@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Andrés Riancho
>>>> Project Leader at w3af - http://w3af.org/
>>>> Web Application Attack and Audit Framework
>>>> Twitter: @w3af
>>>> GPG: 0x93C344F3
>>>
>>>
>>>
>>>
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>
>>
>>
>>
>
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
