Andres, I have updated the associated Github ticket with your feedback:
https://github.com/righettod/w3af-contribs/issues/2

I will work on it on my next free time ;)

For code duplication: It's intentional, the spec is in Draft status and the directives' content evolves. From my point of view, I prefer to separate each vuln search for each directive in order to always have the possibility to add a special case or cross-check between directives... Refactoring is a very good idea but this one should be done when the spec has stabilized...

Dom

On 02/01/2013 14:18, Andres Riancho wrote:
> Dom,
>
> On Wed, Jan 2, 2013 at 7:51 AM, Dominique RIGHETTO
> <dominique.righe...@gmail.com> wrote:
>> Hello,
>>
>> To begin with I present to you my best wishes for 2013 :)
>
> Thanks! My best wishes to you too in this new year that's just starting
> :)
>
>> I have added a method to find vulnerabilities in CSP policies from an
>> HTTP response; it analyzes directives for
>> permissive/invalid configuration and misspelled directive names.
>>
>> I have also added dedicated test cases in the unit test class.
>>
>> I have executed the unit tests against revision 6578 of the Threading2 branch of
>> the W3AF SVN repository.
>>
>> See
>> https://github.com/righettod/w3af-contribs/commit/b2787b5371267d860b7a73ca23081d4bf2048e04
>
> Very nice! This is evolving very quickly into what I imagined when
> you told me what you wanted to do :) I have a couple of potential
> improvements that I would like to see before merging into w3af and
> starting with the creation of the CSP plugin:
>
> * find_vulns returns a dict with the CSP directive and a string
> describing the vulnerability as value. While this is good as a start
> it looks like we'll need something more in the future. If we want to
> write a plugin that shows CSP directive misconfigurations to the user
> I think that "Directive 'default-src' allow all sources." is not as
> bad as "Directive 'img-src' allow all image sources." in terms of
> severity / impact to the security of the site. So, my proposal is for
> you to return a NamedTuple [0] as value of that dict. I've discovered
> NamedTuples recently but I learned to love them quickly :) So,
> basically we would have something like:
>
>     from collections import namedtuple
>     import core.data.constants.severity as severity
>
>     CSPVulnerability = namedtuple('CSPVulnerability', ['desc', 'severity'])
>
>     csp_vuln_default_src = CSPVulnerability("Directive 'default-src' allow all sources.", severity.HIGH)
>     csp_vuln_image_src = CSPVulnerability("Directive 'img-src' allow all image sources.", severity.LOW)
>
>     result[CSP_DIRECTIVE_DEFAULT] = csp_vuln_default_src
>     result[CSP_DIRECTIVE_IMAGE] = csp_vuln_image_src
>
> * I've been working with the xss.py during the last days (mostly
> merged Taras' work) and one of the things we're missing there is the
> CSP policy check. Now the code looks like this:
>
>     for contexts in get_context(response.get_body(), mod_value):
>         for context in contexts:
>             if context.is_executable() or context.can_break(mod_value):
>                 self._report_vuln(mutant, response, mod_value)
>                 return
>
> Which means: "Search for the string that I sent in the body and return
> the contexts [1] it is in; for each context verify if the string we
> sent can break out of that context, if so then we have a
> vulnerability". For example:
>
>     mod_value: abc<def>ghi
>     response_body: <html>hello abc<def>ghi</html>
>     contexts for mod_value: HTML_TEXT
>     can_break: True (because the < and > we sent were not escaped)
>
> The problem is that we're reporting this as an XSS with severity HIGH
> without knowing if the site has CSP enabled or not, which I think
> should modify the severity. So, what I would like to have in the csp
> module is a function that returns True/False for the question "site is
> protected against XSS". So, for example, if the default-src is set to
> *, it would return False, if unsafe-inline is set, then return False,
> etc. This will be integrated into the xss.py plugin like this:
>
>     for contexts in get_context(response.get_body(), mod_value):
>         for context in contexts:
>             if context.is_executable() or context.can_break(mod_value):
>                 if csp.site_protected_against_xss_by_csp(response):
>                     self._report_vuln(mutant, response, mod_value, severity.MEDIUM)
>                 else:
>                     self._report_vuln(mutant, response, mod_value, severity.HIGH)
>
> * Finally, there seems to be a lot of repeated code in find_vulns
> (mostly in the analysis of each policy, ####Directive "connect-src",
> ####Directive "form-action", etc.). Could you try to refactor that?
> What could be done is something like this:
>
>     from functools import partial
>
>     def generic_star_analyzer(csp_policy, vuln_severity, csp_value):
>         if '*' == csp_value:
>             csp_vuln = CSPVulnerability("Directive '%s' allows all sources." % csp_policy, vuln_severity)
>             return csp_vuln
>
>     analyzers = {CSP_DIRECTIVE_DEFAULT: partial(generic_star_analyzer, CSP_DIRECTIVE_DEFAULT, severity.HIGH),
>                  CSP_DIRECTIVE_IMAGE: partial(generic_star_analyzer, CSP_DIRECTIVE_IMAGE, severity.LOW),}
>
>     for directive_name, directive_value in all_policies:
>         vulnerability = analyzers[directive_name](directive_value)
>         if vulnerability is not None:
>             result_dict[directive_name] = vulnerability
>
> Sorry for the very long answer!
>
> [0] http://docs.python.org/2/library/collections.html
> [1] http://sourceforge.net/apps/trac/w3af/browser/branches/threading2/core/data/context/tests/test_context.py
>
> Regards,
>>
>> --
>> Cordialement, Best regards,
>> Dominique Righetto
>> dominique.righe...@gmail.com
>> dominique.righe...@owasp.org
>> Twitter: @righettod
>> GPG: 0xC34A4565323D19BA
>> http://righettod.github.com
>> "No trees were killed to send this message, but a large number of
>> electrons were terribly inconvenienced."
>>
>> _______________________________________________
>> W3af-develop mailing list
>> W3af-develop@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
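Added example (not code from this thread or from w3af) that puts the three points raised above into one runnable sketch: the namedtuple result, a table of functools.partial analyzers in place of a copy-pasted block per directive, and a site_protected_against_xss_by_csp() check, all run over a parsed Content-Security-Policy header value; it also flags misspelled directive names, as Dom's method does. The severity constants and the KNOWN_DIRECTIVES set are assumptions standing in for w3af's core.data.constants.severity and the contribution's own directive constants.

```python
from collections import namedtuple
from functools import partial

# Severity stand-ins for w3af's core.data.constants.severity (assumption of this example).
HIGH, MEDIUM, LOW = 'High', 'Medium', 'Low'
# Result type proposed in the thread: a description plus a severity per directive.
CSPVulnerability = namedtuple('CSPVulnerability', ['desc', 'severity'])
KNOWN_DIRECTIVES = {'default-src', 'script-src', 'object-src', 'style-src', 'img-src', 'media-src',
                    'frame-src', 'font-src', 'connect-src', 'form-action', 'sandbox', 'report-uri'}

def parse_csp(header_value):
    """Split 'a b; c d' into {directive: [sources]} with lower-cased directive names."""
    policy = {}
    for directive in header_value.split(';'):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def token_analyzer(directive, vuln_severity, token, what, sources):
    """Flag a directive whose source list contains a permissive token ('*', 'unsafe-inline')."""
    if token in sources:
        return CSPVulnerability("Directive '%s' allows %s." % (directive, what), vuln_severity)

# One table of partials instead of a copy-pasted analysis block per directive.
ANALYZERS = {
    'default-src': [partial(token_analyzer, 'default-src', HIGH, '*', 'all sources'),
                    partial(token_analyzer, 'default-src', HIGH, "'unsafe-inline'", 'inline content')],
    'script-src': [partial(token_analyzer, 'script-src', HIGH, '*', 'all script sources'),
                   partial(token_analyzer, 'script-src', HIGH, "'unsafe-inline'", 'inline scripts')],
    'img-src': [partial(token_analyzer, 'img-src', LOW, '*', 'all image sources')],
}

def find_vulns(header_value):
    """Return {directive: CSPVulnerability} for permissive or misspelled directives."""
    result = {}
    for name, sources in parse_csp(header_value).items():
        if name not in KNOWN_DIRECTIVES:
            result[name] = CSPVulnerability("Unknown directive '%s' (misspelled?)." % name, LOW)
            continue
        hits = [v for v in (a(sources) for a in ANALYZERS.get(name, [])) if v is not None]
        if hits:
            result[name] = hits[0]  # one finding per directive: keep the first hit
    return result

def site_protected_against_xss_by_csp(header_value):
    """True when the directive governing scripts allows neither '*' nor 'unsafe-inline'."""
    policy = parse_csp(header_value)
    sources = policy.get('script-src', policy.get('default-src'))  # None: nothing covers scripts
    return sources is not None and '*' not in sources and "'unsafe-inline'" not in sources
```

A missing header, a default-src of *, or 'unsafe-inline' on the script-governing directive all yield False, which is the case where xss.py would keep severity HIGH.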