Dom,

On Thu, Jan 3, 2013 at 3:19 AM, Dominique RIGHETTO <dominique.righe...@gmail.com> wrote:
> Andres,
>
> I have updated the associated Github ticket with your feedback:
>
> https://github.com/righettod/w3af-contribs/issues/2
>
> I will work on it on my next free time ;)

Great :)

> For code duplication:
> It's intentional, the spec is in Draft status and directives content
> evolves. From my point of view, I prefer to separate each vulns search for
> each directive in order to always have the possibility to add special cases or
> cross checks between directives.... Refactoring is a very good idea but this
> one should be done when the spec is stabilized...

Understood the reason, thanks for the clarification.

> Dom
>
> On 02/01/2013 14:18, Andres Riancho wrote:
>> Dom,
>>
>> On Wed, Jan 2, 2013 at 7:51 AM, Dominique RIGHETTO
>> <dominique.righe...@gmail.com> wrote:
>>> Hello,
>>>
>>> To begin with I present to you my best wishes for 2013 :)
>>
>> Thanks! My best wishes to you too in this new year that's just
>> starting :)
>>
>>> I have added a method to find vulnerabilities in CSP policies from an
>>> HTTP response; it analyzes directives for
>>> permissive/invalid configuration and misspelled directive names.
>>>
>>> I have also added dedicated test cases in the unit test class.
>>>
>>> I have executed the unit tests against revision 6578 of the Threading2 branch of
>>> the W3AF SVN repository.
>>>
>>> See
>>>
>>> https://github.com/righettod/w3af-contribs/commit/b2787b5371267d860b7a73ca23081d4bf2048e04
>>
>> Very nice! This is evolving very quickly into what I imagined when
>> you told me what you wanted to do :) I have a couple of potential
>> improvements that I would like to see before merging into w3af and
>> starting with the creation of the CSP plugin:
>>
>> * find_vulns returns a dict with the CSP directive and a string
>> describing the vulnerability as value. While this is good as a start
>> it looks like we'll need something more in the future. If we want to
>> write a plugin that shows CSP directive misconfigurations to the user
>> I think that "Directive 'default-src' allow all sources." is not as
>> bad as "Directive 'img-src' allow all image sources." in terms of
>> severity / impact to the security of the site. So, my proposal is for
>> you to return a NamedTuple [0] as value of that dict. I've discovered
>> NamedTuples recently but I learned to love them quickly :) So,
>> basically we would have something like:
>>
>>     from collections import namedtuple
>>     import core.data.constants.severity as severity
>>
>>     CSPVulnerability = namedtuple('CSPVulnerability', ['desc', 'severity'])
>>
>>     csp_vuln_default_src = CSPVulnerability("Directive 'default-src' allow all sources.",
>>                                             severity.HIGH)
>>     csp_vuln_image_src = CSPVulnerability("Directive 'img-src' allow all image sources.",
>>                                           severity.LOW)
>>
>>     result[CSP_DIRECTIVE_DEFAULT] = csp_vuln_default_src
>>     result[CSP_DIRECTIVE_IMAGE] = csp_vuln_image_src
>>
>> * I've been working with the xss.py during the last days (mostly
>> merged Taras' work) and one of the things we're missing there is the
>> CSP policy check. Now the code looks like this:
>>
>>     for contexts in get_context(response.get_body(), mod_value):
>>         for context in contexts:
>>             if context.is_executable() or context.can_break(mod_value):
>>                 self._report_vuln(mutant, response, mod_value)
>>                 return
>>
>> Which means: "Search for the string that I sent in the body and return
>> the contexts [1] it is in; for each context verify if the string we
>> sent can break out of that context, if so then we have a
>> vulnerability". By example:
>>
>>     mod_value: abc<def>ghi
>>     response_body: <html>hello abc<def>ghi</html>
>>     contexts for mod_value: HTML_TEXT
>>     can_break: True (because the < and > we sent were not escaped)
>>
>> The problem is that we're reporting this as a XSS with severity HIGH
>> without knowing if the site has CSP enabled or not, which I think
>> should modify the severity. So, what I would like to have in the csp
>> module is a function that returns True/False for the question "site is
>> protected against XSS". So, for example, if the default-src is set to
>> *, it would return False, if unsafe-inline is set, then return False,
>> etc. This will be integrated into the xss.py plugin like this:
>>
>>     for contexts in get_context(response.get_body(), mod_value):
>>         for context in contexts:
>>             if context.is_executable() or context.can_break(mod_value):
>>                 if csp.site_protected_against_xss_by_csp(response):
>>                     self._report_vuln(mutant, response, mod_value, severity.MEDIUM)
>>                 else:
>>                     self._report_vuln(mutant, response, mod_value, severity.HIGH)
>>                 return
>>
>> * Finally, there seems to be a lot of repeated code in find_vulns
>> (mostly in the analysis of each policy, ####Directive "connect-src",
>> ####Directive "form-action", etc.). Could you try to refactor that?
>> What could be done is something like this:
>>
>>     from functools import partial
>>
>>     def generic_star_analyzer(csp_policy, vuln_severity, csp_value):
>>         if '*' == csp_value:
>>             csp_vuln = CSPVulnerability("Directive '%s' allows all sources." % csp_policy,
>>                                         vuln_severity)
>>             return csp_vuln
>>         return None
>>
>>     analyzers = {CSP_DIRECTIVE_DEFAULT: partial(generic_star_analyzer,
>>                                                 CSP_DIRECTIVE_DEFAULT, severity.HIGH),
>>                  CSP_DIRECTIVE_IMAGE: partial(generic_star_analyzer,
>>                                               CSP_DIRECTIVE_IMAGE, severity.LOW),}
>>
>>     for directive_name, directive_value in all_policies:
>>         vulnerability = analyzers[directive_name](directive_value)
>>         if vulnerability is not None:
>>             result_dict[directive_name] = vulnerability
>>
>> Sorry for the very long answer!
>>
>> [0] http://docs.python.org/2/library/collections.html
>> [1] http://sourceforge.net/apps/trac/w3af/browser/branches/threading2/core/data/context/tests/test_context.py
>>
>> Regards,
>>>
>>> --
>>> Cordialement, Best regards,
>>> Dominique Righetto
>>> dominique.righe...@gmail.com
>>> dominique.righe...@owasp.org
>>> Twitter: @righettod
>>> GPG: 0xC34A4565323D19BA
>>> http://righettod.github.com
>>> "No trees were killed to send this message, but a large number of
>>> electrons were terribly inconvenienced."
>>>
>>> _______________________________________________
>>> W3af-develop mailing list
>>> W3af-develop@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
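The three ideas Andres sketches in the quoted mail (a namedtuple carrying description plus severity, one partial-built analyzer per directive instead of a copy of the check per directive, and a site_protected_against_xss_by_csp() answer for xss.py), carried through as a runnable added example. This is neither w3af's code nor Dominique's contribution: parse_csp, ANALYZERS and the LOW/HIGH strings standing in for core.data.constants.severity are assumptions made here.

```python
from collections import namedtuple
from functools import partial

# Assumed stand-ins for w3af's core.data.constants.severity (not the real module)
LOW, HIGH = 'Low', 'High'

CSPVulnerability = namedtuple('CSPVulnerability', ['desc', 'severity'])

def parse_csp(header_value):
    """Split "default-src 'self'; img-src *" into {directive: [source tokens]}."""
    policy = {}
    for directive in header_value.split(';'):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def generic_star_analyzer(directive, vuln_severity, sources):
    """Flag a directive whose source list contains the bare '*' token (any origin)."""
    if '*' in sources:
        return CSPVulnerability("Directive '%s' allows all sources." % directive,
                                vuln_severity)
    return None

# One partial per directive: the same check, but severity chosen per directive
ANALYZERS = {
    'default-src': partial(generic_star_analyzer, 'default-src', HIGH),
    'script-src': partial(generic_star_analyzer, 'script-src', HIGH),
    'img-src': partial(generic_star_analyzer, 'img-src', LOW),
}

def find_vulns(header_value):
    """Return {directive: CSPVulnerability} for every permissive directive found."""
    result = {}
    for name, sources in parse_csp(header_value).items():
        analyzer = ANALYZERS.get(name)   # directives without an analyzer are skipped
        vuln = analyzer(sources) if analyzer else None
        if vuln is not None:
            result[name] = vuln
    return result

def site_protected_against_xss_by_csp(header_value):
    """False when injected inline or any-origin script could still execute."""
    policy = parse_csp(header_value)
    # script-src wins; otherwise the browser falls back to default-src
    script = policy.get('script-src', policy.get('default-src'))
    if script is None:
        return False  # neither script-src nor a default-src fallback: no restriction
    return '*' not in script and "'unsafe-inline'" not in script
```

The xss.py branch in the mail would then call site_protected_against_xss_by_csp() on the response's Content-Security-Policy header value to pick MEDIUM or HIGH.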