gosecure / csp-auditor Goto Github PK

Clicking the "Refresh Domains" ( ↻ ) button causes Burp's UI to freeze. This long duration process needs to run in its own thread.

Hello Philippe,
dear GoSecure team,

in a recent test we found the following misconfiguration which could make a good addition to your "CSP Auditor" extension:

upgrade-insecure-requests TOGETHER with block-all-mixed-content:

"The upgrade-insecure-requests directive is evaluated before block-all-mixed-content and if it is set, the latter is effectively a no-op. It is recommended to set one directive or the other, but not both."

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests

From my understanding the severity seems low (misconfiguration) but it could lead to unwanted behavior and who knows about potential browser edge cases.

Kind regards
Ben

Clicking the "Analyze" button causes Burp's UI to freeze. This long duration process needs to run in its own thread.

Hi, I’ve noticed that the CSP auditor from the BApp Store assumes an implicit 'default-src' directive even if there is none specify in the policy. As an example, the following CSP policy is configured with just one directive which is weak.

Content-Security-Policy: frame-ancestors https://corpnet.com/ https://*.corpnet.com;

Should this be flagged as a weak CSP policy, rather than no issue?

Thanks

csp-auditor freezes intermittently doing analysis. Sometimes I can analyze multiple sites before it freezes. Other times it freezes on the first or second analyze. When it freezes the entire UI does not respond and the CSP displays are blank.

this extension works fine on BS v2020.2.1 Build 1699 (same host, same JRE, same OS, etc).

in case its helpful i am attaching BS diagnostics.
bsdiag.txt

Is it possible to add an issue into the findings when a CSP policy is not implemented. I could modify the extension myself but I think it should be added to the approved version in the BApp Store.

Hi @h3xstream,

Your extension has been very useful for me and I'd like to contribute to it.

I've been looking to build a burp extension that will allow me to build a suitable Content Security Policy for a site that has none. It appears this extension attempts to do that in the configuration tab by looking at the response history. It uses the referrer and mime-type of requests to determine if it should add that domain to the policy and if so, to which directive it should be added.

However, it doesn't use the CSP violations.

I'd like to contribute by adding code to make use of the CSP violations when building a policy in the configuration tab. By doing so, the extension will be able to provide a much more accurate version of what the policy should be. It can also show how many reports correspond to a given directive-source mapping. This will be useful when first building a policy and when trying to tighten up an existing one.

The desired workflow is

• user sets up burp to to add something along the lines of Content-Security-Policy-Report-Only: default-src 'none'; report-uri /some/url to responses
• user browses site
• configuration tab shows a policy that would be suitable for that site.

Let me know what you think.