gosecure / csp-auditor Goto Github PK
View Code? Open in Web Editor NEWBurp and ZAP plugin to analyse Content-Security-Policy headers or generate template CSP configuration from crawling a Website
Burp and ZAP plugin to analyse Content-Security-Policy headers or generate template CSP configuration from crawling a Website
Hi, I’ve noticed that the CSP auditor from the BApp Store assumes an implicit 'default-src' directive even if there is none specify in the policy. As an example, the following CSP policy is configured with just one directive which is weak.
Content-Security-Policy: frame-ancestors https://corpnet.com/ https://*.corpnet.com;
Should this be flagged as a weak CSP policy, rather than no issue?
Thanks
Hello Philippe,
dear GoSecure team,
in a recent test we found the following misconfiguration which could make a good addition to your "CSP Auditor" extension:
upgrade-insecure-requests TOGETHER with block-all-mixed-content:
"The upgrade-insecure-requests directive is evaluated before block-all-mixed-content and if it is set, the latter is effectively a no-op. It is recommended to set one directive or the other, but not both."
From my understanding the severity seems low (misconfiguration) but it could lead to unwanted behavior and who knows about potential browser edge cases.
Kind regards
Ben
Clicking the "Analyze" button causes Burp's UI to freeze. This long duration process needs to run in its own thread.
Clicking the "Refresh Domains" ( ↻ ) button causes Burp's UI to freeze. This long duration process needs to run in its own thread.
Is it possible to add an issue into the findings when a CSP policy is not implemented. I could modify the extension myself but I think it should be added to the approved version in the BApp Store.
Hi @h3xstream,
Your extension has been very useful for me and I'd like to contribute to it.
I've been looking to build a burp extension that will allow me to build a suitable Content Security Policy for a site that has none. It appears this extension attempts to do that in the configuration tab by looking at the response history. It uses the referrer and mime-type of requests to determine if it should add that domain to the policy and if so, to which directive it should be added.
However, it doesn't use the CSP violations.
I'd like to contribute by adding code to make use of the CSP violations when building a policy in the configuration tab. By doing so, the extension will be able to provide a much more accurate version of what the policy should be. It can also show how many reports correspond to a given directive-source mapping. This will be useful when first building a policy and when trying to tighten up an existing one.
The desired workflow is
Content-Security-Policy-Report-Only: default-src 'none'; report-uri /some/url
to responsesLet me know what you think.
csp-auditor freezes intermittently doing analysis. Sometimes I can analyze multiple sites before it freezes. Other times it freezes on the first or second analyze. When it freezes the entire UI does not respond and the CSP displays are blank.
this extension works fine on BS v2020.2.1 Build 1699 (same host, same JRE, same OS, etc).
in case its helpful i am attaching BS diagnostics.
bsdiag.txt
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.