moloch-- / csp-bypass Goto Github PK

Hi,
I noticed that some CSP directives reported by this extender are obsolete, and are reported by your tool. Is it possible to update this extender accordingly?

• 'referrer': https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer

This feature is obsolete. Although it may still work in some browsers, its use is discouraged since it could be removed at any time. Try to avoid using it.

• 'reflected-xss': https://bugs.chromium.org/p/chromium/issues/detail?id=657737

This was removed from CSP2, never added to CSP3, and will not ship in any other browser. We should remove it, as it is completely redundant with X-XSS-Protection, which is never going away.

Thanks

Hi Joe,
This is a simple notification to let you know that I have built a very similar extension. Both have passive rules to analyze CSP header(s).
I initially start the extension to have a readable View of the header in the response tab then I added some passive rules.

Anw, I not here to say that I am competing with your extension. I think that solely base on the fact that it was developed in Python could be useful for some people. I also saw that the passive rules are not exactly the same.

Finally, I am not close to exchanging information and contributions. Here are some list that am using to identify bad hosts configured (additional host to ajax.googleapis.com):

• https://github.com/GoSecure/csp-auditor/blob/master/csp-auditor-core/src/main/resources/resources/data/csp_host_user_content.txt
• https://github.com/GoSecure/csp-auditor/blob/master/csp-auditor-core/src/main/resources/resources/data/csp_host_vulnerable_js.txt

Also, I have submitted the extension just over a month ago for the Bapp Store.. I have no idea it will be accepted.

Just a suggestion - it would be cool to submit this to the Bapp store so it can be seamlessly installed from within the Burp environment by just clicking on it and all that :)

It is currently unclear what are the permissions when it comes to this project because there is no license defined, which makes it difficult to determine how to properly make adaptive works from this project. Could it be possible to add one, @moloch--?

While using this library in another project I noticed it throws a ValueError when a CSP makes use of the xhr-src directive.

According to MDN:

Prior to Firefox 23, xhr-src was used in place of the connect-src directive and only restricted the use of XMLHttpRequest.

Any interest in adding support for this?