Remove non standard header findings and add deprecated headers findings #3127

Merged
merged 12 commits into from
Jul 5, 2024
Expand Up @@ -473,5 +473,12 @@
"risk": "medium",
"impact": "Disallowed domains are domains that are for example 'world writable', this opens up the possibility for an atacker to host malicious files on a csp whitelisted domain.",
"recommendation": "Remove the offending hostname from the CSP header."
},
"KAT-NONSTANDARD-HEADERS": {
"description": "Headers are used that are nonstandard and should not be used anymore.",
"risk": "low",
"source": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers",
"impact": "Nonstandard headers may not be supported by all browsers and may not provide the security that is expected.",
"recommendation": "Remove the nonstandard headers from the response."
}
}
52 changes: 22 additions & 30 deletions octopoes/bits/missing_headers/missing_headers.py
Expand Up @@ -5,6 +5,16 @@
from octopoes.models.ooi.findings import Finding, KATFindingType
from octopoes.models.ooi.web import HTTPHeader, HTTPResource

DEPRECATED_HEADER = {
"x-forwarded-host",
"x-forwarded-proto",
"x-dns-prefetch-control",
"x-forwarded-for",
"x-robots-tag",
"pragma",
"warning",
}

XSS_CAPABLE_TYPES = [
"text/html",
"application/xhtml+xml",
Expand Down Expand Up @@ -50,26 +60,6 @@ def run(resource: HTTPResource, additional_oois: list[HTTPHeader], config: dict[
yield ft
yield finding

if "x-permitted-cross-domain-policies" not in header_keys:
ft = KATFindingType(id="KAT-NO-X-PERMITTED-CROSS-DOMAIN-POLICIES")
finding = Finding(
finding_type=ft.reference,
ooi=resource.reference,
description="Header x-permitted-cross-domain-policies is missing or not configured correctly.",
)
yield ft
yield finding

if "x-xss-protection" not in header_keys:
ft = KATFindingType(id="KAT-NO-EXPLICIT-XSS-PROTECTION")
finding = Finding(
finding_type=ft.reference,
ooi=resource.reference,
description="Header x-xss-protection is missing or not configured correctly.",
)
yield ft
yield finding

if "x-frame-options" not in header_keys:
ft = KATFindingType(id="KAT-NO-X-FRAME-OPTIONS")
finding = Finding(
Expand All @@ -80,16 +70,6 @@ def run(resource: HTTPResource, additional_oois: list[HTTPHeader], config: dict[
yield ft
yield finding

if "x-dns-prefetch-control" not in header_keys:
ft = KATFindingType(id="KAT-NO-X-DNS-PREFETCH-CONTROL")
finding = Finding(
finding_type=ft.reference,
ooi=resource.reference,
description="Header x-dns-prefetch-control is missing or not configured correctly.",
)
yield ft
yield finding

if "permissions-policy" not in header_keys:
ft = KATFindingType(id="KAT-NO-PERMISSIONS-POLICY")
finding = Finding(
Expand Down Expand Up @@ -119,3 +99,15 @@ def run(resource: HTTPResource, additional_oois: list[HTTPHeader], config: dict[
)
yield ft
yield finding

deprecated_headers = set(header_keys) & DEPRECATED_HEADER
if deprecated_headers:
ft = KATFindingType(id="KAT-NONSTANDARD-HEADERS")
finding = Finding(
finding_type=ft.reference,
ooi=resource.reference,
description=f"Nonstandard headers are used. Avoid using the following headers: "
f"{' '.join(deprecated_headers)}",
)
yield ft
yield finding
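Review bot: `' '.join(deprecated_headers)` iterates a set, so the header list in the Finding description comes out in a different order from one process to the next (str hashing is salted), which makes the description text unstable between scans even when the offending headers are identical; sort it and separate with commas: `f"{', '.join(sorted(deprecated_headers))}"`. The intersection with DEPRECATED_HEADER also only matches if header_keys has already been lowercased — HTTP header names are case-insensitive and servers commonly emit `X-Forwarded-For` — and that normalization, if it exists, sits at the top of run, which starts outside this hunk. The constant is named DEPRECATED_HEADER while the finding it feeds is KAT-NONSTANDARD-HEADERS; using the same word for both (and the plural, since it is a set) would make the pairing easier to follow.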
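--- a/octopoes/tests/test_bit_missing_headers.py
+++ b/octopoes/tests/test_bit_missing_headers.py
@@ -39,3 +39,16 @@ def test_http_no_hsts(http_resource_http):
 hsts_findings = [r for r in results if r.object_type == "Finding" and r.finding_type.natural_key == "KAT-NO-HSTS"]
 
 assert not hsts_findings
+
+
+def test_deprecated_header(http_resource_https):
+headers = [
+HTTPHeader(resource=http_resource_https.reference, key="x-forwarded-for", value="DENY"),
+]
+
+results = list(run(http_resource_https, headers, {}))
+deprecated_headers_findings = [
+r for r in results if r.object_type == "Finding" and r.finding_type.natural_key == "KAT-NONSTANDARD-HEADERS"
+]
+
+assert len(deprecated_headers_findings) == 1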
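Review bot: The new test only asserts that one KAT-NONSTANDARD-HEADERS finding is produced, not what it reports; adding `assert "x-forwarded-for" in deprecated_headers_findings[0].description` would pin the header name that actually reaches the user. It also exercises only a lowercase key; unless run lowercases header keys before matching (that code is outside this hunk), a response carrying `X-Forwarded-For` would silently produce no finding, so a second HTTPHeader with that spelling is worth adding to the fixture. `value="DENY"` looks copied from the x-frame-options case and has no meaning for a forwarded-for header; a neutral constructed value such as `value="example"` would read more clearly.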