Closed siccovansas closed 6 years ago
I encountered an edge case where the scanned domain used `maxage` instead of `max-age` in its HSTS header. This results in `pshtt` listing `True` in the `HSTS` column but having an empty `HSTS Max Age` column. This in turn gave a `TypeError: unorderable types: NoneType() >= int()` error caused by line 581. We can prevent this by checking if `hsts_age` is `True` in the `if`-statement leading up to that line.
Thanks for catching this! Looks good to me.
This has the added advantage that HSTS headers with a `max-age` of 0 are also given an HSTS value of 0 (no HSTS) in Pulse instead of an HSTS value of 1 (HSTS with too low max-age). The RFC specifies that a `max-age` of 0 means that the HSTS policy should be removed by the user agent. So the intended effect of the website is to have no HSTS. In a scan of 23k domains I actually got 44 domains listing a `max-age` of 0.
Actually, this shouldn't be a problem, because `pshtt` correctly marks the `HSTS` field as `False` if the `max-age` is 0, so the conditional would have already caught this situation:
https://github.com/dhs-ncats/pshtt/blob/master/pshtt/pshtt.py#L366-L368
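The failure shape described in the PR and the maintainer's note about `max-age=0`, reproduced as an added example (this is not pshtt's own code; the `ONE_YEAR` threshold, the scoring value 2 for an adequate `max-age`, and the sample headers are assumptions and constructed inputs):

```python
from typing import Optional, Tuple

ONE_YEAR = 31536000  # assumed "long enough" max-age threshold for this example

# Constructed Strict-Transport-Security header values, not taken from real scans.
SAMPLE_HEADERS = {
    "correct": "max-age=31536000; includeSubDomains; preload",
    "typo": "maxage=31536000; includeSubDomains",  # the edge case from the PR
    "zero": "max-age=0",                           # RFC 6797: remove the policy
    "absent": None,
}


def parse_hsts(header: Optional[str]) -> Tuple[bool, Optional[int]]:
    """Return (hsts, hsts_age) as the PR describes pshtt's two columns.
    A misspelled 'maxage' gives hsts=True with hsts_age=None; max-age=0
    gives hsts=False, mirroring the maintainer's note."""
    if header is None:
        return False, None
    max_age = None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                max_age = None  # unparsable value, treat as missing
    return max_age != 0, max_age


def score_before(hsts: bool, hsts_age: Optional[int]) -> int:
    """Comparison shape that raised the TypeError: None >= int."""
    if hsts and hsts_age >= ONE_YEAR:
        return 2  # assumed value: HSTS with adequate max-age
    if hsts:
        return 1  # HSTS with too low max-age (value named on the page)
    return 0      # no HSTS (value named on the page)


def score_after(hsts: bool, hsts_age: Optional[int]) -> int:
    """The PR's fix: require a truthy hsts_age before comparing it."""
    if hsts and hsts_age and hsts_age >= ONE_YEAR:
        return 2
    if hsts and hsts_age:
        return 1
    return 0


def crashes_on_missing_age() -> bool:
    """True if the pre-fix scoring raises on the 'maxage' typo header."""
    try:
        score_before(*parse_hsts(SAMPLE_HEADERS["typo"]))
    except TypeError:
        return True
    return False
```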