GoSecure / csp-auditor

Burp and ZAP plugin to analyse Content-Security-Policy headers or generate template CSP configuration from crawling a Website

Additional Audit Rule Proposition #1

Closed benboeck closed 6 years ago

benboeck commented 6 years ago

Hello Philippe, dear GoSecure team,

In a recent test we found the following misconfiguration, which could make a good addition to your "CSP Auditor" extension:

upgrade-insecure-requests TOGETHER with block-all-mixed-content:

"The upgrade-insecure-requests directive is evaluated before block-all-mixed-content and if it is set, the latter is effectively a no-op. It is recommended to set one directive or the other, but not both."

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests

From my understanding the severity seems low (misconfiguration) but it could lead to unwanted behavior and who knows about potential browser edge cases.

Kind regards, Ben
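What the proposed rule could look like as a stand-alone check, as an added example that is not part of csp-auditor (written in Python rather than the plugin's Java so it runs directly; the `Finding` class, function names and the sample header are assumptions):

```python
# Added example (not csp-auditor code): an audit rule for the misconfiguration
# proposed in this issue. It parses a CSP header value and flags policies that
# combine upgrade-insecure-requests with block-all-mixed-content.
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str
    directive: str
    message: str


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split one CSP header value into {directive-name: [source tokens]}.

    Directive names are case-insensitive. A valueless directive such as
    upgrade-insecure-requests maps to an empty list. Per the CSP spec a
    repeated directive is ignored, so only the first occurrence is kept.
    """
    policy: dict[str, list[str]] = {}
    for raw in header_value.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def check_upgrade_vs_block_mixed(policy: dict[str, list[str]]) -> list[Finding]:
    """Flag the combination described by MDN: upgrade-insecure-requests is
    evaluated first, so block-all-mixed-content becomes a no-op."""
    if "upgrade-insecure-requests" in policy and "block-all-mixed-content" in policy:
        return [Finding(
            severity="Low",
            directive="block-all-mixed-content",
            message="upgrade-insecure-requests is evaluated before "
                    "block-all-mixed-content, making the latter a no-op; "
                    "set one directive or the other, not both.",
        )]
    return []


def audit_csp_header(header_value: str) -> list[Finding]:
    """Run the rule over a single Content-Security-Policy header value."""
    return check_upgrade_vs_block_mixed(parse_csp(header_value))


# Constructed sample header reproducing the reported misconfiguration.
SAMPLE = "default-src 'self'; upgrade-insecure-requests; block-all-mixed-content"
```

Each Content-Security-Policy header is enforced independently, so a real plugin would run the check once per header value rather than over a merged policy.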

h3xstream commented 6 years ago

Hi @benboeck, I just read the documentation from Mozilla. It does not seem to bring a new vulnerability.

I tested to see if upgrade-insecure-requests would be disabled when block-all-mixed-content is present. I have done tests in Chrome and Firefox. They will both upgrade HTTP requests regardless of the order of the two directives.

If you have a POC, it would help. Thanks