Open yeln4ts opened 2 weeks ago
Interesting point, I'll do some research and see what the ideal solution is; will keep you posted, thanks for reporting this
authorization/authorization.py

```python
allowed_status_codes = ["200", "302", "301", "303", "307", "308"]
if newStatusCode not in allowed_status_codes:
    return self.ENFORCED_STR
```
What about adding this logic? (other status codes do not seem to need to be checked)
But if the new status code is still 302, it will return True and will be marked as enforced; I'm not sure how it helps
Here's what I think: remove the check that the response codes are equal; then, if the response status code is not within the range defined by the list, mark it directly as enforced. That is, a bypass within the list is identified by matching the user-defined enforced rule or by matching the response body.
There is a specific case of false positive in the check_bypass function.
I encountered a web application which returns a 302 and redirects to `/`, but also returns the privileged data in the body. So it's categorized as "Enforced" but actual sensitive data is still returned. I understand that it's there so that it works out of the box without having to define enforcement filters, but it would be great to have an option to just bypass this check and only use enforcement filters.
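To make the two positions in this thread concrete (the reporter's false positive above, and the decision order proposed in the "Here's what I think" comment), here is an added, self-contained Python model of a bypass check. It is not the project's `check_bypass` code: the `Response` class, the result strings, the `enforcement_filters` parameter and the `status_code_check` switch are all hypothetical names chosen for the illustration, and the sample responses are constructed.

```python
from dataclasses import dataclass

# Result strings; placeholders standing in for the tool's own constants.
ENFORCED_STR = "Authorization enforced"
BYPASSED_STR = "Bypassed!"
UNSURE_STR = "Is enforced??? (compare manually)"

# Status codes that may still carry a real response body. Anything else
# (401, 403, 404, 500, ...) is treated as enforced without further inspection,
# as proposed in the thread.
ALLOWED_STATUS_CODES = {"200", "301", "302", "303", "307", "308"}


@dataclass
class Response:
    status_code: str  # kept as a string to mirror the list in the thread
    body: str


def check_bypass_status_first(original: Response, modified: Response) -> str:
    """Models the behaviour the issue complains about: any change in the
    status code is taken as proof of enforcement before the body is looked at,
    so a 302 that still leaks the privileged body is reported as enforced."""
    if original.status_code != modified.status_code:
        return ENFORCED_STR
    if original.body == modified.body:
        return BYPASSED_STR
    return UNSURE_STR


def check_bypass_proposed(original: Response, modified: Response,
                          enforcement_filters=(), status_code_check=True) -> str:
    """Decision order proposed in the thread:
    1. (optional) status code outside the allowed list -> enforced
    2. a user-defined enforcement rule matches the body -> enforced
    3. bodies identical -> bypassed (status codes are no longer compared)
    4. otherwise -> unsure, needs a manual look
    status_code_check=False implements the reporter's request to rely on
    enforcement filters alone."""
    if status_code_check and modified.status_code not in ALLOWED_STATUS_CODES:
        return ENFORCED_STR
    if any(rule in modified.body for rule in enforcement_filters):
        return ENFORCED_STR
    if original.body == modified.body:
        return BYPASSED_STR
    return UNSURE_STR


# Constructed sample data. The privileged user gets a 200 with data; the
# low-privilege replay of the same request gets a 302 to "/" but carries the
# same data in the body (the reporter's case).
PRIVILEGED = Response("200", '{"users":[{"id":1,"email":"admin@example.test"}]}')
REPLAYED = Response("302", '{"users":[{"id":1,"email":"admin@example.test"}]}')
# A well-behaved application: the redirect body is just a login hint.
ENFORCED_REPLAY = Response("302", "Redirecting to /login")
DENIED_REPLAY = Response("403", "Forbidden")


def demo() -> dict:
    """Runs both checks over the sample data; returned so a caller can inspect it."""
    return {
        "status_first": check_bypass_status_first(PRIVILEGED, REPLAYED),
        "proposed": check_bypass_proposed(PRIVILEGED, REPLAYED),
        "proposed_with_filter": check_bypass_proposed(
            PRIVILEGED, ENFORCED_REPLAY, enforcement_filters=("login",)),
        "proposed_403": check_bypass_proposed(PRIVILEGED, DENIED_REPLAY),
        "filters_only_403": check_bypass_proposed(
            PRIVILEGED, DENIED_REPLAY,
            enforcement_filters=("Forbidden",), status_code_check=False),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>21}: {verdict}")
```

The `status_first` entry shows the false positive (the 302 is reported as enforced while the body is identical to the privileged one); the `proposed` entry lands on "Bypassed!" for the same pair because the allowed list lets the 302 through to the body comparison. Note the cost of dropping the equality check: a 302 whose body differs and matches no enforcement filter falls into the "unsure" bucket instead of being auto-classified, so the proposal trades a silent false positive for a result that asks the tester to look.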