cerberauth / vulnapi

API Security Vulnerability Scanner designed to help you secure your APIs.
https://vulnapi.cerberauth.com
MIT License
89 stars, 10 forks

Fix-cache-control #189

Open Similadayo opened 2 months ago

Similadayo commented 2 months ago

This pull request fixes a problem with the GetHeaders method in the OAuth and JWT Bearer security schemes. It wasn't handling cases where attack and valid values were nil, which could cause errors. I changed the code to fix this, making sure headers are generated more reliably for requests.

Changes:

  1. Fixed errors with type checks in GetHeaders.

  2. Improved how attack and valid values are handled in headers.

I look forward to your feedback on these updates!

emmanuelgautier commented 1 month ago

Thanks for contributing @Similadayo.

I'm not sure which type check error this PR is addressing. Could you maybe share an example of the error you encountered during the scan?

Regarding the changes in your PR, I see you've added Cache-Control request headers. It's true that APIs should not allow public cacheable responses if authentication is required. Testing for this behavior is actually planned for the next version (see issue #187). If you're interested in working on this feature as well, I will be happy to welcome your contributions!

Similadayo commented 1 month ago

Thanks for getting back to me @emmanuelgautier

My PR tackles the same issue about Cache-Control headers for authenticated APIs. It makes sure that public cacheable responses aren’t allowed when authentication is used, which helps protect confidential data. I’d love to contribute more to this issue and help with testing in the next version. Let me know how I can help.

emmanuelgautier commented 1 month ago

The goal of the scan is not necessarily to ensure that requests made during the scan aren't cached, but rather to check if there are any shared cache directives (like public Cache-Control) in the response, which could expose sensitive data.

I think you should add a new scan for this specific case. You can refer to one of the existing scans in this repository: https://github.com/cerberauth/vulnapi/tree/main/scan.

I'd be happy to assist. One approach for the scan would involve making a request with an authentication method in place and then inspecting the response headers. If the response is successful (e.g., 2xx status code), and it includes public cache control directives, the test would fail as this could expose protected data. Do not hesitate to suggest another approach if you think there’s a better way to perform this scan.
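The check described in the comment above, written out as a stand-alone Go sketch (added here as an illustration; it is not vulnapi code and does not use the repository's scan API). It assumes the scan already has the status code and headers of the authenticated response, and it flags the directives RFC 9111 §3.5 lists as allowing a shared cache to store a response to a request carrying Authorization: `public`, `s-maxage` and `must-revalidate`.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// ParseCacheControl splits Cache-Control header values (the header may be
// repeated or comma-separated) into lower-cased directive names and values.
func ParseCacheControl(values []string) map[string]string {
	out := map[string]string{}
	for _, v := range values {
		for _, part := range strings.Split(v, ",") {
			name, val, _ := strings.Cut(part, "=")
			name = strings.ToLower(strings.TrimSpace(name))
			if name == "" {
				continue
			}
			out[name] = strings.Trim(strings.TrimSpace(val), `"`)
		}
	}
	return out
}

// SharedCacheDirective returns the directive that would let a shared cache
// store a successful authenticated response, or "" when none applies.
// no-store and private win over the sharing directives, since they forbid
// shared caches from storing the response at all.
func SharedCacheDirective(statusCode int, header http.Header) string {
	if statusCode < 200 || statusCode >= 300 {
		return "" // only successful responses carry the protected data
	}
	d := ParseCacheControl(header.Values("Cache-Control"))
	if _, ok := d["no-store"]; ok {
		return ""
	}
	if _, ok := d["private"]; ok {
		return ""
	}
	for _, name := range []string{"public", "s-maxage", "must-revalidate"} {
		if _, ok := d[name]; ok {
			return name
		}
	}
	return ""
}

func main() {
	// Constructed sample: a 200 response from an authenticated endpoint.
	h := http.Header{}
	h.Add("Cache-Control", "public, max-age=600")
	if dir := SharedCacheDirective(200, h); dir != "" {
		fmt.Printf("FAIL: shared caching allowed by %q\n", dir)
	}
}
```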

Similadayo commented 1 month ago

Thanks for the clarification.

I will go through the scan directory to understand better and won't hesitate to reach out in case I need understanding.