BIN: analyse-headers: Will attempt to decode F5 Cookies

Thanks <Huw Edwards> for the idea and help implementing it.
Jonathan Hodgson 4 years ago
parent 08e4bceee8
commit 5832de6742
  1. 19
      bin/.bin/webtest/analyse-headers

@ -222,6 +222,10 @@ attacks (XSS).\n\n"
This prevents the content security policy from effectively mitigating against This prevents the content security policy from effectively mitigating against
DOM based XSS attacks\n\n" DOM based XSS attacks\n\n"
fi fi
# TODO, I'd like to check for more CSP issues.
# See https://csp-evaluator.withgoogle.com/
# https://www.securing.pl/en/why-should-you-care-about-content-security-policy/
# https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/
fi fi
if [ -n "$message" ]; then if [ -n "$message" ]; then
echo "Content-Security-Policy" | drawInBox echo "Content-Security-Policy" | drawInBox
@ -299,6 +303,21 @@ Strict means the browser sends the cookie only for same-site requests\n\n"
ret=$((ret>1 ? ret : 1)) ret=$((ret>1 ? ret : 1))
fi fi
if echo "$value" | grep -iq "bigipserver"; then
local ip_enc="$(echo "$value" | cut -d '=' -f 2 | cut -d '.' -f 1)"
local port_enc="$(echo "$value" | cut -d '=' -f 2 | cut -d '.' -f 2)"
local ip="$(echo "ibase=10;obase=16;$ip_enc"| bc | grep -o .. | tac |
while read -r part; do echo -n "$((0x$part))."; done)"
local port="$((0x$(echo "ibase=10;obase=16;$port_enc" | bc | grep -o .. | tac | tr -d '\n') ))"
if echo "$ip" | grep -Eq '([0-9]{1,3}[\.]){3}[0-9]{1,3}'; then
output+="The Cookie discloses internal IP addresses used by the load ballencer\n"
output+="IP: $ip\n"
output+="Port: $port\n\n"
output+="Remediate this by enabling cookie encryption\n\
https://support.f5.com/csp/article/K7784?sr=14607726"
ret=$((ret>1 ? ret : 1))
fi
fi
if [ "$ret" -gt 0 ]; then if [ "$ret" -gt 0 ]; then

Loading…
Cancel
Save