BIN: analyse-headers: Fix incorrect reporting of SSL issues

It turns out the SSL flags secure and httponly are not case sensitive.

https://tools.ietf.org/html/rfc6265#section-5.2.5

I cannot find any documentation about the SameSite=Strict so I will
leave it case sensitive for now. The spec for that section is here:

https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.2

Thanks <Dom Ingram> for flagging this
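As an added illustration of the point the commit message makes (attribute names in a Set-Cookie header are matched case-insensitively per RFC 6265 section 5.2), the function below checks a header value for the Secure, HttpOnly and SameSite attributes. It is example code, not part of the analyse-headers script; the function name, its messages and the sample header are this example's own, and it relies only on POSIX sh plus tr, sed and tail. Unlike a bare substring grep, it inspects whole attributes, so a cookie named "securetoken" or a value containing "httponly" is not mistaken for the flag being set.

```shell
#!/bin/sh
# Added example, not code from the analyse-headers script: report which of the
# Secure, HttpOnly and SameSite attributes a Set-Cookie header value lacks.
# Attribute names are compared case-insensitively, as RFC 6265 section 5.2
# requires, and only whole attributes are inspected, so a cookie *named*
# "securetoken" or a value containing "httponly" is not taken as the flag.
# Function name and messages are this example's own choices.

check_cookie_flags() {
    value=$1
    has_secure=0
    has_httponly=0
    samesite=""
    # Split the header on ';', drop the leading cookie-name=value pair and
    # examine each remaining attribute. A here-document keeps the loop in the
    # current shell so the counters survive (a pipe would run it in a subshell).
    while IFS= read -r part; do
        # strip surrounding whitespace, then lower-case the attribute name
        part=$(printf '%s' "$part" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        name=$(printf '%s' "${part%%=*}" | tr '[:upper:]' '[:lower:]')
        case "$name" in
            secure)   has_secure=1 ;;
            httponly) has_httponly=1 ;;
            samesite)
                # value after '=', lower-cased; stays empty if no value was given
                case "$part" in
                    *=*) samesite=$(printf '%s' "${part#*=}" | tr '[:upper:]' '[:lower:]') ;;
                esac ;;
        esac
    done <<EOF
$(printf '%s\n' "$value" | tr ';' '\n' | tail -n +2)
EOF

    rc=0
    [ "$has_secure" = 1 ]   || { echo "missing Secure"; rc=1; }
    [ "$has_httponly" = 1 ] || { echo "missing HttpOnly"; rc=1; }
    case "$samesite" in
        strict|lax) ;;
        "")   echo "missing SameSite"; rc=1 ;;
        none) echo "SameSite is None"; rc=1 ;;
        *)    echo "unrecognised SameSite value: $samesite"; rc=1 ;;
    esac
    return $rc
}

# Example run on a constructed header value (prints nothing, exit status 0):
# check_cookie_flags 'session=abc123; Path=/; secure; HTTPONLY; SameSite=Strict'
```

The function prints one finding per line and returns 1 if anything is missing, which makes it easy to fold into a larger header checker. Note that SameSite values are treated case-insensitively here as well; the commit message leaves that attribute case-sensitive because the author found no documentation for it, so this is a choice of the example rather than a statement about the draft.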
master
Jonathan Hodgson 4 years ago
parent fd3997230d
commit bf132e16c2
      bin/.bin/webtest/analyse-headers

@ -241,14 +241,14 @@ test_set-cookie(){
if ! echo "$value" | grep -q "HttpOnly"; then if ! echo "$value" | grep -q "HttpOnly"; then
echo "$value" echo "$value"
echo "$value" | grep -q "HttpOnly" --color always echo "$value" | grep -qi "HttpOnly" --color always
output+="The HttpOnly flag isn't set which means the cookie value can \ output+="The HttpOnly flag isn't set which means the cookie value can \
be read by JavaScript. If a malicious actor manages to run JavaScript through \ be read by JavaScript. If a malicious actor manages to run JavaScript through \
methods like XSS, they may be able to steal the contents of cookies\n\n" methods like XSS, they may be able to steal the contents of cookies\n\n"
ret=$((ret>1 ? ret : 1)) ret=$((ret>1 ? ret : 1))
fi fi
if ! echo "$value" | grep -q "Secure"; then if ! echo "$value" | grep -qi "Secure"; then
output+="The Secure flag isn't set which means the cookie could be \ output+="The Secure flag isn't set which means the cookie could be \
sent over unencrypted channels\n\n" sent over unencrypted channels\n\n"
ret=$((ret>1 ? ret : 1)) ret=$((ret>1 ? ret : 1))
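Review bot: the HttpOnly check is still case-sensitive. In this hunk only the `grep -qi "HttpOnly" --color always` line gained `-i`; the `if ! echo "$value" | grep -q "HttpOnly"` condition that actually decides whether the finding is reported is unchanged on both sides, so a header carrying `httponly` will still be flagged as missing the attribute. Change that condition to `grep -qi "HttpOnly"`, as was done for `Secure` further down, and consider dropping the `grep -q ... --color always` line, which prints nothing because `-q` suppresses output and its exit status is discarded. Separately, `grep -qi "Secure"` matches the string anywhere in the header, including inside the cookie name or value (a cookie named `securetoken`, for instance), so anchoring on attribute boundaries, for example `grep -qiE '(^|;)[[:space:]]*secure[[:space:]]*(;|$)'`, avoids reporting the flag as present when it is not.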
