BIN: analyse-headers: Fix incorrect reporting of SSL issues
It turns out the SSL flags Secure and HttpOnly are not case sensitive: https://tools.ietf.org/html/rfc6265#section-5.2.5

I cannot find any documentation about the SameSite=Strict, so I will leave it case sensitive for now. The spec for that section is here: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.2

Thanks <Dom Ingram> for flagging this.
parent: fd3997230d
commit: bf132e16c2
1 changed file with 2 additions and 2 deletions
@ -241,14 +241,14 @@ test_set-cookie(){
|
||||||
|
|
||||||
if ! echo "$value" | grep -q "HttpOnly"; then
|
if ! echo "$value" | grep -q "HttpOnly"; then
|
||||||
echo "$value"
|
echo "$value"
|
||||||
echo "$value" | grep -q "HttpOnly" --color always
|
echo "$value" | grep -qi "HttpOnly" --color always
|
||||||
output+="The HttpOnly flag isn't set which means the cookie value can \
|
output+="The HttpOnly flag isn't set which means the cookie value can \
|
||||||
be read by JavaScript. If a malicious actor manages to run JavaScript through \
|
be read by JavaScript. If a malicious actor manages to run JavaScript through \
|
||||||
methods like XSS, they may be able to steal the contents of cookies\n\n"
|
methods like XSS, they may be able to steal the contents of cookies\n\n"
|
||||||
ret=$((ret>1 ? ret : 1))
|
ret=$((ret>1 ? ret : 1))
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! echo "$value" | grep -q "Secure"; then
|
if ! echo "$value" | grep -qi "Secure"; then
|
||||||
output+="The Secure flag isn't set which means the cookie could be \
|
output+="The Secure flag isn't set which means the cookie could be \
|
||||||
sent over unencrypted channels\n\n"
|
sent over unencrypted channels\n\n"
|
||||||
ret=$((ret>1 ? ret : 1))
|
ret=$((ret>1 ? ret : 1))
|
||||||
|
|
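Review bot: the HttpOnly test on the line `if ! echo "$value" | grep -q "HttpOnly"; then` is still case-sensitive; only the display grep beneath it gained `-i`, so a `Set-Cookie` header carrying `httponly` (valid per the RFC 6265 reference in the commit message) is still reported as missing the flag, which is the false positive this commit sets out to fix. Change it to `grep -qi "HttpOnly"`, matching what was done for Secure. Separately, `grep -qi "HttpOnly" --color always` combines `-q` (suppress all output) with `--color`, so the highlighted line is never printed; either drop `-q` on that line or drop `--color always`. Finally, both `grep -qi "Secure"` and the HttpOnly test match the string anywhere in the header, including inside a cookie name or value (for example `insecure=1`), so consider anchoring on the attribute boundary, e.g. `grep -qiE '(^|;)[[:space:]]*Secure[[:space:]]*(;|$)'`, to avoid reporting the flag as present when it is not.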