From b5c5c219269a08901d55f303ca73d04f082b24c4 Mon Sep 17 00:00:00 2001
From: Vasco Franco
Date: Sat, 13 Nov 2021 23:53:18 +0000
Subject: [PATCH] Fixes "origin reflected" check

Previously there was a missing call to `headers = requester(url, scheme, header_dict, origin)` in the "origin reflected" check. This meant that the code was not using the intended origin (`origin = root + '://' + 'example.com'`). Intead, the check incorreclty used the headers from the first request (with `origin = scheme + '://' + root`). This commit fixes this problem by making the missing request.
---
 core/tests.py | 144 +++++++++++++++++++++++++------------------------
 1 file changed, 73 insertions(+), 71 deletions(-)

diff --git a/core/tests.py b/core/tests.py
index e8de404..be042ea 100644
--- a/core/tests.py
+++ b/core/tests.py
@@ -25,85 +25,87 @@ def passive_tests(url, headers):
 def active_tests(url, root, scheme, header_dict, delay):
 origin = scheme + '://' + root
 headers = requester(url, scheme, header_dict, origin)
- if headers:
- origin = root + '://' + 'example.com'
- acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
- if acao_header and acao_header == (origin):
- info = details['origin reflected']
- info['acao header'] = acao_header
- info['acac header'] = acac_header
- return {url : info}
- elif not acao_header:
- return
- time.sleep(delay)
+ acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
+ if acao_header is None:
+ return
+
+ origin = root + '://' + 'example.com'
+ headers = requester(url, scheme, header_dict, origin)
+ acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
+ if acao_header and acao_header == (origin):
+ info = details['origin reflected']
+ info['acao header'] = acao_header
+ info['acac header'] = acac_header
+ return {url : info}
+ time.sleep(delay)
 
- origin = scheme + '://' + root + '.example.com'
- headers = requester(url, scheme, header_dict, origin)
- acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
- if acao_header and acao_header == (origin):
- info = details['post-domain wildcard']
- info['acao header'] = acao_header
- info['acac header'] = acac_header
- return {url : info}
- time.sleep(delay)
+ origin = scheme + '://' + root + '.example.com'
+ headers = requester(url, scheme, header_dict, origin)
+ acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
+ if acao_header and acao_header == (origin):
+ info = details['post-domain wildcard']
+ info['acao header'] = acao_header
+ info['acac header'] = acac_header
+ return {url : info}
+ time.sleep(delay)
 
- origin = scheme + '://d3v' + root
- headers = requester(url, scheme, header_dict, origin)
- acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
- if acao_header and acao_header == (origin):
- info = details['pre-domain wildcard']
- info['acao header'] = acao_header
- info['acac header'] = acac_header
- return {url : info}
- time.sleep(delay)
+ origin = scheme + '://d3v' + root
+ headers = requester(url, scheme, header_dict, origin)
+ acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
+ if acao_header and acao_header == (origin):
+ info = details['pre-domain wildcard']
+ info['acao header'] = acao_header
+ info['acac header'] = acac_header
+ return {url : info}
+ time.sleep(delay)
 
- origin = 'null'
- headers = requester(url, '', header_dict, origin)
- acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
- if acao_header and acao_header == 'null':
- info = details['null origin allowed']
- info['acao header'] = acao_header
- info['acac header'] = acac_header
- return {url : info}
- time.sleep(delay)
+ origin = 'null'
+ headers = requester(url, '', header_dict, origin)
+ acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
+ if acao_header and acao_header == 'null':
+ info = details['null origin allowed']
+ info['acao header'] = acao_header
+ info['acac header'] = acac_header
+ return {url : info}
+ time.sleep(delay)
 
- origin = scheme + '://' + root + '_.example.com'
+ origin = scheme + '://' + root + '_.example.com'
+ headers = requester(url, scheme, header_dict, origin)
+ acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
+ if acao_header and acao_header == origin:
+ info = details['unrecognized underscore']
+ info['acao header'] = acao_header
+ info['acac header'] = acac_header
+ return {url : info}
+ time.sleep(delay)
+
+ origin = scheme + '://' + root + '%60.example.com'
+ headers = requester(url, scheme, header_dict, origin)
+ acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
+ if acao_header and '`.example.com' in acao_header:
+ info = details['broken parser']
+ info['acao header'] = acao_header
+ info['acac header'] = acac_header
+ return {url : info}
+ time.sleep(delay)
+
+ if root.count('.') > 1:
+ origin = scheme + '://' + root.replace('.', 'x', 1)
 headers = requester(url, scheme, header_dict, origin)
 acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
 if acao_header and acao_header == origin:
- info = details['unrecognized underscore']
+ info = details['unescaped regex']
 info['acao header'] = acao_header
 info['acac header'] = acac_header
 return {url : info}
 time.sleep(delay)
-
- origin = scheme + '://' + root + '%60.example.com'
- headers = requester(url, scheme, header_dict, origin)
- acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
- if acao_header and '`.example.com' in acao_header:
- info = details['broken parser']
- info['acao header'] = acao_header
- info['acac header'] = acac_header
- return {url : info}
- time.sleep(delay)
-
- if root.count('.') > 1:
- origin = scheme + '://' + root.replace('.', 'x', 1)
- headers = requester(url, scheme, header_dict, origin)
- acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
- if acao_header and acao_header == origin:
- info = details['unescaped regex']
- info['acao header'] = acao_header
- info['acac header'] = acac_header
- return {url : info}
- time.sleep(delay)
- origin = 'http://' + root
- headers = requester(url, 'http', header_dict, origin)
- acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
- if acao_header and acao_header.startswith('http://'):
- info = details['http origin allowed']
- info['acao header'] = acao_header
- info['acac header'] = acac_header
- return {url : info}
- else:
- return passive_tests(url, headers)
+ origin = 'http://' + root
+ headers = requester(url, 'http', header_dict, origin)
+ acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
+ if acao_header and acao_header.startswith('http://'):
+ info = details['http origin allowed']
+ info['acao header'] = acao_header
+ info['acac header'] = acac_header
+ return {url : info}
+ else:
+ return passive_tests(url, headers)
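Review bot: The first added line, `acao_header, acac_header = headers.get(...)`, now runs without the `if headers:` guard that the removed block had, so if `requester` can return `None` or another falsy value on a failed request, `active_tests` raises `AttributeError` where it previously returned quietly; I would restore `if not headers: return` directly after the initial `headers = requester(url, scheme, header_dict, origin)` context line. Replacing `elif not acao_header: return` with `if acao_header is None: return` also changes what an empty `Access-Control-Allow-Origin` value does — the remaining probes now run against it — which looks deliberate but deserves a one-line comment such as `# an empty ACAO header still means CORS is enabled; keep probing`. A pre-existing issue the new side keeps is that every `info = details[...]` block writes into the shared `details` entry in place, so a finding recorded for one URL stays attached to that entry when later URLs are tested; copying the entry first (`info = dict(details['origin reflected'])` and likewise in the other blocks) would isolate results per URL. The body of `active_tests` fills the whole hunk and `requester`, `details` and `passive_tests` are defined outside it, so whether `requester` can return a non-dict is inferred from the removed guard rather than visible here.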