From 8d6f88421b8345626359ff3576e378dfc4d7bb73 Mon Sep 17 00:00:00 2001 From: meme-lord Date: Sun, 29 Jun 2025 14:11:11 +0100 Subject: [PATCH 1/3] change dedupe key for cookie reflection to per path rather than per url --- packages/workflows/src/cookie-reflection/javascript.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/workflows/src/cookie-reflection/javascript.ts b/packages/workflows/src/cookie-reflection/javascript.ts index e0ae6e7..2daa3e4 100644 --- a/packages/workflows/src/cookie-reflection/javascript.ts +++ b/packages/workflows/src/cookie-reflection/javascript.ts @@ -22,7 +22,7 @@ export async function run({ request, response }, sdk) { description: `The response from ${request.getUrl()} contains the value "${cookie_val}" which is also the value of the cookie "${cookie_name}"`, request: request, reporter: "CookieValueReflectedInResponse", - dedupeKey: `cookie_reflect_${request.getUrl()}_${cookie_name}_${cookie_val}` + dedupeKey: `cookie_reflect_${request.getHost()}${request.getPath()()}_${cookie_name}_${cookie_val}` }); } } From 5852f9356d7a3d0d531d9a8ced4065022d610662 Mon Sep 17 00:00:00 2001 From: meme-lord Date: Sun, 29 Jun 2025 14:12:08 +0100 Subject: [PATCH 2/3] reduced FPs from json with wrong content type workflow --- .../json-with-wrong-content-type/javascript.ts | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/packages/workflows/src/json-with-wrong-content-type/javascript.ts b/packages/workflows/src/json-with-wrong-content-type/javascript.ts index 3b3d887..b479088 100644 --- a/packages/workflows/src/json-with-wrong-content-type/javascript.ts +++ b/packages/workflows/src/json-with-wrong-content-type/javascript.ts 
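Review bot: The new dedupe key calls `request.getPath()()`, i.e. it invokes whatever getPath returns as a function; the json-with-wrong-content-type workflow in this same series interpolates `${request.getPath()}` as a plain string, so unless getPath returns a callable this line throws a TypeError at the exact moment a reflection is found, and `sdk.findings.create` is never reached. Drop the second pair of parentheses so the key reads `cookie_reflect_${request.getHost()}${request.getPath()}_${cookie_name}_${cookie_val}`. Note that the key and the finding title still embed the raw cookie value, so session tokens are persisted verbatim in the findings store — acceptable for a local testing tool, but worth a comment such as `// dedupe key intentionally carries the cookie value so each distinct token on a path is its own finding`. The enclosing function starts and ends outside this hunk.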
@@ -11,14 +11,16 @@ export async function run({ request, response }, sdk) { if (body.startsWith('{') || body.startsWith('[')) { // Regex to ignore application/json application/manifest+json if (!contentTypeHeader[0].match(/^application\/(\w*\+)?json/)) { - let description = `The content of response from ${request.getHost()}${request.getPath()} is probably JSON but the content type is not application/json`; - await sdk.findings.create({ - title: "JSON Response Without JSON Content-Type", - description: description, - request: request, - reporter: "JSON Response Without JSON Content-Type", - dedupeKey: description - }); + if (!contentTypeHeader[0].match(/^text\/(javascript|css)/)) { + let description = `The content of response from ${request.getHost()}${request.getPath()} is probably JSON but the content type is not application/json`; + await sdk.findings.create({ + title: "JSON Response Without JSON Content-Type", + description: description, + request: request, + reporter: "JSON Response Without JSON Content-Type", + dedupeKey: description + }); + } } } } From 8edce5d599f270004b5e543f88d06cd8e227cd93 Mon Sep 17 00:00:00 2001 From: bebiksior Date: Sun, 29 Jun 2025 20:16:43 +0200 Subject: [PATCH 3/3] fix validation errs --- .../src/cookie-reflection/javascript.ts | 41 +++++++++---------- .../javascript.ts | 27 ++++++------ 2 files changed, 33 insertions(+), 35 deletions(-) diff --git a/packages/workflows/src/cookie-reflection/javascript.ts b/packages/workflows/src/cookie-reflection/javascript.ts index 6c9a9c3..7abff0c 100644 --- a/packages/workflows/src/cookie-reflection/javascript.ts +++ b/packages/workflows/src/cookie-reflection/javascript.ts 
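Review bot: The added `text/javascript` exclusion hides the one mismatch a tester most wants to see — a JSON body served as script is the shape that makes it loadable cross-origin via a script tag — while a genuine JS file that begins with `{` or `[` almost never parses as JSON. Discriminating on parseability instead of on the header keeps the false-positive reduction without that blind spot: before the content-type checks add `let isJson = true; try { JSON.parse(body); } catch { isJson = false; } if (!isJson) return;` and keep only the `text/css` part of the new exclusion (parsing the whole body has a cost on large responses, so a size cap on `body` would bound it). Separately, both regexes are case-sensitive although media types are not, so `Application/JSON` would be reported as a mismatch — add the `i` flag to `/^application\/(\w*\+)?json/i`. The function's opening line and the `contentTypeHeader` lookup are outside this hunk.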
@@ -4,27 +4,26 @@ * @returns {MaybePromise} */ export async function run({ request, response }, sdk) { - if (request && response) { - const cookie_header = request.getHeader('Cookie'); - if(cookie_header) { - const split = cookie_header[0].split(";"); - for(const cookie of split){ - const split2 = cookie.split('='); - const cookie_name = split2[0]; - const cookie_val = split2[1]; - if(cookie_val.length < 6){ - // checking short cookie values like "false" would create many false positives - continue; - } - if(response.getBody().toText().indexOf(cookie_val) != -1){ - await sdk.findings.create({ - title: `Value "${cookie_val}" from cookie "${cookie_name}" is reflected`, - description: `The response from ${request.getUrl()} contains the value "${cookie_val}" which is also the value of the cookie "${cookie_name}"`, - request: request, - reporter: "CookieValueReflectedInResponse", - dedupeKey: `cookie_reflect_${request.getHost()}${request.getPath()()}_${cookie_name}_${cookie_val}` - }); - } + if (request && response) { + const cookie_header = request.getHeader("Cookie"); + if (cookie_header) { + const split = cookie_header[0].split(";"); + for (const cookie of split) { + const split2 = cookie.split("="); + const cookie_name = split2[0]; + const cookie_val = split2[1]; + if (cookie_val.length < 6) { + // checking short cookie values like "false" would create many false positives + continue; + } + if (response.getBody().toText().indexOf(cookie_val) != -1) { + await sdk.findings.create({ + title: `Value "${cookie_val}" from cookie "${cookie_name}" is reflected`, + description: `The response from ${request.getUrl()} contains the value "${cookie_val}" which is also the value of the cookie "${cookie_name}"`, + request: request, + reporter: "CookieValueReflectedInResponse", + dedupeKey: `cookie_reflect_${request.getHost()}${request.getPath()()}_${cookie_name}_${cookie_val}`, + }); } } } 
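Review bot: The cookie parsing on the new side is fragile in ways that either crash the workflow or skip the cookies that matter: `cookie.split("=")` truncates any value containing `=` (base64 padding such as `abc==` yields `cookie_val === ""` and is silently skipped), and a trailing `;` or an empty segment gives `split2[1] === undefined`, so `cookie_val.length` throws before any finding is created. Splitting on the first `=` and skipping segments without one fixes both; the `sdk.findings.create` call should also stop calling `request.getPath()()`, which invokes the returned string as a function (the sibling workflow uses `${request.getPath()}` as a string). The old side removes 21 lines and the new side adds 20, and the unmatched removed line is the `}` closing the `if (…indexOf…)` block, so it is worth confirming the brace count still balances — the function's closing line is outside this hunk.
```typescript
      for (const cookie of split) {
        // Split on the first "=" only: values may themselves contain "=" (base64 padding).
        const eq = cookie.indexOf("=");
        if (eq === -1) {
          // empty or malformed segment (e.g. a trailing ";"), nothing to check
          continue;
        }
        const cookie_name = cookie.slice(0, eq).trim();
        const cookie_val = cookie.slice(eq + 1).trim();
        // … unchanged: short-value skip and body indexOf check …
            dedupeKey: `cookie_reflect_${request.getHost()}${request.getPath()}_${cookie_name}_${cookie_val}`,
```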
diff --git a/packages/workflows/src/json-with-wrong-content-type/javascript.ts b/packages/workflows/src/json-with-wrong-content-type/javascript.ts index 9be8581..aee0c58 100644 --- a/packages/workflows/src/json-with-wrong-content-type/javascript.ts +++ b/packages/workflows/src/json-with-wrong-content-type/javascript.ts @@ -8,21 +8,20 @@ export async function run({ request, response }, sdk) { const body = response.getBody().toText().trimLeft(); const contentTypeHeader = response.getHeader("Content-Type"); - if (body.startsWith('{') || body.startsWith('[')) { - // Regex to ignore application/json application/manifest+json - if (!contentTypeHeader[0].match(/^application\/(\w*\+)?json/)) { - if (!contentTypeHeader[0].match(/^text\/(javascript|css)/)) { - let description = `The content of response from ${request.getHost()}${request.getPath()} is probably JSON but the content type is not application/json`; - await sdk.findings.create({ - title: "JSON Response Without JSON Content-Type", - description: description, - request: request, - reporter: "JSON Response Without JSON Content-Type", - dedupeKey: description - }); - } - } + if (body.startsWith("{") || body.startsWith("[")) { + // Regex to ignore application/json application/manifest+json + if (!contentTypeHeader[0].match(/^application\/(\w*\+)?json/)) { + if (!contentTypeHeader[0].match(/^text\/(javascript|css)/)) { + let description = `The content of response from ${request.getHost()}${request.getPath()} is probably JSON but the content type is not application/json`; + await sdk.findings.create({ + title: "JSON Response Without JSON Content-Type", + description: description, + request: request, + reporter: "JSON Response Without JSON Content-Type", + dedupeKey: description, + }); } + } } } }
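Review bot: The new side indexes `contentTypeHeader[0]` without checking that the header exists, so a response with no Content-Type at all — the very case this workflow is named for — throws instead of being reported, assuming `getHeader` returns undefined or null for an absent header (not visible here, so worth confirming). Normalising once before the checks, `const contentType = contentTypeHeader?.[0] ?? "";`, and using `contentType` in both `match` calls makes the absent-header case fall through to the finding, since an empty string matches neither regex. While touching that line, `trimLeft()` is a legacy alias and `trimStart()` is the standard name. The function's signature line is only visible in the hunk header, so its opening is outside this hunk.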