From a4297e0d2128878cec291e6a6ef52879a54f3be0 Mon Sep 17 00:00:00 2001
From: Jan Klopper
Date: Wed, 18 Dec 2024 12:11:19 +0100
Subject: [PATCH 1/5] Update disallowed_csp_hostnames.py, also trigger on higher level denied domains

If a subdomain of a denied domain is listed, we should warn. Eg, if www.badexample.com is used in the CSP, but badexample.com is listed we should trigger.
---
 .../disallowed_csp_hostnames.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py b/octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py
index c67b8e01bb8..8d3d36c76a2 100644
--- a/octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py
+++ b/octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py
@@ -31,9 +31,11 @@ def run(input_ooi: HTTPHeaderHostname, additional_oois: list, config: dict[str,
     disallowed_hostnames_from_config = get_disallowed_hostnames_from_config(config, "disallowed_hostnames", [])
     disallowed_domains.extend(disallowed_hostnames_from_config)
-
-    if hostname.lower() in disallowed_domains:
-        ft = KATFindingType(id="KAT-DISALLOWED-DOMAIN-IN-CSP")
-        f = Finding(ooi=input_ooi.reference, finding_type=ft.reference)
-        yield ft
-        yield f
+    hostnameparts = hostname.lower().split(".")
+    for i in range(len(hostnameparts)):
+        if '.'.join(hostnameparts[i:]) in disallowed_domains:
+            ft = KATFindingType(id="KAT-DISALLOWED-DOMAIN-IN-CSP")
+            f = Finding(ooi=input_ooi.reference, finding_type=ft.reference)
+            yield ft
+            yield f
+            break

From b4ae0e9df47b014cdc9344ae3e56ae7559be4f11 Mon Sep 17 00:00:00 2001
From: Jan Klopper
Date: Wed, 18 Dec 2024 12:40:08 +0100
Subject: [PATCH 2/5] Update disallowed_csp_hostnames.py

---
 .../bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
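Review bot: The new suffix walk normalises only the hostname side (`hostname.lower()`) and never the denylist, so a config entry such as `BadExample.com` or `badexample.com.` silently never matches, and a hostname carrying a trailing dot (`www.badexample.com.`, which `split(".")` turns into a trailing empty label) is likewise never flagged; whether this OOI model or `get_disallowed_hostnames_from_config` already strips those forms is not visible in the hunk, so this needs confirming. Normalising both sides once before the loop closes that gap, and the `for ... range(len(...))` plus `break` reads more directly as an `any()` over the candidate suffixes. The first-match `break` also means a bare TLD entry like `com` in the denylist flags every `.com` host, which the later comment documents but which a config author may not expect. The body of `run` starts outside the hunk, so where `disallowed_domains` and `hostname` come from cannot be checked here.
```python
    # Normalise both sides once: case and a trailing dot must not defeat the match.
    denied = {d.lower().rstrip(".") for d in disallowed_domains}
    labels = hostname.lower().rstrip(".").split(".")
    # For e.g. ["www", "example", "com"], check "www.example.com", "example.com" and "com"
    if any(".".join(labels[i:]) in denied for i in range(len(labels))):
        # … unchanged: KATFindingType / Finding construction and the two yields …
```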
diff --git a/octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py b/octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py
index 8d3d36c76a2..1d02ac4ffd8 100644
--- a/octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py
+++ b/octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py
@@ -33,7 +33,7 @@ def run(input_ooi: HTTPHeaderHostname, additional_oois: list, config: dict[str,
     disallowed_domains.extend(disallowed_hostnames_from_config)
     hostnameparts = hostname.lower().split(".")
     for i in range(len(hostnameparts)):
-        if '.'.join(hostnameparts[i:]) in disallowed_domains:
+        if ".".join(hostnameparts[i:]) in disallowed_domains:
             ft = KATFindingType(id="KAT-DISALLOWED-DOMAIN-IN-CSP")
             f = Finding(ooi=input_ooi.reference, finding_type=ft.reference)
             yield ft

From fcc371b5d7fa703791f5df7e86533039eb7a6891 Mon Sep 17 00:00:00 2001
From: Jan Klopper
Date: Tue, 31 Dec 2024 10:28:11 +0100
Subject: [PATCH 3/5] Update octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py

Co-authored-by: Donny Peeters <46660228+Donnype@users.noreply.github.com>
---
 .../bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py b/octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py
index 1d02ac4ffd8..659ae88f9d0 100644
--- a/octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py
+++ b/octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py
@@ -32,6 +32,8 @@ def run(input_ooi: HTTPHeaderHostname, additional_oois: list, config: dict[str,
     disallowed_domains.extend(disallowed_hostnames_from_config)
     hostnameparts = hostname.lower().split(".")
+
+    # For e.g. ["www", "example", "com"], check "www.example.com", "example.com" and "com"
     for i in range(len(hostnameparts)):
         if ".".join(hostnameparts[i:]) in disallowed_domains:
             ft = KATFindingType(id="KAT-DISALLOWED-DOMAIN-IN-CSP")
From 031bd7bbf4fb066fe8e7ccd4431c74c1f2f6449b Mon Sep 17 00:00:00 2001
From: Jan Klopper
Date: Thu, 2 Jan 2025 13:30:09 +0100
Subject: [PATCH 4/5] Update disallowed_csp_hostnames.py

---
 .../bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py b/octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py
index 659ae88f9d0..5dcdfa1b969 100644
--- a/octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py
+++ b/octopoes/bits/disallowed_csp_hostnames/disallowed_csp_hostnames.py
@@ -32,7 +32,7 @@ def run(input_ooi: HTTPHeaderHostname, additional_oois: list, config: dict[str,
     disallowed_domains.extend(disallowed_hostnames_from_config)
     hostnameparts = hostname.lower().split(".")
-
     # For e.g. ["www", "example", "com"], check "www.example.com", "example.com" and "com"
     for i in range(len(hostnameparts)):
         if ".".join(hostnameparts[i:]) in disallowed_domains:

From f8d9dfa900de4815c6e40c507cac3394789d79cd Mon Sep 17 00:00:00 2001
From: Rieven
Date: Thu, 2 Jan 2025 16:29:44 +0100
Subject: [PATCH 5/5] add test

---
 .../tests/test_disallowed_csp_hostnames.py | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/octopoes/tests/test_disallowed_csp_hostnames.py b/octopoes/tests/test_disallowed_csp_hostnames.py
index 60abf4b38c5..cb718dd9545 100644
--- a/octopoes/tests/test_disallowed_csp_hostnames.py
+++ b/octopoes/tests/test_disallowed_csp_hostnames.py
@@ -65,3 +65,23 @@ def test_disallowed_csp_headers_disallow_custom_hostname():
             ooi=http_header_hostname.reference, finding_type=KATFindingType(id="KAT-DISALLOWED-DOMAIN-IN-CSP").reference
         ),
     ]
+
+
+def test_disallowed_csp_headers_disallow_subdomains():
+    http_header_hostname = HTTPHeaderHostname(
+        hostname=Reference.from_str("Hostname|internet|subdomain.example.com"),
+        header=Reference.from_str(
+            "HTTPHeader|internet|1.1.1.1|tcp|443|https|internet|subdomain.example.com|https|internet|subdomain.example.com|443||Content-Security-Policy"
+        ),
+    )
+
+    results = list(run(http_header_hostname, [], {"disallowed_hostnames": "example.com"}))
+
+    assert "subdomain" in http_header_hostname.reference
+
+    assert results == [
+        KATFindingType(id="KAT-DISALLOWED-DOMAIN-IN-CSP"),
+        Finding(
+            ooi=http_header_hostname.reference, finding_type=KATFindingType(id="KAT-DISALLOWED-DOMAIN-IN-CSP").reference
+        ),
+    ]
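Review bot: The line `assert "subdomain" in http_header_hostname.reference` only inspects the fixture string built a few lines above and does not exercise `run`, so it adds no coverage and can be dropped. What the new test is missing is a negative case pinning label-boundary matching: a hostname such as `notexample.com` or `example.com.evil.net` checked against the denylist entry `example.com` must produce no finding, which is exactly the property that separates the per-label suffix walk from a naive substring or `endswith` check and would catch a future regression to one. A second fixture with that hostname followed by `assert list(run(other_header_hostname, [], {"disallowed_hostnames": "example.com"})) == []` is enough. The test passes the config value as a bare string rather than a list, so the splitting behaviour it relies on lives in a helper outside this hunk and is only assumed here.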