Skip to content

Commit

Permalink
Fixed bug in Mutliple Security Header Check.js
Browse files Browse the repository at this point in the history
Signed-off-by: Simon Bennetts <[email protected]>
  • Loading branch information
psiinon committed Aug 6, 2024
1 parent bf5135a commit 48b0467
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 2 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## [Unreleased]
### Changed
- Add cautionary note to help and readme.
###
- Fixed bug in 'Mutliple Security Header Check.js'.

## [19] - 2024-07-01
### Added
Expand Down
9 changes: 7 additions & 2 deletions passive/Mutliple Security Header Check.js
Original file line number Diff line number Diff line change
Expand Up @@ -50,17 +50,21 @@ function scan(helper, msg, src) {
"Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).",
"",
];
var responseHeader = msg.getResponseHeader().toString();

// test sts
if (msg.getRequestHeader().isSecure()) {
if (msg.getResponseHeader().getHeaders("Strict-Transport-Security") == null)
if (
msg.getResponseHeader().getHeaders("Strict-Transport-Security") == null
) {
helper
.newAlert()
.setName(alertTitle[0])
.setDescription(alertDesc[0])
.setSolution(alertSolution[0])
.setMessage(msg)
.raise();
}
}
// test csp
if (
Expand All @@ -69,14 +73,15 @@ function scan(helper, msg, src) {
"X-Content-Security-Policy",
"X-WebKit-CSP",
])
)
) {
helper
.newAlert()
.setName(alertTitle[1])
.setDescription(alertDesc[1])
.setSolution(alertSolution[1])
.setMessage(msg)
.raise();
}

// test xxs protection
var re_xss = /(X\-XSS\-Protection\:.+1)/g;
Expand Down

0 comments on commit 48b0467

Please sign in to comment.