From ff96cd39b07822dfcd3161428a4d77c3feb894fc Mon Sep 17 00:00:00 2001
From: Sasha Romijn
Date: Mon, 7 Nov 2022 16:45:03 +0100
Subject: [PATCH] Ref #735 - Clean up X-XSS-Protection test (#779)

This removes the test entirely, but results from historic tests are kept and still displayed. Translations are also kept.
---
 checks/categories.py                    | 25 --------------
 checks/models.py                        |  4 +--
 checks/scoring.py                       |  4 ---
 checks/tasks/appsecpriv.py              | 14 --------
 checks/tasks/http_headers.py            | 44 -------------------------
 interface/batch/__init__.py             |  7 ----
 interface/batch/openapi.yaml            | 10 ------
 interface/templates/domain-results.html |  1 +
 8 files changed, 2 insertions(+), 107 deletions(-)

diff --git a/checks/categories.py b/checks/categories.py
index cc9ef286a..30cb53ae2 100644
--- a/checks/categories.py
+++ b/checks/categories.py
@@ -177,8 +177,6 @@ def __init__(self, name="web-appsecpriv"):
             WebAppsecprivHttpCsp,
             WebAppsecprivHttpXContentType,
             WebAppsecprivSecuritytxt,
-            # TODO: To be removed in the future.
-            # WebAppsecprivHttpXXss,
         ]
         super(WebAppsecpriv, self).__init__(name, subtests)
@@ -2236,29 +2234,6 @@ def result_bad(self, tech_data):
         self.tech_data = tech_data or ""
-class WebAppsecprivHttpXXss(Subtest):
-    def __init__(self):
-        super(WebAppsecprivHttpXXss, self).__init__(
-            name="http_x_xss",
-            label="detail web appsecpriv http-x-xss label",
-            explanation="detail web appsecpriv http-x-xss exp",
-            tech_string="detail web appsecpriv http-x-xss tech table",
-            worst_status=scoring.WEB_APPSECPRIV_X_XSS_PROTECTION_WORST_STATUS,
-            full_score=scoring.WEB_APPSECPRIV_X_XSS_PROTECTION_GOOD,
-            model_score_field="x_xss_protection_score",
-        )
-
-    def result_good(self, tech_data):
-        self._status(STATUS_SUCCESS)
-        self.verdict = "detail web appsecpriv http-x-xss verdict good"
-        self.tech_data = tech_data
-
-    def result_bad(self, tech_data):
-        self._status(STATUS_FAIL)
-        self.verdict = "detail web appsecpriv http-x-xss verdict bad"
-        self.tech_data = tech_data or ""
-
-
 class WebAppsecprivHttpXContentType(Subtest):
     def __init__(self):
         super(WebAppsecprivHttpXContentType, self).__init__(
diff --git a/checks/models.py b/checks/models.py
index 676dfb8c4..6ee3a859e 100644
--- a/checks/models.py
+++ b/checks/models.py
@@ -688,6 +688,7 @@ class DomainTestAppsecpriv(BaseTestModel):
     x_frame_options_values = ListField(default=[])
     x_frame_options_score = models.IntegerField(null=True)
+    # This check was removed, but we keep the data for legacy records
     x_xss_protection_enabled = models.BooleanField(null=True, default=False)
     x_xss_protection_values = ListField(default=[])
     x_xss_protection_score = models.IntegerField(null=True)
@@ -754,9 +755,6 @@ def get_web_api_details(self):
             "securitytxt_errors": self.securitytxt_errors,
             "securitytxt_recommendations": self.securitytxt_recommendations,
             "securitytxt_found_host": self.securitytxt_found_host,
-            # TODO: to be removed in the future.
-            # 'x_xss_protection_enabled': self.x_xss_protection_enabled,
-            # 'x_xss_protection_values': self.x_xss_protection_values,
         }
     class Meta:
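Review bot: The comment added above `x_xss_protection_enabled` in the @@ -688 hunk of checks/models.py says the data is kept but not that it is no longer produced: `save_results()` in checks/tasks/appsecpriv.py stops assigning these three fields in this same commit, so every new row will carry the model defaults `False` and `[]`, which is indistinguishable from a historic "header checked and absent" result for anything that still reads the columns. Spelling that out would protect the next reader, e.g. `# Check removed (#779): no longer written by save_results(); columns kept only so historic rows stay readable. False/[] on newer rows means "not checked", not "header missing".` If a consumer needs the distinction, `default=None` on the BooleanField would make it explicit, at the cost of a model-state migration. The enclosing class DomainTestAppsecpriv continues outside the hunk.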
diff --git a/checks/scoring.py b/checks/scoring.py
index 87b19ade1..e716656c8 100644
--- a/checks/scoring.py
+++ b/checks/scoring.py
@@ -189,10 +189,6 @@
 WEB_APPSECPRIV_X_CONTENT_TYPE_OPTIONS_BAD = NO_POINTS
 WEB_APPSECPRIV_X_CONTENT_TYPE_OPTIONS_WORST_STATUS = STATUS_NOTICE
-WEB_APPSECPRIV_X_XSS_PROTECTION_GOOD = FULL_WEIGHT_POINTS
-WEB_APPSECPRIV_X_XSS_PROTECTION_BAD = FULL_WEIGHT_POINTS  # TODO: XSS to be removed in the future.
-WEB_APPSECPRIV_X_XSS_PROTECTION_WORST_STATUS = STATUS_INFO
-
 WEB_APPSECPRIV_REFERRER_POLICY_GOOD = FULL_WEIGHT_POINTS
 WEB_APPSECPRIV_REFERRER_POLICY_BAD = FULL_WEIGHT_POINTS
 WEB_APPSECPRIV_REFERRER_POLICY_WORST_STATUS = STATUS_NOTICE
diff --git a/checks/tasks/appsecpriv.py b/checks/tasks/appsecpriv.py
index 5b6e31eec..8c4dc079b 100644
--- a/checks/tasks/appsecpriv.py
+++ b/checks/tasks/appsecpriv.py
@@ -15,7 +15,6 @@
     HeaderCheckerReferrerPolicy,
     HeaderCheckerXContentTypeOptions,
     HeaderCheckerXFrameOptions,
-    HeaderCheckerXXssProtection,
     http_headers_check,
 )
 from checks.tasks.shared import aggregate_subreports, results_per_domain
@@ -116,9 +115,6 @@ def save_results(model, results, addr, domain):
            model.x_content_type_options_enabled = result.get("x_content_type_options_enabled")
            model.x_content_type_options_score = result.get("x_content_type_options_score")
            model.x_content_type_options_values = result.get("x_content_type_options_values")
-           model.x_xss_protection_enabled = result.get("x_xss_protection_enabled")
-           model.x_xss_protection_score = result.get("x_xss_protection_score")
-           model.x_xss_protection_values = result.get("x_xss_protection_values")
            model.referrer_policy_enabled = result.get("referrer_policy_enabled")
            model.referrer_policy_score = result.get("referrer_policy_score")
            model.referrer_policy_values = result.get("referrer_policy_values")
@@ -146,15 +142,6 @@ def build_report(model, category):
         else:
             category.subtests["http_x_frame"].result_bad(model.x_frame_options_values)
-        # Do not include XSS in the report.
-        # TODO: Will be removed altogether in the future.
-        # if model.x_xss_protection_enabled:
-        #     category.subtests['http_x_xss'].result_good(
-        #         model.x_xss_protection_values)
-        # else:
-        #     category.subtests['http_x_xss'].result_bad(
-        #         model.x_xss_protection_values)
-
         if model.referrer_policy_enabled:
             category.subtests["http_referrer_policy"].result_good(model.referrer_policy_values)
         else:
@@ -212,7 +199,6 @@ def do_web_appsecpriv(af_ip_pairs, url, task, *args, **kwargs):
        HeaderCheckerContentSecurityPolicy(),
        HeaderCheckerXFrameOptions(),
        HeaderCheckerReferrerPolicy(),
-       HeaderCheckerXXssProtection(),
        HeaderCheckerXContentTypeOptions(),
    ]
    for af_ip_pair in af_ip_pairs:
diff --git a/checks/tasks/http_headers.py b/checks/tasks/http_headers.py
index 85b61e566..1f7df12dd 100644
--- a/checks/tasks/http_headers.py
+++ b/checks/tasks/http_headers.py
@@ -602,50 +602,6 @@ def get_negative_values(self):
         }
-class HeaderCheckerXXssProtection(object):
-    """
-    Class for checking the X-Xss-Protection HTTP header.
-
-    """
-
-    def __init__(self):
-        self.name = "X-Xss-Protection"
-
-    def check(self, value, results, domain):
-        """
-        Check if XSS protection is enabled.
-
-        """
-        if not value:
-            score = scoring.WEB_APPSECPRIV_X_XSS_PROTECTION_BAD
-            results["x_xss_protection_score"] = score
-            results["x_xss_protection_enabled"] = False
-        else:
-            values = get_multiple_values_from_header(value)
-            enabled = values[0].split(";")[0]
-            if enabled == "0":
-                score = scoring.WEB_APPSECPRIV_X_XSS_PROTECTION_BAD
-                results["x_xss_protection_score"] = score
-                results["x_xss_protection_enabled"] = False
-            results["x_xss_protection_values"].extend(values)
-
-    def get_positive_values(self):
-        score = scoring.WEB_APPSECPRIV_X_CONTENT_TYPE_OPTIONS_GOOD
-        return {
-            "x_xss_protection_enabled": True,
-            "x_xss_protection_score": score,
-            "x_xss_protection_values": [],
-        }
-
-    def get_negative_values(self):
-        score = scoring.WEB_APPSECPRIV_X_CONTENT_TYPE_OPTIONS_BAD
-        return {
-            "x_xss_protection_enabled": False,
-            "x_xss_protection_score": score,
-            "x_xss_protection_values": [],
-        }
-
-
 class HeaderCheckerReferrerPolicy(object):
     """
     Class for checking the Referrer-Policy HTTP header.
diff --git a/interface/batch/__init__.py b/interface/batch/__init__.py
index 014b01b77..00cb909d3 100644
--- a/interface/batch/__init__.py
+++ b/interface/batch/__init__.py
@@ -310,13 +310,6 @@
         "type": "test",
         "translation_key": "web appsecpriv http-x-content",
     },
-    # TODO: To be removed in the future.
-    # {
-    #     'name': 'web_appsecpriv_x_xss_protection',
-    #     'name_on_report': 'http_x_xss',
-    #     'type': 'test',
-    #     'translation_key': 'web appsecpriv http-x-xss'
-    # },
     {
         "name": "web_appsecpriv_csp",
         "name_on_report": "http_csp",
diff --git a/interface/batch/openapi.yaml b/interface/batch/openapi.yaml
index 4e26aa0c1..06fe53e43 100644
--- a/interface/batch/openapi.yaml
+++ b/interface/batch/openapi.yaml
@@ -807,16 +807,6 @@ components:
              behavior.
            items:
              type: string
-          x_xss_protection_enabled:
-            type: boolean
-            description: If the X-Xss-Protection header is set by the server.
-          x_xss_protection_values:
-            type: array
-            description: >
-              List of headers. Only the first one is evaluated as per browser
-              behavior.
-            items:
-              type: string
          referrer_policy_enabled:
            type: boolean
            description: If the Referrer-Policy header is set by the server.
diff --git a/interface/templates/domain-results.html b/interface/templates/domain-results.html
index 0d9c0428f..3b9ae7238 100644
--- a/interface/templates/domain-results.html
+++ b/interface/templates/domain-results.html
@@ -71,6 +71,7 @@

     {% include "details-test-item.html" with testitem=details.http_x_frame %}
     {% include "details-test-item.html" with testitem=details.http_x_content_type %}
+    {# x-XSS shown for historical results only #}
     {% include "details-test-item.html" with testitem=details.http_x_xss %}
     {% include "details-test-item.html" with testitem=details.http_csp %}
     {% include "details-test-item.html" with testitem=details.http_referrer_policy %}
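Review bot: The include for `details.http_x_xss` stays unconditional, but with WebAppsecprivHttpXXss removed from the category in checks/categories.py the `http_x_xss` item will presumably be absent from `details` for any newly generated result, so details-test-item.html is rendered with an empty `testitem`; whether that yields an empty row or nothing at all depends on that template, which is not in the diff. Guarding the include makes the intent of the new comment explicit: `{% if details.http_x_xss %}` / `{% include "details-test-item.html" with testitem=details.http_x_xss %}` / `{% endif %}`. The comment itself could also say where the historic item comes from, e.g. `{# http_x_xss only exists in reports stored before the check was removed (#779) #}`.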