package httpx
import (
"bytes"
"strings"
"github.com/PuerkitoBio/goquery"
"github.com/projectdiscovery/httpx/common/slice"
stringsutil "github.com/projectdiscovery/utils/strings"
)
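// CSPHeaders lists the response headers CSPGrab inspects for policy sources.
// Every entry must be spelled in Go's canonical header form (as produced by
// net/http.CanonicalHeaderKey), because CSPGrab uses them as exact map keys
// into r.Headers; a differently-cased spelling would simply never match.
// The list holds the two standard headers plus the pre-standard vendor
// variants that older deployments still emit. It is not exhaustive.
var CSPHeaders = []string{
	"Content-Security-Policy",               // standard
	"Content-Security-Policy-Report-Only",   // standard
	"X-Content-Security-Policy",             // non-standard (legacy, pre-W3C)
	"X-Content-Security-Policy-Report-Only", // non-standard
	"X-Webkit-Csp",                          // non-standard (legacy WebKit)
	"X-Webkit-Csp-Report-Only",              // non-standard
}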
// CSPData is the per-response result of CSPGrab: the deduplicated, host-like
// source expressions (bare hostnames, wildcards such as *.example.com, or full
// origins) pulled out of the response's Content-Security-Policy headers and
// <meta http-equiv> tags. Domains is built from a set via slice.ToSlice, so its
// order is not guaranteed. The field is dropped from JSON output when empty.
type CSPData struct {
	Domains []string `json:"domains,omitempty"`
}
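// CSPGrab collects the host-like source expressions advertised by a response's
// Content-Security-Policy. Two places are consulted: every header named in
// CSPHeaders, and every <meta http-equiv="..."> tag in the body whose
// http-equiv value names one of those headers. Tokens are filtered by
// isPotentialDomain and deduplicated. It returns nil when nothing domain-like
// was found, so callers can omit the field entirely.
func (h *HTTPX) CSPGrab(r *Response) *CSPData {
	domains := make(map[string]struct{})

	// Headers. r.Headers is keyed by canonical header name, so the exact
	// spellings in CSPHeaders are what get matched; a missing key just
	// yields an empty range.
	for _, cspHeader := range CSPHeaders {
		for _, cspValue := range r.Headers[cspHeader] {
			parsePotentialDomains(domains, cspValue)
		}
	}

	// Body. Only <meta http-equiv> tags that actually carry a CSP are read.
	// Accepting any http-equiv would pull non-policy values into the result,
	// e.g. the redirect target of <meta http-equiv="refresh" content="0;url=...">.
	if len(r.Data) > 0 {
		doc, err := goquery.NewDocumentFromReader(bytes.NewReader(r.Data))
		// Body parsing is best-effort: an unparsable document simply
		// contributes nothing, matching the header-only behaviour.
		if err == nil {
			doc.Find("meta").Each(func(_ int, s *goquery.Selection) {
				httpEquiv, ok := s.Attr("http-equiv")
				if !ok || !matchesCSPHeader(httpEquiv) {
					return
				}
				if content, ok := s.Attr("content"); ok {
					parsePotentialDomains(domains, content)
				}
			})
		}
	}

	if len(domains) == 0 {
		return nil
	}
	return &CSPData{Domains: slice.ToSlice(domains)}
}

// matchesCSPHeader reports whether a meta http-equiv value names one of
// CSPHeaders. The comparison is case-insensitive and ignores surrounding
// whitespace because, unlike real headers, attribute values are never
// canonicalized by net/http.
func matchesCSPHeader(httpEquiv string) bool {
	name := strings.TrimSpace(httpEquiv)
	for _, cspHeader := range CSPHeaders {
		if strings.EqualFold(name, cspHeader) {
			return true
		}
	}
	return false
}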
// parsePotentialDomains tokenizes one policy string (a header value or a meta
// content attribute) on spaces, semicolons and commas, and records every token
// accepted by isPotentialDomain as a key of domains. The map is the caller's
// deduplication set; the function returns nothing.
func parsePotentialDomains(domains map[string]struct{}, data string) {
	// A policy reads "directive src1 src2 ...; directive src ...", so the
	// three separators are enough to isolate individual source expressions.
	for _, token := range stringsutil.SplitAny(data, " ", ";", ",") {
		if !isPotentialDomain(token) {
			continue
		}
		domains[token] = struct{}{}
	}
}
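// isPotentialDomain is the cheap heuristic used to keep a CSP token: anything
// containing a dot (hostnames, wildcards, origins with a path) or starting with
// "http" (origins, possibly without a dot such as http://localhost:8080).
// The scheme-only source expressions "http:" and "https:" are rejected: they
// allow any host of that scheme and therefore name no domain at all, yet the
// prefix rule alone would report them as one.
func isPotentialDomain(s string) bool {
	switch strings.ToLower(s) {
	case "http:", "https:":
		return false
	}
	return strings.Contains(s, ".") || strings.HasPrefix(s, "http")
}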