Fix to avoid duplicated issue in Burp for the same URL.

GoSecure · Jun 27, 2016 · b7e0b55 · b7e0b55
1 parent 10491c5
commit b7e0b55
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 3 deletions.
diff --git a/csp-auditor-burp-plugin/src/main/java/burp/scanner/CspHeaderScanner.java b/csp-auditor-burp-plugin/src/main/java/burp/scanner/CspHeaderScanner.java
@@ -47,7 +47,10 @@ public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, I
 
     @Override
     public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) {
-        return 0;
+        if(existingIssue.getUrl().equals(newIssue.getUrl())) {
+            return -1; //Keep the old issue
+        }
+        return 0; //Accept both
     }
 
     private List<IScanIssue> convertIssues(List<CspIssue> issues,IHttpRequestResponse baseRequestResponse) {

diff --git a/csp-auditor-core/src/main/resources/resources/descriptions/issue_script_wildcard.htm b/csp-auditor-core/src/main/resources/resources/descriptions/issue_script_wildcard.htm
@@ -2,6 +2,8 @@
 
 <p>The <code>script-src</code> directive allows scripts from any domain to be loaded. An attacker will be able to load external scripts if a XSS insertion point is present.</p>
 <br/>
+<p>
 <b>References:</b><br/>
 <br/>
 <a href="https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives">CSP Policy Directives</a>
+</p>
diff --git a/csp-auditor-core/src/main/resources/resources/descriptions/issue_style.htm b/csp-auditor-core/src/main/resources/resources/descriptions/issue_style.htm
@@ -1,8 +1,9 @@
 <p>The configuration allows the inclusion of arbitrary stylesheets. Stylesheet inclusion has very limited possibilities.</p>
-
+<p>
 <b>References:</b><br/>
 <br/>
 <a href="http://sirdarckcat.blogspot.ca/2008/10/about-css-attacks.html">About CSS Attacks</a> by Eduardo Vela<br/>
 <a href="http://mksben.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html">CSS based Attack: Abusing unicode-range of @font-face</a> by Masato Kinugawa<br/>
 <a href="https://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf">Scriptless Attacks – Stealing the Pie Without Touching the Sill</a> by Mario Heiderich, Marcus Niemietz, Felix Schuster, Thorsten Holz, J&#xF6;rg Schwenk<br/>
-<a href="http://blog.portswigger.net/2015/02/prssi.html">Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities</a> by James Kettle<br/>
+<a href="http://blog.portswigger.net/2015/02/prssi.html">Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities</a> by James Kettle
+</p>
diff --git a/downloads/csp-auditor-burp-1.jar b/downloads/csp-auditor-burp-1.jar