Merge pull request #225 from aman566/patch-9

Improved X-XSS-Protection header codebase
OWASP · Mar 16, 2020 · 4fd34a5 · 4fd34a5
2 parents ff0897a + 3b50710
commit 4fd34a5
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/lib/vuln/XSS_protection/engine.py b/lib/vuln/XSS_protection/engine.py
@@ -60,6 +60,7 @@ def conn(targ, port, timeout_sec, socks_proxy):
 
 def xss_protection(target, port, timeout_sec, log_in_file, language, time_sleep,
                    thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
+    regex = '1; report='+'https?:\/\/(www\.)?[-a-zA-Z0-9]{1,256}\.[-a-zA-Z0-9]{1,6}'
     try:
         s = conn(target, port, timeout_sec, socks_proxy)
         if not s:
@@ -73,6 +74,10 @@ def xss_protection(target, port, timeout_sec, log_in_file, language, time_sleep,
             try:
                 if req.headers['X-XSS-Protection'] == '1; mode=block':
                     return False
+                elif req.header['X-XSS-Protection'] == '1':
+                    return False
+                elif re.match(regex, req.header['X-XSS-Protection']):
+                    return False
                 else:
                     return True
             except: