
[BUG] FAIL on lower case headers #8

Closed
HugoVG opened this issue Dec 3, 2024 · 9 comments
Labels: bug (Something isn't working)

Comments
@HugoVG

HugoVG commented Dec 3, 2024

Describe the bug
Test suite returns false negatives when lowercase headers are used
https://www.rfc-editor.org/rfc/rfc7540#section-8.1.2

Just as in HTTP/1.x, header field names are strings of ASCII
characters that are compared in a case-insensitive fashion. However,
header field names MUST be converted to lowercase prior to their
encoding in HTTP/2. A request or response containing uppercase
header field names MUST be treated as malformed.

When running oshp yml with venom

Headers:

strict-transport-security | max-age=63072000; includeSubDomains; preload
x-frame-options | DEN

Actual:

• Strict-Transport-Security FAIL
Testcase "Strict-Transport-Security", step #0-0: Assertion "result.headers.Strict-Transport-Security ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:16)
Testcase "Strict-Transport-Security", step #0-0: Assertion "result.headers.Strict-Transport-Security ShouldEqual \"max-age=31536000; includeSubDomains\"" failed. expected: max-age=31536000; includeSubDomains  got: <nil> (owasp.securityheader.yml:17)
        
• X-Frame-Options FAIL
Testcase "X-Frame-Options", step #0-0: Assertion "result.headers.X-Frame-Options ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:27)
Testcase "X-Frame-Options", step #0-0: Assertion "result.headers.X-Frame-Options ShouldBeIn \"deny\" \"DENY\"" failed. expected '<nil>' in [deny DENY] but it wasnt (owasp.securityheader.yml:28)

Also I think I found a typo
failed. expected: Not Nil but is was
is supposed to be
failed. expected: Not Nil but **it** was

To Reproduce
Steps to reproduce the behavior:

  1. Download venom (in my case linux-x64)
  2. Grab the test_suit.yml from this github
  3. venom run --var="target_site=https://owasp.org" owasp.securityheader.yml (I renamed my file)
  4. get a bunch of fails due to case insensitivity

Expected behavior
To not throw false positives when working with headers.

Screenshots
N/A

Desktop (please complete the following information):

  • OS: Windows WSL2-Ubuntu
  • Browser: CLI
  • Version: tests_suite.yml of Oct 19
@HugoVG HugoVG added the bug Something isn't working label Dec 3, 2024
@righettod righettod moved this to 🏗 Pending in ⚒ OSHP work follow-up Dec 3, 2024
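The case mismatch described in the report, as an added Go example (not venom's or OSHP's own code): an exact map lookup with the mixed-case name written in the test suite misses the lowercase names an HTTP/2 server sends, while a case-folding comparison, or rebuilding the map as an `http.Header` through `Add`, finds them. The header values are constructed samples mirroring the report.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample response headers, as an HTTP/2 server delivers them:
// RFC 7540 section 8.1.2 requires the names to be lowercase on the wire.
// (Values mirror the report; this is not captured traffic.)
var sampleHeaders = map[string][]string{
	"strict-transport-security": {"max-age=63072000; includeSubDomains; preload"},
	"x-frame-options":           {"DENY"},
	"content-type":              {"text/html; charset=utf-8"},
}

// exactLookup models the failing behaviour: an exact-key map lookup with the
// mixed-case name from the test suite finds nothing when the server sent the
// name in lowercase, so a "ShouldNotBeNil" assertion fails on a nil value.
func exactLookup(headers map[string][]string, name string) (string, bool) {
	values, ok := headers[name]
	if !ok || len(values) == 0 {
		return "", false
	}
	return values[0], true
}

// foldLookup compares header names case-insensitively, as HTTP requires.
// It accepts any key casing at the cost of a linear scan over the map.
func foldLookup(headers map[string][]string, name string) (string, bool) {
	for k, values := range headers {
		if strings.EqualFold(k, name) && len(values) > 0 {
			return values[0], true
		}
	}
	return "", false
}

// canonicalize rebuilds the map as an http.Header through Add, which stores
// every key in canonical form ("Strict-Transport-Security"). http.Header.Get
// canonicalizes the lookup key the same way, so afterwards any casing works
// in O(1). Calling Get directly on the raw lowercase map would still miss:
// Get canonicalizes only the key it is asked for, not the stored keys.
func canonicalize(raw map[string][]string) http.Header {
	h := make(http.Header, len(raw))
	for k, values := range raw {
		for _, v := range values {
			h.Add(k, v)
		}
	}
	return h
}

func main() {
	for _, name := range []string{"Strict-Transport-Security", "X-Frame-Options"} {
		_, okExact := exactLookup(sampleHeaders, name)
		v, okFold := foldLookup(sampleHeaders, name)
		fmt.Printf("%-26s exact=%v fold=%v value=%q\n", name, okExact, okFold, v)
	}
	h := canonicalize(sampleHeaders)
	fmt.Println(h.Get("x-frame-options"), h.Get("X-FRAME-OPTIONS"))
}
```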
@righettod
Collaborator

Hello,

Thanks a lot for the bug report, I will work on it and keep you informed.

@righettod righettod pinned this issue Dec 3, 2024
@righettod
Collaborator

righettod commented Dec 3, 2024

I have tested using the latest version of venom on Windows 10 Pro using test suites from the GitHub repository and I did not face the problem mentioned:

image

Same result on a Linux machine:

image

🤔Did you use the latest version of venom?

@righettod righettod added the wait feedback Wait feedback from the opener of the issue label Dec 3, 2024
@righettod righettod moved this from 🏗 Pending to 📋 Backlog in ⚒ OSHP work follow-up Dec 3, 2024
@HugoVG
Author

HugoVG commented Dec 4, 2024

Yes, I first heard about venom yesterday and wanted to try it; I was using the latest version.
It's kinda odd, can you try testing it against the owasp.org homepage or google.com? I want to make sure it is not an issue on my end 😅

@righettod
Collaborator

righettod commented Dec 4, 2024 via email

@righettod righettod removed the wait feedback Wait feedback from the opener of the issue label Dec 4, 2024
@righettod righettod moved this from 📋 Backlog to 🏗 Pending in ⚒ OSHP work follow-up Dec 4, 2024
@righettod
Collaborator

📖Test on https://owasp.org returning the following headers:

image

💻Venom run:

image

📖Test on https://www.google.com/ returning the following headers:

image

💻Venom run:

image

🤔For me, venom and the test suites behave as expected. Did I miss something?

@righettod righettod added the wait feedback Wait feedback from the opener of the issue label Dec 4, 2024
@righettod righettod moved this from 🏗 Pending to 📋 Backlog in ⚒ OSHP work follow-up Dec 4, 2024
@HugoVG
Author

HugoVG commented Dec 5, 2024

That's weird, let me write my logs.

venom version
Version venom: v1.1.0

test_suite.yml

```yaml
name: HTTP security response headers test suites
vars:
  target_site: ''
  logout_url: ''
  request_timeout_in_seconds: 20
testcases:
  - name: Strict-Transport-Security
    steps:
      - type: http
        method: GET
        url: '{{.target_site}}'
        skip_body: true
        timeout: '{{.request_timeout_in_seconds}}'
        assertions:
          - result.statuscode ShouldEqual 200
          - result.headers.Strict-Transport-Security ShouldNotBeNil
          - result.headers.Strict-Transport-Security ShouldEqual "max-age=31536000; includeSubDomains"
  - name: X-Frame-Options
    steps:
      - type: http
        method: GET
        url: '{{.target_site}}'
        skip_body: true
        timeout: '{{.request_timeout_in_seconds}}'
        assertions:
          - result.statuscode ShouldEqual 200
          - result.headers.X-Frame-Options ShouldNotBeNil
          - result.headers.X-Frame-Options ShouldBeIn "deny" "DENY"
  - name: X-Content-Type-Options
    steps:
      - type: http
        method: GET
        url: '{{.target_site}}'
        skip_body: true
        timeout: '{{.request_timeout_in_seconds}}'
        assertions:
          - result.statuscode ShouldEqual 200
          - result.headers.X-Content-Type-Options ShouldNotBeNil
          - result.headers.X-Content-Type-Options ShouldEqual "nosniff"
  - name: Content-Security-Policy
    steps:
      - type: http
        method: GET
        url: '{{.target_site}}'
        skip_body: true
        timeout: '{{.request_timeout_in_seconds}}'
        assertions:
          - result.statuscode ShouldEqual 200
          - result.headers.Content-Security-Policy ShouldNotBeNil
          - result.headers.Content-Security-Policy ShouldNotContainSubstring "unsafe"
  - name: X-Permitted-Cross-Domain-Policies
    steps:
      - type: http
        method: GET
        url: '{{.target_site}}'
        skip_body: true
        timeout: '{{.request_timeout_in_seconds}}'
        assertions:
          - result.statuscode ShouldEqual 200
          - result.headers.X-Permitted-Cross-Domain-Policies ShouldNotBeNil
          - result.headers.X-Permitted-Cross-Domain-Policies ShouldEqual "none"
  - name: Referrer-Policy
    steps:
      - type: http
        method: GET
        url: '{{.target_site}}'
        skip_body: true
        timeout: '{{.request_timeout_in_seconds}}'
        assertions:
          - result.statuscode ShouldEqual 200
          - result.headers.Referrer-Policy ShouldNotBeNil
          - result.headers.Referrer-Policy ShouldEqual "no-referrer"
  - name: Clear-Site-Data
    steps:
      - type: http
        method: GET
        url: '{{.target_site}}/{{.logout_url}}'
        skip_body: true
        timeout: '{{.request_timeout_in_seconds}}'
        assertions:
          - result.statuscode ShouldEqual 200
          - result.headers.Clear-Site-Data ShouldNotBeNil
          - result.headers.Clear-Site-Data ShouldEqual '"cache","cookies","storage"'
  - name: Cross-Origin-Embedder-Policy
    steps:
      - type: http
        method: GET
        url: '{{.target_site}}'
        skip_body: true
        timeout: '{{.request_timeout_in_seconds}}'
        assertions:
          - result.statuscode ShouldEqual 200
          - result.headers.Cross-Origin-Embedder-Policy ShouldNotBeNil
          - result.headers.Cross-Origin-Embedder-Policy ShouldEqual "require-corp"
  - name: Cross-Origin-Opener-Policy
    steps:
      - type: http
        method: GET
        url: '{{.target_site}}'
        skip_body: true
        timeout: '{{.request_timeout_in_seconds}}'
        assertions:
          - result.statuscode ShouldEqual 200
          - result.headers.Cross-Origin-Opener-Policy ShouldNotBeNil
          - result.headers.Cross-Origin-Opener-Policy ShouldEqual "same-origin"
  - name: Cross-Origin-Resource-Policy
    steps:
      - type: http
        method: GET
        url: '{{.target_site}}'
        skip_body: true
        timeout: '{{.request_timeout_in_seconds}}'
        assertions:
          - result.statuscode ShouldEqual 200
          - result.headers.Cross-Origin-Resource-Policy ShouldNotBeNil
          - result.headers.Cross-Origin-Resource-Policy ShouldEqual "same-origin"
  - name: Permissions-Policy
    steps:
      - type: http
        method: GET
        url: '{{.target_site}}'
        skip_body: true
        timeout: '{{.request_timeout_in_seconds}}'
        assertions:
          - result.statuscode ShouldEqual 200
          - result.headers.Permissions-Policy ShouldNotBeNil
          - result.headers.Permissions-Policy ShouldEqual "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), unload=()"
  - name: Cache-Control
    steps:
      - type: http
        method: GET
        url: '{{.target_site}}'
        skip_body: true
        timeout: '{{.request_timeout_in_seconds}}'
        assertions:
          - result.statuscode ShouldEqual 200
          - result.headers.Cache-Control ShouldNotBeNil
          - 'result.headers.Cache-Control ShouldEqual "no-store, max-age=0"'
  - name: Feature-Policy
    steps:
      - type: http
        method: GET
        url: '{{.target_site}}'
        skip_body: true
        info: >-
          This header has now been renamed to Permissions-Policy
          in the specification.
        timeout: '{{.request_timeout_in_seconds}}'
        assertions:
          - result.statuscode ShouldEqual 200
          - result.headers.Feature-Policy ShouldBeNil
  - name: Public-Key-Pins
    steps:
      - type: http
        method: GET
        url: '{{.target_site}}'
        skip_body: true
        info: >-
          This header has been deprecated by all major browsers and is no longer
          recommended. Avoid using it, and update existing code if possible!
        timeout: '{{.request_timeout_in_seconds}}'
        assertions:
          - result.statuscode ShouldEqual 200
          - result.headers.Public-Key-Pins ShouldBeNil
  - name: Expect-CT
    steps:
      - type: http
        method: GET
        url: '{{.target_site}}'
        skip_body: true
        info: >-
          This header will likely become obsolete in June 2021.
          Since May 2018 new certificates are expected to support SCTs by default.
          Certificates before March 2018 were allowed to have a lifetime of 39 months,
          those will all be expired in June 2021.
        timeout: '{{.request_timeout_in_seconds}}'
        assertions:
          - result.statuscode ShouldEqual 200
          - result.headers.Expect-CT ShouldBeNil
  - name: X-XSS-Protection
    steps:
      - type: http
        method: GET
        url: '{{.target_site}}'
        skip_body: true
        info: >-
          The X-XSS-Protection header has been deprecated by modern browsers
          and its use can introduce additional security issues on the client side.
        timeout: '{{.request_timeout_in_seconds}}'
        assertions:
          - result.statuscode ShouldEqual 200
          - result.headers.X-XSS-Protection ShouldBeNil
```
Venom run google.com

venom run --var="target_site=https://google.com" owasp.securityheader.yml
      [trac] writing venom.11.log

• HTTP security response headers test suites (owasp.securityheader.yml)
• Strict-Transport-Security FAIL
Testcase "Strict-Transport-Security", step #0-0: Assertion "result.headers.Strict-Transport-Security ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:16)
Testcase "Strict-Transport-Security", step #0-0: Assertion "result.headers.Strict-Transport-Security ShouldEqual "max-age=31536000; includeSubDomains"" failed. expected: max-age=31536000; includeSubDomains got: (owasp.securityheader.yml:17)
• X-Frame-Options FAIL
Testcase "X-Frame-Options", step #0-0: Assertion "result.headers.X-Frame-Options ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:27)
Testcase "X-Frame-Options", step #0-0: Assertion "result.headers.X-Frame-Options ShouldBeIn "deny" "DENY"" failed. expected '' in [deny DENY] but it wasnt (owasp.securityheader.yml:28)
• X-Content-Type-Options FAIL
Testcase "X-Content-Type-Options", step #0-0: Assertion "result.headers.X-Content-Type-Options ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:38)
Testcase "X-Content-Type-Options", step #0-0: Assertion "result.headers.X-Content-Type-Options ShouldEqual "nosniff"" failed. expected: nosniff got: (owasp.securityheader.yml:39)
• Content-Security-Policy FAIL
Testcase "Content-Security-Policy", step #0-0: Assertion "result.headers.Content-Security-Policy ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:49)
• X-Permitted-Cross-Domain-Policies FAIL
Testcase "X-Permitted-Cross-Domain-Policies", step #0-0: Assertion "result.headers.X-Permitted-Cross-Domain-Policies ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:60)
Testcase "X-Permitted-Cross-Domain-Policies", step #0-0: Assertion "result.headers.X-Permitted-Cross-Domain-Policies ShouldEqual "none"" failed. expected: none got: (owasp.securityheader.yml:61)
• Referrer-Policy FAIL
Testcase "Referrer-Policy", step #0-0: Assertion "result.headers.Referrer-Policy ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:71)
Testcase "Referrer-Policy", step #0-0: Assertion "result.headers.Referrer-Policy ShouldEqual "no-referrer"" failed. expected: no-referrer got: (owasp.securityheader.yml:72)
• Clear-Site-Data FAIL
Testcase "Clear-Site-Data", step #0-0: Assertion "result.headers.Clear-Site-Data ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:82)
Testcase "Clear-Site-Data", step #0-0: Assertion "result.headers.Clear-Site-Data ShouldEqual '"cache","cookies","storage"'" failed. expected: "cache","cookies","storage" got: (owasp.securityheader.yml:83)
• Cross-Origin-Embedder-Policy FAIL
Testcase "Cross-Origin-Embedder-Policy", step #0-0: Assertion "result.headers.Cross-Origin-Embedder-Policy ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:93)
Testcase "Cross-Origin-Embedder-Policy", step #0-0: Assertion "result.headers.Cross-Origin-Embedder-Policy ShouldEqual "require-corp"" failed. expected: require-corp got: (owasp.securityheader.yml:94)
• Cross-Origin-Opener-Policy FAIL
Testcase "Cross-Origin-Opener-Policy", step #0-0: Assertion "result.headers.Cross-Origin-Opener-Policy ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:104)
Testcase "Cross-Origin-Opener-Policy", step #0-0: Assertion "result.headers.Cross-Origin-Opener-Policy ShouldEqual "same-origin"" failed. expected: same-origin got: (owasp.securityheader.yml:105)
• Cross-Origin-Resource-Policy FAIL
Testcase "Cross-Origin-Resource-Policy", step #0-0: Assertion "result.headers.Cross-Origin-Resource-Policy ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:115)
Testcase "Cross-Origin-Resource-Policy", step #0-0: Assertion "result.headers.Cross-Origin-Resource-Policy ShouldEqual "same-origin"" failed. expected: same-origin got: (owasp.securityheader.yml:116)
• Permissions-Policy FAIL
Testcase "Permissions-Policy", step #0-0: Assertion "result.headers.Permissions-Policy ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:126)
Testcase "Permissions-Policy", step #0-0: Assertion "result.headers.Permissions-Policy ShouldEqual "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), unload=()"" failed. expected: accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), unload=() got: (owasp.securityheader.yml:127)
• Cache-Control FAIL
Testcase "Cache-Control", step #0-0: Assertion "result.headers.Cache-Control ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:137)
Testcase "Cache-Control", step #0-0: Assertion "result.headers.Cache-Control ShouldEqual "no-store, max-age=0"" failed. expected: no-store, max-age=0 got: (owasp.securityheader.yml:138)
• Feature-Policy PASS
[info] This header has now been renamed to Permissions-Policy in the specification. (owasp.securityheader.yml:145)
• Public-Key-Pins PASS
[info] This header has been deprecated by all major browsers and is no longer recommended. Avoid using it, and update existing code if possible! (owasp.securityheader.yml:158)
• Expect-CT PASS
[info] This header will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021. (owasp.securityheader.yml:171)
• X-XSS-Protection PASS
[info] The X-XSS-Protection header has been deprecated by modern browsers and its use can introduce additional security issues on the client side. (owasp.securityheader.yml:186)
final status: FAIL

Venom run owasp.org

venom run --var="target_site=https://owasp.org" owasp.securityheader.yml
      [trac] writing venom.12.log

• HTTP security response headers test suites (owasp.securityheader.yml)
• Strict-Transport-Security FAIL
Testcase "Strict-Transport-Security", step #0-0: Assertion "result.headers.Strict-Transport-Security ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:16)
Testcase "Strict-Transport-Security", step #0-0: Assertion "result.headers.Strict-Transport-Security ShouldEqual "max-age=31536000; includeSubDomains"" failed. expected: max-age=31536000; includeSubDomains got: (owasp.securityheader.yml:17)
• X-Frame-Options FAIL
Testcase "X-Frame-Options", step #0-0: Assertion "result.headers.X-Frame-Options ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:27)
Testcase "X-Frame-Options", step #0-0: Assertion "result.headers.X-Frame-Options ShouldBeIn "deny" "DENY"" failed. expected '' in [deny DENY] but it wasnt (owasp.securityheader.yml:28)
• X-Content-Type-Options FAIL
Testcase "X-Content-Type-Options", step #0-0: Assertion "result.headers.X-Content-Type-Options ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:38)
Testcase "X-Content-Type-Options", step #0-0: Assertion "result.headers.X-Content-Type-Options ShouldEqual "nosniff"" failed. expected: nosniff got: (owasp.securityheader.yml:39)
• Content-Security-Policy FAIL
Testcase "Content-Security-Policy", step #0-0: Assertion "result.headers.Content-Security-Policy ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:49)
• X-Permitted-Cross-Domain-Policies FAIL
Testcase "X-Permitted-Cross-Domain-Policies", step #0-0: Assertion "result.headers.X-Permitted-Cross-Domain-Policies ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:60)
Testcase "X-Permitted-Cross-Domain-Policies", step #0-0: Assertion "result.headers.X-Permitted-Cross-Domain-Policies ShouldEqual "none"" failed. expected: none got: (owasp.securityheader.yml:61)
• Referrer-Policy FAIL
Testcase "Referrer-Policy", step #0-0: Assertion "result.headers.Referrer-Policy ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:71)
Testcase "Referrer-Policy", step #0-0: Assertion "result.headers.Referrer-Policy ShouldEqual "no-referrer"" failed. expected: no-referrer got: (owasp.securityheader.yml:72)
• Clear-Site-Data FAIL
Testcase "Clear-Site-Data", step #0-0: Assertion "result.headers.Clear-Site-Data ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:82)
Testcase "Clear-Site-Data", step #0-0: Assertion "result.headers.Clear-Site-Data ShouldEqual '"cache","cookies","storage"'" failed. expected: "cache","cookies","storage" got: (owasp.securityheader.yml:83)
• Cross-Origin-Embedder-Policy FAIL
Testcase "Cross-Origin-Embedder-Policy", step #0-0: Assertion "result.headers.Cross-Origin-Embedder-Policy ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:93)
Testcase "Cross-Origin-Embedder-Policy", step #0-0: Assertion "result.headers.Cross-Origin-Embedder-Policy ShouldEqual "require-corp"" failed. expected: require-corp got: (owasp.securityheader.yml:94)
• Cross-Origin-Opener-Policy FAIL
Testcase "Cross-Origin-Opener-Policy", step #0-0: Assertion "result.headers.Cross-Origin-Opener-Policy ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:104)
Testcase "Cross-Origin-Opener-Policy", step #0-0: Assertion "result.headers.Cross-Origin-Opener-Policy ShouldEqual "same-origin"" failed. expected: same-origin got: (owasp.securityheader.yml:105)
• Cross-Origin-Resource-Policy FAIL
Testcase "Cross-Origin-Resource-Policy", step #0-0: Assertion "result.headers.Cross-Origin-Resource-Policy ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:115)
Testcase "Cross-Origin-Resource-Policy", step #0-0: Assertion "result.headers.Cross-Origin-Resource-Policy ShouldEqual "same-origin"" failed. expected: same-origin got: (owasp.securityheader.yml:116)
• Permissions-Policy FAIL
Testcase "Permissions-Policy", step #0-0: Assertion "result.headers.Permissions-Policy ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:126)
Testcase "Permissions-Policy", step #0-0: Assertion "result.headers.Permissions-Policy ShouldEqual "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), unload=()"" failed. expected: accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), unload=() got: (owasp.securityheader.yml:127)
• Cache-Control FAIL
Testcase "Cache-Control", step #0-0: Assertion "result.headers.Cache-Control ShouldNotBeNil" failed. expected: Not Nil but is was (owasp.securityheader.yml:137)
Testcase "Cache-Control", step #0-0: Assertion "result.headers.Cache-Control ShouldEqual "no-store, max-age=0"" failed. expected: no-store, max-age=0 got: (owasp.securityheader.yml:138)
• Feature-Policy PASS
[info] This header has now been renamed to Permissions-Policy in the specification. (owasp.securityheader.yml:145)
• Public-Key-Pins PASS
[info] This header has been deprecated by all major browsers and is no longer recommended. Avoid using it, and update existing code if possible! (owasp.securityheader.yml:158)
• Expect-CT PASS
[info] This header will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021. (owasp.securityheader.yml:171)
• X-XSS-Protection PASS
[info] The X-XSS-Protection header has been deprecated by modern browsers and its use can introduce additional security issues on the client side. (owasp.securityheader.yml:186)
final status: FAIL

@righettod
Collaborator

righettod commented Dec 5, 2024

You seem to use version 1.1.0 of venom:

image

Made a try with version 1.2.0 via a prior venom update command 😉

Indeed, there is a change in the behavior regarding case with version 1.2.0:

image

@HugoVG
Author

HugoVG commented Dec 5, 2024

That worked. Apparently the install from venom got me the older version.

@HugoVG HugoVG closed this as completed Dec 5, 2024
@righettod
Collaborator

Happy to have helped you 😉

@righettod righettod removed the wait feedback Wait feedback from the opener of the issue label Dec 5, 2024
@righettod righettod moved this from 📋 Backlog to ✅ Done in ⚒ OSHP work follow-up Dec 5, 2024