Friday, December 2, 2022

Web Scraping: Display the Content Security Policy of a Web Page

This simple program is an automation tool intended for large OWASP testing projects. One of the main tasks in an OWASP hardening project is to check every URL on the website (the whole domain) for weaknesses in its Content Security Policy (CSP) implementation. With thousands of web pages, checking each one manually would be far too tedious. Please note that this is only a portion of the project I am working on.

In my program I used DVWA as the test website. I used the selenium-wire library so that I can intercept the CSP header, which is returned in the HTTP response to each URL.

The sample output:


Here is the code:


```python
## Import webdriver from Selenium Wire instead of Selenium
from seleniumwire import webdriver
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.common.by import By
from selenium.webdriver.support import expected_conditions as EC

## Get the URL
driver = webdriver.Chrome()  # make sure chromedriver.exe is in the same directory as this Python program
driver.get("http://localhost/dvwa/login.php")

# find the username field and type the username into it
driver.find_element(by=By.NAME, value="username").send_keys('admin')
# find the password field and type the password into it
driver.find_element(by=By.NAME, value="password").send_keys('test1')
# click the login button
driver.find_element(by=By.NAME, value="Login").click()

# wait until the 'DVWA Security' link is clickable, then open it
WebDriverWait(driver, 20).until(EC.element_to_be_clickable((By.LINK_TEXT, 'DVWA Security'))).click()
# set the security level to low
driver.find_element(by=By.NAME, value="security").send_keys('Low')
# click the submit button
driver.find_element(by=By.NAME, value="seclev_submit").click()

# wait until the 'CSP Bypass' link is clickable, then open it
WebDriverWait(driver, 20).until(EC.element_to_be_clickable((By.LINK_TEXT, 'CSP Bypass'))).click()

## Print the Content-Security-Policy response header of the CSP page
for request in driver.requests:
    if request.url == 'http://localhost/dvwa/vulnerabilities/csp/':
        print(request.url)
        # request.response is None when no response was captured, and the
        # header itself may be absent, so guard both cases instead of crashing
        if request.response is None:
            print('No response captured for this request')
        else:
            csp = request.response.headers.get('Content-Security-Policy', '<not set>')
            print('Content-Security-Policy: ' + csp)  # <-- response header

driver.close()
driver.quit()
```
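As an added example (not part of the original post), here is a small pure-Python checker for the next step of the project: it parses a captured Content-Security-Policy value and flags the weak settings an OWASP review looks for, so the per-URL results of the loop above can be triaged automatically. The sample page list and header strings are constructed for illustration and are not DVWA's real values.

```python
from typing import Dict, List, Optional, Tuple

# Source expressions that make script-related directives ineffective
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:  # skip empty parts such as a trailing ';'
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(header: Optional[str]) -> List[str]:
    """Return a list of findings for one captured CSP value (empty = no issue)."""
    if header is None or not header.strip():
        return ["header missing"]
    policy = parse_csp(header)
    findings: List[str] = []
    # Without script-src and without a default-src fallback, scripts are unrestricted
    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src or default-src; scripts unrestricted")
    for directive in ("default-src", "script-src", "object-src"):
        for src in policy.get(directive, []):
            if src.lower() in WEAK_SOURCES:
                findings.append(f"{directive} allows {src}")
    return findings


def audit_pages(pages: List[Tuple[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Map each URL to its findings; input is (url, captured CSP header) pairs."""
    return {url: audit_csp(header) for url, header in pages}


# Constructed sample: what a crawl of several URLs might have captured
SAMPLE_PAGES: List[Tuple[str, Optional[str]]] = [
    ("http://localhost/app/page1", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("http://localhost/app/page2", "default-src 'none'; script-src 'self'; object-src 'none'"),
    ("http://localhost/app/page3", None),  # page served no CSP header at all
    ("http://localhost/app/page4", "script-src * 'unsafe-eval';"),
]

if __name__ == "__main__":
    for url, findings in audit_pages(SAMPLE_PAGES).items():
        print(url, "->", findings or "OK")
```

Note that a browser supporting nonces or hashes ignores 'unsafe-inline' when one is present in the same directive, so treat that finding as a prompt for manual review rather than a definite weakness.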
