Merge pull request #417 from tls-attacker/fix/httpHeaderCaseInsensitivity

ic0ns · web-flow · commit e8f903f7ae29 · 2024-10-09T14:54:27.000+04:00
http parsing is now case-insensitive
diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/HttpHeaderProbe.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/HttpHeaderProbe.java
@@ -110,19 +110,18 @@ protected void mergeData(ServerReport report) {
             for (HttpHeader header : headerList) {
                 if (header.getHeaderName()
                         .getValue()
-                        .toLowerCase()
-                        .equals("strict-transport-security")) {
+                        .equalsIgnoreCase("strict-transport-security")) {
                     supportsHsts = TestResults.TRUE;
                     boolean preload = false;
                     String[] values = header.getHeaderValue().getValue().split(";");
                     for (String value : values) {
-                        if (value.trim().startsWith("preload")) {
+                        if (value.trim().toLowerCase().startsWith("preload")) {
                             preload = true;
                         }
-                        if (value.trim().startsWith("includeSubDomains")) {
+                        if (value.trim().toLowerCase().startsWith("includesubdomains")) {
                             hstsIncludesSubdomains = TestResults.TRUE;
                         }
-                        if (value.trim().startsWith("max-age")) {
+                        if (value.trim().toLowerCase().startsWith("max-age")) {
                             String[] maxAge = value.split("=");
                             if (maxAge.length == 2) {
                                 try {
@@ -138,14 +137,14 @@ protected void mergeData(ServerReport report) {
                     }
                     supportsHstsPreloading = preload == true ? TestResults.TRUE : TestResults.FALSE;
                 }
-                if (header.getHeaderName().getValue().equals("Public-Key-Pins")) {
+                if (header.getHeaderName().getValue().equalsIgnoreCase("Public-Key-Pins")) {
                     supportsHpkp = TestResults.TRUE;
                     String[] values = header.getHeaderValue().getValue().split(";");
                     for (String value : values) {
-                        if (value.trim().startsWith("includeSubDomains")) {
+                        if (value.trim().toLowerCase().startsWith("includesubdomains")) {
                             hpkpIncludesSubdomains = TestResults.TRUE;
                         }
-                        if (value.trim().startsWith("max-age")) {
+                        if (value.trim().toLowerCase().startsWith("max-age")) {
                             String[] maxAge = value.split("=");
                             if (maxAge.length == 2) {
                                 try {
@@ -172,14 +171,16 @@ protected void mergeData(ServerReport report) {
                         }
                     }
                 }
-                if (header.getHeaderName().getValue().equals("Public-Key-Pins-Report-Only")) {
+                if (header.getHeaderName()
+                        .getValue()
+                        .equalsIgnoreCase("Public-Key-Pins-Report-Only")) {
                     supportsHpkpReportOnly = TestResults.TRUE;
                     String[] values = header.getHeaderValue().getValue().split(";");
                     for (String value : values) {
-                        if (value.trim().startsWith("includeSubDomains")) {
+                        if (value.trim().toLowerCase().startsWith("includesubdomains")) {
                             hpkpIncludesSubdomains = TestResults.TRUE;
                         }
-                        if (value.trim().startsWith("max-age")) {
+                        if (value.trim().toLowerCase().startsWith("max-age")) {
                             String[] maxAge = value.split("=");
                             if (maxAge.length == 2) {
                                 try {
@@ -192,7 +193,7 @@ protected void mergeData(ServerReport report) {
                                 hpkpNotParseable = TestResults.FALSE;
                             }
                         }
-                        if (value.trim().startsWith("pin-")) {
+                        if (value.trim().toLowerCase().startsWith("pin-")) {
                             try {
                                 String[] pinString = value.split("=");
                                 HpkpPin pin =
@@ -208,14 +209,15 @@ protected void mergeData(ServerReport report) {
                         }
                     }
                 }
-                if (header.getHeaderName().getValue().equals("Content-Encoding")) {
+                if (header.getHeaderName().getValue().equalsIgnoreCase("Content-Encoding")) {
                     String compressionHeaderValue = header.getHeaderValue().getValue();
                     String[] compressionAlgorithms = {
                         "compress", "deflate", "exi", "gzip", "br", "bzip2", "lzma", "xz"
                     };
                     for (String compression : compressionAlgorithms) {
-                        if (compressionHeaderValue.contains(compression)) {
+                        if (compressionHeaderValue.toLowerCase().contains(compression)) {
                             vulnerableBreach = TestResults.TRUE;
+                            break;
                         }
                     }
                 }

Original file line number	Diff line number	Diff line change
`@@ -110,19 +110,18 @@ protected void mergeData(ServerReport report) {`
`110`	`110`	`for (HttpHeader header : headerList) {`
`111`	`111`	`if (header.getHeaderName()`
`112`	`112`	`.getValue()`
`113`		`- .toLowerCase()`
`114`		`- .equals("strict-transport-security")) {`
	`113`	`+ .equalsIgnoreCase("strict-transport-security")) {`
`115`	`114`	`supportsHsts = TestResults.TRUE;`
`116`	`115`	`boolean preload = false;`
`117`	`116`	`String[] values = header.getHeaderValue().getValue().split(";");`
`118`	`117`	`for (String value : values) {`
`119`		`- if (value.trim().startsWith("preload")) {`
	`118`	`+ if (value.trim().toLowerCase().startsWith("preload")) {`
`120`	`119`	`preload = true;`
`121`	`120`	`}`
`122`		`- if (value.trim().startsWith("includeSubDomains")) {`
	`121`	`+ if (value.trim().toLowerCase().startsWith("includesubdomains")) {`
`123`	`122`	`hstsIncludesSubdomains = TestResults.TRUE;`
`124`	`123`	`}`
`125`		`- if (value.trim().startsWith("max-age")) {`
	`124`	`+ if (value.trim().toLowerCase().startsWith("max-age")) {`
`126`	`125`	`String[] maxAge = value.split("=");`
`127`	`126`	`if (maxAge.length == 2) {`
`128`	`127`	`try {`
`@@ -138,14 +137,14 @@ protected void mergeData(ServerReport report) {`
`138`	`137`	`}`
`139`	`138`	`supportsHstsPreloading = preload == true ? TestResults.TRUE : TestResults.FALSE;`
`140`	`139`	`}`
`141`		`- if (header.getHeaderName().getValue().equals("Public-Key-Pins")) {`
	`140`	`+ if (header.getHeaderName().getValue().equalsIgnoreCase("Public-Key-Pins")) {`
`142`	`141`	`supportsHpkp = TestResults.TRUE;`
`143`	`142`	`String[] values = header.getHeaderValue().getValue().split(";");`
`144`	`143`	`for (String value : values) {`
`145`		`- if (value.trim().startsWith("includeSubDomains")) {`
	`144`	`+ if (value.trim().toLowerCase().startsWith("includesubdomains")) {`
`146`	`145`	`hpkpIncludesSubdomains = TestResults.TRUE;`
`147`	`146`	`}`
`148`		`- if (value.trim().startsWith("max-age")) {`
	`147`	`+ if (value.trim().toLowerCase().startsWith("max-age")) {`
`149`	`148`	`String[] maxAge = value.split("=");`
`150`	`149`	`if (maxAge.length == 2) {`
`151`	`150`	`try {`
`@@ -172,14 +171,16 @@ protected void mergeData(ServerReport report) {`
`172`	`171`	`}`
`173`	`172`	`}`
`174`	`173`	`}`
`175`		`- if (header.getHeaderName().getValue().equals("Public-Key-Pins-Report-Only")) {`
	`174`	`+ if (header.getHeaderName()`
	`175`	`+ .getValue()`
	`176`	`+ .equalsIgnoreCase("Public-Key-Pins-Report-Only")) {`
`176`	`177`	`supportsHpkpReportOnly = TestResults.TRUE;`
`177`	`178`	`String[] values = header.getHeaderValue().getValue().split(";");`
`178`	`179`	`for (String value : values) {`
`179`		`- if (value.trim().startsWith("includeSubDomains")) {`
	`180`	`+ if (value.trim().toLowerCase().startsWith("includesubdomains")) {`
`180`	`181`	`hpkpIncludesSubdomains = TestResults.TRUE;`
`181`	`182`	`}`
`182`		`- if (value.trim().startsWith("max-age")) {`
	`183`	`+ if (value.trim().toLowerCase().startsWith("max-age")) {`
`183`	`184`	`String[] maxAge = value.split("=");`
`184`	`185`	`if (maxAge.length == 2) {`
`185`	`186`	`try {`
`@@ -192,7 +193,7 @@ protected void mergeData(ServerReport report) {`
`192`	`193`	`hpkpNotParseable = TestResults.FALSE;`
`193`	`194`	`}`
`194`	`195`	`}`
`195`		`- if (value.trim().startsWith("pin-")) {`
	`196`	`+ if (value.trim().toLowerCase().startsWith("pin-")) {`
`196`	`197`	`try {`
`197`	`198`	`String[] pinString = value.split("=");`
`198`	`199`	`HpkpPin pin =`
`@@ -208,14 +209,15 @@ protected void mergeData(ServerReport report) {`
`208`	`209`	`}`
`209`	`210`	`}`
`210`	`211`	`}`
`211`		`- if (header.getHeaderName().getValue().equals("Content-Encoding")) {`
	`212`	`+ if (header.getHeaderName().getValue().equalsIgnoreCase("Content-Encoding")) {`
`212`	`213`	`String compressionHeaderValue = header.getHeaderValue().getValue();`
`213`	`214`	`String[] compressionAlgorithms = {`
`214`	`215`	`"compress", "deflate", "exi", "gzip", "br", "bzip2", "lzma", "xz"`
`215`	`216`	`};`
`216`	`217`	`for (String compression : compressionAlgorithms) {`
`217`		`- if (compressionHeaderValue.contains(compression)) {`
	`218`	`+ if (compressionHeaderValue.toLowerCase().contains(compression)) {`
`218`	`219`	`vulnerableBreach = TestResults.TRUE;`
	`220`	`+ break;`
`219`	`221`	`}`
`220`	`222`	`}`
`221`	`223`	`}`