import sys
from http.cookies import SimpleCookie
# Python3 script performing validation on the cookies present in an HTTP response.
# Expects a complete HTTP response (headers + body) to be passed on stdin, e.g.:
# curl -ski https://www.myapp.com | python3 validate_cookie_properties.py
# Note: curl's -k disables TLS certificate verification; drop it unless the target uses
# a certificate the local trust store cannot verify (e.g. a self-signed test host).
# Exit code is 1 when at least one cookie fails a check, 0 otherwise (including when
# no Set-Cookie header is found at all).
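def extract_cookies(response_content):
    """Parse every Set-Cookie / Set-Cookie2 header found in a raw HTTP response.

    Args:
        response_content: the full response text (status line, headers and
            body) as produced by ``curl -i``. LF and CRLF line endings are
            both accepted.

    Returns:
        A list with one ``SimpleCookie`` per matching header line, in the
        order the headers appear. A value that SimpleCookie cannot parse
        typically yields an empty SimpleCookie (no morsel) and is therefore
        never validated, so a cookie count lower than expected is suspicious.

    Raises:
        http.cookies.CookieError: SimpleCookie can raise it on an illegal
            cookie name. Deliberately not caught: a parser failure should
            abort the run rather than let the check pass silently.

    Note:
        The header/body boundary is not tracked, so a body line that happens
        to start with ``set-cookie:`` would be collected as well.
    """
    cookies_collection = []
    for line in response_content.splitlines():
        # Header names are case-insensitive (HTTP/2 emits them lowercase);
        # Set-Cookie2 (RFC 2965) is obsolete but still accepted here.
        if not line.lower().startswith(("set-cookie:", "set-cookie2:")):
            continue
        # Take everything after the first ':'. The previous fixed-width slice
        # (line[12:] / line[13:]) skipped one character past the colon, which
        # ate the first character of the cookie name whenever the header was
        # written without a space after the colon.
        header_value = line.partition(":")[2].strip()
        cookie = SimpleCookie()
        cookie.load(header_value)
        cookies_collection.append(cookie)
    return cookies_collection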
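def validate_cookies(cookies_collection):
    """Check that every cookie carries the expected hardening attributes.

    For each morsel the following must hold; otherwise a message naming the
    cookie is printed to stdout and the failure is recorded:
      * ``Secure`` is present;
      * ``HttpOnly`` is present;
      * ``SameSite`` is present and equals ``Strict`` or ``Lax``
        (case-insensitive). ``SameSite=None`` is reported as insecure: it
        opts the cookie into cross-site requests, so it should only be set
        deliberately, and browsers additionally require ``Secure`` with it.

    Morsel gained the ``samesite`` attribute in Python 3.8; on older
    interpreters it is reported as missing for every cookie.

    Args:
        cookies_collection: iterable of ``SimpleCookie`` objects, as returned
            by ``extract_cookies``.

    Returns:
        True if at least one issue was printed, False otherwise (an empty
        collection yields False).
    """
    issue_detected = False
    for cookie in cookies_collection:
        for cookie_name, morsel in cookie.items():
            # A Morsel holds "" for an attribute that was not set and True
            # for a flag that was; direct lookups replace the original scan
            # over every reserved key.
            if not morsel.get("secure"):
                print(
                    f"Cookie '{cookie_name}' do not have the 'Secure' attribute defined.")
                issue_detected = True
            if not morsel.get("httponly"):
                print(
                    f"Cookie '{cookie_name}' do not have the 'HttpOnly' attribute defined.")
                issue_detected = True
            samesite = morsel.get("samesite", "")
            if samesite.lower() not in ("strict", "lax"):
                if not samesite:
                    print(
                        f"Cookie '{cookie_name}' do not have the 'SameSite' attribute defined.")
                else:
                    # Message fixed: the original read "do not have ...
                    # insecurely defined" for an attribute that IS present.
                    print(
                        f"Cookie '{cookie_name}' has the 'SameSite' attribute insecurely defined (value set to '{samesite}').")
                issue_detected = True
    return issue_detected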
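if __name__ == "__main__":
    return_code = 0
    # Read the whole response verbatim. The previous "\n".join(sys.stdin)
    # appended a newline after every line that already carried one, doubling
    # every line break in the buffer.
    response_text = sys.stdin.read()
    if response_text:
        cookies = extract_cookies(response_text)
        if cookies:
            if validate_cookies(cookies):
                return_code = 1
        else:
            # A response without any Set-Cookie header is treated as a pass
            # (exit 0). Say so on stderr so that e.g. a wrong URL, a redirect
            # to an error page or a curl run without -i does not look like a
            # clean result.
            print("No Set-Cookie header found in the input.", file=sys.stderr)
    # 1 when at least one cookie failed a check, 0 otherwise, so the script
    # can gate a pipeline.
    sys.exit(return_code)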