From 76a5d38ec353ceef7489b68414be0f5780d559ec Mon Sep 17 00:00:00 2001
From: ctflearner <98345027+ctflearner@users.noreply.github.com>
Date: Wed, 18 Dec 2024 22:46:32 +0530
Subject: [PATCH 1/2] Create DetectWeakReferrerPolicy.bambda
It ensures there is a response and scans the headers for either the absence of the Referrer-Policy header or the presence of policies that may expose sensitive referrer information.
---
 .../HTTP/DetectWeakReferrerPolicy.bambda | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 Filter/Proxy/HTTP/DetectWeakReferrerPolicy.bambda
diff --git a/Filter/Proxy/HTTP/DetectWeakReferrerPolicy.bambda b/Filter/Proxy/HTTP/DetectWeakReferrerPolicy.bambda
new file mode 100644
index 0000000..b9a1e9c
--- /dev/null
+++ b/Filter/Proxy/HTTP/DetectWeakReferrerPolicy.bambda
@@ -0,0 +1,24 @@
+/**
+ * Bambda Script to Detect "Weak or Missing Referrer-Policy" Header in HTTP Response
+ * @author ctflearner
+ * This script checks if the HTTP response lacks the "Referrer-Policy" header or uses a weak policy,
+ * such as "no-referrer-when-downgrade" or "unsafe-url".
+ * It ensures there is a response and scans the headers for either the absence of the Referrer-Policy header
+ * or the presence of policies that may expose sensitive referrer information.
+ **/
+
+
+return requestResponse.hasResponse() && (
+ // No Referrer-Policy header
+ requestResponse.response().headers().stream()
+ .noneMatch(header -> header.name().equalsIgnoreCase("Referrer-Policy")) ||
+
+ // Check for potentially weak referrer policies
+ requestResponse.response().headers().stream()
+ .filter(header -> header.name().equalsIgnoreCase("Referrer-Policy"))
+ .anyMatch(header -> {
+ String value = header.value().toLowerCase().trim();
+ return value.equals("no-referrer-when-downgrade") ||
+ value.equals("unsafe-url");
+ })
+);
From b97740b410efe2498ba5246b8f0a2b7c51cb4f7a Mon Sep 17 00:00:00 2001
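Review bot: The weak-policy test inside `.anyMatch(...)` compares the whole header value with `equals`, but Referrer-Policy is a comma-separated fallback list in which the last token the browser recognises takes effect, so a response sending `Referrer-Policy: no-referrer, unsafe-url` is effectively `unsafe-url` yet is not flagged. Splitting the value and judging the final token is a close approximation of that rule: `String[] tokens = value.split(","); String effective = tokens[tokens.length - 1].trim(); return effective.equals("no-referrer-when-downgrade") || effective.equals("unsafe-url");`. The same whole-value comparison is carried over unchanged into the second patch's `hasWeakPolicy` stream and `headerValue` checks, so the fix belongs there as well. The header comment should also state that a missing header is only a candidate finding, since a page can set its policy through a `<meta name="referrer">` tag or per-element `referrerpolicy` attribute that this header-only filter cannot see.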
From: ctflearner <98345027+ctflearner@users.noreply.github.com>
Date: Thu, 2 Jan 2025 20:35:16 +0530
Subject: [PATCH 2/2] Update DetectWeakReferrerPolicy.bambda
---
 .../HTTP/DetectWeakReferrerPolicy.bambda | 35 ++++++++++++-------
 1 file changed, 22 insertions(+), 13 deletions(-)
diff --git a/Filter/Proxy/HTTP/DetectWeakReferrerPolicy.bambda b/Filter/Proxy/HTTP/DetectWeakReferrerPolicy.bambda
index b9a1e9c..cc20052 100644
--- a/Filter/Proxy/HTTP/DetectWeakReferrerPolicy.bambda
+++ b/Filter/Proxy/HTTP/DetectWeakReferrerPolicy.bambda
@@ -8,17 +8,26 @@
 **/
-return requestResponse.hasResponse() && (
- // No Referrer-Policy header
- requestResponse.response().headers().stream()
- .noneMatch(header -> header.name().equalsIgnoreCase("Referrer-Policy")) ||
-
- // Check for potentially weak referrer policies
- requestResponse.response().headers().stream()
- .filter(header -> header.name().equalsIgnoreCase("Referrer-Policy"))
- .anyMatch(header -> {
- String value = header.value().toLowerCase().trim();
- return value.equals("no-referrer-when-downgrade") ||
- value.equals("unsafe-url");
- })
+if (!requestResponse.hasResponse()) {
+ return false;
+}
+
+Optional referrerPolicyHeader = Optional.ofNullable(
+ requestResponse.response().header("Referrer-Policy")
 );
+
+if (referrerPolicyHeader.isEmpty()) {
+ return true;
+}
+
+String headerValue = referrerPolicyHeader.get().value().toLowerCase(Locale.US).trim();
+
+// Check for weak referrer policies using a stream
+boolean hasWeakPolicy = requestResponse.response().headers().stream()
+ .filter(header -> header.name().equalsIgnoreCase("Referrer-Policy"))
+ .anyMatch(header -> {
+ String value = header.value().toLowerCase(Locale.US).trim(); // Include Locale for toLowerCase()
+ return value.equals("no-referrer-when-downgrade") || value.equals("unsafe-url");
+ });
+
+return headerValue.equals("no-referrer-when-downgrade") || headerValue.equals("unsafe-url") || hasWeakPolicy;
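Review bot: `Optional referrerPolicyHeader` is declared as a raw type, so `referrerPolicyHeader.get()` is typed `Object` and the `.value()` call on the `String headerValue` line does not compile as plain Java; the Optional also buys nothing here because its only job is a null check. Local type inference removes both the raw type and the `Optional.get()` pattern: `var referrerPolicyHeader = requestResponse.response().header("Referrer-Policy"); if (referrerPolicyHeader == null) { return true; }` — this assumes `header(...)` yields null for an absent header, which the `Optional.ofNullable` wrapper already presumes. The `headerValue` variable and its two `equals` checks in the final `return` duplicate what the `hasWeakPolicy` stream already computes over every Referrer-Policy header, so `return hasWeakPolicy;` is sufficient and also covers responses that carry the header more than once. The trailing `// Include Locale for toLowerCase()` comment restates the code; `// Locale.US keeps lowercasing independent of the JVM default locale` says what it guards against.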