Gitea-Insecure cookie configuration
| import requests | |
| import json | |
| from urllib.parse import urljoin | |
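def _mask_secret(secret):
    """Return *secret* with only a short prefix/suffix visible.

    Tokens of 12 characters or fewer are fully masked, otherwise the
    original 8+4 scheme would expose the whole value.
    """
    if not secret:
        return ""
    if len(secret) <= 12:
        return "*" * len(secret)
    return f"{secret[:8]}...{secret[-4:]}"


def _set_cookie_headers(resp):
    """Return every Set-Cookie header of *resp* as a separate string.

    ``resp.headers`` folds repeated headers into one comma-joined value, which
    makes per-cookie attribute parsing ambiguous; the underlying urllib3
    header dict keeps them apart. Falls back to the folded value when the raw
    object is not available (e.g. a cached or mocked response).
    """
    raw_headers = getattr(getattr(resp, "raw", None), "headers", None)
    if raw_headers is not None and hasattr(raw_headers, "getlist"):
        return list(raw_headers.getlist("Set-Cookie"))
    folded = resp.headers.get("Set-Cookie", "")
    return [folded] if folded else []


def _cookie_attributes(set_cookie_headers, name):
    """Parse the attributes of the Set-Cookie header that sets cookie *name*.

    Returns a dict keyed by lower-cased attribute name ("secure", "httponly",
    "samesite", "path", ...) whose values are the attribute value, or None for
    bare flags. Returns an empty dict when no header for *name* is present.
    Matching is done on the header that *starts* with ``name=`` so attributes
    of a different cookie in the same response are never attributed to it.
    """
    prefix = f"{name}="
    for header in set_cookie_headers:
        if not header.lstrip().startswith(prefix):
            continue
        attrs = {}
        for part in header.split(";")[1:]:
            key, _, value = part.strip().partition("=")
            if key:
                attrs[key.lower()] = value or None
        return attrs
    return {}


def _report_cookie(cookie, set_cookie_headers, is_https, critical_names):
    """Print the Secure / HttpOnly / SameSite findings for one cookie.

    Args:
        cookie: an ``http.cookiejar.Cookie`` taken from a response's jar.
        set_cookie_headers: raw Set-Cookie values of the response that set it,
            used as a case-insensitive fallback for attribute detection.
        is_https: whether that response was served over TLS; decides how a
            missing Secure flag is graded.
        critical_names: lower-cased cookie names that get the loud
            session-cookie warnings.
    """
    attrs = _cookie_attributes(set_cookie_headers, cookie.name)
    print(f"\nCookie: {cookie.name}")
    print(f"Domain: {cookie.domain or 'Not specified'}")
    print(f"Path: {cookie.path or '/'}")

    # A browser never sends a Secure cookie over http://, so an instance that
    # is reached over plain http cannot set the flag without breaking login.
    # Only grade its absence as critical when the response came over HTTPS.
    if cookie.secure:
        secure_state = "PRESENT"
    elif is_https:
        secure_state = "MISSING (critical)"
    else:
        secure_state = "MISSING (expected over plain http; re-test over HTTPS)"
    print(f"Secure flag: {secure_state}")

    # http.cookiejar stores HttpOnly/SameSite under the exact spelling the
    # server used, so check the jar first and fall back to the lower-cased
    # raw header attributes.
    http_only = cookie.has_nonstandard_attr("HttpOnly") or "httponly" in attrs
    print(f"HttpOnly flag: {'PRESENT' if http_only else 'MISSING'}")

    # Cookie objects have no ``samesite`` attribute; the value lives in the
    # non-standard attributes (or the raw header).
    samesite = cookie.get_nonstandard_attr("SameSite") or attrs.get("samesite")
    # A missing SameSite is not CSRF by itself (browsers default to Lax, and
    # CSRF defence should come from tokens); report it as a hardening gap.
    print(f"SameSite attribute: {samesite or 'Not specified (browser default applies; CSRF defence must not rely on it)'}")

    if cookie.name.lower() in critical_names:
        if not cookie.secure:
            print("WARNING: Critical session cookie missing Secure flag!")
        if not http_only:
            print("WARNING: Critical session cookie missing HttpOnly flag!")
        if not samesite:
            print("WARNING: Critical session cookie missing SameSite attribute!")


def test_cookie_security(base_url, auth_token=None, *, timeout=10, critical_cookie_names=None):
    """
    Probe a few Gitea endpoints and report the Secure, HttpOnly and SameSite
    attributes of every cookie they set.

    Args:
        base_url: Scheme, host and port of the target, e.g. "https://git.example.com".
        auth_token: Optional value sent verbatim as the Authorization header.
            NOTE(review): no scheme prefix is added here; pass the exact header
            value the server expects (e.g. "token <hex>") — confirm against the
            instance's API docs.
        timeout: Per-request timeout in seconds handed to requests, so an
            unresponsive host cannot hang the run.
        critical_cookie_names: Cookie names (case-insensitive) treated as
            session-bearing and warned about loudly. Defaults to a generic
            list. NOTE(review): the instance's actual session cookie name is
            probably not in the generic list — pass it explicitly.

    Returns:
        None. All findings are printed; nothing is returned for programmatic use.

    Notes:
        - Cookies set on intermediate redirect responses are analysed as well,
          because a login flow commonly sets its session cookie on a 302.
        - The Authorization header is masked in the echoed request so the token
          does not end up in terminal logs or screenshots.
        - Response bodies are printed in full; scrub them before attaching the
          output to a report.
    """
    headers = {"Accept": "application/json"}
    if auth_token:
        headers["Authorization"] = auth_token

    if critical_cookie_names is None:
        critical_cookie_names = ["session", "sessionid", "token", "auth"]
    critical = {name.lower() for name in critical_cookie_names}

    # Endpoints that typically set cookies
    endpoints = [
        "/api/v1/notifications/new",
        "/api/v1/user",
        "/login",
    ]

    print("\n=== Testing Cookie Security ===")
    for endpoint in endpoints:
        try:
            url = urljoin(base_url, endpoint)
            print(f"\nTesting endpoint: {url}")
            response = requests.get(url, headers=headers, timeout=timeout)

            print("\n=== Original Request ===")
            print(f"GET {url}")
            print("Headers:")
            for key, value in headers.items():
                shown = _mask_secret(value) if key.lower() == "authorization" else value
                print(f"{key}: {shown}")

            print("\n=== Server Response ===")
            print(f"Status Code: {response.status_code}")
            print("Headers:")
            for key, value in response.headers.items():
                print(f"{key}: {value}")
            try:
                print(f"Response Body: {json.dumps(response.json(), indent=2)}")
            except ValueError:
                # Not JSON (e.g. the HTML login page); show it raw.
                print(f"Response Body: {response.text}")

            print("\n=== Enhanced Cookie Security Analysis ===")
            # Redirect hops come first so the order matches the wire.
            hops = list(response.history) + [response]
            found_cookie = False
            for hop in hops:
                if not hop.cookies:
                    continue
                found_cookie = True
                if len(hops) > 1:
                    print(f"\n--- Cookies set by {hop.status_code} response for {hop.url} ---")
                raw_set_cookie = _set_cookie_headers(hop)
                is_https = hop.url.lower().startswith("https://")
                for cookie in hop.cookies:
                    _report_cookie(cookie, raw_set_cookie, is_https, critical)
            if not found_cookie:
                print("No cookies found in response")
        except Exception as e:
            # Per-endpoint boundary: one failing endpoint must not abort the rest.
            print(f"Error testing endpoint {endpoint}: {e}")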
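def test_token_validity(base_url, auth_token, *, timeout=10):
    """
    Send the token to a few account endpoints and report whether it grants access.

    Args:
        base_url: Scheme, host and port of the target, e.g. "https://git.example.com".
        auth_token: Value sent verbatim as the Authorization header.
            NOTE(review): no scheme prefix is added; include whatever the
            server expects (e.g. "token <hex>").
        timeout: Per-request timeout in seconds handed to requests.

    Returns:
        None. Results are printed.

    Interpretation of status codes:
        200 -> the token authenticates as some user and can read the endpoint.
        401 -> the credential was not accepted at all.
        403 -> the credential was accepted but lacks permission/scope for this
               endpoint. A leaked token that only yields 403s here is still a
               valid credential and must be rotated.
        anything else is reported as unexpected.

    The body of a 200 response is printed in full; for /api/v1/user/emails
    that is personal data — scrub before sharing the output.
    """
    headers = {
        "Accept": "application/json",
        "Authorization": auth_token,
    }
    endpoints = [
        "/api/v1/user",
        "/api/v1/user/settings",
        "/api/v1/user/emails",
    ]

    print("\n=== Testing Token Validity ===")
    for endpoint in endpoints:
        url = urljoin(base_url, endpoint)
        print(f"\nTesting endpoint: {url}")
        try:
            response = requests.get(url, headers=headers, timeout=timeout)
        except Exception as e:
            # Per-endpoint boundary: keep going after a network/transport error.
            print(f"Error testing endpoint {endpoint}: {e}")
            continue

        print("\n=== Server Response ===")
        print(f"Status Code: {response.status_code}")
        if response.status_code == 200:
            print("WARNING: Token provided access to potentially sensitive endpoint!")
            try:
                print(f"Response: {json.dumps(response.json(), indent=2)}")
            except ValueError:
                print(f"Response: {response.text}")
        elif response.status_code == 401:
            print("Token appears invalid or insufficient for this endpoint")
        elif response.status_code == 403:
            # Distinct from 401: the token is real, just under-scoped for this call.
            print("Token was accepted but lacks permission/scope for this endpoint (still a valid credential)")
        else:
            print(f"Unexpected status code: {response.status_code}")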
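if __name__ == "__main__":
    import os

    # Configuration. Environment variables override the placeholders so a real
    # token never has to be pasted into this file (and committed by accident).
    base_url = os.environ.get("GITEA_URL", "http://GITEA_HOST:3000")
    auth_token = os.environ.get("GITEA_TOKEN", "YOUR_TOKEN")
    # The literal placeholder is not a credential; do not send it to the target.
    if auth_token == "YOUR_TOKEN":
        auth_token = None

    print("=== Enhanced API Security Testing PoC ===")
    print(f"Target: {base_url}")
    if not base_url.lower().startswith("https://"):
        # The Secure attribute cannot be meaningfully evaluated over plain http.
        print("NOTE: target is not HTTPS; a missing Secure flag is expected and is not a finding by itself")

    # Run cookie security tests without token first
    test_cookie_security(base_url)

    # Then test with token if provided
    if auth_token:
        # Never echo the full token; short tokens would otherwise be shown entirely.
        if len(auth_token) > 12:
            shown = f"{auth_token[:8]}...{auth_token[-4:]}"
        else:
            shown = "*" * len(auth_token)
        print(f"\nTesting with Authorization token: {shown}")
        test_token_validity(base_url, auth_token)
        # Authenticated responses may set different cookies than anonymous ones
        test_cookie_security(base_url, auth_token)

    print("\n=== Test Complete ===")
    print("\nRecommendations:")
    print("- Ensure all cookies have Secure flag when using HTTPS")
    print("- Set HttpOnly flag for all session-related cookies")
    print("- Implement SameSite=Lax or Strict for CSRF protection")
    print("- Rotate invalid or test tokens immediately")
    print("- Consider token binding to prevent token reuse")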