
Detect more auth headers and cookies #380

Open: wants to merge 6 commits into main

Conversation

@hansott (Collaborator) commented Sep 19, 2024

No description provided.

codecov bot commented Sep 19, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅


@@ -36,6 +36,7 @@ const commonAuthCookieNames = [
"auth_token",
"access_token",
"refresh_token",
"ghost-admin-api-session",
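Review bot: the entry `"ghost-admin-api-session"` is a product-specific name (the Ghost admin session cookie) added to a list whose other members (`"auth_token"`, `"access_token"`, `"refresh_token"`) are generic, so a one-line comment above it explaining why it belongs in `commonAuthCookieNames` would keep the list from accumulating unexplained vendor names. The list name and the "contains" suggestion in the thread also imply these names are currently compared exactly, in which case this entry only catches that one spelling; if the list is switched to a substring check as proposed, a test for at least one prefixed or suffixed variant (for example a `__Host-`-prefixed cookie) would make the behaviour change visible.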
Contributor commented:

let's just change these to contains

@hansott changed the title from "Add ghost session cookie" to "Detect more auth headers and cookies" on Sep 20, 2024
…ghost

* 'main' of github.com:AikidoSec/firewall-node: (53 commits)
  Fix path unit tests
  Fix not protecting path functions of different os
  Cleanup
  Extract type
  Update library/helpers/shouldEnableFirewall.ts
  Improve envToBool
  Add AIKIDO_DISABLE and envToBool helper
  Fix ShellJS tests
  Unhook fs functions that are not dangerous
  Increase code coverage
  Add distinct test with safe context
  Add happy path test
  Use separate method for distinct
  Undici/Fetch: Add metadata for SSRF
  Check filter for NoSQL of mongodb distinct
  Add test (no injection)
  Fix NoSQL injection bypass
  Add comment
  Remove lock file, not used (Docker container)
  Move server
  ...
@bitterpanda63 (Collaborator) commented:

We will want to port this to Python as well. I will make a PR once this one gets merged.

Labels
None yet
Projects
None yet

4 participants