Create DetectCSPReportOnlyHeader.bambda

This script checks if the HTTP response contains the "Content-Security-Policy-Report-Only" header, which is used for monitoring CSP violations without enforcing restrictions.
PortSwigger · Dec 18, 2024 · fde5f3e · fde5f3e
1 parent e1154e5
commit fde5f3e
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/Filter/Proxy/HTTP/DetectCSPReportOnlyHeader.bambda b/Filter/Proxy/HTTP/DetectCSPReportOnlyHeader.bambda
@@ -0,0 +1,25 @@
+/**
+ * Bambda Script to Detect "Content-Security-Policy-Report-Only (CSP-RO)" Header in HTTP Response
+ * @author ctflearner
+ * This script checks if the HTTP response contains the "Content-Security-Policy-Report-Only" header, 
+ * which is used for monitoring CSP violations without enforcing restrictions. 
+ * Additionally, it verifies if the header specifies a "report-uri" directive, 
+ * indicating where CSP violation reports are sent.
+ * The script ensures there is a response and scans the headers for these conditions.
+ **/
+
+
+
+return requestResponse.hasResponse() && (
+    // Check for Content-Security-Policy-Report-Only header
+    requestResponse.response().headers().stream()
+        .anyMatch(header -> 
+            header.name().equalsIgnoreCase("Content-Security-Policy-Report-Only")
+        ) &&
+    // Optional: Check if report-uri is specified
+    requestResponse.response().headers().stream()
+        .anyMatch(header -> 
+            header.name().equalsIgnoreCase("Content-Security-Policy-Report-Only") && 
+            header.value().toLowerCase().contains("report-uri")
+        )
+);