Web Application Security

creating an open web application security home
Garmr Update

January 5th, 2012 by Frederik Braun

As a part of my internship here at Mozilla, I have continued work on Garmr.
Garmr is a Python script that performs basic web security checks in accordance with our Secure Coding Guidelines for web applications.
I have implemented the following (very basic) components:
  • a class for test results based on HTML content
  • detection of inline JavaScript, which a Content Security Policy (CSP) will block unless inline script is explicitly allowed, so it has to be found and moved out before switching to CSP
  • a check for mixed content (http:// subresources loaded by an https:// page)
Additional work has gone into the scanning engine itself: cookie support has been added, and a test can now name a specific successor test depending on its own outcome. This allows stateful analyses that need more than one request, such as the HTTP header checks for Content Security Policy (CSP) and Strict Transport Security. In addition to these changes, a few minor bugs have been fixed (and probably a few introduced).
A long-term goal is for the tool to be run regularly as part of the Mozilla WebQA team's Continuous Integration process. One way it would be used is for web developers to build their own application-specific test cases on top of Garmr. To support this, the code has been slightly modified to work with older Python versions.
Although the tool is mainly used for our internal security-focused QA, feature requests are as welcome as any other kind of feedback on GitHub!
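To make the checks listed above concrete, here is a small stand-alone Python script that implements minimal versions of them: inline-JavaScript detection (script bodies, on* handler attributes and javascript: URLs), a mixed-content check for http:// subresources, and the CSP and HSTS header checks, with the "https first, then its successors" gating standing in for Garmr's successor-test mechanism. This is an added example written for this page, not Garmr's own code; the example.test hosts, the sample response and all function names are assumptions made for the illustration.

```python
"""Added example, not Garmr's own code: minimal versions of the checks described
in the post (inline JavaScript, mixed content, CSP and HSTS headers), run offline
over a constructed response. The example.test hosts and all names are
assumptions made for this illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attribute that names the subresource a tag loads (assumed minimal list).
SUBRESOURCE_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class _Collector(HTMLParser):
    """Collect inline script and http:// subresources, with the line each sits on."""

    def __init__(self):
        super().__init__()
        self.inline_scripts = []      # (line, reason)
        self.http_subresources = []   # (line, url)
        self._pending_script = None   # (line, saw_code) for an open <script> without src

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line, _ = self.getpos()
        if tag == "script" and "src" not in attrs:
            self._pending_script = (line, False)
        for name, value in attrs.items():
            # Event-handler attributes and javascript: URLs are inline script as well;
            # a CSP without 'unsafe-inline' blocks all three forms.
            if name.startswith("on"):
                self.inline_scripts.append((line, f"<{tag} {name}=...> handler"))
            elif value and value.strip().lower().startswith("javascript:"):
                self.inline_scripts.append((line, f"<{tag} {name}=javascript:...> URL"))
        attr = SUBRESOURCE_ATTR.get(tag)
        url = attrs.get(attr) if attr else None
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            url = None  # only rel=stylesheet links fetch a subresource
        if url and urlsplit(url).scheme == "http":
            self.http_subresources.append((line, url))

    def handle_data(self, data):
        if self._pending_script and data.strip():
            self._pending_script = (self._pending_script[0], True)

    def handle_endtag(self, tag):
        if tag == "script":
            if self._pending_script and self._pending_script[1]:
                self.inline_scripts.append((self._pending_script[0], "inline <script> body"))
            self._pending_script = None


def check_headers(headers, over_tls):
    """Header checks; the HSTS check only makes sense for a response fetched over https."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy header")
    if over_tls:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("missing Strict-Transport-Security header on https response")
        elif not re.search(r"max-age=\d+", hsts, re.IGNORECASE):
            findings.append("Strict-Transport-Security header has no max-age directive")
    return findings


def scan(url, headers, body):
    """Run all checks on one response. The https test gates its successors: the
    mixed-content and HSTS checks are skipped on a plain-http page, where they
    would only produce noise."""
    over_tls = urlsplit(url).scheme == "https"
    collector = _Collector()
    collector.feed(body)
    collector.close()
    skipped = [] if over_tls else ["page not served over https: mixed-content and HSTS checks skipped"]
    return {
        "inline_script": collector.inline_scripts,
        "mixed_content": collector.http_subresources if over_tls else [],
        "headers": check_headers(headers, over_tls),
        "skipped": skipped,
    }


# Constructed sample response (not captured from any real site).
SAMPLE_URL = "https://app.example.test/"
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE_BODY = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/app.css">
<script src="https://app.example.test/app.js"></script>
<script>var x = 1;</script>
</head><body>
<img src="http://images.example.test/logo.png">
<a href="javascript:void(0)" onclick="go()">go</a>
</body></html>"""

if __name__ == "__main__":
    for kind, items in scan(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY).items():
        for item in items:
            print(kind, item)
```

Run against the constructed sample, the script reports the inline `<script>` body on line 5, the javascript: URL and onclick handler on line 8, the two http:// subresources, and the two missing headers. A real scanner would fetch the page with cookies preserved across requests, as the post describes, and feed the live response into `scan` instead of the embedded sample.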

Posted in Automated Testing    1 Comment

One Response to “Garmr Update”

  1. on 05 Jan 2012 at 7:32 pm   geeknik

    Cool, keep up the great work! Just need to get the security team to fix the SSL/TLS issues on all of the https sites. =)