{"id":246,"date":"2012-01-05T15:56:28","date_gmt":"2012-01-05T23:56:28","guid":{"rendered":"http:\/\/blog.mozilla.org\/webappsec\/?p=246"},"modified":"2012-01-05T15:56:28","modified_gmt":"2012-01-05T23:56:28","slug":"garmr-update","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2012\/01\/05\/garmr-update\/","title":{"rendered":"Garmr Update"},"content":{"rendered":"<div id=\"magicdomid3\">As part of my internship here at Mozilla, I have continued work on <a title=\"freddyb's branch\" href=\"https:\/\/github.com\/freddyb\/Garmr\">Garmr<\/a>.<\/div>\n<div id=\"magicdomid5\">Garmr is a Python script that performs <strong>basic web security checks<\/strong> in accordance with our <a href=\"https:\/\/wiki.mozilla.org\/WebAppSec\/Secure_Coding_Guidelines\">Secure Coding Guidelines<\/a> for web applications.<\/div>\n<div id=\"magicdomid7\">I have implemented the following (very basic) components:<\/div>\n<div id=\"magicdomid8\">\n<ul>\n<li>A class for <strong>test results based on HTML content<\/strong><\/li>\n<\/ul>\n<\/div>\n<div id=\"magicdomid9\">\n<ul>\n<li><strong>Detect inline JavaScript<\/strong>, which is undesirable when switching to Content Security Policy (CSP)<\/li>\n<\/ul>\n<\/div>\n<div id=\"magicdomid10\">\n<ul>\n<li>Check for <strong>mixed content<\/strong><\/li>\n<\/ul>\n<\/div>\n<div id=\"magicdomid13\">Additional work has been put into the scanning engine itself, where <strong>cookie support<\/strong> and the ability of a test to call for a specific successor test depending on its outcome have been implemented. 
This allows <strong>stateful analysis<\/strong> that requires more than one request, such as the HTTP header <strong>checks for Content Security Policy (CSP) and Strict Transport Security<\/strong>. In addition to these changes, a few minor bugs have been fixed (and probably introduced).<\/div>\n<div>A long-term goal of this tool is to be used regularly in the <strong>Continuous Integration<\/strong> process of the Mozilla WebQA team. An example of how this tool would be used is having web developers build their own application-specific test cases with Garmr. To support this, the code has been slightly modified to work with earlier Python versions.<\/div>\n<div id=\"magicdomid18\">Although the tool is mainly used for our internal security-focused QA, we appreciate feature requests as much as any other type of feedback on <a href=\"https:\/\/github.com\/freddyb\/Garmr\">Github<\/a>!<\/div>\n","protected":false},"excerpt":{"rendered":"<p>As part of my internship here at Mozilla, I have continued work on Garmr. 
Garmr is a Python script that performs basic web security checks in accordance with our &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2012\/01\/05\/garmr-update\/\">Read more<\/a><\/p>\n","protected":false},"author":405,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8630],"tags":[],"coauthors":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Garmr Update - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2012\/01\/05\/garmr-update\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Frederik Braun\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2012\/01\/05\/garmr-update\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2012\/01\/05\/garmr-update\/\",\"name\":\"Garmr Update - Mozilla Security 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2012-01-05T23:56:28+00:00\",\"dateModified\":\"2012-01-05T23:56:28+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/9a9b6565cbac3c698b84dbd7447e438f\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2012\/01\/05\/garmr-update\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2012\/01\/05\/garmr-update\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2012\/01\/05\/garmr-update\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Garmr Update\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/9a9b6565cbac3c698b84dbd7447e438f\",\"name\":\"Frederik Braun\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/f188d5ece9062fd6ec08fbeb06809792\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/1f41f3ef916e1c1fc9401cf3212a6708?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/1f41f3ef916e1c1fc9401cf3212a6708?s=96&d=identicon&r=g\",\"caption\":\"Frederik Braun\"},\"description\":\"Frederik Braun defends Mozilla Firefox as a Staff Security Engineer in Berlin. 
He's also a member of the W3C Web Application Security Working Group and co-authored the Subresource Integrity standard.\",\"sameAs\":[\"https:\/\/frederik-braun.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Garmr Update - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2012\/01\/05\/garmr-update\/","twitter_misc":{"Written by":"Frederik Braun","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2012\/01\/05\/garmr-update\/","url":"https:\/\/blog.mozilla.org\/security\/2012\/01\/05\/garmr-update\/","name":"Garmr Update - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2012-01-05T23:56:28+00:00","dateModified":"2012-01-05T23:56:28+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/9a9b6565cbac3c698b84dbd7447e438f"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2012\/01\/05\/garmr-update\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2012\/01\/05\/garmr-update\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2012\/01\/05\/garmr-update\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Garmr Update"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security 
Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/9a9b6565cbac3c698b84dbd7447e438f","name":"Frederik Braun","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/f188d5ece9062fd6ec08fbeb06809792","url":"https:\/\/secure.gravatar.com\/avatar\/1f41f3ef916e1c1fc9401cf3212a6708?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/1f41f3ef916e1c1fc9401cf3212a6708?s=96&d=identicon&r=g","caption":"Frederik Braun"},"description":"Frederik Braun defends Mozilla Firefox as a Staff Security Engineer in Berlin. He's also a member of the W3C Web Application Security Working Group and co-authored the Subresource Integrity standard.","sameAs":["https:\/\/frederik-braun.com"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/246"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/405"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=246"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/246\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=246"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=246"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags
?post=246"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=246"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}