Silencing the Collective Groan

Security headers. Everyone’s encountered them. Security testers find them on every web application test, and identifying these weaknesses, which usually have low impact and a low probability of exploitation, can be tedious work. Vendors find them on reports, and they sink down the list of priorities. No one likes finding security header misconfigurations.

If you expected the next sentence to be, “But now there is Yasha and it will all be unicorns and rainbows!”: no, Yasha is not going to solve all these things. But it can make things easier.

Yasha is a new tool I’ve written that helps with more contextual and accurate testing of headers.

A lot of security header scanners simply take into account a single web page, but that’s rarely enough to get a full picture for all the headers across entire web applications. The other option is for testers to filter and trawl through all their requests or make a best-effort attempt: a time-consuming exercise in tedium!

But there are other ways, and Yasha is one of those.

Enter Yasha

Technically, all the information we need to analyse headers is in Burp (you are using Burp for web application testing, right?). By the end of an engagement, the proxy history should have a very representative sample of requests and responses.

This is how Yasha works: it reads that history and analyses it to find security header misconfigurations. In some cases it cannot decide on its own and needs a human: deciding which URLs need no-caching directives, for example, or evaluating complex Content-Security-Policy headers. For those, Yasha produces output that supports the manual analysis.

It also helps with reporting. It groups output by base URLs and emits colour-coded output for screenshots. But more importantly, it uses a Markdown file as a source and filters out the irrelevant bits before outputting it as copy-and-paste-ready HTML for pasting into all sorts of editors.
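To make the history-driven approach concrete, here is an added example (not Yasha's code, and not from the post) that walks a set of responses in the layout of Burp's "Save items" XML export, an assumed input format with one base64-encoded response per `<item>`, decides which headers each response should carry from its scheme and content type rather than from a single page, groups the missing ones by base URL, and separately lists HTML responses whose caching directives need a human decision. A second function filters a Markdown report template down to the sections that apply. The sample responses and the template are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample responses keyed by URL; not real traffic.
_RESPONSES = {
    "https://app.example.test/login": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
        "Strict-Transport-Security: max-age=31536000\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "Content-Security-Policy: default-src 'self'\r\n"
        "Cache-Control: no-store\r\n\r\n<html>login</html>"
    ),
    "https://app.example.test/account": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Strict-Transport-Security: max-age=31536000\r\n\r\n<html>account</html>"
    ),
    "https://static.example.test/app.js": (
        "HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\nconsole.log(1)"
    ),
}

def _item(url, raw):
    b64 = base64.b64encode(raw.encode()).decode()
    return f'<item><url>{url}</url><response base64="true">{b64}</response></item>'

# Assumed layout of Burp's "Save items" export: <items> holding one <item> per
# request/response pair, the response body base64-encoded (constructed here).
SAMPLE_EXPORT = "<items>" + "".join(_item(u, r) for u, r in _RESPONSES.items()) + "</items>"

# Constructed Markdown report source: one '## <header>' section per header.
REPORT_TEMPLATE = """## Strict-Transport-Security
Enforces HTTPS for returning visitors.
## X-Frame-Options
Prevents framing where the CSP has no frame-ancestors directive.
## Referrer-Policy
Limits referrer leakage.
"""

def parse_export(xml_text):
    """Yield (url, raw_response) pairs from the export, decoding base64 bodies."""
    for item in ET.fromstring(xml_text).iter("item"):
        resp = item.find("response")
        raw = resp.text or ""
        if resp.get("base64") == "true":
            raw = base64.b64decode(raw).decode("latin-1")
        yield item.findtext("url"), raw

def parse_headers(raw):
    """Split a raw HTTP response into (status_code, {lowercased name: [values]})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def analyse(xml_text):
    """Return (findings, review): missing headers and caching decisions per base URL."""
    findings = defaultdict(lambda: defaultdict(set))
    review = defaultdict(set)
    for url, raw in parse_export(xml_text):
        parts = urlsplit(url)
        base = f"{parts.scheme}://{parts.netloc}"
        _status, headers = parse_headers(raw)
        ctype = headers.get("content-type", [""])[0].split(";")[0].strip().lower()
        is_html = ctype == "text/html"
        csp = " ".join(headers.get("content-security-policy", []))
        # What this response should carry, judged from scheme and content type.
        required = {
            "strict-transport-security": parts.scheme == "https",
            "x-content-type-options": True,
            "content-security-policy": is_html,
            "x-frame-options": is_html and "frame-ancestors" not in csp,
        }
        for name, needed in required.items():
            if needed and name not in headers:
                findings[base][name].add(parts.path)
        xcto = headers.get("x-content-type-options", [])
        if xcto and xcto[0].lower() != "nosniff":
            findings[base]["x-content-type-options"].add(parts.path)
        # Caching is a per-URL human decision: list HTML without no-store for review.
        if is_html and not any("no-store" in v.lower() for v in headers.get("cache-control", [])):
            review[base].add(parts.path)
    return (
        {b: {h: sorted(p) for h, p in hs.items()} for b, hs in findings.items()},
        {b: sorted(p) for b, p in review.items()},
    )

def filter_markdown(template, findings):
    """Keep only the '## <header>' sections for headers missing somewhere in the history."""
    present = {h for hs in findings.values() for h in hs}
    kept, keep = [], False
    for line in template.splitlines():
        if line.startswith("## "):
            keep = line[3:].strip().lower() in present
        if keep:
            kept.append(line)
    return "\n".join(kept)

if __name__ == "__main__":
    found, to_review = analyse(SAMPLE_EXPORT)
    for base, missing in found.items():
        print(base)
        for header, paths in missing.items():
            print(f"  missing {header}: {', '.join(paths)}")
    print("needs a caching decision:", to_review)
    print(filter_markdown(REPORT_TEMPLATE, found))
```

Grouping by base URL is what turns a pile of per-response observations into something reportable: the same missing header across twenty paths on one host is one finding, and a static host that never serves HTML is correctly not asked for a CSP.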

All this should make for an easier time with testing and reporting security header misconfigurations with the added bonus of increasing accuracy.

Caveat Emptor

Yasha was a tool that I used myself to help with testing, and that I offered to fellow testers with the important caveat that it had not hit version 1.0 yet. The thing is, I haven’t encountered every security header, and there are a lot of new scenarios that warrant expanding the code and checks.

That hasn’t changed, and while it is being released now, the hope is that wider usage will help fine-tune and improve its accuracy across a wide range of use cases. So if you would like to use Yasha, I would recommend ensuring you turn on JSON logging with the command-line flag, and double-checking the analysis by using Burp’s history with filters or Bambdas.

At any rate, I hope the tool proves useful, takes some of the tedium out of header testing, and improves accuracy across entire web applications.

You can find Yasha at the link below.