False positives because of 200 status code #3

Open
irsdl opened this issue Apr 24, 2024 · 0 comments

irsdl commented Apr 24, 2024

I have a page for authentication that takes a JWT string. If the JWT is valid, it generates a UUID and redirects me to another page where the UUID is used to log me in, returning a 30x status code. However, if the JWT is invalid, it returns a 200 OK status code along with a message in HTML.

This extension doesn't handle the expected redirect for valid requests properly. Instead, it treats the 200 OK response for invalid JWTs as if it were a valid response. This causes numerous false-positive issues. I believe the extension should check whether the current JWT request is valid before determining the response's validity. It could ask users or give us two options, for example:

  • Scanning with a valid JWT
  • Scanning with an invalid JWT

I think in the future a config panel with profile conditions of what should count as valid for a specific path and target is the best solution.
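The classification logic the report asks for, as an added example that is not part of the issue or of the extension's own code: instead of treating any 200 OK as success, the scanner records one baseline response with a known-valid JWT and one with a known-invalid JWT (the two "profiles" suggested above), masks per-request values such as the UUID in the redirect, and classifies later responses against those fingerprints. The endpoint behaviour, the `/session?id=` redirect path and the sample responses are all constructed for the example; the `naive_is_valid` rule stands in for the status-only check that produces the false positives.

```python
"""Baseline-driven validity oracle for an authentication endpoint.

Constructed behaviour, modelled on the report:
  * a valid JWT   -> 30x redirect to a page carrying a fresh UUID
  * an invalid JWT -> 200 OK with an HTML error message
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4122 textual UUID; masked so two valid responses compare equal.
UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)
WS_RE = re.compile(r"\s+")


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str]  # Location header, None when there is no redirect
    body: str


def fingerprint(resp: Response) -> tuple:
    """Reduce a response to the features that separate 'logged in' from 'rejected':
    status class, redirect target with per-request values masked, normalised body."""
    loc = UUID_RE.sub("<uuid>", resp.location) if resp.location else None
    body = WS_RE.sub(" ", UUID_RE.sub("<uuid>", resp.body)).strip().lower()
    return (resp.status // 100, loc, body)


def naive_is_valid(resp: Response) -> bool:
    """The status-only rule the report complains about: 200 OK means success."""
    return resp.status == 200


class ValidityOracle:
    """Classifies responses by comparing them to two recorded baselines."""

    def __init__(self, valid_baseline: Response, invalid_baseline: Response):
        self.valid_fp = fingerprint(valid_baseline)
        self.invalid_fp = fingerprint(invalid_baseline)
        # If both profiles look the same there is no oracle at all; refuse to guess.
        if self.valid_fp == self.invalid_fp:
            raise ValueError("valid and invalid baselines are indistinguishable")

    def classify(self, resp: Response) -> str:
        fp = fingerprint(resp)
        if fp == self.valid_fp:
            return "accepted"
        if fp == self.invalid_fp:
            return "rejected"
        # Neither baseline matched (e.g. a 500): surface it rather than call it a finding.
        return "unknown"


# Constructed sample responses, one per profile.
VALID_BASELINE = Response(302, "/session?id=1b4e28ba-2fa1-11d2-883f-0016d3cca427", "")
INVALID_BASELINE = Response(200, None, "<html><body>Invalid token</body></html>")


def demo() -> dict:
    """Return {probe name: (naive verdict, oracle verdict)} for three constructed probes."""
    oracle = ValidityOracle(VALID_BASELINE, INVALID_BASELINE)
    probes = {
        "tampered": Response(200, None, "<html><body>Invalid token</body></html>"),
        "genuine": Response(302, "/session?id=9c858901-8a57-4791-81fe-4c455b099bc9", ""),
        "crash": Response(500, None, "Internal Server Error"),
    }
    return {name: (naive_is_valid(r), oracle.classify(r)) for name, r in probes.items()}


if __name__ == "__main__":
    for name, (naive, verdict) in demo().items():
        print(f"{name:9s} naive={'valid' if naive else 'invalid':8s} oracle={verdict}")
```

The "tampered" probe is exactly the false positive from the report: the naive rule calls it valid because of the 200, while the oracle matches it to the invalid-JWT baseline. Masking the UUID in the redirect is what lets the "genuine" probe match the valid baseline even though every successful login carries a different value; a per-path profile would just be a different pair of baselines and masking rules.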