Add fetch.header sink

[TAI-ing]

A new sink fetch.header (similar to fetch.url and fetch.body) would widen the possibilities to detect request hijacking.

Currently Foxhound doesn't recognize a possible request manipulation on the following page:

<html lang="en">

<head>
    <meta charset="UTF-8">
    <title>Request Hijacking Vulnerability</title>
</head>

<body>
    <script>
        let payload = decodeURIComponent(location.hash.substring(1));

        fetch('http://localhost:8000', {
            headers: {
                'Content-Type': 'application/json',
                // use payload as header value
                'Auth': payload
            }
        })
            .then(response => response.text())
            .then(data => {
                console.log('Response:', data);
            })
            .catch(error => {
                console.error('Error:', error);
            });

    </script>
</body>

</html>

[leeN]

Can you add test cases for the failing features? I'll happily look into this, but having failing tests would simplify this :)

[leeN]

Added a test case and fixed the issue in #303. Once that is merged, could you retest this?

[leeN]

Can you check this and reopen this issue in case this persists?

[TAI-ing]

I can confirm that fetch.header(value) sink is recognized successfully. Thank you for adding this.

[TAI-ing]

I was not able to detect fetch.header(name) sink. Perhaps it would be worthwhile to consider this sink similar to XMLHttpRequest.setRequestHeader(name).

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <title>Request Hijacking Vulnerability</title>
</head>

<body>
    <script>
        let payload = decodeURIComponent(location.hash.substring(1)) //"{{REPLACE_SOURCE}}");

        fetch('http://localhost:8000', {
            headers: {
                'Content-Type': 'application/json',
                // use payload as header name
                [payload]: "test-payload"
            }
        })
            .then(response => response.text())
            .then(data => {
                console.log('Response:', data);
            })
            .catch(error => {
                console.error('Error:', error);
            });

    </script>
</body>
</html>

[leeN]

Oh, interesting. I will have a look at what goes wrong there. There is a testcase that tests for manually setting headers, but that syntax is not part of the test suite. Thanks!