Wildcard subdomains no longer reported by WildcardCheck

aefdr · Feb 1, 2016 · 2be39e6 · 2be39e6
1 parent b0e995e
commit 2be39e6
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/burp_csp_bypass.py b/burp_csp_bypass.py
@@ -129,10 +129,10 @@ def unsafeContentSourceCheck(self, csp, burpHttpReqResp):
     def wildcardContentSourceCheck(self, csp, burpHttpReqResp):
         """ Check content sources for wildcards '*' """
         issues = []
-        for directive, contentSoruces in csp.iteritems():
-            if contentSoruces is None:
+        for directive, sources in csp.iteritems():
+            if sources is None:
                 continue  # Skip unspecified directives in NO_FALLBACK
-            if any("*" in src for src in contentSoruces):
+            if any(src == "*" for src in sources):
                 wildcardContent = WildcardContentSource(
                     httpService=burpHttpReqResp.getHttpService(),
                     url=self._getUrl(burpHttpReqResp),