BIN: analyse-headers: Wrap text in descriptions

The text in descriptions is now wrapped to 80 chars. This does not
affect the headers printed at the top which are not wrapped
master
Jonathan Hodgson 4 years ago
parent fb5d25dc6c
commit afa3f3495a
  1. 37
      bin/.bin/webtest/analyse-headers

@ -26,6 +26,11 @@ trimWhitespace(){
sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}
#wrapped echo
wecho(){
builtin echo -e "$@" | fold -s -w 80
}
drawInBox(){
innerWidth="45"
echo -en "${LBLUE}╭"
@ -69,25 +74,25 @@ printKey(){
test_server(){
local value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)"
echo "Server" | drawInBox
echo -e "The server responds with ${ORANGE}$value${NC} in the Server header"
echo -e "This is potentially un-necesary information disclosure\n\n"
wecho -e "The server responds with ${ORANGE}$value${NC} in the Server header"
wecho -e "This is potentially un-necesary information disclosure\n\n"
[ -n "$value" ] && return 1 || return 0
}
test_x-powered-by(){
local value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)"
echo "X-Powered-By" | drawInBox
echo -e "The server responds with ${ORANGE}$value${NC} in the X-Powered-By header"
echo -e "This is potentially un-necesary information disclosure\n\n"
wecho -e "The server responds with ${ORANGE}$value${NC} in the X-Powered-By header" | wrap
wecho -e "This is potentially un-necesary information disclosure\n\n"
[ -n "$value" ] && return 1 || return 0
}
test_x-aspnet-version(){
local value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)"
echo "X-Powered-By" | drawInBox
echo -e "The server responds with ${ORANGE}$value${NC} in the \
wecho -e "The server responds with ${ORANGE}$value${NC} in the \
X-AspNet-Version header"
echo -e "This is potentially un-necesary information disclosure\n\n"
wecho -e "This is potentially un-necesary information disclosure\n\n"
[ -n "$value" ] && return 1 || return 0
}
@ -97,7 +102,7 @@ test_x-xss-protection(){
return 0
else
echo "X-XSS-Protection" | drawInBox
echo -e "The X-XSS-Protection header asks browsers to try and prevent \
wecho -e "The X-XSS-Protection header asks browsers to try and prevent \
reflected cross site scripting attacks. It has been replaced in modern browsers \
by the content-security-policy although should still be included for the sake \
of old browsers\n\n"
@ -111,15 +116,15 @@ test_x-frame-options(){
"SAMEORIGIN"|"DENY") return 0 ;;
"ALLOW-FROM"*)
echo "X-Frame-Opitons" | drawInBox
echo "The ALLOW-FROM derivative is obsolete and no longer works \
wecho "The ALLOW-FROM derivative is obsolete and no longer works \
in modern browsers."
echo "The Content-Security-Policy HTTP header has a \
wecho "The Content-Security-Policy HTTP header has a \
frame-ancestors directive which you can use instead."
return 1
;;
*)
echo "X-Frame-Opitons" | drawInBox
echo "The X-Frame-Options HTTP response header can be used to \
wecho "The X-Frame-Options HTTP response header can be used to \
indicate whether or not a browser should be allowed to render a page in a \
<frame>, <iframe>, <embed> or <object>. Sites can use this to avoid \
click-jacking attacks, by ensuring that their content is not embedded into \
@ -158,7 +163,7 @@ text-align: center;
</body>
</html>
"
echo "To verify, type paste the following into your browser:"
wecho "To verify, type paste the following into your browser:"
echo -e "\ndata:text/html;base64,$(echo "$source" | base64 -w 0)\n\n"
return 2
@ -174,7 +179,7 @@ test_content-security-policy(){
if [ -z "$value" ]; then
echo "Content-Security-Policy" | drawInBox
echo -e "The HTTP Content-Security-Policy response header allows web site \
wecho -e "The HTTP Content-Security-Policy response header allows web site \
administrators to control resources the user agent is allowed to load for a \
given page. With a few exceptions, policies mostly involve specifying server \
origins and script endpoints. This helps guard against cross-site scripting \
@ -182,13 +187,13 @@ attacks (XSS).\n\n"
return 2
elif echo "$value" | grep -q 'unsafe-inline'; then
echo "Content-Security-Policy" | drawInBox
echo -e "The content security policy includes the \
wecho -e "The content security policy includes the \
${ORANGE}unsafe-inline${NC} property which allows for inline JS/CSS assets. \
This prevents the content security policy from effectively mitigating against
reflected or stored XSS attacks\n\n"
elif echo "$value" | grep -q 'unsafe-eval'; then
echo "Content-Security-Policy" | drawInBox
echo -e "The content security policy includes the \
wecho -e "The content security policy includes the \
${ORANGE}unsafe-eval${NC} property which allows for eval to be used in JS. \
This prevents the content security policy from effectively mitigating against
DOM based XSS attacks\n\n"
@ -223,7 +228,7 @@ channel.\n\n"
if [ "$ret" -gt 0 ]; then
echo "Strict-Transport-Security" | drawInBox
echo -e "$output"
wecho -e "$output"
fi
return $ret
}
@ -258,7 +263,7 @@ Strict means the browser sends the cookie only for same-site requests\n\n"
if [ "$ret" -gt 0 ]; then
echo "Set-Cookie: $cookieName" | drawInBox
echo -e "$output"
wecho -e "$output"
fi
return "$ret"

Loading…
Cancel
Save