BIN: analyse-headers

Adds some more descriptions
master
Jonathan Hodgson 3 years ago
parent 70638ac508
commit f01fa8673f
  1. 63
      bin/.bin/webtest/analyse-headers

@ -198,29 +198,31 @@ text-align: center;
test_content-security-policy(){ test_content-security-policy(){
local value local value
local ret=0
value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)" value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)"
# TODO: work on content security testing # TODO: work on content security testing
local message="" local message=""
if [ -z "$value" ]; then if [ -z "$value" ]; then
echo "Content-Security-Policy" | drawInBox message+="The HTTP Content-Security-Policy response header allows web site \
wecho -e "The HTTP Content-Security-Policy response header allows web site \
administrators to control resources the user agent is allowed to load for a \ administrators to control resources the user agent is allowed to load for a \
given page. With a few exceptions, policies mostly involve specifying server \ given page. With a few exceptions, policies mostly involve specifying server \
origins and script endpoints. This helps guard against cross-site scripting \ origins and script endpoints. This helps guard against cross-site scripting \
attacks (XSS).\n\n" attacks (XSS).\n\n"
return 2 ret=2
else else
if echo "$value" | grep -q 'unsafe-inline'; then if echo "$value" | grep -q 'unsafe-inline'; then
message+="The content security policy includes the \ message+="The content security policy includes the \
${ORANGE}unsafe-inline${NC} property which allows for inline JS/CSS assets. \ ${ORANGE}unsafe-inline${NC} property which allows for inline JS/CSS assets. \
This prevents the content security policy from effectively mitigating against This prevents the content security policy from effectively mitigating against
reflected or stored XSS attacks\n\n" reflected or stored XSS attacks\n\n"
ret=$((ret>1 ? ret : 1))
elif echo "$value" | grep -q 'unsafe-eval'; then elif echo "$value" | grep -q 'unsafe-eval'; then
message+="The content security policy includes the \ message+="The content security policy includes the \
${ORANGE}unsafe-eval${NC} property which allows for eval to be used in JS. \ ${ORANGE}unsafe-eval${NC} property which allows for eval to be used in JS. \
This prevents the content security policy from effectively mitigating against This prevents the content security policy from effectively mitigating against
DOM based XSS attacks\n\n" DOM based XSS attacks\n\n"
ret=$((ret>1 ? ret : 1))
fi fi
# TODO, I'd like to check for more CSP issues. # TODO, I'd like to check for more CSP issues.
# See https://csp-evaluator.withgoogle.com/ # See https://csp-evaluator.withgoogle.com/
@ -228,10 +230,41 @@ attacks (XSS).\n\n"
# https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/ # https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/
fi fi
if [ -n "$message" ]; then if [ -n "$message" ]; then
message+="The content security policy should be carefully considered \
before implementing as mis-configuring it can lead to site breakages. Scripts \
and stylesheets should be sourced from a carefully curated list of trusted \
domains that do now allow user uploaded content. Some CDNs should also be \
avoided if they host outdated versions of libraries that are known to be \
vulnerable or JSONP content, as both of these can lead to Cross Site Scripting \
(XSS). In order to prevent other types of XSS attack, unsafe-inline and \
unsafe-eval sources should be avoided in favour of putting scripts / styles in \
external resources or, if that is not possible, whitelisted inline scripts / \
styles using <hash-algorithm>-<hash> sources.
In order to prevent use of plugins such as flash and silverlight, use the \
{code}object-src 'none'{/code} directive.
In order to prevent framing, use the {code}frame-ancestors 'none'{/code} \
directive.
The recomended header for APIs is
{code}
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'
{/code}
Which disables loading of all sub-resources and stops the API response being
framed.
There is also a related content-security-policy-report-only header that will \
not enforce rules, but will report violations. This is useful for testing \
purposes
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n\n"
echo "Content-Security-Policy" | drawInBox echo "Content-Security-Policy" | drawInBox
message="$(echo "$message" | tr -d '\t')" message="$(echo "$message" | tr -d '\t')"
wecho -e "$message" wecho -e "$message"
return 1 return "$ret"
fi fi
return 0 return 0
} }
@ -244,6 +277,11 @@ test_strict-transport-security(){
value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)" value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)"
ret=0 ret=0
output="" output=""
if [ -z "$value" ]; then
output+="The HTTP Strict Transport Security response header intructs \
browsers to only connect to it via an encrypted channel.\n\n"
ret=2
else
maxAge="$(echo "$value" | grep -oE 'max-age=[0-9]+' | maxAge="$(echo "$value" | grep -oE 'max-age=[0-9]+' |
grep -oE '[0-9]+')" grep -oE '[0-9]+')"
@ -260,6 +298,7 @@ channel.\n\n"
ret=$((ret>1 ? ret : 1)) ret=$((ret>1 ? ret : 1))
fi fi
fi
#if ! echo "$value" | grep -q 'preload'; then #if ! echo "$value" | grep -q 'preload'; then
# output+="The preload property " # output+="The preload property "
# ret=$((ret>1 ? ret : 1)) # ret=$((ret>1 ? ret : 1))
@ -424,6 +463,20 @@ Origin. The \"null\" value for the ACAO header should therefore be avoided.\n\n"
return 0 return 0
} }
test_cache-control(){
local value
value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)"
if [ -z "$1" ] || ! echo "$value" | grep -q "no-store"; then
echo "Cache-Control" | drawInBox
wecho "The Cache-Control header instructs the browser if and for how \
long browsers may cache responses. If responses contain sensitive information, \
they should not be cached. In order to enforce this, add the no-store directive.\n"
echo -e "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control\n\n"
[ -z "$1" ] && return 2 || return 1
fi
}
usage(){ usage(){
echo -n "analyse-headers [OPTIONS]... URL echo -n "analyse-headers [OPTIONS]... URL
@ -500,11 +553,13 @@ else
fi fi
missingHeaders="x-frame-options missingHeaders="x-frame-options
strict-transport-security
content-security-policy content-security-policy
x-xss-protection x-xss-protection
x-content-type-options x-content-type-options
feature-policy feature-policy
permissions-policy permissions-policy
cache-control
expect-ct" expect-ct"
tmpfile="$(mktemp)" tmpfile="$(mktemp)"

Loading…
Cancel
Save