|
|
@ -72,8 +72,10 @@ printKey(){ |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
generic_version_disclosure(){ |
|
|
|
generic_version_disclosure(){ |
|
|
|
local value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)" |
|
|
|
local value |
|
|
|
local header="$(echo "$1" | cut -d ':' -f 1 | trimWhitespace)" |
|
|
|
local header |
|
|
|
|
|
|
|
value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)" |
|
|
|
|
|
|
|
header="$(echo "$1" | cut -d ':' -f 1 | trimWhitespace)" |
|
|
|
echo "$header" | drawInBox |
|
|
|
echo "$header" | drawInBox |
|
|
|
wecho -e "The server responds with ${ORANGE}$value${NC} in the \ |
|
|
|
wecho -e "The server responds with ${ORANGE}$value${NC} in the \ |
|
|
|
$header header" |
|
|
|
$header header" |
|
|
@ -82,7 +84,8 @@ $header header" |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
test_server(){ |
|
|
|
test_server(){ |
|
|
|
local value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)" |
|
|
|
local value |
|
|
|
|
|
|
|
value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)" |
|
|
|
echo "Server" | drawInBox |
|
|
|
echo "Server" | drawInBox |
|
|
|
wecho -e "The server responds with ${ORANGE}$value${NC} in the Server header" |
|
|
|
wecho -e "The server responds with ${ORANGE}$value${NC} in the Server header" |
|
|
|
wecho -e "This is potentially un-necesary information disclosure\n\n" |
|
|
|
wecho -e "This is potentially un-necesary information disclosure\n\n" |
|
|
@ -90,7 +93,8 @@ test_server(){ |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
test_x-powered-by(){ |
|
|
|
test_x-powered-by(){ |
|
|
|
local value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)" |
|
|
|
local value |
|
|
|
|
|
|
|
value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)" |
|
|
|
echo "X-Powered-By" | drawInBox |
|
|
|
echo "X-Powered-By" | drawInBox |
|
|
|
wecho -e "The server responds with ${ORANGE}$value${NC} in the X-Powered-By header" |
|
|
|
wecho -e "The server responds with ${ORANGE}$value${NC} in the X-Powered-By header" |
|
|
|
wecho -e "This is potentially un-necesary information disclosure\n\n" |
|
|
|
wecho -e "This is potentially un-necesary information disclosure\n\n" |
|
|
@ -98,7 +102,8 @@ test_x-powered-by(){ |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
test_x-xss-protection(){ |
|
|
|
test_x-xss-protection(){ |
|
|
|
local value="$(echo "$1" | cut -d ':' -f 2 | grep -oE '[0-9]+' )" |
|
|
|
local value |
|
|
|
|
|
|
|
value="$(echo "$1" | cut -d ':' -f 2 | grep -oE '[0-9]+' )" |
|
|
|
if [ "$value" = "1" ]; then |
|
|
|
if [ "$value" = "1" ]; then |
|
|
|
return 0 |
|
|
|
return 0 |
|
|
|
else |
|
|
|
else |
|
|
@ -112,7 +117,8 @@ of old browsers\n\n" |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
test_x-frame-options(){ |
|
|
|
test_x-frame-options(){ |
|
|
|
local value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)" |
|
|
|
local value |
|
|
|
|
|
|
|
value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)" |
|
|
|
case "$value" in |
|
|
|
case "$value" in |
|
|
|
"SAMEORIGIN"|"DENY") return 0 ;; |
|
|
|
"SAMEORIGIN"|"DENY") return 0 ;; |
|
|
|
"ALLOW-FROM"*) |
|
|
|
"ALLOW-FROM"*) |
|
|
@ -183,7 +189,8 @@ text-align: center; |
|
|
|
#} |
|
|
|
#} |
|
|
|
|
|
|
|
|
|
|
|
test_content-security-policy(){ |
|
|
|
test_content-security-policy(){ |
|
|
|
local value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)" |
|
|
|
local value |
|
|
|
|
|
|
|
value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)" |
|
|
|
# TODO: work on content security testing |
|
|
|
# TODO: work on content security testing |
|
|
|
|
|
|
|
|
|
|
|
if [ -z "$value" ]; then |
|
|
|
if [ -z "$value" ]; then |
|
|
@ -211,10 +218,14 @@ DOM based XSS attacks\n\n" |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
test_strict-transport-security(){ |
|
|
|
test_strict-transport-security(){ |
|
|
|
local value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)" |
|
|
|
local value |
|
|
|
local ret=0 |
|
|
|
local ret |
|
|
|
local output="" |
|
|
|
local output |
|
|
|
local maxAge="$(echo "$value" | grep -oE 'max-age=[0-9]+' | |
|
|
|
local maxAge |
|
|
|
|
|
|
|
value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)" |
|
|
|
|
|
|
|
ret=0 |
|
|
|
|
|
|
|
output="" |
|
|
|
|
|
|
|
maxAge="$(echo "$value" | grep -oE 'max-age=[0-9]+' | |
|
|
|
grep -oE '[0-9]+')" |
|
|
|
grep -oE '[0-9]+')" |
|
|
|
|
|
|
|
|
|
|
|
if [ "$maxAge" -lt "31536000" ]; then |
|
|
|
if [ "$maxAge" -lt "31536000" ]; then |
|
|
@ -243,10 +254,14 @@ channel.\n\n" |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
test_set-cookie(){ |
|
|
|
test_set-cookie(){ |
|
|
|
local value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)" |
|
|
|
local value |
|
|
|
local cookieName="$(echo "$value" | cut -d '=' -f 1)" |
|
|
|
local cookieName |
|
|
|
local ret=0 |
|
|
|
local ret |
|
|
|
local output="" |
|
|
|
local output |
|
|
|
|
|
|
|
value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)" |
|
|
|
|
|
|
|
cookieName="$(echo "$value" | cut -d '=' -f 1)" |
|
|
|
|
|
|
|
ret=0 |
|
|
|
|
|
|
|
output="" |
|
|
|
|
|
|
|
|
|
|
|
if ! echo "$value" | grep -q "HttpOnly"; then |
|
|
|
if ! echo "$value" | grep -q "HttpOnly"; then |
|
|
|
echo "$value" |
|
|
|
echo "$value" |
|
|
@ -287,7 +302,6 @@ used to allow or disallow certain browser features or apis in the interest of \ |
|
|
|
security.\n\n" |
|
|
|
security.\n\n" |
|
|
|
return 2 |
|
|
|
return 2 |
|
|
|
fi |
|
|
|
fi |
|
|
|
local value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)" |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
test_feature-policy(){ |
|
|
|
test_feature-policy(){ |
|
|
@ -306,11 +320,11 @@ header but should still be included for legacy browsers. |
|
|
|
It has been highlighted because the Permissions-policy header wasn't found.\n\n" |
|
|
|
It has been highlighted because the Permissions-policy header wasn't found.\n\n" |
|
|
|
return 2 |
|
|
|
return 2 |
|
|
|
fi |
|
|
|
fi |
|
|
|
local value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)" |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
test_expect-ct(){ |
|
|
|
test_expect-ct(){ |
|
|
|
local value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)" |
|
|
|
local value |
|
|
|
|
|
|
|
value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)" |
|
|
|
if [ -z "$1" ]; then |
|
|
|
if [ -z "$1" ]; then |
|
|
|
echo "Expect-CT" | drawInBox |
|
|
|
echo "Expect-CT" | drawInBox |
|
|
|
wecho "When a site enables the Expect-CT header, they are requesting \ |
|
|
|
wecho "When a site enables the Expect-CT header, they are requesting \ |
|
|
@ -334,7 +348,8 @@ expired in June 2021.\n\n" |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
test_referer-policy-ct(){ |
|
|
|
test_referer-policy-ct(){ |
|
|
|
local value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)" |
|
|
|
local value |
|
|
|
|
|
|
|
value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)" |
|
|
|
if [ -z "$1" ]; then |
|
|
|
if [ -z "$1" ]; then |
|
|
|
echo "Referrer-Policy" | drawInBox |
|
|
|
echo "Referrer-Policy" | drawInBox |
|
|
|
wecho "The Referrer-Policy HTTP header controls how much referrer \ |
|
|
|
wecho "The Referrer-Policy HTTP header controls how much referrer \ |
|
|
@ -394,7 +409,6 @@ done |
|
|
|
set -- "${options[@]}" |
|
|
|
set -- "${options[@]}" |
|
|
|
unset options |
|
|
|
unset options |
|
|
|
|
|
|
|
|
|
|
|
followRedirect="false" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Read the options and set stuff |
|
|
|
# Read the options and set stuff |
|
|
|
while [[ $1 = -?* ]]; do |
|
|
|
while [[ $1 = -?* ]]; do |
|
|
@ -436,9 +450,9 @@ echo "" |
|
|
|
|
|
|
|
|
|
|
|
echo "$headers" | sed -n '1p' |
|
|
|
echo "$headers" | sed -n '1p' |
|
|
|
|
|
|
|
|
|
|
|
while read line; do |
|
|
|
while read -r line; do |
|
|
|
headerKey="$(echo "$line" | cut -d ':' -f1)" |
|
|
|
headerKey="$(echo "$line" | cut -d ':' -f1)" |
|
|
|
lowercase="$(echo "$headerKey" | tr '[A-Z]' '[a-z]')" |
|
|
|
lowercase="$(echo "$headerKey" | tr '[:upper:]' '[:lower:]')" |
|
|
|
missingHeaders="$(echo -n "$missingHeaders" | sed '/'"$lowercase"'/d')" |
|
|
|
missingHeaders="$(echo -n "$missingHeaders" | sed '/'"$lowercase"'/d')" |
|
|
|
functionName="test_$lowercase" |
|
|
|
functionName="test_$lowercase" |
|
|
|
if declare -f "$functionName" > /dev/null; then |
|
|
|
if declare -f "$functionName" > /dev/null; then |
|
|
@ -453,9 +467,9 @@ while read line; do |
|
|
|
else |
|
|
|
else |
|
|
|
echo "$line" |
|
|
|
echo "$line" |
|
|
|
fi |
|
|
|
fi |
|
|
|
done<<<$(echo "$headers" | sed '1d') # We don't want the initial http banner |
|
|
|
done<<<"$(echo "$headers" | sed '1d')" # We don't want the initial http banner |
|
|
|
|
|
|
|
|
|
|
|
echo "$missingHeaders" | while read line; do |
|
|
|
echo "$missingHeaders" | while read -r line; do |
|
|
|
echo -e "${RED}$line${NC}" |
|
|
|
echo -e "${RED}$line${NC}" |
|
|
|
functionName="test_$line" |
|
|
|
functionName="test_$line" |
|
|
|
"$functionName" >> "$tmpfile" |
|
|
|
"$functionName" >> "$tmpfile" |
|
|
|