@ -65,11 +65,20 @@ drawInBox(){
# 1 = yellow
# 2 = red
getColour(){
case "$1" in
0) echo -en "$GREEN" ;;
1) echo -en "$YELLOW" ;;
2) echo -en "$RED" ;;
esac
if [ "$simple" == "true" ]; then
case "$1" in
0) echo "Good - " ;;
1) echo "Misconfigured - " ;;
2) echo "Missing - " ;;
esac
else
case "$1" in
0) echo -en "$GREEN" ;;
1) echo -en "$YELLOW" ;;
2) echo -en "$RED" ;;
esac
fi
}
printKey(){
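Review bot: The new --simple branch of getColour has no default arm, so any exit status other than 0, 1 or 2 — for instance the 127 bash returns when a `test_*` function named in the header list does not exist — produces an empty prefix and the header line is printed as if it had no status at all. Add `*) echo "Unknown - " ;;` to the inner case so an unexpected return code stays visible in simple output, which is the mode most likely to be parsed by another tool. The colour branch silently prints such a line uncoloured for the same reason; a `*)` arm emitting `$RED` there would make the failure stand out rather than look like plain output.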
@ -126,8 +135,8 @@ test_x-powered-by(){
test_x-xss-protection(){
local value
value="$(echo "$1" | cut -d ':' -f 2 | grep -oE '[0-9]+' )"
if [ "$value" = "0" ]; then
value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace )"
if [ "$value" = "0" ] || [ "$value" = "1; mode=block" ] ; then
return 0
else
echo "X-XSS-Protection" | drawInBox
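Review bot: The new comparison on the `if` line is an exact, case-sensitive string match, so legitimate spellings such as `1;mode=block` (no space) or `1; Mode=Block` are reported as misconfigured while the check is only meant to accept the two recommended settings. Normalise before comparing: `value="$(echo "$1" | cut -d ':' -f 2- | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')"` and `if [ "$value" = "0" ] || [ "$value" = "1;mode=block" ]; then`. Using `-f 2-` also keeps the whole value when it contains a colon (a `report=` URL), matching how test_referrer-policy slices the header elsewhere in this commit. Note that a number of current hardening guides recommend `0` only, since the legacy XSS auditor has been removed from major browsers; if the tool wants to follow that, `1; mode=block` should be downgraded to a warning with a short explanation in the message.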
@ -387,6 +396,7 @@ attacks (XSS).\n\n"
local reportURI=false
local reportTO=false
local scriptOrDefaultSrc=false
[ -f "$lotsfile" ] || message+="WARNING: Lots file not available. Run with --fetch-lots in order to get it\n\n"
@ -398,6 +408,9 @@ attacks (XSS).\n\n"
"report-to" ) reportTO=true ;;
*"-src")
# check sources
if [ "$directiveName" = "script-src" ] | [ "$directiveName" = "default-src" ]; then
scriptOrDefaultSrc=true;
fi
while read source; do
sourcemessage=''
case "$source" in
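Review bot: The added test `[ "$directiveName" = "script-src" ] | [ "$directiveName" = "default-src" ]` uses a single `|`, which is a pipeline, not a logical OR: the result is the exit status of the second `[ ]` (or, under pipefail, a failure if either side fails), so a policy that defines `script-src` but not `default-src` never sets `scriptOrDefaultSrc=true` and is wrongly reported later as allowing any script. Change it to `if [ "$directiveName" = "script-src" ] || [ "$directiveName" = "default-src" ]; then`. Since `*"-src")` also matches `script-src-elem` and `script-src-attr`, consider whether `script-src-elem` should count as well, as it governs the same script sources. The enclosing CSP test function begins and ends outside this hunk.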
@ -462,6 +475,12 @@ Eventually the report-to header will deprecate this directive, but it is not \
yet supported in most browsers so including both is recomended.\n\n"
ret=$((ret>1 ? ret : 1))
fi
if [ "$scriptOrDefaultSrc" == "false" ]; then
message+="The content security policy doesn't include the \
${ORANGE}script-src${NC} or ${ORANGE}script-src${NC} directive which are used \
add allowed script sources. Without either, any scripts are allowed by default.\n\n"
ret=$((ret>1 ? ret : 1))
fi
# elif echo "$value" | grep -q 'unsafe-eval'; then
# ret=$((ret>1 ? ret : 1))
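Review bot: The new message names `script-src` twice and drops a word: `${ORANGE}script-src${NC} or ${ORANGE}script-src${NC} directive which are used \` followed by `add allowed script sources.` Change the two lines to `${ORANGE}script-src${NC} or ${ORANGE}default-src${NC} directive, which are used to \` and `add allowed script sources. Without either, any scripts are allowed by default.\n\n"` so the advice points the reader at the directive that is actually missing. The severity of 1 (misconfigured) is consistent with the rest of the function, but it may be worth saying in the message that without either directive the policy offers no script-injection protection at all, since that is the main reason to set a CSP. The enclosing function continues outside this hunk.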
@ -715,6 +734,17 @@ they should not be cached. In order to enforce this, add the no-store directive.
}
test_referrer-policy(){
local value
value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)"
if [ -z "$1" ] || ! echo "$value" | grep -q "strict-origin"; then
echo "Referrer-policy" | drawInBox
wecho "This allows control over what information is sent to another site within the referrer header. The referrer header is commonly used in site analytics to understand where traffic to a site is coming from.\n"
echo -e "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control\n\n"
[ -z "$1" ] && return 2 || return 1
fi
}
usage(){
echo -n "analyse-headers [OPTIONS]... URL
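Review bot: The reference link printed in the new test_referrer-policy points to the Cache-Control page (a copy-paste from the test above); it should be `echo -e "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy\n\n"`. The acceptance test `grep -q "strict-origin"` is a substring match that also rejects the strictest values — `no-referrer` and `same-origin` — as misconfigured, and a plain substring for `no-referrer` could not be added because it is a prefix of the weak `no-referrer-when-downgrade`. Match whole tokens instead, splitting the comma-separated fallback list the header allows: `value="$(echo "$1" | cut -d ':' -f 2- | tr -d ' \t\r' | tr ',' '\n')"` and `if [ -z "$1" ] || ! echo "$value" | grep -qxE 'no-referrer|same-origin|strict-origin|strict-origin-when-cross-origin'; then`. The explanatory text could then also say which values the tool considers acceptable, since at the moment it only describes what the header is for.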
@ -767,6 +797,7 @@ set -- "${options[@]}"
unset options
insecure=""
simple="false"
windowsjoke=false
if grep -q Microsoft /proc/version; then
@ -778,6 +809,7 @@ while [[ $1 = -?* ]]; do
case $1 in
-h|--help) usage; exit;;
-k|--insecure) insecure="-k" ;;
--simple) simple="true" ;;
--fetch-lots ) fetchLots; exit ;;
--nojoke ) windowsjoke=false ;;
--) shift; break ;;
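Review bot: The new `--simple` option is accepted here but nothing in the visible parts of this commit adds it to `usage()`, whose body is cut off in the hunk above; if that was not done elsewhere, add a line alongside the other options such as `  --simple        Plain-text output without colours or explanations, one "Status - header" line per header`. Since simple mode is presumably meant for piping into other tools, the usage text should also state the exact prefixes emitted (`Good - `, `Misconfigured - `, `Missing - `) so consumers can rely on them.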
@ -806,7 +838,8 @@ x-xss-protection
x-content-type-options
permissions-policy
feature-policy
cache-control"
cache-control
referrer-policy"
tmpfile="$(mktemp)"
touch "$tmpfile"
@ -815,9 +848,11 @@ if [ "$windowsjoke" == "true" ]; then
echo "Why would you use windows, do you hate yourself?"
fi
printKey
if [ "$simple" == "false" ]; then
printKey
echo ""
fi
echo "$headers" | sed -n '1p'
@ -837,19 +872,27 @@ while read -r line; do
colour="$(getColour "$?")"
echo -e "${colour}$line${NC}"
else
echo "$line"
if [ "$simple" == "false" ]; then
echo "$line"
fi
fi
done<<<"$(echo "$headers" | sed '1d')" # We don't want the initial http banner
echo "$missingHeaders" | while read -r line; do
echo -e "${RED}$line${NC}"
if [ "$simple" == "false" ]; then
echo -e "${RED}$line${NC}"
else
echo "Missing - $line"
fi
functionName="test_$line"
"$functionName" >> "$tmpfile"
done
echo ""
cat "$tmpfile"
if [ "$simple" == "false" ]; then
cat "$tmpfile"
fi
rm "$tmpfile"
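Review bot: In --simple mode the per-header line is still written by the unchanged `echo -e "${colour}$line${NC}"`, so every line ends with the reset escape sequence from `$NC` even though the point of the flag is plain output; the simple branch added for missing headers avoids this, but the present-header path does not. While changing that line, stop passing the server-supplied header through `echo -e`: `$line` comes from the remote response, and `-e` turns literal backslash sequences in a header value into terminal control codes, so a hostile server can inject escape sequences into the operator's terminal. Use printf with `%s` for the untrusted data, and only interpret escapes in the colour variables (hedged: `$colour` already holds interpreted bytes from `echo -en`, whereas `$NC` may or may not). The surrounding `while read -r line` loop begins outside this hunk, and `$line` in the missing-header loop comes from the fixed `missingHeaders` list, so it is not affected.

```shell
        colour="$(getColour "$?")"
        if [ "$simple" == "true" ]; then
            # plain mode: status prefix and raw header only, no escape sequences
            printf '%s%s\n' "$colour" "$line"
        else
            # header text is remote input: never let echo -e/%b interpret it
            printf '%s%s%b\n' "$colour" "$line" "$NC"
        fi
# … unchanged: non-tested header branch, missing-header loop, report output …
```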