diff --git a/bin/.bin/webtest/analyse-headers b/bin/.bin/webtest/analyse-headers
index 0cc842b6..f2ac8a8a 100755
--- a/bin/.bin/webtest/analyse-headers
+++ b/bin/.bin/webtest/analyse-headers
@@ -65,11 +65,20 @@ drawInBox(){
 # 1 = yellow
 # 2 = red
 getColour(){
- case "$1" in
- 0) echo -en "$GREEN" ;;
- 1) echo -en "$YELLOW" ;;
- 2) echo -en "$RED" ;;
- esac
+ if [ "$simple" == "true" ]; then
+ case "$1" in
+ 0) echo "Good - " ;;
+ 1) echo "Misconfigured - " ;;
+ 2) echo "Missing - " ;;
+ esac
+
+ else
+ case "$1" in
+ 0) echo -en "$GREEN" ;;
+ 1) echo -en "$YELLOW" ;;
+ 2) echo -en "$RED" ;;
+ esac
+ fi
 }
 printKey(){
@@ -126,8 +135,8 @@ test_x-powered-by(){
 test_x-xss-protection(){
 local value
- value="$(echo "$1" | cut -d ':' -f 2 | grep -oE '[0-9]+' )"
- if [ "$value" = "0" ]; then
+ value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace )"
+ if [ "$value" = "0" ] || [ "$value" = "1; mode=block" ]; then
 return 0
 else
 echo "X-XSS-Protection" | drawInBox
@@ -387,6 +396,7 @@ attacks (XSS).\n\n"
 local reportURI=false
 local reportTO=false
+ local scriptOrDefaultSrc=false
 [ -f "$lotsfile" ] || message+="WARNING: Lots file not available. Run with --fetch-lots in order to get it\n\n"
@@ -398,6 +408,9 @@ attacks (XSS).\n\n"
 "report-to" ) reportTO=true ;;
 *"-src") # check sources
+ if [ "$directiveName" = "script-src" ] | [ "$directiveName" = "default-src" ]; then
+ scriptOrDefaultSrc=true;
+ fi
 while read source; do
 sourcemessage=''
 case "$source" in
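Review bot: In getColour the simple-mode labels are emitted with plain `echo`, so each carries a trailing newline that the colour branch (`echo -en`) does not; the caller only sees consistent values because `colour="$(getColour "$?")"` strips it. Writing the arms as `0) printf '%s' "Good - " ;;` (and likewise for the other two) makes the function's output independent of how it is captured. The two `case` blocks are otherwise the same mapping, so a single `case` whose arms pick either the label or the colour would halve the block.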
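Review bot: `cut -d ':' -f 2` in test_x-xss-protection keeps only the text up to the second colon, so a value that carries a report URL such as `1; mode=block; report=https://…` is truncated at `https` and rejected even though it begins with the accepted form; the new test_referrer-policy in this same diff already uses `-f 2-`, and this line should match it: `value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace )"`. The comparison is also an exact string match, so `1;mode=block` (no space) or different casing is reported as misconfigured; if that is intended, a comment saying so would help. Since current guidance I am aware of generally favours `0` for this header, a one-line comment explaining why `1; mode=block` is now accepted alongside `0` would also help the next reader. The function continues outside the hunk.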
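Review bot: The new condition joins the two `[ … ]` tests with a single `|`, which is a pipe rather than a logical or: the compound's status is that of the last test (or, under `pipefail`, failure if either test fails), so a policy that defines only `script-src` never sets `scriptOrDefaultSrc=true` and is later reported as lacking the directive. It should read `if [ "$directiveName" = "script-src" ] || [ "$directiveName" = "default-src" ]; then`. The trailing `;` on `scriptOrDefaultSrc=true;` is redundant. The enclosing function starts and ends outside the hunk.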
@@ -462,6 +475,12 @@ Eventually the report-to header will deprecate this directive, but it is not \
 yet supported in most browsers so including both is recomended.\n\n"
 ret=$((ret>1 ? ret : 1))
 fi
+ if [ "$scriptOrDefaultSrc" == "false" ]; then
+ message+="The content security policy doesn't include the \
+${ORANGE}script-src${NC} or ${ORANGE}script-src${NC} directive which are used \
+add allowed script sources. Without either, any scripts are allowed by default.\n\n"
+ ret=$((ret>1 ? ret : 1))
+ fi
 # elif echo "$value" | grep -q 'unsafe-eval'; then
 # ret=$((ret>1 ? ret : 1))
@@ -715,6 +734,17 @@ they should not be cached. In order to enforce this, add the no-store directive.
 }
+test_referrer-policy(){
+ local value
+ value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)"
+ if [ -z "$1" ] || ! echo "$value" | grep -q "strict-origin"; then
+ echo "Referrer-policy" | drawInBox
+ wecho "This allows control over what information is sent to another site within the referrer header. The referrer header is commonly used in site analytics to understand where traffic to a site is coming from.\n"
+ echo -e "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control\n\n"
+ [ -z "$1" ] && return 2 || return 1
+ fi
+
+}
 usage(){
 echo -n "analyse-headers [OPTIONS]... URL
@@ -767,6 +797,7 @@ set -- "${options[@]}"
 unset options
 insecure=""
+simple="false"
 windowsjoke=false
 if grep -q Microsoft /proc/version; then
@@ -778,6 +809,7 @@ while [[ $1 = -?* ]]; do
 case $1 in
 -h|--help) usage; exit;;
 -k|--insecure) insecure="-k" ;;
+ --simple) simple="true" ;;
 --fetch-lots ) fetchLots; exit ;;
 --nojoke ) windowsjoke=false ;;
 --) shift; break ;;
@@ -806,7 +838,8 @@ x-xss-protection
 x-content-type-options
 permissions-policy
 feature-policy
-cache-control"
+cache-control
+referrer-policy"
 tmpfile="$(mktemp)"
 touch "$tmpfile"
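Review bot: The message added for a policy without a script source directive names `script-src` twice and drops a word; it should read `${ORANGE}script-src${NC} or ${ORANGE}default-src${NC} directive which are used \` followed by `to add allowed script sources. Without either, any scripts are allowed by default.\n\n"`. The check itself depends on `scriptOrDefaultSrc` being set in the earlier hunk, where the two directive names are currently joined with a pipe instead of `||`. The enclosing function starts and ends outside the hunk.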
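Review bot: test_referrer-policy prints the MDN page for Cache-Control rather than Referrer-Policy, and the `grep -q "strict-origin"` substring test reports `no-referrer` and `same-origin` as misconfigured even though both send less referrer information cross-origin than `strict-origin-when-cross-origin` does. An explicit `case` over the accepted policy names makes the allow-list visible and keeps the missing/misconfigured distinction; the box title could also follow the other tests' capitalisation as `Referrer-Policy`. A header that lists several fallback policies is not handled by either version. The `wecho` text is left as is.
```shell
test_referrer-policy(){
    local value
    value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)"
    # Accept only policies that never send the path cross-origin.
    case "$value" in
        no-referrer|same-origin|strict-origin|strict-origin-when-cross-origin) return 0 ;;
    esac
    echo "Referrer-Policy" | drawInBox
    # … unchanged: wecho explanation …
    echo -e "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy\n\n"
    [ -z "$1" ] && return 2 || return 1
}
```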
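Review bot: The new `--simple` option is not described in `usage()`; the only part of that function visible in this diff (`analyse-headers [OPTIONS]... URL`) is unchanged, so unless a later line already lists the flag, add an entry next to the `--insecure` one, e.g. `  --simple   Plain output: one line per header prefixed with Good/Misconfigured/Missing, no colours or explanations`.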
@@ -815,9 +848,11 @@ if [ "$windowsjoke" == "true" ]; then
 echo "Why would you use windows, do you hate yourself?"
 fi
-printKey
-
+if [ "$simple" == "false" ]; then
+ printKey
 echo ""
+fi
+
 echo "$headers" | sed -n '1p'
@@ -837,19 +872,27 @@ while read -r line; do
 colour="$(getColour "$?")"
 echo -e "${colour}$line${NC}"
 else
- echo "$line"
+ if [ "$simple" == "false" ]; then
+ echo "$line"
+ fi
 fi
 done<<<"$(echo "$headers" | sed '1d')" # We don't want the initial http banner
 echo "$missingHeaders" | while read -r line; do
- echo -e "${RED}$line${NC}"
+ if [ "$simple" == "false" ]; then
+ echo -e "${RED}$line${NC}"
+ else
+ echo "Missing - $line"
+ fi
 functionName="test_$line"
 "$functionName" >> "$tmpfile"
 done
 echo ""
-cat "$tmpfile"
+if [ "$simple" == "false" ]; then
+ cat "$tmpfile"
+fi
 rm "$tmpfile"
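Review bot: In simple mode the tested-header line still goes through `echo -e "${colour}$line${NC}"`, so the plain `Good - `/`Misconfigured - ` label is followed by the `${NC}` reset escape, and `-e` expands any backslash sequences that happen to be in the server-supplied header value; output intended for another tool to read should be written with `printf '%s\n'` and no escape codes. The missing-header branch below already avoids both. The `while read -r line` loop starts outside the hunk.
```shell
        colour="$(getColour "$?")"
        if [ "$simple" == "true" ]; then
            printf '%s\n' "${colour}$line"
        else
            echo -e "${colour}$line${NC}"
        fi
```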