Bin: analyse-headers: better csp, x-xss, referer-policy and simple mode
The changes amount to the following. x-xss-protection now "passes" if it's set to `1; mode=block`. The CSP now fails if it doesn't have either a script-src or a default-src. It now checks for referrer-policy. Simple mode is available, which doesn't use colours and instead prepends each line with either "Misconfigured", "Good", or "Missing". Useful for automating.
This commit is contained in:
parent
2945b1f58b
commit
f7d545b57e
1 changed files with 56 additions and 13 deletions
|
@ -65,11 +65,20 @@ drawInBox(){
|
|||
# 1 = yellow
|
||||
# 2 = red
|
||||
getColour(){
|
||||
if [ "$simple" == "true" ]; then
|
||||
case "$1" in
|
||||
0) echo "Good - " ;;
|
||||
1) echo "Misconfigured - " ;;
|
||||
2) echo "Missing - " ;;
|
||||
esac
|
||||
|
||||
else
|
||||
case "$1" in
|
||||
0) echo -en "$GREEN" ;;
|
||||
1) echo -en "$YELLOW" ;;
|
||||
2) echo -en "$RED" ;;
|
||||
esac
|
||||
fi
|
||||
}
|
||||
|
||||
printKey(){
|
||||
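Review bot: The `case` statements in getColour have no `*)` arm, so a status other than 0, 1 or 2 prints no prefix in simple mode and no colour otherwise, and since the simple-mode prefix is what automation keys on, an unexpected result becomes invisible rather than flagged. A default arm such as `*) echo "Unknown - " ;;` (and `*) echo -en "$RED" ;;` in the colour branch) would surface it. `[ "$simple" == "true" ]` relies on bash's `[` accepting `==`, which is fine here because the script already uses `[[ ... ]]` elsewhere, though `=` is the portable spelling. getColour's callers are outside this hunk.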
|
@ -126,8 +135,8 @@ test_x-powered-by(){
|
|||
|
||||
test_x-xss-protection(){
|
||||
local value
|
||||
value="$(echo "$1" | cut -d ':' -f 2 | grep -oE '[0-9]+' )"
|
||||
if [ "$value" = "0" ]; then
|
||||
value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace )"
|
||||
if [ "$value" = "0" ] || [ "$value" = "1; mode=block" ]; then
|
||||
return 0
|
||||
else
|
||||
echo "X-XSS-Protection" | drawInBox
|
||||
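Review bot: The new comparison `[ "$value" = "1; mode=block" ]` is an exact, case-sensitive match, so a header sent as `1;mode=block` or `1; Mode=Block` is reported as misconfigured although the value is matched case-insensitively and whitespace-tolerantly by browsers. Normalising before comparing avoids that: `value="$(echo "$1" | cut -d ':' -f 2- | tr -d ' ' | tr '[:upper:]' '[:lower:]')"` and `if [ "$value" = "0" ] || [ "$value" = "1;mode=block" ]; then`. Using `-f 2-` also keeps any later parameter that itself contains a colon (such as a report URL) instead of truncating the value at the second colon. The else branch of this function continues outside the hunk.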
|
@ -387,6 +396,7 @@ attacks (XSS).\n\n"
|
|||
|
||||
local reportURI=false
|
||||
local reportTO=false
|
||||
local scriptOrDefaultSrc=false
|
||||
|
||||
[ -f "$lotsfile" ] || message+="WARNING: Lots file not available. Run with --fetch-lots in order to get it\n\n"
|
||||
|
||||
|
@ -398,6 +408,9 @@ attacks (XSS).\n\n"
|
|||
"report-to" ) reportTO=true ;;
|
||||
*"-src")
|
||||
# check sources
|
||||
if [ "$directiveName" = "script-src" ] | [ "$directiveName" = "default-src" ]; then
|
||||
scriptOrDefaultSrc=true;
|
||||
fi
|
||||
while read source; do
|
||||
sourcemessage=''
|
||||
case "$source" in
|
||||
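Review bot: The condition `[ "$directiveName" = "script-src" ] | [ "$directiveName" = "default-src" ]` uses a single `|`, which pipes the first test into the second instead of OR-ing them; the `if` then sees only the pipeline's status, so a policy that defines `script-src` but not `default-src` leaves scriptOrDefaultSrc at false and is reported as lacking both (with `pipefail` it would instead require both directives). It should read `if [ "$directiveName" = "script-src" ] || [ "$directiveName" = "default-src" ]; then`. The trailing `;` after `scriptOrDefaultSrc=true` is harmless but unnecessary. The enclosing `case`, `while` loop and function start and end outside this hunk.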
|
@ -462,6 +475,12 @@ Eventually the report-to header will deprecate this directive, but it is not \
|
|||
yet supported in most browsers so including both is recomended.\n\n"
|
||||
ret=$((ret>1 ? ret : 1))
|
||||
fi
|
||||
if [ "$scriptOrDefaultSrc" == "false" ]; then
|
||||
message+="The content security policy doesn't include the \
|
||||
${ORANGE}script-src${NC} or ${ORANGE}script-src${NC} directive which are used \
|
||||
add allowed script sources. Without either, any scripts are allowed by default.\n\n"
|
||||
ret=$((ret>1 ? ret : 1))
|
||||
fi
|
||||
|
||||
# elif echo "$value" | grep -q 'unsafe-eval'; then
|
||||
# ret=$((ret>1 ? ret : 1))
|
||||
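Review bot: The new message names `${ORANGE}script-src${NC}` twice; the second occurrence should be `default-src`, which is the directive the check actually accepts as the alternative: `${ORANGE}script-src${NC} or ${ORANGE}default-src${NC} directive which are used \`. The following line reads "used add allowed script sources" and should be "used to add allowed script sources". The function enclosing this hunk begins and ends outside it.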
|
@ -715,6 +734,17 @@ they should not be cached. In order to enforce this, add the no-store directive.
|
|||
|
||||
}
|
||||
|
||||
test_referrer-policy(){
|
||||
local value
|
||||
value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)"
|
||||
if [ -z "$1" ] || ! echo "$value" | grep -q "strict-origin"; then
|
||||
echo "Referrer-policy" | drawInBox
|
||||
wecho "This allows control over what information is sent to another site within the referrer header. The referrer header is commonly used in site analytics to understand where traffic to a site is coming from.\n"
|
||||
echo -e "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control\n\n"
|
||||
[ -z "$1" ] && return 2 || return 1
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
usage(){
|
||||
echo -n "analyse-headers [OPTIONS]... URL
|
||||
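Review bot: The reference printed for the Referrer-Policy finding is the Cache-Control page, `https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control`, apparently carried over from the cache-control test; it should be `https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy`. The pass condition `grep -q "strict-origin"` also marks `no-referrer` and `same-origin` as misconfigured although both disclose less referrer information than `strict-origin-when-cross-origin`; an anchored alternation on the trimmed value, `grep -qE '^(no-referrer|same-origin|strict-origin|strict-origin-when-cross-origin)$'`, would accept that set while still rejecting `unsafe-url` and the permissive defaults. Because it is a substring match, the current check would presumably also pass a comma-separated list such as `strict-origin, unsafe-url`, where browsers apply the last recognised policy, so anchoring the match is worth doing even if the accepted set is left unchanged.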
|
@ -767,6 +797,7 @@ set -- "${options[@]}"
|
|||
unset options
|
||||
|
||||
insecure=""
|
||||
simple="false"
|
||||
|
||||
windowsjoke=false
|
||||
if grep -q Microsoft /proc/version; then
|
||||
|
@ -778,6 +809,7 @@ while [[ $1 = -?* ]]; do
|
|||
case $1 in
|
||||
-h|--help) usage; exit;;
|
||||
-k|--insecure) insecure="-k" ;;
|
||||
--simple) simple="true" ;;
|
||||
--fetch-lots ) fetchLots; exit ;;
|
||||
--nojoke ) windowsjoke=false ;;
|
||||
--) shift; break ;;
|
||||
|
@ -806,7 +838,8 @@ x-xss-protection
|
|||
x-content-type-options
|
||||
permissions-policy
|
||||
feature-policy
|
||||
cache-control"
|
||||
cache-control
|
||||
referrer-policy"
|
||||
|
||||
tmpfile="$(mktemp)"
|
||||
touch "$tmpfile"
|
||||
|
@ -815,9 +848,11 @@ if [ "$windowsjoke" == "true" ]; then
|
|||
echo "Why would you use windows, do you hate yourself?"
|
||||
fi
|
||||
|
||||
if [ "$simple" == "false" ]; then
|
||||
printKey
|
||||
|
||||
echo ""
|
||||
fi
|
||||
|
||||
|
||||
echo "$headers" | sed -n '1p'
|
||||
|
||||
|
@ -837,19 +872,27 @@ while read -r line; do
|
|||
colour="$(getColour "$?")"
|
||||
echo -e "${colour}$line${NC}"
|
||||
else
|
||||
if [ "$simple" == "false" ]; then
|
||||
echo "$line"
|
||||
fi
|
||||
fi
|
||||
done<<<"$(echo "$headers" | sed '1d')" # We don't want the initial http banner
|
||||
|
||||
echo "$missingHeaders" | while read -r line; do
|
||||
if [ "$simple" == "false" ]; then
|
||||
echo -e "${RED}$line${NC}"
|
||||
else
|
||||
echo "Missing - $line"
|
||||
fi
|
||||
functionName="test_$line"
|
||||
"$functionName" >> "$tmpfile"
|
||||
done
|
||||
|
||||
echo ""
|
||||
|
||||
if [ "$simple" == "false" ]; then
|
||||
cat "$tmpfile"
|
||||
fi
|
||||
rm "$tmpfile"
|
||||
|
||||
|
||||
|
|