Commit graph

42 commits

Author SHA1 Message Date
Jonathan Hodgson
298493d691 Fixes bug where it would try and test an empty line
Thanks Rob Norman for reporting and helping debug.
2021-04-09 11:45:05 +01:00
Jonathan Hodgson
5832de6742 BIN: analyse-headers: Will attempt to decode F5 Cookies
Thanks <Huw Edwards> for the idea and help implementing it.
2021-03-31 11:12:05 +01:00
Jonathan Hodgson
3e50eebfe3 adds getnpmversion 2021-03-31 09:44:50 +01:00
Jonathan Hodgson
a683e57409 The recommended value for x-xss-protection is now 0
The script will now recommend x-xss-protection is set to 0, in line with
the recommendation made by owasp.

https://owasp.org/www-project-secure-headers/#x-xss-protection
2021-03-24 13:48:07 +00:00
Jonathan Hodgson
f7919d0053 Bin: fixes the lucky13 check
It apparently works with any cbc cipher and doesn't require tls1
2021-02-13 20:11:16 +00:00
Jonathan Hodgson
ba2b85b2cd BIN: analyse-headers: bug fixes
A couple of bug fixes, removed some unnecessary echos and fixed crash if
name is too long to fit in the heading box
2021-01-25 11:14:57 +00:00
Jonathan Hodgson
15b18a4a0a BIN: Adds lucky13 to verifySSL 2021-01-13 16:39:34 +00:00
Jonathan Hodgson
c1ba95117a BIN: Small adjustments to verifySSL
The script now prepends the command that is echoed with a $ in order to
indicate it is a command that is run

Also stops the script showing each cipher that is tested
2021-01-13 16:30:33 +00:00
Jonathan Hodgson
4c2f3dbc4d BIN: adds sweet32 test to verifySSL 2021-01-13 16:27:59 +00:00
Jonathan Hodgson
a4dc363ee6 BIN: makes the verifySSL print progress messages to stderr
I chose to do this because I want to be able to pipe stdout to a file
and use it as evidence. I don't need the progress for that
2021-01-13 16:21:01 +00:00
Jonathan Hodgson
961f7797a7 BIN: starts verifySSL script
This will evolve to become a script that can be used to verify the
findings of a tool like testssl

Currently only supports "beast"
2021-01-13 16:09:28 +00:00
Jonathan Hodgson
6dad0bf8ab BIN: fix csp check in analyse-headers
the csp function didn't correctly return 1 when a misconfigured csp was
found
2021-01-11 14:09:40 +00:00
Jonathan Hodgson
e94ba0b5b2 Improve handling of CSP
Although I'd like to re-do the csp handling, this change fixes the
detection of unsafe-inline and unsafe-eval.
2021-01-11 12:16:18 +00:00
Jonathan Hodgson
b8f104fd00 Makes detection of x-frame-options value case insensitive
In other words, sameorigin == SAMEORIGIN == saMeOriGIN

This is in line with the spec for the header:

https://tools.ietf.org/html/rfc7034
2021-01-11 12:07:07 +00:00
Jonathan Hodgson
6feffc731b BIN: analyse-headers: improve expect-ct description 2020-12-11 15:38:28 +00:00
Jonathan Hodgson
41fd57310a BIN: analyse-headers: Checks the access-control-allow-origin header
Another suggestion by <Dom Ingram>.

For more details on the null issue, read here:
https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null
2020-12-11 15:26:32 +00:00
Jonathan Hodgson
984298b29b BIN: analyse-headers: fix most shellcheck warnings
The only checks I haven't fixed are the unused variables for colours. I
may use them in the future so haven't removed them
2020-12-11 15:01:53 +00:00
Jonathan Hodgson
6ac052cd39 BIN: analyse-headers: note on x-frame-options if frame-ancestors present
If the frame-ancestors content security policy is present, the
x-frame-options warning mentions that the content security helps
mitigate against clickjacking although for greater browser support,
x-frame-options should also be used

Thanks <Dom Ingram> for the suggestion
2020-12-09 16:39:11 +00:00
Jonathan Hodgson
1b42f81f47 BIN: analyse-headers: Adds generic version disclosure function
if the header contains the word "version" (case insensitively) it will
flag it as potential information disclosure

Thanks <Dom Ingram> for the suggestion
2020-12-09 16:26:47 +00:00
Jonathan Hodgson
e247c85bc9 BIN: analyse-headers: read from stdin if first arg is -
This makes testing much easier
2020-12-09 16:24:59 +00:00
Jonathan Hodgson
cad2f2d2d5 BIN: analyse-headers: Add more notes to expect-ct description
As pointed out by <Dom Ingram>, the expect-ct is likely to become
obsolete in June 2012

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
2020-12-09 16:13:39 +00:00
Jonathan Hodgson
7ea1e9a964 BIN: analyse-headers: Fix incorrect reporting of SSL issues
It turns out the SSL flags secure and httponly are not case sensitive.

https://tools.ietf.org/html/rfc6265#section-5.2.5

I cannot find any documentation about the SameSite=Strict so I will
leave it case sensitive for now. The spec for that section is here:

https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.2

Thanks <Dom Ingram> for flagging this
2020-12-09 16:08:26 +00:00
Jonathan Hodgson
7a7ffc608d BIN: analyse-headers: add expect-ct and start referrer-policy 2020-12-03 11:19:35 +00:00
Jonathan Hodgson
3ce547a0b2 BIN: Analyse-headers: Adds to description for cookie flag 2020-12-02 10:54:10 +00:00
Jonathan Hodgson
fb5774a584 BIN: analyse-headers: fix error "wrap command not found" 2020-12-02 09:19:47 +00:00
Jonathan Hodgson
9ef36af8f7 BIN: analyse-headers: adds feature-policy and permissions-policy checks 2020-12-02 09:11:52 +00:00
Jonathan Hodgson
61097006a4 BIN: analyse-headers: Wrap text in descriptions
The text in descriptions is now wrapped to 80 chars. This does not
affect the headers printed at the top which are not wrapped
2020-12-02 08:32:10 +00:00
Jonathan Hodgson
af81ccd62e BIN: Adds SameSite check in analyse-headers script
The script will now warn you if the SameSite option is not set to Strict
on cookies.
2020-12-01 21:17:34 +00:00
Jonathan Hodgson
1f29c17ab5 BIN: Fix webtest script when : in cookies
If there was a colon in a cookie, the script would misidentify insecure
cookie configurations
2020-12-01 19:56:33 +00:00
Jonathan Hodgson
a3f75d9b32 BIN: Adds analyse-headers script
The script is in early stages of development but should work for some of
the most common misconfigurations.
2020-12-01 18:15:01 +00:00
Jonathan Hodgson
ad03136de5 Adds scripts to help with ssl testing 2020-09-22 15:49:42 +01:00
Jonathan Hodgson
af04f665cd Renames jwtcat to catjwt to avoid clash with 3rd party tool 2020-09-22 15:41:06 +01:00
Jonathan Hodgson
c5fd08bb76 Creates script for printing jwt web tokens 2020-09-22 15:40:20 +01:00
Jonathan Hodgson
3ba3ca03b5 A start to webtest script 2020-09-19 11:18:55 +01:00
Jonathan Hodgson
74578ef182 Adds getpaths script 2020-07-29 17:34:17 +01:00
Jonathan Hodgson
b8fad36f8d changed profile name to headless 2020-05-25 18:29:18 +01:00
Jonathan Hodgson
34ea59f0f6 Will create firefox profile 2020-05-25 18:13:43 +01:00
Jonathan Hodgson
c21d54d9a4 Adds help and checks url is given 2020-05-25 18:04:55 +01:00
Jonathan Hodgson
518d11f4ce Makes clickjacking script look for ff dev edition 2020-05-25 17:56:29 +01:00
Jonathan Hodgson
45ac26d2d7 Adds script to make clickjacking screenshot 2020-05-25 17:48:56 +01:00
Jonathan Hodgson
121798e075 Lots of bin changes 2020-01-04 13:21:05 +00:00
Jonathan Hodgson
a01077a8e9 Adds a script for turning an html form into a curl request 2019-12-17 12:30:12 +00:00