jab2870/Dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
923 commits 1 branch 0 tags 15 MiB
Commit graph

23 commits

Author SHA1 Message Date
Jonathan Hodgson
298493d691 Fixes bug where it would try and test an empty line 
Thanks Rob Norman for reporting and helping debug.
 2021-04-09 11:45:05 +01:00
Jonathan Hodgson
5832de6742 BIN: analyse-headers: Will attempt to decode F5 Cookies 
Thanks <Huw Edwards> for the idea and help implementing it.
 2021-03-31 11:12:05 +01:00
Jonathan Hodgson
a683e57409 The recommended value for x-xss-protection is now 0 
The script will now recommend x-xss-protection is set to 0, in line with
the recommendation made by owasp.

https://owasp.org/www-project-secure-headers/#x-xss-protection
 2021-03-24 13:48:07 +00:00
Jonathan Hodgson
ba2b85b2cd BIN: analyse-headers: bug fixes 
A couple of bug fixes, removed some unnecesary echos and fixed crash if
name is too long to fit in the heading box
 2021-01-25 11:14:57 +00:00
Jonathan Hodgson
6dad0bf8ab BIN: fix csp check in analyse-headers 
the csp function didn't correctly return 1 when a missconfigured csp was
found
 2021-01-11 14:09:40 +00:00
Jonathan Hodgson
e94ba0b5b2 Improve handling of CSP 
Although I'd like to re-do the csp handling, this change fixes the
detection of unsafe-inline and unsafe-eval.
 2021-01-11 12:16:18 +00:00
Jonathan Hodgson
b8f104fd00 Makes detection of x-frame-options value case insensitive 
In other words, sameorigin == SAMEORIGIN == saMeOriGIN

This is in line with the spec for the header:

https://tools.ietf.org/html/rfc7034
 2021-01-11 12:07:07 +00:00
Jonathan Hodgson
6feffc731b BIN: analyse-headers: improve expect-ct description 2020-12-11 15:38:28 +00:00
Jonathan Hodgson
41fd57310a BIN: analyse-headers: Checks the access-control-allow-origin header 
Another suggestion by <Dom Ingram>.

For more details on the null issue, read here:
https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null
 2020-12-11 15:26:32 +00:00
Jonathan Hodgson
984298b29b BIN: analyse-headers: fix most shellcheck warnings 
The only checks I haven't fixed are the unused variables for colours. I
may use them in the future so haven't removed them
 2020-12-11 15:01:53 +00:00
Jonathan Hodgson
6ac052cd39 BIN: analyse-headers: note on x-frame-options if frame-ancestors present 
If the frame-ancestors content security policy is present, the
x-frame-options warning mentions that the content security helps
mitigate against clickjacking although for greater browser support,
x-frame-options should also be used

Thanks <Dom Ingram> for the suggestion
 2020-12-09 16:39:11 +00:00
Jonathan Hodgson
1b42f81f47 BIN: analyse-headers: Adds generic version disclosure function 
if the header contains the word "version" (case insensitively) it will
flag it as potential information disclosure

Thanks <Dom Ingram> for the suggestion
 2020-12-09 16:26:47 +00:00
Jonathan Hodgson
e247c85bc9 BIN: analyse-headers: read from stdin if first arg is - 
This makes testing much easier
 2020-12-09 16:24:59 +00:00
Jonathan Hodgson
cad2f2d2d5 BIN: analyse-headers: Add more notes to expect-ct description 
As pointed out by <Dom Ingram>, the expect-ct is likely to become
obsolete in June 2012

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
 2020-12-09 16:13:39 +00:00
Jonathan Hodgson
7ea1e9a964 BIN: analyse-headers: Fix incorrect reporting of SSL issues 
It turns out the SSL flags secure and httponly are not case sensitive.

https://tools.ietf.org/html/rfc6265#section-5.2.5

I cannot find any documentation about the SameSite=Strict so I will
leave it case sensitive for now. The spec for that section is here:

https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.2

Thanks <Dom Ingram> for flagging this
 2020-12-09 16:08:26 +00:00
Jonathan Hodgson
7a7ffc608d BIN: analyse-headers: add expect-ct and start referrer-policy 2020-12-03 11:19:35 +00:00
Jonathan Hodgson
3ce547a0b2 BIN: Analyse-headers: Adds to description for cookie flag 2020-12-02 10:54:10 +00:00
Jonathan Hodgson
fb5774a584 BIN: analyse-headers: fix error "wrap command not found" 2020-12-02 09:19:47 +00:00
Jonathan Hodgson
9ef36af8f7 BIN: analyse-headers: adds feature-policy and permissions-policy checks 2020-12-02 09:11:52 +00:00
Jonathan Hodgson
61097006a4 BIN: analyse-headers: Wrap text in descriptions 
The text in descriptions is now wrapped to 80 chars. This does not
affect the headers printed at the top which are not wrapped
 2020-12-02 08:32:10 +00:00
Jonathan Hodgson
af81ccd62e BIN: Adds SameSite check in analyse-headers script 
The script will now warn you if the SameSite option is not set to Strict
on cookies.
 2020-12-01 21:17:34 +00:00
Jonathan Hodgson
1f29c17ab5 BIN: Fix webtest script when : in cookies 
If there was a colon in a cookie, the script would misidentify insecure
cookie configurations
 2020-12-01 19:56:33 +00:00
Jonathan Hodgson
a3f75d9b32 BIN: Adds analyse-headers script 
The script is in early stages of development but should work for some of
the most common mis-configurtaions.
 2020-12-01 18:15:01 +00:00