Tag: Branch: Tree: 85aa514a53

master

Branches Tags

${ item.name }

Create tag ${ searchTerm }

Create branch ${ searchTerm }

from '85aa514a53'

${ noResults }

Commit Graph

24 Commits (85aa514a53577d40e3d0409b90999141ab40faac)

Author	SHA1	Message	Date
Jonathan Hodgson	dac2ea8b45	BIN: analyse-headers: adds -k flag like curl ... This flag will prevent curl from doing certificate checks The long form, `--insecure` can also be used Thanks Rob Norman for the suggestion	4 years ago
Jonathan Hodgson	298493d691	Fixes bug where it would try and test an empty line ... Thanks Rob Norman for reporting and helping debug.	4 years ago
Jonathan Hodgson	5832de6742	BIN: analyse-headers: Will attempt to decode F5 Cookies ... Thanks <Huw Edwards> for the idea and help implementing it.	4 years ago
Jonathan Hodgson	a683e57409	The recommended value for x-xss-protection is now 0 ... The script will now recommend x-xss-protection is set to 0, in line with the recommendation made by owasp. https://owasp.org/www-project-secure-headers/#x-xss-protection	4 years ago
Jonathan Hodgson	ba2b85b2cd	BIN: analyse-headers: bug fixes ... A couple of bug fixes, removed some unnecesary echos and fixed crash if name is too long to fit in the heading box	4 years ago
Jonathan Hodgson	6dad0bf8ab	BIN: fix csp check in analyse-headers ... the csp function didn't correctly return 1 when a missconfigured csp was found	4 years ago
Jonathan Hodgson	e94ba0b5b2	Improve handling of CSP ... Although I'd like to re-do the csp handling, this change fixes the detection of unsafe-inline and unsafe-eval.	4 years ago
Jonathan Hodgson	b8f104fd00	Makes detection of x-frame-options value case insensitive ... In other words, sameorigin == SAMEORIGIN == saMeOriGIN This is in line with the spec for the header: https://tools.ietf.org/html/rfc7034	4 years ago
Jonathan Hodgson	6feffc731b	BIN: analyse-headers: improve expect-ct description	4 years ago
Jonathan Hodgson	41fd57310a	BIN: analyse-headers: Checks the access-control-allow-origin header ... Another suggestion by <Dom Ingram>. For more details on the null issue, read here: https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null	4 years ago
Jonathan Hodgson	984298b29b	BIN: analyse-headers: fix most shellcheck warnings ... The only checks I haven't fixed are the unused variables for colours. I may use them in the future so haven't removed them	4 years ago
Jonathan Hodgson	6ac052cd39	BIN: analyse-headers: note on x-frame-options if frame-ancestors present ... If the frame-ancestors content security policy is present, the x-frame-options warning mentions that the content security helps mitigate against clickjacking although for greater browser support, x-frame-options should also be used Thanks <Dom Ingram> for the suggestion	4 years ago
Jonathan Hodgson	1b42f81f47	BIN: analyse-headers: Adds generic version disclosure function ... if the header contains the word "version" (case insensitively) it will flag it as potential information disclosure Thanks <Dom Ingram> for the suggestion	4 years ago
Jonathan Hodgson	e247c85bc9	BIN: analyse-headers: read from stdin if first arg is - ... This makes testing much easier	4 years ago
Jonathan Hodgson	cad2f2d2d5	BIN: analyse-headers: Add more notes to expect-ct description ... As pointed out by <Dom Ingram>, the expect-ct is likely to become obsolete in June 2012 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT	4 years ago
Jonathan Hodgson	7ea1e9a964	BIN: analyse-headers: Fix incorrect reporting of SSL issues ... It turns out the SSL flags secure and httponly are not case sensitive. https://tools.ietf.org/html/rfc6265#section-5.2.5 I cannot find any documentation about the SameSite=Strict so I will leave it case sensitive for now. The spec for that section is here: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.2 Thanks <Dom Ingram> for flagging this	4 years ago
Jonathan Hodgson	7a7ffc608d	BIN: analyse-headers: add expect-ct and start referrer-policy	4 years ago
Jonathan Hodgson	3ce547a0b2	BIN: Analyse-headers: Adds to description for cookie flag	4 years ago
Jonathan Hodgson	fb5774a584	BIN: analyse-headers: fix error "wrap command not found"	4 years ago
Jonathan Hodgson	9ef36af8f7	BIN: analyse-headers: adds feature-policy and permissions-policy checks	4 years ago
Jonathan Hodgson	61097006a4	BIN: analyse-headers: Wrap text in descriptions ... The text in descriptions is now wrapped to 80 chars. This does not affect the headers printed at the top which are not wrapped	4 years ago
Jonathan Hodgson	af81ccd62e	BIN: Adds SameSite check in analyse-headers script ... The script will now warn you if the SameSite option is not set to Strict on cookies.	4 years ago
Jonathan Hodgson	1f29c17ab5	BIN: Fix webtest script when : in cookies ... If there was a colon in a cookie, the script would misidentify insecure cookie configurations	4 years ago
Jonathan Hodgson	a3f75d9b32	BIN: Adds analyse-headers script ... The script is in early stages of development but should work for some of the most common mis-configurtaions.	4 years ago