Tag: Branch: Tree: 9b1afa1aa2

master

Branches Tags

${ item.name }

Create tag ${ searchTerm }

Create branch ${ searchTerm }

from '9b1afa1aa2'

${ noResults }

Commit Graph

46 Commits (9b1afa1aa2e4535cc8cde9a690f2393c4324e89b)

Author	SHA1	Message	Date
Jonathan Hodgson	9b1afa1aa2	BIN: analyse-headers: improve csp checking ... The script now checks included domains against the lots project. https://lots-project.com/ It also checks domains against a list of known jsonp hosts that was found here: a21f94e348/allowlist_bypasses/jsonp.ts	2 years ago
Jonathan Hodgson	207fc59dc8	Bin: Analyse-headers: makes includesubdomains check case insensitive	3 years ago
Jonathan Hodgson	1b77625b87	BIN: analyse-headers ... Adds some more descriptions	3 years ago
Jonathan Hodgson	dac2ea8b45	BIN: analyse-headers: adds -k flag like curl ... This flag will prevent curl from doing certificate checks The long form, `--insecure` can also be used Thanks Rob Norman for the suggestion	4 years ago
Jonathan Hodgson	298493d691	Fixes bug where it would try and test an empty line ... Thanks Rob Norman for reporting and helping debug.	4 years ago
Jonathan Hodgson	5832de6742	BIN: analyse-headers: Will attempt to decode F5 Cookies ... Thanks <Huw Edwards> for the idea and help implementing it.	4 years ago
Jonathan Hodgson	3e50eebfe3	adds getnpmversion	4 years ago
Jonathan Hodgson	a683e57409	The recommended value for x-xss-protection is now 0 ... The script will now recommend x-xss-protection is set to 0, in line with the recommendation made by owasp. https://owasp.org/www-project-secure-headers/#x-xss-protection	4 years ago
Jonathan Hodgson	f7919d0053	Bin: fixes the lucky13 check ... It apparently works with any cbc cipher and doesn't require tls1	4 years ago
Jonathan Hodgson	ba2b85b2cd	BIN: analyse-headers: bug fixes ... A couple of bug fixes, removed some unnecesary echos and fixed crash if name is too long to fit in the heading box	4 years ago
Jonathan Hodgson	15b18a4a0a	BIN: Adds lucky13 to verifySSL	4 years ago
Jonathan Hodgson	c1ba95117a	BIN: Small adjustments to verifySSL ... The script now prepends the command that is echoed with a $ in order to indicate it is a command that is run Also stops the script showing each cipher that is tested	4 years ago
Jonathan Hodgson	4c2f3dbc4d	BIN: adds sweet32 test to verifySSL	4 years ago
Jonathan Hodgson	a4dc363ee6	BIN: makes the verifySSL print progress messages to stderr ... I chose to do this because I want to be able to pipe stdout to a file and use it as evidence. I don't need the progress for that	4 years ago
Jonathan Hodgson	961f7797a7	BIN: starts verifySSL script ... This will evolve to become a script that can be used to verify the findings of a tool like testssl Currently only supports "beast"	4 years ago
Jonathan Hodgson	6dad0bf8ab	BIN: fix csp check in analyse-headers ... the csp function didn't correctly return 1 when a missconfigured csp was found	4 years ago
Jonathan Hodgson	e94ba0b5b2	Improve handling of CSP ... Although I'd like to re-do the csp handling, this change fixes the detection of unsafe-inline and unsafe-eval.	4 years ago
Jonathan Hodgson	b8f104fd00	Makes detection of x-frame-options value case insensitive ... In other words, sameorigin == SAMEORIGIN == saMeOriGIN This is in line with the spec for the header: https://tools.ietf.org/html/rfc7034	4 years ago
Jonathan Hodgson	6feffc731b	BIN: analyse-headers: improve expect-ct description	4 years ago
Jonathan Hodgson	41fd57310a	BIN: analyse-headers: Checks the access-control-allow-origin header ... Another suggestion by <Dom Ingram>. For more details on the null issue, read here: https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null	4 years ago
Jonathan Hodgson	984298b29b	BIN: analyse-headers: fix most shellcheck warnings ... The only checks I haven't fixed are the unused variables for colours. I may use them in the future so haven't removed them	4 years ago
Jonathan Hodgson	6ac052cd39	BIN: analyse-headers: note on x-frame-options if frame-ancestors present ... If the frame-ancestors content security policy is present, the x-frame-options warning mentions that the content security helps mitigate against clickjacking although for greater browser support, x-frame-options should also be used Thanks <Dom Ingram> for the suggestion	4 years ago
Jonathan Hodgson	1b42f81f47	BIN: analyse-headers: Adds generic version disclosure function ... if the header contains the word "version" (case insensitively) it will flag it as potential information disclosure Thanks <Dom Ingram> for the suggestion	4 years ago
Jonathan Hodgson	e247c85bc9	BIN: analyse-headers: read from stdin if first arg is - ... This makes testing much easier	4 years ago
Jonathan Hodgson	cad2f2d2d5	BIN: analyse-headers: Add more notes to expect-ct description ... As pointed out by <Dom Ingram>, the expect-ct is likely to become obsolete in June 2012 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT	4 years ago
Jonathan Hodgson	7ea1e9a964	BIN: analyse-headers: Fix incorrect reporting of SSL issues ... It turns out the SSL flags secure and httponly are not case sensitive. https://tools.ietf.org/html/rfc6265#section-5.2.5 I cannot find any documentation about the SameSite=Strict so I will leave it case sensitive for now. The spec for that section is here: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.2 Thanks <Dom Ingram> for flagging this	4 years ago
Jonathan Hodgson	7a7ffc608d	BIN: analyse-headers: add expect-ct and start referrer-policy	4 years ago
Jonathan Hodgson	3ce547a0b2	BIN: Analyse-headers: Adds to description for cookie flag	4 years ago
Jonathan Hodgson	fb5774a584	BIN: analyse-headers: fix error "wrap command not found"	4 years ago
Jonathan Hodgson	9ef36af8f7	BIN: analyse-headers: adds feature-policy and permissions-policy checks	4 years ago
Jonathan Hodgson	61097006a4	BIN: analyse-headers: Wrap text in descriptions ... The text in descriptions is now wrapped to 80 chars. This does not affect the headers printed at the top which are not wrapped	4 years ago
Jonathan Hodgson	af81ccd62e	BIN: Adds SameSite check in analyse-headers script ... The script will now warn you if the SameSite option is not set to Strict on cookies.	4 years ago
Jonathan Hodgson	1f29c17ab5	BIN: Fix webtest script when : in cookies ... If there was a colon in a cookie, the script would misidentify insecure cookie configurations	4 years ago
Jonathan Hodgson	a3f75d9b32	BIN: Adds analyse-headers script ... The script is in early stages of development but should work for some of the most common mis-configurtaions.	4 years ago
Jonathan Hodgson	ad03136de5	Adds scripts to help with ssl testing	4 years ago
Jonathan Hodgson	af04f665cd	Renames jwtcat to catjwt to avoid clash with 3rd party tool	4 years ago
Jonathan Hodgson	c5fd08bb76	Creates script for printing jwt web tokens	4 years ago
Jonathan Hodgson	3ba3ca03b5	A start to webtest script	4 years ago
Jonathan Hodgson	74578ef182	Adds getpaths script	4 years ago
Jonathan Hodgson	b8fad36f8d	changed profile name to headless	5 years ago
Jonathan Hodgson	34ea59f0f6	Will create firefox profile	5 years ago
Jonathan Hodgson	c21d54d9a4	Adds help and checks url is given	5 years ago
Jonathan Hodgson	518d11f4ce	Makes clickjacking script look for ff dev edition	5 years ago
Jonathan Hodgson	45ac26d2d7	Adds script to make clickjacking screenshot	5 years ago
Jonathan Hodgson	121798e075	Lots of bin changes	5 years ago
Jonathan Hodgson	a01077a8e9	Adds a script for turning an html form into a curl requst	5 years ago