Commit graph

42 commits

Author SHA1 Message Date
Jonathan Hodgson
b943a3e03b Fixes bug where it would try and test an empty line
Thanks Rob Norman for reporting and helping debug.
2021-04-09 11:45:05 +01:00
Jonathan Hodgson
c6a0909917 BIN: analyse-headers: Will attempt to decode F5 Cookies
Thanks <Huw Edwards> for the idea and help implementing it.
2021-03-31 11:12:05 +01:00
Jonathan Hodgson
12830226e8 adds getnpmversion 2021-03-31 09:44:50 +01:00
Jonathan Hodgson
4d99c42607 The recommended value for x-xss-protection is now 0
The script will now recommend x-xss-protection is set to 0, in line with
the recommendation made by owasp.

https://owasp.org/www-project-secure-headers/#x-xss-protection
2021-03-24 13:48:07 +00:00
Jonathan Hodgson
865566dd04 Bin: fixes the lucky13 check
It apparently works with any cbc cipher and doesn't require tls1
2021-02-13 20:11:16 +00:00
Jonathan Hodgson
30dd026965 BIN: analyse-headers: bug fixes
A couple of bug fixes, removed some unnecessary echos and fixed crash if
name is too long to fit in the heading box
2021-01-25 11:14:57 +00:00
Jonathan Hodgson
d8e3b894c0 BIN: Adds lucky13 to verifySSL 2021-01-13 16:39:34 +00:00
Jonathan Hodgson
bd7337926e BIN: Small adjustments to verifySSL
The script now prepends the command that is echoed with a $ in order to
indicate it is a command that is run

Also stops the script showing each cipher that is tested
2021-01-13 16:30:33 +00:00
Jonathan Hodgson
064b53f2bf BIN: adds sweet32 test to verifySSL 2021-01-13 16:27:59 +00:00
Jonathan Hodgson
dd4b8e5161 BIN: makes the verifySSL print progress messages to stderr
I chose to do this because I want to be able to pipe stdout to a file
and use it as evidence. I don't need the progress for that
2021-01-13 16:21:01 +00:00
Jonathan Hodgson
995b2a516e BIN: starts verifySSL script
This will evolve to become a script that can be used to verify the
findings of a tool like testssl

Currently only supports "beast"
2021-01-13 16:09:28 +00:00
Jonathan Hodgson
349963cdad BIN: fix csp check in analyse-headers
the csp function didn't correctly return 1 when a misconfigured csp was
found
2021-01-11 14:09:40 +00:00
Jonathan Hodgson
3f01926ab6 Improve handling of CSP
Although I'd like to re-do the csp handling, this change fixes the
detection of unsafe-inline and unsafe-eval.
2021-01-11 12:16:18 +00:00
Jonathan Hodgson
e77aa36e70 Makes detection of x-frame-options value case insensitive
In other words, sameorigin == SAMEORIGIN == saMeOriGIN

This is in line with the spec for the header:

https://tools.ietf.org/html/rfc7034
2021-01-11 12:07:07 +00:00
Jonathan Hodgson
909a6e5e3c BIN: analyse-headers: improve expect-ct description 2020-12-11 15:38:28 +00:00
Jonathan Hodgson
b49d000408 BIN: analyse-headers: Checks the access-control-allow-origin header
Another suggestion by <Dom Ingram>.

For more details on the null issue, read here:
https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null
2020-12-11 15:26:32 +00:00
Jonathan Hodgson
f669880037 BIN: analyse-headers: fix most shellcheck warnings
The only checks I haven't fixed are the unused variables for colours. I
may use them in the future so haven't removed them
2020-12-11 15:01:53 +00:00
Jonathan Hodgson
2e1dff91a3 BIN: analyse-headers: note on x-frame-options if frame-ancestors present
If the frame-ancestors content security policy is present, the
x-frame-options warning mentions that the content security helps
mitigate against clickjacking although for greater browser support,
x-frame-options should also be used

Thanks <Dom Ingram> for the suggestion
2020-12-09 16:39:11 +00:00
Jonathan Hodgson
1fabc27b79 BIN: analyse-headers: Adds generic version disclosure function
if the header contains the word "version" (case insensitively) it will
flag it as potential information disclosure

Thanks <Dom Ingram> for the suggestion
2020-12-09 16:26:47 +00:00
Jonathan Hodgson
27b9af6327 BIN: analyse-headers: read from stdin if first arg is -
This makes testing much easier
2020-12-09 16:24:59 +00:00
Jonathan Hodgson
039f4e2270 BIN: analyse-headers: Add more notes to expect-ct description
As pointed out by <Dom Ingram>, the expect-ct is likely to become
obsolete in June 2012

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
2020-12-09 16:13:39 +00:00
Jonathan Hodgson
bf132e16c2 BIN: analyse-headers: Fix incorrect reporting of SSL issues
It turns out the SSL flags secure and httponly are not case sensitive.

https://tools.ietf.org/html/rfc6265#section-5.2.5

I cannot find any documentation about the SameSite=Strict so I will
leave it case sensitive for now. The spec for that section is here:

https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.2

Thanks <Dom Ingram> for flagging this
2020-12-09 16:08:26 +00:00
Jonathan Hodgson
69c7355225 BIN: analyse-headers: add expect-ct and start referrer-policy 2020-12-03 11:19:35 +00:00
Jonathan Hodgson
5369861bc8 BIN: Analyse-headers: Adds to description for cookie flag 2020-12-02 10:54:10 +00:00
Jonathan Hodgson
3665bb63a2 BIN: analyse-headers: fix error "wrap command not found" 2020-12-02 09:19:47 +00:00
Jonathan Hodgson
97df97a48b BIN: analyse-headers: adds feature-policy and permissions-policy checks 2020-12-02 09:11:52 +00:00
Jonathan Hodgson
afa3f3495a BIN: analyse-headers: Wrap text in descriptions
The text in descriptions is now wrapped to 80 chars. This does not
affect the headers printed at the top which are not wrapped
2020-12-02 08:32:10 +00:00
Jonathan Hodgson
fb5d25dc6c BIN: Adds SameSite check in analyse-headers script
The script will now warn you if the SameSite option is not set to Strict
on cookies.
2020-12-01 21:17:34 +00:00
Jonathan Hodgson
c384064641 BIN: Fix webtest script when : in cookies
If there was a colon in a cookie, the script would misidentify insecure
cookie configurations
2020-12-01 19:56:33 +00:00
Jonathan Hodgson
ab2c56d9b5 BIN: Adds analyse-headers script
The script is in early stages of development but should work for some of
the most common mis-configurations.
2020-12-01 18:15:01 +00:00
Jonathan Hodgson
085f17ab1f Adds scripts to help with ssl testing 2020-09-22 15:49:42 +01:00
Jonathan Hodgson
77955b1e18 Renames jwtcat to catjwt to avoid clash with 3rd party tool 2020-09-22 15:41:06 +01:00
Jonathan Hodgson
d106799a8b Creates script for printing jwt web tokens 2020-09-22 15:40:20 +01:00
Jonathan Hodgson
b19db697e8 A start to webtest script 2020-09-19 11:18:55 +01:00
Jonathan Hodgson
b4bdba9e24 Adds getpaths script 2020-07-29 17:34:17 +01:00
Jonathan Hodgson
4ac6ff54dc changed profile name to headless 2020-05-25 18:29:18 +01:00
Jonathan Hodgson
031ae34a60 Will create firefox profile 2020-05-25 18:13:43 +01:00
Jonathan Hodgson
045a120083 Adds help and checks url is given 2020-05-25 18:04:55 +01:00
Jonathan Hodgson
f0404cd7fc Makes clickjacking script look for ff dev edition 2020-05-25 17:56:29 +01:00
Jonathan Hodgson
e973957094 Adds script to make clickjacking screenshot 2020-05-25 17:48:56 +01:00
Jonathan Hodgson
55a7d2da4f Lots of bin changes 2020-01-04 13:21:05 +00:00
Jonathan Hodgson
187872ab6a Adds a script for turning an html form into a curl request 2019-12-17 12:30:12 +00:00