Commit graph

23 commits

Author SHA1 Message Date
Jonathan Hodgson
b943a3e03b Fixes bug where it would try and test an empty line
Thanks Rob Norman for reporting and helping debug.
2021-04-09 11:45:05 +01:00
Jonathan Hodgson
c6a0909917 BIN: analyse-headers: Will attempt to decode F5 Cookies
Thanks <Huw Edwards> for the idea and help implementing it.
2021-03-31 11:12:05 +01:00
Jonathan Hodgson
4d99c42607 The recommended value for x-xss-protection is now 0
The script will now recommend x-xss-protection is set to 0, in line with
the recommendation made by owasp.

https://owasp.org/www-project-secure-headers/#x-xss-protection
2021-03-24 13:48:07 +00:00
Jonathan Hodgson
30dd026965 BIN: analyse-headers: bug fixes
A couple of bug fixes, removed some unnecesary echos and fixed crash if
name is too long to fit in the heading box
2021-01-25 11:14:57 +00:00
Jonathan Hodgson
349963cdad BIN: fix csp check in analyse-headers
the csp function didn't correctly return 1 when a missconfigured csp was
found
2021-01-11 14:09:40 +00:00
Jonathan Hodgson
3f01926ab6 Improve handling of CSP
Although I'd like to re-do the csp handling, this change fixes the
detection of unsafe-inline and unsafe-eval.
2021-01-11 12:16:18 +00:00
Jonathan Hodgson
e77aa36e70 Makes detection of x-frame-options value case insensitive
In other words, sameorigin == SAMEORIGIN == saMeOriGIN

This is in line with the spec for the header:

https://tools.ietf.org/html/rfc7034
2021-01-11 12:07:07 +00:00
Jonathan Hodgson
909a6e5e3c BIN: analyse-headers: improve expect-ct description 2020-12-11 15:38:28 +00:00
Jonathan Hodgson
b49d000408 BIN: analyse-headers: Checks the access-control-allow-origin header
Another suggestion by <Dom Ingram>.

For more details on the null issue, read here:
https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null
2020-12-11 15:26:32 +00:00
Jonathan Hodgson
f669880037 BIN: analyse-headers: fix most shellcheck warnings
The only checks I haven't fixed are the unused variables for colours. I
may use them in the future so haven't removed them
2020-12-11 15:01:53 +00:00
Jonathan Hodgson
2e1dff91a3 BIN: analyse-headers: note on x-frame-options if frame-ancestors present
If the frame-ancestors content security policy is present, the
x-frame-options warning mentions that the content security helps
mitigate against clickjacking although for greater browser support,
x-frame-options should also be used

Thanks <Dom Ingram> for the suggestion
2020-12-09 16:39:11 +00:00
Jonathan Hodgson
1fabc27b79 BIN: analyse-headers: Adds generic version disclosure function
if the header contains the word "version" (case insensitively) it will
flag it as potential information disclosure

Thanks <Dom Ingram> for the suggestion
2020-12-09 16:26:47 +00:00
Jonathan Hodgson
27b9af6327 BIN: analyse-headers: read from stdin if first arg is -
This makes testing much easier
2020-12-09 16:24:59 +00:00
Jonathan Hodgson
039f4e2270 BIN: analyse-headers: Add more notes to expect-ct description
As pointed out by <Dom Ingram>, the expect-ct is likely to become
obsolete in June 2012

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
2020-12-09 16:13:39 +00:00
Jonathan Hodgson
bf132e16c2 BIN: analyse-headers: Fix incorrect reporting of SSL issues
It turns out the SSL flags secure and httponly are not case sensitive.

https://tools.ietf.org/html/rfc6265#section-5.2.5

I cannot find any documentation about the SameSite=Strict so I will
leave it case sensitive for now. The spec for that section is here:

https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.2

Thanks <Dom Ingram> for flagging this
2020-12-09 16:08:26 +00:00
Jonathan Hodgson
69c7355225 BIN: analyse-headers: add expect-ct and start referrer-policy 2020-12-03 11:19:35 +00:00
Jonathan Hodgson
5369861bc8 BIN: Analyse-headers: Adds to description for cookie flag 2020-12-02 10:54:10 +00:00
Jonathan Hodgson
3665bb63a2 BIN: analyse-headers: fix error "wrap command not found" 2020-12-02 09:19:47 +00:00
Jonathan Hodgson
97df97a48b BIN: analyse-headers: adds feature-policy and permissions-policy checks 2020-12-02 09:11:52 +00:00
Jonathan Hodgson
afa3f3495a BIN: analyse-headers: Wrap text in descriptions
The text in descriptions is now wrapped to 80 chars. This does not
affect the headers printed at the top which are not wrapped
2020-12-02 08:32:10 +00:00
Jonathan Hodgson
fb5d25dc6c BIN: Adds SameSite check in analyse-headers script
The script will now warn you if the SameSite option is not set to Strict
on cookies.
2020-12-01 21:17:34 +00:00
Jonathan Hodgson
c384064641 BIN: Fix webtest script when : in cookies
If there was a colon in a cookie, the script would misidentify insecure
cookie configurations
2020-12-01 19:56:33 +00:00
Jonathan Hodgson
ab2c56d9b5 BIN: Adds analyse-headers script
The script is in early stages of development but should work for some of
the most common mis-configurtaions.
2020-12-01 18:15:01 +00:00