Jonathan Hodgson
dac2ea8b45
BIN: analyse-headers: adds -k flag like curl
...
This flag will prevent curl from doing certificate checks
The long form, `--insecure`, can also be used
Thanks Rob Norman for the suggestion
2021-04-09 11:55:47 +01:00
Jonathan Hodgson
298493d691
Fixes bug where it would try and test an empty line
...
Thanks Rob Norman for reporting and helping debug.
2021-04-09 11:45:05 +01:00
Jonathan Hodgson
5832de6742
BIN: analyse-headers: Will attempt to decode F5 Cookies
...
Thanks <Huw Edwards> for the idea and help implementing it.
2021-03-31 11:12:05 +01:00
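The F5 cookie decoding mentioned in commit 5832de6742, as an added shell example (not the analyse-headers script's own code). It handles the classic BIG-IP persistence cookie format `<ip>.<port>.0000`, where the first number is the pool member's IPv4 address stored as a little-endian 32-bit integer and the second is the port with its two bytes swapped; the cookie name prefix `BIGipServer` and the sample Set-Cookie line are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the dotfiles repository. Decodes the plain BIG-IP
# persistence cookie value "<ip>.<port>.0000" into "a.b.c.d:port".
#   ip   = IPv4 address as a 32-bit integer, least significant byte first
#   port = TCP port with its two bytes swapped
decode_f5_cookie() {
  local raw="$1" ip port
  ip=${raw%%.*}
  port=${raw#*.}; port=${port%%.*}
  # Both fields must be plain decimal numbers in range; anything else
  # (encrypted or IPv6 variants of the cookie) is rejected rather than guessed.
  case "$ip$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$ip" -le 4294967295 ] && [ "$port" -le 65535 ] || return 1
  printf '%d.%d.%d.%d:%d\n' \
    $(( ip & 255 )) $(( (ip >> 8) & 255 )) $(( (ip >> 16) & 255 )) $(( ip >> 24 )) \
    $(( ((port & 255) << 8) | (port >> 8) ))
}

# Scan raw response headers on stdin for BIGipServer* cookies (assumed name
# prefix) and report the backend each one discloses.
decode_f5_from_headers() {
  sed -n 's/^[Ss][Ee][Tt]-[Cc][Oo][Oo][Kk][Ii][Ee]: *\(BIGipServer[^=]*\)=\([^;]*\).*/\1 \2/p' |
  while read -r name value; do
    if dec=$(decode_f5_cookie "$value"); then
      echo "$name discloses backend $dec"
    else
      echo "$name: not the plain ip.port.0000 format (encrypted or IPv6 variants are not handled)"
    fi
  done
}

# Usage on a live target (needs network; -k as in commit dac2ea8b45):
#   curl -sk -D - -o /dev/null https://target/ | decode_f5_from_headers
# Constructed sample, not captured from any real host:
printf 'Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/\n' | decode_f5_from_headers
```

The sample value 1677787402.36895.0000 decodes to 10.1.1.100:8080, which is the kind of internal address and service port a tester wants to record as evidence of infrastructure disclosure.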
Jonathan Hodgson
3e50eebfe3
adds getnpmversion
2021-03-31 09:44:50 +01:00
Jonathan Hodgson
a683e57409
The recommended value for x-xss-protection is now 0
...
The script will now recommend x-xss-protection is set to 0, in line with
the recommendation made by OWASP.
https://owasp.org/www-project-secure-headers/#x-xss-protection
2021-03-24 13:48:07 +00:00
Jonathan Hodgson
f7919d0053
Bin: fixes the lucky13 check
...
It apparently works with any cbc cipher and doesn't require tls1
2021-02-13 20:11:16 +00:00
Jonathan Hodgson
ba2b85b2cd
BIN: analyse-headers: bug fixes
...
A couple of bug fixes, removed some unnecessary echos and fixed crash if
name is too long to fit in the heading box
2021-01-25 11:14:57 +00:00
Jonathan Hodgson
15b18a4a0a
BIN: Adds lucky13 to verifySSL
2021-01-13 16:39:34 +00:00
Jonathan Hodgson
c1ba95117a
BIN: Small adjustments to verifySSL
...
The script now prepends the command that is echoed with a $ in order to
indicate it is a command that is run
Also stops the script showing each cipher that is tested
2021-01-13 16:30:33 +00:00
Jonathan Hodgson
4c2f3dbc4d
BIN: adds sweet32 test to verifySSL
2021-01-13 16:27:59 +00:00
Jonathan Hodgson
a4dc363ee6
BIN: makes the verifySSL print progress messages to stderr
...
I chose to do this because I want to be able to pipe stdout to a file
and use it as evidence. I don't need the progress for that
2021-01-13 16:21:01 +00:00
Jonathan Hodgson
961f7797a7
BIN: starts verifySSL script
...
This will evolve to become a script that can be used to verify the
findings of a tool like testssl
Currently only supports "beast"
2021-01-13 16:09:28 +00:00
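The verifySSL commits above (961f7797a7, 4c2f3dbc4d, 15b18a4a0a, f7919d0053, c1ba95117a, a4dc363ee6) describe a script that re-tests beast, sweet32 and lucky13 findings, echoes each command prefixed with `$` as evidence, and sends progress to stderr. The following is an added shell example of that design, not the verifySSL script itself: it selects candidate cipher suites from `openssl ciphers -v` output (the excerpt embedded here is constructed in that column layout, not real output) and probes each one with `openssl s_client`. The `candidates`, `probe` and `verify` function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not the verifySSL script from the repository.

# Constructed excerpt in the column layout of `openssl ciphers -v`; not real output.
sample_ciphers() {
  cat <<'EOF'
TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any  Au=any Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128)            Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256)               Mac=SHA384
ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(128)               Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)              Mac=SHA1
RC4-SHA                     SSLv3   Kx=RSA  Au=RSA Enc=RC4(128)               Mac=SHA1
EOF
}

# Reads `openssl ciphers -v` lines on stdin and prints the suite names worth
# probing for check $1:
#   beast   - CBC suites, probed with -tls1 because BEAST needs the TLS 1.0 /
#             SSL 3.0 chained-IV CBC construction
#   lucky13 - every CBC (MAC-then-encrypt) suite, whatever the protocol version
#   sweet32 - 64-bit block ciphers: 3DES, DES, IDEA, RC2
candidates() {
  local check="$1" name proto kx au enc mac rest
  while read -r name proto kx au enc mac rest; do
    [ -n "$name" ] || continue
    case "$check" in
      beast|lucky13)
        case "$mac" in Mac=AEAD) continue ;; esac           # GCM / ChaCha20-Poly1305 are not CBC
        case "$enc" in Enc=RC4*|Enc=None*) continue ;; esac # stream cipher or null cipher, not CBC
        echo "$name" ;;
      sweet32)
        case "$enc" in Enc=3DES*|Enc=DES*|Enc=IDEA*|Enc=RC2*) echo "$name" ;; esac ;;
      *) echo "unknown check: $check" >&2; return 1 ;;
    esac
  done
}

# Probe one suite against host:port. The exact command goes to stdout with a
# "$ " prefix so redirected stdout reads as evidence; progress goes to stderr.
# Needs network access and an openssl build that still offers -tls1 for beast.
probe() {
  local host="$1" port="$2" check="$3" cipher="$4" opts=""
  [ "$check" = beast ] && opts="-tls1"
  echo "Testing $cipher ..." >&2
  echo "\$ openssl s_client -connect $host:$port $opts -cipher $cipher </dev/null"
  if openssl s_client -connect "$host:$port" $opts -cipher "$cipher" </dev/null 2>/dev/null |
       grep -q "^ *Cipher *: *$cipher\$"; then
    echo "NEGOTIATED $cipher ($check)"
  else
    echo "rejected $cipher"
  fi
}

# usage: verify host port beast|lucky13|sweet32  > evidence.txt
verify() {
  openssl ciphers -v 'ALL:COMPLEMENTOFALL' | candidates "$3" | while read -r c; do
    probe "$1" "$2" "$3" "$c"
  done
}
```

Because the protocol column of `openssl ciphers -v` is only the minimum version a suite exists in, `candidates` keys beast and lucky13 off the MAC/encryption columns rather than that column, and `probe` forces TLS 1.0 for beast; a suite that negotiates under lucky13 but is rejected under beast tells you the server allows CBC but not TLS 1.0.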
Jonathan Hodgson
6dad0bf8ab
BIN: fix csp check in analyse-headers
...
the csp function didn't correctly return 1 when a misconfigured csp was
found
2021-01-11 14:09:40 +00:00
Jonathan Hodgson
e94ba0b5b2
Improve handling of CSP
...
Although I'd like to re-do the csp handling, this change fixes the
detection of unsafe-inline and unsafe-eval.
2021-01-11 12:16:18 +00:00
Jonathan Hodgson
b8f104fd00
Makes detection of x-frame-options value case insensitive
...
In other words, sameorigin == SAMEORIGIN == saMeOriGIN
This is in line with the spec for the header:
https://tools.ietf.org/html/rfc7034
2021-01-11 12:07:07 +00:00
Jonathan Hodgson
6feffc731b
BIN: analyse-headers: improve expect-ct description
2020-12-11 15:38:28 +00:00
Jonathan Hodgson
41fd57310a
BIN: analyse-headers: Checks the access-control-allow-origin header
...
Another suggestion by <Dom Ingram>.
For more details on the null issue, read here:
https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null
2020-12-11 15:26:32 +00:00
Jonathan Hodgson
984298b29b
BIN: analyse-headers: fix most shellcheck warnings
...
The only checks I haven't fixed are the unused variables for colours. I
may use them in the future so haven't removed them
2020-12-11 15:01:53 +00:00
Jonathan Hodgson
6ac052cd39
BIN: analyse-headers: note on x-frame-options if frame-ancestors present
...
If the frame-ancestors content security policy is present, the
x-frame-options warning mentions that the content security policy helps
mitigate against clickjacking although for greater browser support,
x-frame-options should also be used
Thanks <Dom Ingram> for the suggestion
2020-12-09 16:39:11 +00:00
Jonathan Hodgson
1b42f81f47
BIN: analyse-headers: Adds generic version disclosure function
...
if the header contains the word "version" (case insensitively) it will
flag it as potential information disclosure
Thanks <Dom Ingram> for the suggestion
2020-12-09 16:26:47 +00:00
Jonathan Hodgson
e247c85bc9
BIN: analyse-headers: read from stdin if first arg is -
...
This makes testing much easier
2020-12-09 16:24:59 +00:00
Jonathan Hodgson
cad2f2d2d5
BIN: analyse-headers: Add more notes to expect-ct description
...
As pointed out by <Dom Ingram>, the expect-ct is likely to become
obsolete in June 2012
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
2020-12-09 16:13:39 +00:00
Jonathan Hodgson
7ea1e9a964
BIN: analyse-headers: Fix incorrect reporting of SSL issues
...
It turns out the SSL flags secure and httponly are not case sensitive.
https://tools.ietf.org/html/rfc6265#section-5.2.5
I cannot find any documentation about SameSite=Strict, so I will
leave it case sensitive for now. The spec for that section is here:
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.2
Thanks <Dom Ingram> for flagging this
2020-12-09 16:08:26 +00:00
Jonathan Hodgson
7a7ffc608d
BIN: analyse-headers: add expect-ct and start referrer-policy
2020-12-03 11:19:35 +00:00
Jonathan Hodgson
3ce547a0b2
BIN: Analyse-headers: Adds to description for cookie flag
2020-12-02 10:54:10 +00:00
Jonathan Hodgson
fb5774a584
BIN: analyse-headers: fix error "wrap command not found"
2020-12-02 09:19:47 +00:00
Jonathan Hodgson
9ef36af8f7
BIN: analyse-headers: adds feature-policy and permissions-policy checks
2020-12-02 09:11:52 +00:00
Jonathan Hodgson
61097006a4
BIN: analyse-headers: Wrap text in descriptions
...
The text in descriptions is now wrapped to 80 chars. This does not
affect the headers printed at the top which are not wrapped
2020-12-02 08:32:10 +00:00
Jonathan Hodgson
af81ccd62e
BIN: Adds SameSite check in analyse-headers script
...
The script will now warn you if the SameSite option is not set to Strict
on cookies.
2020-12-01 21:17:34 +00:00
Jonathan Hodgson
1f29c17ab5
BIN: Fix webtest script when : in cookies
...
If there was a colon in a cookie, the script would misidentify insecure
cookie configurations
2020-12-01 19:56:33 +00:00
Jonathan Hodgson
a3f75d9b32
BIN: Adds analyse-headers script
...
The script is in early stages of development but should work for some of
the most common misconfigurations.
2020-12-01 18:15:01 +00:00
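The checks described across the analyse-headers commits above (cookie flags matched case-insensitively per RFC 6265 in 7ea1e9a964, SameSite=Strict in af81ccd62e, case-insensitive x-frame-options in b8f104fd00, unsafe-inline/unsafe-eval in e94ba0b5b2, the frame-ancestors note in 6ac052cd39, the null access-control-allow-origin in 41fd57310a, the generic "version" disclosure check in 1b42f81f47, x-xss-protection 0 in a683e57409, reading from stdin, skipping empty lines in 298493d691, and cookie values containing ':' in 1f29c17ab5) as one added shell example. This is not the analyse-headers script's own code; the function names, finding wording and the sample response headers are mine, and one deliberate difference is that the SameSite value is compared case-insensitively here.

```shell
#!/usr/bin/env bash
# Added example, not the analyse-headers script. Reads raw HTTP response
# headers on stdin and prints one finding per line on stdout.

lc()   { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# RFC 6265 s5.2: attribute names match case-insensitively, so "secure",
# "SECURE" and "Secure" are all the Secure flag. Only the first ';'-separated
# field is name=value; its value may itself contain ':' or '='.
check_cookie() {
  local cookie="$1" name attrs attr secure=0 httponly=0 samesite="" oldifs
  name=${cookie%%=*}
  attrs=${cookie#*;}
  [ "$attrs" = "$cookie" ] && attrs=""
  oldifs=$IFS; IFS=';'; set -f; set -- $attrs; set +f; IFS=$oldifs
  for attr in "$@"; do
    attr=$(lc "$(trim "$attr")")
    case "$attr" in
      secure)     secure=1 ;;
      httponly)   httponly=1 ;;
      samesite=*) samesite=$(trim "${attr#samesite=}") ;;
    esac
  done
  [ $secure -eq 1 ]   || echo "cookie $name: missing Secure flag"
  [ $httponly -eq 1 ] || echo "cookie $name: missing HttpOnly flag"
  # Assumption of this example: the SameSite value is compared case-insensitively.
  [ "$samesite" = "strict" ] || echo "cookie $name: SameSite is '${samesite:-unset}', expected Strict"
}

analyse_headers() {
  local line name value xfo_seen=0 frame_ancestors=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')
    case "$line" in ''|HTTP/*) continue ;; esac   # blank lines and the status line
    case "$line" in *:*) ;; *) continue ;; esac   # not a header at all
    name=$(lc "${line%%:*}")                     # split on the FIRST colon only
    value=$(trim "${line#*:}")
    # Generic check: any header mentioning "version" is potential disclosure.
    case "$(lc "$line")" in *version*) echo "potential version disclosure: $line" ;; esac
    case "$name" in
      set-cookie) check_cookie "$value" ;;
      x-frame-options)
        xfo_seen=1
        case "$(lc "$value")" in
          deny|sameorigin) ;;                    # RFC 7034 values, case-insensitive
          *) echo "x-frame-options: unexpected value '$value'" ;;
        esac ;;
      content-security-policy)
        case "$(lc "$value")" in *unsafe-inline*)   echo "csp: allows 'unsafe-inline'" ;; esac
        case "$(lc "$value")" in *unsafe-eval*)     echo "csp: allows 'unsafe-eval'" ;; esac
        case "$(lc "$value")" in *frame-ancestors*) frame_ancestors=1 ;; esac ;;
      access-control-allow-origin)
        [ "$(lc "$value")" != "null" ] ||
          echo "access-control-allow-origin: 'null' is the origin of sandboxed frames and data: URLs; never return it" ;;
      x-xss-protection)
        [ "$value" = "0" ] || echo "x-xss-protection: is '$value', OWASP now recommends 0" ;;
    esac
  done
  if [ $xfo_seen -eq 0 ]; then
    if [ $frame_ancestors -eq 1 ]; then
      echo "x-frame-options: missing (CSP frame-ancestors mitigates clickjacking, but set X-Frame-Options too for wider browser support)"
    else
      echo "x-frame-options: missing"
    fi
  fi
}

# Constructed sample response, not captured from any real host.
sample_headers() {
  cat <<'EOF'
HTTP/1.1 200 OK
X-Powered-By: PHP version 7.4.3
Set-Cookie: session=abc123; Path=/; secure; HTTPONLY; SameSite=Lax
Set-Cookie: tracker=x:y; Path=/
X-Frame-Options: saMeOriGIN
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'
Access-Control-Allow-Origin: null
X-XSS-Protection: 1; mode=block
EOF
}

sample_headers | analyse_headers
```

Against a live target the same function takes `curl -sk -D - -o /dev/null https://target/ | analyse_headers` (`-k` as in commit dac2ea8b45). Splitting each header on the first colon only is what keeps `tracker=x:y` from being misread, and the saMeOriGIN line produces no finding because the value comparison is lowercased first.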
Jonathan Hodgson
ad03136de5
Adds scripts to help with ssl testing
2020-09-22 15:49:42 +01:00
Jonathan Hodgson
af04f665cd
Renames jwtcat to catjwt to avoid clash with 3rd party tool
2020-09-22 15:41:06 +01:00
Jonathan Hodgson
c5fd08bb76
Creates script for printing jwt web tokens
2020-09-22 15:40:20 +01:00
Jonathan Hodgson
3ba3ca03b5
A start to webtest script
2020-09-19 11:18:55 +01:00
Jonathan Hodgson
74578ef182
Adds getpaths script
2020-07-29 17:34:17 +01:00
Jonathan Hodgson
b8fad36f8d
changed profile name to headless
2020-05-25 18:29:18 +01:00
Jonathan Hodgson
34ea59f0f6
Will create firefox profile
2020-05-25 18:13:43 +01:00
Jonathan Hodgson
c21d54d9a4
Adds help and checks url is given
2020-05-25 18:04:55 +01:00
Jonathan Hodgson
518d11f4ce
Makes clickjacking script look for ff dev edition
2020-05-25 17:56:29 +01:00
Jonathan Hodgson
45ac26d2d7
Adds script to make clickjacking screenshot
2020-05-25 17:48:56 +01:00
Jonathan Hodgson
121798e075
Lots of bin changes
2020-01-04 13:21:05 +00:00
Jonathan Hodgson
a01077a8e9
Adds a script for turning an html form into a curl request
2019-12-17 12:30:12 +00:00