mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-21 07:59:31 +01:00
duplicate headers fixed, #FIX 488, outstanding: proper treatment of simulatenous Public-Key-Pins|Public-Key-Pins-Report-Only
This commit is contained in:
parent
e2023f51ac
commit
19b63aa8a9
109
testssl.sh
109
testssl.sh
@ -894,28 +894,39 @@ run_http_date() {
|
|||||||
detect_ipv4
|
detect_ipv4
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# HEADERFILE needs to contain the HTTP header (made sure by invoker)
|
# HEADERFILE needs to contain the HTTP header (made sure by invoker)
|
||||||
# arg1: key=word to match
|
# arg1: key=word to match
|
||||||
# arg2: hint for fileout()
|
# arg2: hint for fileout()
|
||||||
# output: value after ":"
|
# returns:
|
||||||
|
# 0 if header not found
|
||||||
|
# 1-n nr of headers found, then in HEADERVALUE the first value from key
|
||||||
|
|
||||||
detect_headerdups() {
|
detect_header() {
|
||||||
local -i nr=$(grep -Faciw "$1:" $HEADERFILE)
|
local key="$1"
|
||||||
|
local -i nr=0
|
||||||
|
|
||||||
if [[ $nr -gt 1 ]]; then
|
nr=$(grep -Faciw "$key:" $HEADERFILE)
|
||||||
|
if [[ $nr -eq 0 ]]; then
|
||||||
|
HEADERVALUE=""
|
||||||
|
return 0
|
||||||
|
elif [[ $nr -eq 1 ]]; then
|
||||||
|
HEADERVALUE=$(grep -Faiw "$key:" $HEADERFILE | sed 's/^.*://')
|
||||||
|
return 1
|
||||||
|
else
|
||||||
pr_svrty_medium "misconfiguration: $nr headers "
|
pr_svrty_medium "misconfiguration: $nr headers "
|
||||||
pr_italic "$1"
|
pr_italic "$key"
|
||||||
out " -- checking first one "
|
out " -- checking first one "
|
||||||
out "\n$spaces"
|
out "\n$spaces"
|
||||||
# first awk matches the key, second extracts the from the first line the value, be careful with quotes here!
|
# first awk matches the key, second extracts the from the first line the value, be careful with quotes here!
|
||||||
HEADERVALUE=$(awk "/$1:/" $HEADERFILE | head -1 | awk "{ sub(/$1:/,\"\"); print }")
|
HEADERVALUE=$(grep -Faiw "$key:" $HEADERFILE | sed 's/^.*://' | head -1)
|
||||||
[[ $DEBUG -ge 2 ]] && pr_italic "$HEADERVALUE" && out "\n$spaces"
|
[[ $DEBUG -ge 2 ]] && pr_italic "$HEADERVALUE" && out "\n$spaces"
|
||||||
fileout "$2""_multiple" "WARN" "Multiple $2 headers. Using first header: $HEADERVALUE"
|
fileout "$2""_multiple" "WARN" "Multiple $2 headers. Using first header: $HEADERVALUE"
|
||||||
return 1
|
return $nr
|
||||||
fi
|
fi
|
||||||
HEADERVALUE=$(awk "/$1:/" $HEADERFILE | head -1 | awk "{ sub(/$1:/,\"\"); print }")
|
|
||||||
return 0
|
|
||||||
}
|
}
|
||||||
|
# wir brauchen hier eine Funktion, die generell den Header detectiert
|
||||||
|
|
||||||
|
|
||||||
includeSubDomains() {
|
includeSubDomains() {
|
||||||
@ -946,11 +957,10 @@ run_hsts() {
|
|||||||
if [[ ! -s $HEADERFILE ]]; then
|
if [[ ! -s $HEADERFILE ]]; then
|
||||||
run_http_header "$1" || return 3
|
run_http_header "$1" || return 3
|
||||||
fi
|
fi
|
||||||
#pr_bold " HSTS "
|
|
||||||
pr_bold " Strict Transport Security "
|
pr_bold " Strict Transport Security "
|
||||||
grep -iaw '^Strict-Transport-Security' $HEADERFILE >$TMPFILE
|
detect_header "Strict-Transport-Security" "HSTS"
|
||||||
if [[ $? -eq 0 ]]; then
|
if [[ $? -ne 0 ]]; then
|
||||||
detect_headerdups "Strict-Transport-Security" "HSTS"
|
echo "$HEADERVALUE" >$TMPFILE
|
||||||
hsts_age_sec=$(sed -e 's/[^0-9]*//g' <<< $HEADERVALUE)
|
hsts_age_sec=$(sed -e 's/[^0-9]*//g' <<< $HEADERVALUE)
|
||||||
debugme echo "hsts_age_sec: $hsts_age_sec"
|
debugme echo "hsts_age_sec: $hsts_age_sec"
|
||||||
if [[ -n $hsts_age_sec ]]; then
|
if [[ -n $hsts_age_sec ]]; then
|
||||||
@ -980,9 +990,10 @@ run_hsts() {
|
|||||||
fileout "hsts_preload" "OK" "HSTS domain is marked for preloading"
|
fileout "hsts_preload" "OK" "HSTS domain is marked for preloading"
|
||||||
else
|
else
|
||||||
fileout "hsts_preload" "INFO" "HSTS domain is NOT marked for preloading"
|
fileout "hsts_preload" "INFO" "HSTS domain is NOT marked for preloading"
|
||||||
|
#FIXME: To be checked against preloading lists,
|
||||||
|
# e.g. https://dxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.inc
|
||||||
|
# https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json
|
||||||
fi
|
fi
|
||||||
#FIXME: To be checked against e.g. https://dxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.inc
|
|
||||||
# and https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json
|
|
||||||
else
|
else
|
||||||
out "--"
|
out "--"
|
||||||
fileout "hsts" "NOT ok" "No support for HTTP Strict Transport Security"
|
fileout "hsts" "NOT ok" "No support for HTTP Strict Transport Security"
|
||||||
@ -1010,11 +1021,11 @@ run_hpkp() {
|
|||||||
pr_bold " Public Key Pinning "
|
pr_bold " Public Key Pinning "
|
||||||
egrep -aiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE
|
egrep -aiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE
|
||||||
if [[ $? -eq 0 ]]; then
|
if [[ $? -eq 0 ]]; then
|
||||||
detect_headerdups "Public-Key-Pins" "HPKP"
|
detect_header "Public-Key-Pins" "HPKP"
|
||||||
hpkp_header=$HEADERVALUE
|
hpkp_header=$HEADERVALUE
|
||||||
|
|
||||||
#FIXME: we should treat report_only maybe seperately
|
#FIXME: we should treat report_only seperately
|
||||||
detect_headerdups "Public-Key-Pins-Report-Only" "HPKP_report_only"
|
detect_header "Public-Key-Pins-Report-Only" "HPKP_report_only"
|
||||||
hpkp_header+="$HEADERVALUE "
|
hpkp_header+="$HEADERVALUE "
|
||||||
|
|
||||||
# remove leading Public-Key-Pins*, any colons, double quotes and trailing spaces and taking the first -- whatever that is
|
# remove leading Public-Key-Pins*, any colons, double quotes and trailing spaces and taking the first -- whatever that is
|
||||||
@ -1296,50 +1307,44 @@ run_more_flags() {
|
|||||||
if [[ ! -s $HEADERFILE ]]; then
|
if [[ ! -s $HEADERFILE ]]; then
|
||||||
run_http_header "$1" || return 3
|
run_http_header "$1" || return 3
|
||||||
fi
|
fi
|
||||||
|
|
||||||
pr_bold " Security headers "
|
pr_bold " Security headers "
|
||||||
# convert spaces to | (for egrep)
|
for f2t in $good_flags2test; do
|
||||||
egrep_pattern=$(echo "$good_flags2test $other_flags2test"| sed -e 's/ /|\^/g' -e 's/^/\^/g')
|
debugme echo "---> $f2t"
|
||||||
egrep -ai "$egrep_pattern" $HEADERFILE >$TMPFILE
|
detect_header $f2t $f2t
|
||||||
if [[ $? -ne 0 ]]; then
|
if [[ $? -ge 1 ]]; then
|
||||||
outln "--"
|
|
||||||
fileout "sec_headers" "WARN" "No security (or other interesting) headers detected"
|
|
||||||
ret=1
|
|
||||||
else
|
|
||||||
ret=0
|
|
||||||
for f2t in $good_flags2test; do
|
|
||||||
debugme echo "---> $f2t"
|
|
||||||
result_str=$(grep -wi "^$f2t" $TMPFILE | grep -vi "$f2t"-)
|
|
||||||
result_str=$(strip_lf "$result_str")
|
|
||||||
[[ -z "$result_str" ]] && continue
|
|
||||||
if ! "$first"; then
|
if ! "$first"; then
|
||||||
out "$spaces" # output leading spaces if the first header
|
out "$spaces" # output leading spaces if the first header
|
||||||
else
|
else
|
||||||
first=false
|
first=false
|
||||||
fi
|
fi
|
||||||
# extract and print key(=flag) in green:
|
pr_done_good "$f2t"; outln "$HEADERVALUE"
|
||||||
pr_done_good "${result_str%%:*}:"
|
fileout "$f2t" "OK" "$f2t: $HEADERVALUE"
|
||||||
#pr_done_good "$(sed 's/:.*$/:/' <<< "$result_str")"
|
fi
|
||||||
# print value in plain text:
|
done
|
||||||
outln "${result_str#*:}"
|
|
||||||
fileout "${result_str%%:*}" "OK" "${result_str%%:*}: ${result_str#*:}"
|
for f2t in $other_flags2test; do
|
||||||
done
|
debugme echo "---> $f2t"
|
||||||
# now the same with other flags
|
detect_header $f2t $f2t
|
||||||
for f2t in $other_flags2test; do
|
if [[ $? -ge 1 ]]; then
|
||||||
result_str=$(grep -i "^$f2t" $TMPFILE)
|
if ! "$first"; then
|
||||||
[[ -z "$result_str" ]] && continue
|
|
||||||
if ! $first; then
|
|
||||||
out "$spaces" # output leading spaces if the first header
|
out "$spaces" # output leading spaces if the first header
|
||||||
else
|
else
|
||||||
first=false
|
first=false
|
||||||
fi
|
fi
|
||||||
# extract and print key(=flag) underlined
|
pr_litecyan "$f2t"; outln "$HEADERVALUE"
|
||||||
pr_litecyan "${result_str%%:*}:"
|
fileout "$f2t" "WARN" "$f2t: $HEADERVALUE"
|
||||||
# print value in plain text:
|
fi
|
||||||
outln "${result_str#*:}"
|
done
|
||||||
fileout "${result_str%%:*}" "WARN" "${result_str%%:*}: ${result_str#*:}"
|
#TODO: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall" or Access-Control-Allow-Origin: *
|
||||||
done
|
|
||||||
|
if "$first"; then
|
||||||
|
pr_svrty_mediumln "--"
|
||||||
|
fileout "sec_headers" "MEDIUM" "No security (or other interesting) headers detected"
|
||||||
|
ret=1
|
||||||
|
else
|
||||||
|
ret=0
|
||||||
fi
|
fi
|
||||||
#TODO: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall"
|
|
||||||
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return $ret
|
return $ret
|
||||||
@ -8886,4 +8891,4 @@ fi
|
|||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.554 2016/10/02 16:15:12 dirkw Exp $
|
# $Id: testssl.sh,v 1.555 2016/10/03 16:52:47 dirkw Exp $
|
||||||
|
Loading…
Reference in New Issue
Block a user