Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 05:45:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

NEW: added security headers

Browse Source
This commit is contained in:
Dirk
2015-04-02 13:04:57 +02:00
parent 8da96f78f2
commit 2cc56c4d1f
1 changed files with 47 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
testssl.sh
View File

@@ -453,7 +453,7 @@ hsts() {
if [ ! -s $HEADERFILE ] ; then if [ ! -s $HEADERFILE ] ; then
http_header "$1" || return 3 http_header "$1" || return 3
fi fi
pr_bold " HSTS " pr_bold " HSTS "
grep -iaw '^Strict-Transport-Security' $HEADERFILE >$TMPFILE grep -iaw '^Strict-Transport-Security' $HEADERFILE >$TMPFILE
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
grep -aciw '^Strict-Transport-Security' $HEADERFILE | egrep -wq "1" || out "(two HSTS header, using 1st one) " grep -aciw '^Strict-Transport-Security' $HEADERFILE | egrep -wq "1" || out "(two HSTS header, using 1st one) "
@@ -486,7 +486,7 @@ hpkp() {
if [ ! -s $HEADERFILE ] ; then if [ ! -s $HEADERFILE ] ; then
http_header "$1" || return 3 http_header "$1" || return 3
fi fi
pr_bold " HPKP " pr_bold " HPKP "
egrep -aiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE egrep -aiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
egrep -aciw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE | egrep -wq "1" || out "(two HPKP header, using 1st one) " egrep -aciw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE | egrep -wq "1" || out "(two HPKP header, using 1st one) "
@@ -535,7 +535,7 @@ serverbanner() {
if [ ! -s $HEADERFILE ] ; then if [ ! -s $HEADERFILE ] ; then
http_header "$1" || return 3 http_header "$1" || return 3
fi fi
pr_bold " Server " pr_bold " Server "
grep -ai '^Server' $HEADERFILE >$TMPFILE grep -ai '^Server' $HEADERFILE >$TMPFILE
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
serverbanner=$(sed -e 's/^Server: //' -e 's/^server: //' $TMPFILE) serverbanner=$(sed -e 's/^Server: //' -e 's/^server: //' $TMPFILE)
@@ -556,10 +556,12 @@ applicationbanner() {
if [ ! -s $HEADERFILE ] ; then if [ ! -s $HEADERFILE ] ; then
http_header "$1" || return 3 http_header "$1" || return 3
fi fi
pr_bold " Application " pr_bold " Application "
# examples: dev.testssl.sh, php.net, asp.net , www.regonline.com # examples: dev.testssl.sh, php.net, asp.net , www.regonline.com
egrep -ai '^X-Powered-By|^X-AspNet-Version|^X-Runtime|^X-Version' $HEADERFILE >$TMPFILE egrep -ai '^X-Powered-By|^X-AspNet-Version|^X-Runtime|^X-Version' $HEADERFILE >$TMPFILE
if [ $? -eq 0 ]; then if [ $? -ne 0 ]; then
outln " (no banner at \"$url\")"
else
#cat $TMPFILE | sed 's/^.*:/:/' | sed -e :a -e '$!N;s/\n:/ \n\ +/;ta' -e 'P;D' | sed 's/://g' #cat $TMPFILE | sed 's/^.*:/:/' | sed -e :a -e '$!N;s/\n:/ \n\ +/;ta' -e 'P;D' | sed 's/://g'
#sed 's/^/ /g' $TMPFILE | tr -t '\n\r' ' ' | sed "s/\([0-9]\)/$pr_red\1$off/g" #sed 's/^/ /g' $TMPFILE | tr -t '\n\r' ' ' | sed "s/\([0-9]\)/$pr_red\1$off/g"
emphasize_numbers_in_headers "$(sed 's/^/ /g' $TMPFILE | tr -t '\n\r' ' ')" emphasize_numbers_in_headers "$(sed 's/^/ /g' $TMPFILE | tr -t '\n\r' ' ')"
@@ -571,8 +573,6 @@ applicationbanner() {
# i=1 # i=1
# fi # fi
#done #done
else
outln " (no banner at \"$url\")"
fi fi
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
@@ -583,7 +583,7 @@ cookieflags() { # ARG1: Path, ARG2: path
if [ ! -s $HEADERFILE ] ; then if [ ! -s $HEADERFILE ] ; then
http_header "$1" || return 3 http_header "$1" || return 3
fi fi
pr_bold " Cookie(s) " pr_bold " Cookie(s) "
grep -ai '^Set-Cookie' $HEADERFILE >$TMPFILE grep -ai '^Set-Cookie' $HEADERFILE >$TMPFILE
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
nr_cookies=$(wc -l < $TMPFILE) nr_cookies=$(wc -l < $TMPFILE)
@@ -611,8 +611,41 @@ cookieflags() { # ARG1: Path, ARG2: path
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
return 0 return 0
} }
#FIXME: Access-Control-Allow-Origin, CSP, Upgrade, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options
# https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
moreflags() {
local flags2test="Access-Control-Allow-Origin Upgrade X-Frame-Options X-XSS-Protection X-Content-Type-Options Via Content-Security-Policy X-Content-Security-Policy X-WebKit-CSP"
local egrep_pattern=""
local f2t result_str
local blanks=" "
if [ ! -s $HEADERFILE ] ; then
http_header "$1" || return 3
fi
pr_bold " Security headers "
egrep_pattern=$(echo $flags2test| sed -e 's/ /|\^/g' -e 's/^/\^/g')
egrep -ai $egrep_pattern $HEADERFILE >$TMPFILE
if [ $? -ne 0 ]; then
outln " (none at \"$url\")"
ret=1
else
ret=0
first=true
for f2t in $flags2test; do
result_str=$(grep "^$f2t" $TMPFILE)
[ -z "$result_str" ] && continue
if $first; then
pr_litegreenln "$result_str"
first=false
else
out "$blanks"; pr_litegreenln "$result_str"
fi
done
fi
tmpfile_handle $FUNCNAME.txt
return $ret
}
# #1: string with 2 opensssl codes, HEXC= same in NSS/ssllab terminology # #1: string with 2 opensssl codes, HEXC= same in NSS/ssllab terminology
@@ -3030,6 +3063,8 @@ case "$1" in
ret=$(($? + ret)) ret=$(($? + ret))
applicationbanner "$URL_PATH" applicationbanner "$URL_PATH"
ret=$(($? + ret)) ret=$(($? + ret))
moreflags "$URL_PATH"
ret=$(($? + ret))
cookieflags "$URL_PATH" cookieflags "$URL_PATH"
ret=$(($? + ret)) ret=$(($? + ret))
else else
@@ -3066,6 +3101,7 @@ case "$1" in
hpkp "$URL_PATH" ; ret=$(($? + ret)) hpkp "$URL_PATH" ; ret=$(($? + ret))
serverbanner "$URL_PATH" ; ret=$(($? + ret)) serverbanner "$URL_PATH" ; ret=$(($? + ret))
applicationbanner "$URL_PATH" ; ret=$(($? + ret)) applicationbanner "$URL_PATH" ; ret=$(($? + ret))
moreflags "$URL_PATH" ; ret=$(($? + ret))
cookieflags "$URL_PATH" ; ret=$(($? + ret)) cookieflags "$URL_PATH" ; ret=$(($? + ret))
fi fi
@@ -3086,5 +3122,5 @@ case "$1" in
esac esac
# $Id: testssl.sh,v 1.218 2015/04/02 10:19:22 dirkw Exp $ # $Id: testssl.sh,v 1.219 2015/04/02 11:04:56 dirkw Exp $
# vim:ts=5:sw=5 # vim:ts=5:sw=5