Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-30 21:35:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Changed parameter to --reqheader for custom HTTP headers.

Browse Source
This commit is contained in:
tosticated
2020-12-25 20:10:02 +01:00
parent 1473cdf02d
commit 351f36c943
5 changed files with 15 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG.md
View File

@@ -28,7 +28,7 @@
* Added --overwrite argument to support overwriting output files without warning * Added --overwrite argument to support overwriting output files without warning
* Headerflag X-XSS-Protection is now labeled as INFO * Headerflag X-XSS-Protection is now labeled as INFO
* Client simulation runs in wide mode which is even better readable * Client simulation runs in wide mode which is even better readable
* Added --customhttpheader to support custom headers in HTTP requests * Added --reqheader to support custom headers in HTTP requests
### Features implemented / improvements in 3.0 ### Features implemented / improvements in 3.0

2
doc/testssl.1
View File

@@ -137,7 +137,7 @@ Please note that \fBfname\fR has to be in Unix format\. DOS carriage returns won
\fB\-\-basicauth <user:pass>\fR This can be set to provide HTTP basic auth credentials which are used during checks for security headers\. BASICAUTH is the ENV variable you can use instead\. \fB\-\-basicauth <user:pass>\fR This can be set to provide HTTP basic auth credentials which are used during checks for security headers\. BASICAUTH is the ENV variable you can use instead\.
. .
.P .P
\fB\-\-customhttpheader <header>\fR This can be used to add additional HTTP request headers in the correct format \fBHeadername: headercontent\fR\. This parameter can be called multiple times if required\. For example: \fB\-\-customhttpheader \'Proxy\-Authorization: Basic dGVzdHNzbDpydWxlcw==\' \-\-customhttpheader \'ClientID: 0xDEADBEAF\'\fR\. CUSTOMHTTPHEADER is the corresponding environment variable\. \fB\-\-reqheader <header>\fR This can be used to add additional HTTP request headers in the correct format \fBHeadername: headercontent\fR\. This parameter can be called multiple times if required\. For example: \fB\-\-reqheader \'Proxy\-Authorization: Basic dGVzdHNzbDpydWxlcw==\' \-\-reqheader \'ClientID: 0xDEADBEAF\'\fR\. REQHEADER is the corresponding environment variable\.
. .
.SS "SPECIAL INVOCATIONS" .SS "SPECIAL INVOCATIONS"
\fB\-t <protocol>, \-\-starttls <protocol>\fR does a default run against a STARTTLS enabled \fBprotocol\fR\. \fBprotocol\fR must be one of \fBftp\fR, \fBsmtp\fR, \fBpop3\fR, \fBimap\fR, \fBxmpp\fR, \fBxmpp-server\fR, \fBtelnet\fR, \fBldap\fR, \fBirc\fR, \fBlmtp\fR, \fBnntp\fR, \fBpostgres\fR, \fBmysql\fR\. For the latter four you need e\.g\. the supplied OpenSSL or OpenSSL version 1\.1\.1\. Please note: MongoDB doesn\'t offer a STARTTLS connection, LDAP currently only works with \fB\-\-ssl\-native\fR\. \fBtelnet\fR and \fBirc\fR is WIP\. \fB\-t <protocol>, \-\-starttls <protocol>\fR does a default run against a STARTTLS enabled \fBprotocol\fR\. \fBprotocol\fR must be one of \fBftp\fR, \fBsmtp\fR, \fBpop3\fR, \fBimap\fR, \fBxmpp\fR, \fBxmpp-server\fR, \fBtelnet\fR, \fBldap\fR, \fBirc\fR, \fBlmtp\fR, \fBnntp\fR, \fBpostgres\fR, \fBmysql\fR\. For the latter four you need e\.g\. the supplied OpenSSL or OpenSSL version 1\.1\.1\. Please note: MongoDB doesn\'t offer a STARTTLS connection, LDAP currently only works with \fB\-\-ssl\-native\fR\. \fBtelnet\fR and \fBirc\fR is WIP\.

2
doc/testssl.1.html
View File

@@ -187,7 +187,7 @@ The same can be achieved by setting the environment variable <code>WARNINGS</cod
<p><code>--basicauth &lt;user:pass&gt;</code> This can be set to provide HTTP basic auth credentials which are used during checks for security headers. BASICAUTH is the ENV variable you can use instead.</p> <p><code>--basicauth &lt;user:pass&gt;</code> This can be set to provide HTTP basic auth credentials which are used during checks for security headers. BASICAUTH is the ENV variable you can use instead.</p>
<p><code>--customhttpheader &lt;header&gt;</code> This can be used to add additional HTTP request headers in the correct format <code>Headername: headercontent</code>. This parameter can be called multiple times if required. For example: <code>--customhttpheader &#39;Proxy-Authorization: Basic dGVzdHNzbDpydWxlcw==&#39; --customhttpheader &#39;ClientID: 0xDEADBEAF&#39;</code>. CUSTOMHTTPHEADER is the corresponding environment variable.</p> <p><code>--reqheader &lt;header&gt;</code> This can be used to add additional HTTP request headers in the correct format <code>Headername: headercontent</code>. This parameter can be called multiple times if required. For example: <code>--reqheader &#39;Proxy-Authorization: Basic dGVzdHNzbDpydWxlcw==&#39; --reqheader &#39;ClientID: 0xDEADBEAF&#39;</code>. REQHEADER is the corresponding environment variable.</p>
<h3 id="SPECIAL-INVOCATIONS">SPECIAL INVOCATIONS</h3> <h3 id="SPECIAL-INVOCATIONS">SPECIAL INVOCATIONS</h3>

2
doc/testssl.1.md
View File

@@ -110,7 +110,7 @@ The same can be achieved by setting the environment variable `WARNINGS`.
`--basicauth <user:pass>` This can be set to provide HTTP basic auth credentials which are used during checks for security headers. BASICAUTH is the ENV variable you can use instead. `--basicauth <user:pass>` This can be set to provide HTTP basic auth credentials which are used during checks for security headers. BASICAUTH is the ENV variable you can use instead.
`--customhttpheader <header>` This can be used to add additional HTTP request headers in the correct format `Headername: headercontent`. This parameter can be called multiple times if required. For example: `--customhttpheader 'Proxy-Authorization: Basic dGVzdHNzbDpydWxlcw==' --customhttpheader 'ClientID: 0xDEADBEAF'`. CUSTOMHTTPHEADER is the corresponding environment variable. `--reqheader <header>` This can be used to add additional HTTP request headers in the correct format `Headername: headercontent`. This parameter can be called multiple times if required. For example: `--reqheader 'Proxy-Authorization: Basic dGVzdHNzbDpydWxlcw==' --reqheader 'ClientID: 0xDEADBEAF'`. REQHEADER is the corresponding environment variable.
### SPECIAL INVOCATIONS ### SPECIAL INVOCATIONS

22
testssl.sh
View File

@@ -162,7 +162,7 @@ QUIET=${QUIET:-false} # don't output the banner. By doing this
SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native" SSL_NATIVE=${SSL_NATIVE:-false} # we do per default bash sockets where possible "true": switch back to "openssl native"
ASSUME_HTTP=${ASSUME_HTTP:-false} # in seldom cases (WAF, old servers, grumpy SSL) service detection fails. "True" enforces HTTP checks ASSUME_HTTP=${ASSUME_HTTP:-false} # in seldom cases (WAF, old servers, grumpy SSL) service detection fails. "True" enforces HTTP checks
BASICAUTH=${BASICAUTH:-""} # HTTP basic auth credentials can be set here like user:pass BASICAUTH=${BASICAUTH:-""} # HTTP basic auth credentials can be set here like user:pass
CUSTOMHTTPHEADER=${CUSTOMHTTPHEADER:-""} # HTTP custom request header can be set here like Header: content. Can be used multiple times. REQHEADER=${REQHEADER:-""} # HTTP custom request header can be set here like Header: content. Can be used multiple times.
BUGS=${BUGS:-""} # -bugs option from openssl, needed for some BIG IP F5 BUGS=${BUGS:-""} # -bugs option from openssl, needed for some BIG IP F5
WARNINGS=${WARNINGS:-""} # can be either off or batch WARNINGS=${WARNINGS:-""} # can be either off or batch
DEBUG=${DEBUG:-0} # 1: normal output the files in /tmp/ are kept for further debugging purposes DEBUG=${DEBUG:-0} # 1: normal output the files in /tmp/ are kept for further debugging purposes
@@ -374,7 +374,7 @@ TLS_NOW="" # Similar
TLS_DIFFTIME_SET=false # Tells TLS functions to measure the TLS difftime or not TLS_DIFFTIME_SET=false # Tells TLS functions to measure the TLS difftime or not
NOW_TIME="" NOW_TIME=""
HTTP_TIME="" HTTP_TIME=""
CUSTOMHTTPHEADERS=() REQHEADERS=()
GET_REQ11="" GET_REQ11=""
START_TIME=0 # time in epoch when the action started START_TIME=0 # time in epoch when the action started
END_TIME=0 # .. ended END_TIME=0 # .. ended
@@ -19250,7 +19250,7 @@ tuning / connect options (most also can be preset via environment variables):
--phone-out allow to contact external servers for CRL download and querying OCSP responder --phone-out allow to contact external servers for CRL download and querying OCSP responder
--add-ca <CA files|CA dir> path to <CAdir> with *.pem or a comma separated list of CA files to include in trust check --add-ca <CA files|CA dir> path to <CAdir> with *.pem or a comma separated list of CA files to include in trust check
--basicauth <user:pass> provide HTTP basic auth information. --basicauth <user:pass> provide HTTP basic auth information.
--customhttpheader <header> add custom http request headers --reqheader <header> add custom http request headers
output options (can also be preset via environment variables): output options (can also be preset via environment variables):
--quiet don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner --quiet don't output the banner. By doing this you acknowledge usage terms normally appearing in the banner
@@ -19403,7 +19403,7 @@ SHOW_EACH_C: $SHOW_EACH_C
SSL_NATIVE: $SSL_NATIVE SSL_NATIVE: $SSL_NATIVE
ASSUME_HTTP $ASSUME_HTTP ASSUME_HTTP $ASSUME_HTTP
BASICAUTH: $BASICAUTH BASICAUTH: $BASICAUTH
CUSTOMHTTPHEADER: $CUSTOMHTTPHEADER REQHEADER: $REQHEADER
SNEAKY: $SNEAKY SNEAKY: $SNEAKY
OFFENSIVE: $OFFENSIVE OFFENSIVE: $OFFENSIVE
PHONE_OUT: $PHONE_OUT PHONE_OUT: $PHONE_OUT
@@ -20527,7 +20527,7 @@ determine_service() {
local ua local ua
local protocol local protocol
local basicauth_header="" local basicauth_header=""
local customhttpheader="" local reqheader=""
# Check if we can connect to $NODEIP:$PORT. Attention: This ALWAYS uses sockets. Thus timeouts for --ssl-=native do not apply # Check if we can connect to $NODEIP:$PORT. Attention: This ALWAYS uses sockets. Thus timeouts for --ssl-=native do not apply
if ! fd_socket 5; then if ! fd_socket 5; then
@@ -20555,10 +20555,10 @@ determine_service() {
if [[ -n "$BASICAUTH" ]]; then if [[ -n "$BASICAUTH" ]]; then
basicauth_header="Authorization: Basic $(safe_echo "$BASICAUTH" | $OPENSSL base64 2>/dev/null)\r\n" basicauth_header="Authorization: Basic $(safe_echo "$BASICAUTH" | $OPENSSL base64 2>/dev/null)\r\n"
fi fi
if [[ -n "$CUSTOMHTTPHEADERS" ]]; then if [[ -n "$REQHEADERS" ]]; then
customhttpheader="$(join_by "\r\n" "${CUSTOMHTTPHEADERS[@]}")\r\n" #Add all required custom http headers to one string with newlines reqheader="$(join_by "\r\n" "${REQHEADERS[@]}")\r\n" #Add all required custom http headers to one string with newlines
fi fi
GET_REQ11="GET $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\n${basicauth_header}${customhttpheader}Accept-Encoding: identity\r\nAccept: text/*\r\nConnection: Close\r\n\r\n" GET_REQ11="GET $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\n${basicauth_header}${reqheader}Accept-Encoding: identity\r\nAccept: text/*\r\nConnection: Close\r\n\r\n"
# returns always 0: # returns always 0:
service_detection $OPTIMAL_PROTO service_detection $OPTIMAL_PROTO
else # STARTTLS else # STARTTLS
@@ -22210,10 +22210,10 @@ parse_cmd_line() {
BASICAUTH="$(parse_opt_equal_sign "$1" "$2")" BASICAUTH="$(parse_opt_equal_sign "$1" "$2")"
[[ $? -eq 0 ]] && shift [[ $? -eq 0 ]] && shift
;; ;;
--customhttpheader|--customhttpheader=*) --reqheader|--reqheader=*)
CUSTOMHTTPHEADER="$(parse_opt_equal_sign "$1" "$2")" REQHEADER="$(parse_opt_equal_sign "$1" "$2")"
[[ $? -eq 0 ]] && shift [[ $? -eq 0 ]] && shift
CUSTOMHTTPHEADERS+=("$CUSTOMHTTPHEADER") REQHEADERS+=("$REQHEADER")
;; ;;
(--) shift (--) shift
break break