First attempt to create a JSON file. Incomplete

Frank Breedijk 2015-12-10 10:44:03 +01:00
parent b97788ba73
commit 36043ad925


@ -145,6 +145,7 @@ DEBUG=${DEBUG:-0} # 1.: the temp files won't be erased.
# 4: display bytes sent via sockets, 5: display bytes received via sockets, 6: whole 9 yards # 4: display bytes sent via sockets, 5: display bytes received via sockets, 6: whole 9 yards
WIDE=${WIDE:-false} # whether to display for some options the cipher or the table with hexcode/KX,Enc,strength etc. WIDE=${WIDE:-false} # whether to display for some options the cipher or the table with hexcode/KX,Enc,strength etc.
LOGFILE=${LOGFILE:-""} # logfile if used LOGFILE=${LOGFILE:-""} # logfile if used
JSONFILE="testssl.json" # jsonfile if used
HAS_IPv6=${HAS_IPv6:-false} # if you have OPENSSL with IPv6 support AND IPv6 networking set it to yes and testssl.sh works! HAS_IPv6=${HAS_IPv6:-false} # if you have OPENSSL with IPv6 support AND IPv6 networking set it to yes and testssl.sh works!
# tuning vars, can not be set by a cmd line switch # tuning vars, can not be set by a cmd line switch
@ -226,6 +227,7 @@ GET_REQ11=""
HEAD_REQ10="" HEAD_REQ10=""
readonly UA_STD="TLS tester from $SWURL" readonly UA_STD="TLS tester from $SWURL"
readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0" readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0"
FIRST_FINDING=true # Is this the first finding we are outputting to file?
# Devel stuff, see -q below # Devel stuff, see -q below
TLS_LOW_BYTE="" TLS_LOW_BYTE=""
@ -418,6 +420,36 @@ set_color_functions() {
fi fi
} }
open_json_file() {
if $do_json; then
echo "[" > $JSONFILE
fi
}
close_json_file() {
if $do_json; then
echo "]" >> $JSONFILE
fi
}
output_finding() { # ID, IP, PORT, SEVERITY, FINDING
if $do_json; then
if ! $FIRST_FINDING; then
echo "," >> $JSONFILE
fi
echo "
{
'id' : '$1',
'ip' : '$2',
'port' : '$3',
'severity' : '$4',
'finding' : '$5'
}" >> $JSONFILE
fi
if $FIRST_FINDING; then
FIRST_FINDING=false
fi
}
###### helper function definitions ###### ###### helper function definitions ######
@ -577,21 +609,26 @@ runs_HTTP() {
case $SERVICE in case $SERVICE in
HTTP) HTTP)
out " $SERVICE" out " $SERVICE"
output_finding "service" "$NODEIP" "$PORT" "info" "Service detected: $SERVICE"
ret=0 ;; ret=0 ;;
IMAP|POP|SMTP|NNTP) IMAP|POP|SMTP|NNTP)
out " $SERVICE, thus skipping HTTP specific checks" out " $SERVICE, thus skipping HTTP specific checks"
output_finding "service" "$NODEIP" "$PORT" "info" "Service detected: $SERVICE, thus skipping HTTP specific checks"
ret=0 ;; ret=0 ;;
*) if $CLIENT_AUTH; then *) if $CLIENT_AUTH; then
out "certificate based authentication => skipping all HTTP checks" out "certificate based authentication => skipping all HTTP checks"
echo "certificate based authentication => skipping all HTTP checks" >$TMPFILE echo "certificate based authentication => skipping all HTTP checks" >$TMPFILE
output_finding "client_auth" "$NODEIP" "$PORT" "warn" "certificate based authentication => skipping all HTTP checks"
else else
out " Couldn't determine what's running on port $PORT" out " Couldn't determine what's running on port $PORT"
if $ASSUMING_HTTP; then if $ASSUMING_HTTP; then
SERVICE=HTTP SERVICE=HTTP
out " -- ASSUMING_HTTP set though" out " -- ASSUMING_HTTP set though"
output_finding "service" "$NODEIP" "$PORT" "warn" "Couldn't determine service, --ASSUMING_HTTP set"
ret=0 ret=0
else else
out ", assuming no HTTP service => skipping all HTTP checks" out ", assuming no HTTP service => skipping all HTTP checks"
output_finding "service" "$NODEIP" "$PORT" "warn" "Couldn't determine service, skipping all HTTP checks"
ret=1 ret=1
fi fi
fi fi
@ -657,21 +694,52 @@ run_http_header() {
out " $status_code$msg_thereafter" out " $status_code$msg_thereafter"
case $status_code in case $status_code in
301|302|307|308) 301|302|307|308)
redirect=$(grep -a '^Location' $HEADERFILE | sed 's/Location: //' | tr -d '\r\n') redirect = $(grep -a '^Location' $HEADERFILE | sed 's/Location: //' | tr -d '\r\n')
out ", redirecting to \"$redirect"\" out ", redirecting to \"$redirect\""
if [[ $redirect == "http://"* ]]; then if [[ $redirect != "https://"* ]]; then
pr_litered " -- Redirect to insecure URL (NOT ok)" pr_litered " -- Redirect to insecure URL (NOT ok)"
output_finding "status_code" "$NODEIP" "$PORT" "NOT OK" \, "Redirect to insecure URL (NOT ok). Url: \"$redirect\""
fi fi
output_finding "status_code" "$NODEIP" "$PORT" "info" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter, redirecting to \"$redirect\""
;; ;;
200) ;; 200)
206) out " -- WTF?" ;; output_finding "status_code" "$NODEIP" "$PORT" "info" \
400) pr_litemagenta " (Hint: better try another URL)" ;; "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter"
401) grep -aq "^WWW-Authenticate" $HEADERFILE && out " "; strip_lf "$(grep -a "^WWW-Authenticate" $HEADERFILE)" ;;
206)
out " -- WTF?"
output_finding "status_code" "$NODEIP" "$PORT" "info" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter -- WTF?"
;;
400)
pr_litemagenta " (Hint: better try another URL)"
output_finding "status_code" "$NODEIP" "$PORT" "info" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter (Hint: better try another URL)"
;;
401)
grep -aq "^WWW-Authenticate" $HEADERFILE && out " "; strip_lf "$(grep -a "^WWW-Authenticate" $HEADERFILE)"
output_finding "status_code" "$NODEIP" "$PORT" "info" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter $(grep -a "^WWW-Authenticate" $HEADERFILE)"
;;
403)
output_finding "status_code" "$NODEIP" "$PORT" "info" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter"
;;
404)
out " (Hint: supply a path which doesn't give a \"$status_code$msg_thereafter\")"
output_finding "status_code" "$NODEIP" "$PORT" "info" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter (Hint: supply a path which doesn't give a \"$status_code$msg_thereafter\")"
;;
405)
output_finding "status_code" "$NODEIP" "$PORT" "info" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter"
;;
*)
pr_litemagenta ". Oh, didn't expect a $status_code$msg_thereafter"
output_finding "status_code" "$NODEIP" "$PORT" "info" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter. Oh, didn't expect a $status_code$msg_thereafter"
;; ;;
403) ;;
404) out " (Hint: supply a path which doesn't give a \"$status_code$msg_thereafter\")" ;;
405) ;;
*) pr_litemagenta ". Oh, didn't expect a $status_code$msg_thereafter";;
esac esac
outln outln
@ -687,6 +755,7 @@ detect_ipv4() {
local result local result
local first=true local first=true
local spaces=" " local spaces=" "
local count
if [[ ! -s $HEADERFILE ]]; then if [[ ! -s $HEADERFILE ]]; then
run_http_header "$1" || return 3 run_http_header "$1" || return 3
@ -696,6 +765,7 @@ detect_ipv4() {
# also facebook has a CSP rule for 127.0.0.1 # also facebook has a CSP rule for 127.0.0.1
if egrep -vi "pagespeed|page-speed|Content-Security-Policy" $HEADERFILE | grep -iqE "$ipv4address"; then if egrep -vi "pagespeed|page-speed|Content-Security-Policy" $HEADERFILE | grep -iqE "$ipv4address"; then
pr_bold " IPv4 address in header " pr_bold " IPv4 address in header "
count=0
while read line; do while read line; do
result="$(grep -E "$ipv4address" <<< "$line")" result="$(grep -E "$ipv4address" <<< "$line")"
result=$(strip_lf "$result") result=$(strip_lf "$result")
@ -708,7 +778,9 @@ detect_ipv4() {
fi fi
pr_litered "$result" pr_litered "$result"
outln "\n$spaces$your_ip_msg" outln "\n$spaces$your_ip_msg"
output_finding "ip_in_header_$count" "$NODEIP" "$PORT" "NOT OK" "IPv4 address in header $result $your_ip_msg"
fi fi
count=$count+1
done < $HEADERFILE done < $HEADERFILE
fi fi
} }
@ -736,8 +808,10 @@ run_http_date() {
# process was killed, so we need to add an error: # process was killed, so we need to add an error:
[[ $HAD_SLEPT -ne 0 ]] && difftime="$difftime (± 1.5)" [[ $HAD_SLEPT -ne 0 ]] && difftime="$difftime (± 1.5)"
out "$difftime sec from localtime"; out "$difftime sec from localtime";
output_finding "http_clock_skew" "$NODEIP" "$PORT" "INFO" "HTTP clock skew $difftime sec from localtime"
else else
out "Got no HTTP time, maybe try different URL?"; out "Got no HTTP time, maybe try different URL?";
output_finding "http_clock_skew" "$NODEIP" "$PORT" "INFO" "HTTP clock skew not measured. Got no HTTP time, maybe try different URL?"
fi fi
debugme out ", epoch: $HTTP_TIME" debugme out ", epoch: $HTTP_TIME"
fi fi
@ -4603,7 +4677,7 @@ EOF
#' Fix syntax highlight on sublime #' Fix syntax highlight on sublime
exit $1 exit $1
} }
#' Do not break syntax highlighting in Sublime
maketempf() { maketempf() {
TEMPDIR=$(mktemp -d /tmp/ssltester.XXXXXX) || exit -6 TEMPDIR=$(mktemp -d /tmp/ssltester.XXXXXX) || exit -6
@ -5399,6 +5473,7 @@ initialize_globals() {
do_mx_all_ips=false do_mx_all_ips=false
do_mass_testing=false do_mass_testing=false
do_logging=false do_logging=false
do_json=false
do_pfs=false do_pfs=false
do_protocols=false do_protocols=false
do_rc4=false do_rc4=false
@ -5714,6 +5789,15 @@ parse_cmd_line() {
[[ $? -eq 0 ]] && shift [[ $? -eq 0 ]] && shift
do_logging=true do_logging=true
;; ;;
--json)
do_json=true
;; # DEFINITION of JSONFILE is not arg specified via ENV or automagically in parse_hn_ports()
# following does the same but we can specify a log location additionally
--jsonfile=*)
JSONFILE=$(parse_opt_equal_sign "$1" "$2")
[[ $? -eq 0 ]] && shift
do_json=true
;;
--openssl|--openssl=*) --openssl|--openssl=*)
OPENSSL=$(parse_opt_equal_sign "$1" "$2") OPENSSL=$(parse_opt_equal_sign "$1" "$2")
[[ $? -eq 0 ]] && shift [[ $? -eq 0 ]] && shift
@ -5778,6 +5862,7 @@ reset_hostdepended_vars() {
OPTIMAL_PROTO="" OPTIMAL_PROTO=""
} }
lets_roll() { lets_roll() {
local ret local ret
@ -5857,8 +5942,9 @@ maketempf
mybanner mybanner
check_proxy check_proxy
openssl_age openssl_age
open_json_file
# TODO: it's ugly to have those two vars here --> main() # TODO: it is ugly to have those two vars here --> main()
ret=0 ret=0
ip="" ip=""
@ -5902,6 +5988,8 @@ else
fi fi
fi fi
close_json_file
exit $? exit $?
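Review bot: The new `output_finding` (added after `set_color_functions`) pastes its five arguments between single quotes, so the result is not valid JSON and nothing is escaped. Several of the new call sites pass text that comes from the scanned server: the `Location` value in the redirect findings, the `WWW-Authenticate` line in the 401 case, and the matched header line in `detect_ipv4`. A quote, backslash or line break in such a header can therefore break the document or add fields that a consumer of the report would read as genuine findings. Keys and values should be double-quoted, with backslash, double quote and control characters escaped before writing, and `$JSONFILE` should be quoted in every redirection, including those in `open_json_file` and `close_json_file`. The sketch below shows one way to do this with a small helper.

```shell
# Escape backslash and double quote, and drop control characters;
# several findings carry header values chosen by the scanned server.
json_escape() {
     local s=$1
     s=${s//\\/\\\\}
     s=${s//\"/\\\"}
     printf '%s' "$s" | tr -d '\000-\037'
}

output_finding() {         # ID, IP, PORT, SEVERITY, FINDING
     if $do_json; then
          $FIRST_FINDING || echo "," >> "$JSONFILE"
          printf '{"id":"%s","ip":"%s","port":"%s","severity":"%s","finding":"%s"}\n' \
               "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" \
               "$(json_escape "$4")" "$(json_escape "$5")" >> "$JSONFILE"
     fi
     FIRST_FINDING=false
}
```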