* NEW: cookie flags (experimental) [URL is missing]

* FIX: 30x handling for http_header (hint for final URL if stalled)
* FIX: proper display of app-banners if >1
This commit is contained in:
Dirk 2015-01-14 09:48:44 +01:00
parent 44d8f67998
commit 3d81a7b5ec


@ -14,7 +14,7 @@ VERSION="2.3dev" # any char suffixes denotes non=stable
SWURL="https://testssl.sh" SWURL="https://testssl.sh"
SWCONTACT="dirk aet testssl dot sh" SWCONTACT="dirk aet testssl dot sh"
# Author: Dirk Wetter, copyleft: 2007-2014, contributions so far see CREDIT.md # Author: Dirk Wetter, copyleft: 2007-2015, contributions so far see CREDIT.md
# #
# License: GPLv2, see http://www.fsf.org/licensing/licenses/info/GPLv2.html # License: GPLv2, see http://www.fsf.org/licensing/licenses/info/GPLv2.html
# and accompanying license "LICENSE.txt". Redistribution + modification under this # and accompanying license "LICENSE.txt". Redistribution + modification under this
@ -34,7 +34,7 @@ SWCONTACT="dirk aet testssl dot sh"
# Q: So what's the difference between https://www.ssllabs.com/ssltest or # Q: So what's the difference between https://www.ssllabs.com/ssltest or
# https://sslcheck.globalsign.com/? # https://sslcheck.globalsign.com/?
# A: As of now ssllabs only check webservers on standard ports, reachable from # A: As of now ssllabs only check webservers on standard ports, reachable from
# the internet. And those are 3rd parties. If those four restrictions are fine # the internet. And the two above are 3rd parties. If those restrictions are fine
# with you, they might tell you more than this tool -- as of now. # with you, they might tell you more than this tool -- as of now.
# Note that for "standard" openssl binaries a lot of features (ciphers, protocols, vulnerabilities) # Note that for "standard" openssl binaries a lot of features (ciphers, protocols, vulnerabilities)
@ -44,7 +44,7 @@ SWCONTACT="dirk aet testssl dot sh"
# following variables make use of $ENV, e.g. OPENSSL=<myprivate_path_to_openssl> ./testssl.sh <host> # following variables make use of $ENV, e.g. OPENSSL=<myprivate_path_to_openssl> ./testssl.sh <host>
CAPATH="${CAPATH:-/etc/ssl/certs/}" # same as previous. Doing nothing yet. FC has only a CA bundle per default, ==> openssl version -d CAPATH="${CAPATH:-/etc/ssl/certs/}" # Does nothing yet. FC has only a CA bundle per default, ==> openssl version -d
ECHO="/usr/bin/printf --" # works under Linux, BSD, MacOS. ECHO="/usr/bin/printf --" # works under Linux, BSD, MacOS.
COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all
SHOW_LOC_CIPH=${SHOW_LOC_CIPH}=0 # determines whether the client side ciphers are displayed at all (makes no sense normally) SHOW_LOC_CIPH=${SHOW_LOC_CIPH}=0 # determines whether the client side ciphers are displayed at all (makes no sense normally)
@ -82,7 +82,7 @@ OSSL_VER_APPENDIX="none"
NODEIP="" NODEIP=""
IPS="" IPS=""
SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP? SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP?
HEADER_MAXSLEEP=4 # we wait this long before killing the process to retrieve a service banner / http header HEADER_MAXSLEEP=${HEADER_MAXSLEEP:-3} # we wait this long before killing the process to retrieve a service banner / http header
NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1" NPN_PROTOs="spdy/4a2,spdy/3,spdy/3.1,spdy/2,spdy/1,http/1.1"
RUN_DIR=`dirname $0` RUN_DIR=`dirname $0`
@ -349,11 +349,11 @@ poodle() {
return $ret return $ret
} }
#problems not handled: chunked, 302 #problems not handled: chunked
http_header() { http_header() {
[ -z "$1" ] && url="/" [ -z "$1" ] && url="/" || url="$1"
if [ $SNEAKY -eq 0 ] ; then if [ $SNEAKY -eq 0 ] ; then
referer="Referer: " referer="Referer: http://google.com/"
useragent="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" useragent="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
else else
referer="Referer: TLS/SSL-Tester from $SWURL" referer="Referer: TLS/SSL-Tester from $SWURL"
@ -363,8 +363,9 @@ http_header() {
$OPENSSL s_client -quiet -connect $NODEIP:$PORT $SNI << EOF $OPENSSL s_client -quiet -connect $NODEIP:$PORT $SNI << EOF
GET $url HTTP/1.1 GET $url HTTP/1.1
Host: $NODE Host: $NODE
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.7,de-de;q=0.3
$useragent $useragent
Accept-Language: en-US,en
$referer $referer
Connection: close Connection: close
@ -378,8 +379,13 @@ EOF
mv $HEADERFILE.2 $HEADERFILE # sed'ing in place doesn't work with BSD and Linux simultaneously mv $HEADERFILE.2 $HEADERFILE # sed'ing in place doesn't work with BSD and Linux simultaneously
ret=0 ret=0
else else
magenta " header request stalled"
egrep -wq "301|302|^Location" $HEADERFILE
if [ $? -eq 0 ]; then
redir2=`grep '^Location' $HEADERFILE | sed 's/Location: //' | tr -d '\r\n'`
outln " (30x to $redir2, tried this URL?)"
fi
[[ $DEBUG -eq 0 ]] && rm $HEADERFILE.2 $HEADERFILE 2>/dev/null [[ $DEBUG -eq 0 ]] && rm $HEADERFILE.2 $HEADERFILE 2>/dev/null
magentaln " Test failed (requsting header stalled)"
ret=3 ret=3
fi fi
return $ret return $ret
@ -395,7 +401,7 @@ includeSubDomains() {
#FIXME: it doesn't follow a 30x. At least a path should be possible to provide #FIXME: it doesn't follow a 30x. At least a path should be possible to provide
hsts() { hsts() {
bold " HSTS " bold " HSTS "
if [ ! -s $HEADERFILE ] ; then if [ ! -s $HEADERFILE ] ; then
http_header || return 3 http_header || return 3
fi fi
@ -420,7 +426,7 @@ hsts() {
} }
hpkp() { hpkp() {
bold " HPKP " bold " HPKP "
if [ ! -s $HEADERFILE ] ; then if [ ! -s $HEADERFILE ] ; then
http_header || return 3 http_header || return 3
fi fi
@ -448,7 +454,7 @@ hpkp() {
#FIXME: once checkcert.sh is here: fingerprints! #FIXME: once checkcert.sh is here: fingerprints!
serverbanner() { serverbanner() {
bold " Server " bold " Server "
if [ ! -s $HEADERFILE ] ; then if [ ! -s $HEADERFILE ] ; then
http_header || return 3 http_header || return 3
fi fi
@ -465,36 +471,54 @@ serverbanner() {
outln "(None, interesting!)" outln "(None, interesting!)"
fi fi
bold " Application" bold " Application "
# examples: php.net, asp.net , www.regonline.com # examples: php.net, asp.net , www.regonline.com
egrep -i '^X-Powered-By|^X-AspNet-Version|^X-Runtime|^X-Version' $HEADERFILE >$TMPFILE egrep -i '^X-Powered-By|^X-AspNet-Version|^X-Runtime|^X-Version' $HEADERFILE >$TMPFILE
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
#cat $TMPFILE | sed 's/^.*:/:/' | sed -e :a -e '$!N;s/\n:/ \n\ +/;ta' -e 'P;D' | sed 's/://g' #cat $TMPFILE | sed 's/^.*:/:/' | sed -e :a -e '$!N;s/\n:/ \n\ +/;ta' -e 'P;D' | sed 's/://g'
cat $TMPFILE | sed 's/^/ /' sed 's/^/ /g' $TMPFILE | tr -t '\n\r' ' '
outln
#i=0
#cat $TMPFILE | sed 's/^/ /' | while read line; do
# out "$line"
# if [[ $i -eq 0 ]] ; then
# out " "
# i=1
# fi
#done
else else
litegrey " (None, checked \"/\")" litegreyln " (None, checked \"/\")"
fi fi
outln
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
return $? return $?
} }
#dead function as of now #dead function as of now
secure_cookie() { # ARG1: Path cookieflags() { # ARG1: Path, ARG2: path
if [ -s $HEADERFILE ] ; then bold " Cookie(s) "
http_header || return 3 if [ ! -s $HEADERFILE ] ; then
http_header "$1" || return 3
fi fi
grep -i '^Set-Cookie' $HEADERFILE >$TMPFILE grep -i '^Set-Cookie' $HEADERFILE >$TMPFILE
# lines!
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
outln "Cookie issued, status: " out $(wc -l $TMPFILE)
out ": "
if grep -q -i secure $TMPFILE; then if grep -q -i secure $TMPFILE; then
litegreenln "Secure Flag" litegreen "Secure, "
echo $TMPFILE
else else
outln "no secure flag" out "NOT secure, "
fi fi
if grep -q -i httponly $TMPFILE; then
litegreen "HttpOnly "
else
out "NOT HttpOnly"
fi
else
out "none issued"
fi fi
outln
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
return 0 return 0
@ -2213,6 +2237,8 @@ case "$1" in
ret=$? ret=$?
serverbanner serverbanner
ret=`expr $? + $ret` ret=`expr $? + $ret`
cookieflags
ret=`expr $? + $ret`
else else
litemagentaln " Wrong usage: You're not targetting a HTTP service" litemagentaln " Wrong usage: You're not targetting a HTTP service"
ret=2 ret=2
@ -2253,6 +2279,6 @@ case "$1" in
exit $ret ;; exit $ret ;;
esac esac
# $Id: testssl.sh,v 1.164 2015/01/08 13:16:21 dirkw Exp $ # $Id: testssl.sh,v 1.165 2015/01/14 08:48:02 dirkw Exp $
# vim:ts=5:sw=5 # vim:ts=5:sw=5
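Review bot: In cookieflags() the Secure and HttpOnly verdicts come from a single `grep -q -i secure $TMPFILE` / `grep -q -i httponly $TMPFILE` over all Set-Cookie lines, so with more than one cookie a single flagged cookie makes every cookie report as Secure, and the unanchored, case-insensitive `secure` also matches a cookie name or value such as `insecure_id=`. Counting matches per line with the attribute anchored on the `;` separator (the `[[:space:]]*` before the end anchor also swallows a trailing CR if the header file still carries one) gives a per-cookie result that can be compared against the number of cookies. `out $(wc -l $TMPFILE)` additionally prints the temp file's path next to the count; `grep -c '' $TMPFILE` yields the bare number. The closing brace of cookieflags() lies outside the hunk.
```shell
	grep -i '^Set-Cookie' $HEADERFILE >$TMPFILE
	if [ $? -eq 0 ]; then
		nr_cookies=$(grep -c '' $TMPFILE)
		# anchor on the attribute separator so a cookie name/value containing "secure" doesn't count
		nr_secure=$(grep -ci ';[[:space:]]*secure[[:space:]]*\(;\|$\)' $TMPFILE)
		nr_httponly=$(grep -ci ';[[:space:]]*httponly[[:space:]]*\(;\|$\)' $TMPFILE)
		out "$nr_cookies: "
		if [ "$nr_secure" -eq "$nr_cookies" ]; then
			litegreen "Secure, "
		else
			out "NOT secure ($nr_secure/$nr_cookies), "
		fi
		if [ "$nr_httponly" -eq "$nr_cookies" ]; then
			litegreen "HttpOnly "
		else
			out "NOT HttpOnly ($nr_httponly/$nr_cookies)"
		fi
	else
		# … unchanged: "none issued" branch, outln, tmpfile_handle …
```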