Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-10 10:40:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

Check if redirect is actually a secure redirect

Browse Source
This commit is contained in:
Frank Breedijk 2015-12-21 15:31:13 +01:00
parent b2e2add7f3
commit 4be1c9cb8e
2 changed files with 15 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CREDITS.md
View File

@ -68,6 +68,7 @@
* Frank Breedijk * Frank Breedijk
- JSON and CSV output - JSON and CSV output
- Warning when redirecting to an insecure URL
* Bug reports: * Bug reports:
- Viktor Szépe, Olivier Paroz, Jan H. Terstegge, Lorenz Adena, Jonathon Rossi, Stefan Stidl, Frank Breedijk - Viktor Szépe, Olivier Paroz, Jan H. Terstegge, Lorenz Adena, Jonathon Rossi, Stefan Stidl, Frank Breedijk

23
testssl.sh
View File

@ -694,44 +694,49 @@ run_http_header() {
301|302|307|308) 301|302|307|308)
redirect = $(grep -a '^Location' $HEADERFILE | sed 's/Location: //' | tr -d '\r\n') redirect = $(grep -a '^Location' $HEADERFILE | sed 's/Location: //' | tr -d '\r\n')
out ", redirecting to \"$redirect\"" out ", redirecting to \"$redirect\""
output_finding "status_code" "$NODEIP" "$PORT" "info" \ output_finding "status_code" "$NODEIP" "$PORT" "INFO" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter, redirecting to \"$redirect\"" "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter, redirecting to \"$redirect\""
if [[ -z `echo $redirect|sed -e 's/^(\/|https\:\/\/).*//'` ]]; then
output_finding "redirect" "$NODEIP" "$PORT" "INFO" "Redirect to secure url: \"$redirect\""
else
pr_litered " -- Redirect to insecure url (NOT ok)"
output_finding "redirect" "$NODEIP" "$PORT" "NOT OK" "Redirect to insecure url: \"$redirect\" (NOT ok)"
;; ;;
200) 200)
output_finding "status_code" "$NODEIP" "$PORT" "info" \ output_finding "status_code" "$NODEIP" "$PORT" "INFO" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter" "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter"
;; ;;
206) 206)
out " -- WTF?" out " -- WTF?"
output_finding "status_code" "$NODEIP" "$PORT" "info" \ output_finding "status_code" "$NODEIP" "$PORT" "INFO" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter -- WTF?" "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter -- WTF?"
;; ;;
400) 400)
pr_litemagenta " (Hint: better try another URL)" pr_litemagenta " (Hint: better try another URL)"
output_finding "status_code" "$NODEIP" "$PORT" "info" \ output_finding "status_code" "$NODEIP" "$PORT" "INFO" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter (Hint: better try another URL)" "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter (Hint: better try another URL)"
;; ;;
401) 401)
grep -aq "^WWW-Authenticate" $HEADERFILE && out " "; strip_lf "$(grep -a "^WWW-Authenticate" $HEADERFILE)" grep -aq "^WWW-Authenticate" $HEADERFILE && out " "; strip_lf "$(grep -a "^WWW-Authenticate" $HEADERFILE)"
output_finding "status_code" "$NODEIP" "$PORT" "info" \ output_finding "status_code" "$NODEIP" "$PORT" "INFO" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter $(grep -a "^WWW-Authenticate" $HEADERFILE)" "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter $(grep -a "^WWW-Authenticate" $HEADERFILE)"
;; ;;
403) 403)
output_finding "status_code" "$NODEIP" "$PORT" "info" \ output_finding "status_code" "$NODEIP" "$PORT" "INFO" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter" "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter"
;; ;;
404) 404)
out " (Hint: supply a path which doesn't give a \"$status_code$msg_thereafter\")" out " (Hint: supply a path which doesn't give a \"$status_code$msg_thereafter\")"
output_finding "status_code" "$NODEIP" "$PORT" "info" \ output_finding "status_code" "$NODEIP" "$PORT" "INFO" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter (Hint: supply a path which doesn't give a \"$status_code$msg_thereafter\")" "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter (Hint: supply a path which doesn't give a \"$status_code$msg_thereafter\")"
;; ;;
405) 405)
output_finding "status_code" "$NODEIP" "$PORT" "info" \ output_finding "status_code" "$NODEIP" "$PORT" "INFO" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter" "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter"
;; ;;
*) *)
pr_litemagenta ". Oh, didn't expect a $status_code$msg_thereafter" pr_litemagenta ". Oh, didn't expect a $status_code$msg_thereafter"
output_finding "status_code" "$NODEIP" "$PORT" "info" \ output_finding "status_code" "$NODEIP" "$PORT" "INFO" \
"Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter. Oh, didn't expect a $status_code$msg_thereafter" "Testing HTTP header response @ \"$URL_PATH\", $status_code$msg_thereafter. Oh, didn't expect a $status_code$msg_thereafter"
;; ;;
esac esac