Redirect test that doesn't depend om JSON/CSV output

2025-10-31 05:45:26 +01:00 · 2015-12-21 20:59:40 +01:00
parent bac7cde3bd
commit 826ac43504
2 changed files with 11 additions and 1 deletions
--- a/CREDITS.md
+++ b/CREDITS.md
@@ -66,6 +66,9 @@
 * Dmitri S
 - inspiration & help for Darwin port

+* Frank Breedijk
+ - Detection of insecure redirect
+
 * Bug reports:
  - Viktor Szépe, Olivier Paroz, Jan H. Terstegge, Lorenz Adena, Jonathon Rossi, Stefan Stidl

--- a/testssl.sh
+++ b/testssl.sh
@@ -643,7 +643,14 @@ run_http_header() {

     out "  $status_code$msg_thereafter" 
     case $status_code in
-          301|302|307|308)    out ", redirecting to \"$(grep -a '^Location' $HEADERFILE | sed 's/Location: //' | tr -d '\r\n')\"" ;;
+          301|302|307|308)    
+               out ", redirecting to \"$(grep -a '^Location' $HEADERFILE | sed 's/Location: //' | tr -d '\r\n')\"" 
+               if [[ ( $redirect == https* ) || ( $redirect == /* ) ]]; then
+                    # Ok
+               else
+                    pr_litered " -- Redirect to insecure url (NOT ok)"
+               fi
+               ;;
          200) ;;
          206) out " -- WTF?" ;;
          400) pr_litemagenta " (Hint: better try another URL)" ;;