Add brotli compression detection for BREACH (backport)

As noted in #1605 the brotli compression check was missing. So hosts
which didn't offer gzip deflate or compress but brotli seemed to
be fine but they should have been labelled as potentially VULNERABLE.

This also fixes a bug: The HTTP header returned was only checking
for case-sensitive "Content-Encoding". RFC 2616 states in 4.2
(Message Headers): "Field names are case-insensitive"
This commit is contained in:
Dirk Wetter 2020-05-04 13:23:05 +02:00
parent dbff0f9673
commit 85a529ee00


@ -14607,12 +14607,14 @@ run_breach() {
[[ "$NODE" =~ google ]] && referer="https://yandex.ru/" # otherwise we have a false positive for google.com [[ "$NODE" =~ google ]] && referer="https://yandex.ru/" # otherwise we have a false positive for google.com
useragent="$UA_STD" useragent="$UA_STD"
$SNEAKY && useragent="$UA_SNEAKY" $SNEAKY && useragent="$UA_SNEAKY"
printf "GET $url HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $useragent\r\nReferer: $referer\r\nConnection: Close\r\nAccept-encoding: gzip,deflate,compress\r\nAccept: text/*\r\n\r\n" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") 1>$TMPFILE 2>$ERRFILE & printf "GET $url HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $useragent\r\nReferer: $referer\r\nConnection: Close\r\nAccept-encoding: gzip,deflate,compress,br\r\nAccept: text/*\r\n\r\n" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") 1>$TMPFILE 2>$ERRFILE &
wait_kill $! $HEADER_MAXSLEEP wait_kill $! $HEADER_MAXSLEEP
was_killed=$? # !=0 was killed was_killed=$? # !=0 was killed
result=$(awk '/^Content-Encoding/ { print $2 }' $TMPFILE) result="$(grep -ia Content-Encoding: $TMPFILE)"
result=$(strip_lf "$result") result="$(strip_lf "$result")"
debugme grep '^Content-Encoding' $TMPFILE result="${result#*:}"
result="$(strip_spaces "$result")"
debugme echo "$result"
if [[ ! -s $TMPFILE ]]; then if [[ ! -s $TMPFILE ]]; then
pr_warning "failed (HTTP header request stalled or empty return" pr_warning "failed (HTTP header request stalled or empty return"
if [[ $was_killed -ne 0 ]]; then if [[ $was_killed -ne 0 ]]; then
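Review bot: The new `result="$(grep -ia Content-Encoding: $TMPFILE)"` is no longer anchored to the start of the line, so unlike the removed `awk '/^Content-Encoding/ ...'` it also matches that string anywhere in the response body, and every matching line is returned (strip_lf presumably joins them, after which `${result#*:}` strips only the first header name). An uncompressed text/* page that merely mentions the header — the very case that should be reported OK — would thus be flagged HIGH / potentially VULNERABLE. Restricting the search to the header section and the first hit keeps the case-insensitivity fix without the false positive, e.g. `result="$(awk '/^[[:space:]]*$/ { exit } tolower($0) ~ /^content-encoding:/ { print; exit }' "$TMPFILE")"` (sketch; confirm it copes with the CR-terminated header lines s_client writes into $TMPFILE). `$TMPFILE` should also be quoted on this and the following lines. run_breach() starts before this hunk and continues past it.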
@ -14628,10 +14630,10 @@ run_breach() {
outln "$disclaimer" outln "$disclaimer"
fileout "$jsonID" "OK" "not vulnerable, no HTTP compression $disclaimer" "$cve" "$cwe" fileout "$jsonID" "OK" "not vulnerable, no HTTP compression $disclaimer" "$cve" "$cwe"
else else
pr_svrty_high "potentially NOT ok, uses $result HTTP compression." pr_svrty_high "potentially NOT ok, \"$result\" HTTP compression detected."
outln "$disclaimer" outln "$disclaimer"
outln "$spaces$when_makesense" outln "$spaces$when_makesense"
fileout "$jsonID" "HIGH" "potentially VULNERABLE, uses $result HTTP compression $disclaimer" "$cve" "$cwe" "$hint" fileout "$jsonID" "HIGH" "potentially VULNERABLE, $result HTTP compression detected $disclaimer" "$cve" "$cwe" "$hint"
fi fi
# Any URL can be vulnerable. I am testing now only the given URL! # Any URL can be vulnerable. I am testing now only the given URL!