From 85a529ee00eb5f3433c2470db16f761aff3ddfec Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Mon, 4 May 2020 13:23:05 +0200
Subject: [PATCH] Add brotli compression detection for BREACH (backport)

As noted in #1605 the brotli compression check was missing. So hosts which didn't offer gzip deflate or compress but brotli seemed to be fine but they shoould have been labled as potentially VULNERABLE. This also fixes a bug: The HTTP header returned was only checking for case-sensitive "Content-Encoding". RFC 2616 states in 4.2 (Message Headers): "Field names are case-insensitive"
---
 testssl.sh | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index eef0238..afd11a9 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -14607,12 +14607,14 @@ run_breach() {
 [[ "$NODE" =~ google ]] && referer="https://yandex.ru/" # otherwise we have a false positive for google.com
 useragent="$UA_STD"
 $SNEAKY && useragent="$UA_SNEAKY"
- printf "GET $url HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $useragent\r\nReferer: $referer\r\nConnection: Close\r\nAccept-encoding: gzip,deflate,compress\r\nAccept: text/*\r\n\r\n" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") 1>$TMPFILE 2>$ERRFILE &
+ printf "GET $url HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $useragent\r\nReferer: $referer\r\nConnection: Close\r\nAccept-encoding: gzip,deflate,compress,br\r\nAccept: text/*\r\n\r\n" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") 1>$TMPFILE 2>$ERRFILE &
 wait_kill $! $HEADER_MAXSLEEP
 was_killed=$? # !=0 was killed
- result=$(awk '/^Content-Encoding/ { print $2 }' $TMPFILE)
- result=$(strip_lf "$result")
- debugme grep '^Content-Encoding' $TMPFILE
+ result="$(grep -ia Content-Encoding: $TMPFILE)"
+ result="$(strip_lf "$result")"
+ result="${result#*:}"
+ result="$(strip_spaces "$result")"
+ debugme echo "$result"
 if [[ ! -s $TMPFILE ]]; then
 pr_warning "failed (HTTP header request stalled or empty return"
 if [[ $was_killed -ne 0 ]]; then
@@ -14628,10 +14630,10 @@ run_breach() {
 outln "$disclaimer"
 fileout "$jsonID" "OK" "not vulnerable, no HTTP compression $disclaimer" "$cve" "$cwe"
 else
- pr_svrty_high "potentially NOT ok, uses $result HTTP compression."
+ pr_svrty_high "potentially NOT ok, \"$result\" HTTP compression detected."
 outln "$disclaimer"
 outln "$spaces$when_makesense"
- fileout "$jsonID" "HIGH" "potentially VULNERABLE, uses $result HTTP compression $disclaimer" "$cve" "$cwe" "$hint"
+ fileout "$jsonID" "HIGH" "potentially VULNERABLE, $result HTTP compression detected $disclaimer" "$cve" "$cwe" "$hint"
 fi
 
 # Any URL can be vulnerable. I am testing now only the given URL!
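Review bot: The replacement `grep -ia Content-Encoding: $TMPFILE` in the first hunk drops the `^` anchor the removed awk pattern carried, so any line of the captured reply that contains that text — the response body included, since the whole s_client output lands in `$TMPFILE` — is now taken as the header, and a page whose text merely mentions the header would be reported as HIGH. Keeping the case-insensitive match while restoring the anchor avoids that: `result="$(grep -ia '^Content-Encoding:' $TMPFILE)"`. The extracted value is server-supplied and is interpolated as-is into the pr_svrty_high line and the fileout record, so bounding the match to the header line also bounds what ends up in the report. run_breach() begins and ends outside this hunk.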
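Review bot: The two new messages in the second hunk render the same value differently — the terminal line wraps it as `\"$result\"` while the fileout text inserts it bare — which reads as an oversight rather than a deliberate choice. Using one form in both keeps screen and JSON output aligned, e.g. `fileout "$jsonID" "HIGH" "potentially VULNERABLE, \"$result\" HTTP compression detected $disclaimer" "$cve" "$cwe" "$hint"`. The enclosing if/else and run_breach() itself extend beyond the hunk.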