As suggested in https://github.com/testssl/testssl.sh/pull/2885 parsing
of the server determined HTTP age var wasn't strict enough.
https://www.rfc-editor.org/rfc/rfc7234#section-1.2.1 requires the
variable to be a non-negative integer but testssl.sh assumed it was
like that but did't check whether that really was the case. This was
labled as a (potential) security problem. Potential as it didn't
look exploitable after review -- the header as a whole was already
sanitized.
This PR fixes the typs confusion and the garbled screen by checking
the variable early in run_http_header() and reset it to NaN. That
will be used later in run_http_date() to raise a low severity finding.
Kudos to @Tristanhx for catching this and for the suggested PR.
Also, only when running in debug mode, this PR fixes that during
service_detection() parts of the not-yet-sanitized header ended
up on the screen. The fix just calls sanitze_http_header() for the
temporary variable $TMPFILE.
... which leads to a performance gain., most noteably on Macs.
All times when calling were re-adjusted.
Also:
* PROXY_WAIT was decrease to 10 seconds. 20 seemed just too much
* passed var to `starttls_just_read()` was simplyfied
The site from that billioniare who made nazi gestures delivers a UDP
response without proper TLS handshake. This led to a false positive
as if the site supports QUIC via h3.
This PR makes the detection of QUIC more robust by adding a certificate check
and also take better the return values from `wait_kill()` into account.
It also introduces a function to remove any non printable chars (depending
on the LC_ALL var): `filter_printable()`
Also `sanitze_http_header()` doesn't operate anymore on a global variable
which is kind of not best practise as it is easily to avoid here.
... for t/32_isHTML_valid.t .
Github.com seems to be most reliable from the ones tested so far.
bahn.de has one IP to the outside however Session resumption seems
to come from different hosts behind that IP. Bad choice for this
test.
Seems the patch in #2856 wasn't complete. So that it was forgotten to add also manually specified IPv6 addresses to the IP addresses to show and to scan.
This makes sure it does, so this fixes#2854 finally.
Also statements were added to reset do_ipv4_only and do_ipv6_only correctly so that later the output "Testing all IP** addresses" is correct.
* `code2network()` was improved to just use internal bash functions, except sed
* `socksend()` was renamed to `socksend_x()` to clarify that the string passed contains already a leading x
We might want to try using in `code2network()` only bash internal functions like in `socksend_x()`.
And maybe decide for onee format of hexbytes in the code -- with x or without.
Due to rebasing determine_ip_addresses() in #2852 it was
forgotten to add any manually specified IP address to
the IP addresses to show and to scan.
This fixes#2854 .
This labels the result of a failed test for reaching
port 80 when no direct connection is possible as likely not
vulnerable.
This seems safe to say, as there's another check whether
a proxy is configured, like for corporate environments where
a connection is only allowed though the proxy.
