Fixes#2833
This does a check for the opossum vulnerability, see https://opossum-attack.com/ .
It uses a separate function to send the payload and retrieve the result via `http_header_printf()`. It doesn't use curl or wget. The latter wouldn't work anyway as according to the manpage as the HTTP header which needs to be sent must not contain LFs. This function was introduced because `http_get_header()` -- which was renamed to `http_head()` -- could use wget if curl is not available. On the way to this PR `http_head()` was improved, so that timeouts were used for curl and wget for better maturity.
`http_header_printf()` now uses bach sockets , strips the URI so that a plaintext request is made. This will be done in the background because not every host will answer.
Done also:
- handling when PROXY is requested (try anyway directly as the payload is not "proxyable")
- print a message when no HTTP service is present
- try hard to use plaintext HTTP when auth is required for HTTPS and service HTTP would not be defined otherwise
- manpages
- help
Also when pwnedkeys are checked a not pwned certificate is labled not neutral but OK=green.
As suggested in #2780 this PR redirects all stderr on a perl level
to stdout so that we should see all errors which we miss because
we can't redirect (>/dev/null in check) or we haven't redirected yet.
Also old checks are imporved, so that $prg is used as in newer
checks.
.. to scan.
It worked in a few examples locally. Other hosts I tried so far weren't
available anymore (like scanme.nmap.org). In order to reduce the burden
we scan now only during PRs.
See #2127. the line seems very long though.
Note: this was previously commited as #2184 but as there were two mistakes
and one other thing which could be improved I decided to make a hard reset.
Apologize if it caused inconvenience.
Often in the past travis was hitting a limit (50min?).
This is a try to make reasonable cuts to the unit tests:
- For STARTTLS some checks with OPenSSL are skipped
- For JSON and HTML outputs --ids-friendly was added assumming we
don't change the output of ticketbleed, CCSI, HeartBleed and ROBOT any more.
- There's also not point to run those checks against badssl
- for the diff check we switch to 'or diag' to display a dfifference
