hsecscan – HTTP Headers Scan – Penetration Testing

A security scanner for HTTP response headers.

Installation

Requirement:
Python 2.x
Installation
git clone http://ift.tt/2szzFi6

Usage

$ ./hsecscan.py
usage: hsecscan.py [-h] [-P] [-p] [-u URL] [-R] [-i] [-U User-Agent]
[-D DBFILE] [-d ‘POST data’] [-x PROXY] [-a]

A security scanner for HTTP response headers.

optional arguments:
-h, –help show this help message and exit
-P, –database Print the entire response headers database.
-p, –headers Print only the enabled response headers from database.
-u URL, –URL URL The URL to be scanned.
-R, –redirect Print redirect headers.
-i, –insecure Disable certificate verification.
-U User-Agent, –useragent User-Agent
Set the User-Agent request header (default: hsecscan).
-D DBFILE, –dbfile DBFILE
Set the database file (default: hsecscan.db).
-d ‘POST data’, –postdata ‘POST data’
Set the POST data (between single quotes) otherwise
will be a GET (example: ‘{ “q”:”query string”,
“foo”:”bar” }’).
-x PROXY, –proxy PROXY
Set the proxy server (example: 192.168.1.1:8080).
-a, –all Print details for all response headers. Good for check
the related RFC.

Example

$ ./hsecscan.py -u https://google.com
>> RESPONSE INFO <> RESPONSE HEADERS DETAILS <<
Header Field Name: X-XSS-Protection
Value: 1; mode=block
Reference: http://ift.tt/P8AdzY
Security Description: This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. Its unknown if that version honored this header.
Security Reference: http://ift.tt/Xx94b6
Recommendations: Use "X-XSS-Protection: 1; mode=block" whenever is possible (ref. http://ift.tt/1zsHbq8).
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE URL: http://ift.tt/1sECy8t

Header Field Name: Set-Cookie
Value: NID=79=hDENeVI81zBYDtmqeCKAc5mxg6AQ-S24ahNqZ8El37rlJmYwUtgJg4vXAya7jKSyB2VqYI33JlLPacGonMPajpcDpUkb7mMtWMbNwIZQ8CyQBA1qXsRhjlLXU_4WExlI; expires=Fri, 25-Nov-2016 20:35:36 GMT; path=/; domain=.google.com.br; HttpOnly
Reference: http://ift.tt/YrgymC
Security Description: Cookies have a number of security pitfalls. In particular, cookies encourage developers to rely on ambient authority for authentication, often becoming vulnerable to attacks such as cross-site request forgery. Also, when storing session identifiers in cookies, developers often create session fixation vulnerabilities. Transport-layer encryption, such as that employed in HTTPS, is insufficient to prevent a network attacker from obtaining or altering a victim's cookies because the cookie protocol itself has various vulnerabilities. In addition, by default, cookies do not provide confidentiality or integrity from network attackers, even when used in conjunction with HTTPS.
Security Reference: http://ift.tt/1NkXhcD
Recommendations: Please at least read these references: http://ift.tt/1NkXhcD and http://ift.tt/1I6vbO5.
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE URL: http://ift.tt/1MJYaIs

Header Field Name: Accept-Ranges
Value: none
Reference: http://ift.tt/1N3mRUL
Security Description: Unconstrained multiple range requests are susceptible to denial-of-service attacks because the effort required to request many overlapping ranges of the same data is tiny compared to the time, memory, and bandwidth consumed by attempting to serve the requested data in many parts.
Security Reference: http://ift.tt/1I6v98S
Recommendations: Servers ought to ignore, coalesce, or reject egregious range requests, such as requests for more than two overlapping ranges or for many small ranges in a single set, particularly when the ranges are requested out of order for no apparent reason.
CWE: CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
CWE URL: http://ift.tt/1N3mTfk

Header Field Name: Server
Value: gws
Reference: http://ift.tt/1I6v98W
Security Description: Overly long and detailed Server field values increase response latency and potentially reveal internal implementation details that might make it (slightly) easier for attackers to find and exploit known security holes.
Security Reference: http://ift.tt/1I6v98W
Recommendations: An origin server SHOULD NOT generate a Server field containing needlessly fine-grained detail and SHOULD limit the addition of subproducts by third parties.
CWE: CWE-200: Information Exposure
CWE URL: http://ift.tt/1eDYFur

Header Field Name: Cache-Control
Value: private, max-age=0
Reference: http://ift.tt/1N3mTfo
Security Description: Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious exploitation. Because cache contents persist after an HTTP request is complete, an attack on the cache can reveal information long after a user believes that the information has been removed from the network. Therefore, cache contents need to be protected as sensitive information.
Security Reference: http://ift.tt/1I6v9pb
Recommendations: Do not store unnecessarily sensitive information in the cache.
CWE: CWE-524: Information Exposure Through Caching
CWE URL: http://ift.tt/1O5oJhn

Header Field Name: P3P
Value: CP="This is not a P3P policy! See http://ift.tt/1mIyuqL for more info."
Reference: http://ift.tt/1N3mRUV
Security Description: While P3P itself does not include security mechanisms, it is intended to be used in conjunction with security tools. Users' personal information should always be protected with reasonable security safeguards in keeping with the sensitivity of the information.
Security Reference: http://ift.tt/1N3mTfs
Recommendations: –
CWE: –
CWE URL: –

Header Field Name: Content-Type
Value: text/html; charset=ISO-8859-1
Reference: http://ift.tt/1I6v9ph
Security Description: In practice, resource owners do not always properly configure their origin server to provide the correct Content-Type for a given representation, with the result that some clients will examine a payload's content and override the specified type. Clients that do so risk drawing incorrect conclusions, which might expose additional security risks (e.g., "privilege escalation").
Security Reference: http://ift.tt/1I6v9ph
Recommendations: Properly configure their origin server to provide the correct Content-Type for a given representation.
CWE: CWE-430: Deployment of Wrong Handler
CWE URL: http://ift.tt/1N3mRUX

Header Field Name: X-Frame-Options
Value: SAMEORIGIN
Reference: http://ift.tt/15sAhEb
Security Description: The use of "X-Frame-Options" allows a web page from host B to declare that its content (for example, a button, links, text, etc.) must not be displayed in a frame ( or ) of another page (e.g., from host A). This is done by a policy declared in the HTTP header and enforced by browser implementations.
Security Reference: http://ift.tt/15sAhEb
Recommendations: In 2009 and 2010, many browser vendors ([Microsoft-X-Frame-Options] and [Mozilla-X-Frame-Options]) introduced the use of a non-standard HTTP [RFC2616] header field “X-Frame-Options” to protect against clickjacking. Please check here http://ift.tt/1ldsjo2 what’s the best option for your case.
CWE: CWE-693: Protection Mechanism Failure
CWE URL: http://ift.tt/1I6vc4t

>> RESPONSE MISSING HEADERS <<
Header Field Name: Pragma
Reference: http://ift.tt/1N3mTfu
Security Description: Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious exploitation.
Security Reference: http://ift.tt/1I6v9pb
Recommendations: The "Pragma" header field allows backwards compatibility with HTTP/1.0 caches, so that clients can specify a "no-cache" request that they will understand (as Cache-Control was not defined until HTTP/1.1). When the Cache-Control header field is also present and understood in a request, Pragma is ignored. Define "Pragma: no-cache" whenever is possible.
CWE: CWE-524: Information Exposure Through Caching
CWE URL: http://ift.tt/1O5oJhn

Header Field Name: Public-Key-Pins
Reference: http://ift.tt/1OPqqNj
Security Description: HTTP Public Key Pinning (HPKP) is a trust on first use security mechanism which protects HTTPS websites from impersonation using fraudulent certificates issued by compromised certificate authorities. The security context or pinset data is supplied by the site or origin.
Security Reference: http://ift.tt/1OPqqNj
Recommendations: Deploying Public Key Pinning (PKP) safely will require operational and organizational maturity due to the risk that hosts may make themselves unavailable by pinning to a set of SPKIs that becomes invalid. With care, host operators can greatly reduce the risk of man-in-the-middle (MITM) attacks and other false- authentication problems for their users without incurring undue risk. PKP is meant to be used together with HTTP Strict Transport Security (HSTS) [RFC6797], but it is possible to pin keys without requiring HSTS.
CWE: CWE-295: Improper Certificate Validation
CWE URL: http://ift.tt/1HNigj0

Header Field Name: Public-Key-Pins-Report-Only
Reference: http://ift.tt/1OPqqNj
Security Description: HTTP Public Key Pinning (HPKP) is a trust on first use security mechanism which protects HTTPS websites from impersonation using fraudulent certificates issued by compromised certificate authorities. The security context or pinset data is supplied by the site or origin.
Security Reference: http://ift.tt/1OPqqNj
Recommendations: Deploying Public Key Pinning (PKP) safely will require operational and organizational maturity due to the risk that hosts may make themselves unavailable by pinning to a set of SPKIs that becomes invalid. With care, host operators can greatly reduce the risk of man-in-the-middle (MITM) attacks and other false- authentication problems for their users without incurring undue risk. PKP is meant to be used together with HTTP Strict Transport Security (HSTS) [RFC6797], but it is possible to pin keys without requiring HSTS.
CWE: CWE-295: Improper Certificate Validation
CWE URL: http://ift.tt/1HNigj0

Header Field Name: Strict-Transport-Security
Reference: http://ift.tt/1jbTaAT
Security Description: HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect secure HTTPS websites against downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.
Security Reference: http://ift.tt/1jbTaAT
Recommendations: Please at least read this reference: http://ift.tt/1nJn3wu.
CWE: CWE-311: Missing Encryption of Sensitive Data
CWE URL: http://ift.tt/1EetMZf

Header Field Name: Frame-Options
Reference: http://ift.tt/15sAhEb
Security Description: The use of "X-Frame-Options" allows a web page from host B to declare that its content (for example, a button, links, text, etc.) must not be displayed in a frame ( or ) of another page (e.g., from host A). This is done by a policy declared in the HTTP header and enforced by browser implementations.
Security Reference: http://ift.tt/15sAhEb
Recommendations: In 2009 and 2010, many browser vendors ([Microsoft-X-Frame-Options] and [Mozilla-X-Frame-Options]) introduced the use of a non-standard HTTP [RFC2616] header field “X-Frame-Options” to protect against clickjacking. Please check here http://ift.tt/1ldsjo2 what’s the best option for your case.
CWE: CWE-693: Protection Mechanism Failure
CWE URL: http://ift.tt/1I6vc4t

Header Field Name: X-Content-Type-Options
Reference: http://ift.tt/pwBvFJ
Security Description: The only defined value, “nosniff”, prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.
Security Reference: http://ift.tt/Xx94b6
Recommendations: Always use the only defined value, “nosniff”.
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE URL: http://ift.tt/1sECy8t

Header Field Name: Content-Security-Policy
Reference: http://ift.tt/LOaqK2
Security Description: Content Security Policy requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.
Security Reference: http://ift.tt/Xx94b6
Recommendations: Read the reference http://ift.tt/LOaqK2 and set according to your case. This is not a easy job.
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE URL: http://ift.tt/1sECy8t

Header Field Name: X-Content-Security-Policy
Reference: http://ift.tt/LOaqK2
Security Description: Content Security Policy requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.
Security Reference: http://ift.tt/Xx94b6
Recommendations: Read the reference http://ift.tt/LOaqK2 and set according to your case. This is not a easy job.
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE URL: http://ift.tt/1sECy8t

Header Field Name: X-WebKit-CSP
Reference: http://ift.tt/LOaqK2
Security Description: Content Security Policy requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.
Security Reference: http://ift.tt/Xx94b6
Recommendations: Read the reference http://ift.tt/LOaqK2 and set according to your case. This is not a easy job.
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE URL: http://ift.tt/1sECy8t

Header Field Name: Content-Security-Policy-Report-Only
Reference: http://ift.tt/LOaqK2
Security Description: Like Content-Security-Policy, but only reports. Useful during implementation, tuning and testing efforts.
Security Reference: http://ift.tt/Xx94b6
Recommendations: Read the reference http://ift.tt/LOaqK2 and set according to your case. This is not a easy job.
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE URL: http://ift.tt/1sECy8t

Source: Github

The post hsecscan – HTTP Headers Scan appeared first on Penetration Testing.

Anúncios

Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do WordPress.com

Você está comentando utilizando sua conta WordPress.com. Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s