Nmap Development mailing list archives

Re: NSE script contribution - http-hsts-verify

From: Ícaro Torres <icaro.redes.ifpb () gmail com>
Date: Mon, 19 Dec 2016 12:02:36 -0300

Hello Jah,

Thank you for all attention and tips.

I am sorry the delay in this response, I only saw this message yesterday in
the morning.

All the improvement recomended was done, please, see the code in the NSE
file attached.

Best Regards for all.

2016-12-16 8:22 GMT-03:00 jah <jah () zadkiel plus com>:

On 07/12/16 03:38, Ícaro Torres wrote:


I would like to contribute with a new script NSE in the Nmap Project. It
verify if the HSTS is enabled in the web servise.


Hi Ícaro,

This is a useful NSE script; thank you for sharing it.  I suggest a few
small improvements:-

Make the output concise and use the word "Header" instead of "Banner":-

PORT    STATE SERVICE
443/tcp open  https
| http-hsts-verify:
|   HSTS is configured.
|_  Header: Strict-Transport-Security: max-age=31558150; includeSubDomains

and:-

PORT    STATE SERVICE
443/tcp open  https
| http-hsts-verify:
|_  HSTS is not configured.

The information and references can go in the description field of the
script, so that when users do:-

nmap --script-help http-hsts-verify

they see something like:-

"""
Verify that HTTP Strict Transport Security is enabled.

HTTP Strict-Transport-Security (HSTS) (RFC 6797) forces a web browser to
communicate with a web server over HTTPS.
This script examines HTTP Response Headers to determine whether HSTS is
configured.

References: https://www.owasp.org/index.php/HTTP_Strict_Transport_
Security_Cheat_Sheet
"""

Finally, since the script does not use the HTTP Response Body, it should
suffice to make a HEAD request:-

response = http.head(host, port, path)

Regards,

jah



-- 

Ícaro Evangelista Torres
Tecnólogo em Redes de Computadores - IFPB
Pós-Graduado em Segurança da Informação - faculdade IDEZ
Twitter: @IcaroTorres

Attachment: http-hsts-verify.nse
Description:

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

Current thread:

NSE script contribution - http-hsts-verify Ícaro Torres (Dec 09)
- Re: NSE script contribution - http-hsts-verify jah (Dec 16)
  - Re: NSE script contribution - http-hsts-verify Ícaro Torres (Dec 19)
    - Re: NSE script contribution - http-hsts-verify jah (Dec 30)
  - Re: NSE script contribution - http-hsts-verify nnposter (Dec 30)