Nmap Development mailing list archives
Re: NSE script contribution - http-hsts-verify
From: Ícaro Torres <icaro.redes.ifpb () gmail com>
Date: Mon, 19 Dec 2016 12:02:36 -0300
Hello Jah,

Thank you for all the attention and tips. I am sorry for the delay in this response; I only saw this message yesterday morning. All the recommended improvements were done; please see the code in the attached NSE file.

Best regards to all.

2016-12-16 8:22 GMT-03:00 jah <jah () zadkiel plus com>:
On 07/12/16 03:38, Ícaro Torres wrote:
> I would like to contribute a new NSE script to the Nmap Project. It verifies whether HSTS is enabled in the web service.

Hi Ícaro,

This is a useful NSE script; thank you for sharing it. I suggest a few small improvements:

- Make the output concise and use the word "Header" instead of "Banner":

    PORT    STATE SERVICE
    443/tcp open  https
    | http-hsts-verify:
    |   HSTS is configured.
    |_  Header: Strict-Transport-Security: max-age=31558150; includeSubDomains

  and:

    PORT    STATE SERVICE
    443/tcp open  https
    | http-hsts-verify:
    |_  HSTS is not configured.

- The information and references can go in the description field of the script, so that when users do:

    nmap --script-help http-hsts-verify

  they see something like:

    """
    Verify that HTTP Strict Transport Security is enabled.

    HTTP Strict-Transport-Security (HSTS) (RFC 6797) forces a web browser to communicate with a web server over HTTPS. This script examines HTTP Response Headers to determine whether HSTS is configured.

    References:
    https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
    """

- Finally, since the script does not use the HTTP Response Body, it should suffice to make a HEAD request:

    response = http.head(host, port, path)

Regards,
jah
--
Ícaro Evangelista Torres
Computer Networks Technologist - IFPB
Postgraduate in Information Security - IDEZ college
Twitter: @IcaroTorres
Attachment: http-hsts-verify.nse
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
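As an added example (not the attached http-hsts-verify.nse and not code from the Nmap project), here is a minimal NSE script shaped the way jah suggests: a single HEAD request, concise output, and the references in the description. The script argument name http-hsts-verify.path, the portrule combining shortport.http with shortport.ssl, and the handling of a missing or zero max-age are assumptions made for this example; the header-name lookup relies on the NSE http library lower-casing header names.

```lua
-- Added example, not the attached http-hsts-verify.nse and not Nmap code.
-- It follows jah's suggestions: HEAD request only, concise output,
-- references in the description. The script argument name, the portrule
-- and the max-age handling are assumptions made for this example.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Verify that HTTP Strict Transport Security is enabled.

HTTP Strict-Transport-Security (HSTS) (RFC 6797) forces a web browser to
communicate with a web server over HTTPS. This script examines HTTP response
headers to determine whether HSTS is configured.

References:
* https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
]]

---
-- @usage
-- nmap -p 443 --script http-hsts-verify <target>
--
-- @args http-hsts-verify.path Path to request with HEAD (default: /).
--
-- @output
-- PORT    STATE SERVICE
-- 443/tcp open  https
-- | http-hsts-verify:
-- |   HSTS is configured.
-- |_  Header: Strict-Transport-Security: max-age=31558150; includeSubDomains

author = "example author"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- RFC 6797 tells user agents to ignore the header on plain HTTP, so only
-- HTTP services reached over TLS are worth checking.
portrule = function(host, port)
  return shortport.http(host, port) and shortport.ssl(host, port)
end

-- Split a Strict-Transport-Security value into a table of directives,
-- e.g. "max-age=31558150; includeSubDomains" ->
--      { ["max-age"] = "31558150", includesubdomains = true }
local function parse_hsts(value)
  local directives = {}
  for directive in value:gmatch("[^;]+") do
    local name, val = directive:match("^%s*([^=%s]+)%s*=%s*(.-)%s*$")
    if name then
      val = val:match('^"(.*)"$') or val   -- RFC 6797 allows quoted values
    else
      name, val = directive:match("^%s*(%S+)%s*$"), true
    end
    if name then
      directives[name:lower()] = val
    end
  end
  return directives
end

action = function(host, port)
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"

  -- The body is never inspected, so a HEAD request is sufficient.
  local response = http.head(host, port, path)
  if not response or not response.status then
    return nil
  end

  -- The NSE http library stores header names in lower case.
  local raw = response.header["strict-transport-security"]
  if not raw then
    return {"HSTS is not configured."}
  end

  local directives = parse_hsts(raw)
  local out = {}
  if directives["max-age"] == "0" then
    -- max-age=0 instructs browsers to forget the host: effectively disabled.
    out[#out + 1] = "HSTS header present but max-age=0 disables it."
  elseif not directives["max-age"] then
    -- max-age is required by RFC 6797; without it browsers ignore the header.
    out[#out + 1] = "HSTS header present but malformed (no max-age)."
  else
    out[#out + 1] = "HSTS is configured."
  end
  out[#out + 1] = "Header: Strict-Transport-Security: " .. raw
  return out
end
```

Returning an array table lets NSE print each element as its own output line, matching the two-line and one-line layouts shown above. Parsing the directives rather than only testing for the header's presence is what lets the script distinguish a working policy from a header that browsers will discard or that explicitly clears the policy.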
Current thread:
- NSE script contribution - http-hsts-verify Ícaro Torres (Dec 09)
- Re: NSE script contribution - http-hsts-verify jah (Dec 16)
- Re: NSE script contribution - http-hsts-verify Ícaro Torres (Dec 19)
- Re: NSE script contribution - http-hsts-verify jah (Dec 30)
- Re: NSE script contribution - http-hsts-verify nnposter (Dec 30)