Nmap Development mailing list archives

Re: NSE script contribution - http-hsts-verify


From: nnposter <nnposter () users sourceforge net>
Date: Fri, 30 Dec 2016 08:52:46 -0700
On 12/16/16 4:22 AM, jah wrote:
On 07/12/16 03:38, Ícaro Torres wrote:

I would like to contribute a new NSE script to the Nmap Project.
It verifies whether HSTS is enabled on the web service.

Hi Ícaro,

This is a useful NSE script; thank you for sharing it.  I suggest a few
small improvements:-

Make the output concise and use the word "Header" instead of "Banner":-

The information and references can go in the description field of the
script

Finally, since the script does not use the HTTP Response Body, it should
suffice to make a HEAD request:-

response = http.head(host, port, path)

Regards,

jah

Hello Ícaro,
I would have a few more suggestions, both localized and more global:

* Use http.can_use_head(), instead of http.head(), and fall back on
  http.get() if that call fails. Not all sites support HEAD.

* Use result.header instead of result.rawheader. There are a few
  benefits of doing so:

  - Your match is allowing only two particular capitalizations of the
    header name while HTTP headers are by definition case-insensitive.
    Table result.header has the names already normalized.

  - Table result.rawheader does not account for line wrapping while
    result.header does it for you.

  - Table result.header consolidates multiple instances of the same
    header within a request. You do not have to do it manually.

  - Multiple instances of the header should be joined by comma, not by
    space. Otherwise you are technically changing the header meaning.

* Use literal string match for the header name, not an unanchored
  pattern with wildcards, e.g. use

    result.header["strict-transport-security"]

  Otherwise you are matching on headers like the following:

    "X-Foo: forget strict transport security"

* Implement XML output.
  See https://nmap.org/book/output-formats-xml-output.html

* Consider enhancing the script by recognizing and explicitly reporting
  on max-age=0, i.e. the site has HSTS configured but turned off.


Cheers,
nnposter


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
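The script below is an added example, not Ícaro's submission and not code from the Nmap project, showing one way to put the suggestions in this thread together: http.can_use_head() with a fall back to http.get(), a literal lookup in response.header, structured output that renders to both text and XML, and explicit reporting of max-age=0. It assumes the file is saved as http-hsts-verify.nse (the script-arg name follows from that) and only the standard NSE libraries http, shortport and stdnse. The directive syntax and the rules that only the first header instance is processed and that the header is ignored over cleartext HTTP come from RFC 6797.

```lua
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Reports whether a web server sends a Strict-Transport-Security (HSTS)
header and parses its max-age, includeSubDomains and preload directives.
A header carrying max-age=0 is reported explicitly: it means HSTS is
configured but turned off, since it tells browsers to discard any
cached policy for the host.
]]

---
-- @usage
-- nmap -p 443 --script http-hsts-verify <target>
--
-- @args http-hsts-verify.path Path to request. Default: /

author = "Added example for the nmap-dev thread; not the submitted script"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

portrule = shortport.http

-- Parse an HSTS directive list. Directive names are case-insensitive
-- and separated by semicolons (RFC 6797 section 6.1).
local function parse_hsts(value)
  local policy = { includeSubDomains = false, preload = false }
  for directive in value:gmatch("[^;]+") do
    local name, val = directive:match("^%s*([%w%-]+)%s*=?%s*(.-)%s*$")
    if name then
      name = name:lower()
      if name == "max-age" then
        -- the value may be quoted; only the leading digits matter
        local digits = val:match("^\"?(%d+)")
        policy.max_age = digits and tonumber(digits)
      elseif name == "includesubdomains" then
        policy.includeSubDomains = true
      elseif name == "preload" then
        policy.preload = true
      end
    end
  end
  return policy
end

action = function(host, port)
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"

  -- The body is not needed, so try HEAD first; fall back to GET for
  -- servers that do not answer HEAD correctly.
  local ok, response = http.can_use_head(host, port, nil, path)
  if not ok then
    response = http.get(host, port, path)
  end
  if not response or not response.status then
    stdnse.debug1("No HTTP response for %s", path)
    return nil
  end

  -- response.header has lowercase names, unfolded lines, and repeated
  -- headers already joined with commas, so a literal lookup suffices.
  local hsts = response.header["strict-transport-security"]

  -- stdnse.output_table() keeps key order and renders to text and XML.
  local output = stdnse.output_table()
  output.status = response.status

  if not hsts then
    output.hsts = "not configured"
    return output
  end

  -- If the header appeared more than once, only the first instance is
  -- processed (RFC 6797 section 8.1); http.lua joined them with commas.
  local first = hsts:match("^[^,]*")
  output.header = hsts
  local policy = parse_hsts(first)
  if policy.max_age then output.max_age = policy.max_age end
  output.includeSubDomains = policy.includeSubDomains
  output.preload = policy.preload

  if not policy.max_age then
    output.hsts = "malformed (missing max-age)"
  elseif policy.max_age == 0 then
    output.hsts = "configured but disabled (max-age=0)"
  else
    output.hsts = "enabled"
  end

  -- Browsers ignore HSTS received over cleartext HTTP (RFC 6797 section 8.1).
  if not shortport.ssl(host, port) then
    output.warning = "header received over plain HTTP; browsers ignore it"
  end

  return output
end
```

Returning the output table rather than a formatted string is what gives the script XML output for free: the NSE engine renders the table as nested elem entries in -oX and as the usual indented text on the console, so no separate formatting code is needed. The cleartext warning is the one check a practitioner is most likely to want beyond the thread's list, because a correct header on port 80 does nothing for users.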