Nmap Development mailing list archives
Re: NSE script contribution - clickjacking-prevent-check
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 10 Jan 2017 14:23:39 -0600
Ícaro,

Thanks for this contribution. I notice that both this and http-hsts-verify are simply analyses of returned HTTP headers, reporting potential vulnerabilities in the target web app. I think that the best approach here would be to have a single script to check for those security issues that can be determined from a single request's response headers. The script would be called http-vuln-headers and would cover most of the things from the OWASP Secure Headers project [1] (CSP, HSTS, clickjacking, content sniffing, etc.). We could even extend it to cover cookie issues like HttpOnly and Secure (if HTTPS). Having a separate script from http-headers makes sense because it allows users to select it based on the "vuln" category. Proper use of the http caching options would help reduce the number of requests sent.

Dan

[1] https://www.owasp.org/index.php/OWASP_Secure_Headers_Project

On Tue, Jan 3, 2017 at 6:44 PM, Ícaro Torres <icaro.redes.ifpb () gmail com> wrote:
> Hello,
>
> I would like to contribute another NSE script to the Nmap Project. This one verifies whether X-Frame-Options (RFC 7034) is enabled in a web service and shows the permissive level configured. This subject is listed in the "OWASP Testing Guide v4" (OWASP project: https://www.owasp.org/index.php?title=Testing_for_Clickjacking_(OTG-CLIENT-009)&setlang=en) and I think it is a good topic to observe in the hardening process of a web service.
>
> The script is attached.
>
> Best regards.
>
> --
> Ícaro Torres
> Computer Networks Technologist - IFPB
> Postgraduate in Information Security - IDEZ college
> Twitter: @IcaroTorres
>
> _______________________________________________
> Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
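The single-response header analysis Dan sketches above (clickjacking, CSP, content sniffing, HSTS, cookie flags), as an added example in plain Python rather than NSE Lua; it is not code from the thread or from Nmap, and the 180-day HSTS threshold and the finding strings are this example's own choices.

```python
# Added example (plain Python, not NSE Lua, not code from the thread):
# classify the security headers of one HTTP response, in the spirit of
# the proposed http-vuln-headers script.
import re
from typing import Dict, List

def check_headers(headers: Dict[str, List[str]], https: bool) -> Dict[str, str]:
    """Map each check to a finding string ('ok', 'weak:' or 'missing:').

    headers: header name -> list of values (Set-Cookie may repeat).
    https:   whether the response came over TLS; HSTS and the Secure
             cookie flag are only meaningful there.
    """
    h = {k.lower(): v for k, v in headers.items()}
    first = lambda name: h.get(name, [""])[0].strip()
    out: Dict[str, str] = {}

    # Clickjacking (RFC 7034): CSP frame-ancestors wins where supported,
    # DENY/SAMEORIGIN are the solid values, ALLOW-FROM is poorly supported.
    xfo = first("x-frame-options").upper()
    csp = first("content-security-policy")
    if "frame-ancestors" in csp.lower():
        out["clickjacking"] = "ok: CSP frame-ancestors"
    elif xfo in ("DENY", "SAMEORIGIN"):
        out["clickjacking"] = "ok: X-Frame-Options " + xfo
    elif xfo.startswith("ALLOW-FROM"):
        out["clickjacking"] = "weak: ALLOW-FROM is poorly supported"
    else:
        out["clickjacking"] = "missing: X-Frame-Options / frame-ancestors"

    out["csp"] = "ok" if csp else "missing: Content-Security-Policy"
    out["sniffing"] = ("ok" if first("x-content-type-options").lower() == "nosniff"
                       else "missing: X-Content-Type-Options: nosniff")

    if https:
        m = re.search(r"max-age=(\d+)", first("strict-transport-security"), re.I)
        if not m:
            out["hsts"] = "missing: Strict-Transport-Security"
        elif int(m.group(1)) < 15552000:  # 180 days; threshold chosen for this example
            out["hsts"] = "weak: max-age %s is short" % m.group(1)
        else:
            out["hsts"] = "ok"

    # Cookie attributes: one finding per Set-Cookie header.
    for i, cookie in enumerate(h.get("set-cookie", [])):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        missing = [f for f in ("httponly", "secure")
                   if f not in attrs and (f != "secure" or https)]
        out["cookie%d" % i] = ("ok" if not missing
                               else "missing: " + ", ".join(missing))
    return out
```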
Current thread:
- NSE script contribution - clickjacking-prevent-check Ícaro Torres (Jan 03)
- Re: NSE script contribution - clickjacking-prevent-check Patricio Castagnaro (Jan 09)
- Re: NSE script contribution - clickjacking-prevent-check Daniel Miller (Jan 10)
- Re: NSE script contribution - clickjacking-prevent-check Ícaro Torres (Jan 10)