Nmap Development mailing list archives
Re: NSE script contribution - clickjacking-prevent-check
From: Ícaro Torres <icaro.redes.ifpb () gmail com>
Date: Tue, 10 Jan 2017 18:27:59 -0300
Hello Dan,

I don't see any problem in unifying these scripts into one called http-vuln-headers (it will pinpoint more web application security issues and allow more security counter-measures in this area). I developed two different scripts before because my professional demand asked for this. Anyway, I would like to know what the next step will be. Will a group be formed, or will it be done by whoever becomes interested? I am available to try. Thank you for all the orientation, and I hope this collaboration continues for a long time.

Best Regards.

2017-01-10 17:23 GMT-03:00 Daniel Miller <bonsaiviking () gmail com>:
Ícaro,

Thanks for this contribution. I notice that both this and http-hsts-verify are simply analyses of returned HTTP headers, reporting potential vulnerabilities in the target web app. I think that the best approach here would be to have a single script to check for those security issues that can be determined from a single request's response headers. The script would be called http-vuln-headers and would cover most of the things from the OWASP Secure Headers project [1] (CSP, HSTS, clickjacking, content sniffing, etc.). We could even extend it to cover cookie issues like HttpOnly and Secure (if HTTPS). Having a separate script from http-headers makes sense because it allows users to select it based on the "vuln" category. Proper use of the http caching options would help reduce the number of requests sent.

Dan

[1] https://www.owasp.org/index.php/OWASP_Secure_Headers_Project

On Tue, Jan 3, 2017 at 6:44 PM, Ícaro Torres <icaro.redes.ifpb () gmail com> wrote:

Hello,

I would like to contribute another NSE script to the Nmap Project. This one verifies whether X-Frame-Options (RFC 7034) is enabled on a web service and shows the permissiveness level configured. This subject is listed in the "OWASP Testing Guide v4" (OWASP project: https://www.owasp.org/index.php?title=Testing_for_Clickjacking_(OTG-CLIENT-009)&setlang=en) and I think it is a good topic to observe in the hardening process of a web service. The script is attached.

Best regards.

--
Ícaro Torres
Computer Networks Technologist - IFPB
Postgraduate in Information Security - IDEZ college
Twitter: @IcaroTorres
--
Ícaro Torres
Computer Networks Technologist - IFPB
Postgraduate in Information Security - IDEZ college
Twitter: @IcaroTorres
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
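The header analysis Dan proposes for a unified http-vuln-headers script, shown as an added example that is not part of this thread or of Nmap: a Python model of the checks (the real script would be Lua using NSE's http library, whose response.header table is already lowercased). It takes one response's headers and Set-Cookie lines plus whether the service is HTTPS, and reports the issues named in the thread: X-Frame-Options (RFC 7034) with CSP frame-ancestors as its modern equivalent, HSTS, CSP presence, X-Content-Type-Options, and the HttpOnly/Secure cookie flags. The sample response, the severity labels and the one-year HSTS threshold (a common recommendation, not an Nmap setting) are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]   # (severity, description); labels are constructed
ONE_YEAR = 31536000         # common recommendation for HSTS max-age, in seconds


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; NSE's http library lowercases them too."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_clickjacking(h: Dict[str, str]) -> List[Finding]:
    """X-Frame-Options (RFC 7034), with CSP frame-ancestors as the modern equivalent."""
    xfo = h.get("x-frame-options")
    csp = h.get("content-security-policy", "").lower()
    if xfo is None:
        if "frame-ancestors" in csp:
            return [("INFO", "Framing restricted via CSP frame-ancestors")]
        return [("HIGH", "No X-Frame-Options and no CSP frame-ancestors: page can be framed")]
    value = xfo.upper()
    if value in ("DENY", "SAMEORIGIN"):
        return [("INFO", f"X-Frame-Options: {value}")]
    if value.startswith("ALLOW-FROM"):
        return [("MEDIUM", f"X-Frame-Options {xfo!r}: ALLOW-FROM is not honoured by all browsers")]
    # Anything else is invalid and silently ignored by browsers, so the page is framable.
    return [("HIGH", f"X-Frame-Options {xfo!r} is not a valid value; browsers ignore it")]


def check_hsts(h: Dict[str, str], is_https: bool) -> List[Finding]:
    """Strict-Transport-Security: present, parseable max-age, long enough."""
    if not is_https:
        return []   # HSTS is only meaningful (and only honoured) over HTTPS
    hsts = h.get("strict-transport-security")
    if hsts is None:
        return [("MEDIUM", "No Strict-Transport-Security header")]
    m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
    if not m:
        return [("MEDIUM", f"Strict-Transport-Security {hsts!r} has no max-age; browsers ignore it")]
    if int(m.group(1)) < ONE_YEAR:
        return [("LOW", f"HSTS max-age {m.group(1)} is shorter than one year")]
    return [("INFO", f"Strict-Transport-Security: {hsts}")]


def check_misc(h: Dict[str, str]) -> List[Finding]:
    """CSP presence and MIME-sniffing protection."""
    out: List[Finding] = []
    if "content-security-policy" not in h:
        out.append(("MEDIUM", "No Content-Security-Policy header"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        out.append(("LOW", "X-Content-Type-Options: nosniff not set"))
    return out


def check_cookies(set_cookie: List[str], is_https: bool) -> List[Finding]:
    """Each Set-Cookie line is 'name=value; attr; attr=value ...'."""
    out: List[Finding] = []
    for line in set_cookie:
        parts = [p.strip() for p in line.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            out.append(("MEDIUM", f"Cookie {name!r} lacks HttpOnly"))
        if is_https and "secure" not in attrs:   # Secure only matters on HTTPS, as Dan notes
            out.append(("MEDIUM", f"Cookie {name!r} lacks Secure on an HTTPS service"))
    return out


def analyze_response(headers: Dict[str, str], set_cookie: List[str], is_https: bool) -> List[Finding]:
    """Run every check over a single response, as one request would allow."""
    h = _lower_keys(headers)
    return (check_clickjacking(h) + check_hsts(h, is_https)
            + check_misc(h) + check_cookies(set_cookie, is_https))


# Constructed sample response from a hypothetical HTTPS service (not a real host).
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Strict-Transport-Security": "max-age=300",
}
SAMPLE_COOKIES = ["session=abc123; Path=/", "prefs=dark; Path=/; HttpOnly; Secure"]

if __name__ == "__main__":
    for severity, text in analyze_response(SAMPLE_HEADERS, SAMPLE_COOKIES, True):
        print(f"[{severity}] {text}")
```

Against the constructed sample this reports six findings: the ALLOW-FROM form of X-Frame-Options, the short HSTS max-age, the missing CSP and nosniff headers, and both flags missing on the session cookie; the prefs cookie is silent. Feeding a hardened response (DENY, a year-long HSTS, a CSP, nosniff, flagged cookies) yields only INFO lines, which is the shape of output a "vuln"-category script would suppress.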
Current thread:
- NSE script contribution - clickjacking-prevent-check Ícaro Torres (Jan 03)
- Re: NSE script contribution - clickjacking-prevent-check Patricio Castagnaro (Jan 09)
- Re: NSE script contribution - clickjacking-prevent-check Daniel Miller (Jan 10)
- Re: NSE script contribution - clickjacking-prevent-check Ícaro Torres (Jan 10)