Re: NSE script contribution - clickjacking-prevent-check

[Ícaro Torres <icaro.redes.ifpb () gmail com>]

Hello Dan,

I don't see any problem in unifying these scripts in one called
http-vuln-headers (it will pinpoint more web application security issues
and allow more security counter-measures in this area).

I developed two different scripts before because my profissional demand
asked this. Anyway, I would like to know what will be the next step? Will
be formed a group or it will be done by who become interested? I am
available to try.

Thank you for all orientation, and I hope this collaboration keeps for a
long time.

Best Regards.

2017-01-10 17:23 GMT-03:00 Daniel Miller <bonsaiviking () gmail com>:

> Ícaro,
>
> Thanks for this contribution. I notice that both this and http-hsts-verify
> are simply analysis of returned HTTP headers, reporting potential
> vulnerabilities in the target web app. I think that the best approach here
> would be to have a single script to check for those security issues that
> can be determined from a single request's response headers. The script
> would be called http-vuln-headers and would cover most of the things from
> the OWASP Secure Headers project [1] (CSP, HSTS, clickjacking, content
> sniffing, etc.) We could even extend it to cover cookie issues like
> HttpOnly and Secure (if HTTPS).
>
> Having a separate script from http-headers makes sense because it allows
> users to select it based on the "vuln" category. Proper use of the http
> caching options would help reduce the number of requests sent.
>
> Dan
>
>
> [1] https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
>
> On Tue, Jan 3, 2017 at 6:44 PM, Ícaro Torres <icaro.redes.ifpb () gmail com>
> wrote:
>
> > Hello,
> >
> > I would like to contribute with another NSE script in the Nmap Project.
> > This one verifies if the X-Frame-Options (RFC 7034) is enabled in a web
> > service and show the permissive level configured. This subject is listed in
> > the "OWASP Testing Guide v4" (OWASP project:
> > https://www.owasp.org/index.php?title=Testing_for_Clickjacki
> > ng_(OTG-CLIENT-009)&setlang=en) and I think it is a good topic to
> > observe in the hardening process of a web service.
> >
> > The script is attached.
> >
> > Best regards.
> >
> > --
> >
> > Ícaro Torres
> > Tecnólogo em Redes de Computadores - IFPB
> > Pós-Graduado em Segurança da Informação - faculdade IDEZ
> > Twitter: @IcaroTorres
> >
> > _______________________________________________
> > Sent through the dev mailing list
> > https://nmap.org/mailman/listinfo/dev
> > Archived at http://seclists.org/nmap-dev/


-- 

Ícaro Torres
Tecnólogo em Redes de Computadores - IFPB
Pós-Graduado em Segurança da Informação - faculdade IDEZ
Twitter: @IcaroTorres

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/