From 9254872a1da29dc3b51bca5d45b4a17d2bcb491a Mon Sep 17 00:00:00 2001
From: Rafa Faura
Date: Fri, 10 Nov 2023 19:28:14 +0100
Subject: [PATCH] Feature: New insecure check (Supports-Loading-Mode: No Valid Directives)

---
 README.md | 2 +-
 additional/insecure.txt | 1 +
 humble.py | 8 ++++++++
 i10n/details.txt | 7 +++++++
 i10n/details_es.txt | 7 +++++++
 5 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c5327f21..cb118a14 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@ HTTP Headers Analyzer
:heavy_check_mark: 14 [checks](#checks-missing-headers) of missing HTTP response headers.
:heavy_check_mark: 997 [checks](#checks-fingerprint-headers) of fingerprinting through HTTP response headers.
-:heavy_check_mark: 85 [checks](#checks-deprecated-headersprotocols-and-insecure-values) of deprecated HTTP response headers/protocols or with insecure/wrong values.
+:heavy_check_mark: 86 [checks](#checks-deprecated-headersprotocols-and-insecure-values) of deprecated HTTP response headers/protocols or with insecure/wrong values.
:heavy_check_mark: Browser compatibility check for enabled security headers.
:heavy_check_mark: Two types of analysis: brief and detailed, along with HTTP response headers.
:heavy_check_mark: Export of analysis to HTML5, JSON, PDF 1.4 and TXT.
diff --git a/additional/insecure.txt b/additional/insecure.txt
index f1bf2d2f..81759cb9 100644
--- a/additional/insecure.txt
+++ b/additional/insecure.txt
@@ -56,6 +56,7 @@ Strict-Dynamic: Incorrect Header
 Strict-Transport-Security: Duplicated Values
 Strict-Transport-Security: Ignored Header via Unsafe Scheme
 Strict-Transport-Security: Recommended Values
+Supports-Loading-Mode: No Valid Directives
 Timing-Allow-Origin: Potentially Unsafe Header
 Tk: Deprecated Header
 Trailer: Disallowed Directives
diff --git a/humble.py b/humble.py
index 44f335e7..09774555 100644
--- a/humble.py
+++ b/humble.py
@@ -1211,6 +1211,9 @@ def custom_help_formatter(prog):
             'noindex', 'none', 'nopagereadaloud', 'nositelinkssearchbox',
             'nosnippet', 'notranslate', 'noydir', 'unavailable_after']
 
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Supports-Loading-Mode
+l_support_mode = ['credentialed-prerender']
+
 if 'Accept-CH' in headers:
     acceptch_header = headers['Accept-CH'].lower()
     if URL.startswith(INS_S):
@@ -1435,6 +1438,11 @@ def custom_help_formatter(prog):
     if ',' in sts_header:
         print_details('[istsd_h]', '[istsd]', 'd', i_cnt)
 
+if 'Supports-Loading-Mode' in headers:
+    support_mode_h = headers['Supports-Loading-Mode'].lower()
+    if not any(elem in support_mode_h for elem in l_support_mode):
+        print_details('[islmode_h]', '[islmode]', 'd', i_cnt)
+
 if (sts_header) and (URL.startswith(INS_S)):
     print_details('[ihsts_h]', '[ihsts]', 'd', i_cnt)
diff --git a/i10n/details.txt b/i10n/details.txt
index 9bcb8e35..856056e3 100644
--- a/i10n/details.txt
+++ b/i10n/details.txt
@@ -488,6 +488,9 @@
 [ictrf_h]
  Transfer-Encoding (No Valid Directives)
 
+[islmode_h]
+ Supports-Loading-Mode (No Valid Directives)
+
 [ihbas_h]
  WWW-Authenticate (Unsafe Value)
 
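Review bot: In the second humble.py hunk, `if not any(elem in support_mode_h for elem in l_support_mode)` is a substring test over the whole lowercased header value, whereas Supports-Loading-Mode carries a comma-separated list of directive tokens; comparing tokens exactly, e.g. `tokens = {t.strip() for t in support_mode_h.split(',')}` then `if not tokens & set(l_support_mode):`, gives the same finding without accepting a directive name embedded in some other token. In the first hunk `l_support_mode` holds only `credentialed-prerender`, but the Fenced Frames proposal also opts in through a `fenced-frame` directive of this same header, so a response carrying only that token would be reported as "No Valid Directives" — either add it to the list or extend the comment to say the list deliberately tracks the MDN page only. Whether `headers` is case-insensitive on key lookup cannot be told from the hunk; if it is a plain dict, a server emitting `supports-loading-mode` in lowercase would silently skip this check, as it would the neighbouring `Accept-CH` and Strict-Transport-Security checks. Both added blocks are module-level script code despite the `custom_help_formatter` hunk-header context, and the enclosing statement run continues outside both hunks.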
@@ -848,6 +851,10 @@ HTTP Response Headers
  This header, or its values, may be duplicated.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 
+[islmode]
+ Include at least one valid directive.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Supports-Loading-Mode
+
 [ihsts]
  This header is ignored by the browser when accessing via HTTP.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
diff --git a/i10n/details_es.txt b/i10n/details_es.txt
index 3385c095..31867c2e 100644
--- a/i10n/details_es.txt
+++ b/i10n/details_es.txt
@@ -488,6 +488,9 @@
 [ictrf_h]
  Transfer-Encoding (Sin directivas adecuadas)
 
+[islmode_h]
+ Supports-Loading-Mode (Sin directivas adecuadas)
+
 [ihbas_h]
  WWW-Authenticate (Valor inseguro)
 
@@ -848,6 +851,10 @@ Cabeceras de respuesta HTTP
  Esta cabecera, o sus valores, pueden estar duplicados.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 
+[islmode]
+ Incluya, al menos, una directiva correcta.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Supports-Loading-Mode
+
 [ihsts]
  Al acceder mediante HTTP los navegadores ignoran esta cabecera.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security