Feature: '-df' parameter (do not follow redirects) and more!:

- If this new parameter is omitted, the last redirected URL will be analyzed (default behavior). - Added a note at the beginning of the analysis result, indicating that it has been expressly indicated not to follow redirects. - Added URL scheme to the exported file name; and removed the "headers" literal. #15
rfc-st · Nov 24, 2023 · 92664d1 · 92664d1
1 parent 487745e
commit 92664d1
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@
 <a target="_blank" href="https://www.python.org/downloads/" title="Minimum Python version required to run this tool"><img src="https://img.shields.io/badge/Python-%3E%3D3.9-blue?labelColor=343b41"></a>
 <a target="_blank" href="LICENSE" title="License of this tool"><img src="https://img.shields.io/badge/License-MIT-blue.svg?labelColor=343b41"></a>
 <a target="_blank" href="https://github.com/rfc-st/humble/releases" title="Latest release of this tool"><img src="https://img.shields.io/github/v/release/rfc-st/humble?display_name=release&label=Latest%20release&labelColor=343b41"></a>
-<a target="_blank" href="https://github.com/rfc-st/humble/commits/master" title="Latest commit of this tool"><img src="https://img.shields.io/badge/Latest_Commit-2023--11--18-blue.svg?labelColor=343b41"></a>
+<a target="_blank" href="https://github.com/rfc-st/humble/commits/master" title="Latest commit of this tool"><img src="https://img.shields.io/badge/Latest_Commit-2023--11--24-blue.svg?labelColor=343b41"></a>
 <a target="_blank" href="https://github.com/rfc-st/humble/actions?query=workflow%3ACodeQL" title="Results of the last analysis of this tool with CodeQL"><img src="https://github.com/rfc-st/humble/workflows/CodeQL/badge.svg"></a>
 <a target="_blank" href="https://owasp.org/www-project-secure-headers/#div-technical" title="Tool accepted as a technical resource for OWASP"><img src="https://img.shields.io/badge/OWASP-Resource-blue?labelColor=343b41"></a>
 <a target="_blank" href="https://www.kali.org/tools/humble/" title="Tool accepted in Kali"><img src="https://img.shields.io/badge/Kali%20Linux-Tool-blue?labelColor=343b41"></a>
@@ -172,14 +172,15 @@ https://github.com/rfc-st/humble/releases
 (Windows) $ py humble.py
 (Linux)   $ python3 humble.py
 
-usage: humble.py [-h] [-a] [-b] [-e [PATH]] [-f [TERM]] [-g] [-l {es}] [-o {html,json,pdf,txt}] [-r] [-u URL] [-v]
+usage: humble.py [-h] [-a] [-b] [-df] [-e [PATH]] [-f [TERM]] [-g] [-l {es}] [-o {html,json,pdf,txt}] [-r] [-u URL] [-v]
 
 humble (HTTP Headers Analyzer) - https://github.com/rfc-st/humble
 
 options:
   -h, --help              show this help message and exit
   -a                      show statistics of the performed analysis (will be global if '-u URL' is omitted)
   -b                      show a brief analysis (if omitted, a detailed one will be shown)
+  -df                     do not follow redirects (if omitted, the last redirection will be the one analyzed)
   -e [PATH]               show TLS/SSL checks; requires the PATH of testssl.sh (https://testssl.sh/) and Unix (for now!)
   -f [TERM]               show fingerprint statistics (will be the Top 20 if "TERM", e.g. "Google", is omitted)
   -g                      show guidelines for securing popular web servers/services

diff --git a/humble.py b/humble.py
@@ -85,7 +85,7 @@
 
 export_date = datetime.now().strftime("%Y%m%d")
 now = datetime.now().strftime("%Y/%m/%d - %H:%M:%S")
-version = datetime.strptime('2023-11-18', '%Y-%m-%d').date()
+version = datetime.strptime('2023-11-24', '%Y-%m-%d').date()
 
 
 class PDF(FPDF):
@@ -716,6 +716,8 @@ def print_summary(reliable):
         print(REF_SRV_E + str(status_code))
     if reliable:
         print(get_detail('[analysis_wait_note]', replace=True))
+    if args.redirects:
+        print(get_detail('[analysis_redirects]', replace=True))
 
 
 def print_headers():
@@ -904,7 +906,11 @@ def make_http_request():
     try:
         start_time = time()
         uri_safe = quote(URL)
-        r = requests.get(uri_safe, verify=False, headers=c_headers, timeout=15)
+        # So dirty, I know!: if args.redirects ('-df' param) is not provided
+        # the last redirection will be the one analyzed (arg.redirects=True).
+        # If this is not the case, the exact URL indicated will be analyzed.
+        r = requests.get(uri_safe, allow_redirects=not args.redirects,
+                         verify=False, headers=c_headers, timeout=15)
         elapsed_time = time() - start_time
         return r, elapsed_time, None
     except requests.exceptions.RequestException as e:
@@ -973,6 +979,8 @@ def custom_help_formatter(prog):
 statistics of the performed analysis (will be global if '-u URL' is omitted)")
 parser.add_argument("-b", dest='brief', action="store_true", help="show a \
 brief analysis (if omitted, a detailed one will be shown)")
+parser.add_argument("-df", dest='redirects', action="store_true", help="do not\
+ follow redirects (if omitted, the last redirection will be the one analyzed)")
 parser.add_argument("-e", nargs='?', type=str, dest='path', help="show TLS/SSL\
  checks; requires the PATH of testssl.sh (https://testssl.sh/) and Unix (for \
 now!)")
@@ -988,7 +996,7 @@ def custom_help_formatter(prog):
 to 'URL_headers_yyyymmdd.ext' file (.json files will contain a brief analysis)\
 ")
 parser.add_argument("-r", dest='ret', action="store_true", help="show full \
-HTTP response headers and a detailed analysis")
+ HTTP response headers and a detailed analysis")
 parser.add_argument('-u', type=str, dest='URL', help="schema and URL to \
 analyze. E.g. https://google.com")
 parser.add_argument("-v", "--version", action="store_true",
@@ -1015,7 +1023,7 @@ def custom_help_formatter(prog):
 if args.lang and not (args.URL or args.URL_A) and not args.guides:
     parser.error(get_detail('[args_lang]'))
 
-if any([args.brief, args.output, args.ret]) \
+if any([args.brief, args.output, args.ret, args.redirects]) \
         and (args.URL is None or args.guides is None or args.URL_A is None):
     parser.error(get_detail('[args_several]'))
 
@@ -1074,10 +1082,11 @@ def custom_help_formatter(prog):
 if args.output:
     orig_stdout = sys.stdout
     name_s = tldextract.extract(URL)
+    name_sch = URL.split(":", 1)[0]
     name_sub = name_s.subdomain + '.' if name_s.subdomain else ''
     name_dom = name_s.domain
     name_tld = name_s.suffix
-    name_e = f"{name_sub}{name_dom}.{name_tld}_headers_{export_date}{ext}"
+    name_e = f"{name_sch}_{name_sub}{name_dom}.{name_tld}_{export_date}{ext}"
     f = open(name_e, 'w', encoding='utf8')
     sys.stdout = f
 

diff --git a/i10n/details.txt b/i10n/details.txt
@@ -642,6 +642,9 @@ HTTP Response Headers
 [analysis_wait_note]
  Note : The analysis may not be reliable because of the time it took for the URL to respond.
 
+[analysis_redirects]
+ Note : It has been expressly indicated to analyze the exact URL, without following redirects.
+
 [analysis_output]
  Analyzing URL and saving the report, please wait ...
 
@@ -1154,7 +1157,7 @@ Windows is excluded in this analysis (it should work with Cygwin//MSYS2/WSL but
 '-l' requires also '-u' or '-a'.
 
 [args_several]
-'-b', -'o' and '-r' requires also '-u'.
+'-b', '-df', '-'o' and '-r' requires also '-u'.
 
 [args_json]
 '-o json' currently requires '-b'.

diff --git a/i10n/details_es.txt b/i10n/details_es.txt
@@ -642,6 +642,9 @@ Cabeceras de respuesta HTTP
 [analysis_wait_note]
  Nota : El análisis puede no ser fiable por el tiempo que tardó en responder la URL.
 
+[analysis_redirects]
+ Nota : Se ha indicado expresamente analizar la URL exacta, sin seguir redirecciones.
+
 [analysis_output]
  Analizando URL y guardando el informe, espera por favor ...
 
@@ -1154,7 +1157,7 @@ Windows está excluido en este análisis (debería funcionar con Cygwin//MSYS2/W
 '-l' requiere '-u' o '-a'.
 
 [args_several]
-'-b', -'o' y '-r' requieren '-u'.
+-b', '-df', -'o' y '-r' requieren '-u'.
 
 [args_json]
 '-o json' requiere, por ahora, '-b'.