kylefang/mitmproxy
1
0
Fork 0
mirror of https://github.com/zhigang1992/mitmproxy.git synced 2026-04-10 22:46:51 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
c0edb7ddec28734420bc75ee8bd69a4e3d670a01
mitmproxy/scripts/gui/audit.js
Maximilian Hils c0edb7ddec add report scripts and dnschef script
2013-08-07 18:37:22 +02:00

103 lines
3.4 KiB
JavaScript
Raw Blame History

/*
* This report script checks for common security shortcomings on webapges
*/
//you can get the flow id by hovering over the leftmost 10px of the traffic table.
var flow_id = 41;
var flow = traffic.get(flow_id);
if(!flow) {
alert("Flow not found!");
} else {
domConstruct.create("h2",{innerHTML:"Audit for "+_.escape(RequestUtils.getFullPath(flow.request))},out);
domConstruct.create(
"p",
{
innerHTML:
"Please note that this audit checks for best practices, not for security holes. "+
"A website can be fully secure with all headers absent. "+
"However, usually it's a good idea to limit the possible impact of security breaches in your page by specifying these headers."}, out);
var result = {
"Good": [],
"Neutral": [],
"Bad": []
};
var style = {
"Good":"color: green",
"Neutral":"",
"Bad":"color: red"
}
function goodHeader(name, value) {
result.Good.push("The page is served with a limiting <code>"+name+"</code> header: <code>"+_.escape(value)+"</code>");
}
function badHeader(name, suffix) {
result.Bad.push("The page is not served with a <code>"+name+"</code> header" + (suffix || "."));
}
// X-Frame-Options Header
var xFrameOptions = ResponseUtils.getHeader(flow.response,/X-Frame-Options/i);
if(!xFrameOptions || !xFrameOptions.match(/Deny|SameOrigin|Allow-From/i)) {
badHeader("X-Frame-Options"," and is vulnerable to clickjacking therefore.");
} else {
goodHeader("X-Frame-Options",xFrameOptions);
}
// Strict-Transport-Security Header
var isSSL = (flow.request.scheme === "https");
if(isSSL){
var stt = ResponseUtils.getHeader(flow.response,/Strict-Transport-Security/i);
if(!stt) {
badHeader("Strict-Transport-Security"," and is vulnerable to man-in-the-middle attacks therefore.");
} else if(!stt.match(/includeSubDomains/i)) {
result.Neutral.push("The page is served with a limiting <code>Strict-Transport-Security</code> header. However, the header does not cover subdomains: <code>"+_.escape(stt)+"</code>");
} else {
goodHeader("Strict-Transport-Security",stt);
}
} else {
result.Neutral.push("The page is not secured by SSL.");
}
// X-Content-Security-Policy
var xCSP = ResponseUtils.getHeader(flow.response,/X-Content-Security-Policy/i);
if(xCSP) {
goodHeader("X-Content-Security-Policy",xCSP);
} else {
badHeader("X-Content-Security-Policy",". You should list all valid sources for scripts.");
}
// X-Content-Type-Options
var xCTO = ResponseUtils.getHeader(flow.response,/X-Content-Type-Options/i);
var CT = ResponseUtils.getHeader(flow.response,/Content-Type/i);
if(!CT)
badHeader("Content-Type",". Always specify a valid MIME type!");
if(CT && xCTO && !!xCTO.match(/nosniff/i)) {
goodHeader("X-Content-Type-Options",xCTO);
} else {
badHeader("X-Content-Type-Options",". This is a security feature that helps prevent attacks based on MIME-type confusion.");
}
// X-XSS-Protection
var xXSSP = ResponseUtils.getHeader(flow.response,/X-XSS-Protection/i);
if(xXSSP) {
goodHeader("X-XSS-Protection",xXSSP);
} else {
badHeader("X-XSS-Protection",".");
}
//Output
for(i in result){
domConstruct.create("h3",{innerHTML:i, style: style[i]},out);
var ul = domConstruct.create("ul",{},out);
result[i].forEach(function(bp){
domConstruct.create("li",{"innerHTML":bp},ul);
});
}
detailView.showDetails(flow);
}
Reference in New Issue View Git Blame Copy Permalink