Feature: 4 new insecure checks

Want-Content-Digest: No Secure Algorithms Want-Content-Digest: Unsafe Algorithms Want-Repr-Digest: No Secure Algorithms Want-Repr-Digest: Unsafe Algorithms
rfc-st · Dec 13, 2024 · 0865d1c · 0865d1c
1 parent 9ffbcb3
commit 0865d1c
Show file tree

Hide file tree

Showing 6 changed files with 110 additions and 34 deletions.
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@
 <a target="_blank" href="https://www.python.org/downloads/" title="Minimum Python version required to run this tool"><img src="https://img.shields.io/badge/Python-%3E%3D3.8-blue?labelColor=343b41"></a>
 <a target="_blank" href="LICENSE" title="License of this tool"><img src="https://img.shields.io/badge/License-MIT-blue.svg?labelColor=343b41"></a>
 <a target="_blank" href="https://github.com/rfc-st/humble/releases" title="Latest release of this tool"><img src="https://img.shields.io/github/v/release/rfc-st/humble?display_name=release&label=Latest%20Release&labelColor=343b41"></a>
-<a target="_blank" href="https://github.com/rfc-st/humble/commits/master" title="Latest commit of this tool"><img src="https://img.shields.io/badge/Latest_Commit-2024--12--07-blue.svg?labelColor=343b41"></a>
+<a target="_blank" href="https://github.com/rfc-st/humble/commits/master" title="Latest commit of this tool"><img src="https://img.shields.io/badge/Latest_Commit-2024--12--13-blue.svg?labelColor=343b41"></a>
 <a target="_blank" href="https://github.com/rfc-st/humble/actions?query=workflow%3ACodeQL" title="Results of the last analysis of this tool with CodeQL"><img src="https://github.com/rfc-st/humble/workflows/CodeQL/badge.svg"></a>
 <a target="_blank" href="https://pkg.kali.org/pkg/humble" title="Official tool in Kali Linux"><img src="https://img.shields.io/badge/Kali%20Linux-Tool-blue?labelColor=343b41"></a>
 <br />
@@ -53,10 +53,10 @@
 
 ## Features
 
-:heavy_check_mark: 56 [checks](#checks-enabled-headers) for enabled security-related HTTP response headers.<br />
+:heavy_check_mark: 58 [checks](#checks-enabled-headers) for enabled security-related HTTP response headers.<br />
 :heavy_check_mark: 14 [checks](#checks-missing-headers) for missing security-related HTTP response headers (the ones I consider essential).<br />
 :heavy_check_mark: 1186 [checks](#checks-fingerprint-headers) for fingerprinting through HTTP response headers.<br />
-:heavy_check_mark: 122 [checks](#checks-deprecated-headersprotocols-and-insecure-values) for deprecated HTTP response headers/protocols or with insecure/wrong values.<br />
+:heavy_check_mark: 126 [checks](#checks-deprecated-headersprotocols-and-insecure-values) for deprecated HTTP response headers/protocols or with insecure/wrong values.<br />
 :heavy_check_mark: SSL/TLS checks: requires the **amazing** https://testssl.sh/.<br />
 :heavy_check_mark: Browser support references for enabled HTTP security headers: provided by https://caniuse.com/.<br />
 :heavy_check_mark: Two types of analysis: brief and detailed, along with HTTP response headers.<br />

diff --git a/additional/insecure.txt b/additional/insecure.txt
@@ -117,7 +117,11 @@ Tk: Deprecated Header
 Trailer: Disallowed Directives
 Transfer-Encoding: No Valid Directives
 Vary: Potentially Unsafe Header
+Want-Content-Digest: No Secure Algorithms
+Want-Content-Digest: Unsafe Algorithms
 Want-Digest: Deprecated Header
+Want-Repr-Digest: No Secure Algorithms
+Want-Repr-Digest: Unsafe Algorithms
 Warning: Deprecated Header
 WWW-Authenticate: Unsafe Value
 X-Content-Security-Policy: Deprecated Header

diff --git a/additional/security.txt b/additional/security.txt
@@ -67,6 +67,8 @@ Set-Cookie
 Set-Login
 Strict-Transport-Security
 Supports-Loading-Mode
+Want-Content-Digest
+Want-Repr-Digest
 WWW-Authenticate
 X-Content-Security-Policy
 X-Content-Security-Policy-Report-Only

diff --git a/humble.py b/humble.py
@@ -133,7 +133,7 @@
 URL_STRING = ('rfc-st', ' URL  : ', 'caniuse')
 
 current_time = datetime.now().strftime("%Y/%m/%d - %H:%M:%S")
-local_version = datetime.strptime('2024-12-07', '%Y-%m-%d').date()
+local_version = datetime.strptime('2024-12-13', '%Y-%m-%d').date()
 
 
 class SSLContextAdapter(requests.adapters.HTTPAdapter):
@@ -1858,7 +1858,8 @@ def custom_help_formatter(prog):
          'SourceMap', 'Speculation-Rules', 'Strict-Dynamic',
          'Supports-Loading-Mode', 'Surrogate-Control', 'Timing-Allow-Origin',
          'Tk', 'Trailer', 'Transfer-Encoding', 'Vary', 'Want-Digest',
-         'Warning', 'WWW-Authenticate', 'X-Content-Security-Policy',
+         'Want-Content-Digest', 'Want-Repr-Digest', 'Warning',
+         'WWW-Authenticate', 'X-Content-Security-Policy',
          'X-Content-Security-Policy-Report-Only', 'X-DNS-Prefetch-Control',
          'X-Download-Options', 'X-Pad', 'X-Pingback', 'X-Robots-Tag',
          'X-Runtime', 'X-SourceMap', 'X-UA-Compatible', 'X-Webkit-CSP',
@@ -1888,8 +1889,11 @@ def custom_help_formatter(prog):
             '*')
 
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Digest
-t_contdig_sec = ('sha-256', 'sha-512')
-t_contdig_ins = ('adler', 'crc32c', 'md5', 'sha-1', 'unixsum', 'unixcksum')
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Repr-Digest
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Want-Content-Digest
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Want-Repr-Digest
+t_digest_sec = ('sha-256', 'sha-512')
+t_digest_ins = ('adler', 'crc32c', 'md5', 'sha-1', 'unixsum', 'unixcksum')
 
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition
 t_contdisp = ('filename', 'filename*')
@@ -2015,10 +2019,6 @@ def custom_help_formatter(prog):
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Refresh
 t_refresh = ('QA==', '@')
 
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Repr-Digest
-t_repdig_sec = ('sha-256', 'sha-512')
-t_repdig_ins = ('adler', 'crc32c', 'md5', 'sha-1', 'unixsum', 'unixcksum')
-
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
 t_cookie_prf = ('__Host-', '__Secure-')
 t_cookie_sec = ('httponly', 'secure')
@@ -2144,9 +2144,9 @@ def custom_help_formatter(prog):
 
 contdig_header = headers_l.get('content-digest', '')
 if contdig_header and '12' not in skip_list:
-    if not any(elem in contdig_header for elem in t_contdig_sec):
+    if not any(elem in contdig_header for elem in t_digest_sec):
         print_details('[icontdig_h]', '[icontdig]', 'd', i_cnt)
-    if any(elem in contdig_header for elem in t_contdig_ins):
+    if any(elem in contdig_header for elem in t_digest_ins):
         print_details('[icontdigi_h]', '[icontdigi]', 'm', i_cnt)
 
 if 'content-dpr' in headers_l and '13' not in skip_list:
@@ -2355,9 +2355,9 @@ def custom_help_formatter(prog):
 
 repdig_header = headers_l.get('repr-digest', '')
 if repdig_header and '48' not in skip_list:
-    if not any(elem in repdig_header for elem in t_repdig_sec):
+    if not any(elem in repdig_header for elem in t_digest_sec):
         print_details('[irepdig_h]', '[irepdig]', 'd', i_cnt)
-    if any(elem in repdig_header for elem in t_repdig_ins):
+    if any(elem in repdig_header for elem in t_digest_ins):
         print_details('[irepdigi_h]', '[irepdigi]', 'm', i_cnt)
 
 if 'server-timing' in headers_l and '49' not in skip_list:
@@ -2443,76 +2443,90 @@ def custom_help_formatter(prog):
 if 'vary' in headers_l and '62' not in skip_list:
     print_details('[ixvary_h]', '[ixvary]', 'm', i_cnt)
 
-if 'want-digest' in headers_l and '63' not in skip_list:
+wcondig_header = headers_l.get('want-content-digest', '')
+if wcondig_header and '63' not in skip_list:
+    if not any(elem in wcondig_header for elem in t_digest_sec):
+        print_details('[iwcondig_h]', '[iwcondig]', 'd', i_cnt)
+    if any(elem in wcondig_header for elem in t_digest_ins):
+        print_details('[iwcondigi_h]', '[iwcondigi]', 'm', i_cnt)
+
+if 'want-digest' in headers_l and '64' not in skip_list:
     print_details('[ixwandig_h]', '[ixwandig]', 'd', i_cnt)
 
-if 'warning' in headers_l and '64' not in skip_list:
+wreprdig_header = headers_l.get('want-repr-digest', '')
+if wreprdig_header and '65' not in skip_list:
+    if not any(elem in wreprdig_header for elem in t_digest_sec):
+        print_details('[iwreprdig_h]', '[iwreprdig]', 'd', i_cnt)
+    if any(elem in wreprdig_header for elem in t_digest_ins):
+        print_details('[iwreprdigi_h]', '[iwreprdigi]', 'm', i_cnt)
+
+if 'warning' in headers_l and '66' not in skip_list:
     print_details('[ixwar_h]', '[ixward]', 'd', i_cnt)
 
 wwwa_header = headers_l.get('www-authenticate', '')
-if wwwa_header and unsafe_scheme and ('basic' in wwwa_header) and '65' not in \
+if wwwa_header and unsafe_scheme and ('basic' in wwwa_header) and '67' not in \
      skip_list:
     print_details('[ihbas_h]', '[ihbas]', 'd', i_cnt)
 
-if 'x-content-security-policy' in headers_l and '66' not in skip_list:
+if 'x-content-security-policy' in headers_l and '68' not in skip_list:
     print_details('[ixcsp_h]', '[ixcsp]', 'd', i_cnt)
 
-if 'x-content-security-policy-report-only' in headers_l and '67' not in \
+if 'x-content-security-policy-report-only' in headers_l and '69' not in \
      skip_list:
     print_details('[ixcspr_h]', '[ixcspr]', 'd', i_cnt)
 
-if 'x-content-type-options' in headers_l and '68' not in skip_list:
+if 'x-content-type-options' in headers_l and '70' not in skip_list:
     if ',' in headers_l['x-content-type-options']:
         print_details('[ictpd_h]', '[ictpd]', 'd', i_cnt)
     elif 'nosniff' not in headers_l['x-content-type-options']:
         print_details('[ictp_h]', '[ictp]', 'd', i_cnt)
 
-if headers_l.get('x-dns-prefetch-control', '') == 'on' and '69' not in \
+if headers_l.get('x-dns-prefetch-control', '') == 'on' and '71' not in \
      skip_list:
     print_details('[ixdp_h]', '[ixdp]', 'd', i_cnt)
 
-if 'x-download-options' in headers_l and '70' not in skip_list:
+if 'x-download-options' in headers_l and '72' not in skip_list:
     print_details('[ixdow_h]', '[ixdow]', 'm', i_cnt)
 
 xfo_header = headers_l.get('x-frame-options', '')
-if xfo_header and '71' not in skip_list:
+if xfo_header and '73' not in skip_list:
     if ',' in xfo_header:
         print_details('[ixfo_h]', '[ixfo]', 'm', i_cnt)
     if 'allow-from' in xfo_header:
         print_details('[ixfod_h]', '[ixfod]', 'm', i_cnt)
     if xfo_header not in t_xfo_dir:
         print_details('[ixfoi_h]', '[ixfodi]', 'm', i_cnt)
 
-if 'x-pad' in headers_l and '72' not in skip_list:
+if 'x-pad' in headers_l and '74' not in skip_list:
     print_details('[ixpad_h]', '[ixpad]', 'd', i_cnt)
 
 permcross_header = headers_l.get('x-permitted-cross-domain-policies', '')
-if permcross_header and '73' not in skip_list:
+if permcross_header and '75' not in skip_list:
     if not any(elem in permcross_header for elem in t_permcross):
         print_details('[ixpermcross_h]', '[ixpermcross]', 'm', i_cnt)
     if 'all' in permcross_header:
         print_details('[ixpermcrossu_h]', '[ixpermcrossu]', 'm', i_cnt)
     if ',' in permcross_header:
         print_details('[ixpermcrossd_h]', '[ixpermcrossd]', 'm', i_cnt)
 
-if headers_l.get('x-pingback', '').endswith('xmlrpc.php') and '74' not in \
+if headers_l.get('x-pingback', '').endswith('xmlrpc.php') and '76' not in \
      skip_list:
     print_details('[ixpb_h]', '[ixpb]', 'd', i_cnt)
 
 robots_header = headers_l.get('x-robots-tag', '')
-if robots_header and '75' not in skip_list:
+if robots_header and '77' not in skip_list:
     if not any(elem in robots_header for elem in t_robots):
         print_details('[ixrobv_h]', '[ixrobv]', 'm', i_cnt)
     if 'all' in robots_header:
         print_details('[ixrob_h]', '[ixrob]', 'm', i_cnt)
 
-if 'x-runtime' in headers_l and '76' not in skip_list:
+if 'x-runtime' in headers_l and '78' not in skip_list:
     print_details('[ixrun_h]', '[ixrun]', 'd', i_cnt)
 
-if 'x-sourcemap' in headers_l and '77' not in skip_list:
+if 'x-sourcemap' in headers_l and '79' not in skip_list:
     print_details('[ixsrc_h]', '[ixsrc]', 'd', i_cnt)
 
-if 'x-ua-compatible' in headers_l and '78' not in skip_list:
+if 'x-ua-compatible' in headers_l and '80' not in skip_list:
     print_details('[ixuacom_h]', '[ixuacom]', 'm', i_cnt)
 
 if http_equiv:
@@ -2521,13 +2535,13 @@ def custom_help_formatter(prog):
                              in tuple):
         print_details('[ixuameta_h]', '[ixuameta]', 'd', i_cnt)
 
-if 'x-webkit-csp' in headers_l and '79' not in skip_list:
+if 'x-webkit-csp' in headers_l and '81' not in skip_list:
     print_details('[ixwcsp_h]', '[ixcsp]', 'd', i_cnt)
 
-if 'x-webkit-csp-report-only' in headers_l and '80' not in skip_list:
+if 'x-webkit-csp-report-only' in headers_l and '82' not in skip_list:
     print_details('[ixwcspr_h]', '[ixcspr]', 'd', i_cnt)
 
-if 'x-xss-protection' in headers_l and '81' not in skip_list:
+if 'x-xss-protection' in headers_l and '83' not in skip_list:
     print_details('[ixxpdp_h]', '[ixxpdp]', 'm', i_cnt)
     if '0' not in headers_l['x-xss-protection']:
         print_details('[ixxp_h]', '[ixxp]', 'm', i_cnt)

diff --git a/l10n/details.txt b/l10n/details.txt
@@ -603,6 +603,18 @@
 [irepdigi_h]
  Repr-Digest (Unsafe Algorithms)
 
+[iwcondig_h]
+ Want-Content-Digest (No Secure Algorithms)
+
+[iwcondigi_h]
+ Want-Content-Digest (Unsafe Algorithms)
+
+[iwreprdig_h]
+ Want-Repr-Digest (No Secure Algorithms)
+
+[iwreprdigi_h]
+ Want-Repr-Digest (Unsafe Algorithms)
+
 [itim_h]
  Server-Timing (Potentially Unsafe Header)
 
@@ -1083,6 +1095,22 @@ HTTP Response Headers
  Unsafe algorithms should not be used as collisions can be forced.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Repr-Digest
 
+[iwcondig]
+ Include a secure algorithm.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Want-Content-Digest
+
+[iwcondigi]
+ Unsafe algorithms should not be used as collisions can be forced.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Want-Content-Digest
+
+[iwreprdig]
+ Include a secure algorithm.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Want-Repr-Digest
+
+[iwreprdigi]
+ Unsafe algorithms should not be used as collisions can be forced.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Want-Repr-Digest
+
 [iset]
  Enable 'Secure' and 'HttpOnly': to send it via HTTPS and not be accessed by client APIs.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

diff --git a/l10n/details_es.txt b/l10n/details_es.txt
@@ -604,6 +604,18 @@
 [irepdigi_h]
  Repr-Digest (Algoritmos inseguros)
 
+[iwcondig_h]
+ Want-Content-Digest (Sin algoritmos seguros)
+
+[iwcondigi_h]
+ Want-Content-Digest (Algoritmos inseguros)
+
+[iwreprdig_h]
+ Want-Repr-Digest (Sin algoritmos seguros)
+
+[iwreprdigi_h]
+ Want-Repr-Digest (Algoritmos inseguros)
+
 [itim_h]
  Server-Timing (Cabecera potencialmente insegura)
 
@@ -1088,6 +1100,22 @@ Cabeceras de respuesta HTTP
  No use algoritmos inseguros, ya que se pueden forzar colisiones.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Repr-Digest
 
+[iwcondig]
+ Incluya un algoritmo seguro.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Want-Content-Digest
+
+[iwcondigi]
+ No use algoritmos inseguros, ya que se pueden forzar colisiones.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Want-Content-Digest
+
+[iwreprdig]
+ Incluya un algoritmo seguro.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Want-Repr-Digest
+
+[iwreprdigi]
+ No use algoritmos inseguros, ya que se pueden forzar colisiones.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Want-Repr-Digest
+
 [iset]
  Habilite 'Secure' y 'HttpOnly': para enviarla mediante HTTPS y evitar que sea accedida por APIs.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie