Growing together! #19
It would be a good idea to register a Humble formula in Homebrew, which is one of the most popular package managers for macOS and Linux, and which also greatly simplifies the compilation and installation of libraries and dependencies.
Hi, @jdelamo3 I have “zero” experience in the macOS and Homebrew worlds :); but I promise to take a look and see what the process is like. Regards,
Hi, @jdelamo3 Reviewing the necessary steps to make your suggestion possible ... we will keep in touch. Best regards,
Check for security headers via meta tags. In this report for
Hello, @cr4zyfish Good suggestions, thanks! I will take them into account. Regards,
Hi, @cr4zyfish Check out this commit: aeabd4b 'humble' checks, thanks to your suggestion, the values of headers defined via meta tags. For now two of them; I will improve this functionality. I've added you at https://github.com/rfc-st/humble/?tab=readme-ov-file#acknowledgements. Thanks & regards!
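As an added illustration of the meta-tag check discussed in this comment (example code written for this thread, not humble's own implementation), the snippet below collects every `<meta http-equiv="...">` declaration from an HTML body, merges it with the real HTTP response headers, and flags headers that exist only as meta tags. The point a practitioner cares about: browsers honour only some headers delivered this way (Content-Security-Policy, minus a few directives, and Referrer-Policy), while others such as X-Frame-Options are silently ignored in a meta tag, so a meta-only declaration of those gives no protection. The sample HTML and response headers are constructed for the demo.

```python
"""Collect security headers declared in <meta http-equiv> tags and compare them
with the real HTTP response headers. Hypothetical example; not humble's code."""
from html.parser import HTMLParser

# Browsers honour only some headers when they are delivered via <meta http-equiv>:
# Content-Security-Policy (minus directives such as frame-ancestors, report-uri and
# sandbox) and Referrer-Policy are applied; X-Frame-Options in a meta tag is ignored.
META_HONOURED = {"content-security-policy", "referrer-policy"}


class MetaHeaderParser(HTMLParser):
    """Records every <meta http-equiv="NAME" content="VALUE"> as NAME -> [VALUE, ...]."""

    def __init__(self):
        super().__init__()
        self.meta_headers = {}

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        header = attr.get("http-equiv", "").strip().lower()
        if header:
            self.meta_headers.setdefault(header, []).append(attr.get("content", "").strip())


def extract_meta_headers(html):
    """Return {header_name_lowercase: [values]} found in the document's meta tags."""
    parser = MetaHeaderParser()
    parser.feed(html)
    parser.close()
    return parser.meta_headers


def merge_headers(response_headers, html):
    """Merge HTTP headers and meta-tag headers into {name: [(source, value), ...]}."""
    merged = {}
    for name, value in response_headers.items():
        merged.setdefault(name.lower(), []).append(("http", value))
    for name, values in extract_meta_headers(html).items():
        for value in values:
            merged.setdefault(name, []).append(("meta", value))
    return merged


def meta_only_findings(merged):
    """Headers present only as meta tags, paired with whether a browser will honour them.
    A header that is meta-only and not honoured gives no protection at all."""
    return [
        (name, name in META_HONOURED)
        for name, sources in merged.items()
        if all(source == "meta" for source, _ in sources)
    ]


# Constructed sample document and response headers (not from a real site).
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<meta http-equiv="X-Frame-Options" content="DENY">
<meta name="viewport" content="width=device-width">
</head><body></body></html>"""

SAMPLE_RESPONSE_HEADERS = {"Referrer-Policy": "strict-origin-when-cross-origin"}

if __name__ == "__main__":
    for name, honoured in meta_only_findings(merge_headers(SAMPLE_RESPONSE_HEADERS, SAMPLE_HTML)):
        status = "honoured by browsers" if honoured else "IGNORED by browsers: send it as an HTTP header"
        print(f"{name}: defined only via <meta>, {status}")
```

Running the block lists the CSP meta tag as honoured and the X-Frame-Options meta tag as ignored, which is the case a report should call out explicitly rather than counting the header as "present".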
I scanned a target; it has this header: The result:
Why is there a warning here? Is anything wrong with this header reported in
Is it a necessary header? Maybe more explanation is needed for the user why
These headers are in my target:
but the report says:
The value of Connection is Keep-Alive, but still this result shows up in the scan.
Hi, @cr4zyfish Regarding 'Cache-Control', the warning is more of a recommendation (hence the indication of 'Recommended Values'), to completely avoid caching resources that may be associated with sensitive information, if indeed there is any in the URL being analyzed. Regarding NEL, 'humble' not only analyzes the set of HTTP response headers considered secure by OWASP, but is much stricter and more comprehensive, extending checks to more headers, including experimental ones: https://github.com/rfc-st/humble/?tab=readme-ov-file#checks-deprecated-headersprotocols-and-insecure-values & https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/NEL Regarding 'X-XSS-Protection', indeed, I will include an additional reference indicating why '1; mode=block' is not recommended: in some cases XSS protection can create XSS vulnerabilities (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection) and also this header is deprecated in the three major web browsers. (You can always use the -s parameter in 'humble', excluding the HTTP headers of your choice from the analysis.) And finally, regarding 'Keep-Alive', it seems the value for that header should be exactly 'keep-alive', according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Connection. Thanks & regards!
Hi, @cr4zyfish Check out this commit: 07fcb54 Thanks to your suggestion, I have improved the message and the reference associated with checking for values other than '0' in the 'X-XSS-Protection' header. Regards!
Hi, @cr4zyfish Check out this commit: 7bf8632 You were absolutely right: now 'humble', when checking for missing HTTP headers (e.g. 'NEL'), shows whether the header is Experimental or not, based on https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers: It's a start; I will think of ways to improve these messages. Regards!
Hi, @cr4zyfish Take a look at this. I think 'humble' now reflects more clearly everything related to experimental HTTP headers :). Regards!
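To make the three value checks discussed in this exchange concrete, here is an added example (written for this thread; not humble's code, and the recommended values it encodes are assumptions, not the tool's rule set). Cache-Control produces a recommendation rather than an error when `no-store` is absent; X-XSS-Protection is flagged for any value other than `0`, since the legacy filter is deprecated and `1; mode=block` has been used to create XSS conditions; Connection is reported only informationally, because HTTP connection options are case-insensitive (RFC 9110) even though the documented form is lowercase `keep-alive`. The sample headers are constructed to mirror the ones reported above.

```python
"""Value checks for the three headers discussed above. Hypothetical example code,
not humble's own implementation; recommended values are assumptions."""


def parse_directives(value):
    """Split 'a, b=1, C' into the set {'a', 'b', 'c'} of lowercase directive names."""
    return {part.strip().split("=", 1)[0].lower() for part in value.split(",") if part.strip()}


def check_cache_control(value):
    """Recommendation, not an error: a response that may carry sensitive data should
    say 'no-store' so that neither browsers nor intermediaries keep a copy."""
    if "no-store" in parse_directives(value):
        return None
    return ("Cache-Control", "RECOMMENDATION",
            f"'{value}' allows caching; use 'no-store' if the URL may return sensitive data")


def check_x_xss_protection(value):
    """Only '0' is safe: the legacy filter is deprecated in the major browsers and
    '1; mode=block' has been used to create, not prevent, XSS conditions."""
    if value.strip() == "0":
        return None
    return ("X-XSS-Protection", "WARNING",
            f"'{value}' enables a deprecated filter; set '0' or remove the header")


def check_connection(value):
    """Connection options are case-insensitive (RFC 9110), so 'Keep-Alive' works;
    the form documented by MDN is lowercase, which is why a strict check flags it."""
    stripped = value.strip()
    if stripped == "keep-alive" or stripped.lower() != "keep-alive":
        return None  # exact documented form, or a value this check is not about
    return ("Connection", "INFO",
            f"'{value}' is accepted by servers and browsers; the documented form is 'keep-alive'")


CHECKS = {
    "cache-control": check_cache_control,
    "x-xss-protection": check_x_xss_protection,
    "connection": check_connection,
}


def analyze(headers):
    """Run each value check on a {header: value} dict; return (header, level, message) findings."""
    findings = []
    for name, value in headers.items():
        check = CHECKS.get(name.lower())
        if check is not None:
            finding = check(value)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed response headers mirroring the ones reported in the thread.
SAMPLE_HEADERS = {
    "Cache-Control": "max-age=3600, public",
    "X-XSS-Protection": "1; mode=block",
    "Connection": "Keep-Alive",
    "Content-Type": "text/html; charset=utf-8",
}

if __name__ == "__main__":
    for header, level, message in analyze(SAMPLE_HEADERS):
        print(f"[{level}] {header}: {message}")
```

Separating the severity levels (RECOMMENDATION, WARNING, INFO) is what answers the "why is there a warning here?" question in the report itself: the reader sees at a glance which finding is a hardening suggestion and which is an actively harmful value.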
I have a humble feature request. Is it possible to show which headers are present (like in "test passed")? Would be nice to have that in JSON output too! Thanks!
Hi, @vincentcox Thanks for your suggestion: on which specific HTTP response headers would you want to see if they have passed or not? humble, currently, has 113 checks (focused on insecure values or those considered deprecated), 14 checks (focused on missing headers) and 1186 checks (focused on fingerprint headers). Do you have an example, in text, of what you would like to see displayed? Additionally, with the '-r' parameter humble shows the HTTP response headers enabled on the analyzed URL. Regards!
@rfc-st Thanks for the reply. To show you what I mean, I can best show it with the tool shcheck, a similar tool to yours.
It would be nice to see which security headers are present in this tool too. It would be nice to have this too in this tool. I find this tool more reliable than shcheck, because this tool can properly follow redirections and if you check I don't know how hard it is to implement, but if it's not much work it would be highly appreciated! I think this is easiest done in the
In this pseudo code the present headers will be given when the flag "-p" is given. It will also output it if JSON output is used.
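An added, runnable sketch of what this request describes: a report that lists present ("passed") headers only when a `-p` flag is given, applies the same rule to a JSON view so the two outputs stay consistent, and marks missing headers that MDN badges as experimental (the NEL case from earlier in the thread). This is example code written for this thread, not humble's implementation or its real output format; the expected-header list, the `-p`/`-j` flags and the sample response headers are assumptions constructed for the demo.

```python
"""Report which expected security headers are present ('passed') and which are
missing, with an optional JSON view. Hypothetical example, not humble's own code
or output format; the header list and the -p/-j flags are assumptions."""
import argparse
import json

# (header, experimental?): the flag follows MDN's "Experimental" badge, as in the thread's NEL case.
EXPECTED_HEADERS = [
    ("Content-Security-Policy", False),
    ("Strict-Transport-Security", False),
    ("X-Content-Type-Options", False),
    ("X-Frame-Options", False),
    ("Referrer-Policy", False),
    ("NEL", True),
]


def presence_report(headers):
    """Classify the expected headers as present (with their value) or missing."""
    lowered = {name.lower(): value for name, value in headers.items()}
    report = {"present": [], "missing": []}
    for name, experimental in EXPECTED_HEADERS:
        value = lowered.get(name.lower())
        if value is not None:
            report["present"].append({"header": name, "value": value})
        else:
            report["missing"].append({"header": name, "experimental": experimental})
    return report


def render_text(report, show_present):
    """Text view; present headers are listed only when -p is given."""
    lines = []
    if show_present:
        lines.append("[passed] present headers:")
        lines.extend(f"  {item['header']}: {item['value']}" for item in report["present"])
    lines.append("[missing] headers:")
    for item in report["missing"]:
        tag = " (experimental)" if item["experimental"] else ""
        lines.append(f"  {item['header']}{tag}")
    return "\n".join(lines)


def render_json(report, show_present):
    """JSON view with the same -p rule, so both outputs stay consistent."""
    out = {"missing": report["missing"]}
    if show_present:
        out["present"] = report["present"]
    return json.dumps(out, indent=2)


# Constructed response headers for the demo (not a real scan).
SAMPLE_RESPONSE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html; charset=utf-8",
}


def main(argv=None):
    """Parse -p/-j and return the rendered report as a string."""
    parser = argparse.ArgumentParser(description="present/missing security headers demo")
    parser.add_argument("-p", "--present", action="store_true", help="also list present headers")
    parser.add_argument("-j", "--json", action="store_true", help="emit JSON instead of text")
    args = parser.parse_args(argv)
    report = presence_report(SAMPLE_RESPONSE_HEADERS)
    return render_json(report, args.present) if args.json else render_text(report, args.present)


if __name__ == "__main__":
    print(main())
```

Keeping the "present" list behind the same flag in both renderers avoids the situation where the JSON consumer and the terminal user see different sets of headers for the same scan; the `experimental` field lets a downstream report template explain a missing NEL without hard-coding that knowledge in the template.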
Hi, @vincentcox Allow me to show you a couple of WIP screenshots (brief and detailed analysis, and JSON export) :): Let's see if I can finish everything today (I have to check the formatting when exporting to HTML, JSON, CSV, etc.). I'll let you know! Regards,
Hi, @vincentcox I do not see, at least today, how to make this functionality possible :). I've been stuck for quite some time with the formatting of this new feature, especially when it comes to exporting it to HTML/PDF ... I hope to make progress in the next few days. Regards,
Hi, @vincentcox, Take a look at this commit: 473cce4 ... I think you might be interested! :) I have mentioned you in the acknowledgements ... great idea! Regards.
Hi @vincentcox, Thanks for the PR! Accepted. Regards,
What is 'humble' missing? Being reasonable :):
Let's use this issue to talk about the shortcomings of 'humble' (without preventing specific issues from being created for specific topics) and about ideas to make it more interesting and accessible for everyone. With total freedom and regardless of your technical knowledge,
I have the healthy habit of thanking all the contributions that result in an improvement of this tool: https://github.com/rfc-st/humble/?tab=readme-ov-file#acknowledgements .
Thanks for your time!