Nmap Development mailing list archives

Re: NSE script contribution - clickjacking-prevent-check


From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 10 Jan 2017 14:23:39 -0600

Ícaro,

Thanks for this contribution. I notice that both this and http-hsts-verify
are simply analysis of returned HTTP headers, reporting potential
vulnerabilities in the target web app. I think that the best approach here
would be to have a single script to check for those security issues that
can be determined from a single request's response headers. The script
would be called http-vuln-headers and would cover most of the things from
the OWASP Secure Headers project [1] (CSP, HSTS, clickjacking, content
sniffing, etc.). We could even extend it to cover cookie issues like
HttpOnly and Secure (if HTTPS).

Having a separate script from http-headers makes sense because it allows
users to select it based on the "vuln" category. Proper use of the http
caching options would help reduce the number of requests sent.

Dan


[1] https://www.owasp.org/index.php/OWASP_Secure_Headers_Project

On Tue, Jan 3, 2017 at 6:44 PM, Ícaro Torres <icaro.redes.ifpb () gmail com>
wrote:

Hello,

I would like to contribute another NSE script to the Nmap Project.
This one verifies if X-Frame-Options (RFC 7034) is enabled in a web
service and shows the permissive level configured. This subject is listed in
the "OWASP Testing Guide v4" (OWASP project:
https://www.owasp.org/index.php?title=Testing_for_Clickjacking_(OTG-CLIENT-009)&setlang=en)
and I think it is a good topic to observe in the hardening process of a web
service.

The script is attached.

Best regards.

--

Ícaro Torres
Computer Networks Technologist - IFPB
Postgraduate in Information Security - IDEZ college
Twitter: @IcaroTorres

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

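As an added illustration of the single-response header analysis Dan proposes (this is example code written for this page, not code from the Nmap project or from the submitted NSE script), the following standalone Python module parses one raw HTTP response and applies the checks named in the thread: X-Frame-Options per RFC 7034, HSTS, CSP (including frame-ancestors, the CSP counterpart of clickjacking protection), X-Content-Type-Options, and the HttpOnly/Secure cookie attributes. The two sample responses are constructed, and the one-year HSTS max-age threshold and the ok/weak/vuln/info labels are this example's own choices, not anything the thread specifies.

```python
"""Evaluate the security headers of a single HTTP response (added example).

Not part of Nmap or the posted NSE script. The severity labels and the
one-year HSTS threshold are choices made for this illustration.
"""
import re

ONE_YEAR = 31536000  # seconds; assumed minimum max-age for a useful HSTS policy


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers).

    Headers map lowercase names to a list of values, because Set-Cookie
    (and, on misconfigured servers, X-Frame-Options) may repeat.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def check_frame_options(headers):
    """Classify X-Frame-Options per RFC 7034: DENY, SAMEORIGIN, ALLOW-FROM uri."""
    vals = headers.get("x-frame-options", [])
    if not vals:
        return ("vuln", "header absent: any site may frame this page")
    if len(vals) > 1:
        return ("vuln", "multiple X-Frame-Options headers: conflicting values are unreliable")
    v = vals[0].upper()
    if v == "DENY":
        return ("ok", "DENY: framing never allowed")
    if v == "SAMEORIGIN":
        return ("ok", "SAMEORIGIN: framing allowed only from the same origin")
    if v.startswith("ALLOW-FROM "):
        return ("weak", "ALLOW-FROM %s: permissive, and not honored by every browser" % vals[0][11:])
    return ("vuln", "invalid value %r: not a recognised directive" % vals[0])


def check_hsts(headers, is_https):
    """HSTS is only meaningful on a TLS response; check presence and max-age."""
    vals = headers.get("strict-transport-security", [])
    if not is_https:
        return ("info", "plain HTTP: HSTS is only honored over TLS")
    if not vals:
        return ("vuln", "header absent: no HSTS policy")
    m = re.search(r'max-age\s*=\s*"?(\d+)', vals[0], re.I)
    if not m:
        return ("vuln", "max-age missing: policy is invalid")
    age = int(m.group(1))
    if age == 0:
        return ("vuln", "max-age=0: policy removed")
    if age < ONE_YEAR:
        return ("weak", "max-age=%d is shorter than one year" % age)
    sub = ", includeSubDomains" if "includesubdomains" in vals[0].lower() else ""
    return ("ok", "max-age=%d%s" % (age, sub))


def check_csp(headers):
    """Parse CSP directives; look for frame-ancestors and inline-script allowances."""
    vals = headers.get("content-security-policy", [])
    if not vals:
        return ("vuln", "header absent")
    directives = {}
    for d in vals[0].split(";"):
        tokens = d.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    notes = []
    if "frame-ancestors" not in directives:
        notes.append("no frame-ancestors (CSP does not restrict framing)")
    scripts = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in scripts:
        notes.append("script-src allows 'unsafe-inline'")
    return ("weak" if notes else "ok", "; ".join(notes) or "present with frame-ancestors")


def check_nosniff(headers):
    vals = headers.get("x-content-type-options", [])
    if vals and vals[0].lower() == "nosniff":
        return ("ok", "nosniff")
    return ("vuln", "absent or not nosniff: MIME sniffing possible")


def check_cookies(headers, is_https):
    """Every Set-Cookie should carry HttpOnly, and Secure when served over TLS."""
    cookies = headers.get("set-cookie", [])
    if not cookies:
        return ("info", "no cookies set")
    findings = []
    for sc in cookies:
        parts = [p.strip() for p in sc.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [f for f, present in (("HttpOnly", "httponly" in attrs),
                                        ("Secure", not is_https or "secure" in attrs)) if not present]
        if missing:
            findings.append("%s lacks %s" % (name, "/".join(missing)))
    ok_msg = "all cookies have HttpOnly%s" % (" and Secure" if is_https else "")
    return ("vuln" if findings else "ok", "; ".join(findings) or ok_msg)


def analyze(raw, is_https):
    """Run every check over one response; returns {header: (level, note)}."""
    _status, headers = parse_response(raw)
    return {
        "x-frame-options": check_frame_options(headers),
        "strict-transport-security": check_hsts(headers, is_https),
        "content-security-policy": check_csp(headers),
        "x-content-type-options": check_nosniff(headers),
        "set-cookie": check_cookies(headers, is_https),
    }


def vulnerable(report):
    """Names of the checks that came back 'vuln', in report order."""
    return [name for name, (level, _) in report.items() if level == "vuln"]


# Constructed sample responses (not captured from any real server).
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
          b"Strict-Transport-Security: max-age=86400\r\n"
          b"Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
          b"Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
          b"Set-Cookie: theme=dark; Path=/\r\n\r\n<html></html>")
HARDENED = (b"HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
            b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
            b"X-Content-Type-Options: nosniff\r\n"
            b"Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n\r\n")

if __name__ == "__main__":
    for name, (level, note) in analyze(SAMPLE, is_https=True).items():
        print("%-26s %-5s %s" % (name, level, note))
```

Because every check reads the same parsed header table, one request (or one cached response, as Dan notes) is enough for the whole report; the script only needs to know whether the response came over TLS to decide which HSTS and Secure-cookie verdicts apply.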
