#!/bin/bash
# ANSI colour escapes. They are stored as literal backslash sequences and only
# turned into real escape bytes when printed with `echo -e` / `printf '%b'`.
readonly RED='\033[31m'
readonly GREEN='\033[32m'
readonly YELLOW='\033[33m'
readonly BLUE='\033[34m'
readonly NC='\033[0m'
# Result prefixes: coloured label followed by a colour reset.
readonly FAIL="${RED}FAIL: ${NC}"
readonly ERROR="${RED}ERROR: ${NC}"
readonly PASS="${GREEN}PASS: ${NC}"
readonly INFO="${BLUE}INFO: ${NC}"
readonly UNKNOWN="${YELLOW}UNKNOWN: ${NC}"
# Default curl timeouts, in seconds: connection phase and whole transfer.
readonly CONNECTMAX=60
readonly MAXTIME=32
# Space-separated option list; it is expanded unquoted on purpose so that
# the shell splits it into separate curl arguments.
readonly CURLOPTS="--connect-timeout ${CONNECTMAX} --max-time ${MAXTIME}"
# Usage text printed by -h and on argument errors (${0} expands to the script name).
HELP=$(cat <<EOF
This script scans a given URL to check for various security details.
1. Check that an http (non-secure) version of the URL redirects to an https
URL.
2. Check that the redirected https URL returns a status code in the range
200-399 (success)
3. Check that HSTS Strict-Transport-Security is present in the headers.
For more information please see LINKHERE
Usage: ${0} [OPTIONS] URL
Where URL is a URL you want to check and OPTIONS is one of:
-d: Include debug information. This includes extra information about response
data. Does nothing if -c is present.
-h: This help message and exit.
-c: CSV output. This is a very compact output of comma separated values
Data is returned in the following order:
- URL_PROVIDED: The URL provided to the script
- URL_REDIRECTED_TO: The URL the site redirected to when requesting via
http.
- HTTP_REDIRECT_TO_HTTPS[yes|no]: Whether or not an HTTP request redirects to
HTTPS.
- HTTPS_SUCCESS[yes|no]: Whether or not an HTTPS request returned a status code
in the range200-399.
- HSTS_ENABLED[yes|no]: Whether or not Strict-Transport-Security headers are set.
This mode is useful for batch calls.
Note that this script requires curl, and sed.
EOF
)
readonly HELP
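DEBUG=0
CSV=0
# Option letters understood by getopts; none of them takes an argument.
readonly options='dch'
while getopts "$options" option; do
  case "$option" in
    d) DEBUG=1 ;;
    c) CSV=1 ;;
    h) printf '%s\n' "$HELP"; exit 0 ;;
    # Only reachable if an option with an argument is ever added to $options.
    :) printf '%s\n' "$HELP"; printf 'Missing option argument for -%s\n' "$option" >&2; exit 1 ;;
    # Diagnostics go to stderr so CSV consumers on stdout never see them.
    *) printf '%s\n' "$HELP"; printf '%b\n' "${ERROR}Unexpected option ${option}" >&2; exit 1 ;;
  esac
done
shift $((OPTIND - 1))
# Exactly one positional argument, the URL or host to check, is required.
if [[ -z "${1-}" ]]; then
  printf '%b\n' "${ERROR}You must supply a valid URL/path to check. eg." >&2
  printf ' %s https://example.com\n' "$0" >&2
  printf ' %s example.com\n' "$0" >&2
  exit 1
fi
# Normalise the argument to a bare host/path: drop surrounding double quotes,
# surrounding whitespace and a leading http:// or https://, so both
# "https://example.com" and example.com are accepted. Done with parameter
# expansion instead of `echo $1 | sed`, which word-split the unquoted argument
# and whose `s/^//` expression was a no-op (leading-space removal was
# presumably intended; leading whitespace is now actually stripped).
path=$1
path=${path#\"}
path=${path%\"}
path=${path#"${path%%[![:space:]]*}"}   # strip leading whitespace
path=${path%"${path##*[![:space:]]}"}   # strip trailing whitespace
path=${path#http://}
path=${path#https://}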
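#######################################
# Print one check result.
# Arguments:
#   $1 - result: 'yes' is good (green), 'no' is bad (red), anything else is
#        flagged as unknown (yellow)
#   $2 - human-readable message
#   $3 - extra detail, printed only when DEBUG=1 (optional)
# Globals read: CSV, DEBUG, PASS, FAIL, UNKNOWN, INFO
# Outputs: in CSV mode (CSV=1) only ",$1" (plus ",$3" when DEBUG=1), with no
#   trailing newline so the caller's row stays on one line; otherwise one
#   coloured line, plus an INFO line and a blank line when DEBUG=1.
# Returns: 0
#######################################
output() {
  local result=$1 message=$2 detail=${3-}
  if [[ "${CSV:-0}" == 1 ]]; then
    printf '%s' ",${result}"
    if [[ "${DEBUG:-0}" == 1 ]]; then
      printf '%s' ",${detail}"
    fi
    return 0
  fi
  # %b interprets the \033 escapes stored in the colour constants.
  case "$result" in
    yes) printf '%b\n' "${PASS}${message}" ;;
    no)  printf '%b\n' "${FAIL}${message}" ;;
    # The original arm matched only a literal ':' so any other result printed
    # nothing at all; '*' makes the documented "flagged" behaviour real.
    *)   printf '%b\n' "${UNKNOWN}${message}" ;;
  esac
  if [[ "${DEBUG:-0}" == 1 ]]; then
    printf '%b\n\n' "${INFO}${detail}"
  fi
}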
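#######################################
# Request a URL and report whether it answered with a success/redirect status.
# Arguments:
#   $1 - full URL, scheme included
# Globals read: CURLOPTS (expanded unquoted on purpose: it is a
#   space-separated option list)
# Outputs: the HTTP status code curl observed, on stdout ("000" when no
#   response was received)
# Returns: 0 when the code is in 200-399, 1 otherwise
#######################################
isSuccess() {
  local url=$1 status
  # shellcheck disable=SC2086
  status=$(curl ${CURLOPTS} -s -o /dev/null -w '%{http_code}' "$url")
  printf '%s\n' "$status"
  # Guard the arithmetic against a non-numeric value and force base 10 so a
  # leading zero (e.g. "000") is not read as octal.
  if [[ "$status" =~ ^[0-9]+$ ]] && (( 10#$status >= 200 && 10#$status < 400 )); then
    return 0
  fi
  return 1
}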
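################################################################################
# Check 1: does a plain http:// request end up on an https:// URL?
################################################################################
# -L follows redirects; url_effective is the URL curl finally landed on.
# shellcheck disable=SC2086
redirect=$(curl ${CURLOPTS} -Ls -o /dev/null -w '%{url_effective}' "http://${path}")
oldpath=$path
# All later checks go to the host the redirect chain ended on.
path=${redirect#http://}
path=${path#https://}
# CSV row prefix: URL_PROVIDED,URL_REDIRECTED_TO. Printed once the redirect is
# known, so the second column really is the effective URL (the original printed
# "$oldpath,$path" before path had been updated, repeating the first column).
if [[ "$CSV" -eq 1 ]]; then
  printf '%s' "${oldpath},${redirect}"
fi
if [[ "$redirect" == https://* ]]; then
  output 'yes' 'http redirects to https' "$redirect"
else
  output 'no' 'http does NOT redirect to https' "$redirect"
fi
################################################################################
# Check 2: does the http:// URL answer with a status in 200-399?
################################################################################
# The assignment's exit status is isSuccess's, so no $? juggling is needed.
if httpStatus=$(isSuccess "http://${path}"); then
  output 'yes' 'http returned success code' "$httpStatus"
else
  output 'no' 'http did NOT return success code' "$httpStatus"
fi
################################################################################
# Check 3: does the https:// URL answer with a status in 200-399?
################################################################################
if httpsStatus=$(isSuccess "https://${path}"); then
  output 'yes' 'https returned success code' "$httpsStatus"
else
  output 'no' 'https did NOT return success code' "$httpsStatus"
fi
################################################################################
# Check 4: does the https:// response carry Strict-Transport-Security?
################################################################################
# Headers only: -D - dumps them to stdout and -o /dev/null discards the body,
# so a page that merely mentions the header name in its HTML is not counted.
# Header names are case-insensitive (and are lowercased on the wire over
# HTTP/2), so match case-insensitively and anchor at the start of the line.
# Redirects are not followed here (no -L), so the header is checked on the
# host the http request ended up on.
# shellcheck disable=SC2086
hsts=$(curl ${CURLOPTS} -s -o /dev/null -D - "https://${path}" \
  | grep -i '^strict-transport-security:')
if [[ -z "$hsts" ]]; then
  output 'no' 'HSTS is NOT enabled' "$hsts"
else
  output 'yes' 'HSTS is enabled' "$hsts"
fi
# Terminate the CSV row so batch runs produce one row per line.
if [[ "$CSV" -eq 1 ]]; then
  printf '\n'
fi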