2021-07-28 14:40:20 +02:00
|
|
|
id: http-missing-security-headers
|
|
|
|
|
|
|
|
|
|
info:
|
|
|
|
|
name: HTTP Missing Security Headers
|
2024-09-02 14:52:13 +02:00
|
|
|
author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki,forgedhallpass,jub0bs,userdehghani
|
2021-07-28 14:40:20 +02:00
|
|
|
severity: info
|
2022-05-20 17:38:52 -04:00
|
|
|
description: |
|
|
|
|
|
This template searches for missing HTTP security headers. The impact of these missing headers can vary.
|
2023-04-28 13:41:21 +05:30
|
|
|
metadata:
|
|
|
|
|
max-request: 1
|
2023-10-14 16:57:55 +05:30
|
|
|
tags: misconfig,headers,generic
|
2021-07-28 14:40:20 +02:00
|
|
|
|
2023-04-27 09:58:59 +05:30
|
|
|
http:
|
2021-07-28 14:40:20 +02:00
|
|
|
- method: GET
|
|
|
|
|
path:
|
|
|
|
|
- "{{BaseURL}}"
|
2021-09-03 22:24:11 +05:30
|
|
|
|
2022-10-08 02:57:25 +05:30
|
|
|
host-redirects: true
|
2021-07-28 14:40:20 +02:00
|
|
|
max-redirects: 3
|
2023-10-14 16:57:55 +05:30
|
|
|
|
2021-07-28 14:40:20 +02:00
|
|
|
matchers-condition: or
|
|
|
|
|
matchers:
|
2022-05-17 23:49:08 +03:00
|
|
|
- type: dsl
|
2021-09-03 22:24:11 +05:30
|
|
|
name: strict-transport-security
|
2022-05-17 23:49:08 +03:00
|
|
|
dsl:
|
2023-06-20 02:40:30 +05:30
|
|
|
- "!regex('(?i)strict-transport-security', header)"
|
2022-05-17 23:49:08 +03:00
|
|
|
- "status_code != 301 && status_code != 302"
|
|
|
|
|
condition: and
|
2021-09-03 22:24:11 +05:30
|
|
|
|
2022-05-17 23:49:08 +03:00
|
|
|
- type: dsl
|
2021-09-03 22:24:11 +05:30
|
|
|
name: content-security-policy
|
2022-05-17 23:49:08 +03:00
|
|
|
dsl:
|
2023-06-20 02:40:30 +05:30
|
|
|
- "!regex('(?i)content-security-policy', header)"
|
2022-05-17 23:49:08 +03:00
|
|
|
- "status_code != 301 && status_code != 302"
|
|
|
|
|
condition: and
|
2021-09-03 22:24:11 +05:30
|
|
|
|
2022-05-17 23:49:08 +03:00
|
|
|
- type: dsl
|
2022-09-23 13:56:33 +03:00
|
|
|
name: permissions-policy
|
2022-05-17 23:49:08 +03:00
|
|
|
dsl:
|
2023-06-20 02:40:30 +05:30
|
|
|
- "!regex('(?i)permissions-policy', header)"
|
2022-05-17 23:49:08 +03:00
|
|
|
- "status_code != 301 && status_code != 302"
|
|
|
|
|
condition: and
|
2021-12-29 09:36:58 -05:00
|
|
|
|
2022-05-17 23:49:08 +03:00
|
|
|
- type: dsl
|
2021-09-03 22:24:11 +05:30
|
|
|
name: x-frame-options
|
2022-05-17 23:49:08 +03:00
|
|
|
dsl:
|
2023-06-20 02:40:30 +05:30
|
|
|
- "!regex('(?i)x-frame-options', header)"
|
2022-05-17 23:49:08 +03:00
|
|
|
- "status_code != 301 && status_code != 302"
|
|
|
|
|
condition: and
|
2021-09-03 22:24:11 +05:30
|
|
|
|
2022-05-17 23:49:08 +03:00
|
|
|
- type: dsl
|
2021-09-03 22:24:11 +05:30
|
|
|
name: x-content-type-options
|
2022-05-17 23:49:08 +03:00
|
|
|
dsl:
|
2023-06-20 02:40:30 +05:30
|
|
|
- "!regex('(?i)x-content-type-options', header)"
|
2022-05-17 23:49:08 +03:00
|
|
|
- "status_code != 301 && status_code != 302"
|
|
|
|
|
condition: and
|
2021-09-03 22:24:11 +05:30
|
|
|
|
2022-05-17 23:49:08 +03:00
|
|
|
- type: dsl
|
2021-09-03 22:24:11 +05:30
|
|
|
name: x-permitted-cross-domain-policies
|
2022-05-17 23:49:08 +03:00
|
|
|
dsl:
|
2023-06-20 02:40:30 +05:30
|
|
|
- "!regex('(?i)x-permitted-cross-domain-policies', header)"
|
2022-05-17 23:49:08 +03:00
|
|
|
- "status_code != 301 && status_code != 302"
|
|
|
|
|
condition: and
|
2021-09-03 22:24:11 +05:30
|
|
|
|
2022-05-17 23:49:08 +03:00
|
|
|
- type: dsl
|
2021-09-03 22:24:11 +05:30
|
|
|
name: referrer-policy
|
2022-05-17 23:49:08 +03:00
|
|
|
dsl:
|
2023-06-20 02:40:30 +05:30
|
|
|
- "!regex('(?i)referrer-policy', header)"
|
2022-05-17 23:49:08 +03:00
|
|
|
- "status_code != 301 && status_code != 302"
|
|
|
|
|
condition: and
|
2021-09-03 22:24:11 +05:30
|
|
|
|
2022-05-17 23:49:08 +03:00
|
|
|
- type: dsl
|
2021-09-03 22:24:11 +05:30
|
|
|
name: clear-site-data
|
2022-05-17 23:49:08 +03:00
|
|
|
dsl:
|
2023-06-20 02:40:30 +05:30
|
|
|
- "!regex('(?i)clear-site-data', header)"
|
2022-05-17 23:49:08 +03:00
|
|
|
- "status_code != 301 && status_code != 302"
|
|
|
|
|
condition: and
|
2021-09-03 22:24:11 +05:30
|
|
|
|
2022-05-17 23:49:08 +03:00
|
|
|
- type: dsl
|
2021-09-03 22:24:11 +05:30
|
|
|
name: cross-origin-embedder-policy
|
2022-05-17 23:49:08 +03:00
|
|
|
dsl:
|
2023-06-20 02:40:30 +05:30
|
|
|
- "!regex('(?i)cross-origin-embedder-policy', header)"
|
2022-05-17 23:49:08 +03:00
|
|
|
- "status_code != 301 && status_code != 302"
|
|
|
|
|
condition: and
|
2021-09-03 22:24:11 +05:30
|
|
|
|
2022-05-17 23:49:08 +03:00
|
|
|
- type: dsl
|
2021-09-03 22:24:11 +05:30
|
|
|
name: cross-origin-opener-policy
|
2022-05-17 23:49:08 +03:00
|
|
|
dsl:
|
2023-06-20 02:40:30 +05:30
|
|
|
- "!regex('(?i)cross-origin-opener-policy', header)"
|
2022-05-17 23:49:08 +03:00
|
|
|
- "status_code != 301 && status_code != 302"
|
|
|
|
|
condition: and
|
2021-09-03 22:24:11 +05:30
|
|
|
|
2022-05-17 23:49:08 +03:00
|
|
|
- type: dsl
|
2021-09-03 22:24:11 +05:30
|
|
|
name: cross-origin-resource-policy
|
2022-05-17 23:49:08 +03:00
|
|
|
dsl:
|
2023-06-20 02:40:30 +05:30
|
|
|
- "!regex('(?i)cross-origin-resource-policy', header)"
|
2022-05-17 23:49:08 +03:00
|
|
|
- "status_code != 301 && status_code != 302"
|
|
|
|
|
condition: and
|
2023-10-20 11:41:13 +00:00
|
|
|
|
2024-09-02 14:52:13 +02:00
|
|
|
- type: dsl
|
|
|
|
|
name: content-type-charset-specification
|
|
|
|
|
dsl:
|
|
|
|
|
- "!regex('(?i)content-type', header)"
|
|
|
|
|
- "!regex('(?i)charset', header)"
|
|
|
|
|
- "status_code != 301 && status_code != 302"
|
|
|
|
|
condition: and
|
2024-12-01 13:57:55 +00:00
|
|
|
# digest: 490a004630440220110fc130c64d1a2457f00589a17845e05696ea7542f4d08c986419923c38b9ac02202e073e983f5bebb71f2673a20f04c51b2c4a81cb9f7e747a4e74b3272fe047d4:922c64590222798bb761d5b6d8e72950
|
