Comment by Bender
1 day ago
In a similar spirit, there is also a site to scan the security headers of any site [1], another to verify TLS settings against the Mozilla SSL Configuration Generator [2], and a git repo with code to scan sites from the command line [3], useful if the site is not reachable on the internet or for automated scans to HTML reports.
[1] - https://securityheaders.com/
I needed to perform scans internally, and testssl.sh was too slow (minimum 20 seconds with parallelization and all optional scans disabled). So I made my own scanner, for a 60-100x speedup: https://github.com/boppreh/hello_tls . It doesn't do vulnerability assessment, but I was more interested in extracting the configuration.
Why is 20 s too slow? How often do you run it?
We also use it at my work, where it's used both for mass scans of internal hosts and for scanning the same host many times during incidents/configuration changes.
And the 20s is extra annoying because it's completely unnecessary. The tool is so slow because it's thousands of lines of pure bash, manipulating individual bytes. And because it's bash, it also breaks in confusing ways when you look at it wrong[1].
[1] https://github.com/testssl/testssl.sh/pull/2429
Honestly, I disagree with the security headers one. Various security headers do different things and should not be applied blindly. While some are always appropriate, there are also some that make sense to skip depending on what specifically your site is doing.
Not to mention, when I looked at the hall of fame entries, most had a CSP header, but it was a useless CSP header that was meaningless. It doesn't seem to distinguish between having the header and actually using it correctly.
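The distinction the comment above draws (header present vs. header actually doing something) is easy to check for yourself. The script below is an added example, not code from the thread or from securityheaders.com; it audits a handful of response headers the way the scanner linked earlier does, but grades a Content-Security-Policy by what it permits rather than by its presence. The header sets at the bottom are constructed samples, and the thresholds (one-year HSTS max-age, the specific CSP checks) are the author's choices, not a standard.

```python
"""Grade security headers by effect, not presence (added example, constructed samples)."""
import re
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; common minimum max-age for HSTS to be considered durable


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source tokens]}; directive names are case-insensitive."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            # CSP ignores repeated directives after the first, so keep the first one
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def csp_findings(value: str) -> List[str]:
    """Return the reasons a CSP is effectively meaningless for script injection (empty list if none)."""
    d = parse_csp(value)
    findings: List[str] = []
    # script-src falls back to default-src; with neither, scripts may load from anywhere
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: script sources are unrestricted")
        script = []
    # Per CSP level 3, a nonce or hash in the directive makes 'unsafe-inline' ignored
    has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("'unsafe-inline' in script sources without a nonce or hash: inline scripts are not blocked")
    if "'unsafe-eval'" in script:
        findings.append("'unsafe-eval' permits eval()/Function() on strings")
    if any(t in ("*", "http:", "https:", "data:") for t in script):
        findings.append("wildcard scheme or host in script sources: almost any origin may serve scripts")
    if "object-src" not in d and "'none'" not in d.get("default-src", []):
        findings.append("object-src not restricted: plugin content (<object>/<embed>) is allowed")
    if "base-uri" not in d:
        findings.append("no base-uri: an injected <base> tag can redirect relative script URLs")
    return findings


def hsts_finding(value: str) -> str:
    """Grade a Strict-Transport-Security value."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not m:
        return "weak: no max-age, so browsers ignore the header"
    if int(m.group(1)) < ONE_YEAR:
        return f"weak: max-age {m.group(1)} is under one year"
    return "ok"


def audit_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a verdict per control: 'missing', 'ok', or 'weak: <reasons>'."""
    h = {k.lower(): v for k, v in headers.items()}
    out: Dict[str, str] = {}

    csp = h.get("content-security-policy")
    if csp is None:
        out["Content-Security-Policy"] = "missing"
    else:
        reasons = csp_findings(csp)
        out["Content-Security-Policy"] = "ok" if not reasons else "weak: " + "; ".join(reasons)

    hsts = h.get("strict-transport-security")
    out["Strict-Transport-Security"] = "missing" if hsts is None else hsts_finding(hsts)

    xcto = h.get("x-content-type-options", "")
    if not xcto:
        out["X-Content-Type-Options"] = "missing"
    else:
        out["X-Content-Type-Options"] = "ok" if xcto.strip().lower() == "nosniff" else "weak: value is not 'nosniff'"

    # Either X-Frame-Options or a CSP frame-ancestors directive counts as framing protection
    framed = "x-frame-options" in h or (csp is not None and "frame-ancestors" in parse_csp(csp))
    out["Framing protection"] = "ok" if framed else "missing"

    # Referrer-Policy: presence only; the right value depends on the site, so no 'weak' verdict here
    out["Referrer-Policy"] = "present (value is site-specific)" if "referrer-policy" in h else "missing"
    return out


# Constructed sample: every header is present, yet the CSP restricts nothing useful
LOOKS_GOOD_BUT_ISNT = {
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval' data:",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Constructed sample: a nonce-based policy with the usual hardening directives
STRICT = {
    "Content-Security-Policy": "default-src 'none'; script-src 'nonce-abc123' 'strict-dynamic'; "
                               "style-src 'self'; img-src 'self'; object-src 'none'; base-uri 'self'; "
                               "frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

if __name__ == "__main__":
    for name, sample in (("looks-good-but-isn't", LOOKS_GOOD_BUT_ISNT), ("strict", STRICT)):
        print(f"== {name} ==")
        for control, verdict in audit_headers(sample).items():
            print(f"  {control}: {verdict}")
```

A presence-only scanner would give both samples full marks; this one marks the first CSP weak on five counts and its HSTS as too short. Checks that depend on the site (Referrer-Policy, which third-party script hosts are legitimate) are deliberately reported as present/missing only, which is the context a pentester has to supply by hand.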
This was always my pet peeve when working as a penetration tester. We'd run simple tools like this to cover the basics, but so many coworkers would blindly copy paste the issues without considering the site's context and suitability. Not to knock their skills, they'd find real vulnerabilities too. It's just that this stuff was considered beneath them, while I felt that giving a client tailored advice on little details like this is what they were looking for and shows attention to detail.
As a security-conscious dev who has worked in various highly regulated spaces, I want to say we really appreciate people like you, because they're super rare.
It's seriously infuriating receiving these "Critical vulnerability reports" that customers let other agencies do, and having to justify why you have no Referrer-Policy header.
Nice to read that you are reasonable.
Also, they want a strict CSP while serving 10 different ad networks :)