Feature: New insecure check (X-XSS-Protection: Deprecated Header))

#14
rfc-st · Nov 16, 2023 · 1c3c3dc · 1c3c3dc
1 parent 1b35fd1
commit 1c3c3dc
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@
 <a target="_blank" href="https://www.python.org/downloads/" title="Minimum Python version required to run this tool"><img src="https://img.shields.io/badge/Python-%3E%3D3.9-blue?labelColor=343b41"></a>
 <a target="_blank" href="LICENSE" title="License of this tool"><img src="https://img.shields.io/badge/License-MIT-blue.svg?labelColor=343b41"></a>
 <a target="_blank" href="https://github.com/rfc-st/humble/releases" title="Latest release of this tool"><img src="https://img.shields.io/github/v/release/rfc-st/humble?display_name=release&label=Latest%20release&labelColor=343b41"></a>
-<a target="_blank" href="https://github.com/rfc-st/humble/commits/master" title="Latest commit of this tool"><img src="https://img.shields.io/badge/Latest_Commit-2023--11--15-blue.svg?labelColor=343b41"></a>
+<a target="_blank" href="https://github.com/rfc-st/humble/commits/master" title="Latest commit of this tool"><img src="https://img.shields.io/badge/Latest_Commit-2023--11--16-blue.svg?labelColor=343b41"></a>
 <a target="_blank" href="https://github.com/rfc-st/humble/actions?query=workflow%3ACodeQL" title="Results of the last analysis of this tool with CodeQL"><img src="https://github.com/rfc-st/humble/workflows/CodeQL/badge.svg"></a>
 <a target="_blank" href="https://owasp.org/www-project-secure-headers/#div-technical" title="Tool accepted as a technical resource for OWASP"><img src="https://img.shields.io/badge/OWASP-Resource-blue?labelColor=343b41"></a>
 <a target="_blank" href="https://www.kali.org/tools/humble/" title="Tool accepted in Kali"><img src="https://img.shields.io/badge/Kali%20Linux-Tool-blue?labelColor=343b41"></a>
@@ -43,7 +43,7 @@ HTTP Headers Analyzer<br />
 
 :heavy_check_mark: 14 [checks](#checks-missing-headers) of missing HTTP response headers.<br />
 :heavy_check_mark: 1000 [checks](#checks-fingerprint-headers) of fingerprinting through HTTP response headers.<br />
-:heavy_check_mark: 86 [checks](#checks-deprecated-headersprotocols-and-insecure-values) of deprecated HTTP response headers/protocols or with insecure/wrong values.<br />
+:heavy_check_mark: 87 [checks](#checks-deprecated-headersprotocols-and-insecure-values) of deprecated HTTP response headers/protocols or with insecure/wrong values.<br />
 :heavy_check_mark: TLS/SSL checks: requires https://testssl.sh/ and Unix machine!.<br />
 :heavy_check_mark: Browser compatibility check for enabled security headers.<br />
 :heavy_check_mark: Two types of analysis: brief and detailed, along with HTTP response headers.<br />
@@ -306,6 +306,7 @@ Thanks for your time!! :).
 * <a href="https://github.com/gl4nce">gl4nce</a> for <a href="https://github.com/rfc-st/humble/issues/6">this</a> suggestion.
 * İDRİS BUDAK for reporting the need to <a href="https://github.com/rfc-st/humble/commit/f85dd7811859fd2e403a0ecd848b21db20949841">this</a> check.
 * <a href="https://github.com/manuel-sommer">manuel-sommer</a> for <a href="https://github.com/rfc-st/humble/issues/8">this</a>, <a href="https://github.com/rfc-st/humble/issues/10">this</a> and <a href="https://github.com/rfc-st/humble/issues/13">this</a>!.
+* <a href="https://github.com/stanley101music">stanley101music</a> for <a href="https://github.com/rfc-st/humble/issues/14">this</a> suggestion.
 
 ## License
 

diff --git a/additional/insecure.txt b/additional/insecure.txt
@@ -38,7 +38,7 @@ Clear-Site-Data: No Valid Directives
 Content-DPR: Deprecated Header
 Content-Encoding: No Valid Directives
 Content-Security-Policy: Deprecated Directives
-Content-Security-Policy: Incorrect values
+Content-Security-Policy: Incorrect Values
 Content-Security-Policy: Insecure Schemes
 Content-Security-Policy: IP detected
 Content-Security-Policy: No Valid Directives
@@ -107,5 +107,6 @@ X-SourceMap: Deprecated Header
 X-UA-Compatible: Deprecated Header
 X-Webkit-CSP: Deprecated Header
 X-Webkit-CSP-Report-Only: Deprecated Header
-X-XSS-Protection: Unsafe Value
-X-XSS-Protection: Duplicated Values
+X-XSS-Protection: Deprecated Header
+X-XSS-Protection: Duplicated Values
+X-XSS-Protection: Unsafe Value
diff --git a/humble.py b/humble.py
@@ -84,7 +84,7 @@
 
 export_date = datetime.now().strftime("%Y%m%d")
 now = datetime.now().strftime("%Y/%m/%d - %H:%M:%S")
-version = datetime.strptime('2023-11-15', '%Y-%m-%d').date()
+version = datetime.strptime('2023-11-16', '%Y-%m-%d').date()
 
 
 class PDF(FPDF):
@@ -1610,6 +1610,7 @@ def custom_help_formatter(prog):
     print_details('[ixwcspr_h]', '[ixcspr]', 'd', i_cnt)
 
 if 'X-XSS-Protection' in headers:
+    print_details('[ixxpdp_h]', '[ixxpdp]', 'm', i_cnt)
     if '0' not in headers["X-XSS-Protection"]:
         print_details('[ixxp_h]', '[ixxp]', 'd', i_cnt)
     if ',' in headers['X-XSS-Protection']:

diff --git a/i10n/details.txt b/i10n/details.txt
@@ -543,6 +543,9 @@
 [ixxp_h]
  X-XSS-Protection (Unsafe Value)
 
+[ixxpdp_h]
+ X-XSS-Protection (Deprecated Header)
+
 [ixxpd_h]
  X-XSS-Protection (Duplicated Values)
 
@@ -936,9 +939,14 @@ HTTP Response Headers
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/SourceMap
 
 [ixxp]
- To mitigate XSS attacks, restrictively enable the "Content-Security-Policy" header.
+ To mitigate XSS attacks, restrictively use the "Content-Security-Policy" header.
  Ref: https://auth0.com/blog/defending-against-xss-with-csp/
 
+[ixxpdp]
+ This header is deprecated in the three major web browsers.
+ Instead, use the "Content-Security-Policy" header restrictively.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+
 [ixxpd]
  This header, or its values, may be duplicated.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

diff --git a/i10n/details_es.txt b/i10n/details_es.txt
@@ -543,6 +543,9 @@
 [ixxp_h]
  X-XSS-Protection (Valor inseguro)
 
+[ixxpdp_h]
+ X-XSS-Protection (Cabecera obsoleta)
+
 [ixxpd_h]
  X-XSS-Protection (Valores duplicados)
 
@@ -939,6 +942,11 @@ Cabeceras de respuesta HTTP
  Para mitigar ataques Cross-site scripting, habilite la cabecera "Content-Security-Policy".
  Ref: https://auth0.com/blog/defending-against-xss-with-csp/
 
+[ixxpdp]
+ Esta cabecera está obsoleta en los tres principales navegadores.
+ En su lugar, utilice de forma restrictiva la cabecera "Content-Security-Policy".
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+
 [ixxpd]
  Esta cabecera, o sus valores, pueden estar duplicados.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection