hedra 2.0.3 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 04726510b1778538e154b1eea4d68bbbed1fe306d9e026e73275e6f6cbf586ed
-  data.tar.gz: 36f7716980ea5fb86bd431c2b6f48ea591b4b9e793557893623d0a4c1f88a6fd
+  metadata.gz: b852e94cfa441a1597fb40438491f15939625b1da90734dcb0a05cb3ac06609a
+  data.tar.gz: 00bd6a8bccc0be126058ec0b8795f1b193d5e42c642041e2d5415955ccef9e81
 SHA512:
-  metadata.gz: d7396aca2eb8bc377f7a203c15729aa48864b3394a79b53b3490c4c2e06719696e313b3ebd097fce4f69b9006c5a44903b8ab94a7dd68da257289e584c811539
-  data.tar.gz: b50e9f48dda4b48c505ce948a01d3b5b2d5f2a669d459d6398f6c8801ce18bda53edf1da2132b045743e8575225c194fde6e42deb20eb530d5175aa1af6f54a1
+  metadata.gz: 908b5f2e81cefb60ee58af16e89e50f092fc7338af99bd89d1b47168a8b0ef1d65044344666f46581246405c291d69fe61a1b2e930234829d48b8003df3bfa65
+  data.tar.gz: 309c0cf041eb18ab775696d8b4ca9a8771cf8c57c75709ad86f422c42ee42aebb731f620d2f573ec8edc1f338a4a7d66ee2f8078939f3c75ed33c825c847c550

data/README.md

@@ -150,6 +150,30 @@ hedra plugin remove plugin_name
 - Signature algorithm strength
 - Key size validation
 - Chain verification
+- TLS version detection (TLS 1.2/1.3)
+- Certificate Transparency log verification
+
+**Protocol Security:**
+- HTTP/2 and HTTP/3 detection
+- TLS version enforcement
+- Insecure protocol warnings
+
+**CORS Security:**
+- Access-Control-Allow-Origin validation
+- Wildcard and null origin detection
+- Credentials with wildcard prevention
+- Dangerous HTTP methods detection
+- Sensitive header exposure checks
+
+**Subresource Integrity (SRI):**
+- External script/stylesheet SRI validation
+- Crossorigin attribute verification
+- Same-origin resource detection
+
+**DNS Security:**
+- DNSSEC validation
+- CAA (Certificate Authority Authorization) records
+- DNS-based security policy enforcement
 
 **RFC 9116:**
 - security.txt file presence and format
@@ -375,6 +399,80 @@ hedra scan -f urls.txt --output report.html --format html
 
 Interactive report with sorting, filtering, and charts.
 
+## Advanced Security Checks
+
+### Subresource Integrity (SRI)
+Validates that external scripts and stylesheets use SRI attributes to prevent tampering:
+```bash
+hedra scan https://myapp.com --check-sri
+```
+
+**Checks:**
+- External resources without integrity attributes
+- Missing crossorigin attributes
+- Same-origin vs cross-origin detection
+
+### CORS Policy Analysis
+Validates Cross-Origin Resource Sharing configuration for security issues:
+```bash
+hedra scan https://api.myapp.com --check-cors
+```
+
+**Detects:**
+- Wildcard origins with credentials (critical vulnerability)
+- Null origin allowance
+- Insecure HTTP origins
+- Dangerous HTTP methods (TRACE, TRACK)
+- Overly permissive configurations
+- Sensitive header exposure
+
+### Protocol Version Detection
+Checks HTTP and TLS protocol versions:
+```bash
+hedra scan https://myapp.com --check-protocol
+```
+
+**Validates:**
+- HTTP/1.1 vs HTTP/2 vs HTTP/3
+- TLS 1.2/1.3 enforcement
+- Deprecated protocol detection (SSLv3, TLS 1.0/1.1)
+- Protocol upgrade recommendations
+
+### Certificate Transparency
+Verifies certificates are logged in CT logs:
+```bash
+hedra audit https://myapp.com --check-ct
+```
+
+**Checks:**
+- SCT (Signed Certificate Timestamp) presence
+- Multiple independent CT logs
+- SCT delivery methods (extension, OCSP, TLS)
+
+### DNS Security
+Validates DNS-level security features:
+```bash
+hedra audit https://myapp.com --check-dns
+```
+
+**Validates:**
+- DNSSEC enablement
+- CAA records for certificate issuance control
+- CAA tags (issue, issuewild, iodef)
+- DNS-based security policies
+
+### Combined Advanced Scan
+Run all advanced checks together:
+```bash
+hedra audit https://myapp.com \
+  --check-sri \
+  --check-cors \
+  --check-protocol \
+  --check-ct \
+  --check-dns \
+  --output comprehensive-report.json
+```
+
 ## Real-World Examples
 
 ### Basic Security Audit
@@ -382,6 +480,23 @@ Interactive report with sorting, filtering, and charts.
 hedra scan https://myapp.com
 ```
 
+### Comprehensive Security Audit with All Checks
+```bash
+hedra audit https://myapp.com \
+  --check-sri \
+  --check-ct \
+  --check-dns \
+  --json \
+  --output full-audit.json
+```
+
+### Quick CORS and Protocol Check
+```bash
+hedra scan https://api.myapp.com \
+  --check-cors \
+  --check-protocol
+```
+
 ### Production Deployment Check
 ```bash
 # Save baseline after deployment
@@ -503,5 +618,3 @@ hedra scan https://slow-server.com --timeout 60
 MIT License - see [LICENSE](LICENSE) for details.
 
 ---
-
-**Built by [BlackStack](https://github.com/bl4ckstack)** • Securing the web, one header at a time.

data/lib/hedra/analyzer.rb

@@ -61,17 +61,22 @@ module Hedra
       }
     }.freeze
 
-    def initialize(check_certificates: true, check_security_txt: false)
+    def initialize(check_certificates: true, check_security_txt: false, check_sri: false, check_cors: true, check_protocol: true, check_ct: false, check_dns: false)
       @plugin_manager = PluginManager.new
       @scorer = Scorer.new
       @certificate_checker = check_certificates ? CertificateChecker.new : nil
       @security_txt_checker = check_security_txt ? SecurityTxtChecker.new : nil
+      @sri_checker = check_sri ? SriChecker.new : nil
+      @cors_checker = check_cors ? CorsChecker.new : nil
+      @protocol_checker = check_protocol ? ProtocolChecker.new : nil
+      @ct_checker = check_ct ? CtChecker.new : nil
+      @dns_checker = check_dns ? DnsChecker.new : nil
       @custom_rules = []
       @mutex = Mutex.new # Thread safety for custom rules
       load_custom_rules
     end
 
-    def analyze(url, headers, http_client: nil)
+    def analyze(url, headers, http_client: nil, response: nil, html_content: nil)
       normalized_headers = normalize_headers(headers)
       findings = []
 
@@ -104,6 +109,24 @@ module Hedra
       # Check security.txt
       findings.concat(@security_txt_checker.check(url, http_client)) if @security_txt_checker && http_client
 
+      # Check Subresource Integrity (SRI)
+      if @sri_checker
+        @sri_checker.instance_variable_set(:@http_client, http_client) if http_client
+        findings.concat(@sri_checker.check(url, html_content))
+      end
+
+      # Check CORS configuration
+      findings.concat(@cors_checker.check(normalized_headers, url)) if @cors_checker
+
+      # Check HTTP/TLS protocol versions
+      findings.concat(@protocol_checker.check(url, response)) if @protocol_checker
+
+      # Check Certificate Transparency
+      findings.concat(@ct_checker.check(url)) if @ct_checker
+
+      # Check DNS security (DNSSEC, CAA)
+      findings.concat(@dns_checker.check(url)) if @dns_checker
+
       # Calculate security score
       score = @scorer.calculate(normalized_headers, findings)
 

data/lib/hedra/cli.rb

@@ -71,7 +71,8 @@ module Hedra
 
       urls.each do |url|
         response = client.get(url)
-        result = analyzer.analyze(url, response.headers.to_h)
+        headers = safe_headers_to_hash(response.headers)
+        result = analyzer.analyze(url, headers)
         current_results << result
       rescue StandardError => e
         warn "Failed to scan #{url}: #{e.message}"
@@ -177,6 +178,11 @@ module Hedra
     option :cache_ttl, type: :numeric, default: 3600, desc: 'Cache TTL in seconds'
     option :check_certificates, type: :boolean, default: true, desc: 'Check SSL certificates'
     option :check_security_txt, type: :boolean, default: false, desc: 'Check for security.txt'
+    option :check_sri, type: :boolean, default: false, desc: 'Check Subresource Integrity'
+    option :check_cors, type: :boolean, default: true, desc: 'Check CORS configuration'
+    option :check_protocol, type: :boolean, default: true, desc: 'Check HTTP/TLS protocol versions'
+    option :check_ct, type: :boolean, default: false, desc: 'Check Certificate Transparency'
+    option :check_dns, type: :boolean, default: false, desc: 'Check DNSSEC and CAA records'
     option :save_baseline, type: :string, desc: 'Save results as baseline'
     option :progress, type: :boolean, default: true, desc: 'Show progress bar'
     def scan(target) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
@@ -186,7 +192,12 @@ module Hedra
       client = build_http_client
       analyzer = Analyzer.new(
         check_certificates: options[:check_certificates],
-        check_security_txt: options[:check_security_txt]
+        check_security_txt: options[:check_security_txt],
+        check_sri: options[:check_sri],
+        check_cors: options[:check_cors],
+        check_protocol: options[:check_protocol],
+        check_ct: options[:check_ct],
+        check_dns: options[:check_dns]
       )
       cache = options[:cache] ? Cache.new(ttl: options[:cache_ttl]) : nil
       rate_limiter = options[:rate] ? RateLimiter.new(options[:rate]) : nil
@@ -211,7 +222,9 @@ module Hedra
               log_info("Cache hit: #{url}") if @verbose
             else
               response = client.get(url)
-              result = analyzer.analyze(url, response.headers.to_h, http_client: client)
+              headers = safe_headers_to_hash(response.headers)
+              html_content = response.body.to_s if options[:check_sri]
+              result = analyzer.analyze(url, headers, http_client: client, response: response, html_content: html_content)
               cache&.set(url, result)
             end
 
@@ -246,17 +259,29 @@ module Hedra
     option :timeout, type: :numeric, aliases: '-t', default: 10, desc: 'Request timeout'
     option :check_certificates, type: :boolean, default: true, desc: 'Check SSL certificates'
     option :check_security_txt, type: :boolean, default: true, desc: 'Check for security.txt'
+    option :check_sri, type: :boolean, default: true, desc: 'Check Subresource Integrity'
+    option :check_cors, type: :boolean, default: true, desc: 'Check CORS configuration'
+    option :check_protocol, type: :boolean, default: true, desc: 'Check HTTP/TLS protocol versions'
+    option :check_ct, type: :boolean, default: true, desc: 'Check Certificate Transparency'
+    option :check_dns, type: :boolean, default: true, desc: 'Check DNSSEC and CAA records'
     def audit(url)
       setup_logging
       client = build_http_client
       analyzer = Analyzer.new(
         check_certificates: options[:check_certificates],
-        check_security_txt: options[:check_security_txt]
+        check_security_txt: options[:check_security_txt],
+        check_sri: options[:check_sri],
+        check_cors: options[:check_cors],
+        check_protocol: options[:check_protocol],
+        check_ct: options[:check_ct],
+        check_dns: options[:check_dns]
       )
 
       begin
         response = client.get(url)
-        result = analyzer.analyze(url, response.headers.to_h, http_client: client)
+        headers = safe_headers_to_hash(response.headers)
+        html_content = response.body.to_s if options[:check_sri]
+        result = analyzer.analyze(url, headers, http_client: client, response: response, html_content: html_content)
 
         if options[:json]
           output = JSON.pretty_generate(result)
@@ -289,7 +314,8 @@ module Hedra
       loop do
         begin
           response = client.get(url)
-          result = analyzer.analyze(url, response.headers.to_h)
+          headers = safe_headers_to_hash(response.headers)
+          result = analyzer.analyze(url, headers)
           print_result(result)
         rescue StandardError => e
           log_error("Watch check failed: #{e.message}")
@@ -311,8 +337,10 @@ module Hedra
         response1 = client.get(url1)
         response2 = client.get(url2)
 
-        result1 = analyzer.analyze(url1, response1.headers.to_h)
-        result2 = analyzer.analyze(url2, response2.headers.to_h)
+        headers1 = safe_headers_to_hash(response1.headers)
+        headers2 = safe_headers_to_hash(response2.headers)
+        result1 = analyzer.analyze(url1, headers1)
+        result2 = analyzer.analyze(url2, headers2)
 
         print_comparison(result1, result2)
       rescue StandardError => e
@@ -367,7 +395,8 @@ module Hedra
 
       urls.each do |url|
         response = client.get(url)
-        result = analyzer.analyze(url, response.headers.to_h, http_client: client)
+        headers = safe_headers_to_hash(response.headers)
+        result = analyzer.analyze(url, headers, http_client: client)
         results << result
 
         if result[:score] < options[:threshold]
@@ -558,6 +587,21 @@ module Hedra
       puts Pastel.new.cyan("INFO: #{message}")
     end
 
+    def safe_headers_to_hash(headers)
+      return {} if headers.nil?
+
+      # Handle different header object types
+      hash = headers.respond_to?(:to_h) ? headers.to_h : {}
+
+      # Clean up nil values
+      hash.compact.transform_values do |value|
+        value.nil? ? '' : value
+      end
+    rescue StandardError => e
+      log_error("Failed to convert headers: #{e.message}") if @debug
+      {}
+    end
+
     def severity_badge(severity)
       pastel = Pastel.new
       case severity.to_s

data/lib/hedra/cors_checker.rb

@@ -0,0 +1,251 @@
+# frozen_string_literal: true
+
+module Hedra
+  # Validate CORS (Cross-Origin Resource Sharing) headers for security misconfigurations
+  class CorsChecker
+    DANGEROUS_ORIGINS = [
+      '*',
+      'null'
+    ].freeze
+
+    def check(headers, url = nil)
+      findings = []
+
+      # Check Access-Control-Allow-Origin
+      if headers.key?('access-control-allow-origin')
+        acao = headers['access-control-allow-origin']
+        findings.concat(check_allow_origin(acao, headers))
+      end
+
+      # Check Access-Control-Allow-Credentials with wildcard
+      if headers.key?('access-control-allow-credentials')
+        findings.concat(check_credentials(headers))
+      end
+
+      # Check Access-Control-Allow-Methods
+      if headers.key?('access-control-allow-methods')
+        findings.concat(check_allow_methods(headers['access-control-allow-methods']))
+      end
+
+      # Check Access-Control-Allow-Headers
+      if headers.key?('access-control-allow-headers')
+        findings.concat(check_allow_headers(headers['access-control-allow-headers']))
+      end
+
+      # Check Access-Control-Max-Age
+      if headers.key?('access-control-max-age')
+        findings.concat(check_max_age(headers['access-control-max-age']))
+      end
+
+      # Check for missing CORS headers when others are present
+      if cors_headers_present?(headers) && !headers.key?('access-control-allow-origin')
+        findings << {
+          header: 'access-control-allow-origin',
+          issue: 'CORS headers present but Access-Control-Allow-Origin is missing',
+          severity: :warning,
+          recommended_fix: 'Add Access-Control-Allow-Origin header or remove other CORS headers'
+        }
+      end
+
+      findings
+    rescue StandardError => e
+      warn "CORS check failed: #{e.message}" if ENV['DEBUG']
+      []
+    end
+
+    private
+
+    def check_allow_origin(acao, headers)
+      findings = []
+
+      # Wildcard with credentials is a critical security issue
+      if acao == '*' && credentials_enabled?(headers)
+        findings << {
+          header: 'access-control-allow-origin',
+          issue: 'CORS allows all origins (*) with credentials enabled - critical security risk',
+          severity: :critical,
+          recommended_fix: 'Use specific origin instead of wildcard when credentials are enabled'
+        }
+      elsif acao == '*'
+        findings << {
+          header: 'access-control-allow-origin',
+          issue: 'CORS allows all origins (*) - potential security risk',
+          severity: :warning,
+          recommended_fix: 'Restrict to specific trusted origins'
+        }
+      elsif acao == 'null'
+        findings << {
+          header: 'access-control-allow-origin',
+          issue: 'CORS allows "null" origin - security vulnerability',
+          severity: :critical,
+          recommended_fix: 'Never allow "null" origin, use specific origins'
+        }
+      elsif acao.include?(',')
+        findings << {
+          header: 'access-control-allow-origin',
+          issue: 'Multiple origins in Access-Control-Allow-Origin (invalid syntax)',
+          severity: :critical,
+          recommended_fix: 'Use single origin or implement dynamic origin validation'
+        }
+      elsif acao.match?(%r{^https?://})
+        # Valid origin, check for common issues
+        if acao.start_with?('http://') && !acao.include?('localhost') && !acao.include?('127.0.0.1')
+          findings << {
+            header: 'access-control-allow-origin',
+            issue: 'CORS allows insecure HTTP origin',
+            severity: :warning,
+            recommended_fix: 'Use HTTPS origins only'
+          }
+        end
+      end
+
+      findings
+    end
+
+    def check_credentials(headers)
+      findings = []
+      acac = headers['access-control-allow-credentials']
+
+      if acac.to_s.downcase == 'true'
+        acao = headers['access-control-allow-origin']
+        
+        if acao == '*'
+          findings << {
+            header: 'access-control-allow-credentials',
+            issue: 'Credentials enabled with wildcard origin (invalid and dangerous)',
+            severity: :critical,
+            recommended_fix: 'Use specific origin when credentials are enabled'
+          }
+        elsif acao.nil?
+          findings << {
+            header: 'access-control-allow-credentials',
+            issue: 'Credentials enabled without Access-Control-Allow-Origin',
+            severity: :warning,
+            recommended_fix: 'Add Access-Control-Allow-Origin header'
+          }
+        end
+      elsif acac && acac.to_s.downcase != 'true'
+        findings << {
+          header: 'access-control-allow-credentials',
+          issue: 'Invalid Access-Control-Allow-Credentials value (must be "true" or omitted)',
+          severity: :warning,
+          recommended_fix: 'Set to "true" or remove the header'
+        }
+      end
+
+      findings
+    end
+
+    def check_allow_methods(methods)
+      findings = []
+      method_list = methods.to_s.upcase.split(',').map(&:strip)
+
+      # Check for overly permissive methods
+      dangerous_methods = ['TRACE', 'TRACK', 'CONNECT']
+      found_dangerous = method_list & dangerous_methods
+
+      if found_dangerous.any?
+        findings << {
+          header: 'access-control-allow-methods',
+          issue: "Dangerous HTTP methods allowed: #{found_dangerous.join(', ')}",
+          severity: :critical,
+          recommended_fix: 'Remove dangerous methods (TRACE, TRACK, CONNECT)'
+        }
+      end
+
+      # Check for wildcard
+      if method_list.include?('*')
+        findings << {
+          header: 'access-control-allow-methods',
+          issue: 'CORS allows all HTTP methods (*)',
+          severity: :warning,
+          recommended_fix: 'Specify only required methods (GET, POST, etc.)'
+        }
+      end
+
+      # Check for overly permissive DELETE/PUT without proper consideration
+      risky_methods = ['DELETE', 'PUT', 'PATCH']
+      found_risky = method_list & risky_methods
+
+      if found_risky.any? && method_list.length > 5
+        findings << {
+          header: 'access-control-allow-methods',
+          issue: "Potentially risky methods allowed: #{found_risky.join(', ')}",
+          severity: :info,
+          recommended_fix: 'Ensure write methods are properly protected with authentication'
+        }
+      end
+
+      findings
+    end
+
+    def check_allow_headers(headers_value)
+      findings = []
+      header_list = headers_value.to_s.downcase.split(',').map(&:strip)
+
+      # Check for wildcard
+      if header_list.include?('*')
+        findings << {
+          header: 'access-control-allow-headers',
+          issue: 'CORS allows all headers (*)',
+          severity: :warning,
+          recommended_fix: 'Specify only required headers'
+        }
+      end
+
+      # Check for sensitive headers
+      sensitive_headers = ['authorization', 'cookie', 'x-api-key', 'x-auth-token']
+      found_sensitive = header_list & sensitive_headers
+
+      if found_sensitive.any?
+        findings << {
+          header: 'access-control-allow-headers',
+          issue: "Sensitive headers exposed: #{found_sensitive.join(', ')}",
+          severity: :info,
+          recommended_fix: 'Ensure sensitive headers are only allowed for trusted origins'
+        }
+      end
+
+      findings
+    end
+
+    def check_max_age(max_age)
+      findings = []
+      age = max_age.to_i
+
+      if age <= 0
+        findings << {
+          header: 'access-control-max-age',
+          issue: 'Invalid Access-Control-Max-Age value',
+          severity: :info,
+          recommended_fix: 'Set to positive number of seconds (e.g., 3600)'
+        }
+      elsif age > 86400
+        findings << {
+          header: 'access-control-max-age',
+          issue: 'Very long preflight cache duration (>24 hours)',
+          severity: :info,
+          recommended_fix: 'Consider shorter duration for security updates'
+        }
+      end
+
+      findings
+    end
+
+    def credentials_enabled?(headers)
+      headers['access-control-allow-credentials'].to_s.downcase == 'true'
+    end
+
+    def cors_headers_present?(headers)
+      cors_header_keys = [
+        'access-control-allow-credentials',
+        'access-control-allow-methods',
+        'access-control-allow-headers',
+        'access-control-max-age',
+        'access-control-expose-headers'
+      ]
+
+      cors_header_keys.any? { |key| headers.key?(key) }
+    end
+  end
+end