@soulofzephir/pi-skill-pentesting 1.0.0
- package/LICENSE +21 -0
- package/PUBLISH.md +97 -0
- package/README.md +255 -0
- package/package.json +39 -0
- package/skills/pentesting/SKILL.md +399 -0
- package/skills/pentesting/checklists/headers.md +286 -0
- package/skills/pentesting/checklists/injection.md +456 -0
- package/skills/pentesting/checklists/owasp.md +291 -0
- package/skills/pentesting/checklists/ports.md +323 -0
- package/skills/pentesting/reports/template.md +268 -0
- package/skills/pentesting/tools/generate-report.ps1 +327 -0
- package/skills/pentesting/tools/header-scan.ps1 +202 -0
- package/skills/pentesting/tools/header-scan.sh +173 -0
- package/skills/pentesting/tools/security-scan.ps1 +338 -0
@@ -0,0 +1,399 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: pentesting
|
|
3
|
+
description: Comprehensive website security testing skill for penetration testing, vulnerability assessment, security headers analysis, port scanning, SQL injection, XSS testing, OWASP Top 10, and SSL/TLS audit. Use when user asks for pentest, security check, security audit, vulnerability scan, header security, port scan, SQL injection, XSS, OWASP, ethical hacking, or bug bounty testing. Generates reports to site/domainname-date.md format.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# 🛡️ Pentesting & Security Check Skill
|
|
7
|
+
|
|
8
|
+
> **AUTHOR:** Rz | **VERSION:** 2.0 | **LAST UPDATED:** 2025-07-05
|
|
9
|
+
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
## 📋 CAPABILITIES OVERVIEW
|
|
13
|
+
|
|
14
|
+
This skill provides **COMPREHENSIVE PENTESTING** capabilities:
|
|
15
|
+
|
|
16
|
+
| Category | Coverage | Automated |
|
|
17
|
+
|----------|----------|-----------|
|
|
18
|
+
| **Security Headers** | 9 critical headers | ✅ Script |
|
|
19
|
+
| **Port Scanning** | 20+ common ports | ✅ Nmap/Script |
|
|
20
|
+
| **SQL Injection** | Union, Blind, Time-based | ✅ SQLMap + Manual |
|
|
21
|
+
| **XSS Testing** | Reflected, Stored, DOM | ✅ Payloads + Tools |
|
|
22
|
+
| **Command Injection** | Linux & Windows | ✅ Commix + Manual |
|
|
23
|
+
| **XXE Testing** | Basic, Blind, DoS | ✅ Manual |
|
|
24
|
+
| **OWASP Top 10** | A01-A10 complete | ✅ Checklist |
|
|
25
|
+
| **SSL/TLS Audit** | Certificate & Ciphers | ✅ testssl.sh |
|
|
26
|
+
| **Report Generation** | .md format | ✅ Auto |
|
|
27
|
+
|
|
28
|
+
---
|
|
29
|
+
|
|
30
|
+
## 🔔 AUTO-LOAD TRIGGERS
|
|
31
|
+
|
|
32
|
+
This skill auto-loads when user mentions:
|
|
33
|
+
- pentest, pentesting, penetration test
|
|
34
|
+
- security check, security audit, security scan
|
|
35
|
+
- vulnerability scan, vulnerability assessment
|
|
36
|
+
- ethical hacking, bug bounty
|
|
37
|
+
- header security, security headers, CSP, HSTS
|
|
38
|
+
- port scan, open ports, network scan
|
|
39
|
+
- SQL injection, SQLi, XSS, command injection
|
|
40
|
+
- OWASP, OWASP Top 10
|
|
41
|
+
- "test keamanan", "cek security", "audit keamanan"
|
|
42
|
+
|
|
43
|
+
---
|
|
44
|
+
|
|
45
|
+
## ⚡ COMPLETE TEST CHECKLIST
|
|
46
|
+
|
|
47
|
+
For a **comprehensive security assessment**, run these tests in order:
|
|
48
|
+
|
|
49
|
+
### Phase 1: Reconnaissance (Information Gathering)
|
|
50
|
+
```
|
|
51
|
+
[ ] Domain enumeration (subdomains, WHOIS)
|
|
52
|
+
[ ] Technology fingerprinting (CMS, framework, libraries)
|
|
53
|
+
[ ] Directory enumeration (/admin, /api, /backup)
|
|
54
|
+
[ ] Parameter discovery
|
|
55
|
+
[ ] Social media / leak analysis
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
### Phase 2: Security Headers Analysis
|
|
59
|
+
```
|
|
60
|
+
[ ] Content-Security-Policy (CSP)
|
|
61
|
+
[ ] Strict-Transport-Security (HSTS)
|
|
62
|
+
[ ] X-Content-Type-Options
|
|
63
|
+
[ ] X-Frame-Options
|
|
64
|
+
[ ] Referrer-Policy
|
|
65
|
+
[ ] Permissions-Policy
|
|
66
|
+
[ ] Cache-Control
|
|
67
|
+
[ ] Server header (version hiding)
|
|
68
|
+
[ ] X-Powered-By (tech hiding)
|
|
69
|
+
[ ] Cross-Origin policies (COOP, CORP, COEP)
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
### Phase 3: Port & Network Scanning
|
|
73
|
+
```
|
|
74
|
+
[ ] Full port scan (1-65535)
|
|
75
|
+
[ ] Service version detection
|
|
76
|
+
[ ] High-risk port exposure check:
|
|
77
|
+
[ ] Port 22 (SSH) - brute force, key-only?
|
|
78
|
+
[ ] Port 3306 (MySQL) - remote access?
|
|
79
|
+
[ ] Port 5432 (PostgreSQL) - remote access?
|
|
80
|
+
[ ] Port 27017 (MongoDB) - no-auth?
|
|
81
|
+
[ ] Port 6379 (Redis) - no-auth?
|
|
82
|
+
[ ] Port 11211 (Memcached) - DDoS risk?
|
|
83
|
+
[ ] Port 2375 (Docker) - NEVER expose!
|
|
84
|
+
[ ] Port 9200 (Elasticsearch) - data exposure?
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
### Phase 4: SSL/TLS Audit
|
|
88
|
+
```
|
|
89
|
+
[ ] Certificate validity (not expired, trusted CA)
|
|
90
|
+
[ ] TLS version (no SSLv3, TLS 1.0, TLS 1.1)
|
|
91
|
+
[ ] Weak ciphers disabled?
|
|
92
|
+
[ ] HSTS implementation
|
|
93
|
+
[ ] Certificate chain complete?
|
|
94
|
+
[ ] Self-signed cert check
|
|
95
|
+
[ ] OCSP stapling enabled?
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
### Phase 5: Authentication Testing
|
|
99
|
+
```
|
|
100
|
+
[ ] Login page brute force protection
|
|
101
|
+
[ ] Password policy enforcement
|
|
102
|
+
[ ] MFA availability
|
|
103
|
+
[ ] Session management:
|
|
104
|
+
[ ] Session ID randomness
|
|
105
|
+
[ ] Session timeout
|
|
106
|
+
[ ] HttpOnly cookies
|
|
107
|
+
[ ] Secure cookies
|
|
108
|
+
[ ] SameSite attribute
|
|
109
|
+
[ ] Password reset flow:
|
|
110
|
+
[ ] Token randomness
|
|
111
|
+
[ ] Token expiration
|
|
112
|
+
[ ] Email enumeration
|
|
113
|
+
[ ] Account lockout policy
|
|
114
|
+
[ ] CAPTCHA implementation
|
|
115
|
+
```
|
|
116
|
+
|
|
117
|
+
### Phase 6: Injection Testing
|
|
118
|
+
```
|
|
119
|
+
[ ] SQL Injection:
|
|
120
|
+
[ ] UNION-based
|
|
121
|
+
[ ] Boolean-based blind
|
|
122
|
+
[ ] Time-based blind
|
|
123
|
+
[ ] Error-based
|
|
124
|
+
[ ] Stacked queries
|
|
125
|
+
[ ] XSS (Cross-Site Scripting):
|
|
126
|
+
[ ] Reflected XSS
|
|
127
|
+
[ ] Stored/Persistent XSS
|
|
128
|
+
[ ] DOM-based XSS
|
|
129
|
+
[ ] Polyglot XSS
|
|
130
|
+
[ ] Command Injection:
|
|
131
|
+
[ ] Linux commands
|
|
132
|
+
[ ] Windows commands
|
|
133
|
+
[ ] XXE (XML External Entity)
|
|
134
|
+
[ ] LDAP Injection
|
|
135
|
+
[ ] XPath Injection
|
|
136
|
+
[ ] SSTI (Server-Side Template Injection)
|
|
137
|
+
[ ] SSTRF (Server-Side Request Forgery)
|
|
138
|
+
[ ] Expression Language Injection
|
|
139
|
+
```
|
|
140
|
+
|
|
141
|
+
### Phase 7: Business Logic Testing
|
|
142
|
+
```
|
|
143
|
+
[ ] IDOR (Insecure Direct Object Reference)
|
|
144
|
+
[ ] Horizontal privilege escalation
|
|
145
|
+
[ ] Vertical privilege escalation
|
|
146
|
+
[ ] Price/total manipulation
|
|
147
|
+
[ ] Quantity manipulation
|
|
148
|
+
[ ] Coupon/promotion abuse
|
|
149
|
+
[ ] Race condition (concurrency)
|
|
150
|
+
[ ] Workflow bypass
|
|
151
|
+
[ ] Mass assignment
|
|
152
|
+
```
|
|
153
|
+
|
|
154
|
+
### Phase 8: API Security
|
|
155
|
+
```
|
|
156
|
+
[ ] REST API testing:
|
|
157
|
+
[ ] Authorization bypass
|
|
158
|
+
[ ] Rate limiting
|
|
159
|
+
[ ] Input validation
|
|
160
|
+
[ ] CORS misconfiguration
|
|
161
|
+
[ ] GraphQL testing:
|
|
162
|
+
[ ] Introspection enabled?
|
|
163
|
+
[ ] Query complexity
|
|
164
|
+
[ ] Depth limiting
|
|
165
|
+
[ ] JWT testing:
|
|
166
|
+
[ ] Algorithm confusion
|
|
167
|
+
[ ] Weak secret
|
|
168
|
+
[ ] Token expiration
|
|
169
|
+
[ ] None algorithm
|
|
170
|
+
[ ] API versioning issues
|
|
171
|
+
```
|
|
172
|
+
|
|
173
|
+
### Phase 9: OWASP Top 10
|
|
174
|
+
```
|
|
175
|
+
[ ] A01 - Broken Access Control
|
|
176
|
+
[ ] Vertical privilege escalation
|
|
177
|
+
[ ] Horizontal privilege escalation
|
|
178
|
+
[ ] IDOR
|
|
179
|
+
[ ] CORS misconfiguration
|
|
180
|
+
[ ] A02 - Cryptographic Failures
|
|
181
|
+
[ ] Sensitive data exposure
|
|
182
|
+
[ ] Weak encryption
|
|
183
|
+
[ ] Default crypto
|
|
184
|
+
[ ] Insecure key management
|
|
185
|
+
[ ] A03 - Injection
|
|
186
|
+
[ ] SQL Injection
|
|
187
|
+
[ ] XSS
|
|
188
|
+
[ ] Command Injection
|
|
189
|
+
[ ] LDAP/XXE/XPath
|
|
190
|
+
[ ] A04 - Insecure Design
|
|
191
|
+
[ ] Missing rate limiting
|
|
192
|
+
[ ] Business logic flaws
|
|
193
|
+
[ ] Credential stuffing protection
|
|
194
|
+
[ ] A05 - Security Misconfiguration
|
|
195
|
+
[ ] Default credentials
|
|
196
|
+
[ ] Debug mode
|
|
197
|
+
[ ] Directory listing
|
|
198
|
+
[ ] Unnecessary features
|
|
199
|
+
[ ] Error handling
|
|
200
|
+
[ ] A06 - Vulnerable Components
|
|
201
|
+
[ ] Outdated libraries
|
|
202
|
+
[ ] Known CVEs
|
|
203
|
+
[ ] Unmaintained dependencies
|
|
204
|
+
[ ] A07 - Identification & Auth Failures
|
|
205
|
+
[ ] Weak passwords
|
|
206
|
+
[ ] Session management
|
|
207
|
+
[ ] Credential exposure
|
|
208
|
+
[ ] A08 - Software & Data Integrity
|
|
209
|
+
[ ] Insecure deserialization
|
|
210
|
+
[ ] CI/CD issues
|
|
211
|
+
[ ] Auto-update integrity
|
|
212
|
+
[ ] A09 - Logging & Monitoring
|
|
213
|
+
[ ] No audit logging
|
|
214
|
+
[ ] Failed login tracking
|
|
215
|
+
[ ] Alert fatigue
|
|
216
|
+
[ ] A10 - SSRF
|
|
217
|
+
[ ] URL validation bypass
|
|
218
|
+
[ ] Internal network access
|
|
219
|
+
[ ] Cloud metadata access
|
|
220
|
+
```
|
|
221
|
+
|
|
222
|
+
### Phase 10: Client-Side Testing
|
|
223
|
+
```
|
|
224
|
+
[ ] CORS misconfiguration
|
|
225
|
+
[ ] WebSocket testing
|
|
226
|
+
[ ] WebRTC leakage
|
|
227
|
+
[ ] Service Worker security
|
|
228
|
+
[ ] Browser storage (localStorage, sessionStorage)
|
|
229
|
+
[ ] Cookies security attributes
|
|
230
|
+
[ ] JWT in localStorage vs HttpOnly cookie
|
|
231
|
+
```
|
|
232
|
+
|
|
233
|
+
---
|
|
234
|
+
|
|
235
|
+
## ⚡ WORKFLOW (Follow in Order)
|
|
236
|
+
|
|
237
|
+
### Step 1: Confirm Scope
|
|
238
|
+
```
|
|
239
|
+
1. Target URL/IP: [user input]
|
|
240
|
+
2. Testing type: [Full / Targeted]
|
|
241
|
+
3. Authorization: [User owns this / Has permission]
|
|
242
|
+
```
|
|
243
|
+
|
|
244
|
+
### Step 2: Run Tests (follow Complete Test Checklist above)
|
|
245
|
+
|
|
246
|
+
### Step 3: Generate Report
|
|
247
|
+
|
|
248
|
+
**IMPORTANT:** Always save report to:
|
|
249
|
+
```
|
|
250
|
+
site/[domain]-[YYYY-MM-DD].md
|
|
251
|
+
```
|
|
252
|
+
|
|
253
|
+
Example:
|
|
254
|
+
```
|
|
255
|
+
site/example.com-2025-07-05.md
|
|
256
|
+
site/api.target.com-2025-07-05.md
|
|
257
|
+
site/subdomain.target.com-2025-07-05.md
|
|
258
|
+
```
|
|
259
|
+
|
|
260
|
+
---
|
|
261
|
+
|
|
262
|
+
## 🔧 TOOLS & SCRIPTS
|
|
263
|
+
|
|
264
|
+
Scripts available in `tools/`:
|
|
265
|
+
```
|
|
266
|
+
tools/
|
|
267
|
+
├── header-scan.sh # Linux/Mac headers
|
|
268
|
+
├── header-scan.ps1 # Windows headers
|
|
269
|
+
└── security-scan.ps1 # Windows ALL-IN-ONE
|
|
270
|
+
```
|
|
271
|
+
|
|
272
|
+
Checklists available in `checklists/`:
|
|
273
|
+
```
|
|
274
|
+
checklists/
|
|
275
|
+
├── headers.md # 9 headers detail
|
|
276
|
+
├── owasp.md # OWASP Top 10
|
|
277
|
+
├── ports.md # Port scanning
|
|
278
|
+
└── injection.md # All injection types
|
|
279
|
+
```
|
|
280
|
+
|
|
281
|
+
---
|
|
282
|
+
|
|
283
|
+
## 🚀 QUICK COMMANDS
|
|
284
|
+
|
|
285
|
+
### Security Headers
|
|
286
|
+
```bash
|
|
287
|
+
# Linux/Mac
|
|
288
|
+
chmod +x tools/header-scan.sh
|
|
289
|
+
./tools/header-scan.sh https://target.com
|
|
290
|
+
|
|
291
|
+
# Windows PowerShell
|
|
292
|
+
.\tools\header-scan.ps1 -Target https://target.com
|
|
293
|
+
```
|
|
294
|
+
|
|
295
|
+
### Port Scanning
|
|
296
|
+
```bash
|
|
297
|
+
# Nmap quick
|
|
298
|
+
nmap -sV -p 21,22,80,443,3306,5432,8080 target.com
|
|
299
|
+
|
|
300
|
+
# Full scan
|
|
301
|
+
nmap -p- -sV target.com
|
|
302
|
+
|
|
303
|
+
# Nmap with scripts
|
|
304
|
+
nmap -sC -sV -p- target.com
|
|
305
|
+
```
|
|
306
|
+
|
|
307
|
+
### Vulnerability Scanning
|
|
308
|
+
```bash
|
|
309
|
+
# Nuclei
|
|
310
|
+
nuclei -u https://target.com
|
|
311
|
+
|
|
312
|
+
# SQLMap
|
|
313
|
+
sqlmap -u "https://target.com/search?q=1" --batch
|
|
314
|
+
|
|
315
|
+
# Dalfox XSS
|
|
316
|
+
dalfox url https://target.com/search?q=test
|
|
317
|
+
|
|
318
|
+
# Commix
|
|
319
|
+
commix -u "http://target.com/ping?ip=127.0.0.1"
|
|
320
|
+
```
|
|
321
|
+
|
|
322
|
+
### Full Scan
|
|
323
|
+
```powershell
|
|
324
|
+
# Windows - All in one
|
|
325
|
+
.\tools\security-scan.ps1 -Target https://target.com
|
|
326
|
+
```
|
|
327
|
+
|
|
328
|
+
---
|
|
329
|
+
|
|
330
|
+
## 📊 OUTPUT FORMAT
|
|
331
|
+
|
|
332
|
+
### Header Score (0-100)
|
|
333
|
+
```
|
|
334
|
+
A (90-100): Excellent
|
|
335
|
+
B (70-89): Good
|
|
336
|
+
C (50-69): Needs Improvement
|
|
337
|
+
D (30-49): Poor
|
|
338
|
+
F (0-29): Critical
|
|
339
|
+
```
|
|
340
|
+
|
|
341
|
+
### Vulnerability Severity
|
|
342
|
+
```
|
|
343
|
+
🔴 CRITICAL → Fix immediately
|
|
344
|
+
🟠 HIGH → Fix within 1 week
|
|
345
|
+
🟡 MEDIUM → Fix within 1 month
|
|
346
|
+
🟢 LOW/INFO → Fix when possible
|
|
347
|
+
```
|
|
348
|
+
|
|
349
|
+
### Report File
|
|
350
|
+
**Format:** `site/[domain]-[YYYY-MM-DD].md`
|
|
351
|
+
|
|
352
|
+
---
|
|
353
|
+
|
|
354
|
+
## ⚠️ IMPORTANT REMINDERS
|
|
355
|
+
|
|
356
|
+
1. **ONLY test targets you own or have written permission for**
|
|
357
|
+
2. **Document all findings with evidence**
|
|
358
|
+
3. **Use responsible disclosure for bugs found**
|
|
359
|
+
4. **Respect rate limits to avoid DoS**
|
|
360
|
+
5. **Always save reports to site/[domain]-[date].md**
|
|
361
|
+
|
|
362
|
+
---
|
|
363
|
+
|
|
364
|
+
## 🆘 HELP COMMANDS
|
|
365
|
+
|
|
366
|
+
If user asks:
|
|
367
|
+
- "apa bisa ini?" → Show CAPABILITIES OVERVIEW
|
|
368
|
+
- "cara pakai" → Show QUICK COMMANDS
|
|
369
|
+
- "test sekarang" → Start the test workflow
|
|
370
|
+
- "check [target]" → Start security scan + save to site/[domain]-[date].md
|
|
371
|
+
- "scan headers" → Run header scan
|
|
372
|
+
- "test SQL injection" → Load SQLi payloads
|
|
373
|
+
- "complete checklist" → Show COMPLETE TEST CHECKLIST
|
|
374
|
+
|
|
375
|
+
---
|
|
376
|
+
|
|
377
|
+
## 📝 EXAMPLES OF TRIGGER PHRASES
|
|
378
|
+
|
|
379
|
+
```
|
|
380
|
+
User: "pentest untuk website ini: example.com"
|
|
381
|
+
→ Load SKILL → Start full pentest workflow → Generate site/example.com-2025-07-05.md
|
|
382
|
+
|
|
383
|
+
User: "security audit untuk target.com"
|
|
384
|
+
→ Load SKILL → Run all tests → Generate site/target.com-2025-07-05.md
|
|
385
|
+
|
|
386
|
+
User: "OWASP check untuk API"
|
|
387
|
+
→ Load SKILL → Run OWASP Top 10 checklist
|
|
388
|
+
|
|
389
|
+
User: "scan subdomain ini: api.target.com"
|
|
390
|
+
→ Load SKILL → Run all tests → Generate site/api.target.com-2025-07-05.md
|
|
391
|
+
```
|
|
392
|
+
|
|
393
|
+
---
|
|
394
|
+
|
|
395
|
+
## ✅ SKILL READY
|
|
396
|
+
|
|
397
|
+
**Status:** ACTIVE & READY FOR USE
|
|
398
|
+
**Version:** 2.0
|
|
399
|
+
**Author:** Rz (@soulofzephir)
|
|
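Review bot: Step 1 "Confirm Scope" records authorization as a free-text self-assertion (`3. Authorization: [User owns this / Has permission]`) and nothing in the workflow gates Step 2 on it, yet the Quick Commands section runs active exploitation tools directly (`sqlmap -u "https://target.com/search?q=1" --batch`, plus commix and dalfox) and the help command `"check [target]" → Start security scan` launches the whole thing from a single phrase. Require the scope and the authorization evidence to be written into the report before any Phase 3 or later test runs, and say plainly that `nmap -p- -sV` over all 65535 ports and sqlmap's automated injection are intrusive, which otherwise contradicts reminder 4 "Respect rate limits to avoid DoS". The report path `site/[domain]-[YYYY-MM-DD].md` is assembled from user-typed target text and this hunk shows no validation of it, so the domain should be restricted to hostname characters before it becomes a filename. Smaller points in the same hunk: Phase 6 has "SSTRF (Server-Side Request Forgery)", which should read SSRF and duplicates A10 in Phase 9; "CORS misconfiguration" is listed in Phases 8, 9 and 10; Phase 4 should reject SSLv2 as well as SSLv3, TLS 1.0 and TLS 1.1; and the capabilities table promises "9 critical headers" while Phase 2 lists ten items and the headers checklist file adds X-XSS-Protection, so the three counts should be reconciled.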
@@ -0,0 +1,286 @@
|
|
|
1
|
+
# Security Headers Checklist
|
|
2
|
+
|
|
3
|
+
## 🔒 Critical Security Headers
|
|
4
|
+
|
|
5
|
+
### 1. Content-Security-Policy (CSP)
|
|
6
|
+
|
|
7
|
+
**Purpose:** Prevent XSS, clickjacking, data injection
|
|
8
|
+
|
|
9
|
+
**Good Example:**
|
|
10
|
+
```
|
|
11
|
+
Content-Security-Policy:
|
|
12
|
+
default-src 'self';
|
|
13
|
+
script-src 'self' 'nonce-random123';
|
|
14
|
+
style-src 'self' https://fonts.googleapis.com;
|
|
15
|
+
img-src 'self' data: https:;
|
|
16
|
+
font-src 'self' https://fonts.gstatic.com;
|
|
17
|
+
connect-src 'self';
|
|
18
|
+
frame-ancestors 'none';
|
|
19
|
+
base-uri 'self';
|
|
20
|
+
form-action 'self'
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
**What to Check:**
|
|
24
|
+
- [ ] `default-src 'self'` or restrictive source
|
|
25
|
+
- [ ] No `unsafe-inline` in script-src (XSS risk!)
|
|
26
|
+
- [ ] No `unsafe-eval` in script-src
|
|
27
|
+
- [ ] `frame-ancestors 'none'` or `'self'`
|
|
28
|
+
- [ ] `base-uri` restricted
|
|
29
|
+
- [ ] `form-action` limited
|
|
30
|
+
|
|
31
|
+
**Red Flags:**
|
|
32
|
+
```diff
|
|
33
|
+
- script-src 'unsafe-inline' 'unsafe-eval'
|
|
34
|
+
- default-src *
|
|
35
|
+
- style-src *
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
---
|
|
39
|
+
|
|
40
|
+
### 2. Strict-Transport-Security (HSTS)
|
|
41
|
+
|
|
42
|
+
**Purpose:** Force HTTPS, prevent protocol downgrade
|
|
43
|
+
|
|
44
|
+
**Good Example:**
|
|
45
|
+
```
|
|
46
|
+
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
**What to Check:**
|
|
50
|
+
- [ ] `max-age` minimum 31536000 (1 year)
|
|
51
|
+
- [ ] `includeSubDomains` present
|
|
52
|
+
- [ ] `preload` for maximum protection
|
|
53
|
+
|
|
54
|
+
**Red Flags:**
|
|
55
|
+
```diff
|
|
56
|
+
- max-age=0
|
|
57
|
+
- Missing header entirely
|
|
58
|
+
```
|
|
59
|
+
|
|
60
|
+
---
|
|
61
|
+
|
|
62
|
+
### 3. X-Content-Type-Options
|
|
63
|
+
|
|
64
|
+
**Purpose:** Prevent MIME sniffing
|
|
65
|
+
|
|
66
|
+
**Good:**
|
|
67
|
+
```
|
|
68
|
+
X-Content-Type-Options: nosniff
|
|
69
|
+
```
|
|
70
|
+
|
|
71
|
+
**Check:**
|
|
72
|
+
- [ ] Must be exactly "nosniff"
|
|
73
|
+
- [ ] Should not be missing
|
|
74
|
+
|
|
75
|
+
---
|
|
76
|
+
|
|
77
|
+
### 4. X-Frame-Options
|
|
78
|
+
|
|
79
|
+
**Purpose:** Prevent clickjacking
|
|
80
|
+
|
|
81
|
+
**Good:**
|
|
82
|
+
```
|
|
83
|
+
X-Frame-Options: DENY
|
|
84
|
+
# or
|
|
85
|
+
X-Frame-Options: SAMEORIGIN
|
|
86
|
+
```
|
|
87
|
+
|
|
88
|
+
**What to Check:**
|
|
89
|
+
- [ ] Not set to ALLOWALL (dangerous!)
|
|
90
|
+
- [ ] Missing = vulnerable
|
|
91
|
+
|
|
92
|
+
**Red Flags:**
|
|
93
|
+
```diff
|
|
94
|
+
- X-Frame-Options: ALLOWALL
|
|
95
|
+
```
|
|
96
|
+
|
|
97
|
+
---
|
|
98
|
+
|
|
99
|
+
### 5. X-XSS-Protection
|
|
100
|
+
|
|
101
|
+
**Purpose:** Legacy browser XSS filter (deprecated but still useful)
|
|
102
|
+
|
|
103
|
+
**Good:**
|
|
104
|
+
```
|
|
105
|
+
X-XSS-Protection: 1; mode=block
|
|
106
|
+
```
|
|
107
|
+
|
|
108
|
+
**What to Check:**
|
|
109
|
+
- [ ] Set to `1; mode=block` not just `0` (disabled)
|
|
110
|
+
|
|
111
|
+
---
|
|
112
|
+
|
|
113
|
+
### 6. Referrer-Policy
|
|
114
|
+
|
|
115
|
+
**Purpose:** Control referrer information leakage
|
|
116
|
+
|
|
117
|
+
**Good:**
|
|
118
|
+
```
|
|
119
|
+
Referrer-Policy: strict-origin-when-cross-origin
|
|
120
|
+
# or stricter:
|
|
121
|
+
Referrer-Policy: no-referrer
|
|
122
|
+
```
|
|
123
|
+
|
|
124
|
+
**What to Check:**
|
|
125
|
+
- [ ] Not `no-referrer-when-downgrade` (leaks HTTPS→HTTP)
|
|
126
|
+
- [ ] Not `unsafe-url` (leaks everything!)
|
|
127
|
+
|
|
128
|
+
**Ranking (best to worst):**
|
|
129
|
+
1. `no-referrer`
|
|
130
|
+
2. `strict-origin-when-cross-origin`
|
|
131
|
+
3. `same-origin`
|
|
132
|
+
4. `origin`
|
|
133
|
+
5. `strict-origin`
|
|
134
|
+
6. `no-referrer-when-downgrade` ⚠️
|
|
135
|
+
7. `origin-when-cross-origin`
|
|
136
|
+
8. `unsafe-url` ❌
|
|
137
|
+
|
|
138
|
+
---
|
|
139
|
+
|
|
140
|
+
### 7. Permissions-Policy (formerly Feature-Policy)
|
|
141
|
+
|
|
142
|
+
**Purpose:** Disable dangerous browser features
|
|
143
|
+
|
|
144
|
+
**Good:**
|
|
145
|
+
```
|
|
146
|
+
Permissions-Policy:
|
|
147
|
+
geolocation=(),
|
|
148
|
+
microphone=(),
|
|
149
|
+
camera=(),
|
|
150
|
+
payment=(self)
|
|
151
|
+
```
|
|
152
|
+
|
|
153
|
+
**What to Check:**
|
|
154
|
+
- [ ] Camera/microphone disabled if not needed
|
|
155
|
+
- [ ] Geolocation restricted
|
|
156
|
+
- [ ] USB not exposed
|
|
157
|
+
- [ ] No autoplay audio
|
|
158
|
+
|
|
159
|
+
---
|
|
160
|
+
|
|
161
|
+
### 8. Cache-Control
|
|
162
|
+
|
|
163
|
+
**Purpose:** Prevent sensitive data caching
|
|
164
|
+
|
|
165
|
+
**For sensitive pages:**
|
|
166
|
+
```
|
|
167
|
+
Cache-Control: no-store, no-cache, must-revalidate, private
|
|
168
|
+
Pragma: no-cache
|
|
169
|
+
```
|
|
170
|
+
|
|
171
|
+
**Check:**
|
|
172
|
+
- [ ] Login pages = no-store
|
|
173
|
+
- [ ] User data pages = no-store
|
|
174
|
+
- [ ] API responses with PII = no-store
|
|
175
|
+
|
|
176
|
+
---
|
|
177
|
+
|
|
178
|
+
### 9. Cross-Origin Policies
|
|
179
|
+
|
|
180
|
+
```
|
|
181
|
+
Cross-Origin-Opener-Policy: same-origin
|
|
182
|
+
Cross-Origin-Resource-Policy: same-origin
|
|
183
|
+
Cross-Origin-Embedder-Policy: require-corp
|
|
184
|
+
```
|
|
185
|
+
|
|
186
|
+
---
|
|
187
|
+
|
|
188
|
+
## ⚠️ Information Leakage Headers (Should NOT expose)
|
|
189
|
+
|
|
190
|
+
### Server Information
|
|
191
|
+
|
|
192
|
+
**Bad (reveals version):**
|
|
193
|
+
```
|
|
194
|
+
Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f
|
|
195
|
+
X-Powered-By: PHP/7.4.3
|
|
196
|
+
X-AspNet-Version: 4.0.30319
|
|
197
|
+
```
|
|
198
|
+
|
|
199
|
+
**Good:**
|
|
200
|
+
```
|
|
201
|
+
Server: nginx
|
|
202
|
+
# or
|
|
203
|
+
Server: Apache
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
**Check:**
|
|
207
|
+
- [ ] Server header generic (no version)
|
|
208
|
+
- [ ] X-Powered-By removed or hidden
|
|
209
|
+
- [ ] X-AspNet-Version removed
|
|
210
|
+
|
|
211
|
+
---
|
|
212
|
+
|
|
213
|
+
## 📊 Header Security Score Calculation
|
|
214
|
+
|
|
215
|
+
| Header | Points |
|
|
216
|
+
|--------|--------|
|
|
217
|
+
| CSP (strict) | 20 |
|
|
218
|
+
| HSTS (max-age ≥ 31536000) | 15 |
|
|
219
|
+
| X-Content-Type-Options | 10 |
|
|
220
|
+
| X-Frame-Options | 10 |
|
|
221
|
+
| Referrer-Policy (strict) | 10 |
|
|
222
|
+
| Permissions-Policy | 10 |
|
|
223
|
+
| Cache-Control (sensitive pages) | 10 |
|
|
224
|
+
| No info leakage (Server, X-Powered-By) | 15 |
|
|
225
|
+
|
|
226
|
+
**Score:**
|
|
227
|
+
- 90-100: A (Excellent)
|
|
228
|
+
- 70-89: B (Good)
|
|
229
|
+
- 50-69: C (Needs improvement)
|
|
230
|
+
- 30-49: D (Poor)
|
|
231
|
+
- 0-29: F (Critical issues)
|
|
232
|
+
|
|
233
|
+
---
|
|
234
|
+
|
|
235
|
+
## 🔧 Quick Test Commands
|
|
236
|
+
|
|
237
|
+
```bash
|
|
238
|
+
# Check all headers
|
|
239
|
+
curl -I -s https://target.com
|
|
240
|
+
|
|
241
|
+
# Specific header check
|
|
242
|
+
curl -sD - https://target.com | grep -iE "csp|hsts|x-frame|x-content|server"
|
|
243
|
+
|
|
244
|
+
# Full verbose
|
|
245
|
+
curl -v -s https://target.com 2>&1 | grep -iE "^< |server|x-powered"
|
|
246
|
+
|
|
247
|
+
# Check CSP with report-uri
|
|
248
|
+
curl -s https://target.com -I | grep -i content-security
|
|
249
|
+
|
|
250
|
+
# Test missing headers script
|
|
251
|
+
#!/bin/bash
|
|
252
|
+
TARGET=$1
|
|
253
|
+
echo "Checking headers for: $TARGET"
|
|
254
|
+
curl -I -s $TARGET | awk '/^HTTP/ {print "\n["$0"]"}
|
|
255
|
+
/[Ss]erver/ {print "⚠️ "$0}
|
|
256
|
+
/[Xx]-[Pp]owered/ {print "⚠️ "$0}
|
|
257
|
+
/[Ss]trict-[Tt]ransport/ {print "✅ "$0}
|
|
258
|
+
/[Xx]-[Cc]ontent-[Tt]ype/ {print "✅ "$0}
|
|
259
|
+
/[Xx]-[Ff]rame/ {print "✅ "$0}
|
|
260
|
+
/[Cc]ontent-[Ss]ecurity/ {print "✅ "$0}
|
|
261
|
+
/[Rr]eferrer/ {print "✅ "$0}
|
|
262
|
+
'
|
|
263
|
+
```
|
|
264
|
+
|
|
265
|
+
---
|
|
266
|
+
|
|
267
|
+
## 📋 Header Remediation Quick Reference
|
|
268
|
+
|
|
269
|
+
| Header | Apache (.htaccess) | Nginx |
|
|
270
|
+
|--------|-------------------|-------|
|
|
271
|
+
| CSP | Header set Content-Security-Policy "..." | add_header Content-Security-Policy "..."; |
|
|
272
|
+
| HSTS | Header always set Strict-Transport-Security "max-age=..." | add_header Strict-Transport-Security "max-age=..."; |
|
|
273
|
+
| X-Frame | Header set X-Frame-Options "DENY" | add_header X-Frame-Options "DENY"; |
|
|
274
|
+
| X-Content-Type | Header set X-Content-Type-Options "nosniff" | add_header X-Content-Type-Options "nosniff"; |
|
|
275
|
+
| Remove Server | Header unset Server | server_tokens off; |
|
|
276
|
+
| Remove X-Powered-By | Header unset X-Powered-By | fastcgi_hide_header X-Powered-By; |
|
|
277
|
+
|
|
278
|
+
---
|
|
279
|
+
|
|
280
|
+
## 🛡️ Tools for Header Analysis
|
|
281
|
+
|
|
282
|
+
1. **securityheaders.com** - Online scanner with grade
|
|
283
|
+
2. **observatory.mozilla.org** - Mozilla's header analyzer
|
|
284
|
+
3. **csp-evaluator.google** - CSP specifically
|
|
285
|
+
4. **ssllabs.com** - SSL/TLS + some headers
|
|
286
|
+
5. **curl** - Manual check
|
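Review bot: Section 5 recommends `X-XSS-Protection: 1; mode=block` and calls the filter "still useful", but the XSS Auditor was removed from Chromium in Chrome 78 and from Chromium-based Edge, Firefox never implemented it, and the filter modes were themselves abusable for cross-site leaks, so current OWASP guidance is to send `X-XSS-Protection: 0` or omit the header and rely on CSP; the check should flag `1; mode=block` as legacy rather than reward it, and it correctly gets no points in the score table, which should be stated. The "Specific header check" command `curl -sD - https://target.com | grep -iE "csp|hsts|x-frame|x-content|server"` can never match the CSP or HSTS headers, whose wire names are Content-Security-Policy and Strict-Transport-Security; grep for `content-security|strict-transport` instead. In the awk script, `curl -I -s $TARGET` leaves `$TARGET` unquoted, and `-I` sends a HEAD request, which some servers answer with a different header set than GET, so a GET with `-o /dev/null -D -` is the more faithful probe. The Referrer-Policy ranking puts `origin` (4) above `strict-origin` (5), but `origin` still sends the origin on an HTTPS to HTTP downgrade while `strict-origin` does not, so those two should swap, and `origin-when-cross-origin` has the same downgrade leak. In the remediation table, `Header unset Server` does not remove Apache's Server header, because httpd appends it after mod_headers runs; `ServerTokens Prod` in the server configuration is the supported way to reduce it to "Apache", and it is not allowed in .htaccess. For nginx, add the caveat that `add_header` directives inside a `location` block replace rather than extend those inherited from `server`, so the security headers silently vanish in any location that sets its own. Minor: `X-Frame-Options: ALLOWALL` is not a defined value and browsers ignore it, which is the same as the header being absent, so "missing or unrecognised value" is the accurate red flag; and the CSP evaluator is at csp-evaluator.withgoogle.com.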