H2T: A tool that scans website security and gives security best-practice recommendations
source link: https://www.freebuf.com/sectool/199607.html?amp%3Butm_medium=referral
Today we introduce an open-source tool called h2t, which researchers can use to run a security scan against a target site and obtain professional security best-practice recommendations.
Although h2t is very simple to use, it can go a long way toward helping system administrators improve the security of a website. Currently, h2t inspects a site's HTTP headers and gives security best-practice recommendations.
Dependencies
Installation
$ git clone https://github.com/gildasio/h2t
$ cd h2t
$ pip install -r requirements.txt
$ ./h2t.py -h
Usage
h2t provides the following two subcommands: list and scan.
$ ./h2t.py -h
usage: h2t.py [-h] {list,l,scan,s} ...

h2t - HTTP Hardening Tool

positional arguments:
  {list,l,scan,s}  sub-command help
    list (l)       show a list of available headers in h2t catalog (that can be used in scan subcommand -H option)
    scan (s)       scan url to hardening headers

optional arguments:
  -h, --help       show this help message and exit
The list subcommand
The list subcommand lists every header h2t supports, together with a description and security best-practice recommendations:
$ ./h2t.py list -h
usage: h2t.py list [-h] [-p PRINT [PRINT ...]] [-B] [-a | -H HEADERS [HEADERS ...]]

optional arguments:
  -h, --help            show this help message and exit
  -p PRINT [PRINT ...], --print PRINT [PRINT ...]
                        a list of additional information about the headers to print. For now there are two options: description and refs (you can use either or both)
  -B, --no-banner       don't print the h2t banner
  -a, --all             list all available headers [default]
  -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]
                        a list of headers to look for in the h2t catalog
The scan subcommand
The scan subcommand runs a security scan against the target site and collects its response headers:
$ ./h2t.py scan -h
usage: h2t.py scan [-h] [-v] [-a] [-g] [-b] [-H HEADERS [HEADERS ...]]
                   [-p PRINT [PRINT ...]] [-i IGNORE_HEADERS [IGNORE_HEADERS ...]]
                   [-B] [-E] [-n] [-u USER_AGENT] [-r | -s]
                   url

positional arguments:
  url                   url to look for

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         increase output verbosity: -v print response headers, -vv print response and request headers
  -a, --all             scan all cataloged headers [default]
  -g, --good            scan good headers only
  -b, --bad             scan bad headers only
  -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]
                        scan only these headers (see available in list sub-command)
  -p PRINT [PRINT ...], --print PRINT [PRINT ...]
                        a list of additional information about the headers to print. For now there are two options: description and refs (you can use either or both)
  -i IGNORE_HEADERS [IGNORE_HEADERS ...], --ignore-headers IGNORE_HEADERS [IGNORE_HEADERS ...]
                        a list of headers to ignore in the results
  -B, --no-banner       don't print the h2t banner
  -E, --no-explanation  don't print the h2t output explanation
  -o {normal,csv,json}, --output {normal,csv,json}
                        choose which output format to use (available: normal, csv, json)
  -n, --no-redirect     don't follow http redirects
  -u USER_AGENT, --user-agent USER_AGENT
                        set user agent to scan request
  -k, --insecure        don't verify SSL certificate as valid
  -r, --recommendation  output only recommendations [default]
  -s, --status          output actual status (eg: existent headers only)
Output
At present, the tool has only one output mode, "normal":
[+] Red headers are headers with security concerns: they may expose your site to risk or leak sensitive data, and we recommend fixing them.
[+] Yellow headers are good headers that the site is not using; we recommend adopting them.
[-] Green headers are good headers that your site is already using.
Sample output
Recommended: set Cookie HttpOnly
Recommended: send Cookie over SSL/TLS only
Recommended: remove the Server header
Recommended: use Referrer-Policy
X-Frame-Options already in use, no further action needed
X-XSS-Protection already in use, no further action needed
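To make the three output categories and the sample recommendations above concrete, here is an added example (not h2t's own code, and not from the h2t project) that classifies a set of HTTP response headers the same way: bad headers that should be removed, good headers that are missing, good headers already present, and Set-Cookie values lacking HttpOnly or Secure. The catalog of "good" and "bad" headers below is an assumed, deliberately small one; h2t's real catalog lives in its repository. The sample headers are constructed for the example, and fetch_headers is an assumed helper for running the same check against a live URL.

```python
"""Minimal HTTP header hardening check, modelled on h2t's output categories.

Added example, not h2t's code. The header catalog here is an assumption for
illustration; consult h2t's own catalog (./h2t.py list) for the real list.
"""
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Assumed "good" catalog: presence of these headers hardens the site.
GOOD_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security",
    "content-security-policy": "Content-Security-Policy",
    "x-content-type-options": "X-Content-Type-Options",
    "x-frame-options": "X-Frame-Options",
    "referrer-policy": "Referrer-Policy",
    "x-xss-protection": "X-XSS-Protection",
}

# Assumed "bad" catalog: these headers leak implementation details.
BAD_HEADERS = {
    "server": "Server",
    "x-powered-by": "X-Powered-By",
    "x-aspnet-version": "X-AspNet-Version",
}


def check_cookie(value: str) -> List[str]:
    """Return the hardening attributes missing from one Set-Cookie value."""
    # Attributes follow the first ';' (name=value comes first); compare case-insensitively.
    attrs = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    return missing


def scan_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Classify raw (name, value) response headers into h2t-like buckets."""
    present = {name.lower() for name, _ in headers}
    result: Dict[str, List[str]] = {"bad": [], "missing": [], "good": [], "cookies": []}
    for key, display in BAD_HEADERS.items():
        if key in present:
            result["bad"].append(f"Remove {display} header")
    for key, display in GOOD_HEADERS.items():
        if key in present:
            result["good"].append(f"{display} already in use, no action needed")
        else:
            result["missing"].append(f"Use {display}")
    # Set-Cookie may repeat, so walk the raw list rather than a dict.
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            for attr in check_cookie(value):
                result["cookies"].append(f"Use Cookie {attr} on {cookie_name}")
    return result


def format_report(result: Dict[str, List[str]]) -> str:
    """Render the buckets with h2t-style [+]/[-] markers."""
    lines = [f"[+] {line}" for line in result["bad"] + result["cookies"] + result["missing"]]
    lines += [f"[-] {line}" for line in result["good"]]
    return "\n".join(lines)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError on 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_headers(url: str, follow_redirects: bool = True) -> List[Tuple[str, str]]:
    """Assumed helper: fetch a URL and return its raw response headers."""
    opener = urllib.request.build_opener(*([] if follow_redirects else [_NoRedirect()]))
    req = urllib.request.Request(url, headers={"User-Agent": "header-check-example"})
    try:
        with opener.open(req, timeout=10) as resp:
            return list(resp.headers.items())
    except urllib.error.HTTPError as err:
        # Error and redirect responses still carry headers worth checking.
        return list(err.headers.items())


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Server", "nginx/1.18.0"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Options", "DENY"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print(format_report(scan_headers(SAMPLE_HEADERS)))
```

Run as-is the script reports the constructed sample; call fetch_headers on a site you administer to feed real headers into scan_headers. One caveat when reading the X-XSS-Protection line: current browsers have dropped the XSS auditor, and OWASP now recommends setting that header to 0 or omitting it, so treat a "present" result there as informational rather than as hardening.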
Screenshots
Listing the h2t catalog:
Reading scan targets from a file:
Scanning a URL:
Scanning in verbose mode:
Header information: