This repository was archived by the owner on May 21, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathindex.html
266 lines (227 loc) · 29.5 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This file was created with the aha Ansi HTML Adapter. https://github.com/theZiz/aha -->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="application/xml+xhtml; charset=UTF-8" />
<title>stdin</title>
</head>
<body>
<pre>
<span style="filter: contrast(70%) brightness(190%);color:blue;">[+] Execute 'validate_http_security_response_headers'</span>
• HTTP security response headers test suites (/tmp/venom_security_headers_tests_suite.yml)
• Strict-Transport-Security FAILURE
Testcase "Strict-Transport-Security", step #0: Assertion "result.headers.strict-transport-security ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:29)
Testcase "Strict-Transport-Security", step #0: Assertion "result.headers.strict-transport-security ShouldContainSubstring \"includeSubDomains\"" failed. expected '' to contain 'includeSubDomains' but it wasn't (/tmp/venom_security_headers_tests_suite.yml:30)
Testcase "Strict-Transport-Security", step #0: Assertion "result.headers.strict-transport-security ShouldContainSubstring \"max-age=\"" failed. expected '' to contain 'max-age=' but it wasn't (/tmp/venom_security_headers_tests_suite.yml:31)
Testcase "Strict-Transport-Security", step #0: Assertion "result.headers.strict-transport-security ShouldContainSubstring \"preload\"" failed. expected '' to contain 'preload' but it wasn't (/tmp/venom_security_headers_tests_suite.yml:33)
• X-Frame-Options FAILURE
Testcase "X-Frame-Options", step #0: Assertion "result.headers.x-frame-options ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:44)
Testcase "X-Frame-Options", step #0: Assertion "result.headers.x-frame-options ShouldEqual \"deny\"" failed. expected: deny got: <nil> (/tmp/venom_security_headers_tests_suite.yml:45)
• X-Content-Type-Options FAILURE
Testcase "X-Content-Type-Options", step #0: Assertion "result.headers.x-content-type-options ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:56)
Testcase "X-Content-Type-Options", step #0: Assertion "result.headers.x-content-type-options ShouldEqual \"nosniff\"" failed. expected: nosniff got: <nil> (/tmp/venom_security_headers_tests_suite.yml:57)
• Content-Security-Policy FAILURE
Testcase "Content-Security-Policy", step #0: Assertion "result.headers.content-security-policy ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:68)
• X-Permitted-Cross-Domain-Policies FAILURE
Testcase "X-Permitted-Cross-Domain-Policies", step #0: Assertion "result.headers.x-permitted-cross-domain-policies ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:80)
Testcase "X-Permitted-Cross-Domain-Policies", step #0: Assertion "result.headers.x-permitted-cross-domain-policies ShouldEqual \"none\"" failed. expected: none got: <nil> (/tmp/venom_security_headers_tests_suite.yml:81)
• Referrer-Policy FAILURE
Testcase "Referrer-Policy", step #0: Assertion "result.headers.referrer-policy ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:92)
Testcase "Referrer-Policy", step #0: Assertion "result.headers.referrer-policy ShouldEqual \"no-referrer\"" failed. expected: no-referrer got: <nil> (/tmp/venom_security_headers_tests_suite.yml:93)
• Clear-Site-Data FAILURE
Testcase "Clear-Site-Data", step #0: Assertion "result.statuscode ShouldEqual 200" failed. expected: 200 got: 404 (/tmp/venom_security_headers_tests_suite.yml:103)
Testcase "Clear-Site-Data", step #0: Assertion "result.headers.clear-site-data ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:104)
Testcase "Clear-Site-Data", step #0: Assertion "result.headers.clear-site-data ShouldContainSubstring \"cookies\"" failed. expected '' to contain 'cookies' but it wasn't (/tmp/venom_security_headers_tests_suite.yml:105)
Testcase "Clear-Site-Data", step #0: Assertion "result.headers.clear-site-data ShouldContainSubstring \"storage\"" failed. expected '' to contain 'storage' but it wasn't (/tmp/venom_security_headers_tests_suite.yml:106)
• Cross-Origin-Embedder-Policy FAILURE
Testcase "Cross-Origin-Embedder-Policy", step #0: Assertion "result.headers.cross-origin-embedder-policy ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:117)
Testcase "Cross-Origin-Embedder-Policy", step #0: Assertion "result.headers.cross-origin-embedder-policy ShouldEqual \"require-corp\"" failed. expected: require-corp got: <nil> (/tmp/venom_security_headers_tests_suite.yml:118)
• Cross-Origin-Opener-Policy FAILURE
Testcase "Cross-Origin-Opener-Policy", step #0: Assertion "result.headers.cross-origin-opener-policy ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:129)
Testcase "Cross-Origin-Opener-Policy", step #0: Assertion "result.headers.cross-origin-opener-policy ShouldEqual \"same-origin\"" failed. expected: same-origin got: <nil> (/tmp/venom_security_headers_tests_suite.yml:130)
• Cross-Origin-Resource-Policy FAILURE
Testcase "Cross-Origin-Resource-Policy", step #0: Assertion "result.headers.cross-origin-resource-policy ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:141)
Testcase "Cross-Origin-Resource-Policy", step #0: Assertion "result.headers.cross-origin-resource-policy ShouldEqual \"same-origin\"" failed. expected: same-origin got: <nil> (/tmp/venom_security_headers_tests_suite.yml:142)
• Permissions-Policy FAILURE
Testcase "Permissions-Policy", step #0: Assertion "result.headers.permissions-policy ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:153)
• Cache-Control FAILURE
Testcase "Cache-Control", step #0: Assertion "result.headers.cache-control ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:165)
Testcase "Cache-Control", step #0: Assertion "result.headers.cache-control ShouldEqual \"no-store\"" failed. expected: no-store got: <nil> (/tmp/venom_security_headers_tests_suite.yml:166)
• Feature-Policy FAILURE
[info] This header was split into Permissions-Policy and Document-Policy and will be considered deprecated once all impacted features are moved off of feature policy. (/tmp/venom_security_headers_tests_suite.yml:176) (/tmp/venom_security_headers_tests_suite.yml:176)
Testcase "Feature-Policy", step #0: Assertion "result.headers.feature-policy ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:180)
• Public-Key-Pins SUCCESS
[info] This header has been deprecated by all major browsers and is no longer recommended. Avoid using it, and update existing code if possible! (/tmp/venom_security_headers_tests_suite.yml:188) (/tmp/venom_security_headers_tests_suite.yml:188)
• Expect-CT FAILURE
[info] This header will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021. (/tmp/venom_security_headers_tests_suite.yml:199) (/tmp/venom_security_headers_tests_suite.yml:199)
Testcase "Expect-CT", step #0: Assertion "result.headers.expect-ct ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:203)
Testcase "Expect-CT", step #0: Assertion "result.headers.expect-ct ShouldContainSubstring \"enforce\"" failed. expected '' to contain 'enforce' but it wasn't (/tmp/venom_security_headers_tests_suite.yml:204)
Testcase "Expect-CT", step #0: Assertion "result.headers.expect-ct ShouldContainSubstring \"max-age=\"" failed. expected '' to contain 'max-age=' but it wasn't (/tmp/venom_security_headers_tests_suite.yml:205)
• X-Xss-Protection FAILURE
[info] The X-XSS-Protection header has been deprecated by modern browsers and its use can introduce additional security issues on the client side. (/tmp/venom_security_headers_tests_suite.yml:213) (/tmp/venom_security_headers_tests_suite.yml:213)
Testcase "X-Xss-Protection", step #0: Assertion "result.headers.x-xss-protection ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:217)
Testcase "X-Xss-Protection", step #0: Assertion "result.headers.x-xss-protection ShouldEqual \"0\"" failed. expected: 0 got: <nil> (/tmp/venom_security_headers_tests_suite.yml:218)
• SecurityHeaders-Rating SKIPPED
<span style="filter: contrast(70%) brightness(190%);color:blue;">[+] Execute 'validate_secure_protocol_usage'</span>
Permanent redirection to a HTTPS protocol is NOT in place.
<span style="filter: contrast(70%) brightness(190%);color:blue;">[+] Execute 'validate_tls_configuration'</span>
<span style="font-weight:bold;">Testing all IPv4 addresses (port 443): </span>46.137.15.86 54.220.192.176 54.73.53.134
-----------------------------------------------------
<span style="color:white;background-color:black;"> Start 2022-03-26 08:52:41 -->> 46.137.15.86:443 (xlm-blogpost-deploy-check.herokuapp.com) <<--</span>
Further IP addresses: 54.73.53.134 54.220.192.176
rDNS (46.137.15.86): ec2-46-137-15-86.eu-west-1.compute.amazonaws.com.
Service detected: HTTP
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing protocols </span><span style="text-decoration:underline;">via sockets except NPN+ALPN </span>
<span style="font-weight:bold;"> SSLv2 </span><span style="font-weight:bold;color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> SSLv3 </span><span style="font-weight:bold;color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> TLS 1 </span>not offered
<span style="font-weight:bold;"> TLS 1.1 </span>not offered
<span style="font-weight:bold;"> TLS 1.2 </span><span style="font-weight:bold;color:green;">offered (OK)</span>
<span style="font-weight:bold;"> TLS 1.3 </span>not offered and downgraded to a weaker protocol
<span style="font-weight:bold;"> NPN/SPDY </span>not offered
<span style="font-weight:bold;"> ALPN/HTTP2 </span>not offered
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing cipher categories </span>
<span style="font-weight:bold;"> NULL ciphers (no encryption) </span><span style="font-weight:bold;color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> Anonymous NULL Ciphers (no authentication) </span><span style="font-weight:bold;color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> Export ciphers (w/o ADH+NULL) </span><span style="font-weight:bold;color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) </span><span style="color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> Triple DES Ciphers / IDEA </span>not offered
<span style="font-weight:bold;"> Obsoleted CBC ciphers (AES, ARIA etc.) </span><span style="font-weight:bold;color:olive;">offered</span>
<span style="font-weight:bold;"> Strong encryption (AEAD ciphers) with no FS </span><span style="color:green;">offered (OK)</span>
<span style="font-weight:bold;"> Forward Secrecy strong encryption (AEAD ciphers) </span><span style="font-weight:bold;color:green;">offered (OK)</span>
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing vulnerabilities </span>
<span style="font-weight:bold;"> Heartbleed</span> (CVE-2014-0160) <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>, no heartbeat extension
<span style="font-weight:bold;"> CCS</span> (CVE-2014-0224) <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> Ticketbleed</span> (CVE-2016-9244), experiment. <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>, reply empty
<span style="font-weight:bold;"> ROBOT </span><span style="font-weight:bold;color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> Secure Renegotiation (RFC 5746) </span><span style="font-weight:bold;color:green;">supported (OK)</span>
<span style="font-weight:bold;"> Secure Client-Initiated Renegotiation </span><span style="color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> CRIME, TLS </span>(CVE-2012-4929) <span style="color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> BREACH</span> (CVE-2013-3587) <span style="color:green;">no gzip/deflate/compress/br HTTP compression (OK) </span> - only supplied "/" tested
<span style="font-weight:bold;"> POODLE, SSL</span> (CVE-2014-3566) <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>, no SSLv3 support
<span style="font-weight:bold;"> TLS_FALLBACK_SCSV</span> (RFC 7507) <span style="color:green;">No fallback possible (OK)</span>, no protocol below TLS 1.2 offered
<span style="font-weight:bold;"> SWEET32</span> (CVE-2016-2183, CVE-2016-6329) <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> FREAK</span> (CVE-2015-0204) <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> DROWN</span> (CVE-2016-0800, CVE-2016-0703) <span style="font-weight:bold;color:green;">not vulnerable on this host and port (OK)</span>
make sure you don't use this certificate elsewhere with SSLv2 enabled services
https://censys.io/ipv4?q=968E97A3C84D9007C9D14F037F84EE527802F36324A73D985B5AB8C738A3899E could help you to find out
<span style="font-weight:bold;"> LOGJAM</span> (CVE-2015-4000), experimental <span style="color:green;">not vulnerable (OK):</span> no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
<span style="font-weight:bold;"> BEAST</span> (CVE-2011-3389) <span style="color:green;">not vulnerable (OK)</span>, no SSL3 or TLS1
<span style="font-weight:bold;"> LUCKY13</span> (CVE-2013-0169), experimental potentially <span style="font-weight:bold;color:olive;">VULNERABLE</span>, uses cipher block chaining (CBC) ciphers with TLS. Check patches
<span style="font-weight:bold;"> Winshock</span> (CVE-2014-6321), experimental <span style="font-weight:bold;color:green;">not vulnerable (OK)</span> - CAMELLIA or ECDHE_RSA GCM ciphers found
<span style="font-weight:bold;"> RC4</span> (CVE-2013-2566, CVE-2015-2808) <span style="color:green;">no RC4 ciphers detected (OK)</span>
<span style="color:white;background-color:black;"> Done 2022-03-26 08:53:23 [ 44s] -->> 46.137.15.86:443 (xlm-blogpost-deploy-check.herokuapp.com) <<--</span>
-----------------------------------------------------
<span style="color:white;background-color:black;"> Start 2022-03-26 08:53:23 -->> 54.220.192.176:443 (xlm-blogpost-deploy-check.herokuapp.com) <<--</span>
Further IP addresses: 54.73.53.134 46.137.15.86
rDNS (54.220.192.176): ec2-54-220-192-176.eu-west-1.compute.amazonaws.com.
Service detected: HTTP
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing protocols </span><span style="text-decoration:underline;">via sockets except NPN+ALPN </span>
<span style="font-weight:bold;"> SSLv2 </span><span style="font-weight:bold;color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> SSLv3 </span><span style="font-weight:bold;color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> TLS 1 </span>not offered
<span style="font-weight:bold;"> TLS 1.1 </span>not offered
<span style="font-weight:bold;"> TLS 1.2 </span><span style="font-weight:bold;color:green;">offered (OK)</span>
<span style="font-weight:bold;"> TLS 1.3 </span>not offered and downgraded to a weaker protocol
<span style="font-weight:bold;"> NPN/SPDY </span>not offered
<span style="font-weight:bold;"> ALPN/HTTP2 </span>not offered
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing cipher categories </span>
<span style="font-weight:bold;"> NULL ciphers (no encryption) </span><span style="font-weight:bold;color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> Anonymous NULL Ciphers (no authentication) </span><span style="font-weight:bold;color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> Export ciphers (w/o ADH+NULL) </span><span style="font-weight:bold;color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) </span><span style="color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> Triple DES Ciphers / IDEA </span>not offered
<span style="font-weight:bold;"> Obsoleted CBC ciphers (AES, ARIA etc.) </span><span style="font-weight:bold;color:olive;">offered</span>
<span style="font-weight:bold;"> Strong encryption (AEAD ciphers) with no FS </span><span style="color:green;">offered (OK)</span>
<span style="font-weight:bold;"> Forward Secrecy strong encryption (AEAD ciphers) </span><span style="font-weight:bold;color:green;">offered (OK)</span>
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing vulnerabilities </span>
<span style="font-weight:bold;"> Heartbleed</span> (CVE-2014-0160) <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>, no heartbeat extension
<span style="font-weight:bold;"> CCS</span> (CVE-2014-0224) <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> Ticketbleed</span> (CVE-2016-9244), experiment. <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>, reply empty
<span style="font-weight:bold;"> ROBOT </span><span style="font-weight:bold;color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> Secure Renegotiation (RFC 5746) </span><span style="font-weight:bold;color:green;">supported (OK)</span>
<span style="font-weight:bold;"> Secure Client-Initiated Renegotiation </span><span style="color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> CRIME, TLS </span>(CVE-2012-4929) <span style="color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> BREACH</span> (CVE-2013-3587) <span style="color:green;">no gzip/deflate/compress/br HTTP compression (OK) </span> - only supplied "/" tested
<span style="font-weight:bold;"> POODLE, SSL</span> (CVE-2014-3566) <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>, no SSLv3 support
<span style="font-weight:bold;"> TLS_FALLBACK_SCSV</span> (RFC 7507) <span style="color:green;">No fallback possible (OK)</span>, no protocol below TLS 1.2 offered
<span style="font-weight:bold;"> SWEET32</span> (CVE-2016-2183, CVE-2016-6329) <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> FREAK</span> (CVE-2015-0204) <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> DROWN</span> (CVE-2016-0800, CVE-2016-0703) <span style="font-weight:bold;color:green;">not vulnerable on this host and port (OK)</span>
make sure you don't use this certificate elsewhere with SSLv2 enabled services
https://censys.io/ipv4?q=968E97A3C84D9007C9D14F037F84EE527802F36324A73D985B5AB8C738A3899E could help you to find out
<span style="font-weight:bold;"> LOGJAM</span> (CVE-2015-4000), experimental <span style="color:green;">not vulnerable (OK):</span> no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
<span style="font-weight:bold;"> BEAST</span> (CVE-2011-3389) <span style="color:green;">not vulnerable (OK)</span>, no SSL3 or TLS1
<span style="font-weight:bold;"> LUCKY13</span> (CVE-2013-0169), experimental potentially <span style="font-weight:bold;color:olive;">VULNERABLE</span>, uses cipher block chaining (CBC) ciphers with TLS. Check patches
<span style="font-weight:bold;"> Winshock</span> (CVE-2014-6321), experimental <span style="font-weight:bold;color:green;">not vulnerable (OK)</span> - CAMELLIA or ECDHE_RSA GCM ciphers found
<span style="font-weight:bold;"> RC4</span> (CVE-2013-2566, CVE-2015-2808) <span style="color:green;">no RC4 ciphers detected (OK)</span>
<span style="color:white;background-color:black;"> Done 2022-03-26 08:54:06 [ 87s] -->> 54.220.192.176:443 (xlm-blogpost-deploy-check.herokuapp.com) <<--</span>
-----------------------------------------------------
<span style="color:white;background-color:black;"> Start 2022-03-26 08:54:06 -->> 54.73.53.134:443 (xlm-blogpost-deploy-check.herokuapp.com) <<--</span>
Further IP addresses: 54.220.192.176 46.137.15.86
rDNS (54.73.53.134): ec2-54-73-53-134.eu-west-1.compute.amazonaws.com.
Service detected: HTTP
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing protocols </span><span style="text-decoration:underline;">via sockets except NPN+ALPN </span>
<span style="font-weight:bold;"> SSLv2 </span><span style="font-weight:bold;color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> SSLv3 </span><span style="font-weight:bold;color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> TLS 1 </span>not offered
<span style="font-weight:bold;"> TLS 1.1 </span>not offered
<span style="font-weight:bold;"> TLS 1.2 </span><span style="font-weight:bold;color:green;">offered (OK)</span>
<span style="font-weight:bold;"> TLS 1.3 </span>not offered and downgraded to a weaker protocol
<span style="font-weight:bold;"> NPN/SPDY </span>not offered
<span style="font-weight:bold;"> ALPN/HTTP2 </span>not offered
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing cipher categories </span>
<span style="font-weight:bold;"> NULL ciphers (no encryption) </span><span style="font-weight:bold;color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> Anonymous NULL Ciphers (no authentication) </span><span style="font-weight:bold;color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> Export ciphers (w/o ADH+NULL) </span><span style="font-weight:bold;color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) </span><span style="color:green;">not offered (OK)</span>
<span style="font-weight:bold;"> Triple DES Ciphers / IDEA </span>not offered
<span style="font-weight:bold;"> Obsoleted CBC ciphers (AES, ARIA etc.) </span><span style="font-weight:bold;color:olive;">offered</span>
<span style="font-weight:bold;"> Strong encryption (AEAD ciphers) with no FS </span><span style="color:green;">offered (OK)</span>
<span style="font-weight:bold;"> Forward Secrecy strong encryption (AEAD ciphers) </span><span style="font-weight:bold;color:green;">offered (OK)</span>
<span style="font-weight:bold;"></span><span style="text-decoration:underline;font-weight:bold;"> Testing vulnerabilities </span>
<span style="font-weight:bold;"> Heartbleed</span> (CVE-2014-0160) <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>, no heartbeat extension
<span style="font-weight:bold;"> CCS</span> (CVE-2014-0224) <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> Ticketbleed</span> (CVE-2016-9244), experiment. <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>, reply empty
<span style="font-weight:bold;"> ROBOT </span><span style="font-weight:bold;color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> Secure Renegotiation (RFC 5746) </span><span style="font-weight:bold;color:green;">supported (OK)</span>
<span style="font-weight:bold;"> Secure Client-Initiated Renegotiation </span><span style="color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> CRIME, TLS </span>(CVE-2012-4929) <span style="color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> BREACH</span> (CVE-2013-3587) <span style="color:green;">no gzip/deflate/compress/br HTTP compression (OK) </span> - only supplied "/" tested
<span style="font-weight:bold;"> POODLE, SSL</span> (CVE-2014-3566) <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>, no SSLv3 support
<span style="font-weight:bold;"> TLS_FALLBACK_SCSV</span> (RFC 7507) <span style="color:green;">No fallback possible (OK)</span>, no protocol below TLS 1.2 offered
<span style="font-weight:bold;"> SWEET32</span> (CVE-2016-2183, CVE-2016-6329) <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> FREAK</span> (CVE-2015-0204) <span style="font-weight:bold;color:green;">not vulnerable (OK)</span>
<span style="font-weight:bold;"> DROWN</span> (CVE-2016-0800, CVE-2016-0703) <span style="font-weight:bold;color:green;">not vulnerable on this host and port (OK)</span>
make sure you don't use this certificate elsewhere with SSLv2 enabled services
https://censys.io/ipv4?q=968E97A3C84D9007C9D14F037F84EE527802F36324A73D985B5AB8C738A3899E could help you to find out
<span style="font-weight:bold;"> LOGJAM</span> (CVE-2015-4000), experimental <span style="color:green;">not vulnerable (OK):</span> no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
<span style="font-weight:bold;"> BEAST</span> (CVE-2011-3389) <span style="color:green;">not vulnerable (OK)</span>, no SSL3 or TLS1
<span style="font-weight:bold;"> LUCKY13</span> (CVE-2013-0169), experimental potentially <span style="font-weight:bold;color:olive;">VULNERABLE</span>, uses cipher block chaining (CBC) ciphers with TLS. Check patches
<span style="font-weight:bold;"> Winshock</span> (CVE-2014-6321), experimental <span style="font-weight:bold;color:green;">not vulnerable (OK)</span> - CAMELLIA or ECDHE_RSA GCM ciphers found
<span style="font-weight:bold;"> RC4</span> (CVE-2013-2566, CVE-2015-2808) <span style="color:green;">no RC4 ciphers detected (OK)</span>
<span style="color:white;background-color:black;"> Done 2022-03-26 08:54:50 [ 131s] -->> 54.73.53.134:443 (xlm-blogpost-deploy-check.herokuapp.com) <<--</span>
-----------------------------------------------------
<span style="font-weight:bold;">Done testing now all IP addresses (on port 443): </span>46.137.15.86 54.220.192.176 54.73.53.134
6 issue(s) found.
<span style="filter: contrast(70%) brightness(190%);color:blue;">[+] Execute 'validate_exposed_content'</span>
/home/runner/work/PostDeploymentSecurityCheck-Study/PostDeploymentSecurityCheck-Study
deploy.key [Status: 200, Size: 356, Words: 7, Lines: 7]
1 excluded item(s) found.
NodeJS Express framework usage disclosed (0 = no): 1
Error handling misconfiguration (0 = no): 0
<span style="filter: contrast(70%) brightness(190%);color:blue;">[+] Execute 'validate_securitytxt_file_presence'</span>
File is present (0 = no): 1
<span style="filter: contrast(70%) brightness(190%);color:blue;">[+] Execute 'validate_waf_presence'</span>
WAF is present (1 = no): 1
<span style="filter: contrast(70%) brightness(190%);color:blue;">[+] Execute 'validate_robotstxt_file_content'</span>
Disallow clause present 2 times (expected 0 time)
<span style="filter: contrast(70%) brightness(190%);color:blue;">[+] Execute 'validate_directory_listing_enabling_status'</span>
Directory listing is enabled.
<span style="filter: contrast(70%) brightness(190%);color:blue;">[+] Cleanup</span>
<span style="filter: contrast(70%) brightness(190%);color:blue;">[+] Global status - RC: 15</span>
<span style="filter: contrast(70%) brightness(190%);color:red;">[!] Issue found</span>
</pre>
</body>
</html>