forked from canada-ca/tracker
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathhttps_scanner.py
More file actions
executable file
·229 lines (179 loc) · 7.34 KB
/
https_scanner.py
File metadata and controls
executable file
·229 lines (179 loc) · 7.34 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
import os
import sys
import time
import requests
import logging
import json
import emoji
import traceback
import asyncio
import signal
import datetime as dt
from scan import https
from starlette.applications import Starlette
from starlette.routing import Route, Mount, WebSocketRoute
from starlette.responses import PlainTextResponse, JSONResponse
# Send log records at INFO level and above to stdout.
logging.basicConfig(stream=sys.stdout, level=logging.INFO)
# Threshold that process_results compares the reported HSTS max-age against;
# smaller values are reported as "HSTS Max Age Too Short".
MIN_HSTS_AGE = 31536000 # one year
# URL that dispatch_results POSTs scan results to.
QUEUE_URL = "http://result-queue.scanners.svc.cluster.local/https"
def dispatch_results(payload, client):
    """Send scan results to the result queue and log that they were sent.

    Args:
        payload: Value handed to the client as the ``json=`` argument.
        client: Object exposing ``post(url, json=...)``.

    Returns:
        None. The response returned by ``client.post`` is not inspected.
    """
    send = client.post
    send(QUEUE_URL, json=payload)
    logging.info("Scan results dispatched to result-processor")
def scan_https(domain):
    """Run the HTTPS scanner for one domain and return that domain's entry.

    Args:
        domain: Domain name passed to ``https.run`` (as a one-element list)
            and then used as the lookup key in its result.

    Returns:
        The scanner's result entry for ``domain``, or ``None`` if running the
        scanner or looking up the entry raised any ``Exception`` (the error
        is logged).
    """
    try:
        # Both the scanner call and the lookup stay inside the try so that a
        # missing entry is reported the same way as a scanner failure.
        scanner_output = https.run([domain])
        domain_entry = scanner_output[domain]
    except Exception as err:
        logging.error("An error occurred while scanning domain - %s", str(err))
        return None
    return domain_entry
def process_results(results):
    """Condense raw HTTPS scanner findings into the report sent downstream.

    Args:
        results: Mapping of scanner findings for one domain, keyed by the
            scanner's field names (e.g. ``"Valid HTTPS"``, ``"HSTS Max Age"``),
            or ``None`` / ``{}`` when there are no findings.

    Returns:
        dict: ``{"missing": True}`` when ``results`` is ``None`` or empty.
        Otherwise a dict with the keys ``"implementation"``, ``"enforced"``,
        ``"hsts"``, ``"hsts_age"``, ``"preload_status"``, ``"expired_cert"``
        and ``"self_signed_cert"``.

    Raises:
        KeyError: If a non-empty ``results`` lacks a field that is consulted.
    """
    logging.info("Processing HTTPS scan results...")

    if results is None or results == {}:
        report = {"missing": True}
    else:
        report = {}

        # Assumes that HTTPS would be technically present, with or without
        # issues. The local is named `implementation` (not `https`) so it does
        # not shadow the scanner module imported at file level.
        if results["Downgrades HTTPS"]:
            implementation = "Downgrades HTTPS"  # No
        elif results["Valid HTTPS"]:
            implementation = "Valid HTTPS"  # Yes
        elif results["HTTPS Bad Chain"] and not results["HTTPS Bad Hostname"]:
            implementation = "Bad Chain"  # Yes
        else:
            implementation = "Bad Hostname"  # No
        report["implementation"] = implementation

        # Without usable HTTPS there is nothing to enforce and no HSTS to
        # report. A membership test is required here: the expression
        # `x == ("a" or "b")` only ever compares against "a".
        https_unusable = implementation in ("Downgrades HTTPS", "Bad Hostname")

        # Is HTTPS enforced?
        if https_unusable:
            behavior = "Not Enforced"  # N/A
        # "Strict" means HTTP immediately redirects to HTTPS,
        # *and* that HTTP eventually redirects to HTTPS.
        #
        # Since a pure redirector domain can't "default" to HTTPS
        # for itself, we'll say it "Enforces HTTPS" if it immediately
        # redirects to an HTTPS URL.
        elif results["Strictly Forces HTTPS"] and (
            results["Defaults to HTTPS"] or results["Redirect"]
        ):
            behavior = "Strict"  # Yes (Strict)
        # "Moderate" means HTTP eventually redirects to HTTPS.
        elif not results["Strictly Forces HTTPS"] and results["Defaults to HTTPS"]:
            behavior = "Moderate"  # Yes
        # Either both are False, or just 'Strict Force' is True,
        # which doesn't matter on its own.
        # A "present" is better than a downgrade.
        else:
            behavior = "Weak"  # Present (considered 'No')
        report["enforced"] = behavior

        # Characterize the presence and completeness of HSTS.
        # A falsy max-age (missing, empty or zero) is reported as None.
        if results["HSTS Max Age"]:
            hsts_age = int(results["HSTS Max Age"])
        else:
            hsts_age = None

        if https_unusable:
            # Without HTTPS there can be no HSTS for the domain directly.
            hsts = "No HSTS"  # N/A (considered 'No')
        elif results["HSTS"] and hsts_age is not None:
            # HSTS is present for the canonical endpoint.
            # Say No for too-short max-age's.
            if hsts_age >= MIN_HSTS_AGE:
                hsts = "HSTS Fully Implemented"  # Yes, directly
            else:
                hsts = "HSTS Max Age Too Short"  # No
        else:
            hsts = "No HSTS"  # No

        # Separate preload status from HSTS status:
        #
        # * Domains can be preloaded through manual overrides.
        # * Confusing to mix an endpoint-level decision with a domain-level
        #   decision.
        if results["HSTS Preloaded"]:
            preloaded = "HSTS Preloaded"  # Yes
        elif results["HSTS Preload Ready"]:
            preloaded = "HSTS Preload Ready"  # Ready for submission
        else:
            preloaded = "HSTS Not Preloaded"  # No

        # Certificate info, normalised to real booleans.
        expired = bool(results["HTTPS Expired Cert"])
        self_signed = bool(results["HTTPS Self Signed Cert"])

        report["hsts"] = hsts
        report["hsts_age"] = hsts_age
        report["preload_status"] = preloaded
        report["expired_cert"] = expired
        report["self_signed_cert"] = self_signed

    logging.info(f"Processed HTTPS scan results: {str(report)}")
    return report
def Server(server_client=requests):
    """Build the Starlette application that serves HTTPS scan requests.

    Args:
        server_client: Object exposing ``post(url, json=...)``, used to send
            results to the result queue. Defaults to the ``requests`` module.

    Returns:
        Starlette: Application with a single ``POST /`` route bound to the
        scan handler, plus startup and shutdown log hooks.
    """

    async def scan(scan_request):
        """Scan the requested domain and dispatch the outcome.

        The request body is read as JSON and must provide ``"domain"`` and
        ``"scan_id"``. On success the processed results are dispatched; on
        failure or timeout an empty ``results`` dict is dispatched instead.
        A plain-text status message is returned in every case.
        """
        logging.info("Scan request received")
        inbound_payload = await scan_request.json()

        # Validate before arming the alarm, so a rejected request neither
        # leaves a pending SIGALRM behind nor reaches the error path below
        # with scan_id unbound. TypeError covers JSON bodies that are not
        # objects (e.g. a list or a number).
        try:
            domain = inbound_payload["domain"]
            scan_id = inbound_payload["scan_id"]
        except (KeyError, TypeError):
            msg = f"Invalid scan request format received: {str(inbound_payload)}"
            logging.error(msg)
            return PlainTextResponse(msg)

        def timeout_handler(signum, frame):
            # A signal handler's return value is discarded, so the only way
            # to abort the in-flight scan is to raise. The failure path
            # below dispatches the empty result exactly once.
            msg = "Timeout while performing scan"
            logging.error(msg)
            raise TimeoutError(msg)

        try:
            start_time = dt.datetime.now()
            try:
                signal.signal(signal.SIGALRM, timeout_handler)
                signal.alarm(80)

                logging.info(f"(ID={scan_id}) Performing scan...")
                scan_results = scan_https(domain)

                if scan_results is None:
                    raise Exception("HTTPS scan not completed")

                processed_results = process_results(scan_results)
                # NOTE(review): this payload is already a JSON string and
                # dispatch_results passes it as `json=`, so it is encoded a
                # second time, while the failure path sends a plain dict.
                # Left unchanged because the consumer's expectations are not
                # visible from this file - confirm which form it needs.
                outbound_payload = json.dumps(
                    {
                        "results": processed_results,
                        "scan_type": "https",
                        "scan_id": scan_id,
                    }
                )
                logging.info(f"(ID={scan_id}) Scan results: {str(scan_results)}")
            finally:
                # Disarm on every exit path, before any result is dispatched,
                # so the alarm cannot fire outside the scan itself.
                signal.alarm(0)
        except Exception as e:
            msg = f"(ID={scan_id}) An unexpected error occurred while attempting to process HTTPS scan request: ({type(e).__name__}: {str(e)})"
            logging.error(msg)
            logging.error(f"Full traceback: {traceback.format_exc()}")
            dispatch_results(
                {"scan_type": "https", "scan_id": scan_id, "results": {}}, server_client
            )
            return PlainTextResponse(msg)

        end_time = dt.datetime.now()
        elapsed_time = end_time - start_time
        dispatch_results(outbound_payload, server_client)
        msg = f"(ID={scan_id}) HTTPS scan completed in {elapsed_time.total_seconds()} seconds."
        logging.info(msg)

        return PlainTextResponse(msg)

    async def startup():
        """Log that the server has started."""
        logging.info(emoji.emojize("ASGI server started :rocket:"))

    async def shutdown():
        """Log that the server is shutting down."""
        logging.info(emoji.emojize("ASGI server shutting down..."))

    routes = [
        Route("/", scan, methods=["POST"]),
    ]

    starlette_app = Starlette(
        debug=True, routes=routes, on_startup=[startup], on_shutdown=[shutdown]
    )

    return starlette_app
# Module-level application instance, built with the default client
# (the requests module).
app = Server()