WORK IN PROGRESS: wpcheck module to scan for common security headers
/**
 * wpcheck module security-header.js
 * Scan a WordPress URL for common security headers
 */
/**
 * Required modules
 *
 * The HTTP client is configured once so every call in this module shares
 * the same defaults.
 */
// Redirects are deliberately not followed: the headers inspected below are
// the ones served by the target URL itself, not by whatever it redirects to.
const requestDefaults = { followRedirect: false }
const request = require( 'request' ).defaults( requestDefaults )
// Project helpers: file-name utilities and the leveled logger.
const fs = require( '../fs' )
const log = require( '../log' )
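/**
 * Initiator method
 *
 * Sends a single GET to the WordPress URL (redirects are not followed, per
 * the `request` defaults above) and reports on the security-relevant
 * response headers that come back.
 *
 * @param {Object} data Data object with request values
 * @param {string} data.wpURL URL that is requested
 * @param {string} data.siteURL Site URL used in log output
 * @param {string} data.userAgent User-Agent header sent with the request
 * @param {boolean} data.silentMode Passed through to the logger
 * @return void
 */
exports.fire = ( data ) => {
  const { wpURL, siteURL, userAgent, silentMode } = data
  const filterName = fs.fileName( __filename, '.js' )
  const logObj = { silentMode, filterName }
  const targetURL = `${wpURL}`

  request( {
    'url': targetURL,
    'method': 'GET',
    'headers': { 'User-Agent': userAgent }
  }, ( error, response ) => {
    // Check for failure before touching `response`: on a request error it is
    // undefined, so any header lookup would throw a TypeError.
    if ( error || response.statusCode === 404 ) {
      return log.info( `${targetURL} is not found`, logObj )
    }

    // `caseless` does a case-insensitive header lookup and yields undefined
    // for a header that is absent.
    const header = ( name ) => response.caseless.get( name )
    const show = ( value ) => value === undefined ? 'not set' : value

    const xssProtection = header( 'X-XSS-Protection' )
    const contentTypeOptions = header( 'X-Content-Type-Options' )
    const lastModified = header( 'Last-Modified' )
    const server = header( 'Server' )

    if ( xssProtection === '1; mode=block' ) {
      log.ok( `${siteURL} has XSS Protection turned on`, logObj )
    } else {
      log.warn( `${siteURL} has XSS Protection turned off`, logObj )
    }

    // `nosniff` is the only defined value for this header; compare
    // case-insensitively and ignore surrounding whitespace.
    const noSniff = typeof contentTypeOptions === 'string' &&
      contentTypeOptions.trim().toLowerCase() === 'nosniff'
    if ( noSniff ) {
      log.ok( `${siteURL} has X-Content-Type-Options set to nosniff`, logObj )
    } else {
      log.warn( `${siteURL} is missing X-Content-Type-Options: nosniff`, logObj )
    }

    // Raw values for the report; a missing header is printed as "not set"
    // instead of the literal `undefined`.
    log.info( `X-XSS-Protection: ${show( xssProtection )}`, logObj )
    log.info( `X-Content-Type-Options: ${show( contentTypeOptions )}`, logObj )
    log.info( `Last-Modified: ${show( lastModified )}`, logObj )
    // A Server banner is informational only (a verbose one discloses the
    // software in use), so it is reported at info level rather than as a pass.
    log.info( `Server: ${show( server )}`, logObj )
  } )
}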