lib/scanner/generic.rb in yawast-0.4.0.beta4 vs lib/scanner/generic.rb in yawast-0.4.0.beta5
- old
+ new
@@ -77,11 +77,11 @@
Yawast::Utilities.puts_error "Error getting basic information: #{e.message}"
raise
end
end
- def self.head_info(head)
+ def self.head_info(head, uri)
begin
server = ''
powered_by = ''
cookies = Array.new
pingback = ''
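Review bot: `def self.head_info(head, uri)` adds a positional parameter with no documentation of what `uri` must be; from the cookie check later in this method it is presumably the URI the HEAD request was sent to, whose `scheme` is compared against 'https'. A short comment above the definition would make the contract explicit, e.g. `# head: response headers; uri: URI the HEAD request was sent to (its scheme drives the Secure-cookie warning)`. Any caller outside this hunk that still passes a single argument will raise ArgumentError, so the call sites need the same update. head_info's body continues outside the hunk.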
@@ -91,10 +91,11 @@
backend_server = ''
runtime = ''
xss_protection = ''
via = ''
hpkp = ''
+ acao = ''
Yawast::Utilities.puts_info 'HEAD:'
head.each do |k, v|
Yawast::Utilities.puts_info "\t\t#{k}: #{v}"
@@ -107,10 +108,11 @@
backend_server = v if k.downcase == 'x-backend-server'
runtime = v if k.downcase == 'x-runtime'
xss_protection = v if k.downcase == 'x-xss-protection'
via = v if k.downcase == 'via'
hpkp = v if k.downcase == 'public-key-pins'
+ acao = v if k.downcase == 'access-control-allow-origin'
if k.downcase == 'set-cookie'
#this chunk of magic manages to properly split cookies, when multiple are sent together
v.gsub(/(,([^;,]*=)|,$)/) { "\r\n#{$2}" }.split(/\r\n/).each { |c| cookies.push(c) }
end
@@ -179,10 +181,14 @@
if hpkp == ''
Yawast::Utilities.puts_warn 'Public-Key-Pins Header Not Present'
end
+ if acao == '*'
+ Yawast::Utilities.puts_warn 'Access-Control-Allow-Origin: Unrestricted'
+ end
+
puts ''
unless cookies.empty?
Yawast::Utilities.puts_info 'Cookies:'
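Review bot: The new check `if acao == '*'` flags only the literal wildcard, so an `Access-Control-Allow-Origin: null` response, which browsers treat as matching any opaque (sandboxed or file) origin, is reported as fine, and a value with surrounding whitespace would also slip past the exact comparison. Comparing the stripped value against both permissive forms, `if ['*', 'null'].include?(acao.strip)`, closes that gap; printing the `Access-Control-Allow-Credentials` header next to the warning would let the reader judge severity, since browsers refuse credentialed requests against a bare `*`. The enclosing head_info continues outside the hunk.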
@@ -190,16 +196,20 @@
Yawast::Utilities.puts_info "\t\t#{val.strip}"
elements = val.strip.split(';')
#check for secure cookies
- unless elements.include? ' Secure'
+ if elements.include?(' Secure') || elements.include?(' secure')
+ if uri.scheme != 'https'
+ Yawast::Utilities.puts_warn "\t\t\tCookie with Secure flag sent over non-HTTPS connection"
+ end
+ else
Yawast::Utilities.puts_warn "\t\t\tCookie missing Secure flag"
end
#check for HttpOnly cookies
- unless elements.include? ' HttpOnly'
+ unless elements.include?(' HttpOnly') || elements.include?(' httponly')
Yawast::Utilities.puts_warn "\t\t\tCookie missing HttpOnly flag"
end
end
puts ''
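Review bot: The Secure and HttpOnly checks at `if elements.include?(' Secure') || elements.include?(' secure')` and `unless elements.include?(' HttpOnly') || elements.include?(' httponly')` still match only two exact spellings with a leading space, so a cookie written as `;Secure` (no space after the separator) or `SECURE` is reported as missing the flag even though RFC 6265 attribute names are case-insensitive. Normalise each attribute before comparing: `has_secure = elements.any? { |e| e.strip.downcase == 'secure' }` and `has_httponly = elements.any? { |e| e.strip.downcase == 'httponly' }`, then branch on those two booleans instead of the literal lookups. The cookie loop and head_info both continue outside the hunk.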
@@ -260,24 +270,24 @@
end
end
#Custom class to allow using the PROPFIND verb
class Propfind < Net::HTTPRequest
- METHOD = "PROPFIND"
+ METHOD = 'PROPFIND'
REQUEST_HAS_BODY = false
RESPONSE_HAS_BODY = true
end
#Custom class to allow using the OPTIONS verb
class Options < Net::HTTPRequest
- METHOD = "OPTIONS"
+ METHOD = 'OPTIONS'
REQUEST_HAS_BODY = false
RESPONSE_HAS_BODY = true
end
#Custom class to allow using the TRACE verb
class Trace < Net::HTTPRequest
- METHOD = "TRACE"
+ METHOD = 'TRACE'
REQUEST_HAS_BODY = false
RESPONSE_HAS_BODY = true
end
end
end