From 547ad5ed464e1dd8b9f1195982149a90e0f67de3 Mon Sep 17 00:00:00 2001
From: manuel
Date: Thu, 6 Feb 2020 10:55:50 +0100
Subject: [PATCH 1/2] log cookie names without httponly or secure flag
---
 testssl.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/testssl.sh b/testssl.sh
index 11cf74dfb..4528b04d4 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -3022,6 +3022,16 @@ run_cookie_flags() { # ARG1: Path
 else
 fileout "cookie_httponly" "INFO" "$nr_secure/$nr_cookies at \"$1\" marked as HttpOnly$msg302_"
 fi
+ IFS=$'; ' read -r -a not_secure <<< $(echo $(awk -F"=" '{print$1}' <<< $(awk -F" " '{print$2}' <<< $(grep -iav secure $TMPFILE))))
+ if [[ -v not_secure ]]; then
+ not_secure_cookies=$(printf '%s,' "${not_secure[@]}")
+ fileout "cookie_not_secure" "INFO" "The cookie(s) with name(s) '${not_secure_cookies::-1}' does not have the secure flag set."
+ fi
+ IFS=$'; ' read -r -a not_httponly <<< $(echo $(awk -F"=" '{print$1}' <<< $(awk -F" " '{print$2}' <<< $(grep -iav httponly $TMPFILE))))
+ if [[ -v not_httponly ]]; then
+ not_httponly_cookies=$(printf '%s,' "${not_httponly[@]}")
+ fileout "cookie_not_httponly" "INFO" "The cookie(s) with name(s) '${not_httponly_cookies::-1}' does not have the httponly flag set."
+ fi
 outln "$msg302"
 allcookies="$(awk '/[Ss][Ee][Tt]-[Cc][Oo][Oo][Kk][Ii][Ee]:/ { print $2 }' "$TMPFILE")"
 sub_f5_bigip_check "$allcookies" "$spaces"
From 8ebd12c19cd9949f34e3e3913f87cc965d3d021b Mon Sep 17 00:00:00 2001
From: manuel
Date: Thu, 6 Feb 2020 11:10:54 +0100
Subject: [PATCH 2/2] simplify cookie name extraction
---
 testssl.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 4528b04d4..d92c1babe 100755
--- a/testssl.sh
+++ b/testssl.sh
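Review bot: `grep -iav secure $TMPFILE` on the first added line (and `grep -iav httponly` six lines below) filters the whole saved response rather than its Set-Cookie headers, so every other line lacking that word contributes its second field to `not_secure`, while a Set-Cookie line whose name or value merely contains "secure" or "httponly" is treated as flagged even though the attribute is absent; the `allcookies=` context line already shows the Set-Cookie-only awk selector this should reuse. The here-string expansions and `$TMPFILE` are unquoted, and `[[ -v … ]]` plus `${var::-1}` need bash 4.2 — worth checking against the oldest bash the project supports, since `${not_secure_cookies%,}` and `(( ${#not_secure[@]} > 0 ))` are the portable equivalents. run_cookie_flags begins and ends outside this hunk. The rewrite below covers the Secure case with one name per line; the HttpOnly block is identical apart from `httponly` in the attribute pattern.
```shell
# … unchanged: HttpOnly count reporting (if/else/fi above) …
# One cookie name per line, taken only from Set-Cookie headers whose attribute
# list has no Secure attribute; matching "secure" anywhere in the line would
# also hit cookie names and values.
not_secure=()
while IFS= read -r name; do
     not_secure+=("$name")
done < <(awk '/^[Ss][Ee][Tt]-[Cc][Oo][Oo][Kk][Ii][Ee]:/ && tolower($0) !~ /;[[:space:]]*secure[[:space:]]*(;|$)/ { print $2 }' "$TMPFILE" | awk -F= '{ print $1 }')
if (( ${#not_secure[@]} > 0 )); then
     not_secure_cookies=$(printf '%s,' "${not_secure[@]}")
     fileout "cookie_not_secure" "INFO" "The cookie(s) with name(s) '${not_secure_cookies%,}' does not have the secure flag set."
fi
# … same block for not_httponly with /;[[:space:]]*httponly[[:space:]]*(;|$)/ …
# … unchanged: outln "$msg302", allcookies=, sub_f5_bigip_check …
```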
@@ -3022,12 +3022,12 @@ run_cookie_flags() { # ARG1: Path
 else
 fileout "cookie_httponly" "INFO" "$nr_secure/$nr_cookies at \"$1\" marked as HttpOnly$msg302_"
 fi
- IFS=$'; ' read -r -a not_secure <<< $(echo $(awk -F"=" '{print$1}' <<< $(awk -F" " '{print$2}' <<< $(grep -iav secure $TMPFILE))))
+ IFS=$'; ' read -r -a not_secure <<< $(awk -F"=" '{print$1}' <<< $(awk -F" " '{print$2}' <<< $(grep -iav secure $TMPFILE)))
 if [[ -v not_secure ]]; then
 not_secure_cookies=$(printf '%s,' "${not_secure[@]}")
 fileout "cookie_not_secure" "INFO" "The cookie(s) with name(s) '${not_secure_cookies::-1}' does not have the secure flag set."
 fi
- IFS=$'; ' read -r -a not_httponly <<< $(echo $(awk -F"=" '{print$1}' <<< $(awk -F" " '{print$2}' <<< $(grep -iav httponly $TMPFILE))))
+ IFS=$'; ' read -r -a not_httponly <<< $(awk -F"=" '{print$1}' <<< $(awk -F" " '{print$2}' <<< $(grep -iav httponly $TMPFILE)))
 if [[ -v not_httponly ]]; then
 not_httponly_cookies=$(printf '%s,' "${not_httponly[@]}")
 fileout "cookie_not_httponly" "INFO" "The cookie(s) with name(s) '${not_httponly_cookies::-1}' does not have the httponly flag set."
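Review bot: Dropping the `$(echo …)` wrapper on the two `+` lines turns the here-string from one space-joined line into multi-line awk output, and `read -r -a` stops at the first newline, so a response that sets several cookies now reports only the first name in `not_secure` and `not_httponly` (the unquoted `echo $(…)` was what joined the lines, assuming IFS is at its default at this point). Collect one name per line instead, e.g. `not_secure=()` followed by `while IFS= read -r name; do not_secure+=("$name"); done < <(awk -F"=" '{print $1}' <<< "$(awk -F" " '{print $2}' <<< "$(grep -iav secure "$TMPFILE")")")`, and the same shape for the HttpOnly line; the `IFS=$'; '` prefix is then no longer needed. The enclosing run_cookie_flags body continues on both sides of the hunk.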