cschanaj / xhttpse2 Goto Github PK

BUG

• Deduce the cause of #2 and fix it.

• Missing correct Different Content implementation (Ref: https://github.com/EFForg/https-everywhere/blob/445df151702555218cda70aab9aff092f1bfd214/test/rules/src/https_everywhere_checker/metrics.py#L42).

• libcurl verbose mode mess up stdout when multi-threading is enabled (theoretically)

• OpenSSL locking (now requires OpenSSL 1.1.0+)

Good Volunteer Works

• Doxyfile, configure file, etc.

• Pre-generated test data (Sublist3r output).

• Figure out required CURL version.

Features & Enhancements

• Check HSTS preload for the domain prior to the requests. (won't fix, use https://hstspreload.com)

• Automatically look for test URLs from downloaded pages.

• Check and warn for HTTPS-Transprt-Security header.

• Sort domain internally without relying on Sublist3r if --sort is enabled in the command line

• No progress nor log messages.

• A tool to check if cookies are set for a subdomain, if HTTPS works on that domain without problem then add securecookie for that subdomain, e.g. www, ref https://stackoverflow.com/questions/5298187/is-it-possible-to-read-a-cookie-from-a-different-sub-domain-if-so-how

Limitations (NO FIX)

Some sites serve differently when using a browser and a headless client!!!

RT> Program terminated randomly when num-threads is larger than one, especially for input file containing more than 80+ lines targets. The reason for this issue can be heap overflow (unconfirmed).

Temporary solution: setting 'num-threads' to 1 by default until this is fixed.

libcurl Thread Safety (https://curl.haxx.se/libcurl/c/threadsafe.html)

When using multiple threads you should set the CURLOPT_NOSIGNAL option to 1L for all handles.

xhttpse2 - currently looks for a file called -, instead of using STDIN as an input (xhttpse2 /dev/stdin works).

Running xhttpse2 with this list consistently causes a pointer being freed was not allocated error.

RT, while this program work relatively well. it is difficult to extend the functionalities.

Non-deterministic Test Results

HTTPSE_SECURE_FALLBACK

HTTPSE_DIFFERENT_CONTENT

TODO Missing false positive examples.

HTTPSE_OK

Important There are in fact hosts which pass all the tests and exited with HTTPSE_OK but being problematic. They are likely having false-negative results from the above tests, mostly HTTPSE_DIFFERENT_CONTENT.

Deterministic Test Results

HTTPSE_SSL_INCOMPLETE_CERT_CHAIN, See EFForg/https-everywhere#8964 (comment)

• http://mnhn.fr

• http://build.webmproject.org

• http://platform.bittorrent.com

HTTPSE_MIXED_CONTENT

• https://club.japantimes.co.jp

• https://www.bittorrent.com

• https://test.thenewslens.com

• https://www.post852.com

• https://www.hkgolden.com