I noticed that the current implementation of the NewHTTPClient function in the http.go file (at github.com/OJ/gobuster/libgobuster/http.go) still supports TLS 1.0 as its minimum version. Given that TLS 1.0 is considered outdated and insecure by modern standards, I believe it's crucial to update this setting to prevent potential security vulnerabilities.
As of 2024, many organizations have deprecated TLS 1.0 and 1.1 due to known weaknesses and vulnerabilities. Continuing to support these versions exposes our software to potential man-in-the-middle attacks, protocol downgrade attacks, and other security risks.
I suggest updating the tls.Config in the NewHTTPClient function to at least TLS 1.2 as the minimum version. This change will not only enhance the security of our software but also align it with current best practices and industry standards.
The relevant code snippet is:
tlsConfig := tls.Config{
	InsecureSkipVerify: opt.NoTLSValidation,
	// enable TLS1.0 and TLS1.1 support
	MinVersion: tls.VersionTLS10,
}
I propose changing it to:
tlsConfig := tls.Config{
	InsecureSkipVerify: opt.NoTLSValidation,
	// update to support TLS1.2 and above
	MinVersion: tls.VersionTLS12,
}
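As an added worked example (not part of the issue text and not gobuster's own code), the Go program below applies the proposed floor and checks what it actually changes on the wire. It is self-contained: the peer is an in-process crypto/tls server over net.Pipe with a throwaway self-signed certificate, so nothing touches the network and certificate verification stays switched on. NewTLSConfig, Handshake, selfSignedCert and the host name "localhost" are names chosen for this example, not gobuster identifiers; NewTLSConfig builds the value the issue proposes for NewHTTPClient's tls.Config, with noTLSValidation standing in for opt.NoTLSValidation. The hardened config is driven against a server capped at TLS 1.1 (the handshake is refused) and against one offering up to TLS 1.3 (negotiated), and the current MinVersion: tls.VersionTLS10 floor is driven against the same TLS 1.1-capped server to show that it still negotiates TLS 1.1 today.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewTLSConfig is the tls.Config the issue proposes for NewHTTPClient, i.e. the value
// that would go into http.Transport.TLSClientConfig (example code, not gobuster's).
func NewTLSConfig(noTLSValidation bool) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: noTLSValidation,
		MinVersion:         tls.VersionTLS12, // TLS 1.0 and 1.1 are never offered
	}
}

// selfSignedCert mints a throwaway ECDSA P-256 certificate for the in-memory server.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Handshake runs one TLS handshake over net.Pipe (no sockets) between a client using
// clientCfg and a server that accepts anything from TLS 1.0 up to serverMax. It returns
// the negotiated version, or 0 and the error when the handshake is refused.
func Handshake(clientCfg *tls.Config, serverMax uint16) (uint16, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	cc := clientCfg.Clone()
	cc.RootCAs = pool // trust only the demo certificate; verification stays on
	cc.ServerName = "localhost"
	sc := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS10, // deliberately legacy-friendly server
		MaxVersion:             serverMax,
		SessionTicketsDisabled: true, // keeps the flights strictly alternating on the synchronous pipe
	}
	rawClient, rawServer := net.Pipe()
	defer rawClient.Close()
	defer rawServer.Close()
	rawClient.SetDeadline(time.Now().Add(5 * time.Second)) // never hang the demo
	rawServer.SetDeadline(time.Now().Add(5 * time.Second))
	serverDone := make(chan error, 1)
	go func() { serverDone <- tls.Server(rawServer, sc).Handshake() }()
	client := tls.Client(rawClient, cc)
	err = client.Handshake()
	<-serverDone
	if err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func main() {
	legacy := &tls.Config{MinVersion: tls.VersionTLS10} // the floor the issue reports today
	hardened := NewTLSConfig(false)
	for _, tc := range []struct {
		cfg       *tls.Config
		serverMax uint16
	}{{legacy, tls.VersionTLS11}, {hardened, tls.VersionTLS11}, {hardened, tls.VersionTLS13}} {
		v, err := Handshake(tc.cfg, tc.serverMax)
		fmt.Printf("client min=0x%04x server max=0x%04x -> negotiated=0x%04x err=%v\n",
			tc.cfg.MinVersion, tc.serverMax, v, err)
	}
}
```

Run it with go run on a single file. Two details worth knowing when reviewing the change: since Go 1.18 a crypto/tls client whose Config leaves MinVersion unset already refuses TLS 1.0 and 1.1, so the existing MinVersion: tls.VersionTLS10 line is an explicit opt-in to the legacy versions rather than a harmless default, and the proposed tls.VersionTLS12 makes the floor explicit regardless of toolchain defaults. SessionTicketsDisabled is set only because net.Pipe is synchronous and a server that writes a ticket while the client is already writing its Finished would block; it is not part of the proposed client configuration.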