rfc-st / humble

A humble, and 𝗳𝗮𝘀𝘁, security-oriented HTTP headers analyzer.
https://github.com/rfc-st/humble
MIT License

Add option to skip certificate validation #6

Closed gl4nce closed 1 year ago

gl4nce commented 1 year ago

I couldn't find any switch to disable certificate validation. Would be nice to have, e.g. when used with proxy tools like Burp or proxychains.

rfc-st commented 1 year ago

Hi,

SSL Cert Verification is disabled by default; I defined it this way to avoid errors with self-signed certificates or when testing the tool against development environment URLs: https://github.com/rfc-st/humble/blob/9ae4f33cec1d8fdc990c42bd36fac64df217bbae/humble.py#L766

gl4nce commented 1 year ago

Thanks for your reply. :)

I see. It's related to ipapi.co which you are already stating in https://github.com/rfc-st/humble#caveats. Always better to read the manual first hehe.

A switch for disabling that behaviour would be nice. Of course it's no problem to edit the source code for such rare cases. But especially for humble installed as an OS package, a switch would be the preferred solution, I think.

Feel free to close this issue if you think there is no switch needed. :)

rfc-st commented 1 year ago

I will take a look at it this week to see what might be the best solution, without relying on more parameters. At first sight, maybe also add 'verify=False' in the call to ipapi.co, to avoid errors in certificate validation.

Thanks for your suggestion!

rfc-st commented 1 year ago

Hello!

Have a look at this recent commit: https://github.com/rfc-st/humble/commit/1c99b73ddc7bb5f6766cda250b681eba059f6eba

I've done a couple of tests and everything seems fine. If you agree, confirm it with me and I'll close this issue.

Thanks!

gl4nce commented 1 year ago

Hi rfc-st,

Thanks a lot. Just tested latest master and it works fine for me. :)

proxychains python3 humble.py -u https://web.site -o html -r
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain  ...  127.0.0.1:8080  ...  ipapi.co:443  ...  OK

 Analyzing URL and saving the report, please wait ...

 Report saved to /home/vagrant/Downloads/humble-master/web.site_headers_20230915.html

By the way: I noticed the tool does not recognize empty/failed responses from the webserver. Instead the tool lists all headers as missing, which does not really make sense in such cases. It would be better to display an error like "no response" or something similar. But this is another issue and shouldn't be stated here. I just wanted to let you know. :)

So again, thanks for fixing and improving this piece of software. The issue can be closed. :)

rfc-st commented 1 year ago

Thanks for your confirmation! On the other point, I will take a look at it later.