rfc-st / humble

A humble, and ๐—ณ๐—ฎ๐˜€๐˜, security-oriented HTTP headers analyzer.
https://github.com/rfc-st/humble
MIT License
261 stars 18 forks source link

AttributeError: module 'urllib3.util.ssl_' has no attribute 'DEFAULT_CIPHERS' #7

Closed n3bojs4 closed 10 months ago

n3bojs4 commented 1 year ago

The Issue

After cloning and using the project in a virtual env and install requirements, i had this error message when launching the program :


โ””โ”€$ python humble.py -u https://business-together-as-a-service.com/                                                                                                                                                               

 Analyzing URL, please wait ...

Traceback (most recent call last):
  File "/home/milan/Stuff/Tools/humble/humble.py", line 872, in <module>
    requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'urllib3.util.ssl_' has no attribute 'DEFAULT_CIPHERS'

OS and Python infos

Python 3.11.4 on kali linux Distributor ID: Kali Description: Kali GNU/Linux Rolling Release: 2023.3 Codename: kali-rolling

How i fixed this :

I fixed the issue by uninstalling urllib3 ( urllib3-2.0.4 ) and adding urllib3<2 in requirements.txt

n3bojs4 commented 1 year ago

FYI : I used this page to fix my issue : https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html#importerror-cannot-import-name-default-ciphers-from-urllib3-util-ssl

rfc-st commented 1 year ago

Thank you for reporting it!.

I have to check it in more detail, as it may also be related to the 'requests' library, and the minimum required version that I indicate in the requirements file.

rfc-st commented 1 year ago

After reading a bit about this topic tomorrow I will start with several tests to change the current logic: using SSLContext, an HTTPAdapter class and working directly with Session objects.

The underlying problem, indeed, seems to be that from version 2 of urllib3 (or version 2.30 of the requests library that supports that version of urllib3), the DEFAULT_CIPHERS attribute was removed.

My goal with this code-level change is to avoid modifying the requirements file, allowing that regardless of the version of urllib3/requests installed, this tool will work without problems.

I'll keep updating this issue!

rfc-st commented 1 year ago

Well, this is getting difficult :( ... I've done several tests and I can't find the right combination of the SSLContext and HTTPAdapter to retrieve the response headers, in order to fix the _'AttributeError: module 'urllib3.util.ssl' has no attribute 'DEFAULTCIPHERS'' error while using urllib3-2.x.

I can't get this example to work correctly... I have adapted it but the request does not return any headers, which is obviously not correct. Tsk, tsk.

I keep trying!.

rfc-st commented 1 year ago

Hello!,

I haven't been able to continue reviewing this problem, due to lack of time :(, but I have it in mind!

I hope, in the following weeks, to address it from other perspectives and find a definitive solution.

Best regards,

ehlewis commented 11 months ago

Sounds good! Should have mentioned that I tested on urllib3-2.1.0 and urllib3-1.26.18

rfc-st commented 11 months ago

Thanks for the information!; I will try it as soon as I have time.

dkadev commented 10 months ago

Any update on this?

Adding urllib3<2 to requirements.txt does indeed solve the problem. (Long term this will be less hassle than trying to pin an older version of Requests)

But it does not really solve it like @rfc-st said by code without modifying dependencies.

rfc-st commented 10 months ago

Hi, dkadev!

I would like to resume this issue this Friday, based initially on https://github.com/rfc-st/humble/pull/16 (with some modifications regarding the 'FORCED_CIPHERS') and with the objective, indeed, of not having to modify the requirements.txt file.

Thanks for your patience!.

Best regards,

rfc-st commented 10 months ago

Hi, @n3bojs4, @ehlewis and @dkadev:

Good news! (I hope ^^). Please, take a look at this recent commit: https://github.com/rfc-st/humble/commit/e0d0610cd5c33b5a72f130fd3f67aa3436f97f9c

The fix is initially based on https://github.com/rfc-st/humble/pull/16, along with additional changes I have had to make.

I just tested it in the following configurations, with these Python libraries:

And it seems that everything goes OK (I have tested it with several https:// and http:// URLs) and it does not return any error, in fact the scans finish without any problem. It was not necessary to modify anything in the 'requirements.txt' file :).

I would greatly appreciate, in order to resolve this issue, if you could run several tests after updating 'humble' with that commit, to confirm that everything is indeed OK.

Thanks, as always, for your time!.

Best regards,

dkadev commented 10 months ago

Working great!

Tested on:

Will test on Kali and Windows 10 too.

Awesome work man, love the tool! ๐Ÿ˜‰

rfc-st commented 10 months ago

Hi,

After the tests performed I understand that there is nothing more to check: so I am going to close this issue and the PR (https://github.com/rfc-st/humble/pull/16) and mention you three in the "Acknowledgements" section of the README.

Thanks for your help!.

Best regards,