用于漏洞测试验证的脚本 HTTPS 调用
我试图向我们的质量保证部门证明我们已经(或尚未)修复了最近扫描中显示的漏洞。我想编写一个简单的脚本来演示该漏洞并表明补救措施确实修复了该漏洞。然而,由于该漏洞涉及无效(可能是故意的)HTTPS 请求,我无法使用标准客户端轻松复制它。因为有多个服务器需要测试,并且有几个不同的漏洞,所以我想稍微自动化一下测试。
以下命令行复制测试,但需要人工干预:
>openssl s_client -connect {server:ip} | grep Location
GET /images HTTP/1.0 <---- (user types this plus two Enter keys)
Location:{text here proves success/failure}
如何自动执行上面的测试?
我使用 openssl 因为它很方便。如果另一个工具可以接受任意 HTTPS 请求标头,我愿意使用它。
I'm trying to demonstrate to our QA department that we have (or have not) fixed a vulnerability shown in a recent scan. I would like to write a simple script that can demonstrate the vulnerability and show that the remediation actually fixes it. However since the vulnerability involves a invalid (possibly intentionally) HTTPS request I can't use a standard client to easily replicate it. Because there are several servers to test and several different vulnerabilities I would like to automate the testing a bit.
The following command line replicates the test but requires human intervention:
>openssl s_client -connect {server:ip} | grep Location
GET /images HTTP/1.0 <---- (user types this plus two Enter keys)
Location:{text here proves success/failure}
How can I automate the test above?
I'm using openssl because it's convenient. I'm willing to get another tool if it can accept arbitrary HTTPS request headers.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
在 bash 中,您可以将文本通过管道传输到 OpenSSL 命令行实用程序中:
In bash you can just pipe your text into the OpenSSL command-line utility: