Feature: 2 new insecure checks

Content-Type: Incorrect Value - Response body
X-UA-Compatible: Incorrect Value - Response body

README.md

@@ -1,12 +1,12 @@
 <h1><p align="center">humble</p></h1>
-<h4><p align="center">A humble and fast HTTP Response Header Security Analyzer</p></h4>
+<h4><p align="center">A humble, and fast, security-oriented HTTP headers analyzer</p></h4>
 <br />
 
 <p align=center>
 <a target="_blank" href="https://www.python.org/downloads/" title="Minimum Python version required to run this tool"><img src="https://img.shields.io/badge/Python-%3E%3D3.9-blue?labelColor=343b41"></a>
 <a target="_blank" href="LICENSE" title="License of this tool"><img src="https://img.shields.io/badge/License-MIT-blue.svg?labelColor=343b41"></a>
 <a target="_blank" href="https://github.com/rfc-st/humble/releases" title="Latest release of this tool"><img src="https://img.shields.io/github/v/release/rfc-st/humble?display_name=release&label=Latest%20Release&labelColor=343b41"></a>
-<a target="_blank" href="https://github.com/rfc-st/humble/commits/master" title="Latest commit of this tool"><img src="https://img.shields.io/badge/Latest_Commit-2024--09--13-blue.svg?labelColor=343b41"></a>
+<a target="_blank" href="https://github.com/rfc-st/humble/commits/master" title="Latest commit of this tool"><img src="https://img.shields.io/badge/Latest_Commit-2024--09--14-blue.svg?labelColor=343b41"></a>
 <a target="_blank" href="https://github.com/rfc-st/humble/actions?query=workflow%3ACodeQL" title="Results of the last analysis of this tool with CodeQL"><img src="https://github.com/rfc-st/humble/workflows/CodeQL/badge.svg"></a>
 <a target="_blank" href="https://owasp.org/www-project-secure-headers/#div-technical" title="Official tool in OWASP Secure Headers Project"><img src="https://img.shields.io/badge/OWASP-Tool-blue?labelColor=343b41"></a>
 <a target="_blank" href="https://pkg.kali.org/pkg/humble" title="Official tool in Kali Linux"><img src="https://img.shields.io/badge/Kali%20Linux-Tool-blue?labelColor=343b41"></a>
@@ -51,7 +51,7 @@
 
 :heavy_check_mark: 14 [checks](#checks-missing-headers) of missing HTTP response headers.<br />
 :heavy_check_mark: 1177 [checks](#checks-fingerprint-headers) of fingerprinting through HTTP response headers.<br />
-:heavy_check_mark: 111 [checks](#checks-deprecated-headersprotocols-and-insecure-values) of deprecated HTTP response headers/protocols or with insecure/wrong values.<br />
+:heavy_check_mark: 113 [checks](#checks-deprecated-headersprotocols-and-insecure-values) of deprecated HTTP response headers/protocols or with insecure/wrong values.<br />
 :heavy_check_mark: SSL/TLS checks (requires the **amazing** https://testssl.sh/).<br />
 :heavy_check_mark: Browser support references for enabled HTTP security headers (provided by https://caniuse.com/).<br />
 :heavy_check_mark: Two types of analysis: brief and detailed, along with HTTP response headers.<br />

additional/insecure.txt

@@ -49,6 +49,7 @@ Content-Security-Policy: Unsafe Nonce
 Content-Security-Policy: Unsafe Values
 Content-Security-Policy-Report-Only: Deprecated Directives
 Content-Type: Deprecated Values
+Content-Type: Incorrect Value - Response body
 Content-Type: Non-HTML MIME type
 Content-Type: Unsafe Value
 Critical-CH: Ignored Header via Unsafe Scheme
@@ -129,6 +130,7 @@ X-Robots-Tag: No Valid Directives
 X-Runtime: Unsafe Value
 X-SourceMap: Deprecated Header
 X-UA-Compatible: Deprecated Header
+X-UA-Compatible: Incorrect Value - Response body
 X-Webkit-CSP: Deprecated Header
 X-Webkit-CSP-Report-Only: Deprecated Header
 X-XSS-Protection: Deprecated Header

humble.py

@@ -92,7 +92,9 @@
                r'%2e%2e%2f|%252e%252e%252f|%c0%ae%c0%ae%c0%af|'
                r'%uff0e%uff0e%u2215|%uff0e%uff0e%u2216'), r'\[([^\]]+)\]',
               r'\d{4}-\d{2}-\d{2}', r'\[(.*?)\]\n', r"'nonce-([^']+)'",
-              r'\(humble_pdf_style\)([^:]+):')
+              r'\(humble_pdf_style\)([^:]+):',
+              r'<meta\s+http-equiv=["\'](.*?)["\']\s+content=["\'](.*?)["\']\s'
+              r'*/?>')
 REF_LINKS = (' Ref  : ', ' Ref: ', 'Ref  :', 'Ref: ')
 RU_CHECKS = ('https://ipapi.co/country_name/', 'RU', 'Russia')
 SLICE_INT = (30, 43, 25, 24, -4, -5)
@@ -108,7 +110,7 @@
 URL_STRING = ('rfc-st', ' URL  : ', 'caniuse')
 
 current_time = datetime.now().strftime("%Y/%m/%d - %H:%M:%S")
-local_version = datetime.strptime('2024-09-13', '%Y-%m-%d').date()
+local_version = datetime.strptime('2024-09-14', '%Y-%m-%d').date()
 
 
 class SSLContextAdapter(requests.adapters.HTTPAdapter):
@@ -1297,6 +1299,7 @@ def manage_http_request():
     headers = {}
     status_c = None
     reliable = None
+    body = None
     try:
         with concurrent.futures.ThreadPoolExecutor() as executor:
             future = executor.submit(make_http_request)
@@ -1307,14 +1310,15 @@ def manage_http_request():
             r, _, exception = future.result()
             if exception:
                 manage_http_exception(exception)
-                return headers, status_c, reliable
+                return headers, status_c, reliable, body
             handle_http_exception(r, exception_d)
             if r is not None:
                 status_c = r.status_code
                 headers = r.headers
+                body = r.text
     except SystemExit:
         sys.exit()
-    return headers, status_c, reliable
+    return headers, status_c, reliable, body
 
 
 def custom_help_formatter(prog):
@@ -1460,7 +1464,10 @@ def custom_help_formatter(prog):
 }
 requests.packages.urllib3.disable_warnings()
 
-headers, status_code, reliable = manage_http_request()
+headers, status_code, reliable, body = manage_http_request()
+http_equiv = None
+if body:
+    http_equiv = re.findall(RE_PATTERN[8], body, re.IGNORECASE)
 headers_l = {header.lower(): value for header, value in headers.items()}
 
 # Export filename generation
@@ -1843,6 +1850,12 @@ def custom_help_formatter(prog):
                                                             ctype_header):
         print_details('[ictlchar_h]', '[ictlchar]', 'd', i_cnt)
 
+if http_equiv:
+    ctype_meta = any('content-type' in item for item in http_equiv)
+    if ctype_meta and not any('text/html; charset=utf-8' in item for tuple in
+                              http_equiv for item in tuple):
+        print_details('[ictlmeta_h]', '[ictlmeta]', 'd', i_cnt)
+
 if 'critical-ch' in headers_l and unsafe_scheme and '15' not in skip_list:
     print_details('[icrch_h]', '[icrch]', 'd', i_cnt)
 
@@ -2128,6 +2141,12 @@ def custom_help_formatter(prog):
 if 'x-ua-compatible' in headers_l and '71' not in skip_list:
     print_details('[ixuacom_h]', '[ixuacom]', 'm', i_cnt)
 
+if http_equiv:
+    x_ua_meta = any('x-ua-compatible' in item for item in http_equiv)
+    if x_ua_meta and not any('IE=edge' in item for tuple in http_equiv for item
+                             in tuple):
+        print_details('[ixuameta_h]', '[ixuameta]', 'd', i_cnt)
+
 if 'x-webkit-csp' in headers_l and '72' not in skip_list:
     print_details('[ixwcsp_h]', '[ixcsp]', 'd', i_cnt)
 

l10n/details.txt

@@ -655,6 +655,20 @@
 [ixxpd_h]
  X-XSS-Protection (Duplicated Values)
 
+[ictlmeta_h]
+ Content-Type (Incorrect Value: Response body)
+
+[ictlmeta]
+ The only allowed value is 'text/html; charset=utf-8'
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta
+
+[ixuameta_h]
+ X-UA-Compatible (Incorrect Value: Response body)
+
+[ixuameta]
+ The only allowed value is 'IE=edge'
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta
+
 [pdf_title]
 'humble' (HTTP Headers Analyzer)
 

l10n/details_es.txt

@@ -655,6 +655,21 @@
 [ixxpd_h]
  X-XSS-Protection (Valores duplicados)
 
+[ictlmeta_h]
+ Content-Type (Valor incorrecto: cuerpo de la respuesta)
+
+[ictlmeta]
+ El único valor permitido es 'text/html; charset=utf-8'
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta
+
+[ixuameta_h]
+ X-UA-Compatible (Valor incorrecto: cuerpo de la respuesta)
+
+[ixuameta]
+ El único valor permitido es 'IE=edge'
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta
+
+
 [pdf_title]
 'humble' (Analizador de cabeceras HTTP)