forked from shartge/testssl.sh-webfrontend
-
Notifications
You must be signed in to change notification settings - Fork 1
/
SSLTestPortal.py
executable file
·168 lines (144 loc) · 5.95 KB
/
SSLTestPortal.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
#!/usr/bin/env python3
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from flask import Flask, Response, request, redirect, session, render_template, url_for, flash, stream_with_context
from markupsafe import escape
import os
from os import urandom
from subprocess import Popen, PIPE, CalledProcessError, TimeoutExpired
import re
import socket
SENTINEL = '------------SPLIT----------HERE---------'
application = Flask(__name__)
### Configuration ###
checkCmd = "/testssl.sh/testssl.sh"
checkArgs = ["--quiet", "--add-ca=/etc/ssl/certs/ca-certificates.pem"]
checkTimeout = int(os.environ.get("CHECKTIMEOUT", default=300))
testsslDebug = int(os.environ.get("TESTSSLDEBUG", default=0))
rendererCmd = "aha"
rendererArgs = ["-n"]
rendererTimeout = 30
protocols = ["ftp", "smtp", "pop3", "imap", "xmpp", "telnet", "ldap"]
scantypes = ["normal", "quick"]
reHost = re.compile("^[a-zA-Z0-9_][a-zA-Z0-9_-]+(\x2E[a-zA-Z0-9_-]+)*$")
preflightRequest = True
preflightTimeout = 10
application.debug = False
application.secret_key = urandom(32)
#####################
@application.route("/", methods=['GET', 'POST'])
def main():
if request.method == 'GET': # Main Page
return render_template("main.html")
elif request.method == 'POST': # Perform Test
# Sanity checks of request values
ok = True
host = request.form['host']
if not reHost.match(host):
flash("Wrong host name!")
ok = False
if host == "localhost" or host.find("127.") == 0 or host == "::1":
flash("I was already pentested ;)")
ok = False
try:
port = int(request.form['port'])
if not (port >= 0 and port <= 65535):
flash("Wrong port number!")
ok = False
except:
flash("Port number must be numeric")
ok = False
scantype = request.form['scantype']
if scantype not in scantypes:
flash("Wrong scantype!")
ok = False
if 'starttls' in request.form and request.form['starttls'] == "yes":
starttls = True
else:
starttls = False
protocol = request.form['protocol']
if starttls and protocol not in protocols:
flash("Wrong protocol!")
ok = False
# Perform preflight request to prevent that testssl.sh runs into long timeout
if ok and preflightRequest:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(preflightTimeout)
s.connect((host, port))
s.close()
except:
flash("Connection failed!")
ok = False
if not ok:
return render_template("main.html")
# Build command line
testssl_args = [checkCmd]
testssl_args += checkArgs
testssl_args.append("--debug="+str(testsslDebug))
if scantype == "normal":
testssl_args.append("--protocols")
testssl_args.append("--cipher-per-proto")
testssl_args.append("--fs")
testssl_args.append("--rc4")
testssl_args.append("--vulnerable")
if scantype == "quick":
testssl_args.append("--protocols")
testssl_args.append("--cipher-per-proto")
testssl_args.append("--server-defaults")
if starttls:
testssl_args.append("-t")
testssl_args.append(protocol)
testssl_args.append(host + ":" + str(port))
# Build render command line
render_args = [rendererCmd]
render_args += rendererArgs
# Perform test
def runtest():
first, _, last = render_template('result.html', result=SENTINEL).partition(SENTINEL)
yield first
check = Popen(testssl_args, shell=False, stdout=PIPE, stderr=PIPE)
for line in iter(check.stdout.readline, b''):
renderer = Popen(render_args, shell=False, stdin=PIPE, stdout=PIPE, stderr=PIPE)
html, err = renderer.communicate(input=line)
if renderer.returncode != 0:
html = "<pre>HTML formatting failed with error code " + str(renderer.returncode) + " - see raw output below</pre>"
html += "<pre>" + str(err, 'utf-8') + "</pre>"
yield str(html, 'utf-8')
break
yield str(html, 'utf-8')
output, err = check.communicate(timeout=checkTimeout)
if check.returncode > 128:
yield str(err, 'utf-8')
yield last
check.kill()
renderer.kill()
return Response(stream_with_context(runtest()), mimetype='text/html')
@application.route("/about/")
def about():
# Build commmands
testssl_args = [checkCmd]
testssl_args.append("--version")
render_args = [rendererCmd]
render_args += rendererArgs
# Get version output from testssl
check = Popen(testssl_args, shell=False, stdout=PIPE, stderr=PIPE)
output, err = check.communicate()
# Render output as HTML
renderer = Popen(render_args, shell=False, stdin=PIPE, stdout=PIPE, stderr=PIPE)
html, err = renderer.communicate(input=output)
check.kill()
renderer.kill()
return render_template("about.html", about=str(html, 'utf-8'))
if __name__ == "__main__":
application.run(host='0.0.0.0')