scruffyscarf · scruffyscarf · Nov 3, 2025
diff --git a/labs/lab11/analysis/headers-http.txt b/labs/lab11/analysis/headers-http.txt
@@ -0,0 +1,14 @@
+HTTP/1.1 308 Permanent Redirect
+Server: nginx
+Date: Mon, 03 Nov 2025 20:57:19 GMT
+Content-Type: text/html
+Content-Length: 164
+Connection: keep-alive
+Location: https://localhost:8443/
+X-Frame-Options: DENY
+X-Content-Type-Options: nosniff
+Referrer-Policy: strict-origin-when-cross-origin
+Permissions-Policy: camera=(), geolocation=(), microphone=()
+Cross-Origin-Opener-Policy: same-origin
+Cross-Origin-Resource-Policy: same-origin
+Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'
diff --git a/labs/lab11/analysis/headers-https.txt b/labs/lab11/analysis/headers-https.txt
@@ -0,0 +1,20 @@
+HTTP/2 200 
+server: nginx
+date: Mon, 03 Nov 2025 20:57:35 GMT
+content-type: text/html; charset=UTF-8
+content-length: 75002
+feature-policy: payment 'self'
+x-recruiting: /#/jobs
+accept-ranges: bytes
+cache-control: public, max-age=0
+last-modified: Mon, 03 Nov 2025 20:54:59 GMT
+etag: W/"124fa-19a4b806d51"
+vary: Accept-Encoding
+strict-transport-security: max-age=31536000; includeSubDomains; preload
+x-frame-options: DENY
+x-content-type-options: nosniff
+referrer-policy: strict-origin-when-cross-origin
+permissions-policy: camera=(), geolocation=(), microphone=()
+cross-origin-opener-policy: same-origin
+cross-origin-resource-policy: same-origin
+content-security-policy-report-only: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'
diff --git a/labs/lab11/analysis/rate-limit-test.txt b/labs/lab11/analysis/rate-limit-test.txt
@@ -0,0 +1,12 @@
+401
+401
+401
+401
+401
+401
+429
+429
+429
+429
+429
+429
diff --git a/labs/lab11/analysis/testssl.txt b/labs/lab11/analysis/testssl.txt
@@ -0,0 +1,225 @@
+#####################################################################
+  testssl.sh version 3.2.2 from https://testssl.sh/
+
+  This program is free software. Distribution and modification under
+  GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
+
+  Please file bugs @ https://testssl.sh/bugs/
+#####################################################################
+
+  Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~183 ciphers]
+  on fad5bba9a81b:/home/testssl/bin/openssl.Linux.x86_64
+
+ Start 2025-11-03 21:01:11        -->> 192.168.65.254:8443 (host.docker.internal) <<--
+
+ Further IP addresses:   fdc4:f303:9324::254 
+ rDNS (192.168.65.254):  --
+ Service detected:       HTTP
+
+ Testing protocols via sockets except NPN+ALPN 
+
+ SSLv2      not offered (OK)
+ SSLv3      not offered (OK)
+ TLS 1      not offered
+ TLS 1.1    not offered
+ TLS 1.2    offered (OK)
+ TLS 1.3    offered (OK): final
+ NPN/SPDY   not offered
+ ALPN/HTTP2 h2, http/1.1 (offered)
+
+ Testing cipher categories 
+
+ NULL ciphers (no encryption)                      not offered (OK)
+ Anonymous NULL Ciphers (no authentication)        not offered (OK)
+ Export ciphers (w/o ADH+NULL)                     not offered (OK)
+ LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      not offered (OK)
+ Triple DES Ciphers / IDEA                         not offered
+ Obsoleted CBC ciphers (AES, ARIA etc.)            not offered
+ Strong encryption (AEAD ciphers) with no FS       not offered
+ Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)
+
+
+ Testing server's cipher preferences 
+
+Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
+-----------------------------------------------------------------------------------------------------------------------------
+SSLv2
+ - 
+SSLv3
+ - 
+TLSv1
+ - 
+TLSv1.1
+ - 
+TLSv1.2 (server order)
+ xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
+ xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              
+TLSv1.3 (server order)
+ x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                             
+ x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       
+ x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256                             
+
+ Has server cipher order?     yes (OK) -- TLS 1.3 and below
+
+
+ Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 
+
+ FS is offered (OK)           TLS_AES_256_GCM_SHA384
+                              TLS_CHACHA20_POLY1305_SHA256
+                              ECDHE-RSA-AES256-GCM-SHA384
+                              TLS_AES_128_GCM_SHA256
+                              ECDHE-RSA-AES128-GCM-SHA256 
+ Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 X448 
+ Finite field group:          ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192
+ TLS 1.2 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 
+                              RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 
+                              RSA+SHA512 RSA+SHA224 
+ TLS 1.3 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 
+                              RSA-PSS-RSAE+SHA512 
+
+ Testing server defaults (Server Hello) 
+
+ TLS extensions (standard)    "server name/#0" "max fragment length/#1"
+                              "supported_groups/#10" "EC point formats/#11"
+                              "application layer protocol negotiation/#16"
+                              "extended master secret/#23" "session ticket/#35"
+                              "supported versions/#43" "key share/#51"
+                              "renegotiation info/#65281"
+ Session Ticket RFC 5077 hint 600 seconds, session tickets keys seems to be rotated < daily
+ SSL Session ID support       yes
+ Session Resumption           Tickets: yes, ID: yes
+ TLS clock skew               Random values, no fingerprinting possible 
+ Certificate Compression      none
+ Client Authentication        none
+ Signature Algorithm          SHA256 with RSA
+ Server key size              RSA 2048 bits (exponent is 65537)
+ Server key usage             --
+ Server extended key usage    --
+ Serial                       15ECBD98D2847CC46619AD8FFD52040B9CD4718D (OK: length 20)
+ Fingerprints                 SHA1 404D7517DAF3A4C63748CDF87FE4BCCDC0BB7615
+                              SHA256 EB970983500361B6777449C3AC8CE37F9A8D47ACF7A26E4AFA584B747F3721F0
+ Common Name (CN)             localhost 
+ subjectAltName (SAN)         localhost 127.0.0.1 0:0:0:0:0:0:0:1 
+ Trust (hostname)             certificate does not match supplied URI (same w/o SNI)
+ Chain of trust               NOT ok (self signed)
+ EV cert (experimental)       no 
+ Certificate Validity (UTC)   364 >= 60 days (2025-11-03 20:54 --> 2026-11-03 20:54)
+ ETS/"eTLS", visibility info  not present
+ Certificate Revocation List  --
+ OCSP URI                     --
+                              NOT ok -- neither CRL nor OCSP URI provided
+ OCSP stapling                not offered
+ OCSP must staple extension   --
+ DNS CAA RR (experimental)    not offered
+ Certificate Transparency     --
+ Certificates provided        1
+ Issuer                       localhost
+ Intermediate Bad OCSP (exp.) Ok
+
+
+ Testing HTTP header response @ "/" 
+
+ HTTP Status Code             200 OK
+ HTTP clock skew              0 sec from localtime
+ Strict Transport Security    365 days=31536000 s, includeSubDomains, preload
+ Public Key Pinning           --
+ Server banner                nginx
+ Application banner           --
+ Cookie(s)                    (none issued at "/")
+ Security headers             X-Frame-Options: DENY
+                              X-Content-Type-Options: nosniff
+                              Content-Security-Policy-Report-Only: default-src
+                                'self'; img-src 'self' data:; script-src 'self'
+                                'unsafe-inline' 'unsafe-eval'; style-src 'self'
+                                'unsafe-inline'
+                              Permissions-Policy: camera=(), geolocation=(),
+                                microphone=()
+                              Cross-Origin-Opener-Policy: same-origin
+                              Cross-Origin-Resource-Policy: same-origin
+                              Permissions-Policy: camera=(), geolocation=(),
+                                microphone=()
+                              Referrer-Policy: strict-origin-when-cross-origin
+                              Cache-Control: public, max-age=0
+ Reverse Proxy banner         --
+
+
+ Testing vulnerabilities 
+
+ Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
+ CCS (CVE-2014-0224)                       not vulnerable (OK)
+ Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK)
+ ROBOT                                     Server does not support any cipher suites that use RSA key transport
+ Secure Renegotiation (RFC 5746)           supported (OK)
+ Secure Client-Initiated Renegotiation     not vulnerable (OK)
+ CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
+ BREACH (CVE-2013-3587)                    no gzip/deflate/compress/br HTTP compression (OK)  - only supplied "/" tested
+ POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
+ TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
+ SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
+ FREAK (CVE-2015-0204)                     not vulnerable (OK)
+ DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
+                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
+                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=EB970983500361B6777449C3AC8CE37F9A8D47ACF7A26E4AFA584B747F3721F0
+ LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
+ BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
+ LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
+ Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
+ RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
+
+
+ Running client simulations (HTTP) via sockets 
+
+ Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
+------------------------------------------------------------------------------------------------
+ Android 7.0 (native)         TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       256 bit ECDH (P-256)
+ Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       253 bit ECDH (X25519)
+ Android 9.0 (native)         TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ Android 10.0 (native)        TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ Android 11/12 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ Android 13/14 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ Android 15 (native)          TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ Chrome 101 (Win 10)          TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ Chromium 137 (Win 11)        TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ Firefox 100 (Win 10)         TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ Firefox 137 (Win 11)         TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ IE 8 Win 7                   No connection
+ IE 11 Win 7                  No connection
+ IE 11 Win 8.1                No connection
+ IE 11 Win Phone 8.1          No connection
+ IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       256 bit ECDH (P-256)
+ Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       253 bit ECDH (X25519)
+ Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ Edge 133 Win 11 23H2         TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ Safari 18.4 (iOS 18.4)       TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ Safari 18.4 (macOS 15.4)     TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ Java 7u25                    No connection
+ Java 8u442 (OpenJDK)         TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            256 bit ECDH (P-256)
+ Java 17.0.3 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ Java 21.0.6 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ go 1.17.8                    TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ LibreSSL 3.3.6 (macOS)       TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       256 bit ECDH (P-256)
+ OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ OpenSSL 3.0.15 (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ OpenSSL 3.5.0 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+ Apple Mail (16.0)            TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       256 bit ECDH (P-256)
+ Thunderbird (91.9)           TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
+
+
+ Rating (experimental) 
+
+ Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)
+ Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
+ Protocol Support (weighted)  0 (0)
+ Key Exchange     (weighted)  0 (0)
+ Cipher Strength  (weighted)  0 (0)
+ Final Score                  0
+ Overall Grade                T
+ Grade cap reasons            Grade capped to T. Issues with chain of trust
+                                (self signed)
+                              Grade capped to
+                                M. Domain name mismatch
+
+ Done 2025-11-03 21:02:45 [ 107s] -->> 192.168.65.254:8443 (host.docker.internal) <<--
diff --git a/labs/lab11/logs/access.log b/labs/lab11/logs/access.log
@@ -0,0 +1,26 @@
+172.18.0.1 - - [03/Nov/2025:20:55:14 +0000] "GET / HTTP/1.1" 308 164 "-" "curl/8.7.1" rt=0.000 uct=- urt=-
+172.18.0.1 - - [03/Nov/2025:20:55:23 +0000] "GET / HTTP/1.1" 308 164 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15" rt=0.000 uct=- urt=-
+172.18.0.1 - - [03/Nov/2025:20:55:24 +0000] "GET / HTTP/1.1" 308 164 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15" rt=0.000 uct=- urt=-
+172.18.0.1 - - [03/Nov/2025:20:55:31 +0000] "GET / HTTP/1.1" 308 164 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15" rt=0.000 uct=- urt=-
+172.18.0.1 - - [03/Nov/2025:20:57:19 +0000] "HEAD / HTTP/1.1" 308 0 "-" "curl/8.7.1" rt=0.000 uct=- urt=-
+172.18.0.1 - - [03/Nov/2025:20:57:35 +0000] "HEAD / HTTP/2.0" 200 0 "-" "curl/8.7.1" rt=0.030 uct=0.003 urt=0.030
+172.18.0.1 - - [03/Nov/2025:20:58:50 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.008 uct=0.001 urt=0.008
+172.18.0.1 - - [03/Nov/2025:20:59:40 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.005 uct=0.002 urt=0.006
+172.18.0.1 - - [03/Nov/2025:20:59:41 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.002 uct=0.000 urt=0.001
+172.18.0.1 - - [03/Nov/2025:20:59:51 +0000] "GET / HTTP/1.1" 200 75002 "https://google.com/" "TLS tester from https://testssl.sh/" rt=0.004 uct=0.002 urt=0.004
+172.18.0.1 - - [03/Nov/2025:21:01:12 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.005 uct=0.000 urt=0.005
+172.18.0.1 - - [03/Nov/2025:21:02:03 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.005 uct=0.000 urt=0.004
+172.18.0.1 - - [03/Nov/2025:21:02:04 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.002 uct=0.000 urt=0.002
+172.18.0.1 - - [03/Nov/2025:21:02:14 +0000] "GET / HTTP/1.1" 200 75002 "https://google.com/" "TLS tester from https://testssl.sh/" rt=0.003 uct=0.000 urt=0.003
+172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 200 26 "-" "curl/8.7.1" rt=0.065 uct=0.003 urt=0.065
+172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 200 26 "-" "curl/8.7.1" rt=0.009 uct=0.000 urt=0.009
+172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 200 26 "-" "curl/8.7.1" rt=0.009 uct=0.000 urt=0.008
+172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 200 26 "-" "curl/8.7.1" rt=0.011 uct=0.000 urt=0.011
+172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 200 26 "-" "curl/8.7.1" rt=0.011 uct=0.000 urt=0.010
+172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 200 26 "-" "curl/8.7.1" rt=0.006 uct=0.000 urt=0.007
+172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=-
+172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=-
+172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=-
+172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=-
+172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=-
+172.18.0.1 - - [03/Nov/2025:21:07:23 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.7.1" rt=0.000 uct=- urt=-