[+] Execute 'validate_http_security_response_headers'
 • HTTP security response headers test suites (/tmp/venom_security_headers_tests_suite.yml)
   • Strict-Transport-Security FAILURE
     Testcase "Strict-Transport-Security", step #0: Assertion "result.headers.strict-transport-security ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:29)
     Testcase "Strict-Transport-Security", step #0: Assertion "result.headers.strict-transport-security ShouldContainSubstring \"includeSubDomains\"" failed. expected '' to contain 'includeSubDomains' but it wasn't (/tmp/venom_security_headers_tests_suite.yml:30)
     Testcase "Strict-Transport-Security", step #0: Assertion "result.headers.strict-transport-security ShouldContainSubstring \"max-age=\"" failed. expected '' to contain 'max-age=' but it wasn't (/tmp/venom_security_headers_tests_suite.yml:31)
     Testcase "Strict-Transport-Security", step #0: Assertion "result.headers.strict-transport-security ShouldContainSubstring \"preload\"" failed. expected '' to contain 'preload' but it wasn't (/tmp/venom_security_headers_tests_suite.yml:33)
   • X-Frame-Options FAILURE
     Testcase "X-Frame-Options", step #0: Assertion "result.headers.x-frame-options ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:44)
     Testcase "X-Frame-Options", step #0: Assertion "result.headers.x-frame-options ShouldEqual \"deny\"" failed. expected: deny got: <nil> (/tmp/venom_security_headers_tests_suite.yml:45)
   • X-Content-Type-Options FAILURE
     Testcase "X-Content-Type-Options", step #0: Assertion "result.headers.x-content-type-options ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:56)
     Testcase "X-Content-Type-Options", step #0: Assertion "result.headers.x-content-type-options ShouldEqual \"nosniff\"" failed. expected: nosniff got: <nil> (/tmp/venom_security_headers_tests_suite.yml:57)
   • Content-Security-Policy FAILURE
     Testcase "Content-Security-Policy", step #0: Assertion "result.headers.content-security-policy ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:68)
   • X-Permitted-Cross-Domain-Policies FAILURE
     Testcase "X-Permitted-Cross-Domain-Policies", step #0: Assertion "result.headers.x-permitted-cross-domain-policies ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:80)
     Testcase "X-Permitted-Cross-Domain-Policies", step #0: Assertion "result.headers.x-permitted-cross-domain-policies ShouldEqual \"none\"" failed. expected: none got: <nil> (/tmp/venom_security_headers_tests_suite.yml:81)
   • Referrer-Policy FAILURE
     Testcase "Referrer-Policy", step #0: Assertion "result.headers.referrer-policy ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:92)
     Testcase "Referrer-Policy", step #0: Assertion "result.headers.referrer-policy ShouldEqual \"no-referrer\"" failed. expected: no-referrer got: <nil> (/tmp/venom_security_headers_tests_suite.yml:93)
   • Clear-Site-Data FAILURE
     Testcase "Clear-Site-Data", step #0: Assertion "result.statuscode ShouldEqual 200" failed. expected: 200 got: 404 (/tmp/venom_security_headers_tests_suite.yml:103)
     Testcase "Clear-Site-Data", step #0: Assertion "result.headers.clear-site-data ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:104)
     Testcase "Clear-Site-Data", step #0: Assertion "result.headers.clear-site-data ShouldContainSubstring \"cookies\"" failed. expected '' to contain 'cookies' but it wasn't (/tmp/venom_security_headers_tests_suite.yml:105)
     Testcase "Clear-Site-Data", step #0: Assertion "result.headers.clear-site-data ShouldContainSubstring \"storage\"" failed. expected '' to contain 'storage' but it wasn't (/tmp/venom_security_headers_tests_suite.yml:106)
   • Cross-Origin-Embedder-Policy FAILURE
     Testcase "Cross-Origin-Embedder-Policy", step #0: Assertion "result.headers.cross-origin-embedder-policy ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:117)
     Testcase "Cross-Origin-Embedder-Policy", step #0: Assertion "result.headers.cross-origin-embedder-policy ShouldEqual \"require-corp\"" failed. expected: require-corp got: <nil> (/tmp/venom_security_headers_tests_suite.yml:118)
   • Cross-Origin-Opener-Policy FAILURE
     Testcase "Cross-Origin-Opener-Policy", step #0: Assertion "result.headers.cross-origin-opener-policy ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:129)
     Testcase "Cross-Origin-Opener-Policy", step #0: Assertion "result.headers.cross-origin-opener-policy ShouldEqual \"same-origin\"" failed. expected: same-origin got: <nil> (/tmp/venom_security_headers_tests_suite.yml:130)
   • Cross-Origin-Resource-Policy FAILURE
     Testcase "Cross-Origin-Resource-Policy", step #0: Assertion "result.headers.cross-origin-resource-policy ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:141)
     Testcase "Cross-Origin-Resource-Policy", step #0: Assertion "result.headers.cross-origin-resource-policy ShouldEqual \"same-origin\"" failed. expected: same-origin got: <nil> (/tmp/venom_security_headers_tests_suite.yml:142)
   • Permissions-Policy FAILURE
     Testcase "Permissions-Policy", step #0: Assertion "result.headers.permissions-policy ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:153)
   • Cache-Control FAILURE
     Testcase "Cache-Control", step #0: Assertion "result.headers.cache-control ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:165)
     Testcase "Cache-Control", step #0: Assertion "result.headers.cache-control ShouldEqual \"no-store\"" failed. expected: no-store got: <nil> (/tmp/venom_security_headers_tests_suite.yml:166)
   • Feature-Policy FAILURE
     [info] This header was split into Permissions-Policy and Document-Policy and will be considered deprecated once all impacted features are moved off of feature policy. (/tmp/venom_security_headers_tests_suite.yml:176) (/tmp/venom_security_headers_tests_suite.yml:176)
     Testcase "Feature-Policy", step #0: Assertion "result.headers.feature-policy ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:180)
   • Public-Key-Pins SUCCESS
     [info] This header has been deprecated by all major browsers and is no longer recommended. Avoid using it, and update existing code if possible! (/tmp/venom_security_headers_tests_suite.yml:188) (/tmp/venom_security_headers_tests_suite.yml:188)
   • Expect-CT FAILURE
     [info] This header will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021. (/tmp/venom_security_headers_tests_suite.yml:199) (/tmp/venom_security_headers_tests_suite.yml:199)
     Testcase "Expect-CT", step #0: Assertion "result.headers.expect-ct ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:203)
     Testcase "Expect-CT", step #0: Assertion "result.headers.expect-ct ShouldContainSubstring \"enforce\"" failed. expected '' to contain 'enforce' but it wasn't (/tmp/venom_security_headers_tests_suite.yml:204)
     Testcase "Expect-CT", step #0: Assertion "result.headers.expect-ct ShouldContainSubstring \"max-age=\"" failed. expected '' to contain 'max-age=' but it wasn't (/tmp/venom_security_headers_tests_suite.yml:205)
   • X-Xss-Protection FAILURE
     [info] The X-XSS-Protection header has been deprecated by modern browsers and its use can introduce additional security issues on the client side. (/tmp/venom_security_headers_tests_suite.yml:213) (/tmp/venom_security_headers_tests_suite.yml:213)
     Testcase "X-Xss-Protection", step #0: Assertion "result.headers.x-xss-protection ShouldNotBeNil" failed. expected: Not Nil but is was (/tmp/venom_security_headers_tests_suite.yml:217)
     Testcase "X-Xss-Protection", step #0: Assertion "result.headers.x-xss-protection ShouldEqual \"0\"" failed. expected: 0 got: <nil> (/tmp/venom_security_headers_tests_suite.yml:218)
   • SecurityHeaders-Rating SKIPPED

[+] Execute 'validate_secure_protocol_usage'
Permanent redirection to a HTTPS protocol is NOT in place.

[+] Execute 'validate_tls_configuration'
Testing all IPv4 addresses (port 443): 46.137.15.86 54.220.192.176 54.73.53.134
-----------------------------------------------------
Start 2022-03-26 08:52:41  -->> 46.137.15.86:443 (xlm-blogpost-deploy-check.herokuapp.com) <<--

Further IP addresses: 54.73.53.134 54.220.192.176
rDNS (46.137.15.86): ec2-46-137-15-86.eu-west-1.compute.amazonaws.com.
Service detected: HTTP

Testing protocols via sockets except NPN+ALPN
SSLv2                  not offered (OK)
SSLv3                  not offered (OK)
TLS 1                  not offered
TLS 1.1                not offered
TLS 1.2                offered (OK)
TLS 1.3                not offered and downgraded to a weaker protocol
NPN/SPDY               not offered
ALPN/HTTP2             not offered

Testing cipher categories
NULL ciphers (no encryption)                            not offered (OK)
Anonymous NULL Ciphers (no authentication)              not offered (OK)
Export ciphers (w/o ADH+NULL)                           not offered (OK)
LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)            not offered (OK)
Triple DES Ciphers / IDEA                               not offered
Obsoleted CBC ciphers (AES, ARIA etc.)                  offered
Strong encryption (AEAD ciphers) with no FS             offered (OK)
Forward Secrecy strong encryption (AEAD ciphers)        offered (OK)

Testing vulnerabilities
Heartbleed (CVE-2014-0160)                   not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224)                          not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment.     not vulnerable (OK), reply empty
ROBOT                                        not vulnerable (OK)
Secure Renegotiation (RFC 5746)              supported (OK)
Secure Client-Initiated Renegotiation        not vulnerable (OK)
CRIME, TLS (CVE-2012-4929)                   not vulnerable (OK)
BREACH (CVE-2013-3587)                       no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566)                  not vulnerable (OK), no SSLv3 support
TLS_FALLBACK_SCSV (RFC 7507)                 No fallback possible (OK), no protocol below TLS 1.2 offered
SWEET32 (CVE-2016-2183, CVE-2016-6329)       not vulnerable (OK)
FREAK (CVE-2015-0204)                        not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703)         not vulnerable on this host and port (OK)
                                             make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                             https://censys.io/ipv4?q=968E97A3C84D9007C9D14F037F84EE527802F36324A73D985B5AB8C738A3899E could help you to find out
LOGJAM (CVE-2015-4000), experimental         not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389)                        not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental        potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
Winshock (CVE-2014-6321), experimental       not vulnerable (OK) - CAMELLIA or ECDHE_RSA GCM ciphers found
RC4 (CVE-2013-2566, CVE-2015-2808)           no RC4 ciphers detected (OK)

Done 2022-03-26 08:53:23 [  44s] -->> 46.137.15.86:443 (xlm-blogpost-deploy-check.herokuapp.com) <<--
-----------------------------------------------------
Start 2022-03-26 08:53:23  -->> 54.220.192.176:443 (xlm-blogpost-deploy-check.herokuapp.com) <<--

Further IP addresses: 54.73.53.134 46.137.15.86
rDNS (54.220.192.176): ec2-54-220-192-176.eu-west-1.compute.amazonaws.com.
Service detected: HTTP

Testing protocols via sockets except NPN+ALPN
SSLv2                  not offered (OK)
SSLv3                  not offered (OK)
TLS 1                  not offered
TLS 1.1                not offered
TLS 1.2                offered (OK)
TLS 1.3                not offered and downgraded to a weaker protocol
NPN/SPDY               not offered
ALPN/HTTP2             not offered

Testing cipher categories
NULL ciphers (no encryption)                            not offered (OK)
Anonymous NULL Ciphers (no authentication)              not offered (OK)
Export ciphers (w/o ADH+NULL)                           not offered (OK)
LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)            not offered (OK)
Triple DES Ciphers / IDEA                               not offered
Obsoleted CBC ciphers (AES, ARIA etc.)                  offered
Strong encryption (AEAD ciphers) with no FS             offered (OK)
Forward Secrecy strong encryption (AEAD ciphers)        offered (OK)

Testing vulnerabilities
Heartbleed (CVE-2014-0160)                   not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224)                          not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment.     not vulnerable (OK), reply empty
ROBOT                                        not vulnerable (OK)
Secure Renegotiation (RFC 5746)              supported (OK)
Secure Client-Initiated Renegotiation        not vulnerable (OK)
CRIME, TLS (CVE-2012-4929)                   not vulnerable (OK)
BREACH (CVE-2013-3587)                       no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566)                  not vulnerable (OK), no SSLv3 support
TLS_FALLBACK_SCSV (RFC 7507)                 No fallback possible (OK), no protocol below TLS 1.2 offered
SWEET32 (CVE-2016-2183, CVE-2016-6329)       not vulnerable (OK)
FREAK (CVE-2015-0204)                        not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703)         not vulnerable on this host and port (OK)
                                             make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                             https://censys.io/ipv4?q=968E97A3C84D9007C9D14F037F84EE527802F36324A73D985B5AB8C738A3899E could help you to find out
LOGJAM (CVE-2015-4000), experimental         not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389)                        not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental        potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
Winshock (CVE-2014-6321), experimental       not vulnerable (OK) - CAMELLIA or ECDHE_RSA GCM ciphers found
RC4 (CVE-2013-2566, CVE-2015-2808)           no RC4 ciphers detected (OK)

Done 2022-03-26 08:54:06 [  87s] -->> 54.220.192.176:443 (xlm-blogpost-deploy-check.herokuapp.com) <<--
-----------------------------------------------------
Start 2022-03-26 08:54:06  -->> 54.73.53.134:443 (xlm-blogpost-deploy-check.herokuapp.com) <<--

Further IP addresses: 54.220.192.176 46.137.15.86
rDNS (54.73.53.134): ec2-54-73-53-134.eu-west-1.compute.amazonaws.com.
Service detected: HTTP

Testing protocols via sockets except NPN+ALPN
SSLv2                  not offered (OK)
SSLv3                  not offered (OK)
TLS 1                  not offered
TLS 1.1                not offered
TLS 1.2                offered (OK)
TLS 1.3                not offered and downgraded to a weaker protocol
NPN/SPDY               not offered
ALPN/HTTP2             not offered

Testing cipher categories
NULL ciphers (no encryption)                            not offered (OK)
Anonymous NULL Ciphers (no authentication)              not offered (OK)
Export ciphers (w/o ADH+NULL)                           not offered (OK)
LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)            not offered (OK)
Triple DES Ciphers / IDEA                               not offered
Obsoleted CBC ciphers (AES, ARIA etc.)                  offered
Strong encryption (AEAD ciphers) with no FS             offered (OK)
Forward Secrecy strong encryption (AEAD ciphers)        offered (OK)

Testing vulnerabilities
Heartbleed (CVE-2014-0160)                   not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224)                          not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment.     not vulnerable (OK), reply empty
ROBOT                                        not vulnerable (OK)
Secure Renegotiation (RFC 5746)              supported (OK)
Secure Client-Initiated Renegotiation        not vulnerable (OK)
CRIME, TLS (CVE-2012-4929)                   not vulnerable (OK)
BREACH (CVE-2013-3587)                       no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566)                  not vulnerable (OK), no SSLv3 support
TLS_FALLBACK_SCSV (RFC 7507)                 No fallback possible (OK), no protocol below TLS 1.2 offered
SWEET32 (CVE-2016-2183, CVE-2016-6329)       not vulnerable (OK)
FREAK (CVE-2015-0204)                        not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703)         not vulnerable on this host and port (OK)
                                             make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                             https://censys.io/ipv4?q=968E97A3C84D9007C9D14F037F84EE527802F36324A73D985B5AB8C738A3899E could help you to find out
LOGJAM (CVE-2015-4000), experimental         not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389)                        not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental        potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
Winshock (CVE-2014-6321), experimental       not vulnerable (OK) - CAMELLIA or ECDHE_RSA GCM ciphers found
RC4 (CVE-2013-2566, CVE-2015-2808)           no RC4 ciphers detected (OK)

Done 2022-03-26 08:54:50 [ 131s] -->> 54.73.53.134:443 (xlm-blogpost-deploy-check.herokuapp.com) <<--
-----------------------------------------------------
Done testing now all IP addresses (on port 443): 46.137.15.86 54.220.192.176 54.73.53.134
6 issue(s) found.

[+] Execute 'validate_exposed_content'
/home/runner/work/PostDeploymentSecurityCheck-Study/PostDeploymentSecurityCheck-Study
deploy.key [Status: 200, Size: 356, Words: 7, Lines: 7]
1 excluded item(s) found.
NodeJS Express framework usage disclosed (0 = no): 1
Error handling misconfiguration (0 = no): 0

[+] Execute 'validate_securitytxt_file_presence'
File is present (0 = no): 1

[+] Execute 'validate_waf_presence'
WAF is present (1 = no): 1

[+] Execute 'validate_robotstxt_file_content'
Disallow clause present 2 times (expected 0 time)

[+] Execute 'validate_directory_listing_enabling_status'
Directory listing is enabled.

[+] Cleanup

[+] Global status - RC: 15
[!] Issue found