HTTP security headers for Flask

Overview

Talisman: HTTP security headers for Flask

Build Status Coverage Status PyPI Version

Talisman is a small Flask extension that handles setting HTTP headers that can help protect against a few common web application security issues.

The default configuration:

  • Forces all connects to https, unless running with debug enabled.
  • Enables HTTP Strict Transport Security.
  • Sets Flask's session cookie to secure, so it will never be set if your application is somehow accessed via a non-secure connection.
  • Sets Flask's session cookie to httponly, preventing JavaScript from being able to access its content. CSRF via Ajax uses a separate cookie and should be unaffected.
  • Sets X-Frame-Options to SAMEORIGIN to avoid clickjacking.
  • Sets X-XSS-Protection to enable a cross site scripting filter for IE and Safari (note Chrome has removed this and Firefox never supported it).
  • Sets X-Content-Type-Options to prevent content type sniffing.
  • Sets a strict Content Security Policy of default-src: 'self'. This is intended to almost completely prevent Cross Site Scripting (XSS) attacks. This is probably the only setting that you should reasonably change. See the Content Security Policy section.
  • Sets a strict Referrer-Policy of strict-origin-when-cross-origin that governs which referrer information should be included with requests made.

In addition to Talisman, you should always use a cross-site request forgery (CSRF) library. It's highly recommended to use Flask-SeaSurf, which is based on Django's excellent library.

Installation & Basic Usage

Install via pip:

pip install flask-talisman

After installing, wrap your Flask app with a Talisman:

from flask import Flask
from flask_talisman import Talisman

app = Flask(__name__)
Talisman(app)

There is also a full Example App.

Options

  • feature_policy, default {}, see the Feature Policy section.
  • force_https, default True, forces all non-debug connects to https.
  • force_https_permanent, default False, uses 301 instead of 302 for https redirects.
  • frame_options, default SAMEORIGIN, can be SAMEORIGIN, DENY, or ALLOWFROM.
  • frame_options_allow_from, default None, a string indicating the domains that are allowed to embed the site via iframe.
  • strict_transport_security, default True, whether to send HSTS headers.
  • strict_transport_security_preload, default False, enables HSTS preloading If you register your application with Google's HSTS preload list, Firefox and Chrome will never load your site over a non-secure connection.
  • strict_transport_security_max_age, default ONE_YEAR_IN_SECS, length of time the browser will respect the HSTS header.
  • strict_transport_security_include_subdomains, default True, whether subdomains should also use HSTS.
  • content_security_policy, default default-src: 'self', see the Content Security Policy section.
  • content_security_policy_nonce_in, default []. Adds a per-request nonce value to the flask request object and also to the specified CSP header section. I.e. ['script-src', 'style-src']
  • content_security_policy_report_only, default False, whether to set the CSP header as "report-only" (as Content-Security-Policy-Report-Only) to ease deployment by disabling the policy enforcement by the browser, requires passing a value with the content_security_policy_report_uri parameter
  • content_security_policy_report_uri, default None, a string indicating the report URI used for CSP violation reports
  • referrer_policy, default strict-origin-when-cross-origin, a string that sets the Referrer Policy header to send a full URL when performing a same-origin request, only send the origin of the document to an equally secure destination (HTTPS->HTTPS), and send no header to a less secure destination (HTTPS->HTTP).
  • session_cookie_secure, default True, set the session cookie to secure, preventing it from being sent over plain http.
  • session_cookie_http_only, default True, set the session cookie to httponly, preventing it from being read by JavaScript.
  • force_file_save, default False, whether to set the X-Download-Options header to noopen to prevent IE >= 8 to from opening file downloads directly and only save them instead.

Per-view options

Sometimes you want to change the policy for a specific view. The force_https, frame_options, frame_options_allow_from, and content_security_policy options can be changed on a per-view basis.

from flask import Flask
from flask_talisman import Talisman, ALLOW_FROM

app = Flask(__name__)
talisman = Talisman(app)

@app.route('/normal')
def normal():
    return 'Normal'

@app.route('/embeddable')
@talisman(frame_options=ALLOW_FROM, frame_options_allow_from='*')
def embeddable():
    return 'Embeddable'

Content Security Policy

The default content security policy is extremely strict and will prevent loading any resources that are not in the same domain as the application. Most web applications will need to change this policy.

A slightly more permissive policy is available at flask_talisman.GOOGLE_CSP_POLICY, which allows loading Google-hosted JS libraries, fonts, and embeding media from YouTube and Maps.

You can and should create your own policy to suit your site's needs. Here's a few examples adapted from MDN:

Example 1

This is the default policy. A web site administrator wants all content to come from the site's own origin (this excludes subdomains.)

csp = {
    'default-src': '\'self\''
}
talisman = Talisman(app, content_security_policy=csp)

Example 2

A web site administrator wants to allow content from a trusted domain and all its subdomains (it doesn't have to be the same domain that the CSP is set on.)

csp = {
    'default-src': [
        '\'self\'',
        '*.trusted.com'
    ]
}

Example 3

A web site administrator wants to allow users of a web application to include images from any origin in their own content, but to restrict audio or video media to trusted providers, and all scripts only to a specific server that hosts trusted code.

csp = {
    'default-src': '\'self\'',
    'img-src': '*',
    'media-src': [
        'media1.com',
        'media2.com',
    ],
    'script-src': 'userscripts.example.com'
}

In this example content is only permitted from the document's origin with the following exceptions:

  • Images may loaded from anywhere (note the * wildcard).
  • Media is only allowed from media1.com and media2.com (and not from subdomains of those sites).
  • Executable script is only allowed from userscripts.example.com.

Example 4

A web site administrator for an online banking site wants to ensure that all its content is loaded using SSL, in order to prevent attackers from eavesdropping on requests.

csp = {
    'default-src': 'https://onlinebanking.jumbobank.com'
}

The server only permits access to documents being loaded specifically over HTTPS through the single origin onlinebanking.jumbobank.com.

Example 5

A web site administrator of a web mail site wants to allow HTML in email, as well as images loaded from anywhere, but not JavaScript or other potentially dangerous content.

csp = {
    'default-src': [
        '\'self\'',
        '*.mailsite.com',
    ],
    'img-src': '*'
}

Note that this example doesn't specify a script-src; with the example CSP, this site uses the setting specified by the default-src directive, which means that scripts can be loaded only from the originating server.

Example 6

A web site administrator wants to allow embedded scripts (which might be generated dynamicially).

csp = {
    'default-src': '\'self\'',
    'script-src': '\'self\'',
}
talisman = Talisman(
    app,
    content_security_policy=csp,
    content_security_policy_nonce_in=['script-src']
)

The nonce needs to be added to the script tag in the template:

<script nonce="{{ csp_nonce() }}">
    //...
</script>

Note that the CSP directive (script-src in the example) to which the nonce-... source should be added needs to be defined explicitly.

Example 7

A web site adminstrator wants to override the CSP directives via an environment variable which doesn't support specifying the policy as a Python dictionary, e.g.:

export CSP_DIRECTIVES="default-src 'self'; image-src *"
python app.py

Then in the app code you can read the CSP directives from the environment:

import os
from flask_talisman import Talisman, DEFAULT_CSP_POLICY

talisman = Talisman(
    app,
    content_security_policy=os.environ.get("CSP_DIRECTIVES", DEFAULT_CSP_POLICY),
)

As you can see above the policy can be defined simply just like the official specification requires the HTTP header to be set: As a semicolon separated list of individual CSP directives.

Feature Policy

The default feature policy is empty, as this is the default expected behaviour. Note that the Feature Policy is still a draft https://wicg.github.io/feature-policy/ but is supported in some form in most browsers. Please note this has been renamed Permissions Policy in the latest draft by at this writing, browsers and this extension only supports the Feature-Policy HTTP Header name.

Geolocation Example

Disable access to Geolocation interface.

feature_policy = {
    'geolocation': '\'none\''
}
talisman = Talisman(app, feature_policy=feature_policy)

Disclaimer

This is not an official Google product, experimental or otherwise.

There is no silver bullet for web application security. Talisman can help, but security is more than just setting a few headers. Any public-facing web application should have a comprehensive approach to security.

Contributing changes

Licensing

Comments
  • AttributeError: frame_options

    AttributeError: frame_options

    Hello,

    We have a Flask app with Talisman and we initialize the app by default values:

    csp = {
            'default-src': '\'self\'',
            'img-src': '\'self\' data:',
            'media-src': [
                '*',
            ],
            'style-src': '\'unsafe-inline\' \'self\'',
            'script-src': '\'unsafe-inline\' \'self\'',
            'font-src' : '*'
        }
        Talisman(app, content_security_policy=csp)
    

    But sometimes, we are not sure why, it's hard to reproduce we have the following error and stacktrace :asd

    Traceback (most recent call last):
      File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask/app.py", line 2000, in __call__
        return self.wsgi_app(environ, start_response)
      File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask/app.py", line 1991, in wsgi_app
        response = self.make_response(self.handle_exception(e))
      File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask/app.py", line 1567, in handle_exception
        reraise(exc_type, exc_value, tb)
      File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask/_compat.py", line 33, in reraise
        raise value
      File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask/app.py", line 1988, in wsgi_app
        response = self.full_dispatch_request()
      File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask/app.py", line 1643, in full_dispatch_request
        response = self.process_response(response)
      File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask/app.py", line 1862, in process_response
        response = handler(response)
      File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask_talisman/talisman.py", line 210, in _set_response_headers
        self._set_frame_options_headers(response.headers)
      File "/root/19032018/asd/venv/lib/python3.6/site-packages/flask_talisman/talisman.py", line 217, in _set_frame_options_headers
        headers['X-Frame-Options'] = self.local_options.frame_options
      File "/root/19032018/asd/venv/lib/python3.6/site-packages/werkzeug/local.py", line 72, in __getattr__
        raise AttributeError(name)
    AttributeError: frame_options
    
    

    Can you help why this happens and why it happens at seemingly random times? Talisman version is 0.4.1

    Thanks in advance!

    bug help wanted 
    opened by myaspm 23
  • Add referrer policy security header

    Add referrer policy security header

    The referrer policy security header tells the browser what information about your website (URL and possibly path) is sent to a linked site. See this blog/examples for more info.

    There's also some useful information of the available directives from Mozilla. I've set the default to 'strict-origin-when-cross-origin', although it may want to be changed until Chrome adds handling for this (see this issue).

    opened by asmith26 12
  • Rename package from talisman to flask_talisman

    Rename package from talisman to flask_talisman

    • Fixes #3
    • I never released a package before.. so please verify which changes had to be flask_talisman and which ones flask-talisman
    • Updated the version to 1.0.0
    • Updated the URLs to flask-talisman in PyPi
    opened by lipis 7
  • Fixes for when request.endpoint is None.

    Fixes for when request.endpoint is None.

    This patch is so that when request.endpoint is None:

    • Don't raise 500 error.
    • Don't redirect to https.

    Currently, a request to an endpoint that does not exist will cause an error. I noticed this when I migrated an app engine flexible environment application from vm: true to env: flex and the health checks (requests to /_ah/health) were resulting in errors. I think the expected behavior should be that these or other nonexistent endpoints simply return 404, so I also added to the list of criteria to exclude when forcing https.

    opened by rfinck 6
  • csp_nonce() is empty

    csp_nonce() is empty

    Hi, I might be doing something really stupid but I can't find much documentation or examples, other than the main page on GitHub and the example about CSP.

    My issue is that csp_nonce() is evaluating to an empty string. What am I doing wrong?

    I include the relevant parts of my code (it is a much bigger project so I am trying to post only relevant parts, but if you need anything more, please let me know).

    <!doctype html>
    <html lang="en">
    <head>
        [...]
        <link href="/static/css/main.68b8b5e7.chunk.css" rel="stylesheet">
    </head>
    <body>
    <noscript>You need to enable JavaScript to run this app.</noscript>
    <div id="root"></div>
    <script>[...] </script>
    <script src="/static/js/2.389a3736.chunk.js" nonce="{{ csp_nonce() }}"></script>
    <script src="/static/js/main.f39b6155.chunk.js" nonce="{{ csp_nonce() }}"></script>
    </body>
    </html>
    

    While the CSP header does contain the nonce:

    Content-Security-Policy | style-src 'self' https://fonts.googleapis.com 'nonce-XleICcqjjVeXsgKoEn6gLA'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'nonce-XleICcqjjVeXsgKoEn6gLA'

    Flask app:

    man = Talisman()
    man.init_app(app, content_security_policy={
                "style-src": ["\'self\'", 'https://fonts.googleapis.com'],
                "font-src": ["\'self\'", 'https://fonts.gstatic.com'],
                "img-src": "'self' data:",
                "script-src":  ["\'self\'"],
            }, content_security_policy_nonce_in=['script-src', 'style-src']) 
    
    @app.route('/')
    def index():
           return render_template('index.html')
    

    Page in the browser (notice how the nonce is empty):

    <html lang="en">
    <head>
        <link href="/static/css/main.68b8b5e7.chunk.css" rel="stylesheet">
    <style data-jss="" data-meta="MuiGrid" nonce=""> [...]</style>
    <style data-jss="" data-meta="MuiBox" nonce=""></style>
    <style data-jss="" data-meta="MuiBox" nonce=""></style>
    <style data-jss="" data-meta="makeStyles" nonce="">[...]</style>
    </head>
    <body>
    <div id="root"></div>
    <script nonce="">[...]</script>
    <script src="/static/js/2.389a3736.chunk.js" nonce=""></script>
    <script src="/static/js/main.f39b6155.chunk.js" nonce=""></script>
    </body></html>
    
    opened by miquelvir 5
  • Add Permissions-Policy and Document-Policy support

    Add Permissions-Policy and Document-Policy support

    Feature-Policy has been split into Permissions-Policy and Document-Policy. Although these are not supported in browsers yet, it is likely that they will be at some point in the not too distant future.

    In addition the popular SecurityHeaders.com tool has started flagging when Permissions-Policy header is not being sent which is likely to increase interest in publishing a Permissions-Policy alongside the original Feature-Policy header.

    This PR adds support for both headers, though does not set them by default, nor does it retire Feature-Policy.

    opened by tunetheweb 5
  • Should not send x-content-security-policy by default

    Should not send x-content-security-policy by default

    x-content-security-policy was previously supported by some browsers before content-security-policy was fully supported. It is poorly documented and does not support the full feature-set of the standardised content-security-policy.

    IE11 is the only commonly in use browser now supporting this, however it only support the sandbox attribute.

    We don't support X-Webkit-CSP which was the other older name used by Safari.

    I think it's wrong to have this turned on by default and to use the same CSP as the standardised one. Website owners may not notice it's on by default, may assume it has same support as CSP, and will be less likely to test older browsers to see if it breaks.

    I'd suggest removing it from the code completely as the standard CSP header is now well supported and standardised. We could also leave it there but in but with a default off status, but I'd really question the value of this. The alternative would be to be able to specify its setting separately to CSP but again I think it's of little value so I say get rid.

    This would technically be a breaking change, in that anyone depending on this header will need to change their config to enable it. However, given its poor support, its complete lack of documentation and, the fact that CSP is used in preference to it anyway on any browser that supports that, I think the risk is low and it's preferable to leaving it in place.

    Happy to submit a PR for this but wanted to open an issue for discussion first in case anyone disagreed.

    opened by tunetheweb 5
  • Talisman causing Flask test_client post(), put(), or delete() requests to fail

    Talisman causing Flask test_client post(), put(), or delete() requests to fail

    I hope there is a parameter that I'm missing to fix this or I may be doing something wrong, but I don't believe that Flask Talisman works when making post(), put(), or delete() requests with the Flask test_client(). If that is the case, please consider this as a feature request if you deem it appropriate behavior for Flask Talisman.

    I have observed that after adding Taliasman(app) to my Flask app I had to change all of my test cases to follow_redirects=True because apparently Talisman redirects every request. The problem is that it breaks all POST, PUT, and DELETE requests which get redirect and become GET requests.

    Sample that shows problem

    Given this simple Flask app: (app.py)

    from flask import Flask, jsonify
    
    app = Flask(__name__)
    
    @app.route('/test1', methods=['GET'])
    def get_test():
        return jsonify(message='200 OK'), 200
    
    @app.route('/test2', methods=['POST'])
    def create_test():
        return jsonify(message='201 Created'), 201
    

    and these test cases: (test_case.py

    from unittest import TestCase
    from app import app
    
    class TalismanTestCase(TestCase):
        def setUp(self):
            self.client = app.test_client()
    
        def test_get(self):
            resp = self.client.get('/test1')
            self.assertEqual(resp.status_code, 200)
    
        def test_post(self):
            resp = self.client.post('/test2')
            self.assertEqual(resp.status_code, 201)
    

    When I run the tests, they execute correctly as expected:

    $ python -m unittest -v test_case.py 
    test_get (test_case.TalismanTestCase) ... ok
    test_post (test_case.TalismanTestCase) ... ok
    
    ----------------------------------------------------------------------
    Ran 2 tests in 0.004s
    
    OK
    

    However when I add Talisman(app) to my code:

    from flask import Flask, jsonify
    from flask_talisman import Talisman
    
    app = Flask(__name__)
    
    Talisman(app)
    
    ... same code here ...
    

    I get these test results:

    python -m unittest -v test_case.py 
    test_get (test_case.TalismanTestCase) ... FAIL
    test_post (test_case.TalismanTestCase) ... FAIL
    
    ======================================================================
    FAIL: test_get (test_case.TalismanTestCase)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/Users/rofrano/tmp/talisman-test/test_case.py", line 13, in test_get
        self.assertEqual(resp.status_code, 200)
    AssertionError: 302 != 200
    
    ======================================================================
    FAIL: test_post (test_case.TalismanTestCase)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/Users/rofrano/tmp/talisman-test/test_case.py", line 18, in test_post
        self.assertEqual(resp.status_code, 201)
    AssertionError: 302 != 201
    
    ----------------------------------------------------------------------
    Ran 2 tests in 0.006s
    
    FAILED (failures=2)
    

    So I tell the Flask test_client() to follow redirects by adding the following to my test cases:

        def test_get(self):
            resp = self.client.get('/test1', follow_redirects=True)
            self.assertEqual(resp.status_code, 200)
    
        def test_post(self):
            resp = self.client.post('/test2', follow_redirects=True)
            self.assertEqual(resp.status_code, 201)
    
    

    and now I get the following test results:

    $ python -m unittest -v test_case.py 
    test_get (test_case.TalismanTestCase) ... ok
    test_post (test_case.TalismanTestCase) ... FAIL
    
    ======================================================================
    FAIL: test_post (test_case.TalismanTestCase)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/Users/rofrano/tmp/talisman-test/test_case.py", line 18, in test_post
        self.assertEqual(resp.status_code, 201)
    AssertionError: 405 != 201
    
    ----------------------------------------------------------------------
    Ran 2 tests in 0.009s
    
    FAILED (failures=1)
    

    The first test case passed because the redirect performed a GET on the Location header that was returned but the second test failed because the POST was turned into a GET which returned a 405 Method Not Allowed. I don't know if this is something the Flask test_client() should fix but using curl I observed the same behavior.

    Impact to developers

    This makes it impossible to post form data in a test case when Talisman is being used. Do you consider this a bug or a limitation? If a limitation can I request that this capability be added? Thanks!

    opened by rofrano 5
  • Allow disabling X-Frame-Options headers by passing `None`.

    Allow disabling X-Frame-Options headers by passing `None`.

    opened by jezdez 5
  • add possibility to disable header x-content-security-policy since it is deprecated

    add possibility to disable header x-content-security-policy since it is deprecated

    the header x-content-security-policy is deprecated and it is know to have unexpected behavior when having both content-security-policy and x-content-security-policy

    source : https://content-security-policy.com/

    bug help wanted 
    opened by Heisendev 4
  • Fix handling policy directives with multiple sources.

    Fix handling policy directives with multiple sources.

    This is kind of a big deal as it prevents the extension to correctly generate policy directives when multiple sources are used. (for when the policy is provided as a string, e.g. from an env var)

    opened by jezdez 4
  • FYI: This project has been forked by the contributors

    FYI: This project has been forked by the contributors

    Since the primary maintainer of this repository is no longer at Google and there hasn't been any activity on this repository in over a year, myself and several contributors have forked the project over to wntrblm/flask-talisman. We will continue to maintain it there.

    If you're a Googler with access to this repository, you are welcome to update the README to point to the community fork and archive this repository. Or don't, I'm a random person on the internet, not your manager. 😛

    opened by theacodes 2
  • X-Content-Type-Options cant be dissabled

    X-Content-Type-Options cant be dissabled

    I'm currently using talisman to set CSP, but I need to have X-Content-Type-Options disabled/not set. In the current version it is always set to 'nosniff'.

    opened by ezelbanaan 4
  • [FR] option to remove 'Server' from resp header

    [FR] option to remove 'Server' from resp header

    Just discovered there is a huge information leak in the Response Header:

    Server: Werkzeug/0.0.1 Python/3.1.7

    Please add option to drop this, or maybe to modify it.

    Something like

    @app.after_request def add_header(response): response.headers['Server'] = 'dummy' return response

    opened by mrx23dot 0
  • On using flask-talisman with application factory pattern

    On using flask-talisman with application factory pattern

    I tried the following in my app.py:

    from flask_talisman import Talisman
    from flask_main import create_app
    
    app = create_app()
    Talisman(app)
    
    if __name__ == "main":
        app.run()
    

    It still does not work. Any request coming to https:// returns SSL_ERROR_RX_RECORD_TOO_LONG. I've tried both commands to start the app: flask run and python app.py, nothing changes.

    Per this issue #66, doing this in create_app won't work.

    from flask import Flask
    from flask_talisman import Talisman
    from flask_main.configuration import Configuration
    
    talisman = Talisman()
    
    def create_app():
        app = Flask(__name__)
        app.config.from_object(Configuration)
        talisman.init_app(app)
    

    Is there any way to make flask-talisman work with application factory pattern?

    opened by lahdjirayhan 0
Releases(v0.7.0)
  • v0.7.0(May 28, 2019)

    • Remove pinned versions from example app dependencies (#41)
    • add argument to add/remove x-csp header (#39)
    • Use Nox instead of tox. (#37)
    • Minor CSP specific updates. (#36)
    • Fix typo in README.rst (#35)
    Source code(tar.gz)
    Source code(zip)
  • v0.6.0(Oct 10, 2018)

    • Fix handling policy directives with multiple sources. (#32)
    • Allow disabling X-Frame-Options headers by passing None. (#30)
    • Allow passing strings for FP and CSP during initialization. (#31)
    • Improve performance of nonce value creation (#28)
    • Add support for the Feature-Policy Header (#26)
    Source code(tar.gz)
    Source code(zip)
  • v0.5.0(Mar 8, 2018)

  • v0.4.1(Jan 25, 2018)

  • v0.4.0(Sep 13, 2017)

    • Updated image-src to img-src and added example of passing css options. Fixes #12 (#13)
    • Add referrer policy security header (#10)
    • fix preload always disabled (#11)
    • Adding space between
       blocks in README. (#9)
    Source code(tar.gz)
    Source code(zip)
  • 0.2.0(Nov 4, 2016)

Owner
Google Cloud Platform
Google Cloud Platform
CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE

CVE-2022-1388 CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE. POST /mgmt/tm/util/bash HTTP/1.1 Host: Accept-Encoding: gzip, deflate Accept: */

M4rtin Hsu 81 Dec 12, 2022
The Decompressoin tool for Vxworks MINIFS

MINIFS-Decompression The Decompression tool for Vxworks MINIFS filesystem. USAGE python minifs_decompression.py [target_firmware] The example of Mercu

8 Jan 03, 2023
自动化爆破子域名,并遍历所有端口寻找http服务,并使用crawlergo、dirsearch、xray等工具扫描并集成报告;支持动态添加扫描到的域名至任务;

AutoScanner AutoScanner是什么 AutoScanner是一款自动化扫描器,其功能主要是遍历所有子域名、及遍历主机所有端口寻找出所有http服务,并使用集成的工具进行扫描,最后集成扫描报告; 工具目前有:oneforall、masscan、nmap、crawlergo、dirse

633 Dec 30, 2022
This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit relays only.

This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit re

22 Nov 09, 2022
A Python r2pipe script to automatically create a Frida hook to intercept TLS traffic for Flutter based apps

boring-flutter A Python r2pipe script to automatically create a Frida hook to intercept TLS traffic for Flutter based apps. Currently only supporting

Hamza 64 Oct 18, 2022
Cve-2021-22005-exp

cve-2021-22005-exp 0x01 漏洞简介 2021年9月21日,VMware发布安全公告,公开披露了vCenter Server中的19个安全漏洞,这些漏洞的CVSSv3评分范围为4.3-9.8。 其中,最为严重的漏洞为vCenter Server 中的任意文件上传漏洞(CVE-20

Jing Ling 146 Dec 31, 2022
This is a simple PoC for the newly found Polkit error names PwnKit

A Python3 and a BASH PoC for CVE-2021-4034 by Kim Schulz

Kim Schulz 16 Sep 06, 2022
PortSwigger Burp Plugin for the Log4j (CVE-2021-44228)

yLog4j This is Y-Sec's @PortSwigger Burp Plugin for the Log4j CVE-2021-44228 vulnerability. The focus of yLog4j is to support mass-scanning of the Log

Y-Security 1 Jan 31, 2022
JumpServer远程代码执行漏洞检测利用脚本

Jumpserver-EXP JumpServer远程代码执行漏洞检测利用脚本

Veraxy 181 Dec 20, 2022
This python script will automate the testing for the Log4J vulnerability for HTTP and HTTPS connections.

Log4J-Huntress-Automate-Script This python script will automate the testing for the Log4J vulnerability for HTTP and HTTPS connections. Pre-Requisits

1 Dec 16, 2021
Python Library For Ethical Hacker

Python Library For Ethical Hacker

11 Nov 03, 2022
Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3

Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3, It Fuzzes All URLs of target website & then scan them for EAR

Pushpender Singh 9 Dec 12, 2022
CVE-log4j CheckMK plugin

CVE-2021-44228-log4j discovery (Download the MKP package) This plugin discovers vulnerable files for the CVE-2021-44228-log4j issue. To discover this

4 Jan 08, 2022
Springboot directory scanning

Springboot directory scanning

WINEZERO 87 Dec 28, 2022
Shell hunter for AF

AF-ShellHunter AF-ShellHunter: Auto shell lookup AF-ShellHunter its a script designed to automate the search of WebShell's in AF Team How to pip3 ins

Eduardo 34 May 13, 2022
Using python 3 and Flask an MVC system where the AES 128 CBC and Trivium algorithms

This project was developed using python 3 and Flask, it is an MVC system where the AES 128 CBC and Trivium algorithms can be tested through a communication between the computer and a device such as a

Brandon Israel Camacho Reyes 1 Dec 26, 2021
Brute smb share - Brute force a SMB share

brute_smb_share I wrote this small PoC after bumping into SMB servers where Hydr

devloop 3 Feb 21, 2022
Python exploit for vsftpd 2.3.4 - Backdoor Command Execution

CVE-2011-2523 - vsftpd 2.3.4 Exploit Discription vsftpd, which stands for Very Secure FTP Daemon,is an FTP server for Unix-like systems, including Lin

Padsala Tushal 5 Nov 08, 2022
orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner

Introduction orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner. Other popular ORF searching tools

Urminder Singh 34 Nov 21, 2022
Python APK Reverser & Patcher Tool

DTL-X An Advanced Python APK Reverser and Patcher Tool. --rmads1: target=AndroidManifest.xml,replace=com.google.android.gms.ad --rmads2: No Internet (

DedSecTL 10 Oct 31, 2022