def api_get_scan_results(): scan_id = request.args.get('scan') if not scan_id: return {'error': 'scan-not-found'} # Check for invalid scan_id numbers try: scan_id = int(scan_id) # <3 :atoll if scan_id < 1 or scan_id > 2147483646: # the first rule of autoincrement club raise ValueError except ValueError: return {'error': 'invalid-scan-id'} # Get all the test results for the given scan id tests = dict(database.select_test_results(scan_id)) # For each test, get the test score description and add that in for test in tests: tests[test]['score_description'] = get_score_description( tests[test]['result']) return tests
def api_get_scan_results(): scan_id = request.args.get('scan') if not scan_id: return {'error': 'scan-not-found'} # Get all the test results for the given scan id tests = dict(database.select_test_results(scan_id)) # For each test, get the test score description and add that in for test in tests: tests[test]['score_description'] = get_score_description(tests[test]['result']) return tests
def api_get_scan_results(): scan_id = request.args.get('scan') if not scan_id: return {'error': 'scan-not-found'} # Get all the test results for the given scan id tests = dict(database.select_test_results(scan_id)) # For each test, get the test score description and add that in for test in tests: tests[test]['score_description'] = get_score_description( tests[test]['result']) return tests
def api_get_scan_results(): scan_id = request.args.get('scan') if not scan_id: return {'error': 'scan-not-found'} # Check for invalid scan_id numbers try: scan_id = int(scan_id) # <3 :atoll if scan_id < 1 or scan_id > 2147483646: # the first rule of autoincrement club raise ValueError except ValueError: return {'error': 'invalid-scan-id'} # Get all the test results for the given scan id tests = dict(database.select_test_results(scan_id)) # For each test, get the test score description and add that in for test in tests: tests[test]['score_description'] = get_score_description(tests[test]['result']) return tests
def scan(hostname, **kwargs): """Performs an Observatory scan, but doesn't require any database/redis backing. Given the lowered security concerns due to not being a public API, you can use this to scan arbitrary ports and paths. Args: hostname (str): domain name for host to be scanned Kwargs: http_port (int): port to scan for HTTP, instead of 80 https_port (int): port to be scanned for HTTPS, instead of 443 path (str): path to scan, instead of "/" verify (bool): whether to enable or disable certificate verification, enabled by default. This can allow tested sites to pass the HSTS and HPKP tests, even with self-signed certificates. cookies (dict): Cookies sent to the system being scanned. Matches the requests cookie dict. headers (dict): HTTP headers sent to the system being scanned. Format matches the requests headers dict. Returns: A dict representing the analyze (scan) and getScanResults (test) API call. Example: { 'scan': { 'grade': 'A' ... }, 'test': { 'content-security-policy': { 'pass': True ... } } } """ # Always allow localhost scans when run in this way httpobs.conf.SCANNER_ALLOW_LOCALHOST = True # Attempt to retrieve all the resources, not capturing exceptions reqs = retrieve_all(hostname, **kwargs) # If we can't connect at all, let's abort the test if reqs['responses']['auto'] is None: return {'error': 'site down'} # Get all the results results = [test(reqs) for test in tests] for result in results: result['score_description'] = get_score_description(result['result']) # Get the score, grade, etc. grades = get_grade_and_likelihood_for_score(100 + sum([result.get('score_modifier', 0) for result in results])) tests_passed = sum([1 if result.get('pass') else 0 for result in results]) # Return the results return({ 'scan': { 'grade': grades[1], 'likelihood_indicator': grades[2], 'response_headers': dict(reqs['responses']['auto'].headers), 'score': grades[0], 'tests_failed': NUM_TESTS - tests_passed, 'tests_passed': tests_passed, 'tests_quantity': NUM_TESTS, }, 'tests': {result.pop('name'): result for result in results} })
def scan(hostname, **kwargs): """Performs an Observatory scan, but doesn't require any database/redis backing. Given the lowered security concerns due to not being a public API, you can use this to scan arbitrary ports and paths. Args: hostname (str): domain name for host to be scanned. Must not include protocol (http://, https://) or port number (:80). Kwargs: http_port (int): port to scan for HTTP, instead of 80 https_port (int): port to be scanned for HTTPS, instead of 443 path (str): path to scan, instead of "/" verify (bool): whether to enable or disable certificate verification, enabled by default. This can allow tested sites to pass the HSTS and HPKP tests, even with self-signed certificates. cookies (dict): Cookies sent to the system being scanned. Matches the requests cookie dict. headers (dict): HTTP headers sent to the system being scanned. Format matches the requests headers dict. Returns: A dict representing the analyze (scan) and getScanResults (test) API call. Example: { 'scan': { 'grade': 'A' ... }, 'test': { 'content-security-policy': { 'pass': True ... } } } """ # Always allow localhost scans when run in this way httpobs.conf.SCANNER_ALLOW_LOCALHOST = True # Attempt to retrieve all the resources, not capturing exceptions reqs = retrieve_all(hostname, **kwargs) # If we can't connect at all, let's abort the test if reqs['responses']['auto'] is None: return {'error': 'site down'} # Get all the results results = [test(reqs) for test in tests] for result in results: result['score_description'] = get_score_description(result['result']) # Get the score, grade, etc. grades = get_grade_and_likelihood_for_score( 100 + sum([result.get('score_modifier', 0) for result in results])) tests_passed = sum([1 if result.get('pass') else 0 for result in results]) # Return the results return ({ 'scan': { 'grade': grades[1], 'likelihood_indicator': grades[2], 'response_headers': dict(reqs['responses']['auto'].headers), 'score': grades[0], 'tests_failed': NUM_TESTS - tests_passed, 'tests_passed': tests_passed, 'tests_quantity': NUM_TESTS, }, 'tests': {result.pop('name'): result for result in results} })
def scan(hostname, **kwargs): """Performs an Observatory scan, but doesn't require any database/redis backing. Given the lowered security concerns due to not being a public API, you can use this to scan arbitrary ports and paths. Args: hostname (str): domain name for host to be scanned. Must not include protocol (http://, https://) or port number (:80). Kwargs: http_port (int): port to scan for HTTP, instead of 80 https_port (int): port to be scanned for HTTPS, instead of 443 path (str): path to scan, instead of "/" verify (bool): whether to enable or disable certificate verification, enabled by default. This can allow tested sites to pass the HSTS and HPKP tests, even with self-signed certificates. cookies (dict): Cookies sent to the system being scanned. Matches the requests cookie dict. headers (dict): HTTP headers sent to the system being scanned. Format matches the requests headers dict. Returns: A dict representing the analyze (scan) and getScanResults (test) API call. Example: { 'scan': { 'grade': 'A' ... }, 'test': { 'content-security-policy': { 'pass': True ... } } } """ # Always allow localhost scans when run in this way httpobs.conf.SCANNER_ALLOW_LOCALHOST = True # Attempt to retrieve all the resources, not capturing exceptions reqs = retrieve_all(hostname, **kwargs) # If we can't connect at all, let's abort the test if reqs['responses']['auto'] is None: return {'error': 'site down'} # Code based on httpobs.database.insert_test_results tests_failed = tests_passed = 0 score_with_extra_credit = uncurved_score = 100 results = {} for test in tests: # Get result for this test result = test(reqs) # Add the result with a score_description result['score_description'] = get_score_description(result['result']) results[result.pop('name')] = result # Keep track of how many tests passed or failed if result.get('pass'): tests_passed += 1 else: tests_failed += 1 # And keep track of the score score_modifier = result.get('score_modifier') score_with_extra_credit += score_modifier if score_modifier < 0: uncurved_score += score_modifier # Only record the full score if the uncurved score already receives an A score = score_with_extra_credit if uncurved_score >= MINIMUM_SCORE_FOR_EXTRA_CREDIT else uncurved_score # Get the score, grade, etc. score, grade, likelihood_indicator = get_grade_and_likelihood_for_score( score) # Return the results return ({ 'scan': { 'grade': grade, 'likelihood_indicator': likelihood_indicator, 'response_headers': dict(reqs['responses']['auto'].headers), 'score': score, 'tests_failed': tests_failed, 'tests_passed': tests_passed, 'tests_quantity': NUM_TESTS, }, 'tests': results })
def test_get_score_description(self): self.assertEquals('Preloaded via the HTTP Public Key Pinning (HPKP) preloading process', get_score_description('hpkp-preloaded'))