From bb35837ea1529bf13225a0bb94d4203661ba92c3 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer
Date: Fri, 19 Jul 2013 14:14:13 +0200
Subject: [PATCH] output interesting http-headers

---
lib/common/browser/actions.rb | 8 +++++
lib/wpscan/wp_target.rb | 2 ++
lib/wpscan/wp_target/interesting_headers.rb | 36 +++++++++++++++++++
spec/lib/wpscan/wp_target_spec.rb | 1 +
.../wp_target/interesting_headers.rb | 36 +++++++++++++++++++
wpscan.rb | 4 +++
6 files changed, 87 insertions(+)
create mode 100644 lib/wpscan/wp_target/interesting_headers.rb
create mode 100644 spec/shared_examples/wp_target/interesting_headers.rb

diff --git a/lib/common/browser/actions.rb b/lib/common/browser/actions.rb
index 230fb428..13d4f158 100644
--- a/lib/common/browser/actions.rb
+++ b/lib/common/browser/actions.rb
@@ -19,6 +19,14 @@ class Browser
 process(url, params.merge(method: :post))
 end
+ # @param [ String ] url
+ # @param [ Hash ] params
+ #
+ # @return [ Typhoeus::Response ]
+ def head(url, params = {})
+ process(url, params.merge(method: :head))
+ end
+
 # @param [ String ] url
 # @param [ Hash ] params
 #
diff --git a/lib/wpscan/wp_target.rb b/lib/wpscan/wp_target.rb
index b187d8f9..750d3927 100644
--- a/lib/wpscan/wp_target.rb
+++ b/lib/wpscan/wp_target.rb
@@ -6,6 +6,7 @@ require 'wp_target/wp_readme'
 require 'wp_target/wp_registrable'
 require 'wp_target/wp_config_backup'
 require 'wp_target/wp_login_protection'
+require 'wp_target/interesting_headers'
 require 'wp_target/wp_custom_directories'
 require 'wp_target/wp_full_path_disclosure'
@@ -15,6 +16,7 @@ class WpTarget < WebSite
 include WpTarget::WpRegistrable
 include WpTarget::WpConfigBackup
 include WpTarget::WpLoginProtection
+ include WpTarget::InterestingHeaders
 include WpTarget::WpCustomDirectories
 include WpTarget::WpFullPathDisclosure
diff --git a/lib/wpscan/wp_target/interesting_headers.rb b/lib/wpscan/wp_target/interesting_headers.rb
new file mode 100644
index 00000000..c783c9ee
--- /dev/null
+++ b/lib/wpscan/wp_target/interesting_headers.rb
@@ -0,0 +1,36 @@
+# encoding: UTF-8
+
+class WpTarget < WebSite
+ module InterestingHeaders
+
+ # Checks for interesting headers
+ def interesting_headers
+ response = Browser.head(@uri.to_s)
+ headers = response.headers
+ InterestingHeaders.known_headers.each do |h|
+ headers.delete(h)
+ end
+ headers.to_a.compact.sort
+ end
+
+ protected
+
+ # @return Array
+ def self.known_headers
+ %w{
+ Location
+ Date
+ Content-Type
+ Content-Length
+ Connection
+ Etag
+ Expires
+ Last-Modified
+ Pragma
+ Vary
+ Cache-Control
+ }
+ end
+
+ end
+end
diff --git a/spec/lib/wpscan/wp_target_spec.rb b/spec/lib/wpscan/wp_target_spec.rb
index b852790f..7ee4e3d2 100644
--- a/spec/lib/wpscan/wp_target_spec.rb
+++ b/spec/lib/wpscan/wp_target_spec.rb
@@ -23,6 +23,7 @@ describe WpTarget do
 it_behaves_like 'WpTarget::WpRegistrable'
 it_behaves_like 'WpTarget::WpConfigBackup'
 it_behaves_like 'WpTarget::WpLoginProtection'
+ it_behaves_like 'WpTarget::InterestingHeaders'
 it_behaves_like 'WpTarget::WpCustomDirectories'
 it_behaves_like 'WpTarget::WpFullPathDisclosure'
diff --git a/spec/shared_examples/wp_target/interesting_headers.rb b/spec/shared_examples/wp_target/interesting_headers.rb
new file mode 100644
index 00000000..ac6c9ace
--- /dev/null
+++ b/spec/shared_examples/wp_target/interesting_headers.rb
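Review bot: `headers.delete(h)` in `interesting_headers` only removes a header whose name matches the `known_headers` spelling exactly, but HTTP header names are case-insensitive and real servers commonly send `ETag` or `content-type`, so those will be reported as "interesting" unless the Typhoeus header object normalises names on delete (not visible here, and `Hash#delete` itself does not). Comparing downcased names fixes this and also stops mutating the response's header hash in place: `known = InterestingHeaders.known_headers.map(&:downcase)` followed by `headers.reject { |name, _| known.include?(name.downcase) }.to_a.sort`. The `compact` in the current chain is a no-op on an array of name/value pairs. Separately, `protected` has no effect on `def self.known_headers` — visibility keywords do not apply to singleton methods, which is why the spec can call `WpTarget::InterestingHeaders.known_headers` directly — so either drop the keyword or document the method as public. Since some servers answer HEAD with a different header set (or a 405) than GET, a comment stating that this is a HEAD-only probe, e.g. `# Headers of a HEAD response; servers that treat HEAD differently may hide GET-only headers`, would help readers of the output.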
@@ -0,0 +1,36 @@
+# encoding: UTF-8
+
+shared_examples 'WpTarget::InterestingHeaders' do
+
+ let(:known_headers) { WpTarget::InterestingHeaders.known_headers }
+ let(:url) { 'http://localhost.com' }
+
+ describe '#interesting_headers' do
+
+ it 'returns MyTestHeader' do
+ stub_request(:head, wp_target.url).
+ to_return(status: 200, headers: { 'Mytestheader' => 'Mytestheadervalue' })
+ wp_target.interesting_headers.should =~ [ [ 'Mytestheader', 'Mytestheadervalue' ] ]
+ end
+
+ it 'removes known headers' do
+ stub_request(:head, wp_target.url).
+ to_return(status: 200, headers: { 'Location' => 'a', 'Connection' => 'Close' })
+ wp_target.interesting_headers.should be_empty
+ end
+
+ it 'returns nothing' do
+ stub_request(:head, wp_target.url).
+ to_return(status: 200, headers: { })
+ wp_target.interesting_headers.should be_empty
+ end
+
+ end
+
+ describe '#known_headers' do
+ it 'does not contain duplicates' do
+ known_headers.flatten.uniq.length.should == known_headers.length
+ end
+ end
+
+end
diff --git a/wpscan.rb b/wpscan.rb
index 9d473f4c..f389bb5b 100755
--- a/wpscan.rb
+++ b/wpscan.rb
@@ -127,6 +127,10 @@ def main
 puts red("[!] searchreplacedb2.php has been found '#{wp_target.search_replace_db_2_url}'")
 end
+ wp_target.interesting_headers.each do |header|
+ puts green('[+]') + " Interesting header: #{header[0]}: #{header[1]}"
+ end
+
 if wp_target.multisite?
 puts green('[+]') + ' This site seems to be a multisite (http://codex.wordpress.org/Glossary#Multisite)'
 end
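Review bot: The examples only stub header names spelt exactly as they appear in `known_headers` (`'Location'`, `'Connection'`), so nothing pins down what `interesting_headers` does when a server sends `ETag` or `content-type`; an example stubbing a differently-cased known header and expecting an empty result would document the intended behaviour, though if WebMock normalises header names the stub may not reproduce what a real server sends. `let(:url)` is defined but never used in this file and can be removed. In the duplicate check, `flatten` does nothing to a flat array of strings; `known_headers.uniq.length.should == known_headers.length` says the same thing.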
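Review bot: On the `puts green('[+]') + " Interesting header: ..."` line the header name and value come straight from the target's HTTP response and are written to the terminal unfiltered, so a hostile or compromised site can embed control characters or ANSI escape sequences in a header value to garble or spoof the scanner's output. Strip control characters before printing, e.g. `wp_target.interesting_headers.each do |name, value|` and `puts green('[+]') + " Interesting header: #{name}: #{value.to_s.gsub(/[[:cntrl:]]/, '')}"`, which also reads better than `header[0]`/`header[1]`. The enclosing `main` starts and ends outside the hunk.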