Add option to skip certificate validation
gl4nce opened this issue · 6 comments
I couldn't find any switch to disable certificate validation. Would be nice to have. I.e. if used with proxy tools like burp or proxychains.
Hi,
SSL Cert Verification is disabled by default; I defined it this way to avoid errors with self-signed certificates or when testing the tool against development environment URLs:
Line 766 in 9ae4f33
Thanks for your reply. :)
I see. It's related to ipapi.co which you are already stating in https://github.com/rfc-st/humble#caveats. Always better to read the manual first hehe.
A switch for disabling that behaviour would be nice. Of course it's no problem to edit the source code for such seldom cases. But especially for humble installed as OS package, a switch would be the preferred solution I think.
Feel free to close this issue, if you think there is no switch needed. :)
I will take a look at it this week to see what might be the best solution, without relying on more parameters. At first sight, maybe also add 'verify=False' in the call to ipapi.co, to avoid errors in certificate validation.
Thanks for your suggestion!
Hello!
Have a look at this recent commit: 1c99b73
- In case of any error associated with the request to ipapi.co (e.g. the URL is not accessible) the analysis will now continue as normal, without the need for the end user to modify the code beforehand.
- Additionally, I have added 'verify=False' in that request to disable certificate validation.
- Finally, I have removed the 'Caveats' part in the README; it is no longer needed.
I've done a couple of tests and everything seems fine. If you agree, confirm it with me and I'll close this issue.
Thanks!
Hi rfc-st,
thanks a lot. Just tested latest master and works fine for me. :)
proxychains python3 humble.py -u https://web.site -o html -r
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:8080 ... ipapi.co:443 ... OK
Analyzing URL and saving the report, please wait ...
Report saved to /home/vagrant/Downloads/humble-master/web.site_headers_20230915.html
By the way: I noticed the tool does not recognize empty/failed responses by the webserver. Instead the tool lists all headers as missing, which does not really make sense in such cases. It would be better to display an error like "no response" or something else. But this is another issue and shouldn't be stated here. I just wanted to let you know. :)
So again. Thanks for fixing and improving this piece of software. Issue can be closed. :)
Thanks for your confirmation! On the other point, I will take a look at it later.
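The behaviour discussed in this thread (an auxiliary lookup that must not abort the analysis, plus a choice about certificate validation), sketched as an added example that is not humble's own code. It uses the standard library instead of the `requests` call the project makes; `build_tls_context`, `optional_lookup`, the `ca_bundle` option and the `lookup.invalid` URL are hypothetical names introduced here.

```python
import http.client
import io
import json
import ssl
import urllib.request


def build_tls_context(verify=True, ca_bundle=None):
    """TLS settings for the cases in the thread: strict, proxy CA trusted, or off."""
    if not verify:
        # Same effect as requests' verify=False: no chain and no hostname check.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # must be cleared before setting CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # ca_bundle (assumption): PEM file holding the intercepting proxy's CA, so
    # traffic can pass through the proxy with validation still enforced.
    return ssl.create_default_context(cafile=ca_bundle)


def optional_lookup(url, ctx, timeout=5, opener=urllib.request.urlopen):
    """Query an auxiliary service; return None on any failure so the main
    analysis carries on instead of aborting."""
    try:
        with opener(url, timeout=timeout, context=ctx) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except (OSError, ValueError, http.client.HTTPException):
        # OSError covers URLError, timeouts and ssl.SSLError (certificate
        # failures); ValueError covers a body that is not valid JSON.
        return None


if __name__ == "__main__":
    # Constructed stand-ins for the network so the demo runs offline.
    def cert_failure(url, timeout, context):
        raise ssl.SSLCertVerificationError("constructed: self-signed certificate")

    def fake_reply(url, timeout, context):
        return io.BytesIO(b'{"country_name": "Example"}')

    strict = build_tls_context()
    print(optional_lookup("https://lookup.invalid/json", strict, opener=cert_failure))
    print(optional_lookup("https://lookup.invalid/json", strict, opener=fake_reply))
```

When `ca_bundle` is given, only the CAs in that file are trusted, which suits a session routed entirely through an intercepting proxy.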