truestack 0.2.0

Security-aware technology fingerprinting — detects what is really running, not what the version string claims
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91

use truestack::{fingerprints, security_headers, Severity};
use wiremock::matchers::{method, path};
use wiremock::{Mock, MockServer, ResponseTemplate};

#[tokio::test]
async fn test_full_fingerprint_pipeline() {
    let server = MockServer::start().await;

    // Mock a WordPress site with some security issues
    Mock::given(method("GET"))
        .and(path("/"))
        .respond_with(
            ResponseTemplate::new(200)
                .insert_header("server", "nginx/1.18.0")
                .insert_header("x-powered-by", "PHP/7.4.3")
                .insert_header("set-cookie", "wordpress_test_cookie=wp_cookie")
                // Missing HSTS, CSP, etc.
                .set_body_string("<html><head><title>My Blog</title></head><body>Welcome to WordPress</body></html>")
        )
        .mount(&server)
        .await;

    let client = reqwest::Client::new();
    let resp = client.get(&server.uri()).send().await.unwrap();

    let headers: Vec<(String, String)> = resp
        .headers()
        .iter()
        .map(|(k, v)| (k.as_str().to_string(), v.to_str().unwrap_or("").to_string()))
        .collect();
    let body = resp.text().await.unwrap();

    // 1. Detect technologies
    let techs = fingerprints::detect(&headers, &body);

    let names: Vec<&str> = techs.iter().map(|t| t.name.as_str()).collect();
    assert!(names.contains(&"nginx"));
    assert!(names.contains(&"PHP"));
    assert!(names.contains(&"WordPress"));

    let nginx = techs.iter().find(|t| t.name == "nginx").unwrap();
    assert_eq!(nginx.version.as_deref(), Some("1.18.0"));

    // 2. Audit security headers
    let findings = security_headers::audit(&headers);

    let titles: Vec<&str> = findings.iter().map(|f| f.title()).collect();
    assert!(titles.contains(&"Missing HSTS header"));
    assert!(titles.contains(&"Missing Content-Security-Policy"));

    // Check severity
    let hsts = findings.iter().find(|f| f.title().contains("HSTS")).unwrap();
    assert_eq!(hsts.severity(), Severity::Medium);
}

#[tokio::test]
async fn test_csp_bypass_detection_integration() {
    let server = MockServer::start().await;

    // Mock a site with a vulnerable CSP (allowing jsdelivr)
    Mock::given(method("GET"))
        .and(path("/"))
        .respond_with(
            ResponseTemplate::new(200)
                .insert_header(
                    "content-security-policy",
                    "script-src 'self' cdn.jsdelivr.net; object-src 'none';",
                )
                .set_body_string("<html><body>Vulnerable CSP</body></html>"),
        )
        .mount(&server)
        .await;

    let client = reqwest::Client::new();
    let resp = client.get(&server.uri()).send().await.unwrap();

    let headers: Vec<(String, String)> = resp
        .headers()
        .iter()
        .map(|(k, v)| (k.as_str().to_string(), v.to_str().unwrap_or("").to_string()))
        .collect();

    let findings = security_headers::audit(&headers);

    let bypass = findings
        .iter()
        .find(|f| f.title().contains("CSP bypass"))
        .unwrap();
    assert_eq!(bypass.severity(), Severity::Medium);
    assert!(bypass.detail().contains("cdn.jsdelivr.net"));
}