insecres

insecRes - Insecure Resource Finder

A console tool that finds insecure resources on HTTPS sites. It is written in Go language and uses the power of "multi-threading" (goroutines) to crawl and parse site pages.

The motivation

Some time ago, I switched my site to HTTPS. And you should too! All went well except the fact that my pages contained images, embedded videos and other resources, which pointed to HTTP content and made browsers display warnings about the insecure content on the pages. After some research of existing tools, which did not fit my needs, I decided to create my own one.

Features

• Crawls all site pages in parallel
• Finds the following resources with absolute HTTP (insecure) urls:
  • IMG
  • IFRAME
  • OBJECT
  • AUDIO, VIDEO, SOURCE, TRACK
• Uses a random delay between requests to prevent blacklisting
• Prints results to a CSV file

Installation

First of all, install Go.

After that, run the following command:

go get github.com/kkomelin/insecres

Usage

• Find insecure resources on a site and print results to the console:

$GOPATH/bin/insecres https://example.com

• Find insecure resources on a site and print results to a CSV file:

$GOPATH/bin/insecres -f="/home/user/report.csv" https://example.com

• Display usage guide:

$GOPATH/bin/insecres -h

Roadmap

• Display result counters
• Compare performance of simple regex parsing and Tokenized parsing, which is currently used
• Implement an option for printing results to a CSV file
• Add random delay between requests to prevent blacklisting
• Ignore trailing slashes (https://example.com and https://example.com/ are considered equivalent)
• Handle domains w/ and w/o WWW
• Support IFRAME tags
• Support OBJECT tags
• Support AUDIO, VIDEO, SOURCE and TRACK tags