This tool detects the two classes of vulnerability defined at https://insecure.design
The tool can be ran to detect either Man In The Middle, or Denial of Service
To run the tool in DoS mode, make sure you supply ALL the domains you own in the config file, otherwise the tool won't work. It is designed to report certs containing domains you don't own.
To run the tool in MITM mode, make sure you accurately list the date you FIRST registered the domain, otherwise you will recieve inaccurate results.
Install with either
pip install bygonessl
Or install the Dockerfile
docker build -t "bygonessl" .
Set two environment variables for your facebook developer account:
export facebook_app_id=<id>
export facebook_app_token=<token>
Make sure you escape the pipe in the app token.
Create a config file with the following:
{
"domains": [
{
"domain": "insecure.design",
"domainCreated": "2018-04-10T23:59:59+0000"
}
],
"bygoneDOS": true,
"bygoneMITM": true
}
Run the tool with the following:
bygonessl --config <pathToJsonFile>
Or with docker:
docker run --env-file sourceme --rm -v $(pwd):/work -ti bygonessl bygonessl --config /work/exampleConfig.json