The HTTP vs HTTPS Analyzer is a specialized tool designed to systematically evaluate HTTP and HTTPS implementation differences across web domains. It helps security professionals identify potential security vulnerabilities related to insecure protocol usage, improper redirects, and certificate issues. The tool provides comprehensive insights into how websites handle both HTTP and HTTPS protocols.
- Protocol Accessibility Analysis: Determines if domains are accessible via HTTP, HTTPS, or both
- Redirect Validation: Identifies and validates HTTP to HTTPS redirects
- Certificate Verification: Checks SSL/TLS certificate validity and configuration
- DNS Resolution Verification: Confirms proper DNS resolution for target domains
- Endpoint Response Characteristics: Analyzes response codes, headers, and content
- Comprehensive Reporting: Generates detailed CSV reports and console summaries
- Batch Processing: Efficiently processes multiple domains from input files
The HTTP vs HTTPS Analyzer is included in the SecRecon framework. The tool requires Python 3.6+ and the following dependencies:
    pip install requests urllib3

To analyze multiple domains from a file:

    python httpvshttps.py -f domains.txt

Where domains.txt contains a list of domains to analyze (one per line).

To analyze a single domain:

    python httpvshttps.py -d example.com

Command-line options:

    usage: httpvshttps.py [-h] (-f FILE | -d DOMAIN) [-o OUTPUT] [-t TIMEOUT] [-s]

    HTTP Protocol Accessibility Analyzer: Systematically evaluate HTTP vs HTTPS availability

    optional arguments:
      -h, --help            show this help message and exit
      -f FILE, --file FILE  Input file containing domains (one per line)
      -d DOMAIN, --domain DOMAIN
                            Single domain to analyze
      -o OUTPUT, --output OUTPUT
                            Output CSV file for results
      -t TIMEOUT, --timeout TIMEOUT
                            Request timeout in seconds (default: 5)
      -s, --ssl             Verify SSL certificates
The tool provides a detailed summary in the console, including:
- Total domains analyzed
- DNS resolution statistics
- HTTP protocol status breakdown
- HTTPS protocol status breakdown
- List of domains with direct HTTP access (potential security concern)
When using the -o option, the tool generates a CSV file with the following fields:
- domain: The analyzed domain name
- dns_resolution_status: Whether DNS resolution succeeded
- ip_address: Resolved IP address
- http_direct_access: Whether HTTP content is directly accessible
- http_response_code: HTTP response status code
- http_redirect_to_https: Whether HTTP redirects to HTTPS
- https_accessible: Whether HTTPS is accessible
- https_response_code: HTTPS response status code
The tool performs a comprehensive analysis of HTTP protocol implementation by:
- Checking DNS resolution for the target domain
- Testing HTTP accessibility with redirect behavior analysis
- Identifying if HTTP content is directly accessible (potential security issue)
- Detecting if proper HTTP to HTTPS redirects are implemented
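The HTTP-side decisions in the list above can be made from the redirect chain alone. The following is an added example, not the tool's own code: `classify_http`, the `notes` field and the sample chains are assumptions made for illustration, the other keys reuse the CSV field names listed earlier, and `http_response_code` is assumed to be the status of the first response.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def classify_http(domain, hops):
    """Classify plain-HTTP behaviour from an observed redirect chain.

    hops: list of (status_code, Location header or None), one per response,
    starting with the response to http://<domain>/.
    """
    url = f"http://{domain}/"
    row = {"domain": domain, "http_direct_access": False,
           "http_response_code": hops[0][0] if hops else None,
           "http_redirect_to_https": False, "notes": []}
    for status, location in hops:
        current = urlsplit(url)
        if status in REDIRECT_CODES and location:
            target = urlsplit(urljoin(url, location))  # Location may be relative
            if current.scheme == "http" and target.scheme == "https":
                row["http_redirect_to_https"] = True
                if target.hostname != current.hostname:
                    row["notes"].append("upgrade changes host")
            elif current.scheme == "http":
                row["notes"].append("extra plaintext hop")
            elif target.scheme == "http":
                row["notes"].append("downgrade from https")
            url = target.geturl()
            continue
        # Terminal response: content is served on the scheme we ended on.
        if current.scheme == "http" and 200 <= status < 300:
            row["http_direct_access"] = True
        break
    return row

# Constructed sample chains (not real measurements).
SAMPLES = {
    "clean.example": [(301, "https://clean.example/"), (200, None)],
    "plain.example": [(200, None)],
    "hop.example": [(302, "http://www.hop.example/"),
                    (301, "https://www.hop.example/"), (200, None)],
    "loop.example": [(301, "/home"), (200, None)],
}

if __name__ == "__main__":
    for name, chain in SAMPLES.items():
        print(classify_http(name, chain))
```

A chain such as `loop.example` shows why a 3xx on the first response is not enough: the redirect stays on HTTP and the content is still served unencrypted.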
The HTTPS analysis includes:
- Testing HTTPS accessibility
- Validating SSL/TLS certificate configuration
- Analyzing HTTPS response characteristics
The tool helps identify several security concerns:
- Domains serving content directly over HTTP (unencrypted)
- Missing or improper HTTP to HTTPS redirects
- SSL/TLS certificate issues
- Inconsistent protocol implementation
Based on the analysis results, security professionals should recommend:
- Implementing proper HTTP to HTTPS redirects
- Ensuring valid SSL/TLS certificates
- Configuring HSTS (HTTP Strict Transport Security)
- Disabling direct HTTP content access