Download the PHP package bramus/mixed-content-scan without Composer

Mixed Content Scan

Scan your HTTPS-enabled website for Mixed Content

Built by Bramus! (https://www.bram.us/) and Contributors

About

Mixed Content Scan is a CLI Script which crawls+scans HTTPS-enabled websites for Mixed Content.

The script starts at a given URL, and then starts processing it:

• All contained img[src|srcset|data-src], iframe[src], script[src], link[href][rel="stylesheet"], object[data], form[action], embed[src], video[src], audio[src], source[src|srcset], and params[name="movie"][value] elements are checked for being Mixed Content or not
• All contained a[href] elements linking to the same or a deeper level are successively processed for Mixed Content.

Installation

Installation is possible using Composer

New to Composer? It's a command line tool for dependency management in PHP. On Linux/Unix/OSX you will need to download and run the install script and (recommended) successively move composer.phar to a global location. On Windows you will need to run the installer

Usage

Run this script from the CLI, a such:

The script itself will start scanning and give feedback whilst running. When Mixed Content is found, the URLs causing Mixed Content warnings will be shown on screen:

Mixed Content Scan uses ANSI coloring, provided by bramus/ansi-php, so one can easily spot errors based on the color.

Advanced usage / CLI Options

Mixed Content Scan support several CLI options which can manipulate its behavior:

• --output=path/to/file: File to output results to. Defaults to php://stdout (= show on screen).
• --format=ansi|no-ansi|json: Define which formatter to use for outputting the results
  • ansi (Default): ANSI Colored Line Formatter
  • no-ansi: Monolog Line Formatter
  • json: Monolog JSON Formatter
• --no-crawl: Don't crawl scanned pages for new pages
• --no-check-certificate: Don\'t check the certificate for validity (e.g. allow self-signed or missing certificates)
• --timeout=value-in-milliseconds: How long to wait for each request to complete. Defaults to 10000ms.
• --delay=value-in-seconds: How long to wait between each request. Defaults to 0s.
• --input=path/to/file: Specify a file containing a list of links as the source, instead of parsing the passed in URL. Automatically enables --no-crawl
• --ignore=path/to/file: File containing URL patterns to ignore. See Ignoring links further down on how to build this file.
• --loglevel=level: The Monolog loglevel to log at. Defaults to 200 (= info). Both numeric values, as string (lowercase) values are supported as input. See Monolog Log Levels for more info.
• --user-agent='user-agent': Set the user agent to be used when crawling.

Example: mixed-content-scan https://www.bram.us/ --ignore=./wordpress.txt --output=./results.txt --format=no-ansi

Handling errors

Internally Mixed Content Scan uses Curl to perform requests. If an error should be encountered (in case of a connection loss for example), the error will be shown on screen:

Ignoring links

It's possible to define a list of patterns to ignore. To do so, create a text file with on each line a PCRE pattern to ignore. Pass in the path to that file using the --ignore option. Lines starting with # are considered being comments and therefore are ignored.

For a WordPress installation, the ignore pattern file – which is distributed with Mixed Content Scan in ignorepattens/wordpress.txt – would be this:

The {$rootUrl} token in each pattern will be replaced with the (root) URL passed into the script.

Note: The PHP PCRE Cheat Sheet might come in handy.

Known issues

Mixed Content Scan:

• Doesn't take <base href="..."> into account (but who uses that, anyways?)
• Doesn't scan linked .css or .js files themselves for Mixed Content
• Doesn't scan inline <script> or <style> for mixed content

Please open an issue (or fix it and perform a pull request ;)) when you've encountered a problem.