
Nikto import only shows a single host per vulnerability. #661

Open
lukaspj opened this issue Sep 12, 2018 · 4 comments


lukaspj commented Sep 12, 2018

Running a Nikto scan against multiple ports and servers, I've found a few issues.

  • The UI only shows the results for one server, despite the IVIL containing all the servers. (same vulnerabilities for each server).
  • Similarly for ports, only the vulnerabilities for one port show up.
  • If using hostnames (server1.com), these are inserted into the "IP" column.

IVIL (filtered for just 1 vulnerability)

<?xml version="1.0" standalone='yes'?>
<IVIL version="0.2">
	<addressee>
		<program>Seccubus</program>
		<programSpecificData>
			<workspace>Preprod</workspace>
			<scan>NiktoAll</scan>
		</programSpecificData>
	</addressee>
	<sender>
		<scanner_type>Nikto</scanner_type>
		<version>2.1.6</version>
		<timestamp>20180911163103</timestamp>
	</sender>
	<findings>
		<finding>
			<ip>server1.com</ip>
			<hostname></hostname>
			<port>8080/tcp</port>
			<id>999957</id>
			<severity>2</severity>
			<finding_txt>GET The anti-clickjacking X-Frame-Options header is not present.</finding_txt>
		</finding>
		<finding>
			<ip>server1.com</ip>
			<hostname></hostname>
			<port>8043/tcp</port>
			<id>999957</id>
			<severity>2</severity>
			<finding_txt>GET The anti-clickjacking X-Frame-Options header is not present.</finding_txt>
		</finding>
		<finding>
			<ip>server2.com</ip>
			<hostname></hostname>
			<port>8080/tcp</port>
			<id>999957</id>
			<severity>2</severity>
			<finding_txt>GET The anti-clickjacking X-Frame-Options header is not present.</finding_txt>
		</finding>
		<finding>
			<ip>server2.com</ip>
			<hostname></hostname>
			<port>8043/tcp</port>
			<id>999957</id>
			<severity>2</severity>
			<finding_txt>GET The anti-clickjacking X-Frame-Options header is not present.</finding_txt>
		</finding>
	</findings>
</IVIL>

NBE (filtered for just 1 vulnerability):

timestamps|network|host|port|nikto_id|prio|Nikto v2.1.6/2.1.5
results||server1.com|8080|999957|Security Warning|GET The anti-clickjacking X-Frame-Options header is not present.
results||server1.com|8043|999957|Security Warning|GET The anti-clickjacking X-Frame-Options header is not present.
results||server2.com|8080|999957|Security Warning|GET The anti-clickjacking X-Frame-Options header is not present.
results||server2.com|8043|999957|Security Warning|GET The anti-clickjacking X-Frame-Options header is not present.

UI (filtered for just 1 vulnerability): [screenshot not included in this text]
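As an added example (not Seccubus code, and not from the original report), a small Python check over the IVIL shape shown above: it parses the findings, groups them by Nikto id, reports how many distinct (ip, port) locations a per-id aggregation would collapse into one row, and lists which `<ip>` values are hostnames rather than IP literals (the "hostname in the IP column" symptom). The sample document is constructed from the excerpt in the issue; the function names are my own.

```python
"""Check an IVIL export for findings that a per-id aggregation would collapse."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two hosts x two ports, one Nikto id, mirroring the issue's IVIL excerpt.
IVIL_SAMPLE = """<?xml version="1.0" standalone='yes'?>
<IVIL version="0.2">
  <findings>
    <finding><ip>server1.com</ip><hostname></hostname><port>8080/tcp</port><id>999957</id><severity>2</severity><finding_txt>GET The anti-clickjacking X-Frame-Options header is not present.</finding_txt></finding>
    <finding><ip>server1.com</ip><hostname></hostname><port>8043/tcp</port><id>999957</id><severity>2</severity><finding_txt>GET The anti-clickjacking X-Frame-Options header is not present.</finding_txt></finding>
    <finding><ip>server2.com</ip><hostname></hostname><port>8080/tcp</port><id>999957</id><severity>2</severity><finding_txt>GET The anti-clickjacking X-Frame-Options header is not present.</finding_txt></finding>
    <finding><ip>server2.com</ip><hostname></hostname><port>8043/tcp</port><id>999957</id><severity>2</severity><finding_txt>GET The anti-clickjacking X-Frame-Options header is not present.</finding_txt></finding>
  </findings>
</IVIL>"""


def parse_findings(xml_text):
    """Return one dict per <finding> with the IVIL fields used by Seccubus."""
    root = ET.fromstring(xml_text)
    fields = ("ip", "hostname", "port", "id", "severity", "finding_txt")
    return [{name: (f.findtext(name) or "").strip() for name in fields}
            for f in root.iter("finding")]


def group_by_id(rows):
    """Map each finding id to the set of (ip, port) locations it was reported on."""
    groups = defaultdict(set)
    for r in rows:
        groups[r["id"]].add((r["ip"], r["port"]))
    return groups


def collapsed_findings(rows):
    """Ids whose distinct (ip, port) occurrences would be lost if rows were keyed by id alone."""
    return {fid: sorted(locs) for fid, locs in group_by_id(rows).items() if len(locs) > 1}


def non_ip_addresses(rows):
    """<ip> values that are not IP literals, i.e. hostnames landing in the IP column."""
    bad = set()
    for r in rows:
        try:
            ipaddress.ip_address(r["ip"])
        except ValueError:
            bad.add(r["ip"])
    return sorted(bad)


if __name__ == "__main__":
    rows = parse_findings(IVIL_SAMPLE)
    for fid, locs in collapsed_findings(rows).items():
        print(f"id {fid}: {len(locs)} locations would collapse into one row: {locs}")
    print("hostnames in <ip>:", non_ip_addresses(rows))
```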

lukaspj (Author) commented Sep 12, 2018

It only exists in the database for the single server, so it's not UI rendering; it is the import into the database that fails.

lukaspj (Author) commented Sep 12, 2018

Seeing this:
https://github.com/schubergphilis/Seccubus/blob/a8ad6cacea2f9740beb87820a14f6f06a2c7a853/lib/Seccubus/IVIL.pm#L132-L192

It might seem like it is on purpose (I'm honestly having a hard time reading Perl code), but it seems like we might be aggregating vulnerabilities into a single finding. If this is the case, would it be possible to indicate that in the UI somehow? E.g. list multiple hostnames/IPs per finding?

arkenoi (Member) commented Jun 7, 2019

Yes, it seems that it is a kind of side effect caused by CDN normalization. The port number is ignored. Is it bad? Should we change it?

MrSeccubus (Member) commented

The cdn feature should only be there if --cdn is used on the command line iirc.
Could this be related to resolving the hostname?

@arkenoi arkenoi self-assigned this Nov 26, 2019