From 7e3eae4eb5794b256ca98a7cbd7309fe8551402d Mon Sep 17 00:00:00 2001
From: sullo
Date: Sat, 30 Dec 2023 15:17:39 -0500
Subject: [PATCH] Report x-frame-options as being deprecated in favor of CSP

---
 program/plugins/nikto_headers.plugin | 23 +++-------------------
 1 file changed, 3 insertions(+), 20 deletions(-)

diff --git a/program/plugins/nikto_headers.plugin b/program/plugins/nikto_headers.plugin
index 5e585314..53dcdd60 100644
--- a/program/plugins/nikto_headers.plugin
+++ b/program/plugins/nikto_headers.plugin
@@ -147,15 +147,12 @@ sub nikto_headers_postfetch {
 }
 # Look for X-Frame-Options
- if (!$XFRAME{ $mark->{hostname} }{ $mark->{port} } && defined $result->{'whisker'}->{'code'}) {
+ if (!$XFRAME{ $mark->{hostname} }{ $mark->{port} } && defined $result->{'whisker'}->{'code'} && $result->{'whisker'}->{'code'} == 200) {
 if (defined $result->{'x-frame-options'}) {
- if ($result->{'x-frame-options'} =~ /^ALLOW-FROM/) {
- my $allowed = $result->{'x-frame-options'};
- $allowed =~ s/^.* //g;
 add_vulnerability(
 $mark,
 $request->{'whisker'}{'uri'}
- . ":X-Frame-Options header is set to allow framing from $allowed. This does not have full cross-browser support (only in IE and Firefox) and may lead to the header being ignored.",
+ . ":X-Frame-Options header is deprecated and has been replaced with the Content-Security-Policy HTTP header with the frame-ancestors directive instead.",
 999978,
 "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
 $request->{'whisker'}->{'method'},
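Review bot: The rewritten branch reports 999978 whenever X-Frame-Options is present, without checking whether the same response also carries a Content-Security-Policy header with a frame-ancestors directive, so the common belt-and-braces deployment (CSP frame-ancestors for current browsers, X-Frame-Options kept as a fallback for older ones) is now flagged as a finding too. The condition on the `if (defined $result->{'x-frame-options'})` line could be narrowed to `if (defined $result->{'x-frame-options'} && !(defined $result->{'content-security-policy'} && $result->{'content-security-policy'} =~ /frame-ancestors/i)) {`, assuming response headers are keyed lower-case the way `x-frame-options` is here. The message text "deprecated and has been replaced" also overstates the cited MDN page, which presents frame-ancestors as obsoleting the header only in browsers that support CSP; "superseded by the Content-Security-Policy frame-ancestors directive; keeping both is harmless" would be more accurate for operators reading the report. The enclosing sub nikto_headers_postfetch starts before and ends after this hunk.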
@@ -163,22 +160,8 @@ sub nikto_headers_postfetch {
 $request,
 $result
 );
- }
- }
- else {
- add_vulnerability(
- $mark,
- $request->{'whisker'}{'uri'}
- . ": The anti-clickjacking X-Frame-Options header is not present.",
- 999957,
- "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
- $request->{'whisker'}->{'method'},
- $request->{'whisker'}->{'uri'},
- $request,
- $result
- );
+ $XFRAME{ $mark->{hostname} }{ $mark->{port} } = 1;
 }
- $XFRAME{ $mark->{hostname} }{ $mark->{port} } = 1;
 }
 # Incapsula WAF
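Review bot: Deleting the 999957 else-branch leaves a coverage gap: a 200 response that carries neither X-Frame-Options nor a Content-Security-Policy frame-ancestors directive now produces no clickjacking finding at all, and because `$XFRAME{ $mark->{hostname} }{ $mark->{port} } = 1;` is now set only inside the `defined x-frame-options` branch, such hosts are re-examined on every 200 response without ever being reported. Rather than dropping the branch, keep an elsif path that fires only when the CSP replacement is also absent, so the "deprecated header" and "no protection" messages stay mutually exclusive. The id can remain 999957 if nothing else has claimed it (the patch retires it rather than reassigning it), and the `content-security-policy` key assumes the same lower-case header keying used for `x-frame-options`. nikto_headers_postfetch itself starts and ends outside this hunk.

```perl
            # … unchanged: deprecated X-Frame-Options finding (999978) …
            $XFRAME{ $mark->{hostname} }{ $mark->{port} } = 1;
        }
        elsif (!defined $result->{'content-security-policy'}
            || $result->{'content-security-policy'} !~ /frame-ancestors/i) {
            # Neither legacy nor CSP-based anti-framing control is present.
            add_vulnerability(
                $mark,
                $request->{'whisker'}{'uri'}
                . ": No anti-clickjacking protection: X-Frame-Options is not present and Content-Security-Policy has no frame-ancestors directive.",
                999957,
                "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors",
                $request->{'whisker'}->{'method'},
                $request->{'whisker'}->{'uri'},
                $request,
                $result
            );
            $XFRAME{ $mark->{hostname} }{ $mark->{port} } = 1;
        }
```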