Description
When I use Legba 0.11.0 against a web server with HTTP Basic auth configured on the default page, Legba generates several warnings as part of the validating canary status codes check:
$ curl -D - http://172.30.0.12
HTTP/1.1 401 UNAUTHORIZED
Server: gunicorn
Date: Mon, 15 Sep 2025 17:12:04 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19
WWW-Authenticate: Basic realm="TikSight Surveillance Camera"
$ legba -C credentials.txt -T http://172.30.0.12/ http.basic
legba v0.11.0
[INFO ] target: http://172.30.0.12/
[INFO ] validating canary status codes ...
[WARN ] http://172.30.0.12/ returned status code 401 Unauthorized for an existing page, aborting due to likely false negatives
[WARN ] http://172.30.0.12/ returned status code 401 Unauthorized for an existing page, aborting due to likely false negatives
[WARN ] http://172.30.0.12/ returned status code 401 Unauthorized for an existing page, aborting due to likely false negatives
[WARN ] http://172.30.0.12/ returned status code 401 Unauthorized for an existing page, aborting due to likely false negatives
[WARN ] http://172.30.0.12/ returned status code 401 Unauthorized for an existing page, aborting due to likely false negatives
[WARN ] http://172.30.0.12/ returned status code 401 Unauthorized for an existing page, aborting due to likely false negatives
[WARN ] http://172.30.0.12/ returned status code 401 Unauthorized for an existing page, aborting due to likely false negatives
[WARN ] http://172.30.0.12/ returned status code 401 Unauthorized for an existing page, aborting due to likely false negatives
[WARN ] http://172.30.0.12/ returned status code 401 Unauthorized for an existing page, aborting due to likely false negatives
[WARN ] http://172.30.0.12/ returned status code 401 Unauthorized for an existing page, aborting due to likely false negatives
[INFO ] username -> wordlist /C/credentials.txt
[INFO ] password -> wordlist /C/credentials.txt
[INFO ] [2025-09-15 17:06:30] (http) <http://172.30.0.12/> username=admin password=......
[INFO ] tasks=1 mem=22.5 MiB targets=1 attempts=596 done=596 (100.00%) speed=596 reqs/s
[INFO ] runtime 1.421983689s
(The /C/credentials.txt file path is from a Docker volume mapping.)
Looking at the check_false_positives() (https://github.com/evilsocket/legba/blob/main/src/plugins/http/mod.rs#L455C14-L455C35) function, it seems like Legba expects the HTTP Basic server to return something other than 401 in is_success_response(). For web servers using HTTP Basic, it seems like an HTTP/401 response is the expected functionality.
The warnings from Legba aren't fatal, but they are a little misleading. Is it possible to rework this so that http.basic testing does not return this warning?
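An added example, not Legba's code and not part of the issue above: a small canary check that treats a 401 carrying a `WWW-Authenticate: Basic` challenge as the expected answer when the plugin is HTTP Basic, while still flagging 401/403/404 for plugins where an existing page should be reachable. The plugin names (`http.basic`, `http.form`), the verdict strings and the helper names are assumptions for illustration; the raw 401 response is constructed from the `curl -D -` output quoted in the issue.

```python
"""Canary check for an HTTP credential-testing plugin.

Decide whether the response for a page known to exist lets the plugin tell a
successful login from a failed one. Example code, not Legba's implementation;
plugin names and verdict strings are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Response:
    status: int
    reason: str
    headers: Dict[str, str] = field(default_factory=dict)  # keys stored lower-case

    def header(self, name: str) -> Optional[str]:
        return self.headers.get(name.lower())


def parse_head(raw: str) -> Response:
    """Parse the head of an HTTP/1.x response as printed by `curl -D -`."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    _version, status, reason = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for ln in lines[1:]:
        name, value = ln.split(":", 1)
        key = name.strip().lower()
        # Repeated list-valued headers (e.g. several WWW-Authenticate) are joined
        # with a comma, which is equivalent per RFC 9110.
        headers[key] = f"{headers[key]}, {value.strip()}" if key in headers else value.strip()
    return Response(int(status), reason, headers)


def basic_challenge(resp: Response) -> Optional[str]:
    """Return the Basic challenge parameters if resp is a proper HTTP Basic
    challenge (RFC 7617: 401 plus WWW-Authenticate: Basic ...), else None."""
    www = resp.header("WWW-Authenticate")
    if resp.status != 401 or www is None:
        return None
    for challenge in www.split(","):
        scheme, _, params = challenge.strip().partition(" ")
        if scheme.lower() == "basic":
            return params
    return None


def basic_realm(resp: Response) -> Optional[str]:
    params = basic_challenge(resp)
    if params is None:
        return None
    m = re.search(r'realm="([^"]*)"', params)
    return m.group(1) if m else None


def canary_verdict(plugin: str, resp: Response) -> str:
    """'ok' when the canary response is consistent with what the plugin needs
    to detect success; otherwise a short reason the run would likely produce
    false negatives."""
    if plugin == "http.basic":
        if basic_challenge(resp) is not None:
            return "ok"  # 401 + Basic challenge is exactly what an unauthenticated probe should get
        if resp.status == 401:
            return "401 without a Basic challenge: target may not use Basic auth"
        if 200 <= resp.status < 300:
            return "page reachable without credentials: nothing to brute-force"
        return f"existing page returned {resp.status}: likely false negatives"
    # Other HTTP plugins (form login, etc.) need the existing page to be
    # reachable, so any auth-ish or not-found status is a real warning sign.
    if resp.status in (401, 403, 404):
        return f"existing page returned {resp.status}: likely false negatives"
    return "ok"


# Constructed sample: the head of the gunicorn 401 quoted in the issue.
CANARY_401 = """HTTP/1.1 401 UNAUTHORIZED
Server: gunicorn
Date: Mon, 15 Sep 2025 17:12:04 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19
WWW-Authenticate: Basic realm="TikSight Surveillance Camera"
"""

# Constructed sample: the same path, but served without any auth.
CANARY_200 = """HTTP/1.1 200 OK
Server: gunicorn
Content-Type: text/html; charset=utf-8
Content-Length: 19
"""

if __name__ == "__main__":
    for name, raw in (("401 with Basic challenge", CANARY_401), ("200 open page", CANARY_200)):
        resp = parse_head(raw)
        print(f"{name}: realm={basic_realm(resp)!r}")
        for plugin in ("http.basic", "http.form"):
            print(f"  {plugin:10s} -> {canary_verdict(plugin, resp)}")
```

The point of splitting the decision by plugin is that the same 401 is a healthy canary for `http.basic` (the challenge even confirms the scheme and realm) and a warning sign for a form-login plugin, where an unauthenticated GET of a real page should succeed.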