case sensitive header checks cause false negatives #214
Comments
Can you send some (sanitized) Debug output for that request or a similar so something else is going on. You can use -DS to debug output and scrub hostnames/ips from the results. Thanks
On Thu, Feb 5, 2015 at 2:09 AM, shimmyshack notifications@github.com
Yes you're right of course :)
TLSv1.2 (attachment output-yy400.txt, 1000 lines): Nikto doesn't operate over TLSv1.2, and following the failed handshake all Nikto correctly reports that the headers in the bug report aren't present.
TLSv1 (attachment output-yy400tlsv1.txt, 1000 lines): I don't understand the pair of lines from the tlsv1 attachment 246, 304. It If this is my mistake I apologise. [Separately I have also seen false positives when trying to detect XSS,
D:Thu Feb 5 21:27:47 2015 - Loading DB: /Users/moomoo/Downloads/nikto-master/program/databases/db_parked_strings - Nikto v2.1.6
D:Thu Feb 5 21:27:47 2015 WARNING: No init found for nikto_core
400 Bad Request\r\nThe plain HTTP request was sent to HTTPS port\r\nnginx\r\n\r\n\r\n", 'stats_reqs' => 2, 'message' => 'Bad Request', 'MAGIC' => 31340, 'socket_state' => 0, 'http_space1' => ' ', 'code' => 400, 'version' => '1.1' }, 'date' => 'Thu, 05 Feb 2015 21:27:48 GMT' };
+ Start Time: 2015-02-05 21:27:48 (GMT0)
D:Thu Feb 5 21:45:21 2015 - Loading DB: /Users/moomoo/Downloads/nikto-master/program/databases/db_parked_strings - Nikto v2.1.6
D:Thu Feb 5 21:45:21 2015 WARNING: No init found for nikto_core
'version' => '1.1', 'uri' => '/', 'ssl_cert_issuer' => '/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA', 'header_order' => [ 'server', 'date', 'content-type', 'transfer-encoding', 'connection', 'vary', 'strict-transport-security', 'x-frame-options', 'x-xss-protection', 'x-content-type-options', 'content-security-policy', 'p3p', 'timing-allow-origin' ], 'message' => 'OK', 'ssl_cert_subject' => '/OU=Domain Control Validated/OU=PositiveSSL/CN=yahvehyireh.com', 'lowercase_incoming_headers' => 1, 'code' => 200, 'socket_state' => 0, 'http_space2' => ' ', 'ssl_cert_altnames' => [ 2, 'yahvehyireh.com', 2, 'www.yahvehyireh.com' ], 'http_data_sent' => 1, 'protocol' => 'HTTP' }, 'connection' => 'keep-alive', 'x-frame-options' => 'deny', 'x-xss-protection' => '1; mode=block', 'x-content-type-options' => 'nosniff', 'content-type' => 'text/html; charset=UTF-8', 'date' => 'Thu, 05 Feb 2015 21:45:22 GMT', 'transfer-encoding' => 'chunked', 'p3p' => 'CP=YY has no P3P policy, why? https://yahvehyireh.com/manage/p3p/', 'strict-transport-security' => 'max-age=16070400; includesubdomains; preload', 'timing-allow-origin' => '', 'vary' => 'Accept-Encoding' };
+ Target Port: 443
+ Start Time: 2015-02-05 21:45:21 (GMT0)
Version 2.1.6 - getting a Header missing for "X-Content-Type-Options" even though it's defined. In nikto_headers.plugin I believe this line:
    if (!defined $result->{'X-Content-Type-Options'}) {
should be:
    if (!defined $result->{'x-content-type-options'}) {
Thanks for your work on this program
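An added illustration, not Nikto's own code, of the lookup the comment above points at: the same header set checked once with an exact-case hash key (the pattern that produces the false negative) and once after normalising the keys to lowercase. The sample response headers and the function names are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not from the Nikto code base): a case-sensitive hash lookup
# misses headers that a server or a lowercasing HTTP client returns in
# lowercase; normalising the keys once avoids the false negative.
use strict;
use warnings;

# Constructed sample: headers as an nginx/SPDY site might send them.
my $raw_headers = join "\r\n",
    'server: nginx',
    'x-frame-options: deny',
    'x-xss-protection: 1; mode=block',
    'x-content-type-options: nosniff',
    'Strict-Transport-Security: max-age=16070400; includesubdomains; preload';

# Parse "Name: value" lines into a hash, keeping each name exactly as sent.
sub parse_headers {
    my ($raw) = @_;
    my %h;
    for my $line (split /\r?\n/, $raw) {
        next unless $line =~ /^([^:\s]+):\s*(.*)$/;
        $h{$1} = $2;
    }
    return \%h;
}

# Buggy check (the pattern reported in this issue): exact-case key lookup.
sub missing_case_sensitive {
    my ($result, @wanted) = @_;
    return grep { !defined $result->{$_} } @wanted;
}

# Fixed check: lowercase every key once, then look up the lowercased name.
sub missing_case_insensitive {
    my ($result, @wanted) = @_;
    my %lc = map { lc($_) => $result->{$_} } keys %$result;
    return grep { !defined $lc{ lc $_ } } @wanted;
}

my @checks = ('X-Frame-Options', 'X-Content-Type-Options', 'X-XSS-Protection');
my $result = parse_headers($raw_headers);

# The first line lists all three headers as missing; the second lists none.
print "case-sensitive reports missing:   ",
      join(', ', missing_case_sensitive($result, @checks)) || 'none', "\n";
print "case-insensitive reports missing: ",
      join(', ', missing_case_insensitive($result, @checks)) || 'none', "\n";
```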
Seems this was partly fixed by ab9560c ?

Yeah; sorry I fixed it whilst I was there. I just needed to fully test it before I close off the call (which I should be doing tomorrow).

No worries, just wanted to make @shimmyshack aware of this possible fix. Maybe should have noted that. :-)

It appears to work fully with tests against real world servers; so I'm going to close this as fixed. @shimmyshack, if you're still getting the problem with trunk, could you open up the call again and we'll do some more digging. Thanks!

The only header still acting like this is the anti-clickjacking x-frame-options: deny. Everything else seems fine :) thank you for your work! Using brew install nikto just now, v2.1.5 inspecting a vhost equal to host,

[BTW I had to edit your comment as your mobile number was in the email footer] I'll be honest; I've tried to reproduce the issue, even using the domain above, and am not succeeding. Burp definitely shows that you're using the right headers, but I can't get Nikto to alert on it. Though now I see that I have to add support for public key pinning too :-)
Thanks for the edit! Oh yeah pkp what fun!
It could be that one or two pages (maybe error pages) don't have the header. I'll dump some packets, recheck and report back.
I receive these warnings when running Nikto v2.1.6 against my site which uses HSTS to force everything over TLSv1.2
X-Frame-Options header is not present
X-Content-Type-Options header is not set
X-XSS-Protection header is not defined
source: program/plugins/nikto_headers.plugin
SPDY is on my site, so all headers are lowercase.
These headers were confirmed to be present:
x-content-type-options:nosniff
x-frame-options:deny
x-xss-protection:1; mode=block
thanks