Closed digininja closed 9 years ago
Good idea; although I'm tempted to add a report that it returns 200 instead of 404.
(I'm always tempted to raise this as a vulnerability with clients who do this as they're opening themselves up for a world of pain if they're not careful.)
There is no way on the command line but you can add it to udb_404strings (I think that's it--sorry on my phone) and it should do what you want. Just create the file in the db dir.
On Sep 17, 2014, at 7:26 PM, tautology0 notifications@github.com wrote:
> Good idea; although I'm tempted to add a report that it returns 200 instead of 404.
> (I'm always tempted to raise this as a vulnerability with clients who do this as they're opening themselves up for a world of pain if they're not careful.)
tautology0 - Unfortunately it is how the dotnet framework works by default, I've been told: you get a 301 which takes you to the 404 page, but that page is served with a 200. I was discussing it with Troy Hunt the other day: http://www.troyhunt.com/2014/09/solving-tyranny-of-http-403-responses.html
sullo - I'll try adding it, but it would be nice to have a -404match command line option.
Great, once more Microsoft does strange, probably non-compliant behaviour in its software! We'll add it to the things to do pile.
Just came across this as I needed similar functionality. Noticed the option is not mentioned in Nikto's output (that I could see). Not sure if this is intentional or not.
For example, I wasn't sure if the option was `404string "some string"`, `-404string "some string"`, `-404string="some string"`, etc.
It works like most perl options... "-no404 string" or "-no404=string".
I also added it to the doc xml as it was missing.
I'm scanning a site where the 404 page returns a 200, but the built-in detection isn't able to recognise the page, so I've got a load of false positives. It would be good to pass a string on the command line that only appears in the 404 page, to use instead of the automated detection.
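As an added illustration (not Nikto's own code), here is a small Python model of the check this issue asks for: each probed path is classified as missing either by a real 404 status or by a caller-supplied marker string that only appears on the site's custom 404 page, so the 301-to-200 "not found" pattern described in the thread stops producing false positives. The Response type, the sample site and the marker text are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    body: str
    location: Optional[str] = None  # set on 3xx redirects

# Constructed sample site showing the pattern from the thread: any unknown
# path 301-redirects to /error/404, which is then served with a 200.
SITE = {
    "/": Response(200, "<html><h1>Welcome</h1></html>"),
    "/admin/": Response(200, "<html><h1>Admin login</h1></html>"),
    "/error/404": Response(200, "<html><h1>Sorry, the page you requested cannot be found.</h1></html>"),
}

def fetch(path: str, site=SITE) -> Response:
    """Follow redirects to the final response, as a scanner would."""
    resp = site.get(path, Response(301, "", location="/error/404"))
    hops = 0
    while resp.status in (301, 302) and resp.location and hops < 5:
        resp = site.get(resp.location, Response(404, "not found"))
        hops += 1
    return resp

def is_not_found(resp: Response, marker: Optional[str] = None) -> bool:
    """A page counts as missing if the server says 404, or if the supplied
    marker (text that only occurs on the custom 404 page) is in the body."""
    if resp.status == 404:
        return True
    return marker is not None and marker in resp.body

def scan(paths, marker: Optional[str] = None, site=SITE):
    """Return the paths a scanner would report as present."""
    return [p for p in paths if not is_not_found(fetch(p, site), marker)]

if __name__ == "__main__":
    probes = ["/admin/", "/backup.zip", "/does-not-exist/"]
    print(scan(probes))                           # no marker: every probe is a "hit"
    print(scan(probes, marker="cannot be found"))  # with marker: only /admin/
```

Without the marker every missing path comes back as a 200 and is reported; with it, only the genuinely present page survives.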