Closed ghost closed 9 years ago
Can you send some (sanitized) Debug output for that request or a similar one? It should not mismatch on case as all incoming headers are made lowercase, and the actual match is:

```perl
if (defined $result->{'x-frame-options'}) {
```

so something else is going on.
You can use -DS to debug output and scrub hostnames/ips from the results. Can you paste in the headers your site is sending?
Thanks Sullo
On Thu, Feb 5, 2015 at 2:09 AM, shimmyshack notifications@github.com wrote:

> I receive these warnings when running Nikto v2.1.6 against my site which uses HSTS to force everything over TLSv1.2
>
> X-Frame-Options header is not present
> X-Content-Type-Options header is not set
> X-XSS-Protection header is not defined
>
> source: program/plugins/nikto_headers.plugin
>
> SPDY is on my site, so all headers are lowercase.
>
> These headers were confirmed to be present:
>
> x-content-type-options:nosniff
> x-frame-options:deny
> x-xss-protection:1; mode=block
>
> thanks
>
> — Reply to this email directly or view it on GitHub https://github.com/sullo/nikto/issues/214.
Yes you're right of course :) I have no reason to withhold my server hostname, IP address, or encryption protocols etc., so the attached files are the first 1000 lines (using head) of the Debug logs.
TLSv1.2 (attachment output-yy400.txt, 1000 lines)
Nikto doesn't operate over TLSv1.2, and following the failed handshake all subsequent communication is plain text over port 443, producing 400s with minimal headers.
Nikto correctly reports that the headers in the bug report aren't present. Line 271 in attached debug output.
TLSv1 (attachment output-yy400tlsv1.txt, 1000 lines)
I don't understand the pair of lines 246 and 304 from the TLSv1 attachment. It seems as though the header x-content-type-options: nosniff is present and correct in line 246, but is reported not to be in 304.
If this is my mistake I apologise.
[Separately, I have also seen false positives when trying to detect XSS: nginx correctly URL-encodes <, > etc., and these are printed URL-escaped (%3D etc.) in my HTML pages, just not as HTML entities (< etc.). Nikto reports XSS is present, but I can't see how. Perhaps some cunning payload that I didn't spot Nikto testing for in the logs? fails as do any similar double/single quote, HTML char combinations]
```
D:Thu Feb 5 21:27:47 2015 - Loading DB: /Users/moomoo/Downloads/nikto-master/program/databases/db_parked_strings
D:Thu Feb 5 21:27:47 2015 - Loading DB: /Users/moomoo/Downloads/nikto-master/program/databases/db_404_strings
D:Thu Feb 5 21:27:47 2015 - Loading DB: /Users/moomoo/Downloads/nikto-master/program/databases/db_outdated
D:Thu Feb 5 21:27:47 2015 - Loading DB: /Users/moomoo/Downloads/nikto-master/program/databases/db_variables
D:Thu Feb 5 21:27:47 2015 - Loading DB: /Users/moomoo/Downloads/nikto-master/program/databases/db_tests
D:Thu Feb 5 21:27:47 2015 WARNING: No init found for nikto_core
D:Thu Feb 5 21:27:48 2015 'Request Hash' = { 'Host' => 'yahvehyireh.com', 'User-Agent' => 'Mozilla/5.00', 'Connection' => 'Keep-Alive', 'whisker' => { 'lowercase_incoming_headers' => 1, 'uri_prefix' => '', 'retry' => 0, 'http_space2' => ' ', 'method' => 'HEAD', 'ssl' => 1, 'ignore_duplicate_headers' => 1, 'force_close' => 0, 'uri_postfix' => '', 'keep-alive' => 1, 'uri' => '/', 'trailing_slurp' => 0, 'protocol' => 'HTTP', 'normalize_incoming_headers' => 1, 'ssl_rsacertfile' => undef, 'include_host_in_uri' => 0, 'ssl_certfile' => undef, 'http_eol' => "\r\n", 'http_space1' => ' ', 'uri_param_sep' => '?', 'force_bodysnatch' => 0, 'ssl_save_info' => 1, 'timeout' => 10, 'max_size' => 0, 'version' => '1.1', 'invalid_protocol_return_value' => 1, 'MAGIC' => 31339, 'require_newline_after_headers' => 0, 'host' => 'yahvehyireh.com', 'port' => 443, 'force_open' => 0 } };
D:Thu Feb 5 21:27:48 2015 'Result Hash' = { 'whisker' => { 'uri' => '/', 'error' => "sending request: SSL error: ssl_write_all 32490: 1 - SSL_ERROR_SSL(-1,1,error:00000001:lib(0):func(0):reason(1),)\nSSL_write 32490: 1 - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure\n", 'ssl_cipher' => '(NONE)', 'MAGIC' => 31340 } };
D:Thu Feb 5 21:27:48 2015 'Request Hash' = { 'whisker' => { 'uri_postfix' => '', 'force_close' => 0, 'keep-alive' => 1, 'uri' => '/', 'trailing_slurp' => 0, 'normalize_incoming_headers' => 1, 'ssl_rsacertfile' => undef, 'protocol' => 'HTTP', 'ssl_certfile' => undef, 'http_eol' => "\r\n", 'include_host_in_uri' => 0, 'lowercase_incoming_headers' => 1, 'uri_prefix' => '', 'method' => 'HEAD', 'ssl' => 0, 'ignore_duplicate_headers' => 1, 'http_space2' => ' ', 'retry' => 0, 'invalid_protocol_return_value' => 1, 'MAGIC' => 31339, 'port' => 443, 'force_open' => 0, 'host' => 'yahvehyireh.com', 'require_newline_after_headers' => 0, 'force_bodysnatch' => 0, 'uri_param_sep' => '?', 'http_space1' => ' ', 'timeout' => 10, 'ssl_save_info' => 1, 'max_size' => 0, 'version' => '1.1' }, 'Connection' => 'Keep-Alive', 'User-Agent' => 'Mozilla/5.00', 'Host' => 'yahvehyireh.com' };
D:Thu Feb 5 21:27:48 2015 'Result Hash' = { 'date' => 'Thu, 05 Feb 2015 21:27:48 GMT', 'whisker' => { 'http_space2' => ' ', 'lowercase_incoming_headers' => 1, 'http_data_sent' => 1, 'header_order' => [ 'server', 'date', 'content-type', 'content-length', 'connection' ], 'stats_syns' => 1, 'uri_requested' => '/', 'uri' => '/', 'http_eol' => "\r\n", 'protocol' => 'HTTP', 'http_space1' => ' ', 'version' => '1.1', 'code' => 400, 'message' => 'Bad Request', 'stats_reqs' => 1, 'MAGIC' => 31340, 'socket_state' => 0 }, 'connection' => 'close', 'content-type' => 'text/html; charset=UTF-8', 'server' => 'nginx', 'content-length' => 264 };
D:Thu Feb 5 21:27:48 2015 - HTTP Server found: yahvehyireh.com:443 nginx
D:Thu Feb 5 21:27:48 2015 'Request Hash' = { 'whisker' => { 'invalid_protocol_return_value' => 1, 'MAGIC' => 31339, 'host' => 'yahvehyireh.com', 'require_newline_after_headers' => 0, 'port' => 443, 'force_open' => 0, 'http_space1' => ' ', 'uri_param_sep' => '?', 'force_bodysnatch' => 0, 'timeout' => 10, 'ssl_save_info' => 1, 'max_size' => 0, 'version' => '1.1', 'force_close' => 0, 'uri_postfix' => '', 'uri' => '/', 'keep-alive' => 1, 'trailing_slurp' => 0, 'protocol' => 'HTTP', 'ssl_rsacertfile' => undef, 'normalize_incoming_headers' => 1, 'ssl_certfile' => undef, 'http_eol' => "\r\n", 'include_host_in_uri' => 0, 'lowercase_incoming_headers' => 1, 'uri_prefix' => '', 'retry' => 0, 'http_space2' => ' ', 'ignore_duplicate_headers' => 1, 'ssl' => 0, 'method' => 'GET' }, 'Connection' => 'Keep-Alive', 'User-Agent' => 'Mozilla/5.00', 'Host' => 'yahvehyireh.com' };
D:Thu Feb 5 21:27:48 2015 'Result Hash' = { 'content-length' => 264, 'server' => 'nginx', 'content-type' => 'text/html; charset=UTF-8', 'connection' => 'close', 'whisker' => { 'uri' => '/', 'http_eol' => "\r\n", 'protocol' => 'HTTP', 'http_space2' => ' ', 'header_order' => [ 'server', 'date', 'content-type', 'content-length', 'connection' ], 'http_data_sent' => 1, 'lowercase_incoming_headers' => 1, 'stats_syns' => 2, 'uri_requested' => '/', 'data' => "\r\n
```
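The debug output above shows the sequence that makes the header finding misleading: the first request goes out with `ssl => 1` and dies with `SSL23_WRITE:ssl handshake failure`, the retry goes to port 443 with `ssl => 0`, and nginx answers that plaintext request with a bare 400 page. The plugin's check that Sullo quotes (`defined $result->{'x-frame-options'}` on lowercased header names) is then run against that 400 page, which really does lack the headers. The script below is an added example, not Nikto's own code: it parses the `Request Hash` / `Result Hash` lines of `-D` output, applies the same lowercased-key presence test, and flags exchanges whose findings should not be trusted. The embedded log is constructed in the shape of the pasted output (hostname replaced with example.test, most whisker fields dropped, and a third exchange with a successful TLS request added); the verdict labels are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the `nikto -D` output pasted above, shortened
# and with the hostname replaced by example.test. The third exchange (a TLS request
# answered with 200 and two of the three headers) is also constructed, to show the
# presence test firing on a page that really lacks one header.
SAMPLE_LOG = r"""
D:Thu Feb 5 21:27:47 2015 WARNING: No init found for nikto_core
D:Thu Feb 5 21:27:48 2015 'Request Hash' = { 'Host' => 'example.test', 'User-Agent' => 'Mozilla/5.00', 'whisker' => { 'lowercase_incoming_headers' => 1, 'method' => 'HEAD', 'ssl' => 1, 'uri' => '/', 'host' => 'example.test', 'port' => 443 } };
D:Thu Feb 5 21:27:48 2015 'Result Hash' = { 'whisker' => { 'uri' => '/', 'error' => "sending request: SSL error: ssl_write_all 32490: 1 - SSL_ERROR_SSL(-1,1,error:00000001:lib(0):func(0):reason(1),)\nSSL_write 32490: 1 - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure\n", 'ssl_cipher' => '(NONE)', 'MAGIC' => 31340 } };
D:Thu Feb 5 21:27:48 2015 'Request Hash' = { 'whisker' => { 'method' => 'GET', 'ssl' => 0, 'port' => 443, 'host' => 'example.test', 'uri' => '/' }, 'Host' => 'example.test' };
D:Thu Feb 5 21:27:48 2015 'Result Hash' = { 'content-length' => 264, 'server' => 'nginx', 'content-type' => 'text/html; charset=UTF-8', 'connection' => 'close', 'whisker' => { 'uri' => '/', 'code' => 400, 'message' => 'Bad Request', 'header_order' => [ 'server', 'date', 'content-type', 'content-length', 'connection' ] }, 'date' => 'Thu, 05 Feb 2015 21:27:48 GMT' };
D:Thu Feb 5 21:28:01 2015 'Request Hash' = { 'whisker' => { 'method' => 'GET', 'ssl' => 1, 'port' => 443, 'host' => 'example.test', 'uri' => '/' }, 'Host' => 'example.test' };
D:Thu Feb 5 21:28:01 2015 'Result Hash' = { 'x-frame-options' => 'deny', 'x-content-type-options' => 'nosniff', 'server' => 'nginx', 'whisker' => { 'uri' => '/', 'code' => 200, 'message' => 'OK', 'ssl_cipher' => 'ECDHE-RSA-AES128-GCM-SHA256' }, 'strict-transport-security' => 'max-age=31536000' };
"""

# One dumped hash per match; entries may also be run together on a single line.
ENTRY = re.compile(
    r"D:(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4}) "
    r"'(?P<kind>Request|Result) Hash' = (?P<body>\{.*?\});")
# 'key' => value, where value is a single-quoted string, a double-quoted string
# with backslash escapes, an integer, or undef (list values are skipped).
PAIR = re.compile(r"""'(?P<k>[^']+)' => (?:'(?P<s>[^']*)'|"(?P<d>(?:[^"\\]|\\.)*)"|(?P<n>-?\d+)|(?P<u>undef))""")

WANTED = ("x-frame-options", "x-content-type-options", "x-xss-protection")


@dataclass
class Exchange:
    ts: str
    request: dict   # whisker settings of the request: ssl, port, method, ...
    result: dict    # whisker fields of the reply: code, error, ssl_cipher, ...
    headers: dict   # response headers as Nikto stores them (already lowercased)


def split_whisker(body: str):
    """Cut the 'whisker' sub-hash out of a dumped hash by brace matching.
    Returns (remaining_text, whisker_text); the remainder holds the headers."""
    m = re.search(r"'whisker' => \{", body)
    if not m:
        return body, ""
    start, depth = m.end() - 1, 0
    for j in range(start, len(body)):
        if body[j] == "{":
            depth += 1
        elif body[j] == "}":
            depth -= 1
            if depth == 0:
                return body[:m.start()] + body[j + 1:], body[start + 1:j]
    raise ValueError("unbalanced braces in hash dump")


def pairs(text: str) -> dict:
    """Extract 'key' => value pairs into a dict (ints and undef converted)."""
    out = {}
    for m in PAIR.finditer(text):
        if m.group("n") is not None:
            out[m.group("k")] = int(m.group("n"))
        elif m.group("u") is not None:
            out[m.group("k")] = None
        else:
            out[m.group("k")] = m.group("s") if m.group("s") is not None else m.group("d")
    return out


def parse_exchanges(log: str):
    """Pair each Request Hash with the Result Hash that follows it."""
    exchanges, pending = [], None
    for m in ENTRY.finditer(log):
        rest, whisker = split_whisker(m.group("body"))
        if m.group("kind") == "Request":
            pending = (m.group("ts"), pairs(whisker))
        elif pending is not None:
            exchanges.append(Exchange(pending[0], pending[1], pairs(whisker), pairs(rest)))
            pending = None
    return exchanges


def missing_headers(headers: dict):
    """The plugin's own test: is the lowercased header name present at all?"""
    return [h for h in WANTED if h not in headers]


def triage(exchanges):
    """Decide, per exchange, whether a 'header not present' finding can be trusted.
    Verdict labels are this example's own, not Nikto output."""
    verdicts = []
    for ex in exchanges:
        if "error" in ex.result:
            verdicts.append(("HANDSHAKE_FAILED", ex.result["error"]))
        elif ex.request.get("port") == 443 and ex.request.get("ssl") == 0:
            verdicts.append(("PLAINTEXT_ON_443", f"HTTP {ex.result.get('code')} to a plaintext request "
                             "on the TLS port; its headers say nothing about the HTTPS site"))
        elif (ex.result.get("code") or 0) >= 400:
            verdicts.append(("ERROR_PAGE", f"HTTP {ex.result['code']}: error pages often lack these headers"))
        else:
            miss = missing_headers(ex.headers)
            verdicts.append(("MISSING" if miss else "OK", ", ".join(miss) or "all three present"))
    return verdicts


if __name__ == "__main__":
    exchanges = parse_exchanges(SAMPLE_LOG)
    for ex, (verdict, detail) in zip(exchanges, triage(exchanges)):
        print(f"{ex.ts} {ex.request.get('method')} ssl={ex.request.get('ssl')} -> {verdict}: {detail}")
```

Feeding a real `-D` capture to `parse_exchanges` instead of the sample works the same way, because `ENTRY` matches each dumped hash wherever it sits on the line. The useful signal is the first two verdicts together: a handshake error followed by an `ssl => 0` request to port 443 means every header finding for that host came from the server's plaintext 400 page, so the scan has to be repeated with a Nikto/OpenSSL build that completes the TLS handshake before the "header not present" lines mean anything.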