sullo / nikto

Nikto web server scanner

strange positives (X-headers, typo3) #340

Closed csiefer closed 8 years ago

csiefer commented 8 years ago

Hi,

I'm scanning an Apache2 server of mine, which definitely sends

Header set X-Content-Type-Options: "nosniff"
Header set X-XSS-Protection: "1; mode=block"
Header set X-Frame-Options: "sameorigin"
Header always append X-Frame-Options: DENY

(verified by the Firefox Live HTTP Headers plugin) but I get

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

I also get

OSVDB-54058: /typo3/dev/translations.php?ONLY=%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini%00: TYPO3 allows any file to be retrieved remotely. Upgrade to the latest version.

with no typo3 present on this machine whatsoever.

Nikto v2.1.6 on Ubuntu 14.04.3 LTS

Any clue?

Best,

Chris

ghost commented 8 years ago

Hi,

The TYPO3 FP was/is fixed with the PR I've created a few minutes ago in https://github.com/sullo/nikto/pull/339

tautology0 commented 8 years ago

The header items are detected if it sees a page without these headers (normally /). The easiest way to see where this is happening is to use the -Save option, which dumps a load of information to a file, including the whole of the response block, whenever it sees an issue.

So if you could rerun it with the -Save option (you'll need to give it a directory) and have a look at the headers in the output, it would be useful.


csiefer commented 8 years ago

wooo! that was fast ;)

nikto.pl -h "https://www.secretsite.de" -C all -Save /var/www/saves/logs/nikto will do?

Note: the site is located on a test server, whose IP is set in my hosts file. The original site should not be scanned.

Best,

Chris

sullo commented 8 years ago

Sorry for late reply. Yes, your command with -S should have created that directory (if needed) and saved a text file for each vulnerability. Inside the right text file you should see the headers returned.

csiefer commented 8 years ago

Hi, back on track.

I run

nikto.pl -h https://www.[somedomain].de -C all -Save /var/www/saves/logs/nikto/tuser

(replaced the actual domain here with [somedomain])

I see Apache answering with HTTP/1.1 400 Bad Request (the "HTTP on port 443" thing).

Even if I scan with the -ssl and/or -p 443 options, the request seems to go out as an HTTP, not HTTPS, call.

Best,

Chris



Information

Test ID: 999102
OSVDB ID: 0
Message: The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

Reason:

Request

GET / HTTP/1.1
Connection: Keep-Alive
Host: www.[somedomain].de
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)

Response

HTTP/1.1 400 Bad Request
date: Mon, 28 Mar 2016 15:17:18 GMT
server: Apache
x-frame-options: DENY, DENY
content-length: 362
connection: close
content-type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

400 Bad Request

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Data Objects

REQUEST:{"whisker":{"host":"www.[somedomain].de","http_space2":" ","trailing_slurp":0,"version":"1.1","normalize_incoming_headers":1,"port":"443","ignore_duplicate_headers":0,"ssl":0,"include_host_in_uri":0,"ssl_certfile":null,"http_eol":"\r\n","retry":0,"uri":"/","protocol":"HTTP","max_size":0,"force_open":0,"timeout":10,"invalid_protocol_return_value":1,"uri_prefix":"","lowercase_incoming_headers":1,"keep-alive":1,"MAGIC":31339,"method":"GET","ssl_rsacertfile":null,"uri_param_sep":"?","force_close":0,"force_bodysnatch":0,"uri_postfix":"","require_newline_after_headers":0,"ssl_save_info":1,"http_space1":" "},"Connection":"Keep-Alive","Host":"www.[somedomain].de","User-Agent":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"}

RESPONSE:{"connection":"close","x-frame-options":"DENY, DENY","server":"Apache","whisker":{"stats_syns":3,"http_data_sent":1,"socket_state":0,"data":"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n\n400 Bad Request\n\nBad Request\n\nYour browser sent a request that this server could not understand.\nReason: You're speaking plain HTTP to an SSL-enabled server port.\n Instead use the HTTPS scheme to access this URL, please.\n\n\n","http_space1":" ","header_order":["date","server","x-frame-options","content-length","connection","content-type"],"stats_reqs":3,"message":"Bad Request","MAGIC":31340,"lowercase_incoming_headers":1,"http_eol":"\r\n","uri":"/","protocol":"HTTP","version":"1.1","http_space2":" ","uri_requested":"/","code":"400"},"content-type":"text/html; charset=iso-8859-1","content-length":"362","date":"Mon, 28 Mar 2016 15:17:18 GMT"}


Information

Test ID: 999103
OSVDB ID: 0
Message: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

Reason:

Request

GET / HTTP/1.1
Connection: Keep-Alive
Host: www.[somedomain].de
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)

Response

HTTP/1.1 400 Bad Request
date: Mon, 28 Mar 2016 15:17:18 GMT
server: Apache
x-frame-options: DENY, DENY
content-length: 362
connection: close
content-type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

400 Bad Request

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Data Objects

REQUEST:{"whisker":{"host":"www.[somedomain].de","http_space2":" ","trailing_slurp":0,"version":"1.1","normalize_incoming_headers":1,"port":"443","ignore_duplicate_headers":0,"ssl":0,"include_host_in_uri":0,"ssl_certfile":null,"http_eol":"\r\n","retry":0,"uri":"/","protocol":"HTTP","max_size":0,"force_open":0,"timeout":10,"invalid_protocol_return_value":1,"uri_prefix":"","lowercase_incoming_headers":1,"keep-alive":1,"MAGIC":31339,"method":"GET","ssl_rsacertfile":null,"uri_param_sep":"?","force_close":0,"force_bodysnatch":0,"uri_postfix":"","require_newline_after_headers":0,"ssl_save_info":1,"http_space1":" "},"Connection":"Keep-Alive","Host":"www.[somedomain].de","User-Agent":"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"}

RESPONSE:{"connection":"close","x-frame-options":"DENY, DENY","server":"Apache","whisker":{"stats_syns":3,"http_data_sent":1,"socket_state":0,"data":"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n\n400 Bad Request\n\nBad Request\n\nYour browser sent a request that this server could not understand.\nReason: You're speaking plain HTTP to an SSL-enabled server port.\n Instead use the HTTPS scheme to access this URL, please.\n\n\n","http_space1":" ","header_order":["date","server","x-frame-options","content-length","connection","content-type"],"stats_reqs":3,"message":"Bad Request","MAGIC":31340,"lowercase_incoming_headers":1,"http_eol":"\r\n","uri":"/","protocol":"HTTP","version":"1.1","http_space2":" ","uri_requested":"/","code":"400"},"content-type":"text/html; charset=iso-8859-1","content-length":"362","date":"Mon, 28 Mar 2016 15:17:18 GMT"}

https://www.[somedomain].de/

GET / HTTP/1.1
Host: www.[somedomain].de
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Cookie: osi=1ea7d72ccc142daf972a9c9113cdeb35
Connection: keep-alive
If-Modified-Since: Mon, 28 Mar 2016 15:10:11 GMT

HTTP/1.1 302 Found
Date: Mon, 28 Mar 2016 15:33:14 GMT
Server: Apache
x-frame-options: DENY, DENY, sameorigin
Expires: Sat, 05 Aug 2000 22:27:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 28 Mar 2016 15:33:14 GMT
Location: login.php?tw=274
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

https://www.[somedomain].de/login.php?tw=274

GET /login.php?tw=274 HTTP/1.1
Host: www.[somedomain].de
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Cookie: osi=1ea7d72ccc142daf972a9c9113cdeb35
Connection: keep-alive
If-Modified-Since: Mon, 28 Mar 2016 15:10:12 GMT

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2016 15:33:14 GMT
Server: Apache
x-frame-options: DENY, DENY, sameorigin
Expires: Sat, 05 Aug 2000 22:27:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 28 Mar 2016 15:33:14 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
Content-Length: 2416
Connection: close
Content-Type: text/html; charset=UTF-8

csiefer commented 8 years ago

Info: the last portion of the attached files is the output of Firefox's Live HTTP Headers plugin.

tautology0 commented 8 years ago

That makes sense - the headers aren't there because it is returning that 400 error. Maybe we shouldn't be reporting this on any 4* error.

I'll have a think.

BTW I had to edit your response as it included your company email footer, including your email address and we don't want to give those spammers any targets!

tautology0 commented 8 years ago

I also note that you're returning the following for x-frame-options:

x-frame-options: DENY, DENY

This is non-standard, so it may cause the header to be ignored by some user agents.
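The two points made in the comments above, as a small audit script: a missing-header finding is only raised on a response that is actually the application's (not on a 4xx/5xx error page), and X-Frame-Options is checked for exactly one standard directive so that folded values such as "DENY, DENY" are reported. This is an added example written for this thread, not Nikto's own code; the two raw responses it checks are re-typed from the -Save output and the Live HTTP Headers dump posted above (bodies omitted), and the finding texts are this script's own, not Nikto's.

```python
"""Security-header audit with a status-code gate (added example, not Nikto code).

Two rules taken from the discussion above:
  1. a 4xx/5xx response is an error page (here: Apache's 400 for plain HTTP
     sent to an SSL port) and says nothing about the application's headers,
     so no missing-header findings are raised on it;
  2. X-Frame-Options must be exactly one of DENY, SAMEORIGIN or
     ALLOW-FROM <uri>; folded values such as "DENY, DENY" are flagged.
"""

# Headers checked once a response passes the status gate.
SECURITY_HEADERS = {
    "x-xss-protection": "The X-XSS-Protection header is not defined.",
    "x-content-type-options": "The X-Content-Type-Options header is not set.",
    "x-frame-options": "The X-Frame-Options header is not set.",
}

VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_response(raw):
    """Return (status_code, headers) for a raw HTTP/1.x response.

    Header names are lower-cased; a header that occurs more than once is
    folded with ", ", which is how Nikto's -Save output shows it.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    version, code, *_reason = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return int(code), headers


def check_frame_options(value):
    """Return a finding for a non-standard X-Frame-Options value, else None."""
    values = [v.strip().upper() for v in value.split(",")]
    if len(values) == 1 and (values[0] in VALID_XFO or values[0].startswith("ALLOW-FROM ")):
        return None
    return ("non-standard X-Frame-Options value %r: the header must carry a "
            "single DENY, SAMEORIGIN or ALLOW-FROM directive" % value)


def audit(raw):
    """Return the list of findings for one raw response (empty list = clean)."""
    code, headers = parse_response(raw)
    if code >= 400:
        # The headers on an error page are the server's, not the application's.
        return ["skipped: status %d is an error page, not an application response" % code]
    findings = [msg for name, msg in SECURITY_HEADERS.items() if name not in headers]
    if "x-frame-options" in headers:
        finding = check_frame_options(headers["x-frame-options"])
        if finding:
            findings.append(finding)
    return findings


# Constructed from the responses posted in this issue (bodies omitted).
RESPONSE_400 = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Date: Mon, 28 Mar 2016 15:17:18 GMT\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: DENY, DENY\r\n"
    "Content-Length: 362\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

RESPONSE_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 28 Mar 2016 15:33:14 GMT\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: DENY, DENY, sameorigin\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("400 page", RESPONSE_400), ("login.php", RESPONSE_200)):
        print(label)
        for finding in audit(raw) or ["no findings"]:
            print("  -", finding)
```

Run against the two captured responses, the 400 page is skipped instead of producing the two "header not set" findings from the -Save output, and the login.php response yields only the non-standard X-Frame-Options finding.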

csiefer commented 8 years ago

Thanks for cleaning up my post (didn't think about that, answered directly from my em-client).

Yes, reporting missing headers on a 400+ response does not really make sense. Anyway: why does the request initially come in as HTTP, not HTTPS, even if the address is given with https:// and the options -ssl and -port 443 are used?

The double X-Frame-Options occurred due to a double config setting. Fixed that, thanks.
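The mod_headers directives from the first post, rewritten as an added example (not the reporter's actual configuration) with the weak form beside a corrected one. It relies on a documented mod_headers behaviour: Header set without always uses the default onsuccess condition, whose table Apache does not use for locally generated error responses, whereas Header always operates on the table that error responses do carry. That matches the saved 400 above, which carries only the always-appended X-Frame-Options value and neither of the two headers that were merely set; an append that is in effect twice (the double config setting mentioned above) is what produces DENY, DENY.

```apache
# Added example, not the reporter's real configuration.

# Weak: "Header set" (default onsuccess condition) is not applied to
# Apache-generated error pages such as the 400 above, so those responses
# carry neither X-Content-Type-Options nor X-XSS-Protection. X-Frame-Options
# is both "set" and "always append"ed, and when the append is in effect twice
# the result is "DENY, DENY", which is not a valid value for the header.
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "sameorigin"
Header always append X-Frame-Options DENY
Header always append X-Frame-Options DENY

# Corrected: one directive per header; "always" so the headers are also sent
# on error responses; "set" so a value is replaced, never appended; and a
# single X-Frame-Options policy (DENY or SAMEORIGIN, not both).
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "DENY"
```

After changing the directives, check the 400 page as well as a normal page (for example by sending a plain-HTTP request to port 443, which is exactly what the scan did) and confirm each security header appears once on both.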