sullo / nikto

Nikto web server scanner

false positive on IBM Webshpere #429

Closed digininja closed 7 years ago

digininja commented 7 years ago

I just got this false positive when scanning a site:

-----------------------------------------------------------------------
              Information
-----------------------------------------------------------------------
Test ID:    007044
OSVDB ID:   0
Message:    /wps/portal/Home/Welcome/!ut/: IBM Websphere default portal found. May allow users to create accounts.
Reason:     Content Match
-----------------------------------------------------------------------
              Request
-----------------------------------------------------------------------
GET /wps/portal/Home/Welcome/!ut/ HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007044)
Host: abc.com

-----------------------------------------------------------------------
              Response
-----------------------------------------------------------------------
HTTP/1.1 404 Not Found

Not sure what it is matching in the page as there isn't a flood of false positives like there can be when the 404 page does something special.

ghost commented 7 years ago

Not sure what it is matching in the page as there isn't a flood

The check is doing a Sign\sUp, so it seems that the 404 is containing this response.

digininja commented 7 years ago

It does contain that string, looks like you've found it.


ghost commented 7 years ago

If you have such custom-built 404s on pages (which is probably also the case in #430), then have a look at the -404string command line option of nikto to mark these 404 pages as a 404.
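As an added illustration (not Nikto's own Perl code), here is a small Python model of why the content match in this thread fires on a custom 404 body and how a marker string, in the role the thread gives -404string, lets a reviewer separate those hits from real ones. The sample bodies, the path list and the marker semantics are constructed assumptions, not Nikto's exact behaviour.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample bodies (not captured from the site in the issue).
# A custom "not found" page whose navigation happens to contain "Sign Up".
NOT_FOUND_BODY = (
    "<html><body><nav><a href='/login'>Log In</a> | "
    "<a href='/register'>Sign Up</a></nav>"
    "<h1>Page not found</h1></body></html>"
)
# A genuine portal landing page carrying the same text.
PORTAL_BODY = "<html><body><h1>Welcome</h1><a href='/signup'>Sign Up</a></body></html>"

# The content pattern the thread says test 007044 matches on.
SIGNUP_PATTERN = re.compile(r"Sign\sUp")


def content_match(body: str) -> bool:
    """Content Match as seen in the issue: the body alone decides, status is ignored."""
    return SIGNUP_PATTERN.search(body) is not None


def looks_like_not_found(status: int, body: str, marker: Optional[str] = None) -> bool:
    """Treat a response as a 'not found' page if the status is 404 or, for sites that
    serve custom error pages with a 200, if it contains the operator-supplied marker
    (assumed role of -404string; Nikto's exact logic is not modelled here)."""
    if status == 404:
        return True
    return marker is not None and marker in body


def triage(findings: List[Tuple[str, str, int, str]], marker: Optional[str] = None):
    """Split content-match hits into (kept, false_positives).
    findings: list of (test_id, path, status, body)."""
    kept, false_positives = [], []
    for test_id, path, status, body in findings:
        if not content_match(body):
            continue  # nothing would have been reported for this response
        bucket = false_positives if looks_like_not_found(status, body, marker) else kept
        bucket.append((test_id, path))
    return kept, false_positives


if __name__ == "__main__":
    sample = [
        ("007044", "/wps/portal/Home/Welcome/!ut/", 404, NOT_FOUND_BODY),  # the issue's case
        ("007044", "/wps/portal/", 200, PORTAL_BODY),                      # a real hit
        ("007044", "/does-not-exist", 200, NOT_FOUND_BODY),                # soft 404
    ]
    kept, fps = triage(sample, marker="Page not found")
    print("kept:", kept)
    print("false positives:", fps)
```

Without a marker, the soft-404 case (a 200 response carrying the custom error page) is kept as a finding, which is exactly the situation the -404string option is meant to cover.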

sullo commented 7 years ago

I poked at a bunch of these via inurl, and don't see anything better or more unique to match on, really.