sullo / nikto

Nikto web server scanner

Bug: Consider removing X-XSS-Protection header detection or adding caveat #705

Closed stuartw1 closed 3 years ago

stuartw1 commented 3 years ago

Recommendations to use X-XSS-Protection are now considered by many to be outdated / harmful. Most browsers now no longer support it. I saw a pentest report with its absence flagged by this tool and raised as an issue, so thought I would report.

https://portswigger.net/research/abusing-chromes-xss-auditor-to-steal-tokens https://news.ycombinator.com/item?id=20472947

Expected behavior

Consider if it would be better to change behavior to one of the following, keep current behavior, or do something else:

Either: A - Don't say anything about the X-XSS-Protection header, OR B - Caveat advice about the header getting the browser / client to provide protection against XSS.

Actual behavior

Reports absence of X-XSS-Protection header and suggests enabling it

./nikto.pl --host <snipped>
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          52.217.96.xxx
+ Target Hostname:    <snipped>
+ Target Port:        80
+ Start Time:         2020-10-29 16:38:13 (GMT0)
---------------------------------------------------------------------------
+ Server: AmazonS3
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

Steps to reproduce

1. Run Nikto against a server that does not return the X-XSS-Protection header in its responses

Nikto version

./nikto.pl -Version
---------------------------------------------------------------------------
Nikto Versions
---------------------------------------------------------------------------
File                               Version      Last Mod
-----------------------------      --------     ----------
Nikto main                         2.1.6
LibWhisker                         2.5
db_404_strings                     2.003        
db_content_search                  2.000        
db_dictionary                      1.0          
db_dir_traversal                   2.1.6        
db_domino                          2.1.6        
db_drupal                          1.00         
db_embedded                        2.004        
db_favicon                         2.010        
db_headers                         2.008        
db_httpoptions                     2.002        
db_multiple_index                  2.005        
db_outdated                        2.017        
db_parked_strings                  2.001        
db_realms                          2.002        
db_server_msgs                     2.006        
db_tests                           2.021        
db_variables                       2.004        
nikto_apache_expect_xss.plugin     2.04         
nikto_apacheusers.plugin           2.06         
nikto_auth.plugin                  2.04         
nikto_cgi.plugin                   2.06         
nikto_clientaccesspolicy.plugin    1.00         
nikto_content_search.plugin        2.05         
nikto_cookies.plugin               2.05         
nikto_core.plugin                  2.1.5        
nikto_dictionary_attack.plugin     2.04         
nikto_dir_traversal.plugin         2.1.6        
nikto_dishwasher.plugin            2.20         
nikto_docker_registry.plugin       2.20         
nikto_domino.plugin                2.1.6        
nikto_drupal.plugin                1.00         
nikto_embedded.plugin              2.07         
nikto_favicon.plugin               2.09         
nikto_fileops.plugin               1.00         
nikto_headers.plugin               2.11         
nikto_httpoptions.plugin           2.10         
nikto_ms10_070.plugin              1.00         
nikto_msgs.plugin                  2.07         
nikto_multiple_index.plugin        2.03         
nikto_negotiate.plugin             2.00         
nikto_origin_reflection.plugin     2.01         
nikto_outdated.plugin              2.09         
nikto_parked.plugin                2.00         
nikto_paths.plugin                 2.00         
nikto_put_del_test.plugin          2.04         
nikto_report_csv.plugin            2.07         
nikto_report_html.plugin           2.06         
nikto_report_json.plugin           2.00         
nikto_report_nbe.plugin            2.02         
nikto_report_sqlg.plugin           2.00         
nikto_report_text.plugin           2.05         
nikto_report_xml.plugin            2.06         
nikto_robots.plugin                2.06         
nikto_shellshock.plugin            2.01         
nikto_siebel.plugin                1.00         
nikto_sitefiles.plugin             2.00         
nikto_ssl.plugin                   2.01         
nikto_strutshock.plugin            2.01         
nikto_tests.plugin                 2.04         
---------------------------------------------------------------------------
---------------------------------------------------------------------------
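As an added illustration of option B from the issue (a caveated finding rather than a recommendation to enable the header), here is a small header check that is not Nikto's code: it parses X-XSS-Protection, treats `0` as the explicitly-disabled value, flags `1` / `1; mode=block` as a legacy filter that most browsers have dropped, and points at Content-Security-Policy as the supported mitigation. The `Finding` type, function names and the sample responses are all constructed for this example; the first sample mirrors the AmazonS3 response in the report above.

```python
"""
Added example (not part of Nikto): report on X-XSS-Protection with a caveat
instead of advising that it be enabled. All names here are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass

CSP_HEADER = "content-security-policy"
XSS_HEADER = "x-xss-protection"

# Constructed sample responses (header name -> value); the first one mirrors
# the AmazonS3 target in the issue, which sends neither header.
SAMPLE_RESPONSES = {
    "s3_bucket": {"Server": "AmazonS3"},
    "legacy_block": {"Server": "nginx", "X-XSS-Protection": "1; mode=block"},
    "explicit_off": {"Server": "nginx", "X-XSS-Protection": "0",
                     "Content-Security-Policy": "default-src 'self'"},
}

CAVEAT = ("X-XSS-Protection controls a legacy browser-side XSS filter that most "
          "browsers no longer implement and that has itself been abused to leak "
          "information; treat it as no protection and rely on a "
          "Content-Security-Policy instead.")


@dataclass
class Finding:
    header: str    # header the finding is about, lower-cased
    message: str
    severity: str  # "info" or "low"


def _lookup(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name:
            return value.strip()
    return None


def parse_xss_protection(value: str) -> dict[str, str]:
    """Split e.g. '1; mode=block' into {'enabled': '1', 'mode': 'block'}."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    result = {"enabled": parts[0] if parts else ""}
    for option in parts[1:]:
        key, _, val = option.partition("=")
        result[key.strip().lower()] = val.strip()
    return result


def check_xss_protection(headers: dict[str, str]) -> list[Finding]:
    """Option B from the issue: never say 'enable X-XSS-Protection'.

    Absence of the header is not reported at all; the useful finding in that
    case is a missing Content-Security-Policy.
    """
    findings: list[Finding] = []
    value = _lookup(headers, XSS_HEADER)

    if value is not None:
        parsed = parse_xss_protection(value)
        if parsed["enabled"] == "0":
            findings.append(Finding(XSS_HEADER, "X-XSS-Protection: 0 explicitly "
                                    "disables the legacy browser XSS filter.", "info"))
        elif parsed["enabled"] == "1":
            message = CAVEAT
            if parsed.get("mode") != "block":
                # Without mode=block the filter rewrites the page instead of
                # refusing to render it, which is the weaker of the two modes.
                message += " Note: without mode=block the filter sanitises rather than blocks."
            findings.append(Finding(XSS_HEADER, message, "info"))
        else:
            findings.append(Finding(XSS_HEADER, f"Unrecognised X-XSS-Protection "
                                    f"value {value!r}.", "info"))

    if _lookup(headers, CSP_HEADER) is None:
        findings.append(Finding(CSP_HEADER, "No Content-Security-Policy header; "
                                "CSP is the supported browser-side XSS mitigation.", "low"))
    return findings


if __name__ == "__main__":
    for name, response in SAMPLE_RESPONSES.items():
        print(f"== {name}")
        for finding in check_xss_protection(response):
            print(f"  [{finding.severity}] {finding.header}: {finding.message}")
```

The check only ever emits informational text for the header itself; the one finding that carries a severity is the missing CSP, which is the advice a report reader can act on.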
tautology0 commented 3 years ago

I'd just raised this same bug against another tool. I really should've looked at Nikto first. Thanks, will have a look!

drwetter commented 3 years ago

Support is disappearing, yes: https://caniuse.com/?search=x-xss-protection .

CSP @ https://news.ycombinator.com/item?id=20472947. Really? Has yyyk ever had to implement it in real life? And there are no bypasses, right? (#LOL).

And Facebook has 0 historically because Egor Homakov did a thing: http://homakov.blogspot.com/2013/02/hacking-facebook-with-oauth2-and-chrome.html a long while back and FB decided to revamp their code.

sullo commented 3 years ago

I would have sworn in court I just did this 2 months ago, but I must not have committed. Anyway, it's gone now ty for the reminder.