Closed stuartw1 closed 3 years ago
I'd just raised this same bug against another tool. I really should've looked at Nikto first. Thanks, will have a look!
Support is disappearing, yes: https://caniuse.com/?search=x-xss-protection .
CSP @ https://news.ycombinator.com/item?id=20472947. Really? Has yyyk ever had to implement it in real life? And there are no bypasses, right? (#LOL).
And Facebook has had 0 historically because Egor Homakov did a thing: http://homakov.blogspot.com/2013/02/hacking-facebook-with-oauth2-and-chrome.html a while back and FB decided to revamp their code.
I would have sworn in court I just did this 2 months ago, but I must not have committed. Anyway, it's gone now ty for the reminder.
Recommendations to use X-XSS-Protection are now considered by many to be outdated / harmful. Most browsers no longer support it. I saw a pentest report with its absence flagged by this tool and raised as an issue, so thought I would report.
https://portswigger.net/research/abusing-chromes-xss-auditor-to-steal-tokens https://news.ycombinator.com/item?id=20472947
Expected behavior
Consider if it would be better to change behavior to one of the following, keep current behavior, or do something else.
Either: A - Don't say anything about the X-XSS-Protection header, OR B - Caveat advice about the header, which gets the browser / client to provide protection against XSS.
Actual behavior
Reports absence of X-XSS-Protection header and suggests enabling it
Steps to reproduce
1. Run Nikto against a server that does not return the X-XSS-Protection header in its responses
Nikto version
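As an added example (not Nikto's code and not posted by anyone in this thread), a small Python header audit that implements option B from the report: the state of X-XSS-Protection is reported as informational, with the legacy filter flagged when it is switched on, and the absence of Content-Security-Policy is the finding that is actually raised. The header values and the sample response are constructed for illustration.

```python
"""Audit XSS-related response headers (added example, not Nikto code).

X-XSS-Protection is never reported as a missing protection: current
browsers ignore it, and the legacy filter it enables had abuse cases
(see the PortSwigger link in the issue). CSP is the supported control.
"""
from typing import Dict, Tuple


def parse_xss_protection(value: str) -> Tuple[bool, Dict[str, str]]:
    """Parse the legacy forms '0', '1', '1; mode=block', '1; report=<uri>'
    into (enabled, directives)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    enabled = bool(parts) and parts[0] == "1"
    directives = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip()
    return enabled, directives


def audit_xss_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return one verdict per header:
    x-xss-protection: 'absent-info' | 'legacy-filter-enabled' | 'disabled'
    content-security-policy: 'missing' | 'present'
    """
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    verdict = {}
    xxp = lower.get("x-xss-protection")
    if xxp is None:
        verdict["x-xss-protection"] = "absent-info"  # informational, not a weakness
    else:
        enabled, _ = parse_xss_protection(xxp)
        verdict["x-xss-protection"] = "legacy-filter-enabled" if enabled else "disabled"
    # CSP absence is the finding worth raising as an issue.
    verdict["content-security-policy"] = (
        "present" if "content-security-policy" in lower else "missing"
    )
    return verdict


# Constructed sample: a response that still turns on the legacy filter but sets no CSP.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "X-XSS-Protection": "1; mode=block",
}
```

Calling `audit_xss_headers(SAMPLE_HEADERS)` yields `legacy-filter-enabled` for X-XSS-Protection and `missing` for Content-Security-Policy.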