Open Linuxfabrik opened 3 years ago
Nikto takes this from the response to both:
OPTIONS / HTTP/1.1
OPTIONS * HTTP/1.1
So it looks like Apache is closing down the method, but still reporting it on OPTIONS.
There could be a case for an enhancement to try the actual method; but this wouldn't be a priority.
Yes, on Apache, an OPTIONS request always returns Allow: GET,POST,OPTIONS,HEAD, which does not fit when using RewriteRules to forbid some methods. So for a scanner, actually testing CONNECT|DELETE|GET|HEAD|OPTIONS|PATCH|POST|PUT would be a good idea.
I'm wondering if the OPTIONS * check should be removed? My hesitation on this has always been that we don't know what sub-urls might have a different option enabled, e.g., /uploads might be the only spot that allows PUT.
IMHO from a security scanner perspective, you can't trust what OPTIONS returns.
As seen above, OPTIONS might not match at all if RewriteRules are used to allow/disallow different HTTP methods on specific URLs, for example. It gets even more complicated in CORS, sending preflight requests with the OPTIONS method and requesting permissions using additional headers.
Expected behavior

For example, we disabled all HTTP methods except for GET and OPTIONS. Nikto then should print

+ Allowed HTTP Methods: OPTIONS, GET

Actual behavior

+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST

This is wrong.

Steps to reproduce

Apache:

curl:

curl --verbose -X POST http://myserver
HTTP/1.1 405 Method Not Allowed

Nikto:

+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST

Nikto version
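The gap the thread describes, the static Allow list returned by OPTIONS versus what the server actually enforces per path, can be checked the way the reporter suggests: send each method and keep the ones that are not rejected. The script below is an added example, not Nikto's code and not the reporter's Apache config (which is not on the page). It spins up a constructed stand-in server on localhost that mimics the described behaviour (OPTIONS always advertises GET,POST,OPTIONS,HEAD; a hypothetical rule set only lets GET and OPTIONS through on /, plus PUT on /uploads, to cover the sub-url concern raised above), then compares the advertised set with the probed set for each path.

```python
"""Added example: advertised (OPTIONS Allow header) vs. actually enforced HTTP methods.

FakeApache is a constructed stand-in for the behaviour described in the issue; it is
neither Apache nor Nikto. ENFORCED is a hypothetical policy chosen for the demo."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods the issue suggests a scanner should actually try.
METHODS = ["CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]

# What the OPTIONS response claims (the Allow value quoted in the issue).
ADVERTISED = "GET,POST,OPTIONS,HEAD"

# What is really let through, per path (constructed for this example).
ENFORCED = {
    "/": {"GET", "OPTIONS"},
    "/uploads": {"GET", "OPTIONS", "PUT"},
}


class FakeApache(BaseHTTPRequestHandler):
    def _reply(self, method):
        if method == "OPTIONS":
            # OPTIONS answers with the static Allow list regardless of enforcement.
            self.send_response(200)
            self.send_header("Allow", ADVERTISED)
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif method in ENFORCED.get(self.path, set()):
            body = b"ok"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            if method != "HEAD":
                self.wfile.write(body)
        else:
            # Anything not enforced as allowed gets the 405 seen with curl.
            self.send_response(405)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


# BaseHTTPRequestHandler dispatches on do_<METHOD>; register one per method.
for _m in METHODS:
    setattr(FakeApache, "do_" + _m, lambda self, m=_m: self._reply(m))


def _send(host, port, method, path):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Allow") or ""
    finally:
        conn.close()


def advertised_methods(host, port, path="/"):
    """What the server claims via the Allow header (what Nikto reports today)."""
    _, allow = _send(host, port, "OPTIONS", path)
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def enforced_methods(host, port, path="/", methods=METHODS):
    """What the server does: send each method, keep those not rejected."""
    allowed = set()
    for m in methods:
        status, _ = _send(host, port, m, path)
        if status not in (405, 501):
            allowed.add(m)
    return allowed


def run_demo(paths=("/", "/uploads")):
    """Start the stand-in server, compare advertised vs enforced for each path."""
    server = HTTPServer(("127.0.0.1", 0), FakeApache)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {
            p: {"advertised": advertised_methods("127.0.0.1", port, p),
                "enforced": enforced_methods("127.0.0.1", port, p)}
            for p in paths
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, r in run_demo().items():
        print(path, "advertised:", sorted(r["advertised"]),
              "enforced:", sorted(r["enforced"]))
```

Against the stand-in, / advertises GET, POST, OPTIONS and HEAD but only GET and OPTIONS go through, matching the mismatch in the issue, while /uploads additionally accepts PUT, which an OPTIONS-only check on / would never reveal. Only 405 and 501 are treated as "rejected"; a real scan would also want to look at authentication and redirect responses per path before concluding a method is usable.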