sullo / nikto

Nikto web server scanner

Bug: Server Banner #742

Closed JohannesZahn closed 2 years ago

JohannesZahn commented 3 years ago

Expected behavior

Server Banner should be set like in version 2.1.6

Actual behavior

Server banner is empty, see output.zip

Steps to reproduce

  1. git checkout nikto-2.5.0
  2. git pull
  3. docker build . -t "sullo/nikto:v2.5"
  4. docker run --rm -v $(pwd):/tmp sullo/nikto:v2.5 -h http://docs.securecodebox.io -o /tmp/out.json

Nikto version

v2.5.0

Run:

./nikto.pl -Version

and paste the output here.

Nikto 2.5.0 (LW 2.5)

sullo commented 3 years ago

Can you show the incorrect behavior as well as the correct from 2.1.6?

Thanks

On Thu, Sep 2, 2021 at 5:23 AM Johannes Zahn @.***> wrote:

Expected behavior

Server Banner should be set like in version 2.1.6

Actual behavior

Server banner is empty, see output.zip https://github.com/sullo/nikto/files/7097724/output.zip

Steps to reproduce

  1. git checkout nikto-2.5.0
  2. git pull
  3. docker build . -t "sullo/nikto:v2.5"
  4. docker run --rm -v $(pwd):/tmp sullo/nikto:v2.5 -h http://docs.securecodebox.io -o /tmp/out.json

Nikto version

v2.5.0

Run:

./nikto.pl -Version

and paste the output here.

Further technical info

E.g. you can obtain Nikto debug output by running -D D and redirecting to a file. You may also scrub the output of hostnames and IPs by specifying -D DS.


JohannesZahn commented 3 years ago

When you click on the output.zip link in my previous post you will find 2 JSON files. One with the 2.1.6 and one with the 2.5.0 JSON output. As shown in the following image, the banner is empty.

image

I get the following vulnerabilities (in v2.5.0 (see output.zip)) which makes me think it should recognize Netlify as banner. Also it seems to me that there are many duplicates of this entry. Overall we have seen that 2.5.0 often produces 10-20 times the amount of vulnerabilities than 2.1.6.

image

digininja commented 3 years ago

When you run the app, what does it report the banner as in the console?

JohannesZahn commented 3 years ago

Does Server equal banner?

image

digininja commented 3 years ago

That is the value that should be appearing in the JSON I think. Looks like it is being found, but not being put in the output correctly.

sullo commented 3 years ago

Sorry I was on my phone and missed there was an attachment.

"2.5.0 often produces 10-20 times the amount of vulnerabilities" -- is this for the banner, or just in general?


JohannesZahn commented 3 years ago

If I use no options on the same host like shown in the "steps to reproduce" for nikto 2.1.6 I get 8 and for nikto 2.5.0 45 vulnerabilities (see also output.zip). I am not saying this is a problem but just asking if this is what you would expect. The server banner vulnerability is in there 9 times in nikto 2.5.0, always with the exact same JSON:

{
  "id": 999962,
  "method": "GET",
  "url": "",
  "msg": "Server banner changed from '' to 'foo'."
}
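The two symptoms reported above (an empty banner in the JSON report, and one finding repeated many times) can be checked mechanically before a report is imported into another tool. This is an added example, not part of the original thread or of Nikto's code; the sample report is constructed, and the top-level keys `banner` and `vulnerabilities` are assumptions about the report layout.

```python
import json
import re
from collections import Counter

# Constructed sample modelled on the item quoted in the thread. The top-level
# keys "banner" and "vulnerabilities" are assumptions about the report layout.
SAMPLE_REPORT = json.dumps({
    "host": "scan-target.example",
    "banner": "",
    "vulnerabilities": (
        [{"id": 999962, "method": "GET", "url": "",
          "msg": "Server banner changed from '' to 'foo'."}] * 9
        + [{"id": 100001, "method": "GET", "url": "/",
            "msg": "Constructed finding used only for this example."}]
    ),
})

BANNER_CHANGE = re.compile(r"Server banner changed from '(.*?)' to '(.*?)'\.")


def audit_report(raw):
    """Return banner and duplicate-finding diagnostics for one JSON report."""
    report = json.loads(raw)
    findings = report.get("vulnerabilities", [])
    # Two findings are duplicates when every reported field is identical.
    counts = Counter(
        (f.get("id"), f.get("method"), f.get("url"), f.get("msg"))
        for f in findings
    )
    duplicates = {key: n for key, n in counts.items() if n > 1}
    # A banner named in a finding but absent from the report field means the
    # value was detected during the scan and then lost on output.
    seen = {m.group(2) for f in findings
            if (m := BANNER_CHANGE.search(f.get("msg") or "")) and m.group(2)}
    banner = (report.get("banner") or "").strip()
    return {
        "banner_missing": not banner,
        "banners_seen_in_findings": sorted(seen),
        "total": len(findings),
        "unique": len(counts),
        "duplicates": duplicates,
    }


if __name__ == "__main__":
    result = audit_report(SAMPLE_REPORT)
    for (fid, method, url, msg), n in result["duplicates"].items():
        print(f"{n}x id={fid} {method} {url!r}: {msg}")
    print("banner missing:", result["banner_missing"],
          "seen in findings:", result["banners_seen_in_findings"])
```

Comparing `total` with `unique` separates inflated counts caused by repeated items from a genuine increase in findings between two scanner versions.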

JohannesZahn commented 3 years ago

Any news on this? @sullo

sullo commented 3 years ago

It shouldn’t be reporting multiple times. I haven’t been able to look into it yet, however.


sullo commented 2 years ago

I committed a fix for the banner not being in the JSON. Still looking into the duplicate reported items.

sullo commented 2 years ago

I believe that fixes both issues here.

sullo commented 2 years ago

@JohannesZahn can you confirm it's working for you?