sullo / nikto

Nikto web server scanner

Bug: Issue 999993 produces invalid URL using "-r /login" parameter #755

Closed rein123 closed 2 years ago

rein123 commented 2 years ago

Expected behavior

Using the "-root /login" parameter in a Nikto call, a valid URL is reported in the XML report.

Actual behavior

Issue 999993 produces the following output in the XML report. A colon is added at the end of the reported URL:

<item id="999993" osvdbid="0" osvdblink="http://osvdb.org/0" method="GET">
<description><![CDATA[Hostname '10.3.2.7' does not match certificate's names: xyz.com]]></description>
<uri><![CDATA[/login/: ]]></uri>
<namelink><![CDATA[https://10.3.2.7:443/login/: ]]></namelink>
<iplink><![CDATA[https://10.3.2.7:443/login/: ]]></iplink>
</item>

For issue 999955 the URL output is correct:

<item id="999955" osvdbid="0" osvdblink="http://osvdb.org/0" method="GET">
<description><![CDATA[The site uses SSL and Expect-CT header is not present.]]></description>
<uri><![CDATA[/login/]]></uri>
<namelink><![CDATA[https://10.3.2.7:443/login/]]></namelink>
<iplink><![CDATA[https://10.3.2.7:443/login/]]></iplink>
</item>

Parsing the report with e.g. Ruby produces the following error: URI::InvalidURIError: bad URI(is not URI?): "https://10.3.2.7:443/login/: "

Steps to reproduce

  1. Scan a target which produces the issue 999993 "Hostname '10.3.2.7' does not match certificate's names: xyz.com"
  2. Use the following parameter: "-root /directory"
  3. Check the XML report for a URL with an invalid colon ":" at the end.

Nikto version

Run:

./nikto.pl -Version

and paste the output here.

└─# ./nikto.pl -Version

Nikto Versions

File Version Last Mod

Nikto main 2.1.6
LibWhisker 2.5
db_404_strings 2.003
db_content_search 2.000
nary 1.0
db_dir_traversal 2.1.6
db_domino 2.1.6
db_drupal 1.00
db_embedded 2.004
db_favicon 2.010
db_headers 2.008
db_httpoptions 2.002
db_multiple_index 2.005
db_outdated 2.017
db_parked_strings 2.001
db_realms 2.002
db_server_msgs 2.006
db_tests 2.021
db_variables 2.004
nikto_apache_expect_xss.plugin 2.04
nikto_apacheusers.plugin 2.06
nikto_auth.plugin 2.04
nikto_cgi.plugin 2.06
nikto_clientaccesspolicy.plugin 1.00
nikto_content_search.plugin 2.05
nikto_cookies.plugin 2.05
nikto_core.plugin 2.1.5
nikto_dictionary_attack.plugin 2.04
nikto_dir_traversal.plugin 2.1.6
nikto_dishwasher.plugin 2.20
nikto_docker_registry.plugin 2.20
nikto_domino.plugin 2.1.6
nikto_drupal.plugin 1.00
nikto_embedded.plugin 2.07
nikto_favicon.plugin 2.09
nikto_fileops.plugin 1.00
nikto_headers.plugin 2.11
nikto_httpoptions.plugin 2.10
nikto_ms10_070.plugin 1.00
nikto_msgs.plugin 2.07
nikto_multiple_index.plugin 2.03
nikto_negotiate.plugin 2.00
nikto_origin_reflection.plugin 2.01
nikto_outdated.plugin 2.09
nikto_parked.plugin 2.00
nikto_paths.plugin 2.00
nikto_put_del_test.plugin 2.04
nikto_report_csv.plugin 2.07
nikto_report_html.plugin 2.06
nikto_report_json.plugin 2.00
nikto_report_nbe.plugin 2.02
nikto_report_sqlg.plugin 2.00
nikto_report_text.plugin 2.05
nikto_report_xml.plugin 2.06
nikto_robots.plugin 2.06
nikto_shellshock.plugin 2.01
nikto_siebel.plugin 1.00
nikto_sitefiles.plugin 2.00
nikto_ssl.plugin 2.01
nikto_strutshock.plugin 2.01
nikto_tests.plugin 2.04

Further technical info

E.g. you can obtain Nikto debug output by running -D D and redirecting to a file. You may also scrub the output of hostnames and IPs by specifying -D DS.

<?xml version="1.0" ?>
<!DOCTYPE niktoscan SYSTEM "docs/nikto.dtd">
<niktoscan>
<niktoscan hoststest="0" options="-Plugins @@ALL;ssl;tests(report:500) -Display EP -nointeractive -ask auto -C none -T x01 -output https_10_3_2_7_443_login.xml -Save https_10_3_2_7_443_login -p 443 -h 10.3.2.7 -timeout 60 -Pause 0.01 -maxtime 3600s -r /login" version="2.1.6" scanstart="Tue Jan 18 17:41:54 2022" scanend="Thu Jan  1 01:00:00 1970" scanelapsed=" seconds" nxmlversion="1.2">

<scandetails targetip="10.3.2.7" targethostname="10.3.2.7" targetport="443" targetbanner="Apache" starttime="2022-01-18 17:41:55" sitename="https://10.3.2.7:443/login/" siteip="https://10.3.2.7:443/login/" hostheader="10.3.2.7" errors="0" checks="5005">
<ssl ciphers="DHE-RSA-AES256-GCM-SHA384" issuers="..." info="..." altnames="....com" />

<item id="999955" osvdbid="0" osvdblink="http://osvdb.org/0" method="GET">
<description><![CDATA[The site uses SSL and Expect-CT header is not present.]]></description>
<uri><![CDATA[/login/]]></uri>
<namelink><![CDATA[https://10.3.2.7:443/login/]]></namelink>
<iplink><![CDATA[https://10.3.2.7:443/login/]]></iplink>
</item>

<item id="999993" osvdbid="0" osvdblink="http://osvdb.org/0" method="GET">
<description><![CDATA[Hostname '10.3.2.7' does not match certificate's names: xyz.com]]></description>
<uri><![CDATA[/login/: ]]></uri>
<namelink><![CDATA[https://10.3.2.7:443/login/: ]]></namelink>
<iplink><![CDATA[https://10.3.2.7:443/login/: ]]></iplink>
</item>

<statistics elapsed="787" itemsfound="8" itemstested="5005" endtime="2022-01-18 17:55:02" />
</scandetails>

</niktoscan>
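A small Ruby reader for this report, added here as an example (it is not Nikto's code nor the reporter's): it surfaces the invalid namelink through URI.parse, exactly the failure described above, and can optionally strip the stray trailing ": " so a 2.1.6 report is still consumable. The sample report is constructed from the two items quoted in the issue; the function and struct names are assumptions.

```ruby
require "rexml/document"
require "uri"
# Constructed sample with the two items quoted in the issue: 999955 is clean,
# 999993 carries the stray ": " that Nikto 2.1.6 appended to its URLs.
SAMPLE_REPORT = <<~XML
  <?xml version="1.0" ?>
  <niktoscan>
  <item id="999955" osvdbid="0" method="GET">
  <uri><![CDATA[/login/]]></uri>
  <namelink><![CDATA[https://10.3.2.7:443/login/]]></namelink>
  </item>
  <item id="999993" osvdbid="0" method="GET">
  <uri><![CDATA[/login/: ]]></uri>
  <namelink><![CDATA[https://10.3.2.7:443/login/: ]]></namelink>
  </item>
  </niktoscan>
XML
# One parsed finding (assumed name); link_error is nil when namelink parses.
Finding = Struct.new(:id, :uri, :namelink, :link_error, keyword_init: true)

# nil when the link parses, otherwise the URI::InvalidURIError message.
def uri_error(link)
  URI.parse(link)
  nil
rescue URI::InvalidURIError => e
  e.message
end

# Drop the ": " suffix the 999993 check emitted; returns [cleaned, changed?].
def strip_trailing_colon(link)
  cleaned = link.sub(/:\s*\z/, "")
  [cleaned, cleaned != link]
end

# Parse every <item>; with repair: true, links that fail URI.parse get the
# trailing ": " stripped and re-validated. Returns [findings, repaired_ids].
def load_findings(xml, repair: false)
  repaired = []
  findings = REXML::Document.new(xml).get_elements("//item").map do |item|
    id = item.attributes["id"]
    uri = item.elements["uri"].text.to_s
    link = item.elements["namelink"].text.to_s
    if repair && uri_error(link)
      link, changed = strip_trailing_colon(link)
      uri = strip_trailing_colon(uri).first
      repaired << id if changed
    end
    Finding.new(id: id, uri: uri, namelink: link, link_error: uri_error(link))
  end
  [findings, repaired]
end
```

Without repair: true the function keeps the raw links and only records the parse error per item, which is the safer choice when you want the report to show exactly what the scanner wrote.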
sullo commented 2 years ago

This is fixed in the 2.5.0 branch. Thanks!