search

sullo / nikto

Nikto web server scanner
Other
8.61k stars 1.24k forks source link

Bug: HTTP Basic Auth not working #762

Closed sschroep closed 2 years ago

sschroep commented 2 years ago

I have a website which is using header based http basic auth. Unfortunately nikto is not sending any authorization headers.

I'm running nikto -h https://HOST/ -id ID:PASSWD -useproxy https://127.0.0.1:8080/ -ssl -Display D On Port 8080 i have a mitmproxy through which i want to record the traffic.

The nikto debug output gives me the following:

D:Thu Feb 24 17:10:44 2022 'Request Hash' = {
    'whisker' => {
        'force_open' => 0,
        'uri' => '/',
        'protocol' => 'HTTP',
        'invalid_protocol_return_value' => 1,
        'proxy_host' => '127.0.0.1',
        'http_eol' => "\r\n",
        'require_newline_after_headers' => 0,
        'uri_param_sep' => '?',
        'ignore_duplicate_headers' => 1,
        'proxy_port' => 8080,
        'http_space1' => ' ',
        'ssl' => 1,
        'MAGIC' => 31339,
        'ssl_certfile' => undef,
        'port' => 443,
        'ssl_save_info' => 1,
        'host' => 'HOST',
        'keep-alive' => 1,
        'ssl_rsacertfile' => undef,
        'http_space2' => ' ',
        'version' => '1.1',
        'method' => 'GET',
        'uri_postfix' => '',
        'normalize_incoming_headers' => 1,
        'max_size' => 0,
        'force_close' => 0,
        'force_bodysnatch' => 0,
        'trailing_slurp' => 0,
        'include_host_in_uri' => 1,
        'uri_prefix' => '',
        'retry' => 0,
        'timeout' => 10,
        'lowercase_incoming_headers' => 1
    },
    'User-Agent' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0',
    'Host' => 'HOST:443',
    'Connection' => 'Keep-Alive'
};
D:Thu Feb 24 17:10:44 2022 'Result Hash' = {
    'www-authenticate' => 'Basic realm="REALM VALUE"',
    'date' => 'Thu, 24 Feb 2022 16:10:41 GMT',
    'x-content-type-options' => 'nosniff',
    'content-length' => 381,
    'strict-transport-security' => 'max-age=31536000; preload',
    'x-xss-protection' => '1; mode=block',
    'content-type' => 'text/html; charset=iso-8859-1',
    'server' => 'Apache',
    'content-security-policy' => 'frame-ancestors \'self\';',
    'whisker' => {
        'protocol' => 'HTTP',
        'http_space2' => ' ',
        'data' => "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>401 Unauthorized</title>\n</head><body>\n<h1>Unauthorized</h1>\n<p>This server could not verify that you\nare authorized to access the document\nrequested.  Either you supplied the wrong\ncredentials (e.g., bad password), or your\nbrowser doesn't understand how to supply\nthe credentials required.</p>\n</body></html>\n",
        'header_order' => [
            'date',
            'server',
            'x-xss-protection',
            'content-security-policy',
            'strict-transport-security',
            'x-content-type-options',
            'www-authenticate',
            'content-length',
            'content-type'
        ],
        'version' => '1.1',
        'stats_syns' => 3,
        'ssl_cipher' => 'TLS_AES_256_GCM_SHA384',
        'code' => 401,
        'message' => 'Unauthorized',
        'http_data_sent' => 1,
        'ssl_cert_subject' => '/CN=HOST',
        'uri' => '/',
        'http_space1' => ' ',
        'ssl_cert_issuer' => '/CN=mitmproxy/O=mitmproxy',
        'socket_state' => 0,
        'lowercase_incoming_headers' => 1,
        'MAGIC' => 31340,
        'http_eol' => "\r\n",
        'stats_reqs' => 3
    }
};

As you can see, nikto is not sending an authorization Header to the server. It seems to me the -id param is simply ignored. Can somebody help me?

sullo commented 2 years ago

@sschroep can you test this out and make sure it works for you?

sullo commented 2 years ago

Closing due to lack of feedback.