search

sullo / nikto

Nikto web server scanner
Other
8.61k stars 1.24k forks source link

Bug: Nikto results include template strings #771

Closed ahokinson closed 2 years ago

ahokinson commented 2 years ago

Expected behavior

Nikto should return items resembling the following:

<item id="999102" osvdbid="0" osvdblink="[http://osvdb.org/0"](http://osvdb.org/0) method="GET">
<description><![CDATA[The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS]]></description>
<uri><![CDATA[/]]></uri>
<namelink><![CDATA[[https://127.0.0.1:8080/]]></namelink>](https://127.0.0.1:8080/]]%3E%3C/namelink%3E)
<iplink><![CDATA[[https://127.0.0.1:8080/]]></iplink>](https://127.0.0.1:8080/]]%3E%3C/iplink%3E)
</item>

Actual behavior

Nikto is including an item that appears to be an un-rendered template.

<item id="#ID#" osvdbid="#TEMPL_OSVDB#" osvdblink="#TEMPL_OSVDB_LINK#" method="#TEMPL_HTTP_METHOD#">
<description><![CDATA[#TEMPL_MSG#]]></description>
<uri><![CDATA[#TEMPL_URI#]]></uri>
<namelink><![CDATA[#TEMPL_ITEM_NAME_LINK#]]></namelink>
<iplink><![CDATA[#TEMPL_ITEM_IP_LINK#]]></iplink>
</item>

Steps to reproduce

  1. Running Nikto inside of a Python application in a docker container.
  2. /opt/nikto/program/nikto.pl -config nikto.conf -nointeractive -host {ips} {arguments} -output /tmp/niktout.xml -Format xml
  3. awk '{print}' /addon/results/*
  4. Observe the template item in the scan results.

Nikto version

2.1.6

Further technical info

This could be intentional behavior in order to show the item template. But I didn't notice it as documented behavior.

sullo commented 2 years ago

It is not intentional, however the master branch is largely stagnant. Please check out the nikto-2.5.0 branch and retry.

sullo commented 2 years ago

I am going to close this issue. If it still a problem in the 2.5.0 version please reopen, thanks.