Closed tautology0 closed 2 years ago
I'm not sure what commit you're looking at but the linked one doesn't have x-clacks-overhead
in it. Looking at the plugin, I only see one block for it.
Was the 'message' from x-clacks-overhead
different in the multiple responses? De-duplication checks in add_vulnerability()
will fail to match if the message is different.
Yeah looked like I C+P'd the wrong request. This is what nikto_headers looks like at the moment:
```perl
if (!$HEADERS_XCO{ $mark->{hostname} }{ $mark->{port} } && defined $result->{'whisker'}->{'code'}) {
    if (defined $result->{'x-clacks-overhead'}) {
        add_vulnerability( $mark, "There appears to be clacks overhead on the server, the message is: $result->{'x-clacks-overhead'}", 999104, 0,
            $request->{'whisker'}->{'method'}, $request->{'whisker'}->{'uri'}, $request, $result);
        $HEADERS_XCO{ $mark->{hostname} }{ $mark->{port} } = 1;
    }
}

# CSP Report URLs
if (!$HEADERS_XCO{ $mark->{hostname} }{ $mark->{port} } && defined $result->{'whisker'}->{'code'}) {
    if (defined $result->{'x-clacks-overhead'}) {
        add_vulnerability( $mark, "There appears to be clacks overhead on the server, the message is: $result->{'x-clacks-overhead'}", 999104, 0,
            $request->{'whisker'}->{'method'}, $request->{'whisker'}->{'uri'}, $request, $result);
        $HEADERS_XCO{ $mark->{hostname} }{ $mark->{port} } = 1;
    }
}
```
I'm not sure how I missed that searching for clacks, but... updated to report-to
which was the intent.
commit 65059c63df69689cdecf9813a1d0ff53e79514da duplicated the X-Clacks-Overhead test with a comment implying that it's checking for Content-Security-Policy or Content-Security-Policy-Report-Only.
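An added Python model of the nikto_headers logic quoted in this thread (constructed for illustration, not Nikto's own code): it shows why the duplicated X-Clacks-Overhead block can never fire a second time for the same host:port, why a differing header value would defeat message-based de-duplication if that per-host flag were absent, and what the block was meant to do with report-to. The de-duplication rule in add_vulnerability, the HEADERS_CSP flag and the REPORT_TO_ID placeholder are assumptions, not values from the page.

```python
# Constructed model of the quoted nikto_headers logic; not Nikto's code.
from typing import Dict, List, Tuple

CLACKS_ID = 999104                        # id used in the pasted Perl block
REPORT_TO_ID = "REPORT_TO_ID_PLACEHOLDER"  # real Nikto id is not on the page


class HeaderScanner:
    def __init__(self) -> None:
        self.headers_xco: Dict[Tuple[str, int], bool] = {}  # models %HEADERS_XCO
        self.headers_csp: Dict[Tuple[str, int], bool] = {}  # assumed flag for report-to
        self.findings: List[tuple] = []

    def add_vulnerability(self, host: str, port: int, message: str, vid) -> bool:
        # Assumed dedup rule, as the thread describes: a finding is dropped only
        # when host, port, id AND message all match an earlier finding.
        key = (host, port, vid, message)
        if key in self.findings:
            return False
        self.findings.append(key)
        return True

    def check_headers(self, host: str, port: int, headers: Dict[str, str]) -> None:
        hp = (host, port)
        # First block from the pasted code: X-Clacks-Overhead, once per host:port.
        if not self.headers_xco.get(hp) and "x-clacks-overhead" in headers:
            msg = ("There appears to be clacks overhead on the server, the message is: "
                   + headers["x-clacks-overhead"])
            self.add_vulnerability(host, port, msg, CLACKS_ID)
            self.headers_xco[hp] = True
        # The duplicated block as committed: same guard and same flag, so it is
        # unreachable once the first block has run for this host:port.
        if not self.headers_xco.get(hp) and "x-clacks-overhead" in headers:
            self.add_vulnerability(host, port, "unreachable duplicate", CLACKS_ID)
            self.headers_xco[hp] = True
        # What the "CSP Report URLs" comment intended: its own flag, keyed on report-to.
        if not self.headers_csp.get(hp) and "report-to" in headers:
            self.add_vulnerability(host, port,
                                   "Reporting endpoint advertised via report-to: "
                                   + headers["report-to"], REPORT_TO_ID)
            self.headers_csp[hp] = True


def scan(responses: List[Tuple[str, int, Dict[str, str]]]) -> List[tuple]:
    s = HeaderScanner()
    for host, port, hdrs in responses:
        s.check_headers(host, port, hdrs)
    return s.findings


# Constructed sample: one host answers twice with differing clacks text.
SAMPLE = [
    ("example.test", 80, {"x-clacks-overhead": "GNU Terry Pratchett",
                          "report-to": '{"group":"csp"}'}),
    ("example.test", 80, {"x-clacks-overhead": "GNU Terry Pratchett (again)"}),
    ("example.test", 8080, {"x-clacks-overhead": "GNU Terry Pratchett"}),
]
```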