sullo / nikto

Nikto web server scanner

False Positive/Negative: #844

Open Gitabhsuosowo opened 1 month ago

Gitabhsuosowo commented 1 month ago

Output of suspected false positive / negative

Post any useful information like the ID of the test causing the false positive.

Debug output

Run:

./nikto.pl -host targethost -Save false_positive

This saves all positive responses to a new false_positive directory. Afterwards look for the related ID of the false positive / negative and paste it below.

sullo commented 1 month ago

Do you have an issue to report? No info here.

top-kat commented 3 weeks ago

Thx @sullo for being reactive!

Here is one of my scans:

➜  program git:(master) ./nikto.pl -h http://localhost:9086/
- Nikto v2.5.0
---------------------------------------------------------------------------
+ ERROR: Unable to open database file db_headers_suggested: .
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        9086
+ Start Time:         2024-11-01 14:29:13 (GMT1)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ No CGI Directories found (use '-C all' to force check all possible dirs)
called once
+ /servlet/org.apache.catalina.Globals/<script>alert('Vulnerable')</script>: Apache-Tomcat is vulnerable to Cross Site Scripting (XSS) by invoking java classes.
+ /ss000007.pl?PRODREF=<script>alert('Vulnerable')</script>: Actinic E-Commerce services is vulnerable to Cross Site Scripting (XSS). See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1732
+ /modules.php?op=modload&name=Members_List&file=index&letter=<script>alert('Vulnerable')</script>: This install of PHP-Nuke's modules.php is vulnerable to Cross Site Scripting (XSS).
+ /html/partner.php?mainfile=anything&Default_Theme='<script>alert(document.cookie);</script>: myphpnuke version 1.8.8_final_7 is vulnerable to Cross Site Scripting (XSS).
+ /article.cfm?id=1'<script>alert(document.cookie);</script>: With malformed URLs, ColdFusion is vulnerable to Cross Site Scripting (XSS).
+ /diapo.php?rep=<script>alert(document.cookie)</script>: GPhotos index.php rep Variable XSS. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2397
+ /admin/cfg/configscreen.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /admin/cfg/configsite.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /admin/cfg/configsql.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /admin/modules/cache.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /admin/settings.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /functions.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /modules/Downloads/voteinclude.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /modules/WebChat/in.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /modules/Your_Account/navbar.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /options.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /shop/php_files/site.config.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /uifc/MultFileUploadHandler.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /index.html.ru.iso-ru: Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. See: CWE-552
+ /aktivate/cgi-bin/catgy.cgi?key=0&cartname=axa200135022551089&desc=<script>alert('Vulnerable')</script>: Aktivate Shopping Cart 1.03 and lower are vulnerable to Cross Site Scripting (XSS). See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1212
+ /sysuser/docmgr/info.stm?path=<script>alert(document.cookie)</script>: Sambar Server default script is vulnerable to Cross Site Scripting (XSS). See: https://seclists.org/fulldisclosure/2003/Mar/265
+ /pls/portal/PORTAL.wwv_ui_lovf.show: Access to Oracle pages could have an unknown impact.
+ /pls/portal/PORTAL.wwv_dynxml_generator.show: Access to Oracle pages could have an unknown impact.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ 7856 requests: 0 error(s) and 24 item(s) reported on remote host
+ End Time:           2024-11-01 14:29:32 (GMT1) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

All of those are false positives, since in all cases my server returns a 404 response without a body or any content.

Maybe I did something wrong (it's my 1st time using the tool, so sorry if it's a dumb question).

sullo commented 3 weeks ago

We'd need to see the actual full HTTP 404 response to assist with reducing the FPs.

top-kat commented 3 weeks ago

Here is a postman screenshot

[Postman screenshot]

This is a straight 404 with no content.

sullo commented 3 weeks ago

We need the raw response, not interpreted by Postman or anything. Try using curl: curl <url>

top-kat commented 3 weeks ago

Thx for helping there, here is the result of the curl -v command:

curl http://localhost:9086/servlet/org.apache.catalina.Globals/%3Cscript%3Ealert\('Vulnerable'\)%3C/script%3E -v
* Host localhost:9086 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:9086...
* Connected to localhost (::1) port 9086
> GET /servlet/org.apache.catalina.Globals/%3Cscript%3Ealert(Vulnerable)%3C/script%3E HTTP/1.1
> Host: localhost:9086
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 404 Not Found
< Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
< Cross-Origin-Opener-Policy: same-origin
< Cross-Origin-Resource-Policy: same-origin
< Referrer-Policy: no-referrer
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-DNS-Prefetch-Control: off
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-XSS-Protection: 0
< Vary: Origin
< Access-Control-Allow-Credentials: true
< Date: Fri, 01 Nov 2024 13:50:58 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< Content-Length: 0
< 
* Connection #0 to host localhost left intact

If I don't set the -v option, it doesn't return a thing.

sullo commented 3 weeks ago

Well that wasn't helpful. Can you try this one? curl -v "http://localhost:9086/admin/cfg/configscreen.inc.php+"

top-kat commented 3 weeks ago

curl -v "http://localhost:9086/admin/cfg/configscreen.inc.php+"
* Host localhost:9086 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:9086...
* Connected to localhost (::1) port 9086
> GET /admin/cfg/configscreen.inc.php+ HTTP/1.1
> Host: localhost:9086
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 404 Not Found
< Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
< Cross-Origin-Opener-Policy: same-origin
< Cross-Origin-Resource-Policy: same-origin
< Referrer-Policy: no-referrer
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-DNS-Prefetch-Control: off
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-XSS-Protection: 0
< Vary: Origin
< Access-Control-Allow-Credentials: true
< Date: Fri, 01 Nov 2024 13:59:27 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< Content-Length: 0
< 
* Connection #0 to host localhost left intact

sullo commented 3 weeks ago

I can't offer a suggestion at this point. I don't see any obvious reason why it is giving a FP.

Nikto works by analyzing the HTTP response and looking for a certain code or response content matching. In the cases you pasted, it is responding with a 404 so Nikto should not be confused and report FP on some of them which are looking for a 200 response.

My best guess is the 404 detection has misidentified how the server works. I can't really troubleshoot that further since I don't have direct access to the server/configuration/app.

We might get a clue into the 404 detection if you run this and paste the output: ./nikto.pl -h http://localhost:9086/ -D D | grep php+

It should look something like this:

V:Fri Nov  1 10:08:49 2024 - Testing error for file: /5I2gyXy1.php=
V:Fri Nov  1 10:08:49 2024 - 302 for GET:   /5I2gyXy1.php=
V:Fri Nov  1 10:08:49 2024 - Testing error for file: /5I2gyXy1.php3
V:Fri Nov  1 10:08:49 2024 - 302 for GET:   /5I2gyXy1.php3
V:Fri Nov  1 10:08:49 2024 - Testing error for file: /5I2gyXy1.php3+
V:Fri Nov  1 10:08:49 2024 - 302 for GET:   /5I2gyXy1.php3+
V:Fri Nov  1 10:08:50 2024 - Testing error for file: /5I2gyXy1.php
V:Fri Nov  1 10:08:50 2024 - 302 for GET:   /5I2gyXy1.php
V:Fri Nov  1 10:08:50 2024 - Testing error for file: /5I2gyXy1.php+
V:Fri Nov  1 10:08:50 2024 - 302 for GET:   /5I2gyXy1.php+

top-kat commented 3 weeks ago

This doesn't exactly look like what you provided... it's an extremely long output, here is an extract:

Maybe it's worth mentioning I am on macOS?

D:Fri Nov 1 15:11:38 2024 'Result Hash' = { 'access-control-allow-credentials' => 'true', 'connection' => 'keep-alive', 'content-length' => 0, 'content-security-policy' => 'default-src \'self\';base-uri \'self\';font-src \'self\' https: data:;form-action \'self\';frame-ancestors \'self\';img-src \'self\' data:;object-src \'none\';script-src \'self\';script-src-attr \'none\';style-src \'self\' https: \'unsafe-inline\';upgrade-insecure-requests', 'cross-origin-opener-policy' => 'same-origin', 'cross-origin-resource-policy' => 'same-origin', 'date' => 'Fri, 01 Nov 2024 14:11:38 GMT', 'keep-alive' => 'timeout=5', 'referrer-policy' => 'no-referrer', 'strict-transport-security' => 'max-age=15552000; includeSubDomains', 'vary' => 'Origin', 'whisker' => { 'MAGIC' => 31340, 'code' => 404, 'data' => '', 'header_order' => [ 'content-security-policy', 'cross-origin-opener-policy', 'cross-origin-resource-policy', 'referrer-policy', 'strict-transport-security', 'x-content-type-options', 'x-dns-prefetch-control', 'x-download-options', 'x-frame-options', 'x-permitted-cross-domain-policies', 'x-xss-protection', 'vary', 'access-control-allow-credentials', 'date', 'connection', 'keep-alive', 'content-length' ], 'http_data_sent' => 1, 'http_eol' => "\r\n", 'http_space1' => ' ', 'http_space2' => ' ', 'lowercase_incoming_headers' => 1, 'message' => 'Not Found', 'protocol' => 'HTTP', 'socket_state' => 1, 'stats_reqs' => 6717, 'stats_syns' => 13, 'uri' => '/data/owncloud.log', 'uri_requested' => '/data/owncloud.log', 'version' => '1.1' }, 'x-content-type-options' => 'nosniff', 'x-dns-prefetch-control' => 'off', 'x-download-options' => 'noopen', 'x-frame-options' => 'SAMEORIGIN', 'x-permitted-cross-domain-policies' => 'none', 'x-xss-protection' => 0 }; D:Fri Nov 1 15:11:38 2024 'Request Hash' = { 'Connection' => 'Keep-Alive', 'Host' => 'localhost', 'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36', 
'whisker' => { 'MAGIC' => 31339, 'force_bodysnatch' => 0, 'force_close' => 0, 'force_open' => 0, 'host' => 'localhost', 'http_eol' => "\r\n", 'http_space1' => ' ', 'http_space2' => ' ', 'ignore_duplicate_headers' => 0, 'include_host_in_uri' => 0, 'invalid_protocol_return_value' => 1, 'keep-alive' => 1, 'lowercase_incoming_headers' => 1, 'max_size' => 750000, 'method' => 'GET', 'normalize_incoming_headers' => 1, 'port' => 9086, 'protocol' => 'HTTP', 'require_newline_after_headers' => 0, 'retry' => 0, 'ssl' => 0, 'ssl_certfile' => undef, 'ssl_rsacertfile' => undef, 'ssl_save_info' => 1, 'timeout' => 10, 'trailing_slurp' => 0, 'uri' => '/cloud/data/owncloud.log', 'uri_param_sep' => '?', 'uri_postfix' => '', 'uri_prefix' => '', 'version' => '1.1' } }; D:Fri Nov 1 15:11:38 2024 'Result Hash' = { 'access-control-allow-credentials' => 'true', 'connection' => 'keep-alive', 'content-length' => 0, 'content-security-policy' => 'default-src \'self\';base-uri \'self\';font-src \'self\' https: data:;form-action \'self\';frame-ancestors \'self\';img-src \'self\' data:;object-src \'none\';script-src \'self\';script-src-attr \'none\';style-src \'self\' https: \'unsafe-inline\';upgrade-insecure-requests', 'cross-origin-opener-policy' => 'same-origin', 'cross-origin-resource-policy' => 'same-origin', 'date' => 'Fri, 01 Nov 2024 14:11:38 GMT', 'keep-alive' => 'timeout=5', 'referrer-policy' => 'no-referrer', 'strict-transport-security' => 'max-age=15552000; includeSubDomains', 'vary' => 'Origin', 'whisker' => { 'MAGIC' => 31340, 'code' => 404, 'data' => '', 'header_order' => [ 'content-security-policy', 'cross-origin-opener-policy', 'cross-origin-resource-policy', 'referrer-policy', 'strict-transport-security', 'x-content-type-options', 'x-dns-prefetch-control', 'x-download-options', 'x-frame-options', 'x-permitted-cross-domain-policies', 'x-xss-protection', 'vary', 'access-control-allow-credentials', 'date', 'connection', 'keep-alive', 'content-length' ], 'http_data_sent' => 1, 
'http_eol' => "\r\n", 'http_space1' => ' ', 'http_space2' => ' ', 'lowercase_incoming_headers' => 1, 'message' => 'Not Found', 'protocol' => 'HTTP', 'socket_state' => 1, 'stats_reqs' => 6718, 'stats_syns' => 13, 'uri' => '/cloud/data/owncloud.log', 'uri_requested' => '/cloud/data/owncloud.log', 'version' => '1.1' }, 'x-content-type-options' => 'nosniff', 'x-dns-prefetch-control' => 'off', 'x-download-options' => 'noopen', 'x-frame-options' => 'SAMEORIGIN', 'x-permitted-cross-domain-policies' => 'none', 'x-xss-protection' => 0 }; D:Fri Nov 1 15:11:38 2024 'Request Hash' = { 'Connection' => 'Keep-Alive', 'Host' => 'localhost', 'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36', 'whisker' => { 'MAGIC' => 31339, 'force_bodysnatch' => 0, 'force_close' => 0, 'force_open' => 0, 'host' => 'localhost', 'http_eol' => "\r\n", 'http_space1' => ' ', 'http_space2' => ' ', 'ignore_duplicate_headers' => 0, 'include_host_in_uri' => 0, 'invalid_protocol_return_value' => 1, 'keep-alive' => 1, 'lowercase_incoming_headers' => 1, 'max_size' => 750000, 'method' => 'GET', 'normalize_incoming_headers' => 1, 'port' => 9086, 'protocol' => 'HTTP', 'require_newline_after_headers' => 0, 'retry' => 0, 'ssl' => 0, 'ssl_certfile' => undef, 'ssl_rsacertfile' => undef, 'ssl_save_info' => 1, 'timeout' => 10, 'trailing_slurp' => 0, 'uri' => '/owncloud/data/owncloud.log', 'uri_param_sep' => '?', 'uri_postfix' => '', 'uri_prefix' => '', 'version' => '1.1' } }; D:Fri Nov 1 15:11:38 2024 'Result Hash' = { 'access-control-allow-credentials' => 'true', 'connection' => 'keep-alive', 'content-length' => 0, 'content-security-policy' => 'default-src \'self\';base-uri \'self\';font-src \'self\' https: data:;form-action \'self\';frame-ancestors \'self\';img-src \'self\' data:;object-src \'none\';script-src \'self\';script-src-attr \'none\';style-src \'self\' https: \'unsafe-inline\';upgrade-insecure-requests', 
'cross-origin-opener-policy' => 'same-origin', 'cross-origin-resource-policy' => 'same-origin', 'date' => 'Fri, 01 Nov 2024 14:11:38 GMT', 'keep-alive' => 'timeout=5', 'referrer-policy' => 'no-referrer', 'strict-transport-security' => 'max-age=15552000; includeSubDomains', 'vary' => 'Origin', 'whisker' => { 'MAGIC' => 31340, 'code' => 404, 'data' => '', 'header_order' => [ 'content-security-policy', 'cross-origin-opener-policy', 'cross-origin-resource-policy', 'referrer-policy', 'strict-transport-security', 'x-content-type-options', 'x-dns-prefetch-control', 'x-download-options', 'x-frame-options', 'x-permitted-cross-domain-policies', 'x-xss-protection', 'vary', 'access-control-allow-credentials', 'date', 'connection', 'keep-alive', 'content-length' ], 'http_data_sent' => 1, 'http_eol' => "\r\n", 'http_space1' => ' ', 'http_space2' => ' ', 'lowercase_incoming_headers' => 1, 'message' => 'Not Found', 'protocol' => 'HTTP', 'socket_state' => 1, 'stats_reqs' => 6719, 'stats_syns' => 13, 'uri' => '/owncloud/data/owncloud.log', 'uri_requested' => '/owncloud/data/owncloud.log', 'version' => '1.1' }, 'x-content-type-options' => 'nosniff', 'x-dns-prefetch-control' => 'off', 'x-download-options' => 'noopen', 'x-frame-options' => 'SAMEORIGIN', 'x-permitted-cross-domain-policies' => 'none', 'x-xss-protection' => 0 }; D:Fri Nov 1 15:11:38 2024 'Request Hash' = { 'Connection' => 'Keep-Alive', 'Host' => 'localhost', 'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36', 'whisker' => { 'MAGIC' => 31339, 'force_bodysnatch' => 0, 'force_close' => 0, 'force_open' => 0, 'host' => 'localhost', 'http_eol' => "\r\n", 'http_space1' => ' ', 'http_space2' => ' ', 'ignore_duplicate_headers' => 0, 'include_host_in_uri' => 0, 'invalid_protocol_return_value' => 1, 'keep-alive' => 1, 'lowercase_incoming_headers' => 1, 'max_size' => 750000, 'method' => 'GET', 'normalize_incoming_headers' => 1, 'port' => 9086, 
'protocol' => 'HTTP', 'require_newline_after_headers' => 0, 'retry' => 0, 'ssl' => 0, 'ssl_certfile' => undef, 'ssl_rsacertfile' => undef, 'ssl_save_info' => 1, 'timeout' => 10, 'trailing_slurp' => 0, 'uri' => '/ownCloud/data/owncloud.log', 'uri_param_sep' => '?', 'uri_postfix' => '', 'uri_prefix' => '', 'version' => '1.1' } };

sullo commented 3 weeks ago

Ahh crap, I mis-typed. Use -D v instead of -D D.

top-kat commented 3 weeks ago

Here it is!

./nikto.pl -h http://localhost:9086/ -D v | grep php+
+ ERROR: Unable to open database file db_headers_suggested: .
V:Fri Nov  1 15:35:36 2024 - Testing error for file: /XsvbtEWs.php+
V:Fri Nov  1 15:35:36 2024 - 404 for GET:   /XsvbtEWs.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:   /admin/cfg/configscreen.inc.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:   /admin/cfg/configsite.inc.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:   /admin/cfg/configsql.inc.php+
V:Fri Nov  1 15:35:42 2024 - 429 for GET:   /admin/cfg/configtache.inc.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:   /admin/modules/cache.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:   /admin/settings.inc.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:   /functions.inc.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:   /modules/Downloads/voteinclude.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:   /modules/WebChat/in.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:   /modules/Your_Account/navbar.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:   /options.inc.php+
V:Fri Nov  1 15:35:42 2024 - 404 for GET:   /shop/php_files/site.config.php+
V:Fri Nov  1 15:35:43 2024 - 404 for GET:   /uifc/MultFileUploadHandler.php+

sullo commented 3 weeks ago

There is absolutely no reason it should be giving a FP on /admin/cfg/configscreen.inc.php+ at least; that seems clear.

I think this is the end of my ability to troubleshoot w/o access to the server. Unfortunately it looks like a code bug and that would take time to track down and a complicated fix, which is fine but... I can't access the system.

top-kat commented 3 weeks ago

Ok, thx for that investigation by the way. I'll be there if you need further information :)

digininja commented 3 weeks ago

Seeing as we have the output from curl -v, couldn't we put together a dummy page that returns the exact output to see if there is a match?


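The reproduction digininja proposes, combined with the 404-detection step sullo describes above ("Testing error for file"), as an added example that is not Nikto's or either participant's code: a loopback server that answers every path with a bodyless 404 carrying a hand-copied subset of the headers from the curl -v output, plus a simplified Nikto-style baseline check. DummyHandler, REAL_PATH and the helper names are assumptions, and the check is a deliberately reduced model of what Nikto does, not its actual logic.

```python
# Added example (not Nikto's or the reporter's code): a loopback stand-in for the
# server in this thread plus a simplified Nikto-style 404-detection check.
import http.server
import random
import string
import threading
import urllib.error
import urllib.request

# Subset of the headers in the curl -v output above, copied by hand (constructed).
OBSERVED_404_HEADERS = {
    "Content-Security-Policy": "default-src 'self';object-src 'none';script-src 'self'",
    "Cross-Origin-Opener-Policy": "same-origin",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "0",
}
REAL_PATH = "/exists.php+"  # hypothetical path that does exist, to contrast with an FP
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env

class DummyHandler(http.server.BaseHTTPRequestHandler):
    """404, the observed headers and an empty body for every path except REAL_PATH."""

    def do_GET(self):
        if self.path == REAL_PATH:
            body = b"<html>admin config</html>"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        self.send_response(404, "Not Found")
        for name, value in OBSERVED_404_HEADERS.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")  # no body, as in the issue
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the console quiet

def start_dummy_server():
    """Bind an ephemeral loopback port; returns (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), DummyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def fetch(url):
    """(status, body) for a GET, without raising on 4xx/5xx."""
    try:
        with OPENER.open(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def extension_of(path):
    """'/admin/cfg/configscreen.inc.php+' -> '.php+' (the suffix Nikto probes)."""
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):] if "." in name else ""

def learn_not_found(base_url, extensions):
    """Mirror of the 'Testing error for file: /XsvbtEWs.php+' step: request a random
    file per extension and remember the status the server answers with."""
    baseline = {}
    for ext in extensions:
        junk = "".join(random.choices(string.ascii_letters + string.digits, k=8))
        baseline[ext] = fetch(f"{base_url}/{junk}{ext}")[0]
    return baseline

def is_false_positive(base_url, path, baseline):
    """A hit is credible only if its status differs from the learned not-found code
    or a body came back; same code and empty body means the finding is an FP."""
    status, body = fetch(base_url + path)
    return status == baseline.get(extension_of(path), 404) and not body

if __name__ == "__main__":
    server, base = start_dummy_server()
    seen = learn_not_found(base, [".php+", ".inc.php", ".cfm"])
    for p in ["/admin/cfg/configscreen.inc.php+", REAL_PATH]:
        print(p, "false positive" if is_false_positive(base, p, seen) else "keep")
    server.shutdown()
```

Pointing base_url at the real server on port 9086 instead of the dummy reproduces the contradiction visible in the -D v run above: the random /XsvbtEWs.php+ probe and the reported paths both get the same bodyless 404, so a baseline comparison should discard them.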
sullo commented 3 weeks ago

@digininja if you create it, I'll test it :)

digininja commented 2 weeks ago

Challenge finally accepted!

$ ~/tools/web/nikto/program/nikto.pl -host https://vuln-demo.com
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          5.196.105.14
+ Target Hostname:    vuln-demo.com
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:           Subject:  /CN=badclick.vuln-demo.com
                      Ciphers:  TLS_AES_256_GCM_SHA384
                      Issuer:   /C=US/O=Let's Encrypt/CN=E5
+ Start Time:         2024-11-08 11:11:24 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache
+ /: Retrieved access-control-allow-origin header: *.
+ /zXeTyxZ1.php#: Retrieved x-powered-by header: Rainbows and XSS<script>alert(1)</script>.
+ /zXeTyxZ1.php#: Uncommon header(s) 'do_not_hack_me' found, with contents: Please.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: The Content-Encoding header is set to "deflate" which may mean that the server is vulnerable to the BREACH attack. See: http://breachattack.com/
+ /: Suggested security header missing: referrer-policy. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+ /: Suggested security header missing: permissions-policy. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
+ /: Suggested security header missing: content-security-policy. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+ Hostname 'vuln-demo.com' does not match certificate's names: badclick.vuln-demo.com. See: https://cwe.mitre.org/data/definitions/297.html
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /admin/cfg/configscreen.inc.php+: X-Frame-Options header is deprecated and was replaced with the Content-Security-Policy HTTP header with the frame-ancestors directive instead. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /admin/cfg/configscreen.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.

The false positive is on the last line.