Open Gitabhsuosowo opened 1 month ago
Do you have an issue to report? No info here.
Thx @sullo for being reactive!
Here is one of my scans:
➜ program git:(master) ./nikto.pl -h http://localhost:9086/
- Nikto v2.5.0
---------------------------------------------------------------------------
+ ERROR: Unable to open database file db_headers_suggested: .
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 9086
+ Start Time: 2024-11-01 14:29:13 (GMT1)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ No CGI Directories found (use '-C all' to force check all possible dirs)
called once
+ /servlet/org.apache.catalina.Globals/<script>alert('Vulnerable')</script>: Apache-Tomcat is vulnerable to Cross Site Scripting (XSS) by invoking java classes.
+ /ss000007.pl?PRODREF=<script>alert('Vulnerable')</script>: Actinic E-Commerce services is vulnerable to Cross Site Scripting (XSS). See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1732
+ /modules.php?op=modload&name=Members_List&file=index&letter=<script>alert('Vulnerable')</script>: This install of PHP-Nuke's modules.php is vulnerable to Cross Site Scripting (XSS).
+ /html/partner.php?mainfile=anything&Default_Theme='<script>alert(document.cookie);</script>: myphpnuke version 1.8.8_final_7 is vulnerable to Cross Site Scripting (XSS).
+ /article.cfm?id=1'<script>alert(document.cookie);</script>: With malformed URLs, ColdFusion is vulnerable to Cross Site Scripting (XSS).
+ /diapo.php?rep=<script>alert(document.cookie)</script>: GPhotos index.php rep Variable XSS. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2397
+ /admin/cfg/configscreen.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /admin/cfg/configsite.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /admin/cfg/configsql.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /admin/modules/cache.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /admin/settings.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /functions.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /modules/Downloads/voteinclude.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /modules/WebChat/in.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /modules/Your_Account/navbar.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /options.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /shop/php_files/site.config.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /uifc/MultFileUploadHandler.php+: This might be interesting: has been seen in web logs from an unknown scanner.
+ /index.html.ru.iso-ru: Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information. See: CWE-552
+ /aktivate/cgi-bin/catgy.cgi?key=0&cartname=axa200135022551089&desc=<script>alert('Vulnerable')</script>: Aktivate Shopping Cart 1.03 and lower are vulnerable to Cross Site Scripting (XSS). See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1212
+ /sysuser/docmgr/info.stm?path=<script>alert(document.cookie)</script>: Sambar Server default script is vulnerable to Cross Site Scripting (XSS). See: https://seclists.org/fulldisclosure/2003/Mar/265
+ /pls/portal/PORTAL.wwv_ui_lovf.show: Access to Oracle pages could have an unknown impact.
+ /pls/portal/PORTAL.wwv_dynxml_generator.show: Access to Oracle pages could have an unknown impact.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ 7856 requests: 0 error(s) and 24 item(s) reported on remote host
+ End Time: 2024-11-01 14:29:32 (GMT1) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
All of those are false positives, since in all cases my server returns a 404 response without a body or any content.
Maybe I did something wrong (it's my 1st time using the tool, so sorry if it's a dumb question).
We'd need to see the actual full HTTP 404 response to assist with reducing the FPs.
Here is a postman screenshot
This is a straight 404 with no content
We need the raw response, not interpreted by Postman or anything. Try using curl.
curl <url>
Thx for helping there, here is the result of the curl -v command:
curl http://localhost:9086/servlet/org.apache.catalina.Globals/%3Cscript%3Ealert\('Vulnerable'\)%3C/script%3E -v
* Host localhost:9086 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:9086...
* Connected to localhost (::1) port 9086
> GET /servlet/org.apache.catalina.Globals/%3Cscript%3Ealert(Vulnerable)%3C/script%3E HTTP/1.1
> Host: localhost:9086
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 404 Not Found
< Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
< Cross-Origin-Opener-Policy: same-origin
< Cross-Origin-Resource-Policy: same-origin
< Referrer-Policy: no-referrer
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-DNS-Prefetch-Control: off
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-XSS-Protection: 0
< Vary: Origin
< Access-Control-Allow-Credentials: true
< Date: Fri, 01 Nov 2024 13:50:58 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< Content-Length: 0
<
* Connection #0 to host localhost left intact
If I don't set the -v option, it doesn't return a thing.
Well that wasn't helpful. Can you try this one?
curl -v "http://localhost:9086/admin/cfg/configscreen.inc.php+"
curl -v "http://localhost:9086/admin/cfg/configscreen.inc.php+"
* Host localhost:9086 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:9086...
* Connected to localhost (::1) port 9086
> GET /admin/cfg/configscreen.inc.php+ HTTP/1.1
> Host: localhost:9086
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 404 Not Found
< Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
< Cross-Origin-Opener-Policy: same-origin
< Cross-Origin-Resource-Policy: same-origin
< Referrer-Policy: no-referrer
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-DNS-Prefetch-Control: off
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-XSS-Protection: 0
< Vary: Origin
< Access-Control-Allow-Credentials: true
< Date: Fri, 01 Nov 2024 13:59:27 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< Content-Length: 0
<
* Connection #0 to host localhost left intact
I can't offer a suggestion at this point. I don't see any obvious reason why it is giving a FP.
Nikto works by analyzing the HTTP response and looking for a certain code or response content matching. In the cases you pasted, it is responding with a 404 so Nikto should not be confused and report FP on some of them which are looking for a 200 response.
My best guess is the 404 detection has misidentified how the server works. I can't really troubleshoot that further since I don't have direct access to the server/configuration/app.
We might get a clue into the 404 detection if you run this and paste the output:
./nikto.pl -h http://localhost:9086/ -D D | grep php+
It should look something like this:
V:Fri Nov 1 10:08:49 2024 - Testing error for file: /5I2gyXy1.php=
V:Fri Nov 1 10:08:49 2024 - 302 for GET: /5I2gyXy1.php=
V:Fri Nov 1 10:08:49 2024 - Testing error for file: /5I2gyXy1.php3
V:Fri Nov 1 10:08:49 2024 - 302 for GET: /5I2gyXy1.php3
V:Fri Nov 1 10:08:49 2024 - Testing error for file: /5I2gyXy1.php3+
V:Fri Nov 1 10:08:49 2024 - 302 for GET: /5I2gyXy1.php3+
V:Fri Nov 1 10:08:50 2024 - Testing error for file: /5I2gyXy1.php
V:Fri Nov 1 10:08:50 2024 - 302 for GET: /5I2gyXy1.php
V:Fri Nov 1 10:08:50 2024 - Testing error for file: /5I2gyXy1.php+
V:Fri Nov 1 10:08:50 2024 - 302 for GET: /5I2gyXy1.php+
This doesn't exactly look like what you provided... it's an extremely long output, here is an extract:
Maybe it's worth mentioning I am on macOS?
Ahh crap, I mis-typed. Use -D v
instead of -D D
Here it is!
./nikto.pl -h http://localhost:9086/ -D v | grep php+
+ ERROR: Unable to open database file db_headers_suggested: .
V:Fri Nov 1 15:35:36 2024 - Testing error for file: /XsvbtEWs.php+
V:Fri Nov 1 15:35:36 2024 - 404 for GET: /XsvbtEWs.php+
V:Fri Nov 1 15:35:42 2024 - 404 for GET: /admin/cfg/configscreen.inc.php+
V:Fri Nov 1 15:35:42 2024 - 404 for GET: /admin/cfg/configsite.inc.php+
V:Fri Nov 1 15:35:42 2024 - 404 for GET: /admin/cfg/configsql.inc.php+
V:Fri Nov 1 15:35:42 2024 - 429 for GET: /admin/cfg/configtache.inc.php+
V:Fri Nov 1 15:35:42 2024 - 404 for GET: /admin/modules/cache.php+
V:Fri Nov 1 15:35:42 2024 - 404 for GET: /admin/settings.inc.php+
V:Fri Nov 1 15:35:42 2024 - 404 for GET: /functions.inc.php+
V:Fri Nov 1 15:35:42 2024 - 404 for GET: /modules/Downloads/voteinclude.php+
V:Fri Nov 1 15:35:42 2024 - 404 for GET: /modules/WebChat/in.php+
V:Fri Nov 1 15:35:42 2024 - 404 for GET: /modules/Your_Account/navbar.php+
V:Fri Nov 1 15:35:42 2024 - 404 for GET: /options.inc.php+
V:Fri Nov 1 15:35:42 2024 - 404 for GET: /shop/php_files/site.config.php+
V:Fri Nov 1 15:35:43 2024 - 404 for GET: /uifc/MultFileUploadHandler.php+
There is absolutely no reason it should be giving a FP on /admin/cfg/configscreen.inc.php+ at least; that seems clear.
I think this is the end of my ability to troubleshoot w/o access to the server. Unfortunately it looks like a code bug and that would take time to track down and a complicated fix, which is fine but... I can't access the system.
Ok thx for that investigation by the way, I'll be there if you need further information :)
Seeing as we have the output from curl -v , couldn't we put together a dummy page that returns the exact output to see if there is a match?
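The dummy page suggested just above, and the response-matching logic sullo describes earlier in the thread, as an added example that is not part of this thread or of the nikto project: a small Python stand-in server that answers every request with the empty 404 from the curl -v transcript (same headers in the same order, no Server header, Content-Length 0), so the scan can be re-run against it without access to the original system. The transcript shows only GET, so treating HEAD, POST and OPTIONS the same way is an assumption; the port 9086 default is just the one used in the thread.

```python
# Added example (not code from the nikto project or the thread's author):
# a throw-away HTTP server that answers every request with the exact empty
# 404 seen in the curl -v transcript, for reproducing the false positive.
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
import threading
import urllib.error
import urllib.request

# Header names, values and order copied from the curl -v transcript; the
# original server sent no Server header (Nikto: "No banner retrieved").
HEADERS_404 = [
    ("Content-Security-Policy",
     "default-src 'self';base-uri 'self';font-src 'self' https: data:;"
     "form-action 'self';frame-ancestors 'self';img-src 'self' data:;"
     "object-src 'none';script-src 'self';script-src-attr 'none';"
     "style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"),
    ("Cross-Origin-Opener-Policy", "same-origin"),
    ("Cross-Origin-Resource-Policy", "same-origin"),
    ("Referrer-Policy", "no-referrer"),
    ("Strict-Transport-Security", "max-age=15552000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-DNS-Prefetch-Control", "off"),
    ("X-Download-Options", "noopen"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Permitted-Cross-Domain-Policies", "none"),
    ("X-XSS-Protection", "0"),
    ("Vary", "Origin"),
    ("Access-Control-Allow-Credentials", "true"),
]


class Empty404Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _empty_404(self):
        # send_response_only() skips http.server's automatic Server/Date
        # headers; Date, Connection, Keep-Alive and Content-Length are added
        # by hand so the header set matches the transcript. No body follows.
        self.send_response_only(404, "Not Found")
        for name, value in HEADERS_404:
            self.send_header(name, value)
        self.send_header("Date", self.date_time_string())
        self.send_header("Connection", "keep-alive")
        self.send_header("Keep-Alive", "timeout=5")
        self.send_header("Content-Length", "0")
        self.end_headers()

    # Assumption: the transcript only shows GET; other common methods are
    # answered the same way. Unlisted methods still get http.server's 501.
    do_GET = do_HEAD = do_POST = do_OPTIONS = _empty_404

    def log_message(self, fmt, *args):  # keep the console quiet
        pass


def start_server(host="127.0.0.1", port=0):
    """Start the stand-in server in a daemon thread; return (server, url)."""
    server = ThreadingHTTPServer((host, port), Empty404Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://%s:%d" % server.server_address[:2]


def probe(base_url, path):
    """GET base_url+path; return (status, {header: value}, body bytes)."""
    req = urllib.request.Request(base_url + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses land here
        return err.code, dict(err.headers.items()), err.read()


if __name__ == "__main__":
    srv, url = start_server(port=9086)  # same port as in the thread
    print("stand-in server on %s; now run: ./nikto.pl -h %s/" % (url, url))
    try:
        threading.Event().wait()  # keep the main thread alive
    except KeyboardInterrupt:
        srv.shutdown()
```

If the /admin/cfg/configscreen.inc.php+ item still shows up against this stand-in, the problem is reproducible from the headers alone and can be debugged in Nikto's 404 detection without the original server.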
@digininja if you create it, I'll test it :)
Challenge finally accepted!
$ ~/tools/web/nikto/program/nikto.pl -host https://vuln-demo.com
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 5.196.105.14
+ Target Hostname: vuln-demo.com
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /CN=badclick.vuln-demo.com
Ciphers: TLS_AES_256_GCM_SHA384
Issuer: /C=US/O=Let's Encrypt/CN=E5
+ Start Time: 2024-11-08 11:11:24 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache
+ /: Retrieved access-control-allow-origin header: *.
+ /zXeTyxZ1.php#: Retrieved x-powered-by header: Rainbows and XSS<script>alert(1)</script>.
+ /zXeTyxZ1.php#: Uncommon header(s) 'do_not_hack_me' found, with contents: Please.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: The Content-Encoding header is set to "deflate" which may mean that the server is vulnerable to the BREACH attack. See: http://breachattack.com/
+ /: Suggested security header missing: referrer-policy. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+ /: Suggested security header missing: permissions-policy. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
+ /: Suggested security header missing: content-security-policy. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+ Hostname 'vuln-demo.com' does not match certificate's names: badclick.vuln-demo.com. See: https://cwe.mitre.org/data/definitions/297.html
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /admin/cfg/configscreen.inc.php+: X-Frame-Options header is deprecated and was replaced with the Content-Security-Policy HTTP header with the frame-ancestors directive instead. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /admin/cfg/configscreen.inc.php+: This might be interesting: has been seen in web logs from an unknown scanner.
The false positive is on the last line.