nikto
Bug: false positive "The X-Content-Type-Options header is not set"
Expected behavior
Like running with -Plugins "headers", no error should be thrown.
$ perl /usr/local/nikto-nikto-2.5.0/program/nikto.pl -config /usr/local/nikto-nikto-2.5.0/program/nikto.conf -Display P -timeout 2 -Pause 0.1 -maxtime 24h -h <REDACTED-IP> -C all -p <REDACTED-PORT> -Plugins "headers"
-***** Pausing 0.1 second(s) per request
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: <REDACTED-IP>
+ Target Hostname: <REDACTED-IP>
+ Target Port: <REDACTED-PORT>
+ Start Time: 2022-07-26 11:34:24 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Ubuntu)
+ 267 requests: 0 error(s) and 0 item(s) reported on remote host
+ End Time: 2022-07-26 11:34:57 (GMT-4) (33 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Like running with -Plugins "httpoptions", no error should be thrown:
$ perl /usr/local/nikto-nikto-2.5.0/program/nikto.pl -config /usr/local/nikto-nikto-2.5.0/program/nikto.conf -Display P -timeout 2 -Pause 0.1 -maxtime 24h -h <REDACTED-IP> -C all -p <REDACTED-PORT> -Plugins "httpoptions"
-***** Pausing 0.1 second(s) per request
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: <REDACTED-IP>
+ Target Hostname: <REDACTED-IP>
+ Target Port: <REDACTED-PORT>
+ Start Time: 2022-07-26 11:35:17 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Ubuntu)
+ 249 requests: 0 error(s) and 0 item(s) reported on remote host
+ End Time: 2022-07-26 11:35:48 (GMT-4) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Actual behavior
Running with -Plugins "headers;httpoptions" (or "httpoptions;headers") throws an error:
$ perl /usr/local/nikto-nikto-2.5.0/program/nikto.pl -config /usr/local/nikto-nikto-2.5.0/program/nikto.conf -Display P -timeout 2 -Pause 0.1 -maxtime 24h -h <REDACTED-IP> -C all -p <REDACTED-PORT> -Plugins "headers;httpoptions"
-***** Pausing 0.1 second(s) per request
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: <REDACTED-IP>
+ Target Hostname: <REDACTED-IP>
+ Target Port: <REDACTED-PORT>
+ Start Time: 2022-07-26 11:36:04 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Ubuntu)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ 276 requests: 0 error(s) and 1 item(s) reported on remote host
+ End Time: 2022-07-26 11:36:39 (GMT-4) (35 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Debug Verbose output shows no headers detected at all:
V:Tue Jul 26 09:27:15 2022 - Running scan for "HTTP Options" plugin
D:Tue Jul 26 09:27:15 2022 'Request Hash' = {
'Connection' => 'Keep-Alive',
'Host' => '<REDACTED-IP>',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36',
'whisker' => {
'MAGIC' => 31339,
'force_bodysnatch' => 0,
'force_close' => 0,
'force_open' => 0,
'host' => '<REDACTED-IP>',
'http_eol' => "\r\n",
'http_space1' => ' ',
'http_space2' => ' ',
'ignore_duplicate_headers' => 0,
'include_host_in_uri' => 0,
'invalid_protocol_return_value' => 1,
'keep-alive' => 1,
'lowercase_incoming_headers' => 1,
'max_size' => 750000,
'method' => 'OPTIONS',
'normalize_incoming_headers' => 1,
'port' => <REDACTED-PORT>,
'protocol' => 'HTTP',
'require_newline_after_headers' => 0,
'retry' => 0,
'ssl' => 0,
'ssl_certfile' => undef,
'ssl_rsacertfile' => undef,
'ssl_save_info' => 1,
'timeout' => 2,
'trailing_slurp' => 0,
'uri' => '*',
'uri_param_sep' => '?',
'uri_postfix' => '',
'uri_prefix' => '',
'version' => '1.1'
}
};
D:Tue Jul 26 09:27:15 2022 'Result Hash' = {
'connection' => 'Keep-Alive',
'content-length' => 0,
'date' => 'Tue, 26 Jul 2022 13:27:15 GMT',
'keep-alive' => 'timeout=5, max=100',
'server' => 'Apache/2.4.52 (Ubuntu)',
'whisker' => {
'MAGIC' => 31340,
'code' => 200,
'data' => '',
'header_order' => [
'date',
'server',
'content-length',
'keep-alive',
'connection'
],
'http_data_sent' => 1,
'http_eol' => "\r\n",
'http_space1' => ' ',
'http_space2' => ' ',
'lowercase_incoming_headers' => 1,
'message' => 'OK',
'protocol' => 'HTTP',
'socket_state' => 1,
'stats_reqs' => 281,
'stats_syns' => 7,
'uri' => '*',
'uri_requested' => '*',
'version' => '1.1'
}
};
V:Tue Jul 26 09:27:15 2022 - 200 for OPTIONS: *
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
Steps to reproduce
- Configure a target host to respond with X-Content-Type-Options
- Run Nikto:
perl /usr/local/nikto-nikto-2.5.0/program/nikto.pl -config /usr/local/nikto-nikto-2.5.0/program/nikto.conf -Display P -timeout 2 -Pause 0.1 -maxtime 24h -h <REDACTED-IP> -C all -p <REDACTED-PORT> -Plugins "headers;httpoptions"
Nikto version
$ perl /usr/local/nikto-master/program/nikto.pl -config /usr/local/nikto-master/program/nikto.conf --Version
Nikto 2.5.0 (LW 2.5)
Further technical info
Yet, curl shows headers including X-Content-Type-Options:
$ curl -i -X OPTIONS http://<REDACTED-IP>:<REDACTED-PORT>/*
HTTP/1.1 403 Forbidden
Date: Tue, 26 Jul 2022 15:26:21 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Length: 280
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at <REDACTED-IP> Port <REDACTED-PORT></address>
</body></html>
I've just tested it against my server and it finds the header and does not report anything.
Have you tried it without all the extra options?
nikto.pl -h https://digi.ninja -Plugins "httpoptions"
What does curl show if you just do a GET rather than OPTIONS?
Did you type the X-Content-Type-Options in the config file or copy/paste from somewhere? Could the hyphens be other characters that look like hyphens?
Have you tried saving the output with -Save to see what it contains?
As it looks like you are scanning HTTP rather than HTTPS, could you try capturing the traffic with Wireshark or tcpdump and see if the headers are returned?
The problem is triggered when -Plugins "headers;httpoptions" or -Plugins "httpoptions;headers"
Does it see the header if you don't ask for just those plugins?
Note: this issue occurs when using Nikto 2.5.0.
I can reproduce the error against digi.ninja:
$ perl /usr/local/nikto-nikto-2.5.0/program/nikto.pl -h https://digi.ninja -Plugins "headers;httpoptions"
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 5.196.105.14
+ Target Hostname: digi.ninja
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /CN=alertlab.digi.ninja
Altnames: alertlab.digi.ninja, authlab.digi.ninja, cors-client.digi.ninja, cors-server.digi.ninja, crackedflask.digi.ninja, digi.ninja, digininja.org, frontme.vuln-demo.com, frontmecf.vuln-demo.com, graphqlab.digi.ninja, html5.digi.ninja, html5server.digi.ninja, iot-cert.space, ip.digi.ninja, secret.digi.ninja, splitxsslab.digi.ninja, svg.digi.ninja, vuln-demo.com, vulndap.digi.ninja, ws.digi.ninja, www.digi.ninja, www.digininja.org, www.iot-cert.space, www.vuln-demo.com, www.zonetransfer.me, zonetransfer.me
Ciphers: TLS_AES_256_GCM_SHA384
Issuer: /C=US/O=Let's Encrypt/CN=R3
+ Start Time: 2022-07-27 12:08:43 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ Retrieved x-powered-by header: Rainbows and XSS<script>alert(1)</script>.
+ Uncommon header 'x-xss' found, with contents: <script>alert('XSS');</script>.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack. See: http://breachattack.com/
+ Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See: https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017
+ 277 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2022-07-27 12:10:32 (GMT-4) (109 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
And yet, curl confirms that X-Content-Type-Options is present:
$ curl -i -X OPTIONS https://digi.ninja/*
HTTP/2 200
x-powered-by: Rainbows and XSS<script>alert(1)</script>
strict-transport-security: max-age=63072000
permissions-policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), layout-animations=(), legacy-image-formats=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), oversized-images=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), sync-xhr=(), usb=(), wake-lock=(), screen-wake-lock=(), web-share=(), xr-spatial-tracking=()
allow: GET,POST,OPTIONS,HEAD
cache-control: max-age=172800
expires: Fri, 29 Jul 2022 16:12:15 GMT
x-content-type-options: nosniff
x-xss: <script>alert('XSS');</script>
x-frame-options: DENY
referrer-policy: no-referrer-when-downgrade
expect-ct: enforce,max-age=30,report-uri="https://digininja.report-uri.com/r/d/ct/enforce"
content-security-policy: default-src 'self' ; object-src 'self' ; style-src 'self' https://fonts.googleapis.com/css ; font-src 'self' https://fonts.gstatic.com/s/cookie/v12/ ; frame-src https://blog.c22.cc https://asciinema.org https://www.youtube.com ; script-src 'self' https://asciinema.org/a/ZbhHf0GnDEp2Vuh6j0EiikJwj.js https://asciinema.org/a/wI21yxJc5xv42qvRa3cSExhgR.js https://www.google-analytics.com ; img-src 'self' https://stats.g.doubleclick.net https://www.google-analytics.com https://www.google.se/ads/ https://www.google.ae/ads/ https://www.google.at/ads/ https://www.google.be/ads/ https://www.google.ca/ads/ https://www.google.ch/ads/ https://www.google.cl/ads/ https://www.google.cn/ads/ https://www.google.co.id/ads/ https://www.google.co.il/ads/ https://www.google.co.in/ads/ https://www.google.co.jp/ads/ https://www.google.co.kr/ads/ https://www.google.co.ma/ads/ https://www.google.co.nz/ads/ https://www.google.co.uk/ads/ https://www.google.co.za/ads/ https://www.google.com.ar/ads/ https://www.google.com.au/ads/ https://www.google.com.br/ads/ https://www.google.com.co/ads/ https://www.google.com.gr/ads/ https://www.google.com.gt/ads/ https://www.google.com.hk/ads/ https://www.google.com.mm/ads/ https://www.google.com.mx/ads/ https://www.google.com.np/ads/ https://www.google.com.ph/ads/ https://www.google.com.pk/ads/ https://www.google.com.pt/ads/ https://www.google.com.sg/ads/ https://www.google.com.tr/ads/ https://www.google.com.tw/ads/ https://www.google.com.zw/ads/ https://www.google.com/ads/ https://www.google.cz/ads/ https://www.google.de/ads/ https://www.google.dk/ads/ https://www.google.ee/ads/ https://www.google.es/ads/ https://www.google.fr/ads/ https://www.google.iq/ads/ https://www.google.it/ads/ https://www.google.no/ads/ https://www.google.pl/ads/ https://www.google.ro/ads/ https://www.google.rs/ads/ https://www.google.ru/ads/ https://www.google.co.tz/ads/ https://www.google.co.th/ads/ https://www.google.com.eg/ads/ 
https://www.google.com.ng/ads/ https://www.google.fi/ads/ https://www.google.sk/ads/ https://www.google.com.pe/ads https://www.google.com.vn/ads https://www.google.lk/ads https://www.google.co.zw/ads https://www.google.nl/ads https://www.google.com.bh/ads https://www.gstatic.com/images/branding/product/2x/translate_24dp.png ; connect-src https://stats.g.doubleclick.net https://www.google-analytics.com/ ; report-uri https://digininja.report-uri.io/r/default/csp/enforce ;
content-length: 0
date: Wed, 27 Jul 2022 16:12:15 GMT
server: Apache
What's happening is that most responses are returning the X-Content-Type-Options header, but there is one that does not.
GET /67b2Zd9Z.php# HTTP/1.1
Host: digi.ninja
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
---------------------------------------------------------------------------
HTTP/1.1 400 Bad Request
date: Sun, 31 Jul 2022 00:57:06 GMT
server: Apache
x-powered-by: Rainbows and XSS<script>alert(1)</script>
strict-transport-security: max-age=63072000
permissions-policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), layout-animations=(), legacy-image-formats=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), oversized-images=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), sync-xhr=(), usb=(), wake-lock=(), screen-wake-lock=(), web-share=(), xr-spatial-tracking=()
content-length: 226
connection: close
content-type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
...
So Nikto is looking at each response and the test for the header is passing, then this one request happens and it issues a finding. Note that it will only issue one, so there might be other 400 responses that don't contain it--this is just the first one.
I'm not sure if this should be fixed or can be fixed (easily). Technically it's correct, but it doesn't feel very useful.
Would taking the response code into consideration help? Are there any useful attacks if a 4xx is returned?
I try not to judge on what's useful and what isn't, and let the user decide. On the other hand, I have never come across an issue with a 400 response unless it was XSS, and even that maybe once or twice in the last 2 decades.
So the question is then, do we want to ignore all headers on 400 responses? @rchekaluk what are your thoughts on this?
I don't feel supremely qualified to issue a ruling; I have been treating Nikto guidance as the de facto authority.
Having said that, here are a couple of thoughts:
- Nikto prior to 2.5.0 did not report this finding; simply mimic the policy of that version?
- If not, a slightly more invasive approach might be to make the finding more useful: e.g. by providing more detail on the specific request and response
- If not, ignoring all headers on 400 responses strikes me as the most invasive approach. All things being equal, perhaps only use this approach as a last resort?
If not, a slightly more invasive approach might be to make the finding more useful: e.g. by providing more detail on the specific request and response
I'm thinking this might be a good compromise. It doesn't show the path now (for any header check) but it probably should.
The lack of it in previous versions is just another example of needing to get 2.5.0 out as an official release :)
@digininja I appreciate your opinion as well. Thoughts?
Adding some context would help.
... Not found on 40x response
Or
... Not found on 200 response
I've never managed to use it as vulnerability so not sure how much use it actually is.
Looking a little more, I notice a few things:
- The Actual Behavior above Debug Verbose output shows request 'uri' => '*', not digi.ninja/67b2Zd9Z.php#
- The Actual Behavior above Debug Verbose output shows 'code' => 200, not digi.ninja 4xx
- The Actual Behavior above Debug Verbose output shows 'method' => 'OPTIONS', not digi.ninja GET
- Reiterating that the Actual Behavior above Debug Verbose output shows no headers detected at all, not just X-Content-Type-Options
I'm not certain we should be checking for missing headers on OPTIONS - as most of the security headers won't do much of anything on an OPTIONS request.
So two points to decide:
- Should we report security headers on 4xx - I'm tempted to say yes, as a 4xx page still has content and can still be abused to carry other attacks (e.g. if there's an XSS in the 404 page, then a CSP will prevent it)
- Should we report security headers on OPTIONS - I would say no as OPTIONS doesn't return a body and therefore the headers won't do anything.
After some consideration I agree with @tautology0 that we should not report on OPTIONS so I've added a line to skip that.
I also added the file requested to all the headers checks (as well as all the other templates, where appropriate).
@rchekaluk can you see if this works to your expectations? I think the addition of the file requested will make it more clear and help people make more sense of the errors.
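As an added illustration (not Nikto's own code, and not written by anyone in this thread) of both the behaviour described above, where the per-response check fires on the first response that lacks the header, and the two adjustments just described (skip OPTIONS, report the file requested), the following Python models the header test over a constructed set of responses. The response set, the helper names and the `skip_methods` parameter are assumptions for the example; Nikto itself is Perl, and its real test is the `defined $result->{'x-content-type-options'}` check quoted elsewhere in this thread.

```python
"""Model of Nikto's per-response security-header check, with request context.

Added example, not Nikto's code. It mimics what the thread describes:
nikto_headers.plugin tests every response for 'x-content-type-options' and
raises a single finding the first time the header is absent. The responses
below are constructed to match the thread: most carry the header, the
OPTIONS * probe returns no body headers, and one GET to a junk path gets a
400 without the header.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    method: str
    uri: str
    code: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Nikto lowercases incoming headers ('lowercase_incoming_headers' => 1),
        # so the lookup is made case-insensitive here as well.
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower())


# Constructed sample traffic mirroring the thread (not captured from a real scan).
SAMPLE = [
    Response("GET", "/", 200, {"X-Content-Type-Options": "nosniff", "Server": "Apache"}),
    Response("GET", "/index.php", 200, {"x-content-type-options": "nosniff"}),
    Response("OPTIONS", "*", 200, {"Server": "Apache", "Content-Length": "0"}),
    Response("GET", "/67b2Zd9Z.php#", 400, {"Server": "Apache", "Content-Type": "text/html"}),
    Response("GET", "/login", 301, {"Location": "/login/"}),
]

HEADER = "x-content-type-options"


def check_naive(responses):
    """Behaviour as reported for 2.5.0: the first response without the header
    produces a finding, and only the message is reported, so the request that
    triggered it (here the OPTIONS * probe) is invisible to the user."""
    for r in responses:
        if r.header(HEADER) is None:
            return f"The {HEADER} header is not set."
    return None


def check_with_context(responses, skip_methods=("OPTIONS",)):
    """Adjusted check: skip methods whose responses carry no body for the
    header to protect, and attach the requested file and status code."""
    for r in responses:
        if r.method in skip_methods:
            continue
        if r.header(HEADER) is None:
            return {
                "message": f"{r.uri}: The {HEADER} header is not set.",
                "method": r.method,
                "uri": r.uri,
                "code": r.code,
            }
    return None


def missing_by_status(responses, skip_methods=("OPTIONS",)):
    """Inventory every response lacking the header, grouped by status code,
    so a reader can judge whether a 4xx or 3xx response is worth reporting."""
    out = {}
    for r in responses:
        if r.method in skip_methods or r.header(HEADER) is not None:
            continue
        out.setdefault(r.code, []).append(f"{r.method} {r.uri}")
    return out


if __name__ == "__main__":
    print(check_naive(SAMPLE))
    print(check_with_context(SAMPLE))
    print(missing_by_status(SAMPLE))
```

Run stand-alone, the naive check fires on the OPTIONS * probe exactly as in the original report, while the contextual check skips it and instead names the 400 response to the junk path; the inventory shows the 301 as a further candidate of the kind mentioned later in the thread.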
Sorry, been struggling somewhat. ATM my Nikto 2.5.0 scan takes significantly longer than with previous Nikto 2.1.6. I'm still looking into it, but with long runs this process is somewhat slow.
@rchekaluk keep me posted on how the timing is going. If that's a problem lets get a new issue opened.
The latest Nikto 2.5.0 behaves as I would expect.
My timing issue was user error.
@rchekaluk thanks for testing!
I'll retest this later, but I've just seen this reported on a 301 response where the header wouldn't make any sense.
Is there any way to report the response code along with the finding?
It is something broken in the change from 2.1.6 to 2.5.0 as the current master branch finds the header.
@sullo you broke something!
I was going to say case sensitivity, but this is the check:
nikto_headers.plugin: if (!defined $result->{'x-content-type-options'}) {
And this is a snippet of the save file with the header in lower case.
vary: Accept-Encoding
x-content-type-options: nosniff
x-xss: