diff --git a/program/nikto.pl b/program/nikto.pl
index 49e34161..c5484e50 100755
--- a/program/nikto.pl
+++ b/program/nikto.pl
@@ -150,35 +150,36 @@
 # Now we've done the precursor, do the scan
 foreach my $mark (@MARKS) {
- report_host_start($mark);
- if ($mark->{'errmsg'} ne "") {
- add_vulnerability($mark, $mark->{'errmsg'}, 0, "", "GET", "/", "", "");
- }
+ my %FoF = ();
 if (!$mark->{'test'}) {
 report_host_end($mark);
 next;
 }
+ if (defined $CLI{'vhost'}) {
+ $mark->{'vhost'} = $CLI{'vhost'};
+ }
 $mark->{'total_vulns'} = 0;
 $mark->{'total_errors'} = 0;
 $mark->{'start_time'} = time();
 $VARIABLES{'TEMPL_HCTR'}++;
- if (defined $CLI{'vhost'}) {
- $mark->{'vhost'} = $CLI{'vhost'};
- }
- # Saving responses
 if ($CLI{'saveresults'} ne '') {
 $mark->{'save_dir'} = save_createdir($CLI{'saveresults'}, $mark);
 $mark->{'save_prefix'} = save_getprefix($mark);
 }
- my %FoF = ();
- nfetch($mark, "/", "GET", "", "", { noprefetch => 1, nopostfetch => 1 }, "getinfo");
+ report_host_start($mark);
+
+ if ($mark->{'errmsg'} ne "") {
+ add_vulnerability($mark, $mark->{'errmsg'}, 0, "", "GET", "/", "", "");
+ }
+
+ dump_target_info($mark);
 unless ((defined $CLI{'nofof'}) || ($CLI{'plugins'} eq '@@NONE')) { map_codes($mark) }
 run_hooks($mark, "recon");
@@ -197,7 +198,7 @@
 }
 else {
 nprint(
- "+ Scan terminated: $mark->{'total_errors'} error(s) and $mark->{'total_vulns'} item(s) reported on remote host"
+ "+ Scan terminated: $mark->{'total_errors'} error(s) and $mark->{'total_vulns'} item(s) reported on remote host"
 );
 }
 nprint( "+ End Time: "
diff --git a/program/plugins/nikto_core.plugin b/program/plugins/nikto_core.plugin
index bb23a4f3..74cd217a 100644
--- a/program/plugins/nikto_core.plugin
+++ b/program/plugins/nikto_core.plugin
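Review bot: `report_host_start($mark)` now runs after the `if (!$mark->{'test'}) { report_host_end($mark); next; }` guard, so a mark with nothing to test gets a host-end report without a matching host-start; before this change start always preceded end. Either call `report_host_start($mark);` inside that guard ahead of `report_host_end`, or skip both for untested marks, whichever the reporters expect. The removed `nfetch($mark, "/", ... "getinfo")` is replaced by `dump_target_info($mark)`, which is not part of this diff; presumably it performs that initial fetch, but it is worth confirming that the banner data `report_host_start` prints is populated by the time it is called. The loop body continues outside the hunk.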
@@ -1944,7 +1944,6 @@ sub load_plugins {
 ###############################################################################
 sub run_hooks {
 my ($mark, $type, $request, $result) = @_;
- return if $mark->{'terminate'};
 foreach my $plugin (@{ $PLUGINORDER{$type} }) {
 return if $mark->{'terminate'};
@@ -2474,7 +2473,7 @@ sub nfetch {
 # Snarf what we can from the whisker hash and put in mark
 if (!exists $result{'whisker'}->{'error'}) {
- if (!exists $mark->{'banner'}) {
+ if ((!exists $mark->{'banner'}) || ($mark->{'banner'} eq "")) {
 $mark->{'banner'} = $result{'server'};
 }
 else {
@@ -2769,9 +2768,9 @@ sub send_updates {
 if ($answer !~ /y/i) { return; }
 # set up our mark
- my %mark = ('ident' => 'cirt.net',
- 'ssl' => 1,
- 'port' => 443
+ my %mark = ('ident' => '68.183.58.226',
+ 'ssl' => 0,
+ 'port' => 80
 );
 for (my $i = 0 ; $i <= $#ARGV ; $i++) {
@@ -2781,7 +2780,7 @@ sub send_updates {
 }
 }
- ($mark{'hostname'}, $mark{'ip'}, $mark{'display_name'}) = resolve('cirt.net');
+ ($mark{'hostname'}, $mark{'ip'}, $mark{'display_name'}) = resolve('68.183.58.226');
 $upd_enc = LW2::encode_base64($updated_version);
 chomp($upd_enc);
diff --git a/program/plugins/nikto_headers.plugin b/program/plugins/nikto_headers.plugin
index 9a612886..7aa56740 100644
--- a/program/plugins/nikto_headers.plugin
+++ b/program/plugins/nikto_headers.plugin
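Review bot: The deleted guard was redundant with the per-plugin `return if $mark->{'terminate'};` on the very next line, so the only observable difference is when `@{ $PLUGINORDER{$type} }` is empty: a terminated mark now falls through to whatever follows the loop, which lies outside this hunk. If that fall-through is the intent, a one-line comment would stop the next reader from putting the guard back, e.g. `# terminate is checked per plugin so an empty hook list still reaches the post-loop handling`. run_hooks continues beyond the hunk.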
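Review bot: The update submission in send_updates now targets a bare IP literal over plain HTTP (`'ssl' => 0, 'port' => 80`) instead of cirt.net on TLS/443, so the payload assembled a few lines below (`$upd_enc`, the base64 of `$updated_version`) travels in cleartext and the receiving end can no longer be authenticated by certificate; anything on the path can read or alter the exchange. If the endpoint genuinely has no TLS, the downgrade at least deserves a comment saying so; otherwise keep `'ssl' => 1, 'port' => 443` and a hostname. The same literal is repeated in the `resolve('68.183.58.226')` hunk right after this one — hoist it into a single `my $UPDATE_HOST = ...;` so the two cannot drift apart. send_updates continues outside both hunks.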
@@ -134,7 +134,7 @@ sub nikto_headers_postfetch {
 $allowed =~ s/^.* //g;
 add_vulnerability( $mark, "X-Frame-Options header is set to allow framing from $allowed. This does not have full cross-browser support (only in IE and Firefox) and may lead to the header being ignored.", 999978, "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options", $request->{'whisker'}->{'method'}, $request->{'whisker'}->{'uri'}, $request, $result);
 }
- }
+ } else {
 add_vulnerability($mark, "The anti-clickjacking X-Frame-Options header is not present.", 999957, "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options", $request->{'whisker'}->{'method'}, $request->{'whisker'}->{'uri'}, $request, $result);
 }
@@ -212,6 +212,7 @@ sub nikto_headers_postfetch {
 }
 }
+ # Strict-Transport-Security
 if ($mark->{'ssl'} && !$HEADERS_STS{ $mark->{hostname} }{ $mark->{port} } && defined $result) {
 if (!defined $result->{'strict-transport-security'}) {
 add_vulnerability( $mark, "The site uses TLS and the Strict-Transport-Security HTTP header is not defined.", 999970, "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security", $request->{'whisker'}->{'method'}, $request->{'whisker'}->{'uri'}, $request, $result);
@@ -223,13 +224,15 @@ sub nikto_headers_postfetch {
 $HEADERS_STS{ $mark->{hostname} }{ $mark->{port} } = 1;
 }
+ # X-Content-Type-Options
 if (!$HEADERS_XCTO{ $mark->{hostname} }{ $mark->{port} } && defined $result->{'whisker'}->{'code'}) {
 if (!defined $result->{'x-content-type-options'}) {
 add_vulnerability( $mark, "The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.", 999103, "https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/", $request->{'whisker'}->{'method'}, $request->{'whisker'}->{'uri'}, $request, $result);
+ $HEADERS_XCTO{ $mark->{hostname} }{ $mark->{port} } = 1;
 }
- $HEADERS_XCTO{ $mark->{hostname} }{ $mark->{port} } = 1;
 }
+ # x-clacks-overhead
 if (!$HEADERS_XCO{ $mark->{hostname} }{ $mark->{port} } && defined $result->{'whisker'}->{'code'}) {
 if (defined $result->{'x-clacks-overhead'}) {
 add_vulnerability( $mark, "There appears to be Clacks Overhead on the server and the message is: $result->{'x-clacks-overhead'}", 999104, "https://xclacksoverhead.org/home/about", $request->{'whisker'}->{'method'}, $request->{'whisker'}->{'uri'}, $request, $result);
diff --git a/program/plugins/nikto_report_json.plugin b/program/plugins/nikto_report_json.plugin
index ced65807..8cda295d 100644
--- a/program/plugins/nikto_report_json.plugin
+++ b/program/plugins/nikto_report_json.plugin
@@ -82,7 +82,7 @@ sub json_close {
 # print an item
 sub json_item {
 my ($handle, $mark, $item) = @_;
- $line .= "{";
+ my $line = "{";
 $line .= "\"id\": \"" . $item->{'nikto_id'} ."\",";
 if ($item->{'refs'} ne '') { $line .= "\"references\": \"" . $item->{'refs'} ."\","; }
 if ($item->{'method'} ne '') { $line .= "\"method\":\"" . $item->{'method'} ."\","; }
diff --git a/program/plugins/nikto_shellshock.plugin b/program/plugins/nikto_shellshock.plugin
index f87d0de2..217d92fa 100644
--- a/program/plugins/nikto_shellshock.plugin
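Review bot: Moving `$HEADERS_XCTO{...} = 1` inside the `if (!defined $result->{'x-content-type-options'})` block turns the per-host:port one-shot flag into "keep checking every response until one lacks the header", which differs from the Strict-Transport-Security block just above, whose flag on the first context line of this hunk appears to be set unconditionally. If that is the intent — report the first response that omits the header even when earlier ones sent it — say so beside the new comment, e.g. `# flag is set only once reported, so a later response without the header is still caught`; otherwise restore the assignment outside the inner if so the two blocks share one policy. nikto_headers_postfetch continues outside the hunk.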
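Review bot: `my $line = "{"` fixes the cross-item accumulation, but every value is still spliced into the JSON text raw, so a `"` or `\` in `$item->{'refs'}`, `$item->{'method'}` or any later field breaks the record or lets the value inject extra keys; at least one finding on this page (the x-clacks-overhead message in nikto_headers.plugin) embeds a server-supplied header verbatim, so the input is attacker-controlled. Either build the record with core `JSON::PP::encode_json` or route every value through a small quoting helper as below; the `ne ''` tests also warn on undefined fields, which the helper's `defined` fallback covers. json_item continues outside the hunk, and the same wrapping is needed for the fields it emits there.
```perl
# Quote a scalar as a JSON string: escapes backslash, double quote and control
# characters so a hostile header or banner value cannot break or extend the record.
sub _json_str {
    my $s = defined $_[0] ? $_[0] : '';
    $s =~ s/(["\\])/\\$1/g;
    $s =~ s/([\x00-\x1f])/sprintf('\\u%04x', ord $1)/ge;
    return "\"$s\"";
}

sub json_item {
    my ($handle, $mark, $item) = @_;
    my $line = "{";
    $line .= '"id": ' . _json_str($item->{'nikto_id'}) . ',';
    if ($item->{'refs'} ne '')   { $line .= '"references": ' . _json_str($item->{'refs'}) . ','; }
    if ($item->{'method'} ne '') { $line .= '"method":' . _json_str($item->{'method'}) . ','; }
    # … unchanged: remaining fields, each wrapped with _json_str the same way …
```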
+++ b/program/plugins/nikto_shellshock.plugin
@@ -58,11 +58,11 @@ sub nikto_shellshock {
 # request by hostname
 my ($res, $content, $error, $request, $response) = nfetch($mark, "$parameters->{'uri'}", "GET", "", \%headers, "", "shellshock");
- if (($response->{'nikto-added-cve-2014-6271'} eq 'true') || ($checkcontent && ($content =~ /93e4r0-CVE-2014-6271: true/))) {
+ if (($response->{'93e4r0-CVE-2014-6271'} eq 'true') || ($checkcontent && ($content =~ /93e4r0-CVE-2014-6271: true/))) {
 add_vulnerability( $mark, "$parameters->{'uri'}: Site appears vulnerable to the 'shellshock' vulnerability).", 999949, "CVE-2014-6271", "GET", "$parameters->{'uri'}", $request, $response);
 }
- if (($response->{'nikto-added-cve-2014-6278'} eq 'true') || ($checkcontent && ($content =~ /93e4r0-CVE-2014-6278: true/))) {
+ if (($response->{'93e4r0-CVE-2014-6278'} eq 'true') || ($checkcontent && ($content =~ /93e4r0-CVE-2014-6278: true/))) {
 add_vulnerability( $mark, "$parameters->{'uri'}: Site appears vulnerable to the 'shellshock' vulnerability.", 999948, "CVE-2014-6278", "GET", "$parameters->{'uri'}", $request, $response);
 }
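Review bot: The renamed lookup keys keep upper-case `CVE` (`$response->{'93e4r0-CVE-2014-6271'}`), while every other response-header access on this page uses lower-case keys (`$result->{'x-content-type-options'}`, `$result{'server'}`), which suggests LW2 lower-cases header names as it parses them; if so this branch never matches and detection quietly depends on `$checkcontent` alone. Use the lower-cased key and guard the comparison so a missing header does not warn under `use warnings`: `if ((($response->{'93e4r0-cve-2014-6271'} // '') eq 'true') || ...` and likewise for `-6278`; the `@@ -74` hunk below carries the same two lookups. The 999949 message still has a stray `)` in `vulnerability).`, untouched by this change. nikto_shellshock continues outside the hunk.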
@@ -74,11 +74,11 @@ sub nikto_shellshock {
 # request by hostname
 my ($res, $content, $error, $request, $response) = nfetch($mark, "$cgidir$file", "GET", "", \%headers, "", "shellshock");
- if (($response->{'nikto-added-cve-2014-6271'} eq 'true') || ($checkcontent && ($content =~ /93e4r0-CVE-2014-6271: true/))) {
+ if (($response->{'93e4r0-CVE-2014-6271'} eq 'true') || ($checkcontent && ($content =~ /93e4r0-CVE-2014-6271: true/))) {
 add_vulnerability( $mark, "$cgidir$file: Site appears vulnerable to the 'shellshock' vulnerability.", 999947, "CVE-2014-6271", "GET", "$cgidir$file", $request, $response);
 }
- if (($response->{'nikto-added-cve-2014-6278'} eq 'true') || ($checkcontent && ($content =~ /93e4r0-CVE-2014-6278: true/))) {
+ if (($response->{'93e4r0-CVE-2014-6278'} eq 'true') || ($checkcontent && ($content =~ /93e4r0-CVE-2014-6278: true/))) {
 add_vulnerability( $mark, "$cgidir$file: Site appears vulnerable to the 'shellshock' vulnerability.", 999946, "CVE-2014-6278", "GET", "$cgidir$file", $request, $response);
 }
diff --git a/program/plugins/nikto_tests.plugin b/program/plugins/nikto_tests.plugin
index edcf4b70..cd451f15 100644
--- a/program/plugins/nikto_tests.plugin
+++ b/program/plugins/nikto_tests.plugin
@@ -81,10 +81,9 @@ sub nikto_tests {
 $TESTS{$checkid}{'method'},
 $data,
 \%headrs,
- \%flags,
+ \%flags,
 $checkid);
- # NOTE: auth is now done in nfetch
 if ($OUTPUT{'show_ok'} && ($res eq 200)) {
 nprint("+ $mark->{'root'}$uri - 200/OK Response could be $TESTS{$checkid}{'message'}", "", ($mark->{'hostname'}, $mark->{'ip'}, $mark->{'displayname'}));
 }