8000 Updated `nikto` to latest release v2.5.0 by rfelber · Pull Request #668 · secureCodeBox/secureCodeBox · GitHub
3 changes: 2 additions & 1 deletion scanners/nikto/Chart.yaml
Expand Up @@ -9,7 +9,8 @@ description: A Helm chart for the Nikto security scanner that integrates with th
type: application
# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
version: v3.1.0-alpha1
appVersion: "2.1.6"
# appVersion - Nikto doesn't really version its releases
appVersion: 2.5.0
kubeVersion: ">=v1.11.0-0"

keywords:
2 changes: 1 addition & 1 deletion scanners/nikto/README.md
Expand Up @@ -3,7 +3,7 @@ title: "Nikto"
category: "scanner"
type: "Webserver"
state: "released"
appVersion: "2.1.6"
appVersion: "2.5.0"
usecase: "Webserver Vulnerability Scanner"
---

138 changes: 38 additions & 100 deletions scanners/nikto/examples/demo-bodgeit/findings.yaml
Expand Up @@ -7,119 +7,57 @@
"name": "The anti-clickjacking X-Frame-Options header is not present.",
"description": null,
"category": "X-Frame-Options Header",
"location": "http://bodgeit/",
"location": "http://bodgeit.demo-targets.svc",
"osi_layer": "NETWORK",
"severity": "LOW",
"attributes": {
"ip_address": "10.105.36.237",
"hostname": "bodgeit",
"banner": "Apache-Coyote/1.1",
"method": "GET",
"port": 8080,
"niktoId": 999957
},
"id": "9fc0b231-3a91-4976-ad59-35d59a585a38"
"attributes":
{
"ip_address": "10.96.46.204",
"hostname": "bodgeit.demo-targets.svc",
"banner": "",
"method": "GET",
"port": 8080,
"niktoId": 999957,
},
"id": "53d62642-865a-4cfb-b74c-275afa45d8b9",
"parsed_at": "2022-01-11T10:32:20.053Z",
},
{
"name": "The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS",
"description": null,
"category": "X-XSS-Protection",
"location": "http://bodgeit/",
"osi_layer": "NETWORK",
"severity": "LOW",
"attributes": {
"ip_address": "10.105.36.237",
"hostname": "bodgeit",
"banner": "Apache-Coyote/1.1",
"method": "GET",
"port": 8080,
"niktoId": 999102
},
"id": "fd763ddc-beaf-4bb0-91f6-334fadfaad03"
},
{
"name": "The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type",
"name": "The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.",
"description": null,
"category": "X-Content-Type-Options Header",
"location": "http://bodgeit/",
"location": "http://bodgeit.demo-targets.svc",
"osi_layer": "NETWORK",
"severity": "INFORMATIONAL",
"attributes": {
"ip_address": "10.105.36.237",
"hostname": "bodgeit",
"banner": "Apache-Coyote/1.1",
"method": "GET",
"port": 8080,
"niktoId": 999103
},
"id": "08fc1392-6da9-4d57-beb2-dc7f72bea503"
"attributes":
{
"ip_address": "10.96.46.204",
"hostname": "bodgeit.demo-targets.svc",
"banner": "",
"method": "GET",
"port": 8080,
"niktoId": 999103,
},
"id": "b906cf2c-a1a0-4e03-a51b-0d88f47ee8d2",
"parsed_at": "2022-01-11T10:32:20.053Z",
},
{
"name": "/favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community",
"name": "/favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community.",
"description": null,
"category": "Identified Software",
"location": "http://bodgeit/favicon.ico",
"osi_layer": "NETWORK",
"severity": "INFORMATIONAL",
"attributes": {
"ip_address": "10.105.36.237",
"hostname": "bodgeit",
"banner": "Apache-Coyote/1.1",
"method": "GET",
"port": 8080,
"niktoId": 500645
},
"id": "4a6b694c-b0ac-465e-929e-8e67cbded3a8"
},
{
"name": "Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS",
"description": null,
"category": "Nikto Finding",
"location": "http://bodgeit/",
"osi_layer": "NETWORK",
"severity": "INFORMATIONAL",
"attributes": {
"ip_address": "10.105.36.237",
"hostname": "bodgeit",
"banner": "Apache-Coyote/1.1",
"method": "OPTIONS",
"port": 8080,
"niktoId": 999990
},
"id": "7fe0661b-1eac-4e7c-ad02-0fa5b293700c"
},
{
"name": "HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.",
"description": null,
"category": "Nikto Finding",
"location": "http://bodgeit/",
"osi_layer": "NETWORK",
"severity": "INFORMATIONAL",
"attributes": {
"ip_address": "10.105.36.237",
"hostname": "bodgeit",
"banner": "Apache-Coyote/1.1",
"method": "GET",
"port": 8080,
"niktoId": 400001
},
"id": "f63b2cd6-cb19-43f5-a086-c5084e8b8e2b"
},
{
"name": "HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.",
"description": null,
"category": "Nikto Finding",
"location": "http://bodgeit/",
"location": "http://bodgeit.demo-targets.svc",
"osi_layer": "NETWORK",
"severity": "INFORMATIONAL",
"attributes": {
"ip_address": "10.105.36.237",
"hostname": "bodgeit",
"banner": "Apache-Coyote/1.1",
"method": "GET",
"port": 8080,
"niktoId": 400000
},
"id": "237ff776-7fc1-4509-b51e-d916b3951422"
"attributes":
{
"ip_address": "10.96.46.204",
"hostname": "bodgeit.demo-targets.svc",
"banner": "",
"method": "GET",
"port": 8080,
"niktoId": 500645,
},
"id": "8f6141f1-7401-4fb0-8219-b711599cc1f5",
"parsed_at": "2022-01-11T10:32:20.053Z",
}
]
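Review bot: The regenerated findings now carry only the host in `location` (`"location": "http://bodgeit.demo-targets.svc"` for the favicon finding, where the old side had `http://bodgeit/favicon.ico`), because Nikto 2.5.0's JSON emits `"url": ""` and moves the path to the front of `msg` (`/favicon.ico file identifies ...`); if the parser derives `location` from `url` it should fall back to the leading path of `msg` so a consumer can still tell which resource a finding refers to. This fixture also lists only three findings, while the nikto-results.json in the same example directory contains thirteen, including the `/manager/html`, `/host-manager/html` and `/examples/jsp/snp/snoop.jsp` hits that are the actionable results of the scan — if findings.yaml is meant to be the parsed output of that file the two should agree, otherwise the example conceals that those findings are dropped. The new `references` field (MDN link, `CVE-2004-2104`, `CWE-552`) is not carried over either and `description` stays `null`; mapping it into `description` or a `references` attribute would preserve that context. Note as well that 2.5.0 reuses the same `id` for different paths (006525 and 007015 each appear twice), so `niktoId` can no longer be treated as unique per finding for de-duplication.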
128 changes: 74 additions & 54 deletions scanners/nikto/examples/demo-bodgeit/nikto-results.json
@@ -1,57 +1,77 @@
{
"host": "bodgeit",
"ip": "10.105.36.237",
"host": "bodgeit.demo-targets.svc",
"ip": "10.96.46.204",
"port": "8080",
"banner": "Apache-Coyote/1.1",
"vulnerabilities": [
{
"id": "999957",
"OSVDB": "0",
"method": "GET",
"url": "/",
"msg": "The anti-clickjacking X-Frame-Options header is not present."
},
{
"id": "999102",
"OSVDB": "0",
"method": "GET",
"url": "/",
"msg": "The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS"
},
{
"id": "999103",
"OSVDB": "0",
"method": "GET",
"url": "/",
"msg": "The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type"
},
{
"id": "500645",
"OSVDB": "39272",
"method": "GET",
"url": "/favicon.ico",
"msg": "/favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community"
},
{
"id": "999990",
"OSVDB": "0",
"method": "OPTIONS",
"url": "/",
"msg": "Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS "
},
{
"id": "400001",
"OSVDB": "397",
"method": "GET",
"url": "/",
"msg": "HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server."
},
{
"id": "400000",
"OSVDB": "5646",
"method": "GET",
"url": "/",
"msg": "HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server."
}
]
"banner": "",
"vulnerabilities": [{
"id": "999957",
"references": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"method": "GET",
"url": "",
"msg": "The anti-clickjacking X-Frame-Options header is not present."
}, {
"id": "999103",
"references": "https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/",
"method": "GET",
"url": "",
"msg": "The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type."
}, {
"id": "500645",
"references": "https://en.wikipedia.org/wiki/Favicon",
"method": "GET",
"url": "",
"msg": "/favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community."
}, {
"id": "999990",
"method": "OPTIONS",
"url": "",
"msg": "Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS ."
}, {
"id": "400001",
"method": "GET",
"url": "",
"msg": "HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server."
}, {
"id": "400000",
"method": "GET",
"url": "",
"msg": "HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server."
}, {
"id": "000366",
"method": "GET",
"url": "",
"msg": "/examples/servlets/index.html: Apache Tomcat default JSP pages present."
}, {
"id": "001355",
"references": "CVE-2004-2104",
"method": "GET",
"url": "",
"msg": "/examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users."
}, {
"id": "003399",
"references": "CWE-552",
"method": "GET",
"url": "",
"msg": "/manager/manager-howto.html: Tomcat documentation found."
}, {
"id": "006525",
"method": "GET",
"url": "",
"msg": "/manager/html: Default Tomcat Manager / Host Manager interface found."
}, {
"id": "006525",
"method": "GET",
"url": "",
"msg": "/host-manager/html: Default Tomcat Manager / Host Manager interface found."
}, {
"id": "007015",
"method": "GET",
"url": "",
"msg": "/manager/status: Default Tomcat Server Status interface found."
}, {
"id": "007015",
"method": "GET",
"url": "",
"msg": "/host-manager/status: Default Tomcat Server Status interface found."
}]
}
2 changes: 1 addition & 1 deletion scanners/nikto/examples/demo-bodgeit/scan.yaml
Expand Up @@ -12,7 +12,7 @@ spec:
scanType: 'nikto'
parameters:
- '-h'
- 'bodgeit'
- 'bodgeit.demo-targets.svc'
- '-port 8080'
- '-Tuning'
# Only enable fast (ish) Scan Options, remove attack option like SQLi and RCE. We will leave those to ZAP
Expand Up @@ -5,14 +5,14 @@
apiVersion: 'execution.securecodebox.io/v1'
kind: Scan
metadata:
name: 'nikto-www.securecodebox.io'
name: 'nikto-docs.securecodebox.io'
labels:
organization: 'secureCodeBox'
spec:
scanType: 'nikto'
parameters:
- '-h'
- 'https://www.securecodebox.io'
- 'https://docs.securecodebox.io/'
- '-Tuning'
# Only enable fast (ish) Scan Options, remove attack option like SQLi and RCE. We will leave those to ZAP
- '1,2,3,5,7,b'