[Nikto-discuss] Uncommon Header problem

Sullo csullo at gmail.com
Sat May 10 21:49:29 CDT 2014


Looking again, I see that it is "option" and not "options".  "options" is
correct according to the RFC and thus what is in the Nikto database. Your
server should be sending x-frame-options and *not* x-frame-option to
properly set frame restrictions.

regards,
Sullo


On Sat, May 10, 2014 at 3:25 PM, csullo at gmail.com <csullo at gmail.com> wrote:

> I'm not near a computer to check this out, but that should be in the
> database of known headers. So either it's missing which is a mistake, or a
> bug is preventing a match.
>
> However, you want to keep that header around unless you have a specific
> need for removing it (and even then, allowing specific hosts to frame). So
> don't try to get rid of it--leave it be!
>
> I'll look at this later to figure out why it's not matching.
>
> Regards,
> Sullo
>
> > On May 10, 2014, at 11:26 AM, eXile Out <outofexile at yandex.com> wrote:
> >
> > Dear Friend,
> > I have a security problem with my server (Debian wheezy 7.4 with Apache
> > 2.2.22-deb7u on amd64 arch).
> > When I scan the server with Nikto, Nikto tells me that it found an "Uncommon
> > header" that I can't solve:
> >
> > -----------------------------------------------------------------------------------------------------------
> > - Nikto v2.1.5
> > -----------------------------------------------------------------------------------------------------------
> > + Taget IP: 127.0.0.1
> > -----------------------------------------------------------------------------------------------------------
> > + Server: Apache/2.2.22
> > + Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
> > -----------------------------------------------------------------------------------------------------------
> >
> > The default Debian anti click-hijacking config is in the file:
> > /etc/apache2/conf.d/security
> > and contains this line:
> > Header set X-Frame-Option: "sameorigin"
> >
> > I tried commenting out this line and adding the protection manually, in the file:
> > /etc/apache2/httpd.conf (created by me and included from the apache2.conf file)
> > with this line:
> > Header always append X-Frame-Option SAMEORIGIN
> >
> > But the message in Nikto persists.
> > Can anyone help me?
> > Thank you so much
> > Regards
> > OeX
> > _______________________________________________
> > Nikto is sponsored by Netsparker, a false positive free web application
> > security scanner.
> > Visit https://www.netsparker.com/ for more information.
> > _______________________________________________
> > Nikto-discuss mail list
> > Nikto-discuss at attrition.org
> > https://attrition.org/mailman/listinfo/nikto-discuss
>



-- 

http://www.cirt.net     |      http://richsec.com/
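The mismatch discussed in this thread (a header named X-Frame-Option, which no browser honours, versus the RFC 7034 name X-Frame-Options) is easy to miss by eye in a config file. The Python script below is an added example, not code from the thread, from Nikto or from Apache: it parses a raw HTTP response, reports whether a correctly named X-Frame-Options header carrying one of the defined values is present, and flags near-miss names. It also rejects a comma-joined value such as "SAMEORIGIN, SAMEORIGIN", which is what "Header append" produces when the header already exists and which is not a single defined token. All three sample responses are constructed, not captured from any real host.

```python
# Added example: audit a raw HTTP response for a correctly named and
# correctly valued X-Frame-Options header. Not code from the mailing
# list thread, from Nikto or from Apache; sample responses are constructed.

CORRECT_NAME = "x-frame-options"
SINGLE_TOKEN_VALUES = {"DENY", "SAMEORIGIN"}


def parse_headers(raw: str) -> list:
    """Split the header block of a raw HTTP response into (name, value)
    pairs. Names are lower-cased because header names are case-insensitive."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:          # lines[0] is the status line
        if line.strip() == "":      # the blank line ends the header block
            break
        if ":" not in line:
            continue                # tolerate a junk line rather than abort
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def frame_option_value_ok(value: str) -> bool:
    """True when the value is one of the tokens defined for X-Frame-Options
    (DENY, SAMEORIGIN, ALLOW-FROM uri). A comma-joined value such as
    'SAMEORIGIN, SAMEORIGIN' is not a single defined token and is rejected."""
    v = value.strip().upper()
    if v in SINGLE_TOKEN_VALUES:
        return True
    return v.startswith("ALLOW-FROM ") and "," not in v


def check_frame_options(raw: str) -> dict:
    """Audit one response. Returns a dict with:
       ok          - exactly one correctly named, correctly valued header present
       values      - values seen under the correct name
       near_misses - headers whose name looks like a misspelling of the real one
       problems    - human-readable findings (empty when ok)"""
    headers = parse_headers(raw)
    values = [v for n, v in headers if n == CORRECT_NAME]
    near_misses = [f"{n}: {v}" for n, v in headers
                   if n != CORRECT_NAME and n.startswith("x-frame-option")]
    problems = [f"misnamed header, ignored by browsers: {nm}" for nm in near_misses]
    if not values:
        problems.append("no X-Frame-Options header")
    elif len(values) > 1:
        problems.append(f"X-Frame-Options sent {len(values)} times")
    elif not frame_option_value_ok(values[0]):
        problems.append(f"X-Frame-Options value is not a defined token: {values[0]!r}")
    return {"ok": not problems, "values": values,
            "near_misses": near_misses, "problems": problems}


# Constructed sample responses (not captured from any real host).
MISNAMED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22\r\n"
    "X-Frame-Option: SAMEORIGIN\r\n"      # the 'option' spelling from the thread
    "\r\n"
    "<html></html>"
)
CORRECT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)
APPENDED_TWICE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n"   # result of 'Header append'
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in [("misnamed", MISNAMED), ("correct", CORRECT),
                        ("appended twice", APPENDED_TWICE)]:
        r = check_frame_options(resp)
        print(f"{label}: {'OK' if r['ok'] else '; '.join(r['problems'])}")
```

To check a live server, feed the script the header block from a raw response (for example, the output of a plain HTTP client) rather than a browser's rendered view, since the point is to see the header name exactly as Apache emits it.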