<br><br><div class="gmail_quote">On Fri, Aug 9, 2013 at 10:27 AM, Justin C. Klein Keane <span dir="ltr"><<a href="mailto:justin@madirish.net" target="_blank">justin@madirish.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
When Nikto receives a 200 response from a probe it may report a<br>
finding depending on the test definition (ref:<br>
<a href="http://cirt.net/nikto2-docs/expanding.html#id2792422" target="_blank">http://cirt.net/nikto2-docs/expanding.html#id2792422</a>), which may be a<br>
false positive. Your browser may show "no result" but get a 200 HTTP<br>
response. This is one of the bigger issues with Nikto, if you run it<br>
against something like Drupal (which routes all requests through<br>
index.php and responds with a customized "Not Found Page" but<br>
unhelpfully serves it with a 200 response code) you wind up with a<br>
bunch of false positives.<br><br></blockquote><div><br></div><div>This is true, and it's a constant battle with Nikto (and other web security tools). There are also a number of strings in db_404_strings which, if they match page content, are treated as if the server responded with a 404 response. Additionally, most tests added in the last few years don't rely on 200--it's generally the older ones, or ones where we have no idea what a valid response looks like, which only match on 200. </div>
<div><br></div><div>As for Cloudflare...I can't say how things respond as I haven't tried it out in a few years. If the original poster wants to send me (off list) a capture of the output running with "-D DS" (debug mode, scrubbing hostnames & Ips) along with the sanitized report (any format) I'm happy to take a look at it to see if anything can be done. </div>
<div><br></div><div>Better, if the original poster or someone with a Cloudflare site want to let me test directly... email me off-list!</div><div><br></div><div>-Sullo</div></div>