[Nikto-discuss] Nikto 2.1.5 bug

Balázs Zoltán zoltan1.balazs at gmail.com
Tue Dec 11 03:21:14 CST 2012


Hi,

Thank you for the fast response. You are right, HTTP 1.1 servers must
accept absolute URLs.
The problem was that the server was not following this directive from
the protocol. Unfortunately, I can't tell more details about the
server.

Excuse me for the false alarm :)

Zoltan

On Mon, Dec 10, 2012 at 5:02 AM, Sullo <csullo at gmail.com> wrote:
> I don't see anything in the http book suggesting that this is an invalid
> request. In testing, I see expected responses from requests which have the
> host in both the host header and the URL.
>
> Am I missing something? If you're seeing responses from the server
> indicating an invalid request, have you tried more than one server and
> confirmed nothing in the burp proxy is changing the request?
>
> Thanks
> Sullo
>
>
> On Sun, Dec 9, 2012 at 6:30 AM, Balázs Zoltán <zoltan1.balazs at gmail.com>
> wrote:
>>
>> Hi all,
>>
>> I have found a bug in nikto while scanning SSL sites. For the test I
>> set up a burp proxy locally so I can see all the traffic.
>> The bug is in the GET resource, where the vhost is included in the
>> request, so every request to an SSL site is a bad request.
>>
>> Nikto command:
>> perl nikto.pl -config nikto.conf -host cirt.net -vhost cirt.net --useproxy
>>
>> Request generated  (valid request):
>> GET / HTTP/1.1
>> Connection: Keep-Alive
>> User-Agent: Mozilla/5.00
>> Host: cirt.net
>>
>>
>> #####################################################################################
>>
>> Nikto command:
>> perl nikto.pl -config nikto.conf -host cirt.net -port 443 -ssl -vhost
>> cirt.net --useproxy
>>
>> Invalid request generated:
>> GET https://cirt.net:443/ HTTP/1.1
>> Connection: Keep-Alive
>> User-Agent: Mozilla/5.00
>> Host: cirt.net:443
>>
>> Regards
>> Zoltan
>
>
>
>
> --
>
> http://www.cirt.net     |      http://richsec.com/
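
The two request forms compared in this thread, resolved the way an HTTP/1.1 server is expected to handle them (RFC 7230, sections 5.3 to 5.5). This is an added example, not part of the original messages and not Nikto code; the function name `resolve_target` and the third sample request are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def resolve_target(raw: bytes, conn_scheme: str = "https"):
    """Return (scheme, host, port, path) for an origin-form or absolute-form request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if target.startswith("/"):
        # origin-form ("GET / HTTP/1.1"): the authority comes from the Host header.
        if "host" not in headers:
            raise ValueError("HTTP/1.1 request without a Host header")
        scheme, authority, path = conn_scheme, headers["host"], target
    else:
        # absolute-form ("GET https://host:443/ HTTP/1.1"): the authority comes
        # from the request-target and any Host header value is ignored.
        parts = urlsplit(target)
        if parts.scheme not in DEFAULT_PORTS or not parts.netloc:
            raise ValueError("unsupported request-target: " + target)
        scheme, authority = parts.scheme, parts.netloc
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")

    auth = urlsplit("//" + authority)  # splits host and port, handles [IPv6]:port
    return scheme, auth.hostname, auth.port or DEFAULT_PORTS[scheme], path

# The two requests quoted in the thread.
ORIGIN_FORM = (b"GET / HTTP/1.1\r\nConnection: Keep-Alive\r\n"
               b"User-Agent: Mozilla/5.00\r\nHost: cirt.net\r\n\r\n")
ABSOLUTE_FORM = (b"GET https://cirt.net:443/ HTTP/1.1\r\nConnection: Keep-Alive\r\n"
                 b"User-Agent: Mozilla/5.00\r\nHost: cirt.net:443\r\n\r\n")
# Constructed sample: Host disagrees with the request-target.
MISMATCH = (b"GET https://cirt.net:443/ HTTP/1.1\r\n"
            b"Host: other.example\r\n\r\n")

if __name__ == "__main__":
    print(resolve_target(ORIGIN_FORM, conn_scheme="http"))
    print(resolve_target(ABSOLUTE_FORM))
    print(resolve_target(MISMATCH))
```

A server or proxy that picks the virtual host from the Host header in one layer and from the request-target in another can route the `MISMATCH` case inconsistently, so the authority should be resolved once and reused.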

