[Nikto-discuss] a newbie question

Sullo csullo at gmail.com
Fri Aug 9 21:59:20 CDT 2013


On Fri, Aug 9, 2013 at 10:27 AM, Justin C. Klein Keane
<justin at madirish.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> When Nikto receives a 200 response from a probe it may report a
> finding depending on the test definition (ref:
> http://cirt.net/nikto2-docs/expanding.html#id2792422), which may be a
> false positive.  Your browser may show "no result" but get a 200 HTTP
> response.  This is one of the bigger issues with Nikto, if you run it
> against something like Drupal (which routes all requests through
> index.php and responds with a customized "Not Found Page" but
> unhelpfully serves it with a 200 response code) you wind up with a
> bunch of false positives.
>
>
This is true, and it's a constant battle with Nikto (and other web security
tools). There are also a number of strings in db_404_strings which, if they
match page content, are treated as if the server responded with a 404
response. Additionally, most tests added in the last few years don't rely
on 200--it's generally the older ones, or ones where we have no idea what a
valid response looks like, which only match on 200.

As for Cloudflare...I can't say how things respond as I haven't tried it
out in a few years. If the original poster wants to send me (off list) a
capture of the output running with "-D DS" (debug mode, scrubbing hostnames
& IPs) along with the sanitized report (any format) I'm happy to take a
look at it to see if anything can be done.

Better, if the original poster or someone with a Cloudflare site wants to
let me test directly... email me off-list!

-Sullo
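
The soft-404 handling discussed in this thread, as an added example that is not part of the original messages and is not Nikto's code: a 200 response is treated as "not found" when its body matches a 404 string. It goes one step further than the thread by also comparing the body with a baseline fetched for a path known not to exist; the string list, threshold, sample pages and function names are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-ins for a 404-string list; NOT Nikto's actual db_404_strings.
SOFT_404_STRINGS = ["page not found", "the requested page could not be found"]

# Constructed sample: a custom error page that is served with HTTP 200.
TEMPLATE = ("<html><body><h1>Nothing here</h1><p>We looked everywhere for {} "
            "but came up empty. Try the search box.</p></body></html>")
BASELINE = TEMPLATE.format("/zq8x1")  # body returned for a random, nonexistent path


def normalize(body: str) -> str:
    """Strip tags and collapse whitespace so markup noise does not affect matching."""
    text = re.sub(r"<[^>]+>", " ", body)
    return re.sub(r"\s+", " ", text).strip().lower()


def classify(status: int, body: str, baseline_body: str, threshold: float = 0.85) -> str:
    """Label one probe response: 'not-found', 'soft-404', 'candidate' or 'other'."""
    if status == 404:
        return "not-found"
    if status != 200:
        return "other"  # redirects, 401/403 and so on need their own handling
    text = normalize(body)
    # A 200 whose content matches a known error string is treated like a 404.
    if any(s in text for s in SOFT_404_STRINGS):
        return "soft-404"
    # Beyond the string list: near-identical to the known-missing baseline page.
    if SequenceMatcher(None, text, normalize(baseline_body)).ratio() >= threshold:
        return "soft-404"
    return "candidate"  # still needs review before it is reported as a finding


if __name__ == "__main__":
    probes = [  # constructed (path, status, body) samples
        ("/missing", 404, "Not Found"),
        ("/old.php", 200, "<h1>Page Not Found</h1>"),
        ("/admin.bak", 200, TEMPLATE.format("/admin.bak")),
        ("/status", 200, "<h1>Server Status</h1><p>Uptime: 3 days</p>"),
    ]
    for path, status, body in probes:
        print(path, status, classify(status, body, BASELINE))
```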