Changes to fix sullo#713

Added headers to db_headers Added printing of the "url" comonents of reort-to headers
ouyangjunjie · Mar 23, 2021 · 7789586 · 7789586
1 parent a750f64
commit 7789586
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/program/databases/db_headers b/program/databases/db_headers
@@ -33,6 +33,7 @@
 "alternates"
 "authorization"
 "cache-control"
+"cf-request-id"
 "commerce-server-software"
 "connection"
 "content-encoding"
@@ -64,9 +65,11 @@
 "location"
 "max-forwards"
 "mime-version"
+"nel"
 "nncoection"
 "p3p"
 "persistent-auth"
+"permissions-policy"
 "pragma"
 "proxy-authenticate"
 "proxy-authorization"
@@ -75,6 +78,7 @@
 "range"
 "referer"
 "referrer-policy"
+#"report-to"
 "retry-after"
 "server"
 "set-cookie"

diff --git a/program/plugins/nikto_headers.plugin b/program/plugins/nikto_headers.plugin
@@ -291,7 +291,7 @@ sub nikto_headers {
     $locheaders{'User-Agent'} =~ s/\@TESTID/headers:\ IIS\ internal\ IP/;
     $locflags{'noclean'} = 1;
     $locflags{'nohost'}  = 1;
-    $cl = $l = $wa = 0;
+    $cl = $l = $wa = $rt = 0;
 
     foreach my $uri ('/',                              '/images',
                      '/Autodiscover/Autodiscover.xml', '/Autodiscover/',
@@ -303,6 +303,7 @@ sub nikto_headers {
                      '/ecp',                           '/OAB',
                      '/aspnet_client',                 '/PowerShell'
                      ) {
+if ($uri != "/") { next; }
         my ($res, $content, $errors, $request, $result) =
           nfetch($mark, $uri, "GET", "", \%locheaders, \%locflags, "headers: HTTP 1.0 internal IP", "1.0");
 
@@ -338,7 +339,25 @@ sub nikto_headers {
                         999986, 630, "GET", $uri, $request, $result);
                         }
                 }
-        if ($cl && $l && $wa) { last; }
+
+        if (!$rt && ($result->{'report-to'} ne "")) {
+        	my @bits = split("url\": \"", $result->{'report-to'});
+		    my $have = 0;
+            my @urls;
+        	foreach my $b (@bits) {
+                	next if $b !~ /^http/;
+                	$b =~ s/\".*$//;
+        			if ($b ne "") {
+                        push(@urls, $b);
+			        	$have = $rt = 1;
+				        }
+        		    }
+		if ($have) {
+			add_vulnerability( $mark, "A report-to header was found with the following URLs: " . join(", ", @urls), 999945, 630, "GET", $uri, $request, $result);
+			}
+		}
+
+        if ($cl && $l && $wa && $rt) { last; }
         }
 
     #######################################################################