
Duplicated for X-Clacks-Overhead test in nikto_headers #772

Closed
tautology0 opened this issue Aug 10, 2022 · 3 comments

tautology0 (Collaborator) commented Aug 10, 2022

commit 65059c6 duplicated the X-Clacks-Overhead test with a comment implying that it's checking for Content-Security-Policy or Content-Security-Policy-Report-Only.

    # CSP Report URLs
    if (!$HEADERS_XCO{ $mark->{hostname} }{ $mark->{port} } && defined $result->{'whisker'}->{'code'}) {
        if (defined $result->{'x-clacks-overhead'}) {
            add_vulnerability( $mark, "There appears to be clacks overhead on the server, the message is: $result->{'x-clacks-overhead'}", 999104, 0,
                $request->{'whisker'}->{'method'}, $request->{'whisker'}->{'uri'}, $request, $result);
            $HEADERS_XCO{ $mark->{hostname} }{ $mark->{port} } = 1;
        }
    }
tautology0 added the bug label Aug 10, 2022

sullo (Owner) commented Sep 1, 2022

I'm not sure what commit you're looking at but the linked one doesn't have x-clacks-overhead in it. Looking at the plugin, I only see one block for it.

Was the 'message' from x-clacks-overhead different in the multiple responses? De-duplication checks in add_vulnerability() will fail to match if the message is different.
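To make the two mechanisms sullo refers to concrete, here is an added, self-contained Perl illustration (not code from the Nikto project) of the pattern the plugin snippet follows: a per-host/port guard hash around each header check, and a stand-in for add_vulnerability() that de-duplicates on the full message text. Everything beyond what the thread shows is an assumption made for this example: the function names, the %SEEN hash, the separate %HEADERS_RPT guard, the Report-To check that the thread says was the intent of the second block, the placeholder id 999105, and the constructed responses.

```perl
#!/usr/bin/perl
# Added illustration, not Nikto's own code. Models the per-host/port guard
# hash and message-keyed de-duplication discussed in this issue. Names,
# the 'report-to' check, id 999105 and the sample responses are assumptions.
use strict;
use warnings;

my %HEADERS_XCO;   # guard for the X-Clacks-Overhead check, one flag per host/port
my %HEADERS_RPT;   # separate guard for the Report-To check so flags cannot collide
my %SEEN;          # de-dup key: host|port|id|message (assumed shape)
my @findings;

# Stand-in for add_vulnerability(): a finding is dropped only when host,
# port, id AND message text all match something already reported.
sub report_finding {
    my ($host, $port, $id, $msg) = @_;
    my $key = join '|', $host, $port, $id, $msg;
    return 0 if $SEEN{$key}++;              # identical finding already recorded
    push @findings, "$host:$port [$id] $msg";
    return 1;
}

# Mirrors the first block from the issue: report once per host/port.
sub check_clacks {
    my ($host, $port, $hdr) = @_;
    return 0 if $HEADERS_XCO{$host}{$port};
    return 0 unless defined $hdr->{'x-clacks-overhead'};
    $HEADERS_XCO{$host}{$port} = 1;
    return report_finding($host, $port, 999104,
        "There appears to be clacks overhead on the server, the message is: $hdr->{'x-clacks-overhead'}");
}

# What the copy-pasted second block was meant to do according to the thread:
# inspect the Report-To header instead of X-Clacks-Overhead again.
sub check_report_to {
    my ($host, $port, $hdr) = @_;
    return 0 if $HEADERS_RPT{$host}{$port};
    return 0 unless defined $hdr->{'report-to'};
    $HEADERS_RPT{$host}{$port} = 1;
    return report_finding($host, $port, 999105,
        "Report-To header present, reporting endpoints: $hdr->{'report-to'}");
}

# Constructed responses for one host; header names lower-cased as a
# response hash would carry them.
my @responses = (
    { 'x-clacks-overhead' => 'GNU Terry Pratchett',
      'report-to'         => '{"group":"csp","endpoints":[{"url":"https://example.invalid/r"}]}' },
    { 'x-clacks-overhead' => 'GNU Terry Pratchett' },   # same header again: guard suppresses it
);

for my $r (@responses) {
    check_clacks('example.invalid', 443, $r);
    check_report_to('example.invalid', 443, $r);
}

# The guard hash stops a second report per host/port no matter what the value is.
# De-duplication alone is keyed on the message text, so a changed header value
# produces a new finding (sullo's point about add_vulnerability()).
report_finding('example.invalid', 443, 999104,
    "There appears to be clacks overhead on the server, the message is: GNU Terry Pratchett"); # 0: already seen
report_finding('example.invalid', 443, 999104,
    "There appears to be clacks overhead on the server, the message is: GNU Someone Else");    # 1: new message

print "$_\n" for @findings;
```

Run with `perl example.pl`; it prints three findings: the clacks and Report-To findings from the first response, and the one with the changed message that de-duplication let through. The design point is that each header check owns its own guard hash; a second block that reuses `%HEADERS_XCO` is silently skipped once the first block has set the flag for that host and port.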

tautology0 (Collaborator, Author) commented

Yeah, looked like I C+P'd the wrong request. This is what nikto_headers looks like at the moment:

    if (!$HEADERS_XCO{ $mark->{hostname} }{ $mark->{port} } && defined $result->{'whisker'}->{'code'}) {
        if (defined $result->{'x-clacks-overhead'}) {
            add_vulnerability( $mark, "There appears to be clacks overhead on the server, the message is: $result->{'x-clacks-overhead'}", 999104, 0,
                $request->{'whisker'}->{'method'}, $request->{'whisker'}->{'uri'}, $request, $result);
            $HEADERS_XCO{ $mark->{hostname} }{ $mark->{port} } = 1;
        }
    }

    # CSP Report URLs
    if (!$HEADERS_XCO{ $mark->{hostname} }{ $mark->{port} } && defined $result->{'whisker'}->{'code'}) {
        if (defined $result->{'x-clacks-overhead'}) {
            add_vulnerability( $mark, "There appears to be clacks overhead on the server, the message is: $result->{'x-clacks-overhead'}", 999104, 0,
                $request->{'whisker'}->{'method'}, $request->{'whisker'}->{'uri'}, $request, $result);
            $HEADERS_XCO{ $mark->{hostname} }{ $mark->{port} } = 1;
        }
    }

sullo (Owner) commented Sep 5, 2022

I'm not sure how I missed that searching for clacks, but... updated to report-to which was the intent.

sullo closed this as completed Sep 5, 2022