From robin at digi.ninja  Sat Aug  9 15:13:42 2014
From: robin at digi.ninja (Robin Wood)
Date: Sat, 9 Aug 2014 21:13:42 +0100
Subject: [Nikto-discuss] Nikto doesn't understand CSP
Message-ID:

I just got this in a scan using the latest Git code:

+ Uncommon header 'content-security-policy-report-only' found, with contents: default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https://* about: javascript:; img-src data:

Is it reported as Uncommon because it doesn't know about it or is it just pointing out that not many sites set it? I'd guess it is the first.

Robin


From robin at digi.ninja  Sat Aug  9 16:35:44 2014
From: robin at digi.ninja (Robin Wood)
Date: Sat, 9 Aug 2014 22:35:44 +0100
Subject: [Nikto-discuss] mention XSS protection header
Message-ID:

It would be nice to mention that the XSS protection header has been sent:

X-XSS-Protection: 1; mode=block

Especially if it is set to 0 to disable it.

Robin


From csullo at gmail.com  Sun Aug 10 22:38:47 2014
From: csullo at gmail.com (Sullo)
Date: Sun, 10 Aug 2014 23:38:47 -0400
Subject: [Nikto-discuss] Nikto doesn't understand CSP
In-Reply-To:
References:
Message-ID:

It alerts because it's not in db_headers. I've added this one and content-security-policy, thanks.

On Sat, Aug 9, 2014 at 4:13 PM, Robin Wood wrote:
> I just got this in a scan using the latest Git code:
>
> + Uncommon header 'content-security-policy-report-only' found, with
> contents: default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src
> https://* about: javascript:; img-src data:
>
> Is it reported as Uncommon because it doesn't know about it or is it just
> pointing out that not many sites set it? I'd guess it is the first.
>
> Robin
>
> _______________________________________________
> Nikto is sponsored by Netsparker, a false positive free web application
> security scanner.
> Visit https://www.netsparker.com/ for more information.
> _______________________________________________
> Nikto-discuss mail list
> Nikto-discuss at attrition.org
> https://attrition.org/mailman/listinfo/nikto-discuss
>

-- 
http://www.cirt.net | http://richsec.com/


From csullo at gmail.com  Sun Aug 10 22:40:16 2014
From: csullo at gmail.com (Sullo)
Date: Sun, 10 Aug 2014 23:40:16 -0400
Subject: [Nikto-discuss] mention XSS protection header
In-Reply-To:
References:
Message-ID:

Added issue #154--thanks.
https://github.com/sullo/nikto/issues/154

On Sat, Aug 9, 2014 at 5:35 PM, Robin Wood wrote:
> It would be nice to mention that the XSS protection header has been sent:
>
> X-XSS-Protection: 1; mode=block
>
> Especially if it is set to 0 to disable it.
>
> Robin
>

-- 
http://www.cirt.net | http://richsec.com/


From raymond_pluto at hotmail.com  Mon Aug 18 06:34:45 2014
From: raymond_pluto at hotmail.com (raymond lukanta)
Date: Mon, 18 Aug 2014 18:34:45 +0700
Subject: [Nikto-discuss] Nikto Plugin Tutorial
In-Reply-To: <581AC794-9C83-40BA-AA0E-A4F17FA080E9@gmail.com>
References: , <581AC794-9C83-40BA-AA0E-A4F17FA080E9@gmail.com>
Message-ID:

Hi again,

In the docs (http://cirt.net/nikto2-docs/expanding.html#id2792681), there's a prefetch hook.
In the explanation, it is said that "The prefetch phase is called before every request to the server". My question is: what does "every request" mean? Every request done by Nikto, or every request done by the plugin that defines that hook?

Thanks.

--Raymond L

Subject: Re: [Nikto-discuss] Nikto Plugin Tutorial
From: csullo at gmail.com
Date: Sat, 21 Jun 2014 09:54:40 -0400
CC: nikto-discuss at attrition.org
To: raymond_pluto at hotmail.com

Raymond

I don't know of a full tutorial other than the docs (http://cirt.net/nikto2-docs/expanding.html#id2792681) on it. You might start with an existing plugin which has similar functionality and start modifying it.

Feel free to post questions as well!

Regards,
Sullo

On Jun 21, 2014, at 12:47 AM, raymond lukanta wrote:

Hi All,

I want to create a new Nikto plugin. I've been googling but what I found was this book: http://books.google.co.id/books?id=iV8DRekYvg0C&printsec=frontcover&dq=Network+Security+Tools:+Writing,+Hacking,+and+Modifying+Security+Tools&hl=en&sa=X&ei=xAylU4DPGc7JuAS39YCwCA&ved=0CBsQ6AEwAA#v=onepage&q&f=false

On page 86, the author gives some explanation, but I think the author uses an older Nikto version.

Does anybody have a tutorial that I can follow?

Thanks.

--Raymond L
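The two header threads earlier in this digest (the "uncommon header" report for content-security-policy-report-only, and the request to report X-XSS-Protection, especially when it is set to 0) both come down to checks a scanner can make on response headers. The following is an added example, not Nikto's own code and not taken from this list: it parses a constructed response head, flags any header absent from an assumed known-header set (standing in for Nikto's db_headers, whose real contents are not reproduced here), classifies the X-XSS-Protection value, and lists CSP directives that carry weak source expressions, recording whether the policy is report-only and therefore not enforced. The header set, the weak-source list and the sample response are all assumptions made for the example.

```python
"""Response-header review helpers (added example; not Nikto's code)."""

# Assumed stand-in for a scanner's known-header list (not Nikto's db_headers).
KNOWN_HEADERS = {
    "content-type", "content-length", "date", "server", "cache-control",
    "x-frame-options", "x-content-type-options", "strict-transport-security",
    "content-security-policy", "content-security-policy-report-only",
    "x-xss-protection",
}

# Source expressions that weaken a CSP wherever they appear, plus the directives
# in which "data:" is script-capable and therefore also worth flagging.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "javascript:"}
SCRIPT_DIRECTIVES = {"default-src", "script-src", "object-src"}

# Constructed sample response head; the CSP value is the one quoted in the
# first thread, the other headers are made up for the example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Example-Header: v1\r\n"
    "X-XSS-Protection: 0\r\n"
    "Content-Security-Policy-Report-Only: default-src https: data: "
    "'unsafe-inline' 'unsafe-eval'; frame-src https://* about: javascript:; "
    "img-src data:\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw):
    """Parse an HTTP/1.x head into {lowercase name: value}.

    The status line is skipped, parsing stops at the first blank line, and a
    repeated header is joined with ', ' as a combined field value.
    """
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break
        if ":" not in line:
            continue  # not a header line; ignore rather than abort
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return headers


def uncommon_headers(headers, known=KNOWN_HEADERS):
    """Headers that would be reported as 'uncommon' because the list does not know them."""
    return sorted(name for name in headers if name not in known)


def xss_protection_status(headers):
    """Classify X-XSS-Protection: absent, disabled (0), enabled, enabled-block."""
    value = headers.get("x-xss-protection")
    if value is None:
        return "absent"
    parts = [p.strip().lower() for p in value.split(";")]
    if parts[0] == "0":
        return "disabled"
    if parts[0] == "1":
        return "enabled-block" if "mode=block" in parts[1:] else "enabled"
    return "unrecognised"


def csp_findings(headers):
    """(header, directive, weak sources, report_only) for each weak CSP directive."""
    findings = []
    for name in ("content-security-policy", "content-security-policy-report-only"):
        policy = headers.get(name)
        if policy is None:
            continue
        report_only = name.endswith("-report-only")
        for directive in policy.split(";"):
            tokens = directive.split()
            if not tokens:
                continue
            dname = tokens[0].lower()
            weak = [t for t in tokens[1:]
                    if t.lower() in WEAK_SOURCES
                    or (t.lower() == "data:" and dname in SCRIPT_DIRECTIVES)]
            if weak:
                findings.append((name, dname, weak, report_only))
    return findings


def review(raw):
    """Run all three checks over one response head and return the combined result."""
    headers = parse_headers(raw)
    return {
        "uncommon": uncommon_headers(headers),
        "xss_protection": xss_protection_status(headers),
        "csp": csp_findings(headers),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

On the sample, only the made-up X-Example-Header is reported as uncommon, X-XSS-Protection comes back as disabled, and the policy yields two findings (default-src and frame-src); the img-src data: directive is deliberately not flagged, since data: only matters in script-capable directives. Every finding carries report_only=True, which is the detail a reviewer needs: a report-only policy logs violations but blocks nothing.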