3

I have a problem with the Nikto Web Scanner.

I would like to scan a site, but Nikto returned the response with an HTTP 403 status code (screenshot: Nikto HTTP Response).

After that I tried to change the USERAGENT in nikto.conf. Nikto now returns an HTTP 200 status code for the first few requests, but the following requests return HTTP 404 status codes (and after that no status codes are returned at all) (screenshot).

The following shows the Nikto scan result (screenshot: Nikto Result).

What exactly is happening in between? How can I get a normal scan using Nikto?

Traveller

2 Answers

1

Your site seems to be using Incapsula (as the x-cdn header says), which obfuscates the site's content using proprietary obfuscation technology to defend against scrapers. As part of their obfuscation, they actually put parts of the page's contents in those random-looking HTTP headers, which are then used by the client-side JavaScript to reconstruct the page.

The message Nikto gives is more of a notice/info and in this case doesn't reveal any vulnerability: the X-cdn header tells you the site is using Incapsula, but that can already be known by looking up where the DNS record is pointing; the X-iinfo header shows Incapsula-specific info about which one of their servers served the request; and the remaining headers are just normal obfuscation.

André Borie
  • FWIW, Nikto reports *uncommon header* if a header is not in its `db_headers` file. What's also happening though is that Incapsula are issuing cookies with [invalid data](https://tools.ietf.org/html/rfc6265#section-4.1.1) that a browser will accept but the bundled LW2 (libwhisker) will not. – mr.spuratic Dec 14 '15 at 11:46
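The comment above points at cookies that a lenient browser accepts but a strict client rejects. As an added example (not code from this thread, from Nikto or from libwhisker), the following Python checker tests Set-Cookie header values captured in an intercepting proxy against the strict RFC 6265 section 4.1.1 grammar, so you can see which cookies a strict parser would refuse; the sample header values are constructed.

```python
"""Check Set-Cookie values against the strict RFC 6265 section 4.1.1 grammar.
Browsers parse cookies leniently; a strict client may drop a cookie that
violates this grammar, which can break a scan part-way through a session."""
import re

# cookie-octet (RFC 6265 4.1.1): printable US-ASCII minus CTLs, SP, DQUOTE,
# comma, semicolon and backslash.
_COOKIE_OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]"
# cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
_COOKIE_VALUE_RE = re.compile(rf'^(?:{_COOKIE_OCTET}*|"{_COOKIE_OCTET}*")$')
# cookie-name is an RFC 2616 token: no CTLs and none of the separator chars.
_TOKEN_RE = re.compile(r'^[^\x00-\x20\x7F()<>@,;:\\"/\[\]?={}]+$')


def check_set_cookie(header_value: str) -> dict:
    """Report on one Set-Cookie header value: name, value, valid, problems."""
    problems = []
    # First ';'-delimited part is the cookie-pair; the rest are attributes.
    pair, *attrs = header_value.split(";")
    if "=" not in pair:
        return {"name": None, "value": pair.strip(), "valid": False,
                "problems": ["missing '=' in cookie-pair"]}
    name, _, value = pair.partition("=")
    name, value = name.strip(), value.strip()
    if not name:
        problems.append("empty cookie-name")
    elif not _TOKEN_RE.match(name):
        problems.append(f"cookie-name {name!r} is not an RFC 2616 token")
    if not _COOKIE_VALUE_RE.match(value):
        bad = sorted({c for c in value
                      if c != '"' and not re.fullmatch(_COOKIE_OCTET, c)})
        if bad:
            problems.append(f"cookie-value has non-cookie-octet chars: {bad!r}")
        else:
            problems.append("cookie-value has unbalanced or embedded DQUOTE")
    for attr in attrs:
        if not attr.strip():
            problems.append("empty attribute (stray ';')")
    return {"name": name, "value": value, "valid": not problems,
            "problems": problems}


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",   # strictly valid
    "visid=a b,c=d; Path=/",              # SP and comma inside the value
    'tok="ab"c; Secure',                  # DQUOTE not wrapping whole value
]


def report(headers=SAMPLE_HEADERS) -> list:
    """Run the check over a list of Set-Cookie values."""
    return [check_set_cookie(h) for h in headers]
```

Feed it the Set-Cookie lines from the proxy capture; any entry with valid False is a cookie a strict client may silently drop, which explains later requests arriving without a session.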
0

What exactly is happening in between?

Have you tried proxying Nikto requests through an intercepting proxy (Fiddler, Burp, etc.)?

How can I get a normal scan using Nikto?

Nikto typically throws out false positives, and it is better to tune it. Nikto is normally good at identifying default web pages, admin interfaces, logging interfaces, etc. However, I wouldn't use Nikto to find any injection attack. Here is how I run it while skipping injection scans:

nikto -Tuning x4 -host [HOSTS.txt] -port 80 -Format htm -o [OUTPUT.htm]
Dr. mattle
  • Thanks @mattle. I tried proxying Nikto through Burp (updated the thread). AFAIK, Nikto's default User-Agent string is "USERAGENT=Mozilla/5.00 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)". Web Application Firewalls (WAFs) may block Nikto scans with this User-Agent. So I guess the problem may be the USERAGENT string? Or I need a way to bypass? – Traveller Sep 15 '15 at 04:48
  • @TianneChu Yes, the User-Agent is usually the first place most IPS or WAF systems look to detect 'malicious' requests. There are many other places that are also checked, including the request pattern and the time between consecutive requests. Popular tools like Nikto are very easy to block if there is a WAF in place, so I suggest verifying that (with your customer). Alternatively, try the [-evasion](https://cirt.net/nikto2-docs/options.html#id2741238) option to see if it is going to affect the responses from the server. – Dr. mattle Sep 15 '15 at 22:53
  • Thanks for your valuable information. I will have a look at it and probably update my result later. Cheers! – Traveller Sep 16 '15 at 09:04