back out that state initialization until it can be further explored

sullo · Oct 30, 2024 · badb856 · badb856
1 parent dd191f7
commit badb856
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 18 deletions.
diff --git a/program/databases/db_headers → program/databases/db_headers_common b/program/databases/db_headers → program/databases/db_headers_common
diff --git a/program/nikto.pl b/program/nikto.pl
@@ -1,6 +1,5 @@
 #!/usr/bin/env perl
 use strict;
-use feature 'state';
 
 ###############################################################################
 # Modules are now loaded in a function so errors can be trapped and evaluated

diff --git a/program/plugins/nikto_core.plugin b/program/plugins/nikto_core.plugin
@@ -1637,7 +1637,7 @@ sub check_dbs {
             $ctr--;
             nprint("\t$ctr entries");
         }
-        elsif ($file =~ /u?db_headers/) {
+        elsif ($file =~ /u?db_headers_(common|suggested)/) {
             my $ctr = 0;
             my %HEADERS;
             foreach $line (<IN>) {
@@ -2745,7 +2745,7 @@ sub set_scan_items {
 # extract IP like strings and return an array
 sub get_ips {
     my $string =shift || return;
-    state $ip_regex = qr/(?:\b|[^0-9v])($LW2::IPv4_re|$LW2::IPv6_re_inc_zoneid)(?:\b|[^0-9])/;
+    my $ip_regex = qr/(?:\b|[^0-9v])($LW2::IPv4_re|$LW2::IPv6_re_inc_zoneid)(?:\b|[^0-9])/;
     return $string =~ /$ip_regex/g;
 }
 

diff --git a/program/plugins/nikto_headers.plugin b/program/plugins/nikto_headers.plugin
@@ -18,7 +18,7 @@
 # PURPOSE:
 # General HTTP headers checks
 ###############################################################################
-use vars qw/$HEADERSDB/;
+use vars qw/$HEADERSDB %HEADERSSUG/;
 
 sub nikto_headers_init {
     my $id = {
@@ -42,7 +42,8 @@ sub nikto_headers_init {
 }
 
 sub nikto_headers_load {
-    $HEADERSDB = init_db("db_headers");
+    $HEADERSDB = init_db("db_headers_common");
+    $HEADERSSUG = init_db("db_headers_suggested")
 }
 
 sub nikto_headers_postfetch {
@@ -52,19 +53,20 @@ sub nikto_headers_postfetch {
     # Skip OPTIONS
     return if $request->{'whisker'}{'method'} eq "OPTIONS";
 
+    # These headers are very common but unlikely to be useful, so we can quickly skip them
+    my %skip_headers = map { $_ => 1 } qw(
+        whisker
+        date
+        content-type
+        content-length
+        connection
+        x-mod-pagespeed
+        x-page-speed
+    );
+
     # look for internal IPs
     foreach my $header (keys %$result) {
-
-        # skip some headers unlikely to have security implications, for speed
-        if    ($header eq 'whisker')         { next; }
-        elsif ($header eq 'date')            { next; }
-        elsif ($header eq 'content-type')    { next; }
-        elsif ($header eq 'content-length')  { next; }
-        elsif ($header eq 'connection')      { next; }
-        elsif ($header eq 'x-mod-pagespeed') { next; }
-        elsif ($header eq 'x-page-speed')    { next; }
-        elsif (defined $HFOUND{$header})     { next; }
-
+        next if exists $skip_headers{$header} || exists $HFOUND{$header};
         next if $header eq 'server'       && substr($result->{$header}, 0, 8) eq 'WebSEAL/';
         next if $header eq 'x-powered-by' && $result->{$header} =~ /Oracle GlassFish Server [0-9]/;
 
@@ -146,15 +148,15 @@ sub nikto_headers_postfetch {
         }
     }
 
-    # Look for X-Frame-Options
+    # Look for X-Frame-Options - Deprecated
     if (!$XFRAME{ $mark->{hostname} }{ $mark->{port} } 
 	&& defined $result->{'whisker'}->{'code'} 
 	&& $result->{'whisker'}->{'code'} == 200) {
         if (defined $result->{'x-frame-options'}) {
                 add_vulnerability(
                     $mark,
                     $request->{'whisker'}{'uri'}
-                      . ":X-Frame-Options header is deprecated and has been replaced with the Content-Security-Policy HTTP header with the frame-ancestors directive instead.",
+                      . ":X-Frame-Options header is deprecated and was replaced with the Content-Security-Policy HTTP header with the frame-ancestors directive instead.",
                     999978,
                     "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
                     $request->{'whisker'}->{'method'},
@@ -166,6 +168,21 @@ sub nikto_headers_postfetch {
         }
     }
 
+    # Look for Expect-CT - Deprecated
+   if (defined $result->{'expect-ct'} && $HFOUND{'expect-ct'} != 1) {
+        add_vulnerability(
+            $mark,
+            $request->{'whisker'}{'uri'} . ": The Expect-CT header is deprecated and was replaced with Signed Certificate Timestamps (SCTs).",
+            "011379",
+            "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT",
+            $request->{'whisker'}->{'method'},
+            $request->{'whisker'}->{'uri'},
+            $request,
+            $result
+            );
+        $HFOUND{'expect-ct'} = 1;
+    }
+
     # Incapsula WAF
     if (   defined $result->{'x-cdn'}
         && ($result->{'x-cdn'} == "Incapsula")
@@ -546,6 +563,8 @@ sub nikto_headers {
                      '/aspnet_client',                 '/PowerShell'
                      ) {
 
+        return if $mark->{'terminate'};
+
         my ($res, $content, $errors, $request, $result) =
           nfetch($mark, $uri, "GET", "", \%locheaders, \%locflags, "headers: HTTP 1.0 internal IP",
                  "1.0");
@@ -718,5 +737,8 @@ sub nikto_headers {
             );
     }
 
+    #######################################################################
+    # Missing suggested headers
+    print "called once\n";
 }
 1;