
Commit 2b278d1

authored
[Nikto parser] Fix severity and add more unit tests (DefectDojo#4357)
* Fix severity in the XML function to match the JSON function * Fix parser * Add another XML report
1 parent 8011d21 commit 2b278d1


5 files changed

+355
-36
lines changed


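--- a/dojo/tools/nikto/parser.py
+++ b/dojo/tools/nikto/parser.py
@@ -1,12 +1,11 @@
 
 import hashlib
+import json
 import logging
 import re
-import hyperlink
-import json
 
+import hyperlink
 from defusedxml import ElementTree as ET
-
 from dojo.models import Endpoint, Finding
 
 logger = logging.getLogger(__name__)
@@ -109,7 +108,7 @@ def process_scandetail(self, scan, test, dupes):
         for item in scan.findall('item'):
             # Title
             titleText = None
-            description = item.find("description").text
+            description = item.findtext("description")
             # Cut the title down to the first sentence
             sentences = re.split(
                 r'(?<!\w\.\w.)(?<![A-Z][a-z]\.)(?<=\.|\?)\s', description)
@@ -118,47 +117,50 @@ def process_scandetail(self, scan, test, dupes):
             else:
                 titleText = description[:900]
 
-            # Url
-            ip = item.find("iplink").text
-            # Remove the port numbers for 80/443
-            ip = ip.replace(r":['80']{2}\/?$", "")
-            ip = ip.replace(r":['443']{3}\/?$", "")
-
-            # Severity
-            severity = "Info" # Nikto doesn't assign severity, default to Info
-
             # Description
             description = "\n".join([
-                f"**Host:** `{ip}`",
-                f"**Description:** `{item.find('description').text}`",
-                f"**HTTP Method:** `{item.attrib['method']}`",
+                f"**Host:** `{item.findtext('iplink')}`",
+                f"**Description:** `{item.findtext('description')}`",
+                f"**HTTP Method:** `{item.attrib.get('method')}`",
             ])
 
-            url = hyperlink.parse(ip)
-            endpoint = Endpoint(
-                protocol=url.scheme,
-                host=url.host,
-                port=url.port,
-                path="/".join(url.path),
+            # Manage severity the same way with JSON
+            severity = "Info" # Nikto doesn't assign severity, default to Info
+            if item.get('osvdbid') is not None and "0" != item.get('osvdbid'):
+                severity = "Medium"
+
+            finding = Finding(
+                title=titleText,
+                test=test,
+                description=description,
+                severity=severity,
+                dynamic_finding=True,
+                static_finding=False,
+                vuln_id_from_tool=item.attrib.get('id'),
+                nb_occurences=1,
             )
 
+            # endpoint
+            try:
+                ip = item.findtext("iplink")
+                url = hyperlink.parse(ip)
+                endpoint = Endpoint(
+                    protocol=url.scheme,
+                    host=url.host,
+                    port=url.port,
+                    path="/".join(url.path),
+                )
+                finding.unsaved_endpoints = [endpoint]
+            except ValueError as exce:
+                logger.warn("Invalid iplink in the report")
+
             dupe_key = hashlib.sha256(description.encode("utf-8")).hexdigest()
 
             if dupe_key in dupes:
-                finding = dupes[dupe_key]
-                if finding.description:
-                    finding.description = finding.description + "\nHost:" + ip + "\n" + description
-                finding.unsaved_endpoints.append(endpoint)
-                finding.nb_occurences += 1
+                find = dupes[dupe_key]
+                find.description += "\n-----\n" + finding.description
+                find.unsaved_endpoints.extend(finding.unsaved_endpoints)
+                find.nb_occurences += 1
 
             else:
-                finding = Finding(title=titleText,
-                                  test=test,
-                                  description=description,
-                                  severity=severity,
-                                  dynamic_finding=True,
-                                  nb_occurences=1,
-                                  )
-                finding.unsaved_endpoints = [endpoint]
-
                 dupes[dupe_key] = finding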
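Review bot: The `except ValueError as exce:` handler added at the end of the endpoint block uses the deprecated `logger.warn` alias, never uses `exce`, and logs nothing that identifies the skipped item; `logger.warning("Invalid iplink %r in item %s", ip, item.attrib.get('id'))` with the `as exce` dropped would keep the record actionable. `findtext` returns None when the element is absent, so a missing `<iplink>` reaches `hyperlink.parse(None)` and a missing `<description>` reaches `re.split` in the previous hunk; neither failure is presumably a ValueError, so the new handler would not catch them, and the fixture value `http://:/favicon.ico` exercises only the malformed-URL case. When the parse does fail, `finding.unsaved_endpoints` is never assigned here, and the duplicate branch's `find.unsaved_endpoints.extend(finding.unsaved_endpoints)` relies on the Finding model initialising that attribute, which this hunk cannot confirm. The enclosing `process_scandetail` starts before the hunk.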
Lines changed: 103 additions & 0 deletions
@@ -0,0 +1,103 @@
1+
<?xml version="1.0" ?>
2+
<!DOCTYPE niktoscan SYSTEM "/usr/share/doc/nikto/nikto.dtd">
3+
<niktoscan hoststest="0" options="-h 127.0.0.1 -p 8070 -output nikto-output.xml" version="2.1.5" scanstart="Mon Nov 16 03:45:06 2020" scanend="Wed Dec 31 19:00:00 1969" scanelapsed=" seconds" nxmlversion="1.2">
4+
5+
<scandetails targetip="127.0.0.1" targethostname="localhost" targetport="8070" targetbanner="" starttime="2020-11-16 03:45:07" sitename="http://localhost:8070" siteip="http://127.0.0.1:8070" hostheader="localhost" errors="0" checks="6544">
6+
7+
8+
<item id="999976" osvdbid="0" osvdblink="http://osvdb.org/0" method="GET">
9+
<description><![CDATA[The anti-clickjacking X-Frame-Options header is not present.]]></description>
10+
<uri><![CDATA[/]]></uri>
11+
<namelink><![CDATA[http://localhost:8070/]]></namelink>
12+
<iplink><![CDATA[http://127.0.0.1:8070/]]></iplink>
13+
</item>
14+
15+
<item id="999984" osvdbid="0" osvdblink="http://osvdb.org/0" method="GET">
16+
<description><![CDATA[Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0xW/21630 0x1602011686000 ]]></description>
17+
<uri><![CDATA[/favicon.ico]]></uri>
18+
<namelink><![CDATA[http://localhost:8070/favicon.ico]]></namelink>
19+
<iplink><![CDATA[http://127.0.0.1:8070/favicon.ico]]></iplink>
20+
</item>
21+
22+
<item id="500008" osvdbid="39272" osvdblink="http://osvdb.org/39272" method="GET">
23+
<description><![CDATA[favicon.ico file identifies this server as: Apache Tomcat]]></description>
24+
<uri><![CDATA[/favicon.ico]]></uri>
25+
<namelink><![CDATA[]]></namelink>
26+
<iplink><![CDATA[http://:/favicon.ico]]></iplink>
27+
</item>
28+
29+
<item id="999990" osvdbid="0" osvdblink="http://osvdb.org/0" method="OPTIONS">
30+
<description><![CDATA[Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS ]]></description>
31+
<uri><![CDATA[/]]></uri>
32+
<namelink><![CDATA[http://localhost:8070/]]></namelink>
33+
<iplink><![CDATA[http://127.0.0.1:8070/]]></iplink>
34+
</item>
35+
36+
<item id="999978" osvdbid="397" osvdblink="http://osvdb.org/397" method="GET">
37+
<description><![CDATA[HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.]]></description>
38+
<uri><![CDATA[/]]></uri>
39+
<namelink><![CDATA[http://localhost:8070/]]></namelink>
40+
<iplink><![CDATA[http://127.0.0.1:8070/]]></iplink>
41+
</item>
42+
43+
<item id="999976" osvdbid="5646" osvdblink="http://osvdb.org/5646" method="GET">
44+
<description><![CDATA[HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.]]></description>
45+
<uri><![CDATA[/]]></uri>
46+
<namelink><![CDATA[http://localhost:8070/]]></namelink>
47+
<iplink><![CDATA[http://127.0.0.1:8070/]]></iplink>
48+
</item>
49+
50+
<item id="000366" osvdbid="0" osvdblink="http://osvdb.org/0" method="GET">
51+
<description><![CDATA[/examples/servlets/index.html: Apache Tomcat default JSP pages present.]]></description>
52+
<uri><![CDATA[/examples/servlets/index.html]]></uri>
53+
<namelink><![CDATA[http://localhost:8070/examples/servlets/index.html]]></namelink>
54+
<iplink><![CDATA[http://127.0.0.1:8070/examples/servlets/index.html]]></iplink>
55+
</item>
56+
57+
<item id="000834" osvdbid="3931" osvdblink="http://osvdb.org/3931" method="GET">
58+
<description><![CDATA[/myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent: myphpnuke is vulnerable to Cross Site Scripting (XSS). CA-2000-02.]]></description>
59+
<uri><![CDATA[/myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent]]></uri>
60+
<namelink><![CDATA[http://localhost:8070/myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent]]></namelink>
61+
<iplink><![CDATA[http://127.0.0.1:8070/myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent]]></iplink>
62+
</item>
63+
64+
<item id="000863" osvdbid="4598" osvdblink="http://osvdb.org/4598" method="GET">
65+
<description><![CDATA[/members.asp?SF=%22;}alert(223344);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). CA-2000-02.]]></description>
66+
<uri><![CDATA[/members.asp?SF=%22;}alert(223344);function%20x(){v%20=%22]]></uri>
67+
<namelink><![CDATA[http://localhost:8070/members.asp?SF=%22;}alert(223344);function%20x(){v%20=%22]]></namelink>
68+
<iplink><![CDATA[http://127.0.0.1:8070/members.asp?SF=%22;}alert(223344);function%20x(){v%20=%22]]></iplink>
69+
</item>
70+
71+
<item id="000888" osvdbid="2946" osvdblink="http://osvdb.org/2946" method="GET">
72+
<description><![CDATA[/forum_members.asp?find=%22;}alert(9823);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). CA-2000-02.]]></description>
73+
<uri><![CDATA[/forum_members.asp?find=%22;}alert(9823);function%20x(){v%20=%22]]></uri>
74+
<namelink><![CDATA[http://localhost:8070/forum_members.asp?find=%22;}alert(9823);function%20x(){v%20=%22]]></namelink>
75+
<iplink><![CDATA[http://127.0.0.1:8070/forum_members.asp?find=%22;}alert(9823);function%20x(){v%20=%22]]></iplink>
76+
</item>
77+
78+
<item id="999960" osvdbid="0" osvdblink="http://osvdb.org/0" method="GET">
79+
<description><![CDATA[Cookie JSESSIONID created without the httponly flag]]></description>
80+
<uri><![CDATA[/examples/jsp/snp/snoop.jsp]]></uri>
81+
<namelink><![CDATA[http://localhost:8070/examples/jsp/snp/snoop.jsp]]></namelink>
82+
<iplink><![CDATA[http://127.0.0.1:8070/examples/jsp/snp/snoop.jsp]]></iplink>
83+
</item>
84+
85+
<item id="001355" osvdbid="3720" osvdblink="http://osvdb.org/3720" method="GET">
86+
<description><![CDATA[/examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.]]></description>
87+
<uri><![CDATA[/examples/jsp/snp/snoop.jsp]]></uri>
88+
<namelink><![CDATA[http://localhost:8070/examples/jsp/snp/snoop.jsp]]></namelink>
89+
<iplink><![CDATA[http://127.0.0.1:8070/examples/jsp/snp/snoop.jsp]]></iplink>
90+
</item>
91+
92+
<item id="006525" osvdbid="0" osvdblink="http://osvdb.org/0" method="GET">
93+
<description><![CDATA[/manager/html: Default Tomcat Manager interface found]]></description>
94+
<uri><![CDATA[/manager/html]]></uri>
95+
<namelink><![CDATA[http://localhost:8070/manager/html]]></namelink>
96+
<iplink><![CDATA[http://127.0.0.1:8070/manager/html]]></iplink>
97+
</item>
98+
99+
<statistics elapsed="37" itemsfound="12" itemstested="6544" endtime="2020-11-16 03:45:44" />
100+
</scandetails>
101+
102+
103+
</niktoscan>
Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,64 @@
1+
{
2+
"host": "www.tdh.com",
3+
"ip": "64.220.43.153",
4+
"port": "443",
5+
"banner": "nginx",
6+
"vulnerabilities": [
7+
{
8+
"id": "999100",
9+
"OSVDB": "0",
10+
"method": "GET",
11+
"url": "/",
12+
"msg": "Uncommon header 'x-cacheable' found, with contents: YES"
13+
},
14+
{
15+
"id": "999100",
16+
"OSVDB": "0",
17+
"method": "GET",
18+
"url": "/",
19+
"msg": "Uncommon header 'x-cache' found, with contents: HIT"
20+
},
21+
{
22+
"id": "999100",
23+
"OSVDB": "0",
24+
"method": "GET",
25+
"url": "/tldH5dDP.",
26+
"msg": "Uncommon header 'x-redirect-by' found, with contents: WordPress"
27+
},
28+
{
29+
"id": "999997",
30+
"OSVDB": "0",
31+
"method": "GET",
32+
"url": "/wp-admin/",
33+
"msg": "Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)"
34+
},
35+
{
36+
"id": "999996",
37+
"OSVDB": "0",
38+
"method": "GET",
39+
"url": "/robots.txt",
40+
"msg": "\"robots.txt\" contains 2 entries which should be manually viewed."
41+
},
42+
{
43+
"id": "999966",
44+
"OSVDB": "0",
45+
"method": "GET",
46+
"url": "/",
47+
"msg": "The Content-Encoding header is set to \"deflate\" this may mean that the server is vulnerable to the BREACH attack."
48+
},
49+
{
50+
"id": "999967",
51+
"OSVDB": "0",
52+
"method": "SOWBGYUF",
53+
"url": "/",
54+
"msg": "Web Server returns a valid response with junk HTTP methods, this may cause false positives."
55+
},
56+
{
57+
"id": "700007",
58+
"OSVDB": "0",
59+
"method": "GET",
60+
"url": "/status",
61+
"msg": "Default account found for 'Restricted' at /status (ID '', PW 'cisco'). Cisco device."
62+
}
63+
]
64+
}
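Review bot: This JSON report and `dojo/unittests/scans/nikto/tdh.xml` below embed what looks like a real public hostname and address (`www.tdh.com`, `64.220.43.153`), and the XML copy adds the site's certificate issuer details, so the repository now attributes scan results to a third-party site. Unless that host is known to belong to the project, the fixtures should use a reserved name and address (for example an `example.com` host and an RFC 5737 documentation address), since the parser tests only need the report structure, not the original target.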

dojo/unittests/scans/nikto/tdh.xml

Lines changed: 57 additions & 0 deletions
@@ -0,0 +1,57 @@
1+
<?xml version="1.0" ?>
2+
<!DOCTYPE niktoscan SYSTEM "docs/nikto.dtd">
3+
<niktoscan>
4+
<niktoscan hoststest="0" options="-h https://www.tdh.com -o /tmp/tdh.xml" version="2.1.6" scanstart="Mon Apr 26 08:33:14 2021" scanend="Thu Jan 1 00:00:00 1970" scanelapsed=" seconds" nxmlversion="1.2">
5+
6+
<scandetails targetip="64.220.43.153" targethostname="www.tdh.com" targetport="443" targetbanner="nginx" starttime="2021-04-26 08:33:16" sitename="https://www.tdh.com:443/" siteip="https://64.220.43.153:443/" hostheader="www.tdh.com" errors="0" checks="6955">
7+
<ssl ciphers="TLS_AES_128_GCM_SHA256" issuers="/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA" info="/CN=tdh.com" altnames="tdh.com, www.tdh.com" />
8+
9+
<item id="999100" osvdbid="0" osvdblink="" method="GET">
10+
<description><![CDATA[Uncommon header 'x-cache' found, with contents: HIT]]></description>
11+
<uri><![CDATA[/]]></uri>
12+
<namelink><![CDATA[https://www.tdh.com:443/]]></namelink>
13+
<iplink><![CDATA[https://64.220.43.153:443/]]></iplink>
14+
</item>
15+
16+
<item id="999100" osvdbid="0" osvdblink="" method="GET">
17+
<description><![CDATA[Uncommon header 'x-cacheable' found, with contents: YES]]></description>
18+
<uri><![CDATA[/]]></uri>
19+
<namelink><![CDATA[https://www.tdh.com:443/]]></namelink>
20+
<iplink><![CDATA[https://64.220.43.153:443/]]></iplink>
21+
</item>
22+
23+
<item id="999100" osvdbid="0" osvdblink="" method="GET">
24+
<description><![CDATA[Uncommon header 'x-redirect-by' found, with contents: WordPress]]></description>
25+
<uri><![CDATA[/iqeVqbOU.]]></uri>
26+
<namelink><![CDATA[https://www.tdh.com:443/iqeVqbOU.]]></namelink>
27+
<iplink><![CDATA[https://64.220.43.153:443/iqeVqbOU.]]></iplink>
28+
</item>
29+
30+
<item id="999997" osvdbid="0" osvdblink="" method="GET">
31+
<description><![CDATA[Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)]]></description>
32+
<uri><![CDATA[/wp-admin/]]></uri>
33+
<namelink><![CDATA[https://www.tdh.com:443/wp-admin/]]></namelink>
34+
<iplink><![CDATA[https://64.220.43.153:443/wp-admin/]]></iplink>
35+
</item>
36+
37+
<item id="999996" osvdbid="0" osvdblink="" method="GET">
38+
<description><![CDATA["robots.txt" contains 2 entries which should be manually viewed.]]></description>
39+
<uri><![CDATA[/robots.txt]]></uri>
40+
<namelink><![CDATA[https://www.tdh.com:443/robots.txt]]></namelink>
41+
<iplink><![CDATA[https://64.220.43.153:443/robots.txt]]></iplink>
42+
</item>
43+
44+
<item id="999966" osvdbid="0" osvdblink="" method="GET">
45+
<description><![CDATA[The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.]]></description>
46+
<uri><![CDATA[/]]></uri>
47+
<namelink><![CDATA[https://www.tdh.com:443/]]></namelink>
48+
<iplink><![CDATA[https://64.220.43.153:443/]]></iplink>
49+
</item>
50+
51+
<statistics elapsed="1619427130" itemsfound="" itemstested="6955" endtime="2021-04-26 08:52:10" />
52+
</scandetails>
53+
54+
</niktoscan>
55+
56+
57+
</niktoscan>
