
Enhancement: Allowed HTTP Methods: OPTIONS, HEAD, GET, POST #732

Open
Linuxfabrik opened this issue Jul 5, 2021 · 4 comments

Comments

@Linuxfabrik

Linuxfabrik commented Jul 5, 2021

Expected behavior

For example, we disabled all HTTP methods except for GET and OPTIONS. Nikto then should print + Allowed HTTP Methods: OPTIONS, GET.

Actual behavior

+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST. This is wrong.

Steps to reproduce

Apache:

    <IfModule rewrite_module>
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} !^(GET|OPTIONS)
        RewriteRule .* - [R=405,L]
    </IfModule>

curl: curl --verbose -X POST http://myserver: HTTP/1.1 405 Method Not Allowed

Nikto: + Allowed HTTP Methods: OPTIONS, HEAD, GET, POST

Nikto version

Nikto Versions
---------------------------------------------------------------------------
File                               Version      Last Mod
-----------------------------      --------     ----------
Nikto main                         2.1.6
LibWhisker                         2.5
db_404_strings                     2.003        
db_content_search                  2.000        
         nary                      1.0
db_dir_traversal                   2.1.6        
db_domino                          2.1.6        
db_drupal                          1.00         
db_embedded                        2.004        
db_favicon                         2.010        
db_headers                         2.008        
db_httpoptions                     2.002        
db_multiple_index                  2.005        
db_outdated                        2.017        
db_parked_strings                  2.001        
db_realms                          2.002        
db_server_msgs                     2.006        
db_tests                           2.021        
db_variables                       2.004        
nikto_apache_expect_xss.plugin     2.04         
nikto_apacheusers.plugin           2.06         
nikto_auth.plugin                  2.04         
nikto_cgi.plugin                   2.06         
nikto_clientaccesspolicy.plugin    1.00         
nikto_content_search.plugin        2.05         
nikto_cookies.plugin               2.05         
nikto_core.plugin                  2.1.5        
nikto_dictionary_attack.plugin     2.04         
nikto_dir_traversal.plugin         2.1.6        
nikto_dishwasher.plugin            2.20         
nikto_docker_registry.plugin       2.20         
nikto_domino.plugin                2.1.6        
nikto_drupal.plugin                1.00         
nikto_embedded.plugin              2.07         
nikto_favicon.plugin               2.09         
nikto_fileops.plugin               1.00         
nikto_headers.plugin               2.11         
nikto_httpoptions.plugin           2.10         
nikto_ms10_070.plugin              1.00         
nikto_msgs.plugin                  2.07         
nikto_multiple_index.plugin        2.03         
nikto_negotiate.plugin             2.00         
nikto_origin_reflection.plugin     2.01         
nikto_outdated.plugin              2.09         
nikto_parked.plugin                2.00         
nikto_paths.plugin                 2.00         
nikto_put_del_test.plugin          2.04         
nikto_report_csv.plugin            2.07         
nikto_report_html.plugin           2.06         
nikto_report_json.plugin           2.00         
nikto_report_nbe.plugin            2.02         
nikto_report_sqlg.plugin           2.00         
nikto_report_text.plugin           2.05         
nikto_report_xml.plugin            2.06         
nikto_robots.plugin                2.06         
nikto_shellshock.plugin            2.01         
nikto_siebel.plugin                1.00         
nikto_sitefiles.plugin             2.00         
nikto_ssl.plugin                   2.01         
nikto_strutshock.plugin            2.01         
nikto_tests.plugin                 2.04 
@Linuxfabrik Linuxfabrik added the bug label Jul 5, 2021
@Linuxfabrik Linuxfabrik changed the title from "Bug: + Allowed HTTP Methods: OPTIONS, HEAD, GET, POST" to "Bug: Allowed HTTP Methods: OPTIONS, HEAD, GET, POST" Jul 5, 2021
@tautology0
Collaborator

Nikto takes this from the response to both:

    OPTIONS / HTTP/1.1
    OPTIONS * HTTP/1.1

So it looks like Apache is closing down the method, but still reporting it on OPTIONS.

There could be a case for an enhancement to try the actual method; but this wouldn't be a priority.

@tautology0 tautology0 added enhancement and removed bug labels Jul 5, 2021
@sullo sullo changed the title from "Bug: Allowed HTTP Methods: OPTIONS, HEAD, GET, POST" to "Enhancement: Allowed HTTP Methods: OPTIONS, HEAD, GET, POST" Jul 10, 2021
@Linuxfabrik
Author

Yes, on Apache, an OPTIONS request always returns Allow: GET,POST,OPTIONS,HEAD, which does not fit when using RewriteRules to forbid some methods. So for a scanner, actually testing CONNECT|DELETE|GET|HEAD|OPTIONS|PATCH|POST|PUT would be a good idea.

@sullo
Owner

sullo commented Jul 19, 2021

I'm wondering if the OPTIONS * check should be removed? My hesitation on this has always been that we don't know what sub-URLs might have a different option enabled, e.g., /uploads might be the only spot that allows PUT.

@Linuxfabrik
Author

IMHO from a security scanner perspective, you can't trust what OPTIONS returns.

As seen above, OPTIONS might not match at all if RewriteRules are used to allow/disallow different HTTP methods on specific URLs, for example. It gets even more complicated in CORS, which sends preflight requests with the OPTIONS method and requests permissions using additional headers.
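The check the reporter proposes (send each method and look at the real status instead of trusting the Allow header on OPTIONS) as an added, self-contained example. This is not Nikto's code and not from any of the participants; the `ApacheLikeHandler` server is a constructed stand-in that reproduces the behaviour in the issue (OPTIONS advertises GET,POST,OPTIONS,HEAD while a RewriteRule-style restriction answers 405 to everything except GET and OPTIONS). The function and variable names are this example's own.

```python
"""Added example (not Nikto's code): find out which HTTP methods a server
really accepts by sending each one, instead of trusting the Allow header
returned for OPTIONS.

A small constructed server emulates the behaviour reported in this issue:
OPTIONS advertises "GET,POST,OPTIONS,HEAD" while a RewriteRule-style
restriction rejects everything except GET and OPTIONS with 405.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The method list proposed in the thread, tested one by one.
METHODS = ["CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]


class ApacheLikeHandler(BaseHTTPRequestHandler):
    """Constructed test double: the Allow header is generic, 405 is the truth."""

    def _reply(self, status, extra_headers=()):
        self.send_response(status)
        for name, value in extra_headers:
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_OPTIONS(self):
        # Apache's default Allow list, unaffected by the RewriteRule.
        self._reply(200, [("Allow", "GET,POST,OPTIONS,HEAD")])

    def do_GET(self):
        self._reply(200)

    # Mirrors: RewriteCond %{REQUEST_METHOD} !^(GET|OPTIONS) -> [R=405,L]
    def _refuse(self):
        self._reply(405, [("Allow", "GET, OPTIONS")])

    do_HEAD = do_POST = do_PUT = do_DELETE = do_PATCH = do_CONNECT = _refuse

    def log_message(self, *_):
        pass  # keep the demo quiet


def _send(host, port, method, path="/"):
    """Issue one request on a fresh connection; return (status, Allow header)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()  # drain the (empty) body so the socket closes cleanly
        return resp.status, resp.getheader("Allow", "")
    finally:
        conn.close()


def methods_from_options(host, port, path="/"):
    """What the server *claims* via the Allow header on OPTIONS."""
    _, allow = _send(host, port, "OPTIONS", path)
    return sorted(m.strip().upper() for m in allow.split(",") if m.strip())


def methods_by_probing(host, port, path="/", methods=METHODS):
    """What the server *actually* accepts: anything not answered 405/501.

    401/403 still count as accepted: the method was understood and routed,
    only authorization failed, which is a different finding."""
    accepted = []
    for method in methods:
        status, _ = _send(host, port, method, path)
        if status not in (405, 501):
            accepted.append(method)
    return sorted(accepted)


def advertised_but_refused(claimed, probed):
    """Methods the Allow header lists but the server refuses in practice."""
    return sorted(set(claimed) - set(probed))


def run_demo():
    """Start the stand-in server on a free port, compare both views, stop it."""
    server = HTTPServer(("127.0.0.1", 0), ApacheLikeHandler)
    host, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        claimed = methods_from_options(host, port)
        probed = methods_by_probing(host, port)
    finally:
        server.shutdown()
        server.server_close()
    return claimed, probed


if __name__ == "__main__":
    claimed, probed = run_demo()
    print("Allow header says     :", ", ".join(claimed))
    print("Probing shows         :", ", ".join(probed))
    print("Advertised but refused:", ", ".join(advertised_but_refused(claimed, probed)))
```

Against the stand-in server the Allow header reports GET, HEAD, OPTIONS and POST while probing finds only GET and OPTIONS, which is exactly the discrepancy between the Nikto output and the curl result in the report. Pointing `methods_from_options` and `methods_by_probing` at a path such as /uploads instead of / addresses the per-URL concern raised above, since the probe is done against the path actually being assessed rather than `OPTIONS *`.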
