[研究]nikto 2.5.0 測試 DVWA 1.10 網站

[研究]nikto 2.5.0 測試 DVWA 1.10 網站

2025-05-09

Kali Linux 2025.3 內建 nikto 2.5.0

[研究] Damn Vulnerable Web App (DVWA) 1.10 滲透測試練習(靶機)平台安裝 (Windows 2025)

https://shaurong.blogspot.com/2025/05/damn-vulnerable-web-app-dvwa-110.html

┌──(kali㉿kali)-[~] └─$ nikto -h https://192.168.128.144/dvwa/ - Nikto v2.5.0 --------------------------------------------------------------------------- + Target IP: 192.168.128.144 + Target Hostname: 192.168.128.144 + Target Port: 443 --------------------------------------------------------------------------- + SSL Info: Subject: /CN=localhost Ciphers: TLS_AES_256_GCM_SHA384 Issuer: /CN=localhost + Start Time: 2025-05-08 22:37:32 (GMT-4) --------------------------------------------------------------------------- + Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 + /dvwa/: Retrieved x-powered-by header: PHP/8.2.12. + /dvwa/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + /dvwa/: The site uses TLS and the Strict-Transport-Security HTTP header is not defined. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security + /dvwa/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/ + /dvwa/: Cookie PHPSESSID created without the secure flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies + /dvwa/: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies + /dvwa/: Cookie security created without the secure flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies + Root page /dvwa redirects to: login.php + No CGI Directories found (use '-C all' to force check all possible dirs) + Hostname '192.168.128.144' does not match certificate's names: localhost. See: https://cwe.mitre.org/data/definitions/297.html + /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing + /dvwa/config/: Directory indexing found. + /dvwa/config/: Configuration information may be available remotely. + /dvwa/docs/: Directory indexing found. + /dvwa/login.php: Admin login page/section found. + /dvwa/.gitignore: .gitignore file found. It is possible to grasp the directory structure. + 8102 requests: 0 error(s) and 14 item(s) reported on remote host + End Time: 2025-05-08 22:39:26 (GMT-4) (114 seconds) --------------------------------------------------------------------------- + 1 host(s) tested ********************************************************************* Portions of the server's headers (Apache/2.4.58 PHP/8.2.12 OpenSSL/3.1.3) are not in the Nikto 2.5.0 database or are newer than the known string. Would you like to submit this information (*no server specific data*) to CIRT.net for a Nikto update (or you may email to sullo@cirt.net) (y/n)? ┌──(kali㉿kali)-[~] └─$

(完)

相關