Checking a website for vulnerabilities: trying out Nikto
Installation
On Debian-based systems it can also be installed with apt-get install nikto
root@debian9:/usr/local/src# wget -d https://cirt.net/nikto/nikto-2.1.5.tar.gz
...
root@debian9:/usr/local/src# tar xzvf nikto-2.1.5.tar.gz
root@debian9:/usr/local/src# cd nikto-2.1.5
root@debian9:/usr/local/src/nikto-2.1.5# chmod +x nikto.pl
### Update the plugins and database ###
root@debian9:/usr/local/src/nikto-2.1.5# ./nikto.pl -update
+ Retrieving 'db_tests'
+ Retrieving 'nikto_cookies.plugin'
+ Retrieving 'nikto_report_csv.plugin'
+ Retrieving 'db_parked_strings'
+ Retrieving 'nikto_headers.plugin'
+ Retrieving 'CHANGES.txt'
+ CIRT.net message: Please submit Nikto bugs to https://github.com/sullo/nikto
Vulnerability scan
A report can be written with the -output option, but I didn't find the report contents particularly meaningful.
Lines that begin with "+ OSVDB" are said to indicate a vulnerability.
OSVDB stands for Open Sourced Vulnerability Database.
root@debian9:/usr/local/src/nikto-2.1.5# ./nikto.pl -h 127.0.0.1 -output result2.txt
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Start Time: 2016-01-31 20:35:25 (GMT9)
---------------------------------------------------------------------------
+ Server: nginx
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'link' found, with contents: <http://tech.akat.info/?rest_route=/>; rel="https://api.w.org/"
+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0x53b024a8 0x13e
+ /fcgi-bin/post-query: Echoes back result of your POST
+ /cgi-exe/post-query: Echoes back result of your POST
+ /cgi-home/post-query: Echoes back result of your POST
+ /cgi-perl/post-query: Echoes back result of your POST
+ /scgi-bin/post-query: Echoes back result of your POST
+ OSVDB-3092: /sitemap.xml: This gives a nice listing of the site content.
+ OSVDB-3092: /lib/: This might be interesting...
+ OSVDB-3092: /linux/: This might be interesting...
+ OSVDB-3092: /status/: This might be interesting...
+ OSVDB-3092: /log/: Ahh...log information...fun!
+ OSVDB-3093: /fcgi-bin/rightfax/fuwww.dll/?: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /cgi-exe/rightfax/fuwww.dll/?: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /cgi-home/rightfax/fuwww.dll/?: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /cgi-perl/rightfax/fuwww.dll/?: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /scgi-bin/rightfax/fuwww.dll/?: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /.htaccess: Contains authorization information
+ OSVDB-5692: /oekaki/: The PaintBBS Server may allow unauthorized access to the config files.
+ OSVDB-3092: /qa/: This might be interesting... potential country code (Qatar)
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Cookie wordpress_test_cookie created without the httponly flag
+ 6545 items checked: 0 error(s) and 23 item(s) reported on remote host
+ End Time: 2016-01-31 20:43:37 (GMT9) (492 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
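As an added example (not part of the original post), a small Python parser for the plain-text output above: it pulls the OSVDB id and path out of each "+" line, separates OSVDB-tagged findings from informational ones, and checks the parsed count against Nikto's own "N item(s) reported" summary line. The sample input is a constructed subset of the scan output shown above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the Nikto 2.1.5 output shown above.
SAMPLE = """\
- Nikto v2.1.5
+ Server: nginx
+ The anti-clickjacking X-Frame-Options header is not present.
+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0x53b024a8 0x13e
+ /fcgi-bin/post-query: Echoes back result of your POST
+ OSVDB-3092: /sitemap.xml: This gives a nice listing of the site content.
+ OSVDB-3092: /lib/: This might be interesting...
+ OSVDB-3093: /.htaccess: Contains authorization information
+ OSVDB-5692: /oekaki/: The PaintBBS Server may allow unauthorized access to the config files.
+ Cookie wordpress_test_cookie created without the httponly flag
+ 6545 items checked: 0 error(s) and 8 item(s) reported on remote host
+ 1 host(s) tested
"""

# "+ [OSVDB-nnnn: ][/path: ]message"; both the OSVDB id and the path are optional.
FINDING = re.compile(r"^\+ (?:(OSVDB-\d+): )?(?:(/\S*): )?(.*)$")
SUMMARY = re.compile(r"^\+ \d+ items checked: \d+ error\(s\) and (\d+) item\(s\) reported")
META = ("Target ", "Server:", "Start Time", "End Time")  # banner lines, not findings

def parse_nikto(text):
    """Return (findings, reported): parsed finding dicts and Nikto's own item count."""
    findings, reported = [], None
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m:
            reported = int(m.group(1))
            break  # everything after the summary line is footer
        m = FINDING.match(line)
        if not m or m.group(3).startswith(META):
            continue
        osvdb, path, message = m.groups()
        findings.append({"osvdb": osvdb, "path": path, "message": message})
    return findings, reported

def by_osvdb(findings):
    """Group findings by OSVDB id; untagged (informational) ones go under 'info'."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["osvdb"] or "info"].append(f["path"] or f["message"])
    return dict(groups)

def count_matches(findings, reported):
    """True when the parser saw every item Nikto says it reported (a sanity check on the parse)."""
    return reported is not None and len(findings) == reported
```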
Remediation
The anti-clickjacking X-Frame-Options header is not present
Add the following to nginx.conf
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
OSVDB-3092 and OSVDB-3093
These list directories and files that may be vulnerable.
Remove sitemap.xml, .htaccess, and the like.
Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0x53b024a8 0x13e
Because the inode is used when generating the ETag, the ETag value changes even when the file itself has not changed, which wastes network bandwidth; so it is apparently better not to use the inode.
I don't know how to fix this... orz