Website vulnerability check

Host OS: Debian GNU/Linux 10.7
Guest OS: FreeBSD 12.2-RELEASE r366954 GENERIC amd64

Check the site with a web vulnerability scanner (Nikto2).

Install it with git.

# git clone https://github.com/sullo/nikto
Cloning into 'nikto'...
remote: Enumerating objects: 44, done.
remote: Counting objects: 100% (44/44), done.
remote: Compressing objects: 100% (33/33), done.
remote: Total 6136 (delta 22), reused 27 (delta 11), pack-reused 6092
Receiving objects: 100% (6136/6136), 4.09 MiB | 2.13 MiB/s, done.
Resolving deltas: 100% (4442/4442), done.

Running the vulnerability check

# cd /usr/local/nikto/program
# ./nikto.pl -h https://www.server-bff.net
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.XXX.XXX
+ Target Hostname:    www.server-bff.net
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /CN=www.server-bff.net
                   Altnames: www.server-bff.net
                   Ciphers:  TLS_AES_256_GCM_SHA384
                   Issuer:   /C=US/O=Let's Encrypt/CN=R3
+ Start Time:         2021-03-10 10:52:30 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ Entry '/administrator/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/bin/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/cache/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/cli/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/components/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
--- omitted ---
+ End Time:           2021-03-10 10:57:43 (GMT9) (313 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Next, work through the findings listed in the report and eliminate them one by one.
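To confirm that each fix actually took effect without re-running the full scan, here is an added Python script (not from the original post or from the Nikto project) that re-checks the two kinds of findings reported above: the missing X-Content-Type-Options header, and robots.txt entries that are still served with a 2xx status instead of being forbidden or redirected. BASE is a placeholder for the site under test.

```python
"""Re-check the two Nikto finding types above after remediation: missing
X-Content-Type-Options, and robots.txt entries that answer 2xx. Constructed example."""
import urllib.error
import urllib.request

BASE = "https://www.example.test"   # placeholder for the site under test

def parse_robots_paths(robots_txt):
    """Return the unique Disallow/Allow paths listed in a robots.txt body."""
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.split("#", 1)[0].partition(":")   # strip comments
        value = value.strip()
        if key.strip().lower() in ("disallow", "allow") and value.startswith("/") \
                and value not in paths:
            paths.append(value)
    return paths

def check_headers(headers):
    """Header findings; Nikto flagged a missing X-Content-Type-Options."""
    lower = {k.lower(): v for k, v in headers.items()}
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        return ["X-Content-Type-Options header is not set to nosniff"]
    return []

def check_robots_entries(statuses):
    """statuses maps path -> HTTP status; a 2xx means the listed path is served."""
    return [path for path, code in statuses.items() if 200 <= code < 300]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None                                   # report 3xx instead of following

def fetch(url):
    """GET without following redirects; return (status, headers, body)."""
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=10) as r:
            return r.status, dict(r.headers), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), ""

if __name__ == "__main__":
    _, headers, _ = fetch(BASE + "/")
    _, _, robots = fetch(BASE + "/robots.txt")
    statuses = {p: fetch(BASE + p)[0] for p in parse_robots_paths(robots)}
    findings = check_headers(headers) + [
        f"Entry '{p}' in robots.txt is still served (HTTP {statuses[p]})"
        for p in check_robots_entries(statuses)]
    print("\n".join("+ " + f for f in findings) or "no findings")
```

An empty output ("no findings") means both Nikto items above have been addressed; any remaining line points at the header or path that still needs work.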


That is all.