Add Custom Header to Nikto Scan

Posted by Brian Cardinale in Penetration Testing, Reference | 0 comments

Have you ever needed to add a custom header, such as X-Auth-Token, to a Nikto scan for authentication or otherwise? I have, and found that it was surprisingly not a trivial thing to do. Scouring around the net I found that people have been asking for this since 2012. Chris Sullo, who wrote Nikto, mentioned it wasn’t currently possible back in August, 2012 and there has been a lonely enhancement in the GitHub backlog since November of the same year.

I would agree that it is not too often that a header outside of Cookies is required to interact with a web server in a meaningful manner, however when you do need a custom header it usually an all-or-nothing proposition. In my case I needed to add a X-Auth-Token header to authenticate to the service, otherwise it would not talk to me and would only respond with 500 errors.

I would like to quote one of my favorite childhood sitcoms and a internet punching bag at the same time to explain how to overcome this. “Don’t fret, my pet”, “we’ll do it live”! If Nikto doesn’t have the functionality built in, lets modify the traffic prior to sending it off to the web server. I used Portswigger’s Burp Suite to accomplish this, but any intercepting proxy should have the chops to modify requests on the fly.

We need to direct Nikto to send its traffic through our proxy. Also, we need an already present header to modify on the fly. We will  use the User Agent header which is set to “Nikto” by default, I set it here explicitly for clarity.

nikto.pl -host <hostaddress> -port <hostport> –useragent nikto –useproxy http://127.0.0.1:8080

In Burp Suite, we need to add an intercepting rule. Go to Proxy > Options and scroll to “Match and Replace” and click the “Add” button.

Specify the “Type” as “Request header”, and the “Match” value to hit on your User Agent string, in my case “User-Agent: nikto.*$. Finally, specify the Replace value with your customer header value. If you need to support both User-Agent and your custom header I would suggest to attempt to inject both headers with a carriage-return line-feed character (\r\n) in between, however I have not tested this. Make sure you click the checkbox to enable the rule!

That’s it! Launch your Nikto scan, and inspect the modified traffic in the history tab to make sure your match and replace is working properly.

As I was writing this post, I came across a carnal0wnage post describing this technique to evade detection by IDS/IPS/WAFs which is good practice and something to keep in mind if you think your traffic is being blocked.