Full Report
A seasonal Wikto version was released on the 22nd (Version 2.0.2911-20215) which has an issue with the web spider functionality. HTTPS requests are being made in plain text, and this obviously means that attempts to spider such sites will not work. A bug fix for this is available from www.sensepost.com. Thanks to Mark Murdock for the heads up.
Analysis Summary
# Tool/Technique: Wikto (Version 2.0.2911-20215 Bug)
## Overview
Wikto is an open-source web application security auditing tool primarily used for web spidering and discovering files/directories. The specific version (2.0.2911-20215) released around December 22nd has a critical bug where HTTPS requests are sent in plain text, causing web spider functionality to fail on secure sites.
## Technical Details
- Type: Tool
- Platform: Unknown (Likely Windows/Linux given it's a general web tool)
- Capabilities: Web spidering, directory/file enumeration (though broken in this variant).
- First Seen: December 2021 (implied by the version string if its date format is recent; however, the article itself is dated 2008, so the version number may instead refer to a release discussed on that date, or this may be a modern recreation of an old advisory context. For analysis purposes, the described behavior is the focus.)
## MITRE ATT&CK Mapping
Since this is a security testing tool suffering a configuration error, the primary mapping relates to reconnaissance:
- **TA0043 - Reconnaissance**
- **T1595 - Active Scanning** (Potentially relevant if the tool attempted to scan during spidering, though the primary action is site mapping/discovery)
- **T1593.001 - Web Services** (If it attempted enumeration against web services)
*Note: As this is a vulnerability **in** the tool itself, direct TTP mapping is weak unless the tool's intended function is mapped.*
## Functionality
### Core Capabilities
- Web Spidering: Intended to traverse a website structure.
- HTTP/HTTPS Request Handling: Intended to communicate with web servers.
### Advanced Features
The bug renders any feature that depends on secure sites non-functional, because HTTPS requests are sent as plain text rather than over TLS.
## Indicators of Compromise
This report describes a bug in a legitimate security tool, not malware propagation. Therefore, traditional IOCs related to criminal activity are not applicable.
- File Hashes: N/A (Specific version hash not provided)
- File Names: Wikto executable/files associated with the tool.
- Registry Keys: N/A
- Network Indicators: N/A (The *failure* mode is sending HTTPS requests in plain text, which would expose request contents on the wire, but this is a functional failure, not a C2 indicator.)
- Behavioral Indicators: Sending unencrypted (plain text) data over what should be an HTTPS channel during spidering attempts.
## Associated Threat Actors
The tool itself is publicly available and used by security professionals (pentesters, researchers). No specific threat actors are known to exploit this particular bug/version deficiency for malicious purposes other than potentially revealing unintended information during security testing or configuration misuse.
## Detection Methods
Detection focuses on identifying the tool's behavior or the misconfiguration in network traffic monitoring.
- Signature-based detection: Signatures for the Wikto binary (if known).
- Behavioral detection: Detecting unusual plain text traffic destined for port 443 (HTTPS) initiated by a known web spidering utility.
- YARA rules: N/A
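As an added example (not from the original report or from Wikto itself), the behavioral detection above can be implemented by inspecting the first client bytes of each TCP connection to port 443: a TLS session opens with a handshake record, whereas the bug described here would put a bare HTTP request line on the wire. The flow tuples, IP addresses and the User-Agent value are constructed sample data.

```python
# Added detection example: flag connections to port 443 whose first client bytes
# are a cleartext HTTP request instead of a TLS record (the behavior the report
# describes). Flow tuples and header values below are constructed sample data.
from typing import Iterable, List, Dict

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"OPTIONS ", b"PUT ",
                b"DELETE ", b"TRACE ", b"CONNECT ", b"PATCH ")

def classify_client_hello(first_bytes: bytes) -> str:
    """Classify the first bytes a client sends on a new TCP connection.
    A TLS record starts with content type 0x16 (handshake) and a 0x03xx version;
    a cleartext HTTP request starts with a method token followed by a space."""
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "other"

def _header(payload: bytes, name: bytes) -> str:
    """Return the value of one HTTP header from a cleartext request, or ''."""
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(name.lower() + b":"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return ""

def find_plaintext_on_443(flows: Iterable[tuple]) -> List[Dict[str, str]]:
    """flows: (src_ip, dst_ip, dst_port, first_client_bytes) tuples, as a flow
    collector or pcap parser would supply. Returns one alert per cleartext
    request sent to port 443, with the request line and User-Agent for triage."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport == 443 and classify_client_hello(payload) == "plaintext-http":
            alerts.append({
                "src": src, "dst": dst,
                "request_line": payload.split(b"\r\n", 1)[0].decode("ascii", "replace"),
                "user_agent": _header(payload, b"User-Agent"),
            })
    return alerts

# Constructed sample flows: a genuine TLS ClientHello start, the bug's cleartext
# request on 443, and an ordinary cleartext request on port 80 that must not alert.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("10.0.0.5", "192.0.2.10", 443,
     b"GET /admin/ HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: Wikto\r\n\r\n"),
    ("10.0.0.5", "192.0.2.10", 80,
     b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: Wikto\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in find_plaintext_on_443(SAMPLE_FLOWS):
        print(alert)
```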
## Mitigation Strategies
The primary mitigation strategy addresses the tool's operational failure.
- Prevention measures: Downloading and using the patched version of Wikto from SensePost (www.sensepost.com/research/wikto).
- Hardening recommendations: Ensure any tool used for web scanning or spidering is running the latest stable version to avoid known functional bugs, especially those affecting secure communications.
## Related Tools/Techniques
- Nikto (Often confused with Wikto, also from SensePost)
- OWASP ZAP
- Burp Suite (For similar web enumeration and spidering tasks)