By name: performing-web-application-scanning-with-nikto description: Nikto is an open-source web server and web application scanner that tests against over 7,000 potentially dangerous files/programs, checks for outdated versions of over 1,250 servers, and identifies ve domain: cybersecurity subdomain: vulnerability-management tags:
- vulnerability-management
- cve
- nikto
- web-scanning
- owasp
- risk version: '1.0' author: mahipal license: Apache-2.0 nist_csf:
- ID.RA-01
- ID.RA-02
- ID.IM-02
- ID.RA-06
Performing Web Application Scanning with Nikto
Overview
Nikto is an open-source web server and web application scanner that tests against over 7,000 potentially dangerous files/programs, checks for outdated versions of over 1,250 servers, and identifies version-specific problems on over 270 servers. It performs comprehensive tests including XSS, SQL injection, server misconfigurations, default credentials, and known vulnerable CGI scripts.
When to Use
- When conducting security assessments that involve performing web application scanning with nikto
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Nikto installed (Perl-based, included in Kali Linux)
- Written authorization to scan target web servers
- Network access to target web applications
- Understanding of HTTP/HTTPS protocols
Core Concepts
This section covers core concepts for performing web application scanning with nikto.
- Ensure all prerequisites are met before proceeding
- Follow the documented workflow steps in sequence
- Record results and any anomalies encountered during this phase
What Nikto Detects
- Server misconfigurations and dangerous default files
- Outdated server software versions with known CVEs
- Common CGI vulnerabilities and dangerous scripts
- Default credentials and admin pages
- HTTP methods that should be disabled (PUT, DELETE, TRACE)
- SSL/TLS misconfigurations and weak ciphers
- Missing security headers (X-Frame-Options, CSP, HSTS)
- Information disclosure through headers and error pages
Nikto vs Other Web Scanners
| Feature | Nikto | OWASP ZAP | Burp Suite | Nuclei |
|---|---|---|---|---|
| License | Open Source | Open Source | Commercial | Open Source |
| Focus | Server/Config | App Logic | Full Pentest | Template-Based |
| Speed | Fast | Medium | Slow | Very Fast |
| False Positives | Moderate | Low | Low | Low |
| Authentication | Basic | Full | Full | Template |
| Active Community | Yes | Yes | Yes | Yes |
Workflow
- Scope the task — define objectives, boundaries, and success criteria
- Gather information — collect all necessary data and context before proceeding
- Execute the core workflow — follow the domain-specific steps methodically
- Validate results — verify outputs against expected outcomes or baselines
- Document findings — record results, anomalies, and recommendations
Step 1: Basic Scanning
# Basic scan against a target
nikto -h https://target.example.com
# Scan specific port
nikto -h target.example.com -p 8443
# Scan multiple ports
nikto -h target.example.com -p 80,443,8080,8443
# Scan with SSL enforcement
nikto -h target.example.com -ssl
# Scan from a host list file
nikto -h targets.txt
Step 2: Advanced Scanning Options
# Comprehensive scan with all tuning options
nikto -h https://target.example.com \
-Tuning 123456789abcde \
-timeout 10 \
-Pause 2 \
-Display V \
-output report.html \
-Format htm
# Tuning options control test types:
# 0 - File Upload
# 1 - Interesting File / Seen in logs
# 2 - Misconfiguration / Default File
# 3 - Information Disclosure
# 4 - Injection (XSS/Script/HTML)
# 5 - Remote File Retrieval - Inside Web Root
# 6 - Denial of Service
# 7 - Remote File Retrieval - Server Wide
# 8 - Command Execution / Remote Shell
# 9 - SQL Injection
# a - Authentication Bypass
# b - Software Identification
# c - Remote Source Inclusion
# d - WebService
# e - Administrative Console
# Scan with specific tuning (XSS + SQL injection + auth bypass)
nikto -h https://target.example.com -Tuning 49a
# Scan with authentication
nikto -h https://target.example.com -id admin:password
# Scan through a proxy
nikto -h https://target.example.com -useproxy http://proxy:8080
# Scan with custom User-Agent
nikto -h https://target.example.com -useragent "Mozilla/5.0 (Security Scan)"
# Scan specific CGI directories
nikto -h https://target.example.com -Cgidirs /cgi-bin/,/scripts/
# Evasion techniques (IDS avoidance for authorized testing)
# 1-Random URI encoding, 2-Directory self-reference
# 3-Premature URL ending, 4-Prepend long random string
nikto -h https://target.example.com -evasion 1234
Step 3: Output and Reporting
# Generate multiple output formats
nikto -h https://target.example.com -output scan.csv -Format csv
nikto -h https://target.example.com -output scan.xml -Format xml
nikto -h https://target.example.com -output scan.html -Format htm
nikto -h https://target.example.com -output scan.txt -Format txt
# JSON output (newer versions)
nikto -h https://target.example.com -output scan.json -Format json
# Save to multiple formats simultaneously
nikto -h https://target.example.com \
-output scan_report \
-Format htm
Step 4: Scan Multiple Targets
# Create targets file (one per line)
cat > targets.txt << 'EOF'
https://app1.example.com
https://app2.example.com:8443
http://internal-app.corp.local
192.168.1.100:8080
EOF
# Scan all targets
nikto -h targets.txt -output multi_scan.html -Format htm
# Parallel scanning with GNU parallel
cat targets.txt | parallel -j 5 "nikto -h {} -output {/}_report.html -Format htm"
Step 5: SSL/TLS Assessment
# Comprehensive SSL scan
nikto -h https://target.example.com -ssl \
-Tuning b \
-Display V
# Check for specific SSL vulnerabilities
# Nikto checks for:
# - Expired certificates
# - Self-signed certificates
# - Weak cipher suites
# - SSLv2/SSLv3 enabled
# - BEAST, POODLE, Heartbleed indicators
# - Missing HSTS header
Step 6: Integration with Other Tools
# Pipe Nmap results into Nikto
nmap -p 80,443,8080 --open -oG - 192.168.1.0/24 | \
awk '/open/{print $2}' | \
while read host; do nikto -h "$host" -output "${host}_nikto.html" -Format htm; done
# Export to Metasploit-compatible format
nikto -h target.example.com -output msf_import.xml -Format xml
# Parse Nikto XML output with Python for custom reporting
python3 -c "
import xml.etree.ElementTree as ET
tree = ET.parse('scan.xml')
for item in tree.findall('.//item'):
print(f\"[{item.get('id')}] {item.findtext('description', '')[:100]}\")
"
Interpreting Results
Performing Web Application Scanning With Nikto Output Summary
========================================
Status: [COMPLETE / PARTIAL / BLOCKED]
Findings: [count] items
Severity: [Critical / High / Medium / Low / Info]
Evidence: [file paths or log references]
Next Steps: [recommended actions]
Severity Classification
- OSVDB/CVE References: Cross-reference with NVD for CVSS scores
- Server Information Disclosure: Version banners, technology stack
- Dangerous HTTP Methods: PUT, DELETE, TRACE enabled
- Default/Backup Files: .bak, .old, .swp, web.config.bak
- Admin Interfaces: /admin, /manager, /console exposed
- Missing Security Headers: CSP, X-Frame-Options, HSTS
Common False Positives
- Generic checks triggered by custom 404 pages
- Anti-CSRF tokens flagged as form vulnerabilities
- CDN/WAF responses misidentified as vulnerable
- Load balancer health check pages
Best Practices
- Always obtain written authorization before scanning
- Run Nikto in conjunction with application-level scanners (ZAP, Burp)
- Use -Pause flag to reduce load on production servers
- Validate findings manually before reporting
- Combine with SSL testing tools (testssl.sh, sslyze) for comprehensive coverage
- Schedule regular scans as part of continuous vulnerability management
- Keep Nikto database updated for latest vulnerability checks
- Use appropriate evasion settings only for authorized IDS testing
Common Pitfalls
- Running Nikto without authorization (legal liability)
- Treating Nikto as a complete web application scanner (it focuses on server/config issues)
- Not validating results leading to false positive reports
- Scanning too aggressively against production systems
- Ignoring SSL/TLS findings as "informational"
Related Skills
- scanning-infrastructure-with-nessus
- scanning-apis-for-security-vulnerabilities
- performing-network-vulnerability-assessment
When NOT to Use
- You don't have explicit written authorization to test
- Task is about defense/detection, not offense (use detection skills)
- You need to implement security controls (use implementing-* skills)
- Task requires compliance auditing (use auditing-* skills)
- You're investigating an incident (use incident response skills)
- Target is out of scope for your engagement
- Task is about vulnerability scanning only (use scanning tools)
Red Flags
- Performing actions without explicit written authorization from the asset owner
- Testing against production systems without a defined scope and rules of engagement
- Testing without rate limiting, potentially causing service degradation
- Storing sensitive test data (credentials, tokens) in plain text logs
- Using automated scanners blindly without reviewing results for false positives
Verification
- All steps executed successfully against a test environment before production use
- Output documented with screenshots or logs demonstrating expected behavior
- Vulnerabilities reproduced with proof-of-concept and impact analysis
- False positives filtered out through manual verification
- Fix recommendations include code-level remediation guidance