Nikto is an open source (GPL) web scanner that eliminates routine manual work. It looks on the target site for scripts that were never removed (test.php, index_.php and the like), database administration tools (/phpmyadmin/, /pma and similar) and so on; in other words, it checks the resource for the most frequent mistakes, which usually appear due to the human factor.
In addition, if it finds a popular script, it checks it against the published exploits in its database.
It reports potentially undesirable HTTP methods, such as PUT and TRACE.
And so on. It is very convenient if you work as an auditor and analyse sites every day.

The downside of the tool is its high percentage of false positives. For example, if your site always returns 200 instead of the 404 it should return for a missing resource, the scanner will report that every script and vulnerability in its database is present on your site. In practice this is not so common, but much depends on the structure of your site.
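A quick pre-check for exactly this failure mode, added here as an example and not part of the original article or of Nikto itself: before trusting a scan, request a few paths that cannot exist and see whether the server answers them with 200. The two fake servers and the host name example.invalid are constructed stand-ins so the script runs offline; http_fetch is for a real host.

```python
import secrets
import urllib.error
import urllib.request

def http_fetch(url, timeout=5):
    """Real fetch: return (status, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "soft404-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()

def random_missing_paths(n=3):
    """Random paths that cannot exist, shaped like typical scanner probes."""
    return [f"/{secrets.token_hex(8)}{suffix}" for suffix in (".php", "/", ".bak")][:n]

def soft_404_check(base_url, fetch=http_fetch):
    """Return (catch_all, statuses). catch_all is True when every random missing
    path comes back 200: the site answers missing resources with 200, so a
    Nikto run against it will flag most of its database as present."""
    statuses = [fetch(base_url.rstrip("/") + p)[0] for p in random_missing_paths()]
    return all(s == 200 for s in statuses), statuses

# Constructed stand-ins for two servers (no network needed to run this file).
def fake_strict_server(url):
    """Only /index.php exists; everything else is a real 404."""
    return (200, b"home") if url.endswith("/index.php") else (404, b"not found")

def fake_catch_all_server(url):
    """Misconfigured rewrite rule: every path returns 200 with the home page."""
    return 200, b"home"

if __name__ == "__main__":
    for name, srv in (("strict", fake_strict_server), ("catch-all", fake_catch_all_server)):
        catch_all, statuses = soft_404_check("http://example.invalid", fetch=srv)
        print(f"{name}: statuses={statuses}, trust Nikto results: {not catch_all}")
```

If the check reports a catch-all server, fix the 404 handling (or note it in the report) before reading the scan output as a list of real findings.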
Classical use (scan a host with the -h option):

nikto -h localhost

If you need to be authenticated on the site, you can set the cookie in the nikto.conf file; the variable for the cookie is STATIC-COOKIE.


Wikto is Nikto for Windows, with some additions: 'fuzzy' logic when checking the code for errors, use of the GHDB (Google Hacking Database), collection of links and resource folders, and real-time monitoring of HTTP requests/responses. Wikto is written in C# and requires the .NET framework.

Nikto download page

Wikto download page

Penetration Testing & Information Security Specialist, Certified Ethical Hacker. Uladzislau Murashka provides information security and penetration testing services, IDS/IPS implementation and configuration, infrastructure security assessment and hardening, participates in bug bounty programs.