Performing Web Application Scanning with Nikto
Overview
Nikto is an open-source web server and web application scanner that tests against over 7,000 potentially dangerous files/programs, checks for outdated versions of over 1,250 servers, and identifies version-specific problems on over 270 servers. It performs comprehensive tests including XSS, SQL injection, server misconfigurations, default credentials, and known vulnerable CGI scripts.
Prerequisites
- Nikto installed (Perl-based, included in Kali Linux)
- Written authorization to scan target web servers
- Network access to target web applications
- Understanding of HTTP/HTTPS protocols
Core Concepts
What Nikto Detects
- Server misconfigurations and dangerous default files
- Outdated server software versions with known CVEs
- Common CGI vulnerabilities and dangerous scripts
- Default credentials and admin pages
- HTTP methods that should be disabled (PUT, DELETE, TRACE)
- SSL/TLS misconfigurations and weak ciphers
- Missing security headers (X-Frame-Options, CSP, HSTS)
- Information disclosure through headers and error pages
Nikto vs Other Web Scanners
| Feature | Nikto | OWASP ZAP | Burp Suite | Nuclei |
|---|---|---|---|---|
| License | Open Source | Open Source | Commercial | Open Source |
| Focus | Server/Config | App Logic | Full Pentest | Template-Based |
| Speed | Fast | Medium | Slow | Very Fast |
| False Positives | Moderate | Low | Low | Low |
| Authentication | Basic | Full | Full | Template |
| Active Community | Yes | Yes | Yes | Yes |
Implementation Steps
Step 1: Basic Scanning
# Basic scan against a target
nikto -h https://target.example.com
# Scan specific port
nikto -h target.example.com -p 8443
# Scan multiple ports
nikto -h target.example.com -p 80,443,8080,8443
# Scan with SSL enforcement
nikto -h target.example.com -ssl
# Scan from a host list file
nikto -h targets.txtStep 2: Advanced Scanning Options
# Comprehensive scan with all tuning options
nikto -h https://target.example.com \
-Tuning 123456789abcde \
-timeout 10 \
-Pause 2 \
-Display V \
-output report.html \
-Format htm
# Tuning options control test types:
# 0 - File Upload
# 1 - Interesting File / Seen in logs
# 2 - Misconfiguration / Default File
# 3 - Information Disclosure
# 4 - Injection (XSS/Script/HTML)
# 5 - Remote File Retrieval - Inside Web Root
# 6 - Denial of Service
# 7 - Remote File Retrieval - Server Wide
# 8 - Command Execution / Remote Shell
# 9 - SQL Injection
# a - Authentication Bypass
# b - Software Identification
# c - Remote Source Inclusion
# d - WebService
# e - Administrative Console
# Scan with specific tuning (XSS + SQL injection + auth bypass)
nikto -h https://target.example.com -Tuning 49a
# Scan with authentication
nikto -h https://target.example.com -id admin:password
# Scan through a proxy
nikto -h https://target.example.com -useproxy http://proxy:8080
# Scan with custom User-Agent
nikto -h https://target.example.com -useragent "Mozilla/5.0 (Security Scan)"
# Scan specific CGI directories
nikto -h https://target.example.com -Cgidirs /cgi-bin/,/scripts/
# Evasion techniques (IDS avoidance for authorized testing)
# 1-Random URI encoding, 2-Directory self-reference
# 3-Premature URL ending, 4-Prepend long random string
nikto -h https://target.example.com -evasion 1234Step 3: Output and Reporting
# Generate multiple output formats
nikto -h https://target.example.com -output scan.csv -Format csv
nikto -h https://target.example.com -output scan.xml -Format xml
nikto -h https://target.example.com -output scan.html -Format htm
nikto -h https://target.example.com -output scan.txt -Format txt
# JSON output (newer versions)
nikto -h https://target.example.com -output scan.json -Format json
# Save to multiple formats simultaneously
nikto -h https://target.example.com \
-output scan_report \
-Format htmStep 4: Scan Multiple Targets
# Create targets file (one per line)
cat > targets.txt << 'EOF'
https://app1.example.com
https://app2.example.com:8443
http://internal-app.corp.local
192.168.1.100:8080
EOF
# Scan all targets
nikto -h targets.txt -output multi_scan.html -Format htm
# Parallel scanning with GNU parallel
cat targets.txt | parallel -j 5 "nikto -h {} -output {/}_report.html -Format htm"Step 5: SSL/TLS Assessment
# Comprehensive SSL scan
nikto -h https://target.example.com -ssl \
-Tuning b \
-Display V
# Check for specific SSL vulnerabilities
# Nikto checks for:
# - Expired certificates
# - Self-signed certificates
# - Weak cipher suites
# - SSLv2/SSLv3 enabled
# - BEAST, POODLE, Heartbleed indicators
# - Missing HSTS headerStep 6: Integration with Other Tools
# Pipe Nmap results into Nikto
nmap -p 80,443,8080 --open -oG - 192.168.1.0/24 | \
awk '/open/{print $2}' | \
while read host; do nikto -h "$host" -output "${host}_nikto.html" -Format htm; done
# Export to Metasploit-compatible format
nikto -h target.example.com -output msf_import.xml -Format xml
# Parse Nikto XML output with Python for custom reporting
python3 -c "
import xml.etree.ElementTree as ET
tree = ET.parse('scan.xml')
for item in tree.findall('.//item'):
print(f\"[{item.get('id')}] {item.findtext('description', '')[:100]}\")
"Interpreting Results
Severity Classification
- OSVDB/CVE References: Cross-reference with NVD for CVSS scores
- Server Information Disclosure: Version banners, technology stack
- Dangerous HTTP Methods: PUT, DELETE, TRACE enabled
- Default/Backup Files: .bak, .old, .swp, web.config.bak
- Admin Interfaces: /admin, /manager, /console exposed
- Missing Security Headers: CSP, X-Frame-Options, HSTS
Common False Positives
- Generic checks triggered by custom 404 pages
- Anti-CSRF tokens flagged as form vulnerabilities
- CDN/WAF responses misidentified as vulnerable
- Load balancer health check pages
Best Practices
- Always obtain written authorization before scanning
- Run Nikto in conjunction with application-level scanners (ZAP, Burp)
- Use -Pause flag to reduce load on production servers
- Validate findings manually before reporting
- Combine with SSL testing tools (testssl.sh, sslyze) for comprehensive coverage
- Schedule regular scans as part of continuous vulnerability management
- Keep Nikto database updated for latest vulnerability checks
- Use appropriate evasion settings only for authorized IDS testing
Common Pitfalls
- Running Nikto without authorization (legal liability)
- Treating Nikto as a complete web application scanner (it focuses on server/config issues)
- Not validating results leading to false positive reports
- Scanning too aggressively against production systems
- Ignoring SSL/TLS findings as "informational"
Related Skills
- scanning-infrastructure-with-nessus
- scanning-apis-for-security-vulnerabilities
- performing-network-vulnerability-assessment
Verification Criteria
Confirm successful execution by validating:
- [ ] All prerequisite tools and access requirements are satisfied
- [ ] Each workflow step completed without errors
- [ ] Output matches expected format and contains expected data
- [ ] No security warnings or misconfigurations detected
- [ ] Results are documented and evidence is preserved for audit
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC7.1 (Monitoring), CC8.1 (Change Management)
- ISO 27001: A.12.6 (Technical Vulnerability Management)
- NIST 800-53: RA-5 (Vulnerability Scanning), SI-2 (Flaw Remediation), CM-6 (Configuration Settings)
- NIST CSF: ID.RA (Risk Assessment), PR.IP (Information Protection)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add performing-web-application-scanning-with-nikto
# Or load dynamically via MCP
grc.load_skill("performing-web-application-scanning-with-nikto")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.