[Nikto-discuss] Plugins with SQLite

[David Lodge]

Quoting Frank Breedijk <FBreedijk at schubergphilis.com>:
> Using an SQL backend should be an option, not a requirement. One of  the  
> great points of nikto atm is its portability lack of  prerequisites.

> If the SQL backend option is there try to keep it as DBI generic as   
> possible. A lot of boxes already have mysql set up on them and you  may  
> find reluctance to add yet another database (YAD;) )

It looks like there is some agreement on this for managing plugins; people  
like the fact that nikto is small and standalone (just need Net::SSLeay  
and getargs long).

Other people would like it to talk to databases properly - though mainly  
this is about the results, rather than the tests. I'm particularly  
interested in this area as it highlights one of the big problems with pen  
testing tools: there are lots of useful and cool tools, but they produce a  
massive amount of false positives and don't interact very well.

So I think a roadmap forward would be to leave nikto as it is, small and  
customised for testing web apps and either abuse the XML export, or add an  
option export to allow it to send data to a flavour of database (up to the  
user). Then we can do differences etc. from a different application.

This should please the guys who like the "small nikto is good" and the  
people, like me, who want better talking 'twixt tools.

To be honest I've had this idea for ages - pen test tool reports are  
great, but I seem to spend my whole life in a spreadsheet chopping out the  
rubbish (Nessus, I'm looking at you here).

With the nikto base code, I'm just going to be tuning the database format,  
so it doesn't need extra modules, but it will use less memory and be more  
dynamic (no editing nikto_core to add a new database).

dave