[Nikto-discuss] Questions on Nikto Scanning on Injection

Tse 山下的風 tseyatnam at hotmail.com
Mon Jul 27 03:24:36 UTC 2009

Hello everyone! I am a newbie to Nikto. Please offer me some help. : )

I used Nikto to perform a scanning on Injection with command "perl nikto.pl -h -T 4 ".
Let's talk about my web application first. 

I created a textbox where user can input anything to submit the server and filtering will NOT be done on both the client and server. When I input     '   <script>alert("Hi there!")</script>    '  ,  an alert appears. That means XSS can be performed, right?
However, Nikto cannot find out the XSS in my web application.

So, I would like to ask:

Is Nikto capable of scanning XSS on user created web application?
If yes, is there aything wrong with my Nikto scanning options so that
Nikto cannot find out this (I aslo perform a default scanning, but
nothing about XSS was shown)?
If not, what exactly the meaning of "Injection (XSS/Script/HTML). Any manner of injection, including cross site scripting (XSS) or content (HTML)" from the manual?

Thank you.
收發郵件以外 -  了解更多Windows Live™卓越功能
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/nikto-discuss/attachments/20090726/4e0d46b7/attachment.html 

More information about the Nikto-discuss mailing list