[Nikto-discuss] Questions on Nikto Scanning on Injection
resident.deity at gmail.com
Mon Jul 27 12:18:48 UTC 2009
> Is Nikto capable of scanning XSS on user created web application?
No, Nikto was not designed to do user application scanning - it scans
the webserver and known bugs in common applications (e.g. XSS, SQL
injection, information disclosure).
It is feasible that Nikto could be extended to do this, but it's a lot
of work, and there are several good products out there that will do
this testing already (e.g. Paros Proxy or sqlmap).
> If yes, is there aything wrong with my Nikto scanning options so that Nikto
> cannot find out this (I aslo perform a default scanning, but nothing about
> XSS was shown)?
The tuning (-T) option is used to filter down what nikto tests - so if
you run the default tests you'll always run the XSS tests, but, these
are or common applications only.
> If not, what exactly the meaning of "Injection (XSS/Script/HTML). Any manner
> of injection, including cross site scripting (XSS) or content (HTML)" from
> the manual?
As above this tests for known XSS vulnerabilities in common
applications, for example, in Oracle application server.
Hope that helps
More information about the Nikto-discuss