[Nikto-discuss] Questions on Nikto Scanning on Injection

david lodge resident.deity at gmail.com
Mon Jul 27 12:18:48 UTC 2009

> Is Nikto capable of scanning XSS on user created web application?

No, Nikto was not designed to do user application scanning - it scans
the webserver and known bugs in common applications (e.g. XSS, SQL
injection, information disclosure).

It is feasible that Nikto could be extended to do this, but it's a lot
of work, and there are several good products out there that will do
this testing already (e.g. Paros Proxy or sqlmap).

> If yes, is there aything wrong with my Nikto scanning options so that Nikto
> cannot find out this (I aslo perform a default scanning, but nothing about
> XSS was shown)?

The tuning (-T) option is used to filter down what nikto tests - so if
you run the default tests you'll always run the XSS tests, but, these
are or common applications only.

> If not, what exactly the meaning of "Injection (XSS/Script/HTML). Any manner
> of injection, including cross site scripting (XSS) or content (HTML)" from
> the manual?

As above this tests for known XSS vulnerabilities in common
applications, for example, in Oracle application server.

Hope that helps


More information about the Nikto-discuss mailing list