<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>So, Nikto checks the content of every files on the web server? Like code scanning?<br><br><font size="2"><span style="color:rgb(79, 129, 189);font-family:Arial, sans-serif;line-height:17px;background-color:rgb(255, 255, 255);">--</span><br style="line-height:17px;color:rgb(79, 129, 189);font-family:Arial, sans-serif;"><span style="color:rgb(79, 129, 189);font-family:Arial, sans-serif;line-height:17px;background-color:rgb(255, 255, 255);">Raymond</span></font><br><br><div>> From: robin@digininja.org<br>> Date: Sun, 5 Jan 2014 11:26:14 +0000<br>> Subject: Re: [Nikto-discuss] Nikto Capabilities<br>> To: raymond_pluto@hotmail.com<br>> CC: resident.deity@gmail.com; nikto-discuss@attrition.org<br>> <br>> On 5 January 2014 11:06, raymond lukanta <raymond_pluto@hotmail.com> wrote:<br>> > Hmm..<br>> ><br>> > Would you please give me further explanation about "Nikto will only check<br>> > for what it knows"?<br>> > As long as I understand, a web application scanner is also checking what it<br>> > knows (by using plugins or databases).<br>> <br>> Nikto uses hardcoded rules to check for things, for example it will<br>> look for the string "ABC" in file findme.php and if it finds it then<br>> it will report that vulnerability XYZ exists. This is different to a<br>> lot of scanners which do this but also do fuzzing where they will take<br>> test.php?id=1 and then try different values for the id to try to<br>> detect vulnerabilities.<br>> <br>> Therefore it can only detect things it knows about.<br>> <br>> Robin<br>> <br>> > Thanks,<br>> > --<br>> > Raymond<br>> ><br>> > ________________________________<br>> > Date: Sun, 5 Jan 2014 09:34:59 +0000<br>> > Subject: Re: [Nikto-discuss] Nikto Capabilities<br>> > From: resident.deity@gmail.com<br>> > To: raymond_pluto@hotmail.com<br>> > CC: nikto-discuss@attrition.org<br>> ><br>> ><br>> > Nikto performs a set of tests for pages on the web server and the<br>> > configuration of its responses. The tuning option allows these the number of<br>> > tests to be cut down, e.g. to known pages that have SQL injection.<br>> ><br>> > Where this differs from a web application scanner is that Nikto will only<br>> > check for what it knows.<br>> ><br>> > To be honest web server scanner is a pointless label anyway. It's a tool<br>> > that should be run as part of a set of tools (e.g. nmap, sslscan, sqlmap,<br>> > burp) used during a test. It's not mutually exclusive with other tools.<br>> ><br>> > On 4 Jan 2014 17:00, "raymond lukanta" <raymond_pluto@hotmail.com> wrote:<br>> ><br>> > I have a question about Nikto capabilities.<br>> > In the Nikto description, it is said that Nikto is a web server scanner.<br>> > But, in the -Tuning option<br>> > (http://cirt.net/nikto2-docs/options.html#id2741238), there're a test for<br>> > SQL injection and XSS. Actually, it makes me confused.<br>> ><br>> > I need explanation why Nikto do the test for SQL injection and XSS. Because<br>> > I think, injection and XSS is web application related (CMIIW).<br>> ><br>> ><br>> > Thanks.<br>> ><br>> > --<br>> > Raymond<br>> ><br>> > _______________________________________________<br>> > Nikto-discuss mailing list<br>> > Nikto-discuss@attrition.org<br>> > https://attrition.org/mailman/listinfo/nikto-discuss<br>> ><br>> ><br>> > _______________________________________________<br>> > Nikto-discuss mailing list<br>> > Nikto-discuss@attrition.org<br>> > https://attrition.org/mailman/listinfo/nikto-discuss<br>> ><br></div> </div></body>
</html>