[Nikto-discuss] Nikto Capabilities

raymond lukanta raymond_pluto at hotmail.com
Sun Jan 5 05:06:55 CST 2014

Hmm..
Would you please give me further explanation about "Nikto will only check for what it knows"? As far as I understand, a web application scanner is also checking what it knows (by using plugins or databases).
Thanks,
--Raymond

Date: Sun, 5 Jan 2014 09:34:59 +0000
Subject: Re: [Nikto-discuss] Nikto Capabilities
From: resident.deity at gmail.com
To: raymond_pluto at hotmail.com
CC: nikto-discuss at attrition.org

Nikto performs a set of tests for pages on the web server and the configuration of its responses. The tuning option allows the number of tests to be cut down, e.g. to known pages that have SQL injection.

Where this differs from a web application scanner is that Nikto will only check for what it knows.
To be honest, "web server scanner" is a pointless label anyway. It's a tool that should be run as part of a set of tools (e.g. nmap, sslscan, sqlmap, burp) used during a test. It's not mutually exclusive with other tools.

On 4 Jan 2014 17:00, "raymond lukanta" <raymond_pluto at hotmail.com> wrote:
I have a question about Nikto capabilities. In the Nikto description, it is said that Nikto is a web server scanner. But in the -Tuning option (http://cirt.net/nikto2-docs/options.html#id2741238), there are tests for SQL injection and XSS. Actually, it confuses me.

I need an explanation of why Nikto does the tests for SQL injection and XSS, because I think injection and XSS are web application related (CMIIW).

Thanks.
--
Raymond

_______________________________________________
Nikto-discuss mailing list
Nikto-discuss at attrition.org
https://attrition.org/mailman/listinfo/nikto-discuss