[Nikto-discuss] Nikto Capabilities

Robin Wood robin at digininja.org
Sun Jan 5 05:26:14 CST 2014


On 5 January 2014 11:06, raymond lukanta <raymond_pluto at hotmail.com> wrote:
> Hmm..
>
> Would you please give me further explanation about "Nikto will only check
> for what it knows"?
> As long as I understand, a web application scanner is also checking what it
> knows (by using plugins or databases).

Nikto uses hardcoded rules to check for things, for example it will
look for the string "ABC" in file findme.php and if it finds it then
it will report that vulnerability XYZ exists. This is different to a
lot of scanners which do this but also do fuzzing where they will take
test.php?id=1 and then try different values for the id to try to
detect vulnerabilities.

Therefore it can only detect things it knows about.

Robin

> Thanks,
> --
> Raymond
>
> ________________________________
> Date: Sun, 5 Jan 2014 09:34:59 +0000
> Subject: Re: [Nikto-discuss] Nikto Capabilities
> From: resident.deity at gmail.com
> To: raymond_pluto at hotmail.com
> CC: nikto-discuss at attrition.org
>
>
> Nikto performs a set of tests for pages on the web server and the
> configuration of its responses. The tuning option allows these the number of
> tests to be cut down, e.g. to known pages that have SQL injection.
>
> Where this differs from a web application scanner is that Nikto will only
> check for what it knows.
>
> To be honest web server scanner is a pointless label anyway. It's a tool
> that should be run as part of a set of tools (e.g. nmap, sslscan, sqlmap,
> burp) used during a test. It's not mutually exclusive with other tools.
>
> On 4 Jan 2014 17:00, "raymond lukanta" <raymond_pluto at hotmail.com> wrote:
>
> I have a question about Nikto capabilities.
> In the Nikto description, it is said that Nikto is a web server scanner.
> But, in the -Tuning option
> (http://cirt.net/nikto2-docs/options.html#id2741238), there're a test for
> SQL injection and XSS. Actually, it makes me confused.
>
> I need explanation why Nikto do the test for SQL injection and XSS. Because
> I think, injection and XSS is web application related (CMIIW).
>
>
> Thanks.
>
> --
> Raymond
>
> _______________________________________________
> Nikto-discuss mailing list
> Nikto-discuss at attrition.org
> https://attrition.org/mailman/listinfo/nikto-discuss
>
>
> _______________________________________________
> Nikto-discuss mailing list
> Nikto-discuss at attrition.org
> https://attrition.org/mailman/listinfo/nikto-discuss
>


More information about the Nikto-discuss mailing list