[Nikto-discuss] Nikto Capabilities

raymond lukanta raymond_pluto at hotmail.com
Sun Jan 5 05:33:24 CST 2014


So, Nikto checks the content of every files on the web server? Like code scanning?

--Raymond

> From: robin at digininja.org
> Date: Sun, 5 Jan 2014 11:26:14 +0000
> Subject: Re: [Nikto-discuss] Nikto Capabilities
> To: raymond_pluto at hotmail.com
> CC: resident.deity at gmail.com; nikto-discuss at attrition.org
> 
> On 5 January 2014 11:06, raymond lukanta <raymond_pluto at hotmail.com> wrote:
> > Hmm..
> >
> > Would you please give me further explanation about "Nikto will only check
> > for what it knows"?
> > As long as I understand, a web application scanner is also checking what it
> > knows (by using plugins or databases).
> 
> Nikto uses hardcoded rules to check for things, for example it will
> look for the string "ABC" in file findme.php and if it finds it then
> it will report that vulnerability XYZ exists. This is different to a
> lot of scanners which do this but also do fuzzing where they will take
> test.php?id=1 and then try different values for the id to try to
> detect vulnerabilities.
> 
> Therefore it can only detect things it knows about.
> 
> Robin
> 
> > Thanks,
> > --
> > Raymond
> >
> > ________________________________
> > Date: Sun, 5 Jan 2014 09:34:59 +0000
> > Subject: Re: [Nikto-discuss] Nikto Capabilities
> > From: resident.deity at gmail.com
> > To: raymond_pluto at hotmail.com
> > CC: nikto-discuss at attrition.org
> >
> >
> > Nikto performs a set of tests for pages on the web server and the
> > configuration of its responses. The tuning option allows these the number of
> > tests to be cut down, e.g. to known pages that have SQL injection.
> >
> > Where this differs from a web application scanner is that Nikto will only
> > check for what it knows.
> >
> > To be honest web server scanner is a pointless label anyway. It's a tool
> > that should be run as part of a set of tools (e.g. nmap, sslscan, sqlmap,
> > burp) used during a test. It's not mutually exclusive with other tools.
> >
> > On 4 Jan 2014 17:00, "raymond lukanta" <raymond_pluto at hotmail.com> wrote:
> >
> > I have a question about Nikto capabilities.
> > In the Nikto description, it is said that Nikto is a web server scanner.
> > But, in the -Tuning option
> > (http://cirt.net/nikto2-docs/options.html#id2741238), there're a test for
> > SQL injection and XSS. Actually, it makes me confused.
> >
> > I need explanation why Nikto do the test for SQL injection and XSS. Because
> > I think, injection and XSS is web application related (CMIIW).
> >
> >
> > Thanks.
> >
> > --
> > Raymond
> >
> > _______________________________________________
> > Nikto-discuss mailing list
> > Nikto-discuss at attrition.org
> > https://attrition.org/mailman/listinfo/nikto-discuss
> >
> >
> > _______________________________________________
> > Nikto-discuss mailing list
> > Nikto-discuss at attrition.org
> > https://attrition.org/mailman/listinfo/nikto-discuss
> >
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://attrition.org/pipermail/nikto-discuss/attachments/20140105/ed39e138/attachment.html>


More information about the Nikto-discuss mailing list