Nikto is an open source web application scanning tool which helps cybersecurity professionals to cover such activities in an easy, fast paced and in a command line manner.
Thanks to its simplicity, it is really a piece of cake to install it and start using it in order to start getting results. Moreover, it tests the web application for different vulnerabilities like SQL Injection, XSS, misconfigurations, file upload, RCE and more.
Nevertheless, from my perspective, is not the most comprehensive tool for running web application scanning since there are other more advanced tools like Burp suite or OWASP ZAP proxy which provides more features and tuning in terms of web application scanning.
In addition, Nikto doesn’t provide too much crawling or URL brute forcing compared to the other previous two mentioned tools. It is also susceptible of flagging false positives as other dynamic testing tools could do but, at the end, it also depends on how the web application being scanned behaves.
In any case, due to its ease of use and its lightweight, I do recommend to give it a try for supporting scanning because the more information you can get from different tools, the more visibility you get regarding your system.
How to install Nikto
Let’s explore some of the ways to get this tool installed. First, we will use the official Nikto git repository to download and install it:
Using wget to download it:
$ wget https://github.com/sullo/nikto/archive/refs/heads/master.zip
$ unzip master.zip
$ cd nikto-master/program/
$ ./nikto.pl
Using git:
$ git clone --depth 1 https://github.com/sullo/nikto.git
$ unzip master.zip
$ cd nikto-master/program/
$ ./nikto.pl
Or yum can be used as well:
$ sudo yum install nikto -y
$ nikto
As you can see, it is pretty easy to install the tool and start using it
How to scan web applications with Nikto
For this explanation, the vulnerable target used for testing Nikto will be the webgoat but, to simplify the process, the docker image of webgoat will be used.
Let’s proceed to install the test bed (it needs sudo to root privileges):
$ sudo yum install -y docker
$ sudo systemctl start docker
$ sudo docker run -d -p 8080:8080 -t webgoat/webgoat-8.0:latest
After the above steps, proceed to do some tests in order to validate that everything went fine:
$ sudo docker ps
$ curl -v http://localhost:8080/WebGoat/login
As you may see in the above picture, Webgoat docker image is running correctly and responding to http on port 8080. Next, use Nikto to scan the page without any additional option and see the results:
$ ./nikto.pl -h http://localhost:8080/WebGoat/login
By default, Nikto runs with all the plugins and produces the default report format as the above picture shows. But it is possible to use different options to change the output format with “-Format” option to get a .csv file, and the “-o” option to write it in a target path:
$ ./nikto.pl -h http://localhost:8080/WebGoat/login -Format csv -o report.csv
There’s another option that could be helpful if you want to automate the web application scanning with Nikto on a CI/CD pipeline. This option is the “-maxtime” which limits the scan time in order to avoid Nikto to over extend the CI/CD process, and end with fail for at least leave the rest of the pipeline stages to run:
$ ./nikto.pl -h http://localhost:8080/WebGoat/login -maxtime 5s
In the report of the above picture, you may see the entry “ERROR: Host maximum execution time of 5 seconds reached” that tells the max time set in the command has reached and that terminates Nikto prematurely.
You may also want to target multiple URLs in a single execution. To do so, create a text file with the URLs in list and pass it to Nikto in the following way:
$ echo "http://localhost:8080/WebGoat/login" > targets.txt
$ echo "http://172.17.0.2:8080/WebGoat/login" >> targets.txt
$ ./nikto.pl -h targets.txt
The above Nikto command will perform a scan for each URL in order.
On the other hand, you can perform scan by using only the plugins you are interested to make it even faster and more efficient. This is done with the “-Tuning” option and the following command, will run Nikto to search for XSS vulnerabilities:
$ ./nikto.pl -h http://172.17.0.2:8080/WebGoat/login -Tuning 4
As you may appreciate, in this last scan the number of requests are way more lower than the default scan and it took less time to conclude.
Interpreting the Nikto report results
The Nikto default report, it’s structured in the following way:
- Nikto version
- IP, Hostname and port of the target
- SSL information and the scanning start time
- The scan findings report section and the summary of the report.
- Number of hosts tested
In the findings section, each of the items begins with “+” symbol and, depending on the plugin, there are records that has a “OSVDB” identifier that stands for Open Security Vulnerability Data Base, currently deprecated since 2016 (CVE and OSVDB mapping: https://cve.mitre.org/data/refs/refmap/source-OSVDB.html).
There could be many different OSVDB findings but, in the particular case of OSVDB-3092, which Nikto will show the message “This might be interesting…”, it could give you a hint of what could be the next URL path to target with Nikto, in order to continue to obtain more information about the web application.