Nikto is an open-source web server scanner that performs comprehensive tests against web servers for multiple items including over 7,000 potentially dangerous files and programs.
With over 10,000 GitHub stars, 1,400 forks, and contributions from 60+ developers, Nikto remains one of the most trusted tools for web server security assessments.
What is Nikto?
Nikto is a command-line web server scanner designed for quick security assessments of web server configurations.
Written in Perl (93% of the codebase), it checks for outdated server software, dangerous files, server misconfigurations, and other issues that could expose a web server to attack.
Unlike full DAST tools that crawl applications and test business logic, Nikto focuses on server-level security.
It does not authenticate to applications, follow JavaScript, or test custom functionality.
Instead, it rapidly checks known security issues, making it ideal as a first-pass assessment tool before deeper application testing.
Nikto is included in Kali Linux and other security-focused distributions.
Its tests are updated regularly by the community, with the database containing checks for specific vulnerabilities in Apache, Nginx, IIS, and many other web servers.
Key Features
Comprehensive Server Checks
Nikto tests for over 7,000 potentially dangerous files, scripts, and server configurations:
- Default files left by installers (/phpinfo.php, /test.php, /admin/)
- Backup files that may contain sensitive information (.bak, .old, ~ suffixes)
- Known vulnerable CGI scripts and programs
- Server version-specific vulnerabilities
- Insecure HTTP methods (PUT, DELETE, TRACE)
- Directory indexing and information disclosure
SSL/TLS Assessment
Nikto examines SSL/TLS configurations to identify weaknesses:
- Expired or self-signed certificates
- Weak cipher suites
- SSL/TLS protocol versions (SSLv2, SSLv3, TLS 1.0)
- Missing security headers (HSTS, etc.)
- Certificate chain issues
Plugin Architecture
Nikto’s plugin system allows community contributions and custom checks:
- nikto_apacheusers - Checks for common Apache usernames
- nikto_cgi - Tests for vulnerable CGI scripts
- nikto_cookies - Analyzes cookie security
- nikto_headers - Examines HTTP headers for issues
- nikto_outdated - Identifies outdated software versions
Plugins live in the program/plugins directory and can be listed with -list-plugins; create custom plugins there for organization-specific requirements.
Multiple Output Formats
Generate reports in formats suitable for different workflows:
- HTML for human review
- XML for tool integration
- CSV for spreadsheet analysis
- JSON for programmatic processing
- Text for quick review
- NBE (Nessus) for import into vulnerability management
Installation
Kali Linux / Debian
Nikto is included in Kali Linux by default.
On Debian-based systems:
sudo apt update
sudo apt install nikto
macOS with Homebrew
brew install nikto
From Source
# Clone the repository
git clone https://github.com/sullo/nikto.git
cd nikto/program
# Run directly with Perl (-Help prints usage; -h is the target host, not help)
perl nikto.pl -Help
perl nikto.pl -h https://example.com
Docker
# Pull the official image
docker pull sullo/nikto
# Run a scan (the image's entrypoint is Nikto itself, so pass Nikto's own flags)
docker run --rm sullo/nikto -h https://target.example.com
# Mount a directory so the report survives the container
docker run --rm -v "$(pwd)":/tmp sullo/nikto -h https://target.example.com -o /tmp/report.json -Format json
Requirements
Nikto requires Perl. HTTP handling is done by the bundled LibWhisker library (LW2.pm in the plugins directory), so the only external modules it needs are for TLS:
- Net::SSLeay (HTTPS support)
- IO::Socket::SSL (SSL/TLS sockets)
Install missing modules via CPAN, or from distribution packages (libnet-ssleay-perl and libio-socket-ssl-perl on Debian-based systems):
cpan Net::SSLeay IO::Socket::SSL
How to Use Nikto
Basic Scan
# Scan a single host
nikto -h https://example.com
# Scan with specific port
nikto -h example.com -p 8080
# Scan multiple ports
nikto -h example.com -p 80,443,8080
Output Options
# Save results to HTML report
nikto -h example.com -o report.html -Format html
# Save as JSON for processing
nikto -h example.com -o report.json -Format json
# Multiple output formats: -Format takes a single value, so loop for several reports
for fmt in html xml json; do
  nikto -h example.com -o report.$fmt -Format $fmt
done
Tuning Scans
Control which tests Nikto runs using tuning options:
# Only run specific test categories
nikto -h example.com -Tuning 1234
# Reverse tuning: run everything except the listed categories (here, skip DoS tests)
nikto -h example.com -Tuning x6
# Tuning options:
# 1 - Interesting File / Seen in logs
# 2 - Misconfiguration / Default File
# 3 - Information Disclosure
# 4 - Injection (XSS/Script/HTML)
# 5 - Remote File Retrieval - Inside Web Root
# 6 - Denial of Service
# 7 - Remote File Retrieval - Server Wide
# 8 - Command Execution / Remote Shell
# 9 - SQL Injection
# 0 - File Upload
# a - Authentication Bypass
# b - Software Identification
# c - Remote Source Inclusion
# x - Reverse Tuning (run all tests except those listed)
# Categories 4, 6, 8 and 9 send injection, DoS and command-execution payloads;
# keep them out of scans against hosts you do not own or lack written permission to test.
Proxy and Authentication
# Use a proxy
nikto -h example.com -useproxy http://proxy:8080
# HTTP Basic authentication (id:pass or id:pass:realm); the credential ends up
# in shell history and process listings, so prefer a throwaway test account
nikto -h example.com -id admin:password
# Session cookies: Nikto has no cookie flag. Set STATIC-COOKIE in nikto.conf
# (or in a copy passed with -config) and the cookie is sent with every request:
#   STATIC-COOKIE="session"="abc123"
nikto -h example.com -config ./nikto-with-cookie.conf
Evasion Techniques
# URL encoding to bypass simple filters
nikto -h example.com -evasion 1
# Evasion modes are LibWhisker's anti-IDS encodings. They change how each request
# path is sent, so a check that depends on an exact path can be missed; compare
# against an unencoded run before trusting a "clean" result through a filter.
# Evasion options:
# 1 - Random URI encoding
# 2 - Directory self-reference (/./)
# 3 - Premature URL ending
# 4 - Prepend long random string
# 5 - Fake parameter
# 6 - TAB as request spacer
# 7 - Change the case of the URL
# 8 - Use Windows directory separator (\)
Integration
CI/CD Pipeline Integration
Run Nikto as part of automated security testing:
# GitHub Actions example
name: Web Server Security Scan
on:
  schedule:
    - cron: '0 2 * * 1'   # weekly, Monday 02:00 UTC
  workflow_dispatch:
jobs:
  nikto-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Install Nikto
        run: sudo apt-get update && sudo apt-get install -y nikto
      - name: Run Nikto scan
        # -Tuning 123: interesting files, misconfiguration/default files and
        # information disclosure only; no injection or DoS categories from CI.
        # The target comes in through env, not interpolated into the script,
        # so a hostile variable value cannot inject shell.
        env:
          TARGET_URL: ${{ vars.TARGET_URL }}
        run: |
          nikto -h "$TARGET_URL" \
            -o nikto-report.json \
            -Format json \
            -Tuning 123
        continue-on-error: true
      - name: Upload report
        uses: actions/upload-artifact@v4
        with:
          name: nikto-security-report
          path: nikto-report.json
      - name: Check for findings
        run: |
          # Count findings across all hosts in the JSON report. Assumes the
          # "vulnerabilities" array written by Nikto's JSON reporter. Current
          # Nikto no longer emits OSVDB identifiers, so grepping a report for
          # "OSVDB-" never matches and is not a usable gate.
          count=$(jq '[.. | objects | select(has("vulnerabilities")) | .vulnerabilities | length] | add // 0' nikto-report.json)
          echo "Nikto reported $count finding(s)"
          # Optional: fail the build on any unreviewed finding
          # [ "$count" -eq 0 ] || exit 1
# GitLab CI example
stages:
  - security
nikto-scan:
  stage: security
  image:
    name: sullo/nikto
    # the image's ENTRYPOINT is Nikto itself; GitLab needs a shell to run script:
    entrypoint: [""]
  script:
    # path from the official image's ENTRYPOINT (perl /nikto/nikto.pl)
    - perl /nikto/nikto.pl -h "$TARGET_URL" -o nikto-report.html -Format html
  artifacts:
    paths:
      - nikto-report.html
    expire_in: 1 week
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
    - if: $CI_PIPELINE_SOURCE == "web"
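The JSON format listed under Output Options is what makes the "check for findings" step above more than a line count. The script below is an added example for this page, not part of Nikto: it flattens a Nikto JSON report, drops findings that have been reviewed and accepted (an id plus the path it was seen on, or "*" for every path), and returns a pass/fail decision for the pipeline. It assumes the report shape Nikto's JSON reporter writes (one host object, or a list of them, each with a "vulnerabilities" list whose items carry "id", "method", "url" and "msg"); verify that against the output of the Nikto version you run. The embedded report is constructed, with placeholder ids, not real scan output.

```python
"""CI gate for a Nikto JSON report (added example; not part of Nikto).

Assumes the shape Nikto's JSON reporter writes: a host object (or a list of
them) carrying a "vulnerabilities" list whose items have "id", "method",
"url" and "msg". Check this against the output of your Nikto version.
"""
import json
import sys

# Constructed sample report in that shape; ids and messages are placeholders,
# not real Nikto test ids or real scan results.
SAMPLE_REPORT = json.dumps([{
    "host": "example.com", "ip": "203.0.113.10", "port": "443", "banner": "nginx",
    "vulnerabilities": [
        {"id": "T1", "method": "GET", "url": "/",
         "msg": "Missing X-Frame-Options header"},
        {"id": "T2", "method": "GET", "url": "/",
         "msg": "Missing X-Content-Type-Options header"},
        {"id": "T3", "method": "GET", "url": "/admin/",
         "msg": "Directory found"},
    ],
}])


def load_findings(report_text):
    """Flatten the per-host report into one list of finding dicts."""
    data = json.loads(report_text)
    hosts = data if isinstance(data, list) else [data]
    findings = []
    for host in hosts:
        for v in host.get("vulnerabilities") or []:
            findings.append({
                "host": host.get("host"), "port": str(host.get("port", "")),
                "id": str(v.get("id")), "method": v.get("method"),
                "url": v.get("url"), "msg": v.get("msg"),
            })
    return findings


def parse_suppressions(text):
    """Accepted-risk list: one "<id> <url>" per line, '#' starts a comment.
    A url of "*" suppresses that id on every path."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"bad suppression line: {raw!r}")
        entries.add((parts[0], parts[1]))
    return entries


def apply_suppressions(findings, suppressions):
    """Keep only findings whose (id, url) and (id, "*") are not accepted."""
    return [f for f in findings
            if (f["id"], f["url"]) not in suppressions
            and (f["id"], "*") not in suppressions]


def gate(report_text, suppressions, max_findings=0):
    """Return (should_fail, remaining findings) for the pipeline."""
    remaining = apply_suppressions(load_findings(report_text), suppressions)
    return len(remaining) > max_findings, remaining


if __name__ == "__main__":
    # usage: python nikto_gate.py nikto-report.json [suppressions.txt]
    with open(sys.argv[1]) as fh:
        report = fh.read()
    sup = set()
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            sup = parse_suppressions(fh.read())
    fail, remaining = gate(report, sup)
    for f in remaining:
        print(f"{f['host']}:{f['port']} {f['method']} {f['url']} [{f['id']}] {f['msg']}")
    print(f"{len(remaining)} unsuppressed finding(s)")
    sys.exit(1 if fail else 0)
```

Keep the suppression file in the repository next to the workflow so accepted risks are reviewed in pull requests like any other change, and suppress by id and path rather than by message text, which Nikto's database updates can reword.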
Combining with Other Tools
Nikto works well alongside other security tools:
# Use with ZAP for comprehensive testing
# 1. Run Nikto for server-level issues
nikto -h https://target.com -o nikto-results.xml -Format xml
# 2. Run ZAP for application-level testing
zap-cli quick-scan -s xss,sqli https://target.com
# 3. Combine results for full coverage
# Use Nmap for port discovery, then Nikto against every open port it found.
# Grepable output lists ports as <port>/<state>/<proto>//<service>///; the
# original one-liner passed only the host, so Nikto scanned port 80 alone.
nmap -p 80,443,8080,8443 --open target.com -oG - | \
  awk '/Ports:/ { ports=""; for (i=1;i<=NF;i++) if ($i ~ /\/open\/tcp/) { split($i,f,"/"); ports = ports (ports ? "," : "") f[1] } if (ports) print $2, ports }' | \
  while read -r host ports; do nikto -h "$host" -p "$ports"; done
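When the Nmap-to-Nikto hand-off runs on a schedule rather than at a shell prompt, a small parser that can be unit-tested is easier to trust than an awk one-liner. The script below is an added example for this page (not nmap's or Nikto's own code): it reads nmap's grepable output, keeps open TCP ports, and emits one Nikto argv per host with a comma-separated -p list and a JSON report per host. It assumes the -oG line format "Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>//<service>///, ..." and an output directory name of our own choosing; the embedded scan lines are constructed.

```python
"""Build per-host Nikto command lines from nmap grepable output (added
example; not nmap's or Nikto's own code).

Assumes the -oG line format
  Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>//<service>///, ...
and an output directory name of our own choosing.
"""
import re
import shlex
import sys

# Constructed -oG lines (not a real scan). Fields are tab-separated.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 (web1.example.com)\tPorts: 80/open/tcp//http///, "
    "443/open/tcp//ssl|https///, 8080/closed/tcp//http-proxy///\t"
    "Ignored State: filtered (1)\n"
    "Host: 203.0.113.11 (web2.example.com)\tPorts: 8443/open/tcp//ssl|https-alt///\n"
    "Host: 203.0.113.12 ()\tStatus: Up\n"
    "# Nmap done (constructed sample)\n"
)

# <port>/<state>/<proto>//<service>/ ; the service may be empty or "ssl|https"
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, service), ...]} for open TCP ports only."""
    targets = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # comments and hosts with no port list
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = [(int(port), svc)
                      for port, state, proto, svc in PORT_RE.findall(ports_field)
                      if state == "open" and proto == "tcp"]
        if open_ports:
            targets[host] = open_ports
    return targets


def nikto_commands(targets, out_dir="nikto-out"):
    """One Nikto argv per host. -p takes a comma-separated port list; the
    JSON report goes to <out_dir>/<host>.json for later processing."""
    cmds = []
    for host, ports in sorted(targets.items()):
        port_list = ",".join(str(p) for p, _ in ports)
        cmds.append(["nikto", "-h", host, "-p", port_list,
                     "-Format", "json", "-o", f"{out_dir}/{host}.json"])
    return cmds


def render_script(cmds):
    """Shell-quoted lines you can review before running them."""
    return "\n".join(shlex.join(c) for c in cmds)


if __name__ == "__main__":
    # usage: nmap -p 80,443,8080,8443 --open target.com -oG - | python3 nikto_targets.py
    # (with no piped input the constructed sample is used)
    text = SAMPLE_GNMAP if sys.stdin.isatty() else sys.stdin.read()
    print(render_script(nikto_commands(parse_gnmap(text))))
```

Pipe the rendered script into sh only after reading it; closed and filtered ports are dropped on purpose, so a host that shows nothing open produces no Nikto command at all.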
When to Use Nikto
Use Nikto when:
- You need a quick first-pass assessment of web server security
- Checking for common misconfigurations and dangerous defaults
- Validating server hardening before application testing
- Running automated compliance checks for known vulnerabilities
- Assessing SSL/TLS configuration
- You want a lightweight tool without complex setup
Use alongside or instead of Nikto when:
- You need full application testing (use ZAP, Burp Suite, or Nuclei)
- Testing authenticated functionality (Nikto does not log into applications)
- Scanning JavaScript-heavy SPAs (Nikto does not execute JavaScript)
- You need API security testing (use dedicated API security tools)
- Business logic testing is required
Nikto excels as a reconnaissance tool that quickly identifies server-level issues.
Pair it with a full DAST scanner for comprehensive web application security testing.
