Nikto is a Perl script for testing web sites. It's useful, though there are more than a few things that are annoying about it. First is its dependence on other modules: I know, I know, I'm a grumpy old curmudgeon but I really dislike having to go track down stuff. I understand that sometimes the other modules are really, really necessary and I certainly don't expect someone to reinvent the wheel just to avoid this, but far to often it's just plain laziness - that probably doesn't apply here, I'm just grumbling in general..
Anyway, once you've satisfied its dependencies, update, and then just turn it loose on your site:
nikto.pl -update nikto.pl -host localhost -output /tmp/problems
That will display its progress on the screen as well as logging it to /tmp/problems for later review.
Nikto knows about a LOT of potential secuity problems. Unfortunately, if you have Custom 404 redirects in place, Nikto thinks you have each and every problem it knows about. It effectively tells you that early on:
+ Server does not respond with '404' for error messages (uses '301'). + This may increase false-positives.
That also confuses it terribly with TRACE, which apparently should be disabled (https://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf). But if the disable pushes it to a custom error page, Nikto thinks it's still enabled.
The obvious solution is to shut off custom error handling while testing with Nikto. That may be annoying, but the tests don't take all that long to run. Or, you can leave it as is and manually review the output, ignoring warnings due to that misunderstanding.
Got something to add? Send me email.
More Articles by Tony Lawrence © 2009-11-07 Tony Lawrence