Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version-specific problems on over 270 servers.
This release contains a number of important bug fixes, as well as new functionality and improvements, which have been added to the development branch over the last 19 months.
New features:
- Save the full response for every positive hit, in plaintext and JSON
- -maxtime: maximum execution time per host (seconds)
- -until: run until the specified time or for the specified duration
- -IgnoreCode option: treat the given HTTP response codes as negative responses from the command line (the db_404_strings @CODE mechanism)
- Replay saved JSON requests with replay.pl
- Client SSL certificate support
- Output file name now accepts '.', which auto-generates a file name
- Content parsing adds items to db_variables values for enhanced testing
- robots.txt lines are now added to db_variables values for enhanced testing
New checks:
- Check for wildcards in crossdomain.xml and clientaccesspolicy.xml
- Find IP addresses in HTTP response headers
- Check for sites parked at hosting providers or advertising pages
- Files listed in the parsed robots.txt are now checked (for content search, etc.)
- nikto_favicon.plugin checks for icons referenced in HTML tags
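The first two new checks are easy to misread as cosmetic, so here is what they look for. The following is an added example written for this page, not Nikto's own Perl code (Nikto implements these checks in its plugin database, which is not reproduced here). It re-implements the wildcard detection for both policy file formats and the dotted-quad search over response headers, and classifies each address as private or not. The policy documents and header values are constructed sample data; the element and attribute names come from the Adobe crossdomain.xml and Silverlight clientaccesspolicy.xml formats.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample policy files (not fetched from any real host).
CROSSDOMAIN_OPEN = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

CROSSDOMAIN_TIGHT = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com"/>
</cross-domain-policy>
"""

CLIENTACCESS_OPEN = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""

# Which element/attribute pairs carry the origin grant in each file type.
POLICY_GRANTS = {
    "crossdomain.xml": [("allow-access-from", "domain"),
                        ("allow-http-request-headers-from", "domain")],
    "clientaccesspolicy.xml": [("domain", "uri")],
}


def find_wildcard_grants(filename, xml_text):
    """Return [(element, attribute_value)] for every origin grant whose
    value contains a wildcard. A wildcard grant lets any Flash/Silverlight
    origin make credentialed cross-domain requests, which is why the
    scanner flags it. An unparseable document yields one
    ("parse-error", message) entry instead of raising."""
    basename = filename.rsplit("/", 1)[-1]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("parse-error", str(exc))]
    hits = []
    for tag, attr in POLICY_GRANTS[basename]:
        for element in root.iter(tag):
            value = element.get(attr, "")
            if "*" in value:
                hits.append((tag, value))
    return hits


# Four dotted octets, not glued to a longer dotted run on either side.
DOTTED_QUAD = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def find_ips_in_headers(headers):
    """Return [(header, ip, is_private)] for each IPv4 address found in a
    response header value. Version strings such as Apache/2.4.41 have
    fewer than four octets and never match; candidates like 300.1.1.1
    fail ipaddress validation and are skipped."""
    found = []
    for name, value in headers.items():
        for candidate in DOTTED_QUAD.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            found.append((name, candidate, addr.is_private))
    return found


# Constructed sample response headers: two internal addresses leak via
# a proxy hop and a redirect; the public address is there for contrast.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Via": "1.1 10.0.3.7 (squid/3.5.27)",
    "Location": "http://192.168.1.20/login",
    "X-Real-Server": "8.8.8.8",
}

if __name__ == "__main__":
    for fname, doc in [("crossdomain.xml", CROSSDOMAIN_OPEN),
                       ("crossdomain.xml", CROSSDOMAIN_TIGHT),
                       ("clientaccesspolicy.xml", CLIENTACCESS_OPEN)]:
        print(fname, find_wildcard_grants(fname, doc))
    for header, ip, private in find_ips_in_headers(SAMPLE_HEADERS):
        print(f"{header}: {ip} ({'private' if private else 'public'})")
```

Note that `ipaddress.is_private` also returns True for the RFC 5737 documentation ranges, so a scanner that wants to distinguish "internal network address" from "reserved but not routable" has to keep its own list; the example follows the stdlib classification.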
Enhancements:
- Bug fixes and minor enhancements in: XML reports, robots.txt parsing, wildcard certificate matching, banner parsing, and many more
- Default to Net::SSL instead of Net::SSLeay, because of recurring memory problems with SSLeay
- CSV reports include the same information as the other report formats
- HTML reports include more meta information