
Nikto

Web Server Scanner

"Web server misconfiguration scanner — dangerous files, outdated software, and known vulnerabilities."

What it does

Nikto is one of the oldest and most reliable web vulnerability scanners. It focuses specifically on web server misconfigurations that are commonly overlooked: test files left in production, backup files containing source code, outdated server software, dangerous HTTP methods enabled, information leakage in headers and error pages.

Unlike nuclei, which is template-based, Nikto uses a comprehensive database of known bad patterns and dangerous paths, checking thousands of potential issues systematically. Three scan modes let you balance speed against coverage.

Scan options
Option     Description                                     Est. time
quick      Fast surface check — top issues only            ~5 min/host
standard   Comprehensive scan — most checks, recommended   ~10 min/host   (default)
thorough   Exhaustive check — everything, slowest          ~20 min/host
Example findings
Severity   Finding                                           Source
HIGH       HTTP PUT Method Enabled — File Upload Possible    nikto
HIGH       /phpinfo.php Exposed — Full PHP Config Leaked     nikto
MEDIUM     Apache 2.4.49 — Path Traversal CVE-2021-41773     nikto
MEDIUM     Directory Listing Enabled at /uploads/            nikto
What it finds
  • Dangerous HTTP methods enabled (PUT, DELETE, TRACE)
  • Test and backup files exposed (/test.php, /backup.zip, /.bak)
  • Default files and installations (/phpinfo.php, /server-status)
  • Outdated web server software with known CVEs
  • Information disclosure in headers and error pages
  • Insecure cookie attributes
  • Directory listing enabled
  • CGI vulnerabilities
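The finding classes above are cheap to verify on responses you already hold, which is useful when triaging a Nikto report or confirming that a hardening change took effect. The script below is an added example, not Nikto's own code: it runs offline over constructed HTTP captures (no requests are sent) and flags dangerous methods in an OPTIONS `Allow` header, autoindex pages, reachable test/default files, a version-bearing `Server` banner, and cookies missing `HttpOnly`/`Secure`. The `Response` class, the tiny path and method sets, and the severity mapping are this example's own assumptions and are far smaller than Nikto's database.

```python
# Added example: offline triage of captured HTTP responses for the
# misconfiguration classes a Nikto scan reports. Not Nikto's code; it
# sends no requests and only evaluates responses you already hold.
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumptions: illustrative sets, a tiny subset of Nikto's database, and a
# severity mapping chosen for this example rather than taken from Nikto.
DANGEROUS_METHODS = {"PUT", "DELETE", "TRACE"}
SENSITIVE_PATHS = {"/phpinfo.php", "/server-status", "/test.php", "/backup.zip"}
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass
class Response:
    """A captured HTTP response; headers kept as a list so repeats survive."""
    path: str
    status: int
    headers: list[tuple[str, str]] = field(default_factory=list)
    body: str = ""
    method: str = "GET"

    def header(self, name: str) -> Optional[str]:
        for key, value in self.headers:
            if key.lower() == name.lower():
                return value
        return None


def check_methods(resp: Response) -> list[tuple[str, str]]:
    """OPTIONS response: flag dangerous verbs advertised in the Allow header."""
    allow = resp.header("Allow")
    if resp.method != "OPTIONS" or not allow:
        return []
    enabled = {m.strip().upper() for m in allow.split(",")}
    return [("HIGH", f"dangerous HTTP method enabled: {m}")
            for m in sorted(enabled & DANGEROUS_METHODS)]


def check_directory_listing(resp: Response) -> list[tuple[str, str]]:
    """Autoindex pages (Apache, nginx) carry an 'Index of /...' title."""
    if resp.status == 200 and re.search(r"<title>\s*Index of /", resp.body, re.I):
        return [("MEDIUM", f"directory listing enabled at {resp.path}")]
    return []


def check_sensitive_path(resp: Response) -> list[tuple[str, str]]:
    """A 200 on a known test/backup/default file means it is reachable."""
    if resp.status == 200 and resp.path in SENSITIVE_PATHS:
        return [("HIGH", f"sensitive file reachable: {resp.path}")]
    return []


def check_server_banner(resp: Response) -> list[tuple[str, str]]:
    """A product/version pair in Server is the banner scanners fingerprint."""
    server = resp.header("Server")
    if server and re.search(r"/\d+\.\d+", server):
        return [("LOW", f"server version disclosed in header: {server}")]
    return []


def check_cookies(resp: Response) -> list[tuple[str, str]]:
    """Every Set-Cookie should carry HttpOnly and Secure."""
    findings = []
    for key, value in resp.headers:
        if key.lower() != "set-cookie":
            continue
        name = value.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        missing = [a for a in ("httponly", "secure") if a not in attrs]
        if missing:
            findings.append(("LOW", f"cookie {name} missing {', '.join(missing)}"))
    return findings


CHECKS = (check_methods, check_directory_listing, check_sensitive_path,
          check_server_banner, check_cookies)


def triage(responses: list[Response]) -> list[tuple[str, str]]:
    """Run every check over every response; dedupe and order by severity."""
    found = {f for resp in responses for check in CHECKS for f in check(resp)}
    return sorted(found, key=lambda f: (SEVERITY_RANK[f[0]], f[1]))


def sample_responses() -> list[Response]:
    """Constructed captures for demonstration, not real scan data."""
    return [
        Response("/", 200, [("Allow", "GET,HEAD,POST,OPTIONS,PUT,TRACE")], method="OPTIONS"),
        Response("/uploads/", 200, [], "<html><head><title>Index of /uploads</title></head>"),
        Response("/phpinfo.php", 200, [("Content-Type", "text/html")], "<h1>PHP Version 8.1</h1>"),
        Response("/", 200, [("Server", "Apache/2.4.49 (Unix)"),
                            ("Set-Cookie", "session=abc123; Path=/")]),
        Response("/backup.zip", 404, []),  # a 404 produces no finding
    ]


if __name__ == "__main__":
    for severity, message in triage(sample_responses()):
        print(f"{severity:<6} {message}")
```

Findings are deduplicated before sorting, so a version banner repeated on every response surfaces once. Each check is a small function that takes one response and returns zero or more `(severity, message)` pairs, which keeps the set easy to extend with further classes from the list above, such as header-based information disclosure.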