
Understanding Nikto results

Some web servers are (intentionally or unintentionally) configured to respond to requests for non-existent files with an HTTP status code other than 404. This can be used to direct these requests from human users to a page with helpful information (like a sitemap), but tends to confuse security assessment tools like Nikto checking whether possibly sensitive or dangerous content can be accessed on the target server.

The Nikto plugin is able to recognize this condition in most web servers and will (in the default setting) refuse to launch Nikto under these circumstances. You can however force the Nikto plugin to launch Nikto by enabling the option Force scan even without 404s in the plugin preferences.

If you enable this option, be aware that the results of the Nikto scan are likely to contain false positives: because of the web server configuration described above, Nikto may be convinced that certain files exist on the web server even though the server simply redirected these requests to a generic page.

This is especially true for older versions of Nikto (< 2.0), but even with newer versions you may need to evaluate manually whether the threats reported by Nikto are real threats or simply the result of the web server configuration.
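The check the plugin performs before launching Nikto, as an added example that is not OpenVAS or Nikto code: a few random paths that cannot exist are requested, and any answer other than a 404 marks the server as having the configuration described above. The loopback test server, its behaviour and the probe paths are all constructed for this example.

```python
# Added example (not OpenVAS or Nikto code): checking whether a web server
# answers requests for non-existent paths with a real 404, the condition the
# Nikto plugin tests before launching a scan.
import http.client
import http.server
import secrets
import threading

class TestHandler(http.server.BaseHTTPRequestHandler):
    """Constructed server: soft_404 selects misconfigured (redirect) or strict (404)."""
    soft_404 = True

    def do_GET(self):
        if self.soft_404:
            self.send_response(302)  # generic page instead of a 404
            self.send_header("Location", "/sitemap.html")
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_error(404)

    def log_message(self, *args):
        pass  # keep the example quiet

def start_server(soft_404):
    """Bind a constructed server to a free loopback port in a background thread."""
    handler = type("Handler", (TestHandler,), {"soft_404": soft_404})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe_status(host, port, path):
    """GET one path and return its status code; redirects are not followed."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status

def server_returns_404(host, port, probes=3):
    """Request random paths that cannot exist; True only if each gets a 404."""
    for _ in range(probes):
        if probe_status(host, port, "/probe-" + secrets.token_hex(8)) != 404:
            return False
    return True

if __name__ == "__main__":
    srv = start_server(soft_404=True)
    print("server returns 404 for missing files:", server_returns_404(*srv.server_address))
```

A False result is the situation in which the plugin refuses to run Nikto unless "Force scan even without 404s" is enabled.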
