Web Vulnerability Scanner
loginNikto is a web-vulnerability scanner that fires thousands of requests per target probing for known-bad URLs and CVEs. A public, unauthenticated form for it is indistinguishable from attack tooling, so it's disabled.
This tool isn't available in the anonymous view. Sign in to access it.
Monitor this automatically
NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.
Start monitoring free → See all monitoring productsFrequently Asked Questions
What does Nikto check for?
Nikto tests web servers against a database of 6,000+ known vulnerabilities, dangerous files, and misconfigurations. It checks for: outdated server software, default credentials, exposed admin interfaces, insecure HTTP methods (PUT/DELETE), missing security headers, directory listing, backup files, and known CVEs for popular web software like Apache, nginx, IIS, and CMS platforms.
How many requests does Nikto send?
A typical Nikto scan sends thousands of HTTP requests per target — one for each item in its vulnerability database. This is why it's noisy and easily detected by IDS/WAF. It is not a stealth tool; it prioritises thoroughness over evasion. Always obtain written permission before scanning any system.
When should I use Nikto vs OWASP ZAP?
Nikto excels at finding known CVEs, dangerous files, and server misconfigurations — static, signature-based checks. OWASP ZAP is better for application-level vulnerabilities (SQL injection, XSS, CSRF) found by actively interacting with the app's logic. Use both for comprehensive coverage: Nikto for infrastructure checks, ZAP for application security.