Automated Vulnerability Scanning
WSTG-INFO-02, WSTG-CONF-01
Purpose and Limitationsβ
Automated scanners provide a fast, broad sweep that catches common, well-known vulnerabilities. They are a starting point - not a conclusion. A scanner that reports "no vulnerabilities" does not mean the application is secure. Scanners consistently miss: IDOR, business logic flaws, chained vulnerabilities, authentication weaknesses, and anything requiring contextual understanding of the application.
Use automated scanning to:
- Quickly identify low-hanging fruit (outdated software, default configs, missing headers)
- Confirm that obvious issues exist before investing manual effort
- Establish a baseline of what the application exposes
Do not use automated scanning to:
- Replace manual testing
- Report findings without manual confirmation
- Test against WAF-protected targets without tuning (you will get blocked)
nikto - Quick Web Server and Application Scanβ
nikto is the fastest broad-coverage web scanner. It checks for thousands of known issues: outdated software, dangerous HTTP methods, default files, misconfigured headers, and common vulnerability signatures.
# Basic scan
nikto -h http://target.com
# HTTPS target
nikto -h https://target.com -ssl
# Specify port
nikto -h target.com -p 8080
# Scan multiple targets from file
nikto -h targets.txt
# Output to file
nikto -h http://target.com -o nikto-output.txt -Format txt
# Tuning - scan for specific categories only
# -T options: 0=file upload, 1=interesting files, 2=misconfig, 3=info disclosure,
# 4=injection, 5=remote file retrieval, 6=DoS (avoid), 7=remote source inclusion,
# 8=cmd execution, 9=SQL injection, a=auth bypass, b=software identification
nikto -h http://target.com -T 123489a
# Evade basic IDS (URL encoding, random case, etc.)
nikto -h http://target.com -evasion 1
# Authenticated scan with cookies
nikto -h http://target.com -cookies "session=abc123"
# Increase timeout for slow targets
nikto -h http://target.com -timeout 20
Interpreting nikto outputβ
nikto prefixes findings with + and flags severity by context:
OSVDB-xxxxx- references the Open Source Vulnerability DatabaseServer: Apache/2.4.29- version disclosure; cross-reference for known CVEsAllowed HTTP Methods: GET, POST, PUT, DELETE- dangerous methods enabledAnti-CSRF token not found- forms lack CSRF protectionX-Frame-Options header not set- clickjacking possibleCookie flags missing- session tokens without Secure/HttpOnly
nikto generates obvious attack patterns. It will appear in server logs and trigger most WAFs. Do not run nikto against targets where detection is a concern.
wapiti - Crawl-Based Web Vulnerability Scannerβ
wapiti crawls the application like a browser, discovers all forms and parameters, then tests each one. It covers a broader set of application-layer vulnerabilities than nikto, including SQLi, XSS, command injection, SSRF, file disclosure, and more.
# Basic crawl and scan
wapiti -u http://target.com
# Set crawl depth
wapiti -u http://target.com --depth 3
# Enable specific attack modules
# Available: backup, brute_login_form, cms, cookieflags, crlf, csrf, exec,
# file, htaccess, http_headers, ldap, log4shell, methods, nikto,
# permanentxss, redirect, shellshock, sql, ssrf, timesql, wapp,
# xss, xxe
wapiti -u http://target.com -m sql,xss,exec,file,ssrf,xxe
# Scan with authentication (cookie-based)
wapiti -u http://target.com -c "session=abc123; auth_token=xyz"
# Scan with authentication (HTTP Basic)
wapiti -u http://target.com --auth-type basic --auth-cred username:password
# Set request scope - only test URLs under a specific path
wapiti -u http://target.com/app/ --scope folder
# Output report
wapiti -u http://target.com -o /tmp/wapiti-report -f html
# Throttle requests (stealth)
wapiti -u http://target.com --delay 0.5 --max-attack-time 60
# Scan only specific forms/pages (skip crawl)
wapiti -u http://target.com/login -m sql,xss --scope page
wapiti vs nikto: When to use whichβ
| Scenario | Tool |
|---|---|
| Fast check of server-level misconfigs and known CVEs | nikto |
| Application-layer vulnerability discovery (SQLi, XSS, SSRF) | wapiti |
| Target has many forms and input fields | wapiti (crawl mode) |
| Single page with a known parameter | wapiti with --scope page |
| Initial reconnaisance sweep before manual testing | Both |
| WAF-protected target | Neither - use manual testing |
Interpreting Scanner Resultsβ
Treat every scanner finding as a lead, not a confirmed vulnerability.
Triage processβ
- Read the finding description - understand what the scanner claims to have found
- Replay the request manually - use
curlor the browser to reproduce the exact request - Confirm the vulnerability - does the response actually confirm the issue? (A SQLi finding with no data returned may be a false positive)
- Assess severity - what is the actual impact if this is exploitable?
- Document - record confirmed findings with request/response evidence
Common false positivesβ
| Scanner Finding | Reality Check |
|---|---|
| "SQL injection possible" | Replay with SLEEP(5) - does the response actually delay? |
| "XSS possible" | Does the payload actually reflect in the response unescaped? |
| "File disclosure" | Does the URL actually return sensitive file content? |
| "Missing security headers" | Valid finding - but low severity; confirm and document |
| "Outdated software version" | Confirm the version number is accurate; check if the CVE is actually exploitable |
Targeted NSE Scripts for Webβ
nmap's NSE library includes web-specific scripts useful for targeted checks beyond what nikto/wapiti cover:
# HTTP enumeration - titles, methods, headers
nmap -p 80,443 --script http-enum,http-methods,http-headers <TARGET>
# Check for Git repository exposure
nmap -p 80 --script http-git <TARGET>
# WordPress-specific enumeration
nmap -p 80 --script http-wordpress-enum <TARGET>
# SQL injection detection
nmap -p 80 --script http-sql-injection <TARGET>
# Shellshock detection
nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/test.cgi <TARGET>
# Default credentials for web apps
nmap -p 80 --script http-default-accounts <TARGET>
# Check for common web backdoors
nmap -p 80 --script http-backdoor <TARGET>