Skip to main content

Automated Vulnerability Scanning

WSTG-INFO-02, WSTG-CONF-01


Purpose and Limitations​

Automated scanners provide a fast, broad sweep that catches common, well-known vulnerabilities. They are a starting point - not a conclusion. A scanner that reports "no vulnerabilities" does not mean the application is secure. Scanners consistently miss: IDOR, business logic flaws, chained vulnerabilities, authentication weaknesses, and anything requiring contextual understanding of the application.

Use automated scanning to:

  • Quickly identify low-hanging fruit (outdated software, default configs, missing headers)
  • Confirm that obvious issues exist before investing manual effort
  • Establish a baseline of what the application exposes

Do not use automated scanning to:

  • Replace manual testing
  • Report findings without manual confirmation
  • Test against WAF-protected targets without tuning (you will get blocked)

nikto - Quick Web Server and Application Scan​

nikto is the fastest broad-coverage web scanner. It checks for thousands of known issues: outdated software, dangerous HTTP methods, default files, misconfigured headers, and common vulnerability signatures.

# Basic scan
nikto -h http://target.com

# HTTPS target
nikto -h https://target.com -ssl

# Specify port
nikto -h target.com -p 8080

# Scan multiple targets from file
nikto -h targets.txt

# Output to file
nikto -h http://target.com -o nikto-output.txt -Format txt

# Tuning - scan for specific categories only
# -T options: 0=file upload, 1=interesting files, 2=misconfig, 3=info disclosure,
# 4=injection, 5=remote file retrieval, 6=DoS (avoid), 7=remote source inclusion,
# 8=cmd execution, 9=SQL injection, a=auth bypass, b=software identification
nikto -h http://target.com -T 123489a

# Evade basic IDS (URL encoding, random case, etc.)
nikto -h http://target.com -evasion 1

# Authenticated scan with cookies
nikto -h http://target.com -cookies "session=abc123"

# Increase timeout for slow targets
nikto -h http://target.com -timeout 20

Interpreting nikto output​

nikto prefixes findings with + and flags severity by context:

  • OSVDB-xxxxx - references the Open Source Vulnerability Database
  • Server: Apache/2.4.29 - version disclosure; cross-reference for known CVEs
  • Allowed HTTP Methods: GET, POST, PUT, DELETE - dangerous methods enabled
  • Anti-CSRF token not found - forms lack CSRF protection
  • X-Frame-Options header not set - clickjacking possible
  • Cookie flags missing - session tokens without Secure/HttpOnly
caution

nikto generates obvious attack patterns. It will appear in server logs and trigger most WAFs. Do not run nikto against targets where detection is a concern.


wapiti - Crawl-Based Web Vulnerability Scanner​

wapiti crawls the application like a browser, discovers all forms and parameters, then tests each one. It covers a broader set of application-layer vulnerabilities than nikto, including SQLi, XSS, command injection, SSRF, file disclosure, and more.

# Basic crawl and scan
wapiti -u http://target.com

# Set crawl depth
wapiti -u http://target.com --depth 3

# Enable specific attack modules
# Available: backup, brute_login_form, cms, cookieflags, crlf, csrf, exec,
# file, htaccess, http_headers, ldap, log4shell, methods, nikto,
# permanentxss, redirect, shellshock, sql, ssrf, timesql, wapp,
# xss, xxe
wapiti -u http://target.com -m sql,xss,exec,file,ssrf,xxe

# Scan with authentication (cookie-based)
wapiti -u http://target.com -c "session=abc123; auth_token=xyz"

# Scan with authentication (HTTP Basic)
wapiti -u http://target.com --auth-type basic --auth-cred username:password

# Set request scope - only test URLs under a specific path
wapiti -u http://target.com/app/ --scope folder

# Output report
wapiti -u http://target.com -o /tmp/wapiti-report -f html

# Throttle requests (stealth)
wapiti -u http://target.com --delay 0.5 --max-attack-time 60

# Scan only specific forms/pages (skip crawl)
wapiti -u http://target.com/login -m sql,xss --scope page

wapiti vs nikto: When to use which​

ScenarioTool
Fast check of server-level misconfigs and known CVEsnikto
Application-layer vulnerability discovery (SQLi, XSS, SSRF)wapiti
Target has many forms and input fieldswapiti (crawl mode)
Single page with a known parameterwapiti with --scope page
Initial reconnaisance sweep before manual testingBoth
WAF-protected targetNeither - use manual testing

Interpreting Scanner Results​

Treat every scanner finding as a lead, not a confirmed vulnerability.

Triage process​

  1. Read the finding description - understand what the scanner claims to have found
  2. Replay the request manually - use curl or the browser to reproduce the exact request
  3. Confirm the vulnerability - does the response actually confirm the issue? (A SQLi finding with no data returned may be a false positive)
  4. Assess severity - what is the actual impact if this is exploitable?
  5. Document - record confirmed findings with request/response evidence

Common false positives​

Scanner FindingReality Check
"SQL injection possible"Replay with SLEEP(5) - does the response actually delay?
"XSS possible"Does the payload actually reflect in the response unescaped?
"File disclosure"Does the URL actually return sensitive file content?
"Missing security headers"Valid finding - but low severity; confirm and document
"Outdated software version"Confirm the version number is accurate; check if the CVE is actually exploitable

Targeted NSE Scripts for Web​

nmap's NSE library includes web-specific scripts useful for targeted checks beyond what nikto/wapiti cover:

# HTTP enumeration - titles, methods, headers
nmap -p 80,443 --script http-enum,http-methods,http-headers <TARGET>

# Check for Git repository exposure
nmap -p 80 --script http-git <TARGET>

# WordPress-specific enumeration
nmap -p 80 --script http-wordpress-enum <TARGET>

# SQL injection detection
nmap -p 80 --script http-sql-injection <TARGET>

# Shellshock detection
nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/test.cgi <TARGET>

# Default credentials for web apps
nmap -p 80 --script http-default-accounts <TARGET>

# Check for common web backdoors
nmap -p 80 --script http-backdoor <TARGET>