Website Vulnerability Scanner
About the Website Vulnerability Scanner
Finds common vulnerabilities related to web server configuration and specific web application issues.
This is an online interface for the well-known Nikto vulnerability scanner, which can be used to find specific web vulnerabilities on your target server.
List of tests performed
Here is the complete list of tests performed by this vulnerability scanner:
- Fingerprint the web server software
- Analyze HTTP response headers for security misconfiguration
- Check the SSL/TLS certificate of the server
- Check whether the web server is running the latest version
- Check whether the detected server version is affected by known issues
- Check the HTTP methods returned by the server in response to OPTIONS
- Analyze robots.txt for interesting URLs
- Check for multiple index files
- Check whether a client access policy file exists (clientaccesspolicy.xml, crossdomain.xml) and whether it contains a wildcard entry
- Check for XSS reflected by the web server through the Expect HTTP header
- Check for sensitive files (archives, backups, certificates, key stores) using names derived from the hostname and a list of common words
- Attempt to upload and then delete a file through the PUT and DELETE HTTP methods
- Test for the Bash Shellshock vulnerability
- Discover server configuration problems such as directory listing
- Enumerate existing CGI directories
- Attempt to enumerate users directly from the web server (/~user)
- Find administrative pages
- Identify which type of web application is running
- Check for information disclosure issues
- Attempt to find interesting files and functionality
- Check for the presence of known scripts vulnerable to XSS, SQL injection, LFI, RFI and command injection
Warning: This is an active scanning tool that generates a large amount of network noise; most correctly configured IDSs will flag this scan as attack traffic. Do not use it without proper authorization from the owner of the target website.
- Target URL: This is the URL of the website that will be scanned. The tool does not follow redirects, so exactly the URL you enter is scanned. To scan only a certain directory or path, include it in the URL, for example: http://www.mycompany.com/base_directory/. All URLs must start with http:// or https://.
How it works
This interface calls Nikto on the backend to perform the scan with the proper parameters. Nikto implements multiple techniques for fingerprinting server software and for identifying server-side vulnerabilities. It uses a signature database that is updated periodically; each signature describes a specific request whose response identifies one particular vulnerability or misconfiguration.
Nikto sends a significant number of HTTP requests to the target server in order to probe each signature in the database. The request volume is noticeable in logs and to an IDS, but it is not large enough to cause a denial of service on a normally provisioned server.
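To make the signature-style checks above concrete, here is an added example (not the page's or Nikto's own code) that runs three of the listed checks over constructed input: it analyzes the headers of an OPTIONS response for security misconfiguration and version disclosure, extracts risky methods from the Allow header, and pulls interesting paths out of a robots.txt body. The sample response and robots.txt are constructed for the example, and the set of headers and methods it treats as findings is the example's own choice, not Nikto's signature list. It runs offline and performs no network requests.

```python
"""Added example: passive checks of the kind a Nikto-style scanner runs on
one HTTP response. Not the scanner's own code; sample data is constructed."""
from __future__ import annotations

# Security headers whose absence is reported, with the reason (example's choice).
SECURITY_HEADERS: dict[str, str] = {
    "strict-transport-security": "HSTS missing: TLS downgrade/stripping possible",
    "content-security-policy": "CSP missing: no mitigation for injected scripts",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: clickjacking possible",
}
# Methods that should not normally be enabled on a public web root.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}

# Constructed OPTIONS response (assumed target; version strings are made up).
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,PUT,DELETE,TRACE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed robots.txt body.
SAMPLE_ROBOTS = (
    "User-agent: *\r\n"
    "Disallow: /admin/\r\n"
    "Disallow: /backup/\r\n"
    "Allow: /public/\r\n"
)


def parse_response(raw: str) -> tuple[int, dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status, lowercase headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_headers(headers: dict[str, str], over_tls: bool = True) -> list[str]:
    """Report missing security headers and version/platform disclosure.

    HSTS is only meaningful on an https:// response, so it is skipped when
    over_tls is False; a scanner that flags it on plain HTTP is producing noise.
    """
    findings = []
    for name, message in SECURITY_HEADERS.items():
        if name == "strict-transport-security" and not over_tls:
            continue
        if name not in headers:
            findings.append(message)
    server = headers.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server banner discloses version: {server}")
    if "x-powered-by" in headers:
        findings.append(f"X-Powered-By discloses platform: {headers['x-powered-by']}")
    return findings


def check_allowed_methods(headers: dict[str, str]) -> list[str]:
    """Report risky methods advertised in the Allow header of an OPTIONS reply.

    Note: Allow is only the server's claim; a real scanner follows up with an
    actual PUT/DELETE attempt, as the test list above describes.
    """
    allow = headers.get("allow", "")
    methods = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return [f"Risky HTTP method enabled: {m}" for m in sorted(methods & RISKY_METHODS)]


def interesting_robots_paths(body: str) -> list[str]:
    """Return Disallow entries from robots.txt other than the blanket '/'."""
    paths = []
    for line in body.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key.strip().lower() == "disallow" and value and value != "/":
            paths.append(value)
    return paths


def scan(raw_options_response: str, robots_body: str, over_tls: bool = True) -> list[str]:
    """Run all three checks and return one flat list of findings."""
    _, headers, _ = parse_response(raw_options_response)
    findings = check_headers(headers, over_tls)
    findings += check_allowed_methods(headers)
    findings += [f"robots.txt hides path: {p}" for p in interesting_robots_paths(robots_body)]
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_OPTIONS_RESPONSE, SAMPLE_ROBOTS):
        print(finding)
```

Each function corresponds to one signature-style check: a fixed request (OPTIONS, GET /robots.txt) whose response is inspected for a known pattern. This is also why the page warns about noise: a full Nikto run repeats this pattern thousands of times, one request per signature.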