Nikto

Category: DAST
License: Free (Open-Source)
Suphi Cankurt
AppSec Enthusiast
Updated February 21, 2026
4 min read
Key Takeaways
  • Runs 7,000+ checks for dangerous files, outdated software, and server misconfigurations against web servers—not a full application scanner.
  • Free under GPL v3 with 10,000+ GitHub stars; pre-installed on Kali Linux, available via apt, Homebrew, and Docker (ghcr.io/sullo/nikto).
  • Outputs to 6 formats (HTML, XML, JSON, CSV, NBE, Text) with 13 tuning categories and 8 WAF evasion techniques.
  • Does not crawl applications, authenticate to forms, or execute JavaScript; use as a reconnaissance pass before deeper DAST tools like ZAP or Burp Suite.

Nikto is an open-source web server scanner that checks for 7,000+ potentially dangerous files, outdated software, and server misconfigurations. It does not test application logic. It tests server configuration.

Written in Perl by Chris Sullo, Nikto has been around since 2001. It has 10,000+ GitHub stars, 1,400+ forks, and 58 contributors. The latest stable release is v2.6.0 (February 2026). Licensed under GPL v3 for code.

| Feature | Details |
| --- | --- |
| Language | Perl |
| License | GPL v3 (code), separate for database |
| Checks | 7,000+ |
| Protocols | HTTP, HTTPS |
| Output formats | HTML, XML, JSON, CSV, NBE (Nessus), Text |
| Authentication | HTTP Basic, cookies |
| Evasion modes | 8 techniques |
| Tuning categories | 13 test types |
| Docker image | ghcr.io/sullo/nikto |
| Included in | Kali Linux, Parrot OS |

What is Nikto?

Nikto is a command-line scanner that sends a web server thousands of requests looking for known problems: default install files (/phpinfo.php, /admin/), backup files (.bak, .old), outdated server software, weak SSL configurations, and insecure HTTP methods.

It is not a full DAST tool. It does not crawl applications, authenticate to login forms, execute JavaScript, or test business logic. Think of it as a quick reconnaissance pass before running ZAP, Burp Suite, or template-based scanners like Nuclei.

Nikto ships with Kali Linux and other security-focused distributions. Its check database gets community updates covering Apache, Nginx, IIS, and dozens of other web servers. The Center for Internet Security (CIS) Benchmarks recommend checking for default files, unnecessary services, and server misconfigurations — areas where Nikto’s automated checks are particularly effective.

What Nikto Does Not Do
Nikto does not authenticate to applications, render JavaScript, or test custom functionality. It checks the server, not the app. For authenticated application scanning, use a full DAST tool alongside Nikto.

Key Features

7,000+ Server Checks
Tests for default files, backup files, vulnerable CGI scripts, server version-specific CVEs, insecure HTTP methods (PUT, DELETE, TRACE), and directory indexing.
SSL/TLS Assessment
Checks for expired or self-signed certificates, weak cipher suites, outdated protocol versions (SSLv2, SSLv3, TLS 1.0), missing HSTS headers, and certificate chain issues.
Plugin Architecture
Modular design with 7 hook phases (init, start, recon, scan, prefetch, postfetch, report). Write custom plugins for organization-specific checks. Ships with plugins for Apache users, CGI scripts, cookies, headers, and outdated software.
13 Tuning Categories
Control exactly which tests run. Categories include interesting files, misconfigurations, info disclosure, XSS/injection, file retrieval, command execution, SQL injection, file upload, auth bypass, and software identification.
8 Evasion Techniques
Bypass simple WAF rules with URL encoding, directory self-references, premature URL endings, fake parameters, TAB spacers, case changes, and Windows directory separators.
6 Output Formats
HTML for human review, XML for tool integration, JSON for scripting, CSV for spreadsheets, NBE for Nessus import, plain text for quick checks.
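To make the server-layer checks above concrete, here is an added example (not Nikto's own code, and not from this page's author) that evaluates a set of HTTP response headers the way a hardening review would: risky methods advertised in Allow, a missing or weak Strict-Transport-Security header, and version numbers leaking through Server or X-Powered-By. The two header sets are constructed sample input; the one-year HSTS minimum is an assumption used only for this check.

```python
"""Added example (not Nikto's code): evaluate HTTP response headers against
the server-hardening checks described above. Both header sets are constructed
sample input, not captured from a real server."""
import re

# Constructed sample: what a poorly hardened server might return.
WEAK_HEADERS = {
    "Server": "Apache/2.2.15 (CentOS)",
    "Allow": "GET, HEAD, POST, OPTIONS, TRACE, PUT, DELETE",
    "X-Powered-By": "PHP/5.3.3",
}

# Constructed sample: a hardened response over HTTPS.
HARDENED_HEADERS = {
    "Server": "Apache",
    "Allow": "GET, HEAD, POST, OPTIONS",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# HTTP methods the page lists as insecure when enabled on a production server.
RISKY_METHODS = {"TRACE", "PUT", "DELETE"}
# One year; assumed here as the minimum acceptable HSTS max-age.
MIN_HSTS_MAX_AGE = 31536000


def _get(headers, name):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_methods(headers):
    """Return the risky methods advertised in the Allow header (sorted list)."""
    allow = _get(headers, "Allow") or ""
    methods = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return sorted(methods & RISKY_METHODS)


def check_hsts(headers, https=True):
    """Return HSTS findings. Only meaningful for HTTPS responses, because
    browsers ignore Strict-Transport-Security received over plain HTTP."""
    if not https:
        return []
    value = _get(headers, "Strict-Transport-Security")
    if value is None:
        return ["missing Strict-Transport-Security header"]
    findings = []
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not match:
        findings.append("HSTS header has no max-age directive")
    elif int(match.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {match.group(1)} is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings


def check_version_disclosure(headers):
    """Return header names whose value contains a software version number."""
    leaky = []
    for name in ("Server", "X-Powered-By"):
        value = _get(headers, name) or ""
        if re.search(r"\d+\.\d+", value):
            leaky.append(name)
    return leaky


def assess(headers, https=True):
    """Combine the checks into one list of human-readable findings."""
    findings = [f"insecure method enabled: {m}" for m in check_methods(headers)]
    findings += check_hsts(headers, https)
    findings += [f"version disclosed in {h} header" for h in check_version_disclosure(headers)]
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label)
        for finding in assess(hdrs) or ["no findings"]:
            print("  -", finding)
```

Run it as a script to see both header sets assessed; the weak set yields six findings (three methods, the missing HSTS header, two version leaks) and the hardened set none. Nikto performs these checks over the network against a live server; this version works on headers you already hold, which is useful for verifying a configuration change before the next scheduled scan.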

Installation

Nikto requires Perl with Net::SSLeay, IO::Socket::SSL, and LWP::UserAgent modules.

# Kali Linux / Debian (pre-installed on Kali)
sudo apt update && sudo apt install nikto

# macOS
brew install nikto

# Docker
docker pull ghcr.io/sullo/nikto:latest
docker run --rm ghcr.io/sullo/nikto:latest -h https://target.example.com

# From source
git clone https://github.com/sullo/nikto.git
cd nikto/program
perl nikto.pl -h

Usage

Basic scans

# Scan a single host
nikto -h https://example.com

# Scan specific ports
nikto -h example.com -p 80,443,8080

# Save results as HTML
nikto -h example.com -o report.html -Format html

# Save as JSON
nikto -h example.com -o report.json -Format json

Tuning scans

# Only check for misconfigurations and info disclosure
nikto -h example.com -Tuning 23

# Tuning options:
# 1 - Interesting files    2 - Misconfigurations
# 3 - Info disclosure      4 - XSS/injection
# 5 - File retrieval (web root)  6 - DoS
# 7 - File retrieval (server)    8 - Command execution
# 9 - SQL injection        0 - File upload
# a - Auth bypass           b - Software ID
# c - Remote source inclusion
# x - Reverse (exclude these tests)

Proxy and authentication

# Through a proxy
nikto -h example.com -useproxy http://proxy:8080

# HTTP Basic auth
nikto -h example.com -id admin:password

# Cookies are configured in nikto.conf using STATIC-COOKIE
# Example nikto.conf entry: STATIC-COOKIE=session=abc123
nikto -h https://example.com

Pair with Nmap
Use Nmap for port discovery, then feed results to Nikto. This catches web servers running on non-standard ports that a direct Nikto scan would miss.
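The Nmap-to-Nikto handoff described in the callout, as an added example that is neither Nikto's nor Nmap's own code: it parses Nmap's greppable output (-oG), keeps only open TCP ports whose service name looks like a web server, and emits one Nikto command per host and port, adding Nikto's -ssl flag where Nmap reports TLS. The scan output is a constructed sample, and the "http in service name" rule is a heuristic assumed here.

```python
"""Added example (not Nikto's or Nmap's code): turn nmap -oG output into
per-host, per-port Nikto command lines so that web servers on non-standard
ports are not missed. SAMPLE_NMAP_OG is constructed sample input."""
import shlex

# Constructed sample of nmap -oG output for two hosts (not a real scan).
SAMPLE_NMAP_OG = """\
# Nmap 7.94 scan initiated as: nmap -p- -sV -oG - 192.0.2.0/28
Host: 192.0.2.10 (web.example.test)\tStatus: Up
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//ssl|https///, 8443/open/tcp//ssl|https-alt///\tIgnored State: closed (65531)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 3306/open/tcp//mysql///, 8080/open/tcp//http-proxy///, 9090/closed/tcp//zeus-admin///\tIgnored State: closed (65532)
# Nmap done -- 16 IP addresses (2 hosts up) scanned
"""


def parse_greppable(text):
    """Return (host, port, service) for every open TCP port in -oG output.
    Each port entry has the form port/state/proto/owner/service/rpc/version/."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        # Fields are tab-separated "Name: value" pairs.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # IP address; the hostname is in parentheses
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) < 5:
                continue
            port, state, proto, service = parts[0], parts[1], parts[2], parts[4]
            if state == "open" and proto == "tcp":
                results.append((host, int(port), service))
    return results


def is_web_service(service):
    """Heuristic (assumption): nmap labels web servers http, https,
    http-proxy, ssl|https and similar, so match on 'http'."""
    return "http" in service.lower()


def nikto_commands(text, extra_args=("-Tuning", "123")):
    """Build one Nikto command per open web port. -ssl forces TLS on that port;
    extra_args defaults to the tuning set used elsewhere on this page."""
    commands = []
    for host, port, service in parse_greppable(text):
        if not is_web_service(service):
            continue
        cmd = ["nikto", "-h", host, "-p", str(port), *extra_args]
        if "ssl" in service.lower() or "https" in service.lower():
            cmd.append("-ssl")
        commands.append(shlex.join(cmd))
    return commands


if __name__ == "__main__":
    # Print the commands rather than executing them, so the list can be reviewed
    # and scoped before any scan runs.
    for command in nikto_commands(SAMPLE_NMAP_OG):
        print(command)
```

For the sample, the script produces four commands (ports 80, 443 and 8443 on the first host, 8080 on the second) and skips SSH, MySQL and the closed port. Feed real output with `nmap -p- -sV -oG scan.gnmap <your hosts>` and read that file instead of SAMPLE_NMAP_OG.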

Getting started

1. Install Nikto: use apt on Debian/Kali, brew on macOS, or pull the Docker image ghcr.io/sullo/nikto. Perl 5 with SSL modules is required for source installs.
2. Run a basic scan: nikto -h https://your-target.com runs all 7,000+ checks against the target. It takes a few minutes depending on server response time.
3. Tune your scan: use -Tuning flags to focus on specific check categories. -Tuning 123 covers interesting files, misconfigurations, and info disclosure without the noisier tests.
4. Export results: add -o report.html -Format html for a readable report, or -Format json for programmatic processing.

CI/CD integration

# GitHub Actions example
name: Web Server Security Scan
on:
  schedule:
    - cron: '0 2 * * 1'  # Weekly Monday 2am

jobs:
  nikto-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Install Nikto
        run: sudo apt-get update && sudo apt-get install -y nikto

      - name: Run Nikto scan
        run: |
          nikto -h ${{ vars.TARGET_URL }} \
            -o nikto-report.html \
            -Format html \
            -Tuning 123
        continue-on-error: true

      - name: Upload report
        uses: actions/upload-artifact@v4
        with:
          name: nikto-security-report
          path: nikto-report.html

# GitLab CI example
nikto-scan:
  stage: security
  image: ghcr.io/sullo/nikto:latest
  script:
    - nikto -h $TARGET_URL -o nikto-report.html -Format html
  artifacts:
    paths:
      - nikto-report.html
    expire_in: 1 week
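Both pipelines above only archive the report; the FAQ also mentions parsing the output for critical findings. The following added example (not Nikto's code and not from this page's author) does that for a JSON report: it flattens the findings, applies a keyword policy, and returns a non-zero exit code when a blocking finding is present. Nikto findings carry no severity field, so the blocking patterns and the accepted-ids list are a constructed policy you would tune. The report is a constructed sample, and its field names (host, port, vulnerabilities, id, method, url, msg) are assumed from Nikto's JSON plugin output; check them against a report from your own Nikto version.

```python
"""Added example (not Nikto's code): gate a CI job on a Nikto JSON report.
SAMPLE_REPORT is constructed; its field names are an assumption about
Nikto's JSON output and the check ids are sample values."""
import json
import re
import sys

SAMPLE_REPORT = json.dumps([
    {
        "host": "staging.example.test",
        "ip": "192.0.2.20",
        "port": "443",
        "banner": "nginx",
        "vulnerabilities": [
            {"id": "999970", "method": "GET", "url": "/",
             "msg": "The anti-clickjacking X-Frame-Options header is not present."},
            {"id": "999103", "method": "TRACE", "url": "/",
             "msg": "HTTP TRACE method is active which suggests the host is vulnerable to XST"},
            {"id": "000398", "method": "GET", "url": "/backup/",
             "msg": "Directory indexing found."},
            {"id": "999966", "method": "GET", "url": "/",
             "msg": "The X-Content-Type-Options header is not set."},
        ],
    }
])

# Constructed policy: findings matching these patterns fail the build.
BLOCKING_PATTERNS = [
    re.compile(r"\bTRACE\b", re.IGNORECASE),
    re.compile(r"directory indexing", re.IGNORECASE),
    re.compile(r"\bbackup\b", re.IGNORECASE),
]
# Check ids already reviewed and accepted (constructed example value).
ACCEPTED_IDS = {"999966"}


def load_findings(report_text):
    """Flatten a report into (host, port, id, method, url, msg) tuples.
    Accepts either a list of host objects or a single host object."""
    data = json.loads(report_text)
    hosts = data if isinstance(data, list) else [data]
    findings = []
    for h in hosts:
        for v in h.get("vulnerabilities", []):
            findings.append((h.get("host"), str(h.get("port")), str(v.get("id")),
                             v.get("method", ""), v.get("url", ""), v.get("msg", "")))
    return findings


def blocking_findings(findings):
    """Return findings that match a blocking pattern and are not accepted."""
    blocking = []
    for f in findings:
        _, _, check_id, method, url, msg = f
        if check_id in ACCEPTED_IDS:
            continue
        # Match on method, URL and message together so "TRACE" as a method counts.
        haystack = f"{method} {url} {msg}"
        if any(p.search(haystack) for p in BLOCKING_PATTERNS):
            blocking.append(f)
    return blocking


def gate(report_text):
    """Return (exit_code, summary_lines); exit code 1 fails the pipeline."""
    findings = load_findings(report_text)
    blocking = blocking_findings(findings)
    lines = [f"{len(findings)} finding(s), {len(blocking)} blocking"]
    for host, port, check_id, method, url, msg in blocking:
        lines.append(f"BLOCK {host}:{port} [{check_id}] {method} {url} - {msg}")
    return (1 if blocking else 0), lines


if __name__ == "__main__":
    # Usage: python nikto_gate.py nikto-report.json (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, summary = gate(text)
    print("\n".join(summary))
    sys.exit(code)
```

To use it in the GitHub Actions workflow above, run the scan with `-o nikto-report.json -Format json` and add a step that executes the script on that file; the step fails (and so does the job) only when a finding matches your blocking policy, while the `continue-on-error` on the scan step keeps a Nikto crash or timeout from masking the report upload.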

When to use Nikto

Nikto is a first-pass reconnaissance tool. Run it to check server hardening before deeper application testing. It answers “is this web server configured safely?” in a few minutes.

Good for checking server hardening before a pentest, validating SSL/TLS configuration, and running automated weekly compliance checks.

Not the right tool if you need full application testing, authenticated scanning, JavaScript execution, API testing, or business logic validation. For those, use a dedicated DAST scanner and keep Nikto for the server layer. For other no-cost options, see free DAST tools.

Frequently Asked Questions

What is Nikto?
Nikto is an open-source web server scanner written in Perl that runs 7,000+ checks for dangerous files, outdated software, and server misconfigurations. Created by Chris Sullo, it has 10,100+ GitHub stars and 1,400+ forks. Latest stable release is v2.6.0.
Is Nikto free?
Yes. Nikto is free and open-source under the GPL v3 license for code (database files have separate licensing). It ships pre-installed on Kali Linux and can be installed via apt, Homebrew, Docker, or directly from GitHub.
What does Nikto scan for?
Nikto checks for server-level issues: default files left by installers, backup files, outdated server software, insecure HTTP methods (PUT, DELETE, TRACE), SSL/TLS weaknesses, known vulnerable CGI scripts, and directory indexing. It does not test application logic or execute JavaScript.
How does Nikto compare to ZAP or Burp Suite?
Nikto is a server-level reconnaissance tool, not a full application scanner. It cannot log into applications, follow JavaScript, or test business logic. Use Nikto for a quick first pass on server configuration, then run ZAP or Burp Suite for deeper application testing.
Can Nikto be used in CI/CD pipelines?
Yes. Nikto runs from the command line and outputs to HTML, XML, JSON, CSV, NBE, and plain text. You can run it in Docker (sullo/nikto), schedule it in GitHub Actions or GitLab CI, and parse output for critical findings.