Conducting a security audit with Nikto

Published on 2013-01-05 by John Collins.

Introduction to Nikto

According to the Nikto website:

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers.

In this tutorial, I will show you how to install Nikto and use it to carry out a security audit of an HTTP server running your web application.


As Nikto is written in Perl, you will need to have Perl installed. On most Linux systems you will probably have Perl already installed as a dependency for something else. To check if it is installed, try:

$ perl -v

This is perl 5, version 14, subversion 3 (v5.14.3) built for x86_64-linux-thread-multi

Copyright 1987-2012, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl".  If you have access to the
Internet, point your browser at, the Perl Home Page.

As you can see, this tells us we already have Perl 5.14.3 installed. If it is not already installed on your system, try (as root):

$ yum install perl

Now you will need to download the Nikto package itself (check the version number here in case there is a newer version available):

$ wget

...and extract:

$ tar -zxvf nikto-2.1.5.tar.gz


Before you begin to use Nikto, it is a good idea to run the following command to update Nikto to the latest version:

$ perl nikto.pl -update
+ No updates required.
+ message: Please submit Nikto bugs to

To run a test scan on your local HTTP server with Nikto, use the following command:

$ perl nikto.pl -h localhost -output report.html

Nikto will now run all of its tests and send the output to the report.html file. Open that file in a web browser once the scan has finished. Below is an example of the summary section of an HTML report generated by Nikto:

At this point, you will need to spend some time studying the report from Nikto to determine if there are any items which you need to act upon (in my initial tests with the tool there were plenty of false positives but each report item still needs to be reviewed). The report will contain a test link for each item, enabling you to quickly assess the priority of each item flagged.
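The steps above (check for Perl, update Nikto, scan a host, write an HTML report) are easy to get wrong when repeated by hand, so here is the same workflow wrapped in a small POSIX shell script. This is an added example, not code from the original post or from the Nikto project. It assumes the extracted Nikto directory (containing nikto.pl) is at NIKTO_DIR, defaulting to ./nikto-2.1.5, and it goes slightly beyond the post by taking the host as a parameter, checking prerequisites first, and naming the report after the host and date so successive audits do not overwrite each other.

```shell
#!/bin/sh
# nikto_audit.sh: wrapper around the Nikto workflow described in the post.
# Added example; assumes nikto.pl lives in NIKTO_DIR (default ./nikto-2.1.5).

NIKTO_DIR="${NIKTO_DIR:-./nikto-2.1.5}"

# check_perl: succeed (exit 0) only if a perl interpreter is on PATH.
check_perl() {
    command -v perl >/dev/null 2>&1
}

# nikto_script DIR: print the path to nikto.pl inside DIR, or fail if it is missing.
nikto_script() {
    if [ -f "$1/nikto.pl" ]; then
        printf '%s\n' "$1/nikto.pl"
    else
        return 1
    fi
}

# report_name HOST DATE: build a filesystem-safe report file name, e.g.
# "nikto-localhost-2013-01-05.html". Characters outside [A-Za-z0-9._-] in the
# host (such as ':' in "host:port") are replaced with '_'.
report_name() {
    safe=$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')
    printf 'nikto-%s-%s.html' "$safe" "$2"
}

# run_audit HOST: update Nikto, scan HOST, and write an HTML report.
# Fails early, with a message, if perl or nikto.pl cannot be found.
run_audit() {
    if [ -z "$1" ]; then
        echo "usage: run_audit HOST" >&2
        return 1
    fi
    check_perl || { echo "perl is not installed (try: yum install perl)" >&2; return 1; }
    script=$(nikto_script "$NIKTO_DIR") || {
        echo "nikto.pl not found in $NIKTO_DIR (set NIKTO_DIR to the extracted Nikto directory)" >&2
        return 1
    }
    report=$(report_name "$1" "$(date +%Y-%m-%d)")

    perl "$script" -update
    perl "$script" -h "$1" -output "$report"

    echo "Report written to $report."
    echo "Review every item in it; Nikto reports need manual triage and will contain false positives."
}

# Only run the audit when executed directly as nikto_audit.sh (not when sourced).
case "$0" in
    *nikto_audit.sh) run_audit "$@" ;;
esac
```

Run it as `./nikto_audit.sh localhost` (or `NIKTO_DIR=/opt/nikto ./nikto_audit.sh localhost`), and it produces a file such as nikto-localhost-2013-01-05.html for review in a browser, exactly as in the manual steps above.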

For more detailed information about Nikto, check the manual.

Updated 2023: note that the above post was originally published in 2013, but is left here for archival purposes. I have fixed some broken links above.