What Are the Top Vulnerabilities Detected by Nikto?
Every day, millions of websites run quietly in the background, serving content, processing payments, and storing user data. Most look secure from the outside. But under the surface, small missteps in server setup can open doors to hackers. And one free tool has been catching these mistakes for over two decades: Nikto. Nikto doesn’t guess. It doesn’t rely on AI or fancy dashboards. It simply asks the web server questions, then listens carefully to the answers. And in those answers, it often finds red flags that even experienced admins miss. In this detailed guide, we’ll walk through the top 10 vulnerabilities Nikto detects most often, explain what they mean in plain English, show real-world examples, and tell you exactly how to fix them. Whether you’re a website owner, developer, or just curious about security, this post will help you understand what Nikto sees, and why it matters in 2025.
Table of Contents
- How Nikto Finds Vulnerabilities
- 1. Outdated Web Server Software
- 2. Exposed Sensitive Files (phpinfo.php, .env, etc.)
- 3. Directory Indexing Enabled
- 4. Default or Test Pages Left Online
- 5. Misconfigured HTTP Headers
- 6. Unnecessary HTTP Methods Allowed (PUT, DELETE)
- 7. Exposed Version Control Folders (.git, .svn)
- 8. Known Vulnerable CGI Scripts
- 9. Weak SSL/TLS Configurations
- 10. Server Banner Information Leak
- Top 10 Vulnerabilities: Summary Table
- Prevention Tips for Each Vulnerability
- Conclusion: Stay Ahead with Nikto
How Nikto Finds Vulnerabilities
Nikto works like a curious inspector. It sends hundreds of harmless HTTP requests to a web server and studies the responses. It looks at:
- HTTP headers (like a server’s ID card)
- File and folder names
- Error messages
- SSL certificate details
- Allowed actions (like uploading files)
It compares what it sees against a massive database of known issues. If something matches a risky pattern, Nikto raises a flag. No login needed. No code execution. Just smart observation.
1. Outdated Web Server Software
What it is: The web server (Apache, Nginx, IIS) is running an old version no longer supported by the vendor.
Why it’s dangerous: Old versions have known security bugs. Hackers search for them using tools like Shodan or Google. A single unpatched flaw can lead to full server takeover.
Nikto says:+ Server: Apache/2.2.22 (Debian)+ Apache 2.2.22 appears to be outdated (current is at least 2.4.57)
How to fix: Update to the latest stable version. On Ubuntu: sudo apt update && sudo apt upgrade apache2
2. Exposed Sensitive Files (phpinfo.php, .env, etc.)
What it is: Files that reveal internal server details are publicly accessible.
Common culprits:
phpinfo.php– Shows PHP settings, paths, and versions.env– Contains database passwords and API keysconfig.php.bak– Backup files with credentials
Nikto says:+ /phpinfo.php: PHP info leak (shows version, config, paths)
How to fix: Delete or protect these files. Never leave phpinfo.php on production.
3. Directory Indexing Enabled
What it is: Visitors can see a list of all files in a folder if no index.html exists.
Nikto says:+ /images/: Directory indexing found.
Why it’s bad: Attackers can download backups, scripts, or config files.
How to fix (Apache): Add Options -Indexes to .htaccess or server config.
4. Default or Test Pages Left Online
What it is: Installation pages from Apache, Tomcat, or PHP are still accessible.
Examples:
/server-status/test.php/phpMyAdmin/setup/
Nikto says:+ /test.php: Test page found. Remove in production.
How to fix: Delete test files. Restrict admin tools with IP whitelisting.
5. Misconfigured HTTP Headers
What it is: Missing security headers that protect against attacks like clickjacking or XSS.
Important headers:
X-Frame-OptionsContent-Security-PolicyX-Content-Type-Options
Nikto says:+ The anti-clickjacking X-Frame-Options header is not present.
How to fix: Add headers in server config or via .htaccess.
6. Unnecessary HTTP Methods Allowed (PUT, DELETE)
What it is: The server allows file uploads or deletions via HTTP methods beyond GET and POST.
Nikto says:+ Allowed HTTP methods: GET, POST, PUT, DELETE+ PUT may allow file uploads. Test with caution.
Why it’s risky: Attackers can upload malicious webshells.
How to fix: Limit to GET, POST, HEAD in Apache/Nginx config.
7. Exposed Version Control Folders (.git, .svn)
What it is: Source code repositories are accessible online.
Critical risk: Attackers can download your entire codebase, including secrets.
Nikto says:+ /.git/: Git repository exposed. Huge risk.
How to fix: Never deploy with .git. Use git archive or CI/CD pipelines.
8. Known Vulnerable CGI Scripts
What it is: Old Perl or shell scripts with published exploits.
Examples:
/cgi-bin/admin.pl/cgi-bin/test-cgi
Nikto says:+ OSVDB-877: /cgi-bin/test-cgi potentially vulnerable to shell injection
How to fix: Remove unused CGI scripts. Audit active ones.
9. Weak SSL/TLS Configurations
What it is: Outdated encryption protocols or ciphers are in use.
Nikto says:+ SSL: Server supports weak cipher (RC4)+ SSL: TLSv1.0 enabled (deprecated)
How to fix: Disable SSLv3, TLS 1.0/1.1. Use only TLS 1.2+ with strong ciphers.
10. Server Banner Information Leak
What it is: The server reveals its exact software and version in headers.
Nikto says:+ Server: Apache/2.4.41 (Ubuntu)+ Server leaks exact version. Hide with ServerTokens Prod
How to fix (Apache): Add ServerTokens Prod and ServerSignature Off to config.
Top 10 Vulnerabilities: Summary Table
| Rank | Vulnerability | Risk Level | Nikto Message Example | Fix |
|---|---|---|---|---|
| 1 | Outdated Server | High | Apache 2.2.22 appears outdated | Update to latest version |
| 2 | Exposed Sensitive Files | Critical | /phpinfo.php: PHP info leak | Delete or restrict access |
| 3 | Directory Indexing | Medium | /uploads/: Directory indexing found | Disable with Options -Indexes |
| 4 | Default/Test Pages | Medium | /test.php: Test page found | Remove all test files |
| 5 | Missing Security Headers | Medium | X-Frame-Options header missing | Add via server config |
| 6 | Unnecessary HTTP Methods | High | PUT, DELETE allowed | Limit to GET, POST |
| 7 | Exposed .git/.svn | Critical | /.git/: Repository exposed | Never deploy with VCS |
| 8 | Vulnerable CGI Scripts | High | OSVDB-877: test-cgi vulnerable | Remove or update |
| 9 | Weak SSL/TLS | Medium | TLSv1.0 enabled | Use TLS 1.2+ |
| 10 | Server Banner Leak | Low | Server: Apache/2.4.41 | Set ServerTokens Prod |
Prevention Tips for Each Vulnerability
- Keep software updated: Use package managers or auto-updates.
- Delete test files: Before going live, remove
phpinfo.php,test/, etc. - Disable directory listing: Always set
Options -Indexes. - Use CI/CD: Never deploy with
.gitor.env. - Apply security headers: Use tools like securityheaders.com.
- Run Nikto regularly: Schedule weekly scans.
- Review logs: Watch for suspicious file access.
Conclusion: Stay Ahead with Nikto
Nikto doesn’t find every vulnerability. It doesn’t break into your site or steal data. But what it does find, attackers find too. And they act fast.
The top vulnerabilities Nikto detects aren’t complex zero-days. They’re simple mistakes: an old server version, a forgotten test file, a misconfigured header. Yet these same mistakes appear in millions of breach reports every year.
The fix? Run Nikto. Fix what it finds. Run it again. Security isn’t a one-time event. It’s a habit.
Start today. Scan your server. Close the doors before someone walks in.
What does Nikto actually do?
Nikto sends HTTP requests to a web server and checks responses for signs of misconfiguration or known risks.
Is Nikto safe to run on my site?
Yes. It only reads. It does not modify or exploit anything.
Can Nikto find hacked websites?
Not directly. But it can spot signs like webshells or defaced default pages.
Does Nikto work on WordPress sites?
Yes. It checks the server, not the CMS. But pair it with WPScan for full coverage.
Why does Nikto flag my server version?
Exact versions help attackers find known exploits. Hide them when possible.
Should I delete phpinfo.php?
Yes. Never leave it on a live server. It leaks too much information.
Can Nikto scan password-protected sites?
Yes. Use -id user:pass for basic authentication.
Is directory indexing really dangerous?
Yes. It lets attackers browse and download sensitive files.
Does Nikto detect SQL injection?
No. It flags vulnerable scripts, but doesn’t test injection.
Can I trust all Nikto warnings?
Not blindly. Some are false positives. Always verify manually.
How often should I run Nikto?
Weekly at minimum. After every server change, run it again.
Does Nikto work on Nginx?
Yes. It detects Nginx version leaks, misconfigs, and exposed files.
Can Nikto scan localhost?
Yes: nikto -h http://127.0.0.1
Is .git folder exposure really that bad?
Yes. Attackers can download your entire source code, including secrets.
Does Nikto support HTTPS?
Yes. Just use https://yoursite.com in the command.
Can I automate Nikto scans?
Yes. Use cron, GitHub Actions, or monitoring tools.
Where are Nikto’s vulnerability checks stored?
In databases/ folder. Updated with nikto -update.
Is Nikto part of OWASP?
Yes. It’s an official OWASP project.
Can Nikto detect DDoS risks?
No. It focuses on configuration and file exposure.
Where can I download Nikto?
From GitHub: https://github.com/sullo/nikto
What's Your Reaction?
