Releases: sullo/nikto

Nikto 2.6.0

11 Feb 22:01

Nikto 2.6.0 is now available on GitHub.

This is a major release with significant internal improvements, new capabilities, and long-term architectural upgrades.

⚠️ Important Note

This release introduces format changes to JSON and XML reports that may impact existing parsers and integrations. Also, the primary branch has been set to main.

🔧 What’s New in 2.6.0

Nikto 2.6.0 includes hundreds of improvements, with highlights below:

  • ~10% faster scans through core engine optimizations
  • New Domain Specific Language (DSL) for more expressive, accurate tests
  • Rewritten JSON, XML, and SQL report plugins
  • Multiple report formats per scan (generate several outputs at once)
  • All-new cross-platform LFI testing with platform detection
  • Cookies enabled by default for more realistic scanning
  • Randomized User-Agent selection per request
  • Bulk scanner script for running multiple Nikto instances using screen
  • Legacy plugin and dead-code removal (no test coverage lost)
  • Reference cleanup (OSVDB, Securiteam, SecurityFocus removed)
  • License update: Nikto code is now GPLv3
  • New and more accurate tests added
  • Improved config loading to reduce distro-specific issues (including Kali)
  • Bash wrapper util to execute multiple scans in screen

…and many additional fixes and refinements.

Getting Started

You can start using Nikto 2.6.0 by updating an existing installation from GitHub or by downloading a release archive from the repository.

Feedback & Issues

As always, if you encounter bugs or problems, please open an issue on GitHub.

Nikto 2.5.0

03 Dec 19:00

Nikto 2.5.0 has now been promoted to release and the master branch!

Note: Breaking changes to JSON and XML output may have occurred. If you rely on these formats, please test before upgrading.

This version contains hundreds of updates over several years, including the highlights below.

  • IPv6 support (thanks to @richardleach)
  • Updated db_checks format uses multiple references
  • Hundreds of OSVDB and BID references replaced
  • Removal of some very old and false-positive prone tests
  • Decode Netscaler cookies (thanks to @canberkpolat)
  • Add -usecookies flag to send received cookies with subsequent requests
  • Add -followredirects flag to signal 3xx responses should be fetched and tested
  • Add -noslash to remove trailing slash from directories
  • Check for indexing on redirect paths
  • Alert on alt-svc header
  • Hundreds of bug fixes, test updates and enhancements, and other optimization changes

You can start using Nikto 2.5.0 by performing a git pull from the master branch, cloning the repository again, or downloading the zip file.

As always, if you encounter bugs or problems, please open an issue.
