Nikto is a very popular open source web application security scanner. I emailed the author, Chris Sullo, asking him about some of his plans, views, and other tool-related questions.

How long has Nikto been in development and how many people are actively working on it?
Although I've had patches and updates from a couple of dozen people (a few of them regularly), I've been the sole developer of Nikto since its release in December, 2001.

What are the three biggest challenges that you've faced while developing a web application security scanner from a developmental perspective?
The biggest challenge, from a technical perspective, is trying to test and fix bugs against the huge variety of web servers in the wild. Even when decent bug reports come in, if I don't have access to a Joe-Bob 1.0 server, it's hard to ensure the problem is resolved.
Time management and motivation are much bigger factors. Let's face it--open source is tough. On one hand you may have software in wide use, and on the other a lot of open source work is taken for granted by the people using it (and in some cases profiting from it)--this is the unfortunate, double-edged sword of open source!

If you could pick two things about Nikto to spend some time improving what would they be?
Perhaps not so much an improvement--rather an enhancement--but I would like to spend the time to make Nikto crawl a web site. Even without trying to recreate tools like WebInspect/Appscan/Paros, information gathered from a crawl could make scanning much more accurate and efficient.
I'd also like to revamp the plugin "architecture" (such as it is), to allow for easier writing of plugins, and automatic registration if they are dropped in the plugin directory.

What types of vulnerabilities does Nikto and other web application security scanners have difficulty finding?
Blind SQL injection testing is still pretty rough in most cases (I can't count the false-positives I've seen from automated testing tools). Also, AJAX is presenting problems for tools that don't work around the problem by having proxy capabilities.

How does Nikto's web application assessment compare to tools such as Nessus?
They are very complementary, though they do overlap in some areas. I find that in pretty much every case, it's beneficial to run both tools against a site. I understand some places have a paranoia about Nessus running against their servers, while they don't have the same fear of running Nikto--perhaps because of Nessus' broad reach and DoS attacks (though in my experience, a properly built server and a reasonably configured Nessus policy almost never cause problems).

What are your plans for enhancing Nikto's reporting capabilities?
Version 2 contains a template-driven report format, which will allow users to customize HTML reports for their own needs. There is also an experimental knowledge base which should, when fully developed, allow someone to regenerate old reports, as well as do a quick re-check of a site to see if issues have been resolved.

Besides the cost factor how does Nikto compare to a commercial scanner?
Nikto, at the moment, doesn't do any crawling of the web site or checking for flaws in custom applications--this is by far the biggest difference. They also tend to have nice GUIs and reports with pretty graphs.

What plans do you have for Nikto and what should we be expecting from future releases?
The biggest change will be to have more robust checking for false-positive conditions by examining the server's setup more closely, as well as being able to hard-code false-positive signatures directly in the scan database. Tests can still be easily written in CSV format, but will allow multiple conditions to prove or disprove the existence of a vulnerability, and will also be categorized so users can either include (or exclude) a whole class of vulnerabilities from a scan.

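To illustrate the multi-condition style of check described above, here is an added example (my own code, not Nikto's) of a scan-database entry that must satisfy several conditions before it is reported: the expected status code, a body pattern that confirms the finding, a pattern that disproves it, and a comparison against the server's own "not found" baseline so catch-all servers that answer 200 to everything do not produce a false positive. The two responder functions and the /backup/ check are constructed samples.

```python
import re
from dataclasses import dataclass

@dataclass
class Check:
    """One scan-database entry with several conditions, not just a status code."""
    path: str
    expect_status: int
    match: str = ""        # regex that must be present in the body to confirm
    fail_match: str = ""   # regex that, if present, disproves the finding

def baseline_not_found(fetch):
    """Ask for a path that cannot exist and record how this server says 'not found'."""
    status, body = fetch("/example-baseline-should-not-exist-8f2c")
    return status, body.strip()

def naive_status_only(check, fetch):
    """The weak approach: a matching status code alone counts as a hit."""
    status, _ = fetch(check.path)
    return status == check.expect_status

def evaluate(check, fetch, baseline):
    """Require every condition to hold before reporting the check as a finding."""
    status, body = fetch(check.path)
    base_status, base_body = baseline
    if status != check.expect_status:
        return False
    # A catch-all server answers every path the same way, so a response that is
    # identical to the baseline "not found" response proves nothing.
    if status == base_status and body.strip() == base_body:
        return False
    if check.match and not re.search(check.match, body):
        return False
    if check.fail_match and re.search(check.fail_match, body):
        return False
    return True

# Constructed sample responders standing in for HTTP fetches (hypothetical servers).
def catchall_server(path):
    return 200, "<html><body>Welcome to Example Corp</body></html>"

def listing_server(path):
    if path == "/backup/":
        return 200, "<html><title>Index of /backup</title><body>db.sql</body></html>"
    return 404, "<html>Not Found</html>"

BACKUP_CHECK = Check("/backup/", 200, match=r"Index of /backup", fail_match=r"Not Found")

def run_backup_check(fetch):
    return evaluate(BACKUP_CHECK, fetch, baseline_not_found(fetch))
```

Against the catch-all responder the status-only test still fires while the multi-condition test correctly stays quiet.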
Besides your own, what other tools do you use to perform web based assessments?
Almost every situation requires a different toolset. I typically use a combination of commercial and open source tools, including Paros, Burp, AppScan, WebInspect, blindSQLiX, and of course Firefox (with a handful of add-ons).

Besides Nikto what other projects are you currently involved in?
I am a project leader and developer for the Open Source Vulnerability Database (OSVDB.org), which is a vulnerability database committed to providing a free, unbiased resource for security professionals. Everyone (especially developers!!) should volunteer and help us out.

Is there anything else you'd like to add?
Given the media attention on big security incidents, viruses, and data theft, I am shocked at the number of companies still deploying insecure servers and applications. I don't expect every developer to understand subtle application attacks and be an expert in hacking techniques, but when their code doesn't contain any input filtering... well, let's hope they move into management sooner rather than later!

Boxers or briefs?
Boxers FTW!