What It Is
Nikto is a web server scanner written in Perl. It is used for initial checks of sites or servers against known vulnerabilities and configuration errors.
The project is not a stealth tool. It is better understood as an audit helper for systems you own or are explicitly authorized to test.
What Is Inside
The main script lives in `program/`. Nikto can be run through its shebang, through Perl, or inside a container.
The scanner can save reports in several formats, add HTTP headers, and check many known signs of unsafe configuration.
How People Use It
An administrator runs Nikto against a test or production domain, then reviews the report: which findings are real, which are false positives, and what should be fixed first.
Nikto should only be used where permission exists. Even a basic scanner creates visible traffic and may violate rules on someone else’s infrastructure.
Example
The command below runs a basic check against a site and writes the result as JSON so the findings can be reviewed later.
Basic Scan
The example scans the target site and writes a report file.
nikto -h https://example.com -o nikto-report.json -Format json
Strengths And Limits
Nikto’s strength is quick startup and a clear report on common problems. It works well as a first inspection layer.
The limitation is depth. It does not replace manual audit, business-logic testing, dependency review, or full application security testing.
Project Context
Nikto is maintained in the sullo/nikto repository; its public project history starts on 2012-11-24. GitHub reports the primary language as Perl, and the license as NOASSERTION.
For a catalog page, this context matters because the reader sees a real project with an owner, license, technical base, and public change history rather than an abstract name.