Nikto Changelog

New in version 2.1.5

October 10th, 2012
  • Ticket 261: Update CSV report to include banner info and put data into proper columns
  • Ticket 247: Move etag header check to postfetch so no additional requests are made
  • Ticket 245: Liberal use of CDATA in XML report to prevent problems. Thanks to Peter Wang for reporting.
  • Ticket 242: nikto_headers.plugin now uses nfetch instead of direct LW calls
  • Ticket 234: Add plugin for crossdomain.xml (and clientaccesspolicy.xml) to look for wildcards and warn about entries
  • Ticket 233: Fix bad values in robots.txt from causing crashes
  • Ticket 229: Don't repeat XML headers if appending to an existing report file, thanks to digininja for idea
  • Ticket 228: Add client SSL certificate support. Thanks to monnerat for code submission!
  • Ticket 226: Add GMT offset to time outputs
  • Ticket 225: Template variables now have terminating hash to prevent collisions
  • Ticket 224: Space in robots.txt kills scanner
  • Ticket 222: Fix problems with banner parsing related to spaces, should result in fewer missed matches which should be hits.
  • Ticket 220: Certificate wildcard matching incorrect
  • Ticket 217: Add -IgnoreCode option to allow db_404_strings' @CODE at the command line
  • Ticket 214: Relocate databases to 'databases/' directory from 'plugins/'
  • Ticket 211: Shuffled some information in HTML report and added more summary data. Added error count and total check count to XML (note: DTD change).
  • Ticket 209: Find IPs in HTTP headers
  • Ticket 202: -maxtime maximum execution time per host (seconds)
  • Ticket 175: -until run until specified time or duration
  • Ticket 174: Checked for sites parked at hosting providers or advertising pages
  • Ticket 161: robots.txt now checks for listed files (content search, etc.)
  • Ticket 91: Identification of WEBrick fails. Updates made to handle banners with multiple items but no spaces
  • Ticket 74: Removed 'single' mode code from nikto. There are better tools for this nowadays.
  • Ticket 57: nfetch no longer uses global request/response hashes
  • Ticket 1: Save full response on positive, plaintext & JSON
  • Completely remove cache functionality as it was near worthless and added a lot of overhead
  • Including JSON-PP source to not require JSON installation. http://search.cpan.org/~makamaka/JSON-2.53/lib/JSON/backportPP.pm
  • Add IP address to CSV output. NOTE: this changes a parse-able report format!
  • add_vulnerability now takes in %request and %response for saving of data
  • nfetch() now returns headers received as argument 6--no more hash reference over-writing headers to send
  • Added sub get_ips() to centralize IP extraction from strings
  • Output file name now takes '.' which will auto-generate output filename like nikto_hostname_port.EXT
  • Fix -root not appearing in report output, reported by Cédric Michel
  • nikto_favicon.plugin checks for icons in
  • tags
  • Add check for non-empty OPTIONS response body, which could be related to something like http://zacstewart.com/2012/04/14/http-options-method.html
  • Add nikto_paths.plugin to look for things to add to db_variables values
  • Items found in robots.txt are now added to values from db_variables
  • Keep tokens from getting into _extensions, thanks to Erik Cabetas
  • Fix vhost not being set properly, thanks to Brian Poole
  • Fix crash on invalid regex chars in robots.txt (dis)allow lines
  • Default to use Net::SSL instead of Net::SSLeay as a result of too many memory issues in SSLeay