
CGISecurity Interview with Sullo the Author of Nikto

Nikto is a very popular open source web application security scanner. I emailed the author 'Chris Sullo' asking him about some of his plans, views, and other tool related questions.

How long has Nikto been in development and how many people are actively working on it?

Although I've had patches and updates from a couple of dozen people (a few of them regularly), I've been the sole developer of Nikto since its release in December, 2001.

What are the three biggest challenges that you've faced while developing a web application security scanner from a developmental perspective?

The biggest challenge, from a technical perspective, is trying to test and fix bugs against the huge variety of web servers in the wild. Even when decent bug reports come in, if I don't have access to a Joe-Bob 1.0 server, it's hard to ensure the problem is resolved.

Time management and motivation are much bigger factors. Let's face it--open source is tough. On one hand you may have software in wide use, and on the other a lot of open source work is taken for granted by the people using it (and in some cases profiting from it)--this is the unfortunate, double-edged sword of open source!

If you could pick two things about Nikto to spend some time improving what would they be?

Perhaps not so much an improvement--rather an enhancement--but I would like to spend the time to make Nikto crawl a web site. Even without trying to recreate tools like WebInspect/Appscan/Paros, information gathered from a crawl could make scanning much more accurate and efficient.

I'd also like to revamp the plugin "architecture" (such as it is), to allow for easier writing of plugins, and automatic registration if they are dropped in the plugin directory.

What types of vulnerabilities do Nikto and other web application security scanners have difficulty finding?

Blind SQL injection testing is still pretty rough in most cases (I can't count the false-positives I've seen from automated testing tools). Also, AJAX is presenting problems for tools that don't work around the problem by having proxy capabilities.

How does Nikto's web application assessment compare to tools such as Nessus?

They are very complementary, though they do overlap in some areas. I find that in pretty much every case, it's beneficial to run both tools against a site. I understand some places have a paranoia about Nessus running against their servers, while they don't have the same fear of running Nikto--perhaps because of Nessus' broad reach and DoS attacks (though in my experience, a properly built server and a reasonably configured Nessus policy almost never cause problems).

What are your plans for enhancing Nikto's reporting capabilities?

Version 2 contains a template-driven report format, which will allow users to customize HTML reports for their own needs. There is also an experimental knowledge base which should, when fully developed, allow someone to regenerate old reports, as well as do a quick re-check of a site to see if issues have been resolved.

Besides the cost factor how does Nikto compare to a commercial scanner?

Nikto, at the moment, doesn't do any crawling of the web site or checking for flaws in custom applications--this is by far the biggest difference. They also tend to have nice GUIs and reports with pretty graphs.

What plans do you have for Nikto and what should we be expecting from future releases?

The biggest change will be to have more robust checking for false-positive conditions by examining the server's setup more closely, as well as being able to hard-code false-positive signatures directly in the scan database. Tests can still be easily written in CSV format, but will allow multiple conditions to prove or disprove the existence of a vulnerability, and will also be categorized so users can either include (or exclude) a whole class of vulnerabilities from a scan.
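To illustrate the design described in that answer (multi-condition checks with prove/disprove signatures, plus category include/exclude), here is an added example in Python. It is not Nikto's code and does not use Nikto's real database layout; the CSV columns, the `Check` class, `run_checks`, and the constructed "catch-all 200" server responses are all assumptions made for this illustration. The point it demonstrates is why a status-code-only check produces false positives against a server that answers 200 for every path, and how a `must_contain` / `must_not_contain` pair in the same CSV row suppresses them.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed, hypothetical check database (NOT Nikto's actual db format).
# One row per test: a status to expect, a string that must be present in the
# body to confirm the finding, and a string whose presence disproves it.
CHECK_DB = """\
id,category,method,path,expected_status,must_contain,must_not_contain,message
1001,info,GET,/server-status,200,Apache Server Status,,Apache mod_status page is exposed
1002,backup,GET,/backup.zip,200,,<html,Backup archive is downloadable
1003,admin,GET,/admin/,200,Admin Console,Not Found,Admin console reachable without authentication
"""


@dataclass
class Check:
    id: str
    category: str
    method: str
    path: str
    expected_status: int
    must_contain: str
    must_not_contain: str
    message: str


def load_checks(text: str) -> List[Check]:
    """Parse the CSV check database into Check objects."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Check(
            id=row["id"],
            category=row["category"],
            method=row["method"],
            path=row["path"],
            expected_status=int(row["expected_status"]),
            must_contain=row["must_contain"],
            must_not_contain=row["must_not_contain"],
            message=row["message"],
        )
        for row in reader
    ]


def evaluate(check: Check, status: int, body: str, status_only: bool = False) -> bool:
    """Return True only if every condition of the check holds.

    status_only=True mimics a naive scanner that trusts the status code alone;
    the default applies the prove/disprove strings as well.
    """
    if status != check.expected_status:
        return False
    if status_only:
        return True
    if check.must_contain and check.must_contain not in body:
        return False  # confirmation string absent: cannot prove the finding
    if check.must_not_contain and check.must_not_contain in body:
        return False  # disproving signature present: treat as false positive
    return True


def run_checks(
    checks: List[Check],
    responses: Dict[str, Tuple[int, str]],
    include: Optional[Set[str]] = None,
    exclude: Optional[Set[str]] = None,
    status_only: bool = False,
) -> List[str]:
    """Run every check in scope against pre-fetched responses {path: (status, body)}.

    Returns the ids of checks that fired. Responses are supplied by the caller,
    so this runs offline against constructed data.
    """
    fired = []
    for check in checks:
        if include is not None and check.category not in include:
            continue
        if exclude is not None and check.category in exclude:
            continue
        status, body = responses.get(check.path, (404, ""))
        if evaluate(check, status, body, status_only=status_only):
            fired.append(check.id)
    return fired


# Constructed responses from a server whose error handler returns 200 for every
# unknown path (a classic source of scanner false positives). Only /admin/ is real.
CATCHALL_SERVER: Dict[str, Tuple[int, str]] = {
    "/server-status": (200, "<html><body>Page not found</body></html>"),
    "/backup.zip": (200, "<html><body>Page not found</body></html>"),
    "/admin/": (200, "<html><h1>Admin Console</h1></html>"),
}

if __name__ == "__main__":
    checks = load_checks(CHECK_DB)
    print("status only :", run_checks(checks, CATCHALL_SERVER, status_only=True))
    print("multi-cond  :", run_checks(checks, CATCHALL_SERVER))
    print("exclude admin:", run_checks(checks, CATCHALL_SERVER, exclude={"admin"}))
```

Against the constructed catch-all server, the status-only pass reports all three checks, while the multi-condition pass reports only 1003: 1001 lacks its confirmation string and 1002 trips its `<html` disproof signature (a real archive download would not start with HTML). Category filtering then lets a user drop the whole `admin` class from a run.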

Besides your own, what other tools do you use to perform web based assessments?

Almost every situation requires a different toolset. I typically use a combination of commercial and open source tools, including Paros, Burp, AppScan, WebInspect, blindSQLiX, and of course Firefox (with a handful of add-ons).

Besides Nikto what other projects are you currently involved in?

I am a project leader and developer for the Open Source Vulnerability Database (OSVDB.org), which is a vulnerability database committed to providing a free, unbiased resource for security professionals. Everyone, (especially developers!!), should volunteer and help us out.

Is there anything else you'd like to add?

Given the media attention on big security incidents, viruses, and data theft, I am shocked at the number of companies still deploying insecure servers and applications. I don't expect every developer to understand subtle application attacks and be an expert in hacking techniques, but when their code doesn't contain any input filtering... well, let's hope they move into management sooner rather than later!

Boxers or briefs?

Boxers FTW!

