The webserver is configured to redirect all HTTP request traffic to HTTPS. And there seems to be different application running on 80 and 443.
443 is not vulnerable but there are lot of vulnerability exists on 80. When I am trying to browse http://example.com through browser it redirects me to https://example.com.
Now when I use nikto to scan the site at port 80 it list a lot of vulnerable links. Please suggest.
A redirect (to https, or anywhere else) is a "302" return code from the server
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes
which your browser honors, and then re-requests the redirected page.
If "nikto [...scans...] the site at port 80 [and] list a lot of vulnerable links"
then the server is still returning a page. You would need to use a modified web client which doesn't follow the "302" redirect, the way nikto apparently isn't.
That still seems odd though, as most web serves which send a redirect do not also send the original/old page. You may want to be sure nikto isn't just showing you the contents of the page after silently following the redirect to the https site.
Finally, the software running port 80 and 443 might be the same. A single web server can handle both http and https connections, and serve out the same or different pages in response
I think the site may have HSTS enabled, in which case your browser doesn't even do the HTTP request. You can remove the HSTS flag from the site in your browser, but it will get set again when you visit the HTTPS site.
