
I was doing some scanning on a web application; I used OWASP ZAP and Nessus. The risks that these two detected were medium to low, very few vulnerabilities.

Then I tried Nikto, and the results were huge. It detected potential risks with the database and other "major security problems". I was just wondering, because I know these scanners detect potential risks that you can try to exploit and it's not 100% accurate, but which one of the three is the best to rely on as a starting point when you perform a pen test?

schroeder
user177300

3 Answers

Why are you looking for the best "starting point"? They all test for different things and each behaves differently. Regardless of the tool, you still need to verify the results, and each tool will be better at some sites than others.

The best one to start with is the one that offers the best value to you for that web application. Then run the others knowing the weaknesses they might have for your application.

schroeder

Nikto is a web security tool which mainly looks for outdated software, dangerous files/CGI, etc. Many of the modern scanners, including Nessus and OpenVAS, use Nikto to get information for their analysis (these tools have Nikto plugins).

Also, there are some cases where Nikto provides too many false positives compared to other tools. It's always good to run multiple tools to see which tool reports relevant issues for your product.

Bottom line: Nikto is one of the powerful tools which can be used for reconnaissance, but its output should be analyzed properly before finalizing on the data reported.

Suraj

Depends on how the checks are being performed. Different scanners will use different techniques, which is why using multiple scanners is a good option. Manually testing a discovered vulnerability can reveal false positives. The manual testing may be as simple as using curl against the URL and viewing the headers.

If you are getting a large number of false positives in Nikto it could be the scanner failed to recognise 404s, so it was getting "valid" hits for the different items in its checks DB.
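One way to make that 404 check concrete, as an added example that is not code from the answer above or from Nikto itself: the Python script below starts two constructed loopback servers, one that answers 200 with the same "not found" page for every path (a soft 404) and one that returns a real 404, takes a baseline by requesting random paths that cannot exist, and then re-checks a hypothetical scanner hit at `/example-scanner-hit/` against each. The handler classes, `soft_404_baseline`, `classify`, `run_against` and the path are all constructed for this example.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.request


# Constructed sample server: answers 200 with the same "not found" page for
# every path. This is the soft-404 behaviour that makes a scanner's checks DB
# report "valid" hits for paths that do not exist.
class SoftNotFoundHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self._reply(200, b"<html><body>Sorry, that page was not found.</body></html>")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


# Constructed sample server with a real 404: only "/" exists.
class RealNotFoundHandler(SoftNotFoundHandler):
    def do_GET(self):
        if self.path == "/":
            self._reply(200, b"<html><body>Welcome</body></html>")
        else:
            self._reply(404, b"<html><body>Not Found</body></html>")


def fetch(url):
    """GET url; return (status, headers, body). HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "soft404-check"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def normalize(body, path):
    """Drop the requested path from the body so pages that echo it still compare equal."""
    return body.replace(path.encode(), b"")


def soft_404_baseline(base_url, probes=2):
    """Request random paths that cannot exist and record what comes back.
    A 200 here means the server hides its 404s and every scanner hit needs review."""
    baseline = []
    for _ in range(probes):
        path = "/" + secrets.token_hex(12)
        status, _, body = fetch(base_url + path)
        baseline.append((status, normalize(body, path)))
    return baseline


def classify(status, body, path, baseline):
    """Pure decision logic, so it can be exercised without a server.

    not-present           : the server answered with something other than 200
    likely-false-positive : 200, but identical to the page sent for random paths
    needs-manual-review   : 200 and different from the soft-404 page
    """
    if status != 200:
        return "not-present"
    if any(s == 200 and b == normalize(body, path) for s, b in baseline):
        return "likely-false-positive"
    return "needs-manual-review"


def verify_finding(base_url, path, baseline):
    """Re-request a path a scanner reported and classify the response."""
    status, _, body = fetch(base_url + path)
    return classify(status, body, path, baseline)


def run_against(handler, path):
    """Start a constructed server on a free loopback port, verify one hypothetical
    scanner finding against it, and shut the server down again."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base_url = "http://127.0.0.1:%d" % srv.server_address[1]
    try:
        return verify_finding(base_url, path, soft_404_baseline(base_url))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    # "/example-scanner-hit/" stands in for a path taken from a scanner report.
    for name, handler in (("soft-404 server", SoftNotFoundHandler),
                          ("real-404 server", RealNotFoundHandler)):
        print(name, "->", run_against(handler, "/example-scanner-hit/"))
```

Run as a script it reports `likely-false-positive` for the soft-404 server and `not-present` for the real one. Against an actual application under test, replace the constructed servers with the application's base URL; expect to loosen the exact body comparison when the soft-404 page carries timestamps or other per-request content, and treat `needs-manual-review` as exactly that, a prompt to look at the response by hand (with curl, as the answer says), not as a confirmed finding.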