DASTOpen source · GPL-3.0
Nikto
Community project
A long-running, free command-line scanner that checks a web server for outdated software versions, dangerous default files, and known misconfigurations. Simpler and older than modern DAST platforms, but still commonly used as a quick first pass before a deeper authenticated scan.
Verified Source: 1
- Product type
- Community project
- Deployment
- CLI
- Organization size
- IndividualSMBMid-marketEnterprise
- Pricing tier
- Free
Capability checklist
DASTHow Nikto measures up against the full Dynamic Application Security Testing taxonomy.
- Black-box scanning — supported
- Tests a running application from the outside, without access to source code.
- Authenticated scanning — not supported
- Crawls and tests pages that require a logged-in session.
- API scanning — not supported
- Tests REST and GraphQL APIs, not just traditional web pages.
- CI/CD scan automation — not supported
- Runs scans automatically as part of the build and deploy pipeline.
- Automated finding verification — not supported
- Confirms exploitability of findings to cut down false positives.
- OWASP Top 10 coverage — not supported
- Tests for the industry-standard set of common web application vulnerability classes.
Alternatives
Other Dynamic Application Security Testing tools with overlapping capabilities, sized for similar teams.