4.2. Web Audit with Nikto and Wapiti


Nikto and Wapiti are both useful tools for website security auditing. Both are command-line tools and complement a manual assessment when looking for vulnerabilities in a website. Both programs are already installed on Kali and can be reached through the quick-access menu (similar to the Start menu in Windows):

  1. Go to "Applications" in the menu.
  2. Navigate to "03-Web Application Analysis."
  3. Click on "Web Vulnerability Scanners."

From there, you can launch and use Nikto and Wapiti to perform security audits and vulnerability assessments on websites. These tools can help you identify potential weaknesses and security issues in web applications:

Start menu to open Nikto and Wapiti


Wapiti

Wapiti offers many options; the full list is printed by running the command

wapiti -h

Additionally, descriptions of all the options are available on the official website. The program is primarily designed to search for vulnerabilities such as XSS (Cross-Site Scripting), SQLi (SQL Injection), XXE (XML External Entity) injection, and others. Each vulnerability class is handled by a separate module; to view the complete list of modules, execute the command

wapiti --list-modules

Displaying list of modules in Wapiti

Knowing the module names, you can include or exclude them from the test. As an example, let's run a vulnerability assessment of the Peruggia application that checks only for Command Injection (module exec), XSS (module xss), and Path Traversal (module file). We'll save the scanning results in a text file for further analysis:

wapiti -u http://10.0.2.4/peruggia/ -m xss,exec,file -o scan_report -f txt --color

Here's an explanation of the command options:

-u: Specifies the URL to scan.

-m: Contains a list of scanning modules (vulnerability types).

-o: Specifies the name of the file or folder where the report will be saved.

-f: Defines the format of the report (options include xml, html, txt, json).

--color: Displays program output in color, but this option works only for the terminal and is not available for report files.

The scanning results for the application will be generated and saved in the specified format for further analysis:

Wapiti scan result of website

Here's what the report looks like in a text file:

Wapiti scan result in text file

The program has detected some vulnerabilities. Let's look at some of them.

In the Cross-Site Scripting section, several GET parameters are marked as vulnerable, and for each one the report also gives the URL containing the payload that triggered the finding:

Cross Site Scripting vulnerabilities in Wapiti report

Let's open the URL in a web browser to verify the results:

Checking XSS exploit in browser

An alert box showing the injected characters appeared: the script passed in the URL parameter was reflected into the page and executed by the browser, which confirms the vulnerability. At this stage, we can confirm that there is indeed a vulnerability on the website. We will delve into how to test and exploit it in detail in future lessons.

Let's continue. In the Path Traversal section, there are also some entries:

Path traversal findings in Wapiti report

Let's open the very first URL:

Confirmation of path traversal in browser

The application window displays the contents of the file "/etc/passwd." This file lists the local system accounts: for each user, its username, numeric user and group IDs, home directory, and login shell. Password hashes are not kept there; they are stored in the "/etc/shadow" file, which regular users cannot read.

We've now identified another confirmed vulnerability, one that allows reading the contents of files on the server. One more point to keep in mind when running scans: Wapiti saves the crawl and attack state of each scan as a session (under ~/.wapiti by default) and, when run again against the same target, resumes from that session instead of starting over, so you will see the previous results. To discard the saved session and force the program to scan the website again, add the --flush-session option to the command.
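The report is meant for further analysis, and the two confirmations above (open the payload URL, look for /etc/passwd content) are the kind of step worth automating once a scan returns more than a handful of hits. The script below is an added example for this lesson, not code from the page or from the Wapiti project: it reads a Wapiti JSON report (produced with -f json), lists the reproduction request for every finding grouped by category, and checks a fetched response body for the root entry that identifies a real /etc/passwd. The report and the response body are constructed inline, the host, paths and parameter names in them are placeholders rather than findings from any real application, and the field layout (a top-level "vulnerabilities" object keyed by category, each finding with "method", "path", "parameter", "info", "level" and "http_request") is an assumption modelled on Wapiti 3's JSON output; confirm it against a report you generate yourself before relying on it.

```python
"""Triage a Wapiti JSON report and confirm a path traversal hit.

Added example for this lesson; not part of Wapiti or of the original page.
SAMPLE_REPORT and SAMPLE_PASSWD_BODY are CONSTRUCTED; the target, paths and
parameters are placeholders. The field names are an ASSUMPTION modelled on
Wapiti 3's "-f json" format.
"""
import json
import re
from collections import defaultdict

SAMPLE_REPORT = json.dumps({
    "infos": {"target": "http://target.example/app/", "version": "sample"},
    "vulnerabilities": {
        "Cross Site Scripting": [
            {
                "method": "GET",
                "path": "/app/page.php",
                "parameter": "q",
                "level": 1,
                "info": "XSS vulnerability found via injection in the parameter q",
                "http_request": "GET /app/page.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\nhost: target.example",
            }
        ],
        "Path Traversal": [
            {
                "method": "GET",
                "path": "/app/page.php",
                "parameter": "file",
                "level": 1,
                "info": "Linux local file disclosure vulnerability in the parameter file",
                "http_request": "GET /app/page.php?file=../../../../etc/passwd HTTP/1.1\nhost: target.example",
            }
        ],
        "Command execution": [],  # module ran, nothing found
    },
})

# CONSTRUCTED body of the response to the traversal request above.
SAMPLE_PASSWD_BODY = (
    "<pre>\n"
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "</pre>"
)

# A genuine /etc/passwd starts with the root account: uid 0, gid 0.
PASSWD_ROOT_LINE = re.compile(r"^root:[^:\n]*:0:0:", re.MULTILINE)


def load_findings(report_text):
    """Return {category: [finding, ...]} for categories with at least one hit."""
    report = json.loads(report_text)
    return {cat: hits for cat, hits in report.get("vulnerabilities", {}).items() if hits}


def summarize(findings):
    """Count findings per category."""
    counts = defaultdict(int)
    for cat, hits in findings.items():
        counts[cat] += len(hits)
    return dict(counts)


def request_line(finding):
    """First line of the recorded request: 'GET /path?param=payload HTTP/1.1'."""
    return finding["http_request"].splitlines()[0]


def looks_like_passwd(body):
    """True when a fetched body contains a root entry laid out like /etc/passwd.

    Run this on the response you fetch yourself (browser or curl) for a
    Path Traversal hit; an error page or an echoed payload will not match.
    """
    return PASSWD_ROOT_LINE.search(body) is not None


def triage(report_text):
    """Per-category list of reproduction requests for manual verification."""
    findings = load_findings(report_text)
    lines = []
    for cat in sorted(findings):
        lines.append(f"== {cat} ({len(findings[cat])}) ==")
        for hit in findings[cat]:
            lines.append(f"  [{hit['method']}] param={hit['parameter']}  {request_line(hit)}")
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_REPORT):
        print(line)
    print("passwd signature in sample body:", looks_like_passwd(SAMPLE_PASSWD_BODY))
```

Replace SAMPLE_REPORT with the contents of a real report file to get the list of requests to replay; the passwd check deliberately anchors on the root line rather than on the string "/etc/passwd", because the latter appears in the echoed URL of a non-vulnerable page as well.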


Nikto

To run Nikto, simply execute the command nikto. With no arguments it prints a short usage message; nikto -H prints the full list of supported options.

Nikto was built for quick, broad scanning: it sends a large number of requests for known files, directories, and misconfigurations, so it generates a lot of "noise" and is easily detected by Web Application Firewalls (WAF), Intrusion Prevention Systems (IPS), and in the logs of the tested server. It is not a stealthy tool.

For a quick scan, you can execute the command

nikto -host website_URL

However, we will use additional options to get more useful results. We will test the Cyclone application and save the scan results in an HTML file named "Cyclone_nikto_scan.html":

nikto -host http://10.0.2.4/cyclone -output Cyclone_nikto_scan.html -Format htm -followredirects

Here's an explanation of the command options:

-host: Specifies the target to be tested, which can be an IP address or URL.

-output: Specifies the filename to save the report.

-Format: Determines the report format. Available options include TXT, JSON, XML, HTM, CSV, SQL, NBE. You can omit this option, as the program can automatically determine the format based on the file extension provided in the -output option.

-followredirects: Instructs Nikto to follow HTTP redirects instead of only reporting them.

The scanning result in the terminal will look like this:

Nikto scan result in terminal

Here's what the HTML-format report looks like:

Nikto report in HTML-form

Unfortunately, the report is quite plain, and it does not group results by vulnerability name. You can customize the report by editing the template files used for HTML/XML reports. All templates are stored in the directory /var/lib/nikto/templates/:

Directory with Nikto report templates
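If you would rather not touch the templates, the grouping the HTML report lacks can be done after the fact on Nikto's CSV output, where every hit is one record and the same check reported against many URIs is easy to collapse. The script below is an added example for this lesson, not code from the page or from the Nikto project. The CSV lines are constructed, the test IDs in them are placeholders, and the column order (host, IP, port, test ID, method, URI, message) is an assumption modelled on Nikto's CSV report plugin; check it against a report you produce with -Format csv before relying on it.

```python
"""Group Nikto CSV findings by test ID.

Added example for this lesson; not part of Nikto or of the original page.
SAMPLE_CSV is CONSTRUCTED with placeholder test IDs and a placeholder host.
The column order in COLUMNS is an ASSUMPTION modelled on Nikto's CSV plugin.
"""
import csv
import io

COLUMNS = ["host", "ip", "port", "test_id", "method", "uri", "message"]

SAMPLE_CSV = '''\
"target.example","192.0.2.10","80","000001","GET","/app/","The anti-clickjacking X-Frame-Options header is not present."
"target.example","192.0.2.10","80","000002","GET","/app/","The X-Content-Type-Options header is not set."
"target.example","192.0.2.10","80","000003","GET","/app/css/","Directory indexing found."
"target.example","192.0.2.10","80","000003","GET","/app/js/","Directory indexing found."
"target.example","192.0.2.10","80","000003","GET","/app/images/","Directory indexing found."
"target.example","192.0.2.10","80","000004","GET","/app/info.php","Output from the phpinfo() function was found."
'''


def parse_nikto_csv(text):
    """Parse CSV text into a list of dicts keyed by COLUMNS; skips blank or malformed lines."""
    rows = []
    for record in csv.reader(io.StringIO(text)):
        if len(record) != len(COLUMNS):
            continue
        rows.append(dict(zip(COLUMNS, record)))
    return rows


def group_by_test(rows):
    """Collapse repeated hits of one check: {test_id: {"message": str, "uris": [...]}}."""
    groups = {}
    for row in rows:
        group = groups.setdefault(row["test_id"], {"message": row["message"], "uris": []})
        group["uris"].append(f"{row['method']} {row['uri']}")
    return groups


def render(groups):
    """One header line per check (most hits first), then the affected URIs indented."""
    lines = []
    for test_id, group in sorted(groups.items(), key=lambda kv: -len(kv[1]["uris"])):
        lines.append(f"[{test_id}] x{len(group['uris'])}: {group['message']}")
        for uri in group["uris"]:
            lines.append("    " + uri)
    return lines


if __name__ == "__main__":
    print("\n".join(render(group_by_test(parse_nikto_csv(SAMPLE_CSV)))))
```

Feed it the file written by nikto -host ... -output scan.csv -Format csv; sorting by hit count puts the checks that matched across many paths (directory indexing, missing headers) at the top, which is usually where a misconfiguration rather than a single stray file is the root cause.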