Nikto 2.5.0 Released!

Nikto 2.5.0 has now been released!

Please Note: Breaking changes to JSON and XML output may have occurred. If you rely on these formats please test before upgrading.

The Nikto 2.5.0 version contains hundreds of updates over several years, including the highlights below.
  • IPv6 support (thanks to @richardleach)
  • Updated db_checks format uses multiple references

Introducing: Site Crunch -- Optimize Your Site

Introducing... Site Crunch!

Site Crunch is a script which will recursively walk through a directory structure and do its best to compress or otherwise "minify" the files it finds. It is designed to help optimize web sites, so it works against JPG and PNG images, as well as CSS, JavaScript and HTML files. My limited testing shows sites can often quite easily shed 10% of their bulk--not an insignificant amount!

More details and downloads can be found here:
Dave flew solo on the Nikto project for nearly two years and now denies that he co-runs it with Sullo, though he adds stuff when interesting things happen and his development server doesn't blow up (it's amazing how many times that happens).

Dave has been in the security industry for too long. He started out hacking games, then became a developer, then a sysadmin, then a generic dogsbody and finally a penetration tester.

Chris Sullo

Chris started in the "futuristic" year 2000 as a place to house the default password and port databases. In 2001, he wrote and released Nikto, which quickly became one of the most popular open source web security tools.

He also co-founded the Open Security Foundation and served as a Treasurer and board member. With OSF, Chris was at various times a moderator, developer and whipping boy for the Open Source Vulnerability Database (OSVDB).

Firefox Search of Default Password List

Michel Chamberland has released a search add-on for Firefox that allows you to search the default password database directly. It's pretty straightforward, but I like things that save time... and this does.

Grab it here.

Blogging @ Work

Just a quick note that I've decided this whole "blog" thing isn't just a fad, so I've started writing over at (the old) SPI Labs blog since, well, they pay me. So go subscribe. I just posted about oddities with hyphens in subdomain names and will try to keep posting more as the weeks go by.