Originally published on SecurityElites, the canonical, fully-updated version of this article.

Part of the DVWA Lab Series (30 labs). Lab 25 of 30.
Every professional penetration tester uses automated scanners. Not because they replace manual testing (they don't), but because running Nikto for five minutes and ZAP for twenty minutes before you start your manual session tells you things you'd waste an hour discovering by hand: server version disclosures, missing security headers, known CVE matches on outdated components. The automated scanner does the breadth sweep so you can focus your manual time on depth.
Lab 25 puts you on the other side of that equation. You're going to point Nikto and ZAP at a target you already know is full of vulnerabilities, DVWA, and watch what they find. More importantly, you're going to watch what they don't find. The gap between what an automated scanner reports and what DVWA actually contains is the clearest illustration of why manual testing exists. The scanner finds SQL injection in the obvious form field. It misses the CSRF, the file inclusion at medium security, and the access control bypass entirely.
That gap is the thing every ethical hacker needs to understand before they build their first professional pentest methodology.
### DVWA Automated Scan Lab 25 Objectives

- Run a complete Nikto scan against DVWA and interpret every finding in the output
- Configure OWASP ZAP with an authenticated session and run an active scan against DVWA
- Build a gap analysis table comparing what the scanners found with DVWA's known vulnerabilities
- Understand exactly why automated scanners miss CSRF, IDOR, and business logic flaws
Lab 25 · 3 terminal exercises · DVWA + Nikto + OWASP ZAP

### Prerequisites

- DVWA running (Docker or VirtualBox from Lab 1)
- Burp Suite integration from Lab 24: the manual baseline you'll compare against scanner output
- Kali Linux with Nikto installed (`sudo apt install nikto` if missing)

### DVWA Automated Scan Lab 25 Contents

1. Nikto: Web Server Scanner Fundamentals
2. Exercise 1: Running Nikto Against DVWA
3. OWASP ZAP: Application-Level Scanning
4. Exercise 2: Authenticated ZAP Scan Against DVWA
5. Exercise 3: Gap Analysis (What Automated Scanning Misses)

## Nikto: Web Server Scanner Fundamentals

Here is what Nikto checks across its 6,700+ test items: dangerous files that shouldn't be publicly accessible, server headers that leak version numbers, outdated software signatures, insecure HTTP methods left enabled, and default configuration that nobody changed from the install defaults. It is not sending SQL injection payloads into form fields; that is not what it does. What it does is give you a server-level picture in under two minutes that would take 30 minutes to check manually. That baseline matters before you start application-level testing.
On a real engagement I run Nikto first, while I'm reading the scope document and taking notes. It runs in the background and finishes by the time I'm ready to start manual testing. The three findings I pay most attention to: version disclosures (are there CVEs for this server version?), missing security headers (quick wins for the report), and any exposed admin paths I hadn't already found.
### Nikto: Core Command Options

```bash
# Basic scan
nikto -h http://TARGET_IP

# Scan with HTTP authentication credentials
nikto -h http://TARGET_IP/dvwa -id admin:password

# Scan with custom port
nikto -h http://TARGET_IP -p 8080

# Save output to file
nikto -h http://TARGET_IP -o nikto_results.txt -Format txt
```

Note that `-id` supplies HTTP authentication (Basic/NTLM) credentials. DVWA's own login is a form that sets a PHPSESSID cookie, so pages behind it are only scanned if you also supply that cookie (Nikto reads a STATIC-COOKIE entry from nikto.conf); without it, Nikto is mostly seeing the login page and the server.
Understanding Nikto output prefixes

- `+` → finding (potential issue)
- `-` → informational message
- `OSVDB-XXXX` → reference to the Open Source Vulnerability Database

What Nikto looks for

- Server header version disclosure (Apache/2.4.7: outdated)
- Missing security response headers
- Dangerous HTTP methods (TRACE, OPTIONS)
- Known sensitive file paths (/backup, /.git, /phpinfo.php)
- Default files from web frameworks
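The prefixes and finding classes above are easy to apply by eye on a short report, but a real Nikto run against a web root produces dozens of lines. The script below is an added example (not Nikto's code and not part of the original lab): it parses Nikto's text output, separates informational lines from findings, and buckets the findings into the four classes the lab says to read first. The report it runs on is constructed to mimic Nikto's format and is not output from a real scan; the function names and the regexes are this example's own.

```python
"""Triage a Nikto text report: separate informational lines from findings,
then bucket the findings by class (version disclosure, missing headers,
HTTP methods, exposed paths). Added example; not Nikto's own code."""
import re
from collections import defaultdict

# Constructed sample report (layout modelled on Nikto's text output; not a real scan).
SAMPLE_NIKTO_OUTPUT = """\
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.17.0.2
+ Target Hostname:    172.17.0.2
+ Target Port:        80
+ Start Time:         2024-01-01 10:00:00 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /dvwa/config/: Directory indexing found.
+ /dvwa/phpinfo.php: Output from the phpinfo() function was found.
+ /dvwa/login.php: Admin login page/section found.
+ 7536 requests: 0 error(s) and 8 item(s) reported on remote host
"""

OSVDB_RE = re.compile(r"^OSVDB-(\d+):\s*")
# Scan metadata that Nikto also prints with a '+' prefix: treat it as informational.
INFO_RE = re.compile(r"^(Target (IP|Hostname|Port)|Start Time|End Time|\d+ requests:)")
SERVER_RE = re.compile(r"^Server:\s*(.+)$")
HEADER_RE = re.compile(r"header is not (present|set|defined)", re.IGNORECASE)
METHOD_RE = re.compile(r"\b(TRACE|HTTP Methods)\b")


def parse_nikto(text):
    """Return one dict per '+'/'-' item: prefix, text, OSVDB id, informational flag."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue                      # blank line or separator rule
        prefix, _, body = line.partition(" ")
        if prefix not in ("+", "-"):
            continue                      # not a Nikto item line
        osvdb = None
        m = OSVDB_RE.match(body)
        if m:                             # strip the OSVDB reference, keep the id
            osvdb = int(m.group(1))
            body = body[m.end():]
        informational = prefix == "-" or INFO_RE.match(body) is not None
        items.append({"prefix": prefix, "text": body, "osvdb": osvdb,
                      "informational": informational})
    return items


def classify(body):
    """Bucket a finding into the classes worth reading first."""
    if SERVER_RE.match(body):
        return "version_disclosure"
    if HEADER_RE.search(body):
        return "missing_header"
    if METHOD_RE.search(body):
        return "http_method"
    if body.startswith("/"):
        return "sensitive_path"
    return "other"


def triage(text):
    """Map bucket name -> list of finding texts; informational lines are kept apart."""
    buckets = defaultdict(list)
    for item in parse_nikto(text):
        key = "informational" if item["informational"] else classify(item["text"])
        buckets[key].append(item["text"])
    return dict(buckets)


def server_version(text):
    """The Server header value Nikto reported, or None if none was disclosed."""
    for item in parse_nikto(text):
        m = SERVER_RE.match(item["text"])
        if m:
            return m.group(1).strip()
    return None


def osvdb_refs(text):
    """OSVDB ids referenced in the report, in order of appearance."""
    return [i["osvdb"] for i in parse_nikto(text) if i["osvdb"] is not None]


if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_NIKTO_OUTPUT).items():
        print(f"[{bucket}] {len(lines)} item(s)")
        for line in lines:
            print("   ", line)
    print("Server version:", server_version(SAMPLE_NIKTO_OUTPUT))
    print("OSVDB references:", osvdb_refs(SAMPLE_NIKTO_OUTPUT))
```

Run it against a saved report (`nikto ... -o /tmp/nikto_dvwa.txt -Format txt`) by reading the file into `triage()`. The `version_disclosure` bucket is what you cross-check against CVE data, `missing_header` items go straight into the report as quick wins, and anything in `sensitive_path` is compared with the paths you already found manually in Lab 24.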
### Exercise 1: Kali Terminal (20 min)

Run Nikto Against DVWA and Interpret Every Finding

20 minutes · Kali Linux + DVWA running
Nikto against a known-vulnerable target gives you a reference dataset: you know what the target contains, so you can evaluate exactly what Nikto finds and what it misses. Work through every line of output.
Step 1: Confirm DVWA is running and note its IP

Docker:

```bash
docker ps | grep dvwa
docker inspect [container_id] | grep IPAddress
```

VirtualBox (inside the DVWA VM):

```bash
ip addr show eth0
```

Step 2: Run Nikto with credentials

```bash
nikto -h http://DVWA_IP/dvwa -id admin:password -o /tmp/nikto_dvwa.txt
# Let it run: takes 3-8 minutes
```

Step 3: While Nikto runs, list DVWA's known vulnerabilities

Navigate to DVWA in your browser. Count how many vulnerability categories appear in the menu and list them: Brute Force, Command Injection, CSRF, File Inclusion… This is your ground truth: what does DVWA actually contain?

Step 4: Analyse the Nikto output

```bash
cat /tmp/nikto_dvwa.txt
```

For each finding:

a) What is the finding description?
b) Is it a real security issue or informational?
c) How does it relate to DVWA's known vulnerabilities?
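Steps 3 and 4 together produce the gap analysis table from the lab objectives: DVWA's menu on one side, scanner findings on the other. The script below is an added example (not SecurityElites' or DVWA's code) that builds that table. The `DVWA_MENU` list is the menu as it appears in recent DVWA releases (confirm it against your own instance in Step 3), the Nikto lines and ZAP alert names are constructed inputs rather than real scan output, and the keyword rules in `CATEGORY_KEYWORDS` are this example's own way of deciding which DVWA category a scanner finding belongs to.

```python
"""Gap analysis for Lab 25: which DVWA menu categories did the scanners
cover, and which are left for manual testing. Added example; the inputs
below are constructed, not real scan results."""

# Ground truth: DVWA's vulnerability menu as in recent releases.
# Confirm against your instance (Exercise 1, Step 3).
DVWA_MENU = [
    "Brute Force", "Command Injection", "CSRF", "File Inclusion", "File Upload",
    "Insecure CAPTCHA", "SQL Injection", "SQL Injection (Blind)", "Weak Session IDs",
    "XSS (DOM)", "XSS (Reflected)", "XSS (Stored)", "CSP Bypass", "JavaScript",
    "Authorisation Bypass", "Open HTTP Redirect",
]

# Keyword rules (this example's own): the first category whose keyword
# appears in a finding wins, so the more specific entries come first.
CATEGORY_KEYWORDS = {
    "Brute Force": ("brute",),
    "Command Injection": ("command injection",),
    "CSRF": ("csrf", "cross-site request forgery"),
    "File Inclusion": ("file inclusion",),
    "File Upload": ("file upload",),
    "Insecure CAPTCHA": ("captcha",),
    "SQL Injection (Blind)": ("blind sql",),
    "SQL Injection": ("sql injection",),
    "Weak Session IDs": ("session id",),
    "XSS (DOM)": ("dom xss", "dom based"),
    "XSS (Reflected)": ("scripting (reflected)", "xss (reflected)"),
    "XSS (Stored)": ("scripting (persistent)", "xss (stored)"),
    "CSP Bypass": ("content security policy",),
    "JavaScript": ("javascript",),
    "Authorisation Bypass": ("authorisation", "authorization", "access control"),
    "Open HTTP Redirect": ("redirect",),
}

# Constructed scanner output: a few Nikto finding lines and ZAP alert titles,
# chosen to follow the lab narrative (SQLi found, CSRF and file inclusion missed).
NIKTO_FINDINGS = [
    "Server: Apache/2.4.7 (Ubuntu)",
    "The anti-clickjacking X-Frame-Options header is not present.",
    "HTTP TRACE method is active, suggesting the host is vulnerable to XST",
    "/dvwa/phpinfo.php: Output from the phpinfo() function was found.",
]
ZAP_ALERTS = [
    "SQL Injection",
    "Cross Site Scripting (Reflected)",
    "Remote OS Command Injection",
    "X-Frame-Options Header Not Set",
    "Cookie No HttpOnly Flag",
]


def map_finding(text):
    """DVWA category a scanner finding belongs to, or None for server/config-level items."""
    lowered = text.lower()
    for category, keywords in CATEGORY_KEYWORDS.items():
        if any(k in lowered for k in keywords):
            return category
    return None


def gap_table(menu, nikto_findings, zap_alerts):
    """One row per DVWA category: the scanner findings that landed on it, and a status."""
    rows = []
    for category in menu:
        nikto = [f for f in nikto_findings if map_finding(f) == category]
        zap = [a for a in zap_alerts if map_finding(a) == category]
        rows.append({"category": category, "nikto": nikto, "zap": zap,
                     "status": "scanner" if nikto or zap else "manual only"})
    return rows


def manual_only(rows):
    """Categories no scanner touched: the manual-testing backlog."""
    return [r["category"] for r in rows if r["status"] == "manual only"]


def unmapped(findings):
    """Scanner findings outside DVWA's menu (server-level or configuration items)."""
    return [f for f in findings if map_finding(f) is None]


def render(rows):
    """Print the gap table in the layout the lab asks for."""
    width = max(len(r["category"]) for r in rows)
    print(f"{'DVWA category'.ljust(width)} | Nikto | ZAP | status")
    for r in rows:
        print(f"{r['category'].ljust(width)} | {len(r['nikto']):5d} | "
              f"{len(r['zap']):3d} | {r['status']}")


if __name__ == "__main__":
    rows = gap_table(DVWA_MENU, NIKTO_FINDINGS, ZAP_ALERTS)
    render(rows)
    print("\nManual-only categories:", ", ".join(manual_only(rows)))
    print("Findings outside the DVWA menu:", len(unmapped(NIKTO_FINDINGS + ZAP_ALERTS)))
```

With the constructed inputs, every Nikto line ends up in `unmapped()`: Nikto reports server-level facts, none of which correspond to a DVWA menu entry, which is the point of Step 4c. Only three categories get scanner coverage, all from ZAP, and the remaining thirteen (CSRF, File Inclusion, Authorisation Bypass among them) are the manual backlog. Replace the two input lists with the findings from your own runs and the table becomes your Exercise 3 deliverable.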
This article was originally written and published by the SecurityElites team.