Hacking Labs -- Day 2026 of 300
100%

DVWA Automated Scan Lab 2026 — Nikto & OWASP ZAP Against a Real Vulnerable Target | Hacking Lab25

Mr Elite 17 min read Hacking Labs -- Day 2026
DVWA Automated Scan Lab 2026 — Nikto & OWASP ZAP Against a Real Vulnerable Target | Hacking Lab25
🧪 DVWA LABS
FREE

Part of the DVWA Lab Series — 30 Labs

Lab 25 of 30 · 83.3% complete

Every professional penetration tester uses automated scanners. Not because they replace manual testing — they don’t — but because running Nikto for five minutes and ZAP for twenty minutes before you start your manual session tells you things you’d waste an hour discovering by hand. Server version disclosures. Missing security headers. Known CVE matches on outdated components. The automated scanner does the breadth sweep so you can focus your manual time on depth.

Lab 25 puts you on the other side of that equation. You’re going to point Nikto and ZAP at a target you already know is full of vulnerabilities — DVWA — and watch what they find. More importantly, you’re going to watch what they don’t find. The gap between what an automated scanner reports and what DVWA actually contains is the clearest illustration of why manual testing exists. The scanner finds SQL injection in the obvious form field. It misses the CSRF, the file inclusion at medium security, and the access control bypass entirely.

That gap is the thing every ethical hacker needs to understand before they build their first professional pentest methodology.

Which automated scanning tool have you used before?




🎯 DVWA Automated Scan Lab 25 Objectives

Run a complete Nikto scan against DVWA and interpret every finding in the output
Configure OWASP ZAP with an authenticated session and run an active scan against DVWA
Build a gap analysis table comparing what scanners found vs DVWA’s known vulnerabilities
Understand exactly why automated scanners miss CSRF, IDOR, and business logic flaws

⏱️ Lab 25 · 3 terminal exercises · DVWA + Nikto + OWASP ZAP

✅ Prerequisites

  • DVWA running — Docker or VirtualBox from
    Lab 1
  • Burp Suite integration from
    Lab 24

    — the manual baseline you’ll compare against scanner output

  • Kali Linux with Nikto installed — sudo apt install nikto if missing

📋 DVWA Automated Scan Lab 25 Contents

  1. Nikto — Web Server Scanner Fundamentals
  2. Exercise 1: Running Nikto Against DVWA
  3. OWASP ZAP — Application-Level Scanning
  4. Exercise 2: Authenticated ZAP Scan Against DVWA
  5. Exercise 3: Gap Analysis — What Automated Scanning Misses

Nikto — Web Server Scanner Fundamentals

Here’s what it’s checking across those 6,700+ items: dangerous files that shouldn’t be publicly accessible, server headers that leak version numbers, outdated software signatures, insecure HTTP methods left enabled, and default configuration that nobody changed from the install defaults. It’s not sending SQL injection payloads into form fields — that’s not what it does. What it does is give you a server-level picture in under two minutes that would take 30 minutes to check manually. That baseline matters before you start application-level testing.

On a real engagement I run Nikto first, while I’m reading the scope document and taking notes. It runs in the background and finishes by the time I’m ready to start manual testing. The three findings I pay most attention to: version disclosures (are there CVEs for this server version?), missing security headers (quick wins for the report), and any exposed admin paths I hadn’t already found.

NIKTO — CORE COMMAND OPTIONS
# Basic scan
nikto -h http://TARGET_IP
# Scan with HTTP authentication credentials
nikto -h http://TARGET_IP/dvwa -id admin:password
# Scan with custom port
nikto -h http://TARGET_IP -p 8080
# Save output to file
nikto -h http://TARGET_IP -o nikto_results.txt -Format txt
# Understanding Nikto output prefixes
+ → finding (potential issue)
– → informational message
OSVDB-XXXX → reference to Open Source Vulnerability Database
# What Nikto looks for
Server header version disclosure (Apache/2.4.7 ← outdated)
Missing security response headers
Dangerous HTTP methods (TRACE, OPTIONS)
Known sensitive file paths (/backup, /.git, /phpinfo.php)
Default files from web frameworks

⚡ EXERCISE 1 — KALI TERMINAL (20 MIN)
Run Nikto Against DVWA and Interpret Every Finding

⏱️ 20 minutes · Kali Linux + DVWA running

Nikto against a known-vulnerable target gives you a reference dataset — you know what the target contains, so you can evaluate exactly what Nikto finds and what it misses. Work through every line of output.

Step 1: Confirm DVWA is running and note IP
# Docker:
docker ps | grep dvwa
docker inspect [container_id] | grep IPAddress

# VirtualBox:
ip addr show eth0 (inside DVWA VM)

Step 2: Run Nikto with credentials
nikto -h http://DVWA_IP/dvwa -id admin:password -o /tmp/nikto_dvwa.txt
# Let it run — takes 3-8 minutes

Step 3: While Nikto runs — list DVWA’s known vulnerabilities
Navigate to DVWA in your browser
Count: how many vulnerability categories appear in the menu?
List them: Brute Force, Command Injection, CSRF, File Inclusion…
This is your ground truth — what does DVWA actually contain?

Step 4: Analyse Nikto output
cat /tmp/nikto_dvwa.txt
For each finding:
a) What is the finding description?
b) Is it a real security issue or informational?
c) How does it relate to DVWA’s known vulnerabilities?

Step 5: Count and categorise findings
How many findings are: High / Medium / Low / Informational?
How many of DVWA’s 15 vulnerability categories did Nikto detect?
Which vulnerability categories does Nikto completely miss?

✅ The ratio of Nikto findings to DVWA vulnerabilities is the key data point from this exercise. Nikto will find server-level issues — header disclosures, PHP info pages if present, dangerous methods. It will not find SQL injection, XSS, CSRF, file inclusion, or command injection — the application-level vulnerabilities that are DVWA’s core content. That’s not a failure of Nikto; it’s working exactly as designed. Nikto is a server scanner, not an application scanner. The professional lesson: tool selection must match what you’re trying to find.

📸 Screenshot your Nikto output. Share in #dvwa-labs

OWASP ZAP — Application-Level Scanning

ZAP is a full web application proxy and scanner — the open-source equivalent of Burp Suite for scanning purposes. It spiders the application (crawling all links and forms), then runs its active scanner (sending attack payloads to each discovered endpoint). The key difference from Nikto: ZAP tests application logic by submitting requests to forms and APIs with malicious payloads.

The authentication challenge is where most people stumble with ZAP on authenticated applications. If ZAP can’t log in, it scans the pre-login pages only and misses everything behind authentication. For DVWA, you need to either provide ZAP with the login form fields and credentials, or start with a manual authenticated browse and let ZAP build its context from that session.

OWASP ZAP — AUTHENTICATED SCAN SETUP
# Launch ZAP
zaproxy &
# Or from Kali menu: Applications → Web Application Analysis → OWASP ZAP
# Method 1: Quick Start (easiest for DVWA)
Quick Start tab → Automated Scan → URL: http://DVWA_IP/dvwa
# ZAP will encounter the login form — configure auth context:
# Method 2: Manual Explore + then scan (most reliable)
1. Quick Start → Manual Explore → URL: http://DVWA_IP/dvwa
2. ZAP opens Firefox → log in manually → browse all DVWA pages
3. Return to ZAP → Sites tree shows all visited URLs
4. Right-click DVWA_IP in Sites → Attack → Active Scan
# Read alerts after scan
Alerts tab → sort by Risk (High first)
Click each alert → read description, URL, evidence, solution

securityelites.com
Scanner Gap Analysis — DVWA Vulnerability Coverage
DVWA VulnerabilityNiktoZAP (Low)Manual Burp
SQL Injection
XSS Reflected
CSRF
File Inclusion⚠️
Command Injection⚠️
Security Headers
⚠️ = partial detection at Low security | ❌ = not detected

📸 Scanner gap analysis showing DVWA vulnerability coverage by tool. The pattern is clear: Nikto finds only server-level issues (security headers, version disclosure). ZAP finds injection vulnerabilities where payloads match templates at Low security. Manual Burp testing finds everything. CSRF is the most significant ZAP gap — it requires understanding token validation context that an automated scanner can’t infer. File Inclusion and Command Injection at higher security levels require evasion techniques beyond standard payload lists. This table is the professional argument for multi-layer testing methodology.

securityelites.com
Nikto Web Scanner — DVWA Output
$ nikto -h http://dvwa.local -port 80
– Nikto v2.x
+ Target IP: 192.168.56.101
+ Target Port: 80
+ Server: Apache/2.4.x (Debian)
+ /: Cookie PHPSESSID created without the httponly flag.
+ /: Cookie security created without the httponly flag.
+ /phpMyAdmin/: phpMyAdmin directory found.
+ /config/: Directory indexing found.
+ OSVDB-3092: /login.php: This might be interesting…
+ /setup.php: Setup page found. Review manually.
+ 6448 requests: 0 error(s) and 6 item(s) reported

📸 Nikto scan output against DVWA showing six findings including cookie flag misconfigurations, phpMyAdmin exposure, and directory indexing on /config/. The cookie findings (missing httponly flag) are present on every DVWA installation by design — they’re intentional vulnerabilities. The /config/ directory indexing and phpMyAdmin exposure are higher-value findings that would rate Medium on a real target. Nikto’s 6,448 requests complete in under two minutes against a local target — fast enough to run at the start of every assessment before deeper manual testing begins.

⚡ EXERCISE 2 — KALI TERMINAL (25 MIN)
Run an Authenticated ZAP Active Scan Against DVWA

⏱️ 25 minutes · OWASP ZAP + DVWA running

ZAP’s value over Nikto is application-level testing. Configure it with a live authenticated session and run the active scanner — then compare what it finds against what you know DVWA contains.

Step 1: Launch ZAP and start Manual Explore
zaproxy &
Quick Start → Manual Explore → URL: http://DVWA_IP/dvwa → Launch Browser

Step 2: Log in and browse all DVWA pages manually
In the ZAP-managed Firefox:
Log in as admin/password
DVWA Security → set to Low
Browse every vulnerability page: click each link in the DVWA menu
Submit at least one form on each page (even with test input)

Goal: build a complete site map in ZAP’s Sites tree

Step 3: Run Active Scan
Return to ZAP main window
In Sites tree → right-click DVWA_IP → Attack → Active Scan
Scope: DVWA_IP only
Scan Policy: Default Active Scan Policy
Click Start Scan

Step 4: Monitor scan progress
Active Scan tab shows progress
Alerts tab updates in real time as findings appear
Let scan complete (10-20 minutes)

Step 5: Review alerts by risk level
Alerts tab → sort by Risk (High first)
For each High/Medium alert:
a) What vulnerability did ZAP detect?
b) Which DVWA page/form was affected?
c) What payload did ZAP use to trigger the finding?
d) Is this a true positive or false positive?

Step 6: Compare ZAP findings against Nikto findings
Which vulnerabilities appear in both?
Which vulnerabilities appear in ZAP only?
Which DVWA vulnerabilities appear in neither?

✅ The authenticated ZAP session you built in Step 2 is the critical configuration step. Without it, ZAP scans only the login page and finds almost nothing valuable. With it, ZAP has visibility into every form on every DVWA page — and finds the SQL injection and XSS findings that Nikto completely missed. The SQL injection finding in ZAP will show you the exact payload that triggered a different response — compare that payload against what you’d use in Burp Repeater, and you’ll see why ZAP’s automated payloads find obvious injection but miss the more subtle variants at Medium and High security levels.

📸 Screenshot ZAP Alerts tab showing High-risk findings. Share in #dvwa-labs

securityelites.com
OWASP ZAP — Active Scan Results Dashboard
🔴 High
SQL Injection — /vulnerabilities/sqli/
Confirmed
🔴 High
Cross Site Scripting — /vulnerabilities/xss_r/
Confirmed
🟡 Medium
Absence of Anti-CSRF Tokens
Confirmed
🟡 Medium
X-Frame-Options Header Not Set
Confirmed
🔵 Low
Cookie Without SameSite Attribute (×3)
Confirmed

📸 OWASP ZAP active scan results against DVWA showing the expected vulnerability set at Low security level. ZAP correctly identifies SQL injection and XSS as High findings, CSRF and X-Frame-Options as Medium, and cookie attribute issues as Low. This is what a real scan output looks like before you differentiate automated findings from confirmed manual findings — ZAP flags the locations, your manual verification in Burp confirms exploitability and impact. The combination of automated scanning for coverage and manual verification for accuracy is the professional assessment workflow this lab trains.

⚡ EXERCISE 3 — KALI TERMINAL (20 MIN)
Build the Scanner Gap Analysis Table

⏱️ 20 minutes · Results from Exercises 1 and 2 required

The gap analysis is the most professionally valuable output from this lab. It teaches you exactly when to trust a scanner and when to keep testing manually. Build it from your actual Nikto and ZAP results.

Step 1: List all DVWA vulnerability categories
Browse DVWA menu → list all categories
You should have at least: Brute Force, Command Injection, CSRF,
File Inclusion, File Upload, SQL Injection, SQL Injection (Blind),
Weak Session IDs, XSS DOM, XSS Reflected, XSS Stored, CSP Bypass,
JS Attacks, Open HTTP Redirect

Step 2: For each category, check Nikto results
Did Nikto flag anything related to this category?
Mark: Yes / No / Partial

Step 3: For each category, check ZAP alerts
Did ZAP flag anything related to this category?
Mark: Yes / No / Partial
Note the ZAP alert risk level if found

Step 4: For each category you’ve previously completed in Labs 1-24
Mark whether manual Burp testing finds it: Yes (all labs do)

Step 5: Build the table and find the gaps
Create a table: Vulnerability | Nikto | ZAP | Manual
Identify: which categories are scanner-only gaps?
Answer: What is the MINIMUM testing methodology that catches all 14 categories?

Step 6: Write 3 sentences summarising when automated scanning is sufficient
vs when manual testing is required.
This is the methodology statement for your future pentest reports.

✅ The gap analysis table you just built is a professional deliverable — the methodology statement you wrote in Step 6 goes directly into your penetration test reports as the rationale for your testing approach. Every client who asks “why do we need manual testing if you’re running automated scanners?” gets that answer. CSRF, IDOR, business logic vulnerabilities, and multi-step attack chains require a human tester who understands application context. Automated scanners provide breadth; manual testing provides depth. Both are required for comprehensive assessment coverage.

📸 Screenshot your gap analysis table. Share in #dvwa-labs

📋 Lab 25 Reference — Scanner Commands

Nikto basicnikto -h http://TARGET
Nikto with authnikto -h http://TARGET -id user:pass
Nikto to filenikto -h http://TARGET -o results.txt -Format txt
ZAP launchzaproxy & (or Kali menu → Web Application Analysis)
ZAP auth setupQuick Start → Manual Explore → log in → browse → then Active Scan
ZAP active scanSites tree → right-click target → Attack → Active Scan
ZAP alertsAlerts tab → sort by Risk

✅ Lab 25 Complete — Scanner Capabilities and Gaps Understood

Nikto for server-level breadth, ZAP for application-level scanning, manual Burp for everything they miss. Lab 26 is the final methodology lab: authentication bypass — pulling together session management, parameter tampering, and access control testing into a single coherent workflow.


🧠 Lab 25 Check

Your ZAP scan finds SQL injection and reflected XSS on DVWA but misses CSRF entirely. Explain specifically why ZAP cannot detect CSRF, and what testing approach confirms it.



❓ DVWA Automated Scan FAQ

What does Nikto find on DVWA?
On DVWA: missing security headers (X-Frame-Options, Content-Security-Policy), server and PHP version disclosure in response headers, dangerous HTTP methods, and some exposed configuration paths. Nikto doesn’t find application-level vulnerabilities (SQLi, XSS, CSRF) — it’s a server-level scanner, not an application security scanner.
What does OWASP ZAP find on DVWA?
ZAP’s active scanner against DVWA at Low security typically finds: SQL injection in the SQLi form, reflected XSS in the XSS Reflected form, and various header-related informational alerts. ZAP misses CSRF, file inclusion at higher security levels, and any vulnerability requiring multi-step attack chains or evasion techniques beyond standard payload lists.
What is the difference between Nikto and OWASP ZAP?
Nikto: web server scanner, finds server-level issues (versions, methods, exposed files). Fast — 2-5 minutes. Doesn’t test application forms. ZAP: full web application proxy and scanner, finds application-level vulnerabilities by submitting attack payloads to forms and APIs. Slower — 10-60 minutes. Use both in sequence: Nikto for server breadth, ZAP for application depth, manual Burp for everything they miss.
What vulnerabilities do automated scanners miss?
Consistently missed: CSRF (requires contextual token validation analysis), IDOR and access control flaws (require multi-account testing), business logic vulnerabilities (require application context understanding), multi-step attack chains, and stored XSS where injection and reflection are on different pages. These are the vulnerabilities that justify manual penetration testing alongside automated scanning.
How long does a ZAP active scan take on DVWA?
10-20 minutes for DVWA. The spider phase takes 1-3 minutes. The active scan depends on scope settings and scan policy. DVWA has few endpoints compared to real applications — real application scans typically run 30-120 minutes depending on scope size.
Should I use Nikto or ZAP for real penetration testing?
Both, in sequence: Nikto first (5 minutes, server-level), then ZAP (20-60 minutes, application-level). Automated scanners provide breadth coverage across all endpoints. Manual Burp testing then provides depth on the most interesting attack surfaces. Neither alone is sufficient — the combination is standard professional methodology.
← Previous

Lab 24 — Burp Suite Integration

Next →

Lab 26 — Authentication Bypass

A professional automated scan workflow has three phases that this lab teaches in sequence. Phase one is configuration: setting scope correctly so scanners don’t waste time on third-party assets, configuring authentication so scanners test protected endpoints, and setting appropriate scan intensity for the target environment. Phase two is triage: reading scan output and categorising findings by confirmed-exploitable, likely-exploitable, and informational. Phase three is verification: taking every confirmed-exploitable finding into Burp Repeater to document exact reproduction steps. Most labs skip phase one entirely and wonder why their scanner output is full of out-of-scope findings. Most beginners skip phase three and submit scanner reports without manual verification — programmes reject those immediately. This lab builds all three phases as a single workflow.

The hardest skill to develop with automated scanning isn’t running the tools — it’s reading the output and deciding what needs manual verification. Automated scanners produce false positives, miss context-dependent vulnerabilities, and sometimes flag informational issues at High severity because of misconfigured templates. Every finding from Nikto and ZAP in this lab needs a manual verification step before it goes in a report. The automation does the coverage work: scanning 6,448 paths in two minutes, testing hundreds of vulnerability patterns simultaneously. Your job is the analysis: what does this finding mean in the context of this application, what’s the actual impact, and is it exploitable or just theoretical? That analysis is what separates a scanner output from a penetration test report.

📚 Further Reading

  • Lab 24 — Burp Suite Integration — The manual testing baseline you’re comparing against scanner output in this lab. The gap analysis is most meaningful when you’ve completed the same vulnerability categories manually first.
  • Kali Linux Day 24 — OWASP ZAP Tutorial — Full ZAP configuration guide including custom scan policies, authentication context setup, and API scanning — extends the basic ZAP workflow from this lab to professional assessment use.
  • Bug Bounty Automation Lab Under $100 — Nuclei is the automated scanner used in professional bug bounty automation — how its template-based approach compares to ZAP’s active scanning for production reconnaissance.
  • Kali Linux — Nikto Official Documentation — Complete Nikto command reference covering all scan modes, output formats, tuning options, and the full list of checks Nikto performs by category.
  • OWASP ZAP Official Documentation — The complete ZAP documentation covering authentication configuration, scan policy tuning, scripting, and API-based automation — the reference for advanced ZAP usage beyond this lab’s scope.
ME
Mr Elite
Owner, SecurityElites.com
The gap analysis table from this lab is one of the most useful things I keep from my early training. I still pull it out when clients ask why they need manual penetration testing if they’re already running automated scanners quarterly. CSRF, IDOR, business logic — three vulnerability categories that automated scanners structurally cannot find, that appear consistently in real applications, and that represent some of the highest-severity findings on real assessments. The scanners handle the repetitive template-matching work. Manual testing handles everything that requires understanding what the application is actually supposed to do. Both have their place, neither replaces the other, and knowing exactly where the line falls is what makes you a professional rather than someone who runs tools.

automated web scanner DVWA DVWA Nikto scan tutorial DVWA vulnerability scanner Nikto vs ZAP comparison OWASP ZAP DVWA tutorial web application scanner tutorial 2026
Join free to earn XP for reading this article Track your progress, build streaks and compete on the leaderboard.
Join Free

Leave a Comment

Your email address will not be published. Required fields are marked *