Kali Linux Tools for Web Security: A Practitioner's Guide

Kali Linux ships with hundreds of security tools. For web application security specifically, about a dozen of them matter. This guide covers the core tools, when to use each, and how they chain together in a real scanning workflow.

This isn't a "top 10 tools" listicle. It's a practitioner's reference for how these tools actually get used together.

The Core Web Security Toolkit

nmap — The Starting Point

Every web security assessment starts with nmap. Before you can test a web application, you need to know what's running, on which ports, with what services.

What it does: Network discovery and port scanning. Identifies open ports, running services, service versions, and operating system details.

Key flags for web security:

# Quick service detection on common web ports
nmap -sV -p 80,443,8080,8443 target.com

# Comprehensive scan with scripts
nmap -sV -sC -p- target.com

# Aggressive scan with OS detection
nmap -A -T4 target.com

What to look for in output:

• Open ports beyond 80/443 (8080, 8443, 3000, 5000 — development servers left exposed)
• Service versions (outdated Apache, nginx, or application server versions)
• SSL/TLS on non-standard ports
• Database ports exposed (3306 MySQL, 5432 PostgreSQL, 27017 MongoDB)

Chains to: Everything else. Nmap results determine which tools run next.

nikto — Web Server Assessment

Once nmap confirms a web server is running, nikto probes it for misconfigurations and known vulnerabilities.

What it does: Web server scanner that checks for dangerous files, outdated server software, and server configuration problems. Tests over 6,700 potentially dangerous files and programs.

Key usage:

# Basic scan
nikto -h https://target.com

# Scan specific port
nikto -h target.com -p 8443

# With authentication
nikto -h https://target.com -id admin:password

# Tuning for specific test categories
nikto -h https://target.com -Tuning 1234

Tuning categories:

1. Interesting files
2. Misconfigurations
3. Information disclosure
4. Injection (XSS/Script/HTML)
5. Remote file retrieval (inside web root)
6. Denial of service (use cautiously)
7. Remote file retrieval (server-wide)
8. Command execution
9. SQL injection

0. File upload

What it finds that others miss: Server-level issues — default files, backup files (.bak, .old, ~), directory indexing, server headers leaking version information, and misconfigurations that application-level scanners often skip.

Chains to: Specific vulnerability scanners based on findings (SQL injection → sqlmap, XSS → manual testing or xsstrike).

nuclei — Template-Based Vulnerability Detection

Nuclei is the most versatile tool in the modern web security toolkit. Its template-based approach means it can detect virtually any known vulnerability pattern.

What it does: Sends HTTP requests defined in YAML templates and matches responses against expected patterns. The community template library covers thousands of CVEs, misconfigurations, exposed panels, and technology-specific vulnerabilities.

Key usage:

# Run all templates against a target
nuclei -u https://target.com

# Filter by severity
nuclei -u https://target.com -severity critical,high

# Specific template categories
nuclei -u https://target.com -tags cve,misconfig

# Technology-specific
nuclei -u https://target.com -tags wordpress
nuclei -u https://target.com -tags apache

# With a list of URLs
nuclei -l urls.txt -severity critical,high,medium

Why nuclei is powerful: The template library is community-maintained and constantly updated. When a new CVE drops, a nuclei template often appears within days. As of 2026, the library contains 8,000+ templates covering:

• Known CVEs with verified detection patterns
• Default credentials for common applications
• Exposed administration panels
• Misconfigured cloud services (S3 buckets, Azure blobs)
• Technology fingerprinting
• Information disclosure (debug endpoints, stack traces)

What makes good nuclei usage: Run broad first (all templates, high/critical severity), then narrow based on discovered technologies. If whatweb identifies WordPress, run WordPress-specific templates. If the application uses a specific framework, target those templates.

Chains to: Deep investigation of specific findings, manual exploitation verification.

sqlmap — SQL Injection Specialist

When you suspect SQL injection — from nikto findings, nuclei alerts, or manual observation — sqlmap is the definitive testing tool.

What it does: Automates detection and exploitation of SQL injection vulnerabilities. Supports MySQL, PostgreSQL, Oracle, MSSQL, SQLite, and more.

Key usage:

# Test a specific URL parameter
sqlmap -u "https://target.com/page?id=1" --batch

# Test a POST form
sqlmap -u "https://target.com/login" --data="user=test&pass=test" --batch

# With cookie/session
sqlmap -u "https://target.com/dashboard?id=1" --cookie="session=abc123" --batch

# Specify database type if known
sqlmap -u "https://target.com/api/users?id=1" --dbms=postgresql --batch

# Risk and level tuning
sqlmap -u "https://target.com/page?id=1" --level=3 --risk=2 --batch

Level vs Risk:

• Level (1-5): How many parameters and injection points to test. Higher = more thorough, slower.
• Risk (1-3): How aggressive the payloads are. Risk 3 includes heavy queries that could cause issues.
• For production environments: level 3, risk 1-2. For staging: level 5, risk 3.

When to use: Don't run sqlmap against every endpoint. Use it when:

• A parameter accepts user input that likely queries a database
• Nikto or nuclei flagged a potential injection point
• Error messages reveal database interaction (stack traces, SQL errors)

Chains from: Nmap (found database ports), nikto (found injection hints), nuclei (found SQL-related CVEs).

testssl.sh — TLS/SSL Configuration Analysis

TLS misconfigurations are among the most common web security issues. Testssl.sh is the comprehensive checker.

What it does: Tests a server's TLS/SSL implementation for supported protocols, cipher suites, certificate issues, and known vulnerabilities (POODLE, BEAST, Heartbleed, ROBOT, etc.).

Key usage:

# Full test
testssl.sh https://target.com

# Quick check (protocols + vulnerabilities only)
testssl.sh --fast https://target.com

# Specific checks
testssl.sh --protocols https://target.com
testssl.sh --vulnerable https://target.com
testssl.sh --headers https://target.com

# JSON output for parsing
testssl.sh --jsonfile results.json https://target.com

What to look for:

• TLS 1.0 or 1.1 still enabled (should be disabled)
• Weak cipher suites (RC4, DES, export ciphers)
• Missing HSTS header
• Certificate issues (expiring soon, wrong hostname, weak signature)
• Known vulnerabilities (Heartbleed, POODLE, ROBOT)
• Missing security headers (checked via --headers)

Chains from: Nmap (identified SSL/TLS on a port). Should be run against every HTTPS endpoint discovered.

whatweb — Technology Fingerprinting

Before you can test effectively, you need to know what you're testing against. Whatweb identifies the technology stack.

What it does: Identifies web technologies — CMS, frameworks, server software, JavaScript libraries, analytics tools, and more. Uses over 1,800 plugins.

Key usage:

# Basic identification
whatweb https://target.com

# Aggressive detection
whatweb -a 3 https://target.com

# Verbose output
whatweb -v https://target.com

Aggression levels:

1. Stealthy — one HTTP request
2. (unused)
3. Aggressive — additional requests for deeper identification
4. Heavy — tries all plugins, many requests

Why it matters for scanning workflows: Whatweb output determines which specialized scans to run:

• WordPress detected → WordPress-specific nuclei templates + wpscan
• Drupal detected → Drupal-specific scanning
• Outdated jQuery → client-side vulnerability checks
• Specific server version → targeted CVE scanning

Chains to: Nuclei (with technology-specific templates), specialized scanners.

How These Tools Chain Together

Here's how an experienced pentester sequences these tools, and why:

Step 1: nmap
  → Discover open ports and services
  → Identify web servers (HTTP/HTTPS)
  → Note any exposed database ports

Step 2: whatweb (for each web service found)
  → Identify CMS, framework, libraries
  → Determine technology-specific scan targets

Step 3: testssl.sh (for each HTTPS service)
  → Check TLS configuration
  → Identify protocol/cipher weaknesses

Step 4: nikto (for each web service)
  → Check server misconfigurations
  → Find default files, backups, directories
  → Surface potential injection points

Step 5: nuclei (for each web service)
  → Broad scan: high/critical severity first
  → Targeted: technology-specific templates from whatweb results
  → CVE-specific: based on server versions from nmap

Step 6: sqlmap (targeted, based on earlier findings)
  → Test parameters flagged by nikto/nuclei
  → Test forms and API endpoints that interact with databases
  → Only when there's evidence suggesting injection potential

Step 7: Manual investigation
  → Verify critical/high findings
  → Test business logic (no tool catches these)
  → Deep dive on interesting anomalies

The key insight: each tool informs the next. This isn't a checklist — it's a decision tree. If nmap finds no web servers, you don't run nikto. If whatweb identifies WordPress, you add WordPress-specific nuclei templates. If nikto finds SQL error messages, you prioritize sqlmap on those endpoints.

This adaptive, intelligence-driven approach is what separates a thorough assessment from a checkbox scan.

The Automation Gap

Every tool described here is excellent at what it does. The gap isn't in the tools — it's in the orchestration.

Running these tools manually takes hours of an experienced security engineer's time. Not because the tools are slow, but because the decision-making between steps is manual: reading output, deciding what to run next, configuring the next tool based on what was found.

Automating the individual tools is straightforward. Automating the decision-making between them — the intelligence that chains nmap results into nikto configurations into nuclei template selection into targeted sqlmap runs — is the hard problem.

That's exactly the problem AI orchestration is built to solve. The tools stay the same. The intelligence that connects them becomes automated. You get the depth of a manual assessment with the speed and consistency of automation.