
Wapiti - Web Application Vulnerability Scanner

Tags: wapiti urls scan

Wapiti is an open source command-line application that you can use to audit the security of your web applications.

It performs "black-box" scans, i.e. it does not study the source code of the application but crawls the web pages of the deployed web app, looking for scripts and forms where it can inject data.

Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

Wapiti can detect the following vulnerabilities:
  • File disclosure (local and remote include/require, fopen, readfile...)
  • Database injection (PHP/JSP/ASP SQL injections and XPath injections)
  • XSS (Cross Site Scripting) injection (reflected and permanent)
  • Command execution detection (eval(), system(), passthru()...)
  • CRLF injection (HTTP response splitting, session fixation...)
  • XXE (XML eXternal Entity) injection
  • Use of known potentially dangerous files (thanks to the Nikto database)
  • Weak .htaccess configurations that can be bypassed
  • Presence of backup files giving sensitive information (source code disclosure)

Wapiti supports both the GET and POST HTTP methods for attacks. It also supports multipart requests and can inject payloads into file names (uploads).

It will display a warning when an anomaly is found (for example 500 errors and timeouts).

Features:

  • Generates vulnerability reports in various formats (HTML, XML, JSON, TXT...)
  • Can suspend and resume a scan or an attack
  • Can use colors in the terminal to highlight vulnerabilities
  • Different levels of verbosity
  • Fast and easy way to activate/deactivate attack modules
  • Adding a payload can be as easy as adding a line to a text file
  • Supports HTTP and HTTPS proxies
  • Authentication via several methods: Basic, Digest, Kerberos or NTLM
  • Ability to restrain the scope of the scan (domain, folder, web page)
  • Automatic removal of a parameter in URLs
  • Safeguards against endless scan loops (maximum number of values for a parameter)
  • Possibility to set the first URLs to explore (even if not in scope)
  • Can exclude some URLs from the scan and attacks (e.g. a logout URL)
  • Import of cookies (get them with the wapiti-cookie and wapiti-getcookie tools)
  • Can activate/deactivate SSL certificate verification
  • Extracts URLs from Flash SWF files
  • Tries to extract URLs from JavaScript (very basic JS interpreter)
  • HTML5 aware (understands recent HTML tags)

Usage:

python wapiti.py http://server.com/base/url/ [options] 

Options:

  -s, --start
      Specify a URL to start with. This option can be given several times.
      Wapiti will browse these links to find more URLs even if the specified
      link is not in the scope.

  -x, --exclude
      Exclude a URL from the scan (e.g. logout URLs). This option can be given
      several times to specify several URLs.
      Wildcards (*) can be used in URLs as a basic regex.
      Example: -x http://server/base/?page=*&module=test
      or -x http://server/base/admin/* to exclude a directory.

  -p, --proxy
      Specify a proxy. Currently supported proxies are HTTP and HTTPS.
      This option can be given twice to specify the HTTP and the HTTPS proxy.
      Example: -p http://proxy:port/

  -c, --cookie
      Import cookies to use for the scan. The cookie file must be in JSON
      format. Cookies can be grabbed using the cookie.py and getcookie.py
      utilities (net directory).

  -t, --timeout
      Set the timeout (maximum time in seconds to wait for the server to send
      a response).

  -a, --auth
      Set credentials for HTTP authentication.

  --auth-method
      If the server requires authentication, set the authentication method to
      use. Currently supported methods are (some require additional modules to
      be installed):
      + basic
      + digest
      + kerberos
      + ntlm

  -r, --remove
      Remove a parameter (name and value) from URLs.

  -n, --nice
      Define a limit of URLs to browse with the same pattern (i.e. the maximum
      number of unique values for the same parameter).
      Use this option to prevent endless loops during a scan. The limit must be
      greater than 0.
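The two URL-handling options just described, -r/--remove (strip a parameter from URLs) and -n/--nice (cap the number of distinct values crawled per parameter so that a page such as ?id=1, ?id=2, ?id=3... cannot keep the crawler busy forever), can be illustrated with a small reimplementation. The code below is an added example written for this page, not Wapiti's own code; the names remove_param and NiceLimiter, and the way a "pattern" is defined (host, path and the sorted set of parameter names), are this example's assumptions about how such a safeguard works, and the URLs are constructed for the demonstration.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def remove_param(url, name):
    """Drop every occurrence of query parameter `name` (with its value) from `url`.

    Hypothetical counterpart of the -r/--remove option.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != name]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


class NiceLimiter:
    """Cap the number of distinct values crawled per parameter of a URL pattern.

    Hypothetical counterpart of the -n/--nice option. A "pattern" is
    (host, path, sorted parameter names). The limiter remembers the values
    seen for each parameter of each pattern and refuses a URL once one of its
    parameters would exceed `limit` distinct values.
    """

    def __init__(self, limit):
        if limit <= 0:
            raise ValueError("limit must be greater than 0")
        self.limit = limit
        self._values = defaultdict(set)  # (pattern, param name) -> values seen

    def accept(self, url):
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        pattern = (parts.netloc, parts.path,
                   tuple(sorted(name for name, _ in params)))
        # First pass: would any parameter go over the limit with a new value?
        for name, value in params:
            seen = self._values[(pattern, name)]
            if value not in seen and len(seen) >= self.limit:
                return False
        # Second pass: record the values only once the URL is accepted.
        for name, value in params:
            self._values[(pattern, name)].add(value)
        return True


if __name__ == "__main__":
    # Constructed URLs, not taken from any real scan.
    limiter = NiceLimiter(2)
    for candidate in ("http://server/list.php?id=1",
                      "http://server/list.php?id=2",
                      "http://server/list.php?id=3",
                      "http://server/list.php?id=3&sort=asc"):
        print(candidate, "->", "crawl" if limiter.accept(candidate) else "skip")
    print(remove_param("http://server/a.php?sid=abc&page=2", "sid"))
```

With a limit of 2, the third distinct value of id is skipped while a URL with a different parameter set (id plus sort) is a new pattern and is accepted; a value that was already seen is always accepted again.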

  -m, --module
      Set the modules (and HTTP methods for each module) to use for attacks.
      Prefix a module name with a dash to deactivate the related module.
      To only browse the target (without sending any payloads), deactivate
      every module with -m "-all".
      If you don't specify the HTTP methods, GET and POST will be used.
      Example: -m "-all,xss:get,exec:post"
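A parser for the module specification format described above, added here as an example and not taken from Wapiti's sources. The module list MODULES is constructed for the demonstration (the page only names xss and exec; Wapiti's real module names may differ), and the exact rules, in particular that "name:method" adds a method to a module and that a narrowing specification therefore starts with "-all" as in the page's own example, are this example's reading of the option text.

```python
HTTP_METHODS = ("get", "post")

# Constructed module list for the example; only "xss" and "exec" appear on the
# page, the other names are placeholders and may not match Wapiti's modules.
MODULES = ("backup", "exec", "file", "sql", "xss")


def parse_modules(spec, known=MODULES):
    """Parse a -m/--module string into {module: sorted list of HTTP methods}.

    Rules as this example reads them from the option text:
      * every known module starts enabled for GET and POST;
      * tokens are comma separated and applied left to right;
      * "name" enables a module for GET and POST, "name:get" adds that method;
      * a leading "-" disables: "-name" removes the module, "-name:post" only
        that method; "all" / "-all" apply to every module.
    Modules left with no method are dropped from the result.
    """
    active = {module: set(HTTP_METHODS) for module in known}
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        enable = not token.startswith("-")
        name, _, method = token.lstrip("-").lower().partition(":")
        if method and method not in HTTP_METHODS:
            raise ValueError("unsupported HTTP method: %s" % method)
        targets = list(known) if name == "all" else [name]
        for module in targets:
            if module not in active:
                raise ValueError("unknown module: %s" % module)
            if enable:
                active[module] |= ({method} if method else set(HTTP_METHODS))
            elif method:
                active[module].discard(method)
            else:
                active[module] = set()
    return {module: sorted(methods) for module, methods in active.items() if methods}


if __name__ == "__main__":
    print(parse_modules("-all,xss:get,exec:post"))   # the page's own example
    print(parse_modules("-all"))                      # browse only, no payloads
```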

  -u, --color
      Use colors to highlight vulnerabilities and anomalies in the output.

  -v, --verbose
      Set the verbosity level.
      0: quiet (default), 1: print each URL, 2: print every attack.

  -b, --scope
      Set the scope of the scan:
      + page: analyse only the page given as the root URL.
      + folder: analyse all the URLs under the root URL passed to Wapiti
        (default).
      + domain: analyse all the links to pages which are in the same domain
        as the URL passed to Wapiti.
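The scope rules of -b/--scope and the wildcard exclusions of -x/--exclude together decide which discovered URLs a crawler is allowed to follow. The following is an added example that reimplements both decisions in plain Python; it is not Wapiti's code, the function names (in_scope, compile_exclusions, filter_frontier) are this example's own, the precise scope semantics (page compares the path only, folder requires the same scheme and host, domain compares host names) are assumptions drawn from the option text, and the root and discovered URLs are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Scope modes named by the -b/--scope option: page, folder (default), domain.
SCOPES = ("page", "folder", "domain")


def folder_of(url):
    """Return the URL truncated after the last '/' of its path (query dropped)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    folder = path[: path.rfind("/") + 1]
    return urlunsplit((parts.scheme, parts.netloc, folder, "", ""))


def in_scope(url, root, scope="folder"):
    """Decide whether `url` may be crawled given the root URL and scope mode.

    Hypothetical reading of the option text:
      page   -> only the root page itself (same scheme/host/path, query ignored)
      folder -> everything below the root URL's folder on the same scheme/host
      domain -> everything on the same host name, whatever the path
    """
    if scope not in SCOPES:
        raise ValueError("unknown scope: %s" % scope)
    target, base = urlsplit(url), urlsplit(root)
    if scope == "domain":
        return target.hostname == base.hostname
    if target.scheme != base.scheme or target.netloc != base.netloc:
        return False
    if scope == "page":
        return target.path == base.path
    return url.startswith(folder_of(root))


def compile_exclusions(patterns):
    """Turn -x style patterns into anchored regexes; '*' matches any run of chars."""
    compiled = []
    for pattern in patterns:
        pieces = [re.escape(piece) for piece in pattern.split("*")]
        compiled.append(re.compile(".*".join(pieces) + r"\Z"))
    return compiled


def is_excluded(url, exclusions):
    """True when the URL matches any compiled exclusion pattern."""
    return any(rx.match(url) for rx in exclusions)


def filter_frontier(urls, root, scope="folder", exclude=()):
    """Keep only URLs that are in scope and not excluded, preserving order."""
    exclusions = compile_exclusions(exclude)
    return [u for u in urls
            if in_scope(u, root, scope) and not is_excluded(u, exclusions)]


if __name__ == "__main__":
    # Constructed root and discovered URLs, not taken from any real scan.
    root = "http://server/base/index.php"
    found = [
        "http://server/base/index.php?page=2",
        "http://server/base/admin/users.php",
        "http://server/base/logout.php",
        "http://server/other/page.php",
        "https://server/base/secure.php",
    ]
    keep = filter_frontier(found, root, "folder",
                           ["http://server/base/logout.php",
                            "http://server/base/admin/*"])
    for u in keep:
        print(u)
```

With folder scope and the two exclusions, only the index page survives: the admin directory and the logout page are excluded, the other folder is outside the root folder, and the HTTPS URL is on a different scheme. Switching to domain scope admits every URL on the host, which is why the logout exclusion matters there too.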

  -f, --format
      Set the format type for the report.
      json: report in JSON format
      html: report in HTML format (default)
      openvas: report in OpenVAS XML format
      txt: report in plain text (UTF-8)
      vulneranet: report in VulneraNET (XML based) format
      xml: report in XML format

  -o, --output
      Set the name of the report file.
      If the selected report format is 'html', this parameter is used as a
      directory name.

  -i, --continue
      Tell Wapiti to resume the previous scan saved in the specified XML status
      file. The file name is optional; if it is not specified, Wapiti takes the
      default file from the "scans" folder.

  -k, --attack
      Tell Wapiti to resume the attacks without scanning the website again,
      loading the scan status from the specified file.
      The file name is optional; if it is not specified, Wapiti takes the
      default file from the "scans" folder.

  --verify-ssl
      Tell Wapiti whether it must check SSL certificates.
      The default is to verify certificates.

  -h, --help
      Print this usage message.


Download Wapiti


This post first appeared on Effect Hacking - Hacking Tools, How To Guides An, please read the original post: here
