The web-application vulnerability scanner


Wapiti allows you to audit the security of your websites or web applications.

It performs "black-box" scans (it does not study the source code) of the web application by crawling the webpages of the deployed webapp, looking for scripts and forms where it can inject data.

Once it gets the list of URLs, forms and their inputs, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

What's new in Wapiti 3.2.0? Take a look here.

Wapiti modules cover:

Wapiti supports both GET and POST HTTP methods for attacks.
It also supports multipart forms and can inject payloads in filenames (upload).
Warnings are raised when an anomaly is found (for example 500 errors and timeouts).
Wapiti is able to distinguish between permanent (stored) and reflected XSS vulnerabilities.

General features:

Browsing features

Wapiti is a command-line application.
Here is an example of output against a vulnerable web application.
You may find some useful information in the README and the INSTALL files.
Have any questions? You may find answers in the FAQ.

Download

>> Download Wapiti here <<


or install it using pip:

pip install wapiti3

Usage


 ██╗    ██╗ █████╗ ██████╗ ██╗████████╗██╗██████╗
 ██║    ██║██╔══██╗██╔══██╗██║╚══██╔══╝██║╚════██╗
 ██║ █╗ ██║███████║██████╔╝██║   ██║   ██║ █████╔╝
 ██║███╗██║██╔══██║██╔═══╝ ██║   ██║   ██║ ╚═══██╗
 ╚███╔███╔╝██║  ██║██║     ██║   ██║   ██║██████╔╝
  ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝     ╚═╝   ╚═╝   ╚═╝╚═════╝
Wapiti 3.2.0 (wapiti-scanner.github.io)
usage: wapiti [-h] [-u URL] [--swagger URI] [--data data]
              [--scope {url,page,folder,subdomain,domain,punk}] [-m MODULES_LIST]
              [--list-modules] [-l LEVEL] [-p PROXY_URL] [--tor] [--mitm-port PORT]
              [--headless {no,hidden,visible}] [--wait TIME] [-a CREDENTIALS]
              [--auth-user USERNAME] [--auth-password PASSWORD]
              [--auth-method {basic,digest,ntlm}] [--form-cred CREDENTIALS]
              [--form-user USERNAME] [--form-password PASSWORD] [--form-url URL]
              [--form-data DATA] [--form-enctype DATA] [--form-script FILENAME]
              [-c COOKIE_FILE] [-sf SIDE_FILE] [-C COOKIE_VALUE] [--drop-set-cookie]
              [--skip-crawl] [--resume-crawl] [--flush-attacks] [--flush-session]
              [--store-session PATH] [--store-config PATH] [-s URL] [-x URL]
              [-r PARAMETER] [--skip PARAMETER] [-d DEPTH] [--max-links-per-page MAX]
              [--max-files-per-dir MAX] [--max-scan-time SECONDS]
              [--max-attack-time SECONDS] [--max-parameters MAX] [-S FORCE]
              [--tasks tasks] [--external-endpoint EXTERNAL_ENDPOINT_URL]
              [--internal-endpoint INTERNAL_ENDPOINT_URL] [--endpoint ENDPOINT_URL]
              [--dns-endpoint DNS_ENDPOINT_DOMAIN] [-t SECONDS] [-H HEADER]
              [-A AGENT] [--verify-ssl {0,1}] [--color] [-v LEVEL]
              [--log OUTPUT_PATH] [-f FORMAT] [-o OUTPUT_PATH]
              [-dr DETAILED_REPORT_LEVEL] [--no-bugreport] [--update] [--version]
              [--cms CMS_LIST] [--wapp-url WAPP_URL] [--wapp-dir WAPP_DIR]
Shortest way (with default options) to launch a Wapiti scan:
wapiti -u http://target/

Every option is detailed in the wapiti(1) manpage.

Wapiti also comes with a utility to fetch cookies from websites called wapiti-getcookie. The corresponding manpage is here.


Need help? Check out the wiki


Licensing

Wapiti is released under the GNU General Public License version 2 (the GPL).

Sponsors

  Cyberwatch

  Security For Everyone