The web-application vulnerability scanner

Wapiti allows you to audit the security of your websites or web applications.

It performs "black-box" scans (it does not study the source code) of the web application by crawling the webpages of the deployed webapp, looking for scripts and forms where it can inject data.

Once it gets the list of URLs, forms and their inputs, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

What's new in Wapiti 3.1.1 ? Take a look here.

Wapiti modules cover:

Wapiti supports both GET and POST HTTP methods for attacks.
It also supports multipart forms and can inject payloads in filenames (upload).
Warnings are raised when an anomaly is found (for example 500 errors and timeouts)
Wapiti is able to make the difference between permanent and reflected XSS vulnerabilities.

General features :

Browsing features

Wapiti is a command-line application.
Here is an example of output against a vulnerable web application.
You may find some useful information in the README and the INSTALL files.
Have any questions ? You may find answers in the FAQ.


>> Download Wapiti here <<

or install it easily using PIP:

pip install wapiti3


 ██╗    ██╗ █████╗ ██████╗ ██╗████████╗██╗██████╗
 ██║    ██║██╔══██╗██╔══██╗██║╚══██╔══╝██║╚════██╗
 ██║ █╗ ██║███████║██████╔╝██║   ██║   ██║ █████╔╝
 ██║███╗██║██╔══██║██╔═══╝ ██║   ██║   ██║ ╚═══██╗
 ╚███╔███╔╝██║  ██║██║     ██║   ██║   ██║██████╔╝
  ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝     ╚═╝   ╚═╝   ╚═╝╚═════╝
Wapiti 3.1.0 (
usage: wapiti [-h] [-u URL] [--scope {page,folder,domain,url,punk}]
              [-m MODULES_LIST] [--list-modules] [--update] [-l LEVEL]
              [-p PROXY_URL] [--tor] [-a CREDENTIALS]
              [--auth-type {basic,digest,ntlm,post}] [-c COOKIE_FILE]
              [--drop-set-cookie] [--skip-crawl] [--resume-crawl]
              [--flush-attacks] [--flush-session] [--store-session PATH]
              [--store-config PATH] [-s URL] [-x URL] [-r PARAMETER]
              [--skip PARAMETER] [-d DEPTH] [--max-links-per-page MAX]
              [--max-files-per-dir MAX] [--max-scan-time SECONDS]
              [--max-attack-time SECONDS] [--max-parameters MAX] [-S FORCE]
              [--tasks tasks] [--external-endpoint EXTERNAL_ENDPOINT_URL]
              [--internal-endpoint INTERNAL_ENDPOINT_URL]
              [--endpoint ENDPOINT_URL] [--dns-endpoint DNS_ENDPOINT_DOMAIN]
              [-t SECONDS] [-H HEADER] [-A AGENT] [--verify-ssl {0,1}] [--color]
              [-v LEVEL] [--log OUTPUT_PATH] [-f FORMAT] [-o OUTPUT_PATH]
              [--no-bugreport] [--version]
wapiti: error: one of the arguments -u/--url --list-modules --update is required
Shortest way (with default options) to launch a Wapiti scan :
wapiti -u http://target/

Every option is detailed in the wapiti(1) manpage.

Wapiti also comes with a utility to fetch cookies from websites called wapiti-getcookie. The corresponding manpage is here.


Wapiti is released under the GNU General Public License version 2 (the GPL).



  Security For Everyone