Wapiti allows you to audit the security of your websites or web applications.
It performs “black-box” scans (it does not study the source code) of the web application by crawling the webpages of the deployed webapp, looking for scripts and forms where it can inject data.
This is free and open source software.
The software’s modules offer the following features:
- SQL Injections (Error based, boolean based, time based) and XPath Injections.
- Cross Site Scripting (XSS) reflected and permanent.
- File disclosure detection (local and remote include, require, fopen, readfile, etc.).
- Command Execution detection (eval(), system(), passthru(), etc.).
- XXE (Xml eXternal Entity) injection.
- CRLF Injection.
- Search for potentially dangerous files on the server.
- Bypass of weak htaccess configurations.
- Search for copies (backup) of scripts on the server.
- Shellshock.
- Folder and file enumeration (DirBuster like).
- Server Side Request Forgery (through use of an external Wapiti website).
- Open Redirects.
- Detection of uncommon HTTP methods (like PUT).
- Basic CSP Evaluator.
- Brute Force login form (using a dictionary list).
- Checking HTTP security headers.
- Checking cookie security flags (secure and httponly flags).
- Cross Site Request Forgery (CSRF) basic detection.
- Fingerprinting of web applications using the Wappalyzer database.
- Enumeration of WordPress and Drupal modules.
- Detection of subdomain takeover vulnerabilities.
- Log4Shell vulnerability detection.
- Check for TLS misconfiguration and vulnerabilities.
General features include:
- Generates vulnerability reports in various formats (HTML, XML, JSON, TXT, CSV).
- Can suspend and resume a scan or an attack (session mechanism using sqlite3 databases).
- Can give you colors in the terminal to highlight vulnerabilities.
- Different levels of verbosity.
- Fast and easy way to activate/deactivate attack modules.
- Adding a payload can be as easy as adding a line to a text file.
- Configurable number of concurrent tasks to perform HTTP requests.
Website: wapiti-scanner.github.io
Support: GitHub Code Repository
Developer: Nicolas Surribas
License: GNU General Public License v2.0
Wapiti is written in Python.
Related Software
| Vulnerability Analysis Tools | Description |
|---|---|
| sqlmap | Penetration testing tool |
| BeEF | The Browser Exploitation Framework |
| pocsuite3 | Remote vulnerability testing framework |
| AFL++ | Security-oriented fuzzer |
| Wapiti | "Black-box" vulnerability scanner |
| jSQL Injection | Automatic SQL database injection |
| sif | Pentesting (recon/exploitation) suite |
| XSSer | Detect, exploit and report XSS vulnerabilities |
| Kanha | Web-app pentesting suite |
| simple fuzzer | A fuzzer with two network modes of operation |
| Doona | Fork of the Bruteforce Exploit Detector Tool |