Python-coded Wapiti is a potent online vulnerability detector. As a black-box vulnerability scanner, it examines the deployed web application's pages, extracting links and forms, and attacking the scripts rather than studying the source code of web applications.

Wapiti is a robust web vulnerability scanner that is implemented in Python. It functions as a black-box vulnerability scanner, which means it doesn't analyze the source code of web applications. Instead, it scans the pages of the deployed web application, extracts links and forms, and carries out attacks on the scripts to identify potential vulnerabilities. This approach allows Wapiti to assess the security of web applications without requiring access to the application's internal source code.


  • Generates     vulnerability reports in various formats (HTML, XML, JSON, TXT, CSV).
  • Can     suspend and resume a scan or an attack.
  • Supports     HTTP, HTTPS, and SOCKS5 proxies.
  • HTTP     authentication on the target (Basic, Digest, NTLM).
  • Authentication     by filling login forms.
  • Ability     to restrain the scope of the scan (domain, folder, page, URL).
  • Configurable     number of concurrent tasks for HTTP requests.
  • Supports     multiple attack modules (SQL injection, XSS, file disclosure, command     execution, etc.).
  • Can     activate/deactivate SSL certificates verification.
  • Supports     both basic and advanced scanning options.


Wapiti is installed by default in kali

Use the command


In the console to invoke the functionality


Basic usage:


For more options:


Specify modules:


Save the output in a file:


Wapiti supports both GET and POST HTTP methods for attacks.

Screenshot of the tooloperation

Table of Contents: