Wapiti is a robust web vulnerability scanner that is implemented in Python. It functions as a black-box vulnerability scanner, which means it doesn't analyze the source code of web applications. Instead, it scans the pages of the deployed web application, extracts links and forms, and carries out attacks on the scripts to identify potential vulnerabilities. This approach allows Wapiti to assess the security of web applications without requiring access to the application's internal source code.
Features
- Generates vulnerability reports in various formats (HTML, XML, JSON, TXT, CSV).
- Can suspend and resume a scan or an attack.
- Supports HTTP, HTTPS, and SOCKS5 proxies.
- HTTP authentication on the target (Basic, Digest, NTLM).
- Authentication by filling login forms.
- Ability to restrain the scope of the scan (domain, folder, page, URL).
- Configurable number of concurrent tasks for HTTP requests.
- Supports multiple attack modules (SQL injection, XSS, file disclosure, command execution, etc.).
- Can activate/deactivate SSL certificates verification.
- Supports both basic and advanced scanning options.
Installation
Wapiti is installed by default in kali
Use the command
In the console to invoke the functionality
Running
Basic usage:
For more options:
Specify modules:
Save the output in a file:
Wapiti supports both GET and POST HTTP methods for attacks.
Screenshot of the tooloperation
