WAPITI(1)                                                            WAPITI(1)

NAME

       wapiti - A web application vulnerability scanner in Python

SYNOPSIS

       wapiti -u BASE_URL [options]

DESCRIPTION

       Wapiti allows you to audit the security of your web applications.

       It performs "black-box" scans, i.e. it does not study the source code
       of the application but scans the webpages of the deployed webapp,
       looking for scripts and forms where it can inject data.

       Once it gets this list, Wapiti acts like a fuzzer, injecting payloads
       to see if a script is vulnerable.

       Wapiti is useful only to discover vulnerabilities: it is not an
       exploitation tool. Some well known applications can be used for the
       exploitation part, like the recommended sqlmap.

OPTIONS SUMMARY

       Here is a summary of options. It is essentially what you will get when
       you launch Wapiti without any argument. More detail on each option can
       be found in the following sections.

       TARGET SPECIFICATION:

       ·   -u URL

       ·   --scope {page,folder,domain,url}

       ATTACK SPECIFICATION:

       ·   -m MODULES_LIST

       ·   --list-modules

       ·   -l LEVEL

       PROXY AND AUTHENTICATION OPTIONS:

       ·   -p PROXY_URL

       ·   -a CREDENTIALS

       ·   --auth-type {basic,digest,kerberos,ntlm}

       ·   -c COOKIE_FILE

       SESSION OPTIONS:

       ·   --skip-crawl

       ·   --resume-crawl

       ·   --flush-attacks

       ·   --flush-session

       SCAN AND ATTACKS TUNING:

       ·   -s URL

       ·   -x URL

       ·   -r PARAMETER

       ·   --skip PARAMETER

       ·   -d DEPTH

       ·   --max-links-per-page MAX_LINKS_PER_PAGE

       ·   --max-files-per-dir MAX_FILES_PER_DIR

       ·   --max-scan-time MAX_SCAN_TIME

       ·   --max-parameters MAX

       ·   -S, --scan-force {paranoid,sneaky,polite,normal,aggressive,insane}

       HTTP AND NETWORK OPTIONS:

       ·   -t SECONDS

       ·   -H HEADER

       ·   -A AGENT

       ·   --verify-ssl {0,1}

       OUTPUT OPTIONS:

       ·   --color

       ·   -v LEVEL

       REPORT OPTIONS:

       ·   -f {json,html,txt,openvas,vulneranet,xml}

       ·   -o OUTPUT_PATH

       OTHER OPTIONS:

       ·   --no-bugreport

       ·   --version

       ·   -h

TARGET SPECIFICATION

       ·   -u, --url URL
           The URL that will be used as the base for the scan. Every URL found
           during the scan will be checked against the base URL and the
           corresponding scan scope (see --scope for details).
           This is the only required argument. The scheme part of the URL must
           be either http or https.

       ·   --scope SCOPE
           Define the scope of the scan and attacks. Valid choices are:

           ·   url: will only scan and attack the exact base URL given with
               the -u option.

           ·   page: will attack every URL matching the path of the base URL
               (every query string variation).

           ·   folder: will scan and attack every URL starting with the base
               URL value. This base URL should have a trailing slash (no
               filename).

           ·   domain: will scan and attack every URL whose domain name
               matches the one from the base URL.

           ·   punk: will scan and attack every URL found, whatever the
               domain. Think twice before using that scope.

ATTACK SPECIFICATION

       ·   -m, --module MODULE_LIST
           Set the list of attack modules (module names separated with
           commas) to launch against the target.
           Default behavior (when the option is not set) is to use the most
           common modules.
           Common modules can also be specified using the "common" keyword.
           If you want to use common modules along with the XXE module you
           can pass -m common,xxe.
           Activating all modules can be done with the "all" keyword (not
           recommended though).
           To launch a scan without launching any attack, just give an empty
           value (-m "").
           You can filter on HTTP methods too (only get or post). For example
           -m "xss:get,exec:post".

       ·   --list-modules
           Print the list of available Wapiti modules and exit.

       ·   -l, --level LEVEL
           In previous versions Wapiti used to inject attack payloads in query
           strings even if no parameter was present in the original URL.
           While it may be successful in finding vulnerabilities that way, it
           was causing too many requests for not enough success.
           This behavior is now hidden behind this option and can be
           reactivated by setting -l to 2.
           It may be useful on CGIs when developers have to parse the
           query-string themselves.
           Default value for this option is 1.

PROXY AND AUTHENTICATION OPTIONS

       ·   -p, --proxy PROXY_URL
           The given URL will be used as a proxy for HTTP and HTTPS requests.
           This URL can have one of the following schemes: http, https, socks.

       ·   --tor
           Make Wapiti use a Tor listener (same as --proxy
           socks://127.0.0.1:9050/).

       ·   -a, --auth-cred CREDENTIALS
           Set credentials to use for HTTP authentication on the target.
           Given value should be in the form login%password (% is used as a
           separator).

       ·   --auth-type TYPE
           Set the authentication mechanism to use. Valid choices are basic,
           digest, kerberos and ntlm.
           Kerberos and NTLM authentication may require you to install
           additional Python modules.

       ·   -c, --cookie COOKIE_FILE
           Load cookies from a Wapiti JSON cookie file. See wapiti-getcookie(1)
           for more information.

SESSION OPTIONS

       Since Wapiti 3.0.0, scanned URLs, discovered vulnerabilities and
       attack status are stored in sqlite3 databases used as Wapiti session
       files.
       Default behavior when a previous scan session exists for the given base
       URL and scope is to resume the scan and attack status.
       The following options allow you to bypass this behavior:

       ·   --skip-crawl
           If a previous scan was performed but wasn't finished, don't resume
           the scan. Attacks will be made on currently known URLs without
           scanning more.

       ·   --resume-crawl
           If the crawl was previously stopped and attacks started, default
           behavior is to skip crawling if the session is restored.
           Use this option in order to continue the scan process while keeping
           vulnerabilities and attacks in the session.

       ·   --flush-attacks
           Forget everything about discovered vulnerabilities and which URL
           was attacked by which module.
           Only the scan (crawling) information will be kept.

       ·   --flush-session
           Forget everything about the target for the given scope.

       ·   --store-session
           Specify an alternative path for storing session (.db and .pkl)
           files.

SCAN AND ATTACKS TUNING

       ·   -s, --start URL
           If for some reason Wapiti doesn't find any (or enough) URLs from
           the base URL you can still add URLs to start the scan with.
           Those URLs will be given a depth of 0, just like the base URL.
           This option can be called several times.
           You can also give it a filename and Wapiti will read URLs from the
           given file (must be UTF-8 encoded), one URL per line.

       ·   -x, --exclude URL
           Prevent the given URL from being scanned. Common use is to exclude
           the logout URL to prevent the destruction of session cookies (if
           you specified a cookie file with --cookie).
           This option can be applied several times. The excluded URL given as
           a parameter can contain wildcards for basic pattern matching.

       ·   -r, --remove PARAMETER
           If the given parameter is found in a scanned URL it will be
           automatically removed (URLs are edited).
           This option can be used several times.

       ·   --skip PARAMETER
           The given parameter will be kept in URLs and forms but won't be
           attacked.
           Useful if you already know non-vulnerable parameters.

       ·   -d, --depth DEPTH
           When Wapiti crawls a website it gives each found URL a depth value.
           The base URL and additional starting URLs (-s) are given a depth
           of 0.
           Each link found in those URLs gets a depth of 1, and so on.
           Default maximum depth is 40, which is very large.
           This limit makes sure the scan will stop at some point.
           For a fast scan a depth lower than 5 is recommended.

       ·   --max-links-per-page MAX
           This is another option to reduce the number of URLs discovered by
           the crawler.
           Only the first MAX links of each webpage will be extracted.
           This option is not really effective as the same link may appear on
           different webpages.
           It should be useful in rare conditions, for example when there are
           a lot of webpages without query string.

       ·   --max-files-per-dir MAX
           Limit the number of URLs to crawl under each folder found on the
           webserver.
           Note that a URL with a trailing slash in the path is not
           necessarily a folder, but Wapiti will treat it as if it is.
           Like the previous option it should be useful only in certain
           situations.

       ·   --max-scan-time MINUTES
           Stop the scan after MINUTES minutes if it is still running.
           Should be useful to automate scanning from another process
           (continuous testing).

       ·   --max-parameters MAX
           URLs and forms having more than MAX input parameters will be
           discarded before launching attack modules.

       ·   -S, --scan-force FORCE
           The more input parameters a URL or form has, the more requests
           Wapiti will send.
           The sum of requests can grow rapidly and attacking a form with 40
           or more input fields can take a huge amount of time.
           Wapiti uses a mathematical formula to reduce the number of URLs
           scanned for a given pattern (same variable names) when the number
           of parameters grows.
           The formula is maximum_allowed_patterns = 220 /
           (math.exp(number_of_parameters * factor) ** 2) where factor is an
           internal value controlled by the FORCE value you give as an option.
           Available choices are: paranoid, sneaky, polite, normal,
           aggressive, insane.
           Default value is normal (147 URLs for 1 parameter, 30 for 5, 5 for
           10, 1 for 14 or more).
           Insane mode just removes the calculation of those limits; every URL
           will be attacked.
           Paranoid mode will attack 30 URLs with 1 parameter, 5 for 2, and
           just 1 for 3 and more.
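           As an added illustration (not code from the Wapiti man page or
           from the Wapiti project), the pattern-limit formula above carried
           through in Python. The per-level factor values are internal to
           Wapiti and not documented here, so this example fits a factor for
           normal and paranoid from the 1-parameter figures above (147 and
           30); that fit, and rounding to the nearest whole pattern with a
           floor of 1, are assumptions made here.

```python
import math

BASE_PATTERNS = 220  # constant from the formula in the --scan-force description


def max_allowed_patterns(number_of_parameters: int, factor: float) -> int:
    """Man page formula: 220 / (math.exp(number_of_parameters * factor) ** 2).

    Rounding to an integer with a floor of 1 is an assumption made here;
    the man page does not describe how Wapiti rounds the result.
    """
    raw = BASE_PATTERNS / (math.exp(number_of_parameters * factor) ** 2)
    return max(1, round(raw))


def fit_factor(patterns_at_one_parameter: int) -> float:
    """Solve 220 / exp(2 * factor) == patterns_at_one_parameter for factor.

    Assumption: the documented 1-parameter figure is reached exactly. The
    other documented figures then come out close, but not necessarily equal.
    """
    return math.log(BASE_PATTERNS / patterns_at_one_parameter) / 2


# Factors fitted from the figures in this man page (assumed, not Wapiti's
# real internal values).
FACTORS = {
    "normal": fit_factor(147),
    "paranoid": fit_factor(30),
}


def limit_table(force: str, max_parameters: int = 15) -> dict:
    """Patterns attacked per parameter count (0..max_parameters) for a level.

    'insane' disables the limit entirely, as the man page states; it is
    represented here by an unbounded limit (math.inf).
    """
    if force == "insane":
        return {n: math.inf for n in range(max_parameters + 1)}
    factor = FACTORS[force]
    return {n: max_allowed_patterns(n, factor) for n in range(max_parameters + 1)}


if __name__ == "__main__":
    for level in ("normal", "paranoid"):
        table = limit_table(level)
        print(level, " ".join(f"{n}:{table[n]}" for n in sorted(table)))
```

           The table makes the trade-off behind --max-parameters visible:
           once the limit reaches 1, adding parameters no longer reduces the
           number of patterns, only the work per pattern.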
       ·   --endpoint URL
           Some attack modules are using an HTTP endpoint to check for
           vulnerabilities.
           For example the SSRF module injects the endpoint URL into webpage
           arguments to check if the target script tries to fetch that URL.
           Default endpoint is http://wapiti3.ovh/. Keep in mind that the
           target and your computer must be able to reach that endpoint for
           the module to work.
           On internal pentests this endpoint may not be accessible to the
           target, hence you may prefer to set up your own endpoint.
           This option will set both internal and external endpoint URLs to
           the same value.

       ·   --internal-endpoint URL
           You may want to specify an internal endpoint different from the
           external one.
           The internal endpoint is used by Wapiti to fetch results of
           attacks.
           If you are behind a NAT it may be a URL for a local server (for
           example http://192.168.0.1/).

       ·   --external-endpoint URL
           Set the endpoint URL (the one that the target will fetch in case of
           vulnerability).
           Using your own endpoint may reduce the risk of being caught by a
           NIDS or WAF.

HTTP AND NETWORK OPTIONS

       ·   -t, --timeout SECONDS
           Time to wait (in seconds) for an HTTP response before considering
           failure.

       ·   -H, --header HEADER
           Set a custom HTTP header to inject in every request sent by Wapiti.
           This option can be used several times.
           Value should be a standard HTTP header line (name and value
           separated with a : sign).

       ·   -A, --user-agent AGENT
           Default behavior of Wapiti is to use the same User-Agent as the
           TorBrowser, making it discreet when crawling standard websites or
           .onion ones.
           But you may have to change it to bypass some restrictions, so this
           option is here.

       ·   --verify-ssl VALUE
           Wapiti does not validate certificates by default. That behavior
           can be changed by passing 1 as a value to that option.

OUTPUT OPTIONS

       Wapiti prints its status to standard output. The two following options
       allow you to tune the output.

       ·   --color
           Output will be colorized based on the severity of the information
           (red is critical, orange for warnings, green for information).

       ·   -v, --verbose LEVEL
           Set the level of verbosity for the output. Possible values are
           quiet (0), normal (1, default behavior) and verbose (2).

REPORT OPTIONS

       Wapiti will generate a report at the end of the attack process. Several
       report formats are available.

       ·   -f, --format FORMAT
           Set the format of the report. Valid choices are json, html, txt,
           openvas, vulneranet and xml.
           Although the HTML reports were rewritten to be more responsive,
           they are still impractical when a lot of vulnerabilities are found.

       ·   -o, --output OUTPUT_PATH
           Set the path where the report will be generated.

OTHER OPTIONS

       ·   --version
           Print Wapiti version then exit.

       ·   --no-bugreport
           If a Wapiti attack module crashes because of an uncaught exception
           a bug report is generated and sent for analysis in order to improve
           Wapiti reliability. Note that only the content of the report is
           kept.
           You can prevent reports from being sent using that option.

       ·   -h, --help
           Show detailed options description. More details are available in
           this manpage though.

LICENSE

       Wapiti is covered by the GNU General Public License (GPL), version 2.
       Please read the COPYING file for more information.

       Copyright (c) 2006-2019 Nicolas Surribas.

AUTHORS

       Nicolas Surribas is the main author, but the whole list of contributors
       is found in the separate AUTHORS file.

WEBSITE

       http://wapiti.sourceforge.net/

BUG REPORTS

       If you find a bug in Wapiti please report it to
       https://sourceforge.net/p/wapiti/bugs/

SEE ALSO

       The INSTALL.md file that comes with Wapiti contains all the information
       required to install Wapiti.

                                September 2019                       WAPITI(1)