Wapiti – Web Application Scanner / Black-box testing

Use Netsparker


Wapiti allows you to audit the security of your web applications.

It performs “black-box” scans, i.e. it does not study the source code of the application but will scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data.

Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

Wapiti can detect the following vulnerabilities :

  • File Handling Errors (Local and remote include/require, fopen, readfile…)
  • Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
  • XSS (Cross Site Scripting) Injection
  • LDAP Injection
  • Command Execution detection (eval(), system(), passtru()…)
  • CRLF Injection (HTTP Response Splitting, session fixation…)

Wapiti is able to differentiate ponctual and permanent XSS vulnerabilities. Wapiti prints a warning everytime it founds a script allowing HTTP uploads. A warning is also issued when a HTTP 500 code is returned (useful for ASP/IIS). Wapiti does not rely on a vulnerability database like Nikto do. Wapiti aims to discover unknown vulnerabilities in web applications. It does not provide a GUI for the moment and you must use it from a terminal.

Efficiency

Wapiti is developed in Python and use a Python library I made called lswww. This web spider library does the most of the work.
Unfortunately, the html parsers module within Python only works with well formated html pages so lswww fails to extract informations from bad-coded webpages.

You can read more here:

Wapiti

Posted in: Hacking Tools, Web Hacking

, ,


Latest Posts:


StaCoAn - Mobile App Static Analysis Tool StaCoAn – Mobile App Static Analysis Tool
StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing mobile app static analysis on the code of the application for both native Android and iOS applications.
snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.


Comments are closed.