[ad]<\/p>\n
Wapiti allows you to audit the security of your web applications.<\/p>\n
It performs “black-box” scans, i.e. it does not study the source code of the application but will scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data.<\/p>\n
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.<\/p>\n
Wapiti can detect the following vulnerabilities :<\/p>\n
Wapiti is able to differentiate ponctual and permanent XSS vulnerabilities. Wapiti prints a warning everytime it founds a script allowing HTTP uploads. A warning is also issued when a HTTP 500 code is returned (useful for ASP\/IIS). Wapiti does not rely on a vulnerability database like Nikto do. Wapiti aims to discover unknown vulnerabilities in web applications. It does not provide a GUI for the moment and you must use it from a terminal.<\/p>\n
Efficiency<\/strong><\/p>\n Wapiti is developed in Python and use a Python library I made called lswww. This web spider library does the most of the work. You can read more here:<\/p>\n <\/p>\n
\nUnfortunately, the html parsers module within Python only works with well formated html pages so lswww fails to extract informations from bad-coded webpages.<\/p>\n