{"id":311,"date":"2006-08-07T15:03:48","date_gmt":"2006-08-07T15:03:48","guid":{"rendered":"https:\/\/www.darknet.org.uk\/2006\/08\/wapiti-web-application-scanner-black-box-testing\/"},"modified":"2015-09-09T19:40:39","modified_gmt":"2015-09-09T11:40:39","slug":"wapiti-web-application-scanner-black-box-testing","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2006\/08\/wapiti-web-application-scanner-black-box-testing\/","title":{"rendered":"Wapiti – Web Application Scanner \/ Black-box testing"},"content":{"rendered":"
[ad]<\/p>\n
Wapiti allows you to audit the security of your web applications.<\/p>\n
It performs “black-box” scans, i.e. it does not study the source code of the application but will scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data.<\/p>\n
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.<\/p>\n
Wapiti can detect the following vulnerabilities :<\/p>\n
Wapiti is able to differentiate ponctual and permanent XSS vulnerabilities. Wapiti prints a warning everytime it founds a script allowing HTTP uploads. A warning is also issued when a HTTP 500 code is returned (useful for ASP\/IIS). Wapiti does not rely on a vulnerability database like Nikto do. Wapiti aims to discover unknown vulnerabilities in web applications. It does not provide a GUI for the moment and you must use it from a terminal.<\/p>\n
Efficiency<\/strong><\/p>\n Wapiti is developed in Python and use a Python library I made called lswww. This web spider library does the most of the work. You can read more here:<\/p>\n <\/p>\n
\nUnfortunately, the html parsers module within Python only works with well formated html pages so lswww fails to extract informations from bad-coded webpages.<\/p>\n