Wapiti is another terminal-based Web vulnerability scanner, which sends GET and POST requests to target sites looking for the following vulnerabilities (http://wapiti.sourceforge.net/):
- File disclosure
- Database injection
- XSS (cross-site scripting)
- Command execution detection
- CRLF injection
- XXE (XML eXternal Entity) injection
- Use of known potentially dangerous files
- Weak
.htaccessconfigurations that can be bypassed - Presence of backup files that give sensitive information (source code disclosure)
In this recipe, we will use Wapiti to discover vulnerabilities in one of our test applications and generate a report of the scan.
- We can call Wapiti from a terminal window, as shown:
wapiti http://192.168.56.102/peruggia/ -o wapiti_result -f html -m "-blindsql"We will scan the Peruggia application in our vulnerable_vm, save the output in HTML format inside the
wapiti_resultdirectory, and skip the blind SQL injection tests. - If we open the report's directory and then the
index.htmlfile, then we will see something like this:
Here, we can see that Wapiti has found 12 cross-site scripting (XSS) and 20 file handling vulnerabilities.
- Now click on Cross Site Scripting.
- Select a vulnerability and click on HTTP Request. We will take the second one and select and copy the URL part of the request:
- Now, we paste that URL in the browser, as shown:
http://192.168.56.102/peruggia/index.php?action=comment&pic_id=%3E%3C%2Fform%3E%3Cscript%3Ealert%28%27wxs0lvms89%27%29%3C%2Fscript%3E
And we have an XSS indeed.
We skipped the blind SQL injection test in this recipe (-m "-blindsql"), as this application is vulnerable to that attack. It provokes a time-out error that makes Wapiti close before the scan is finished because Wapiti tests multiple times by injecting the sleep() command until the server surpasses the time-out threshold. Also, we have selected the HTML format for output (-o html) and wapiti_result as our report's destination directory; we can also have other formats, such as JSON, openvas, TXT, or XML.
Other interesting options in Wapiti are:
-x <URL>: Exclude the specified URL from the scan; useful for logout and password change URLs.-i <file>: Resumes a previously saved scan from an XML file. The filename is optional, as Wapiti takes the file from thescansfolder if omitted.-a <login%password>: Uses specified credentials for HTTP login.--auth-method <method>: Defines the authentication method for the-aoption; it can bebasic,digest,kerberos, orntlm.-s <URL>: Defines a URL to start the scan with.-p <proxy_url>: Uses an HTTP or HTTPS proxy.