Wapiti is another terminal-based Web vulnerability scanner, which sends GET and POST requests to target sites looking for the following vulnerabilities (http://wapiti.sourceforge.net/):
- .htaccess configurations that can be bypassed

In this recipe, we will use Wapiti to discover vulnerabilities in one of our test applications and generate a report of the scan.
wapiti http://192.168.56.102/peruggia/ -o wapiti_result -f html -m "-blindsql"
We will scan the Peruggia application in our vulnerable_vm, save the output in HTML format inside the wapiti_result directory, and skip the blind SQL injection tests.
When the scan finishes, we open the index.html file in the wapiti_result directory and see something like this:

Here, we can see that Wapiti has found 12 cross-site scripting (XSS) and 20 file handling vulnerabilities.
http://192.168.56.102/peruggia/index.php?action=comment&pic_id=%3E%3C%2Fform%3E%3Cscript%3Ealert%28%27wxs0lvms89%27%29%3C%2Fscript%3E
And we have an XSS indeed.
We skipped the blind SQL injection test in this recipe (-m "-blindsql"), as this application is vulnerable to that attack: it provokes a time-out error that makes Wapiti close before the scan is finished, because Wapiti tests multiple times by injecting the sleep() command until the server surpasses the time-out threshold. Also, we selected the HTML format for the output (-f html) and wapiti_result as our report's destination directory (-o wapiti_result); other formats, such as JSON, openvas, TXT, or XML, are also available.
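As an added example that is not part of the original recipe or of Wapiti itself, the following Python script reads a Wapiti report saved in JSON format, counts findings per category (the "12 XSS and 20 file handling" tally above, done programmatically) and URL-decodes the value injected into the flagged parameter so the reviewer sees exactly what reached the application. The report layout (a top-level "vulnerabilities" object mapping category names to lists of findings with "method", "path" and "parameter" keys) and the sample report are assumptions constructed here.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in the layout assumed for a Wapiti JSON report (a top-level
# "vulnerabilities" object mapping each category to a list of findings); it is
# not real scanner output. The XSS path reproduces the finding from the recipe.
SAMPLE_REPORT = """{
  "vulnerabilities": {
    "Cross Site Scripting": [
      {"method": "GET", "parameter": "pic_id", "level": 1,
       "path": "/peruggia/index.php?action=comment&pic_id=%3E%3C%2Fform%3E%3Cscript%3Ealert%28%27wxs0lvms89%27%29%3C%2Fscript%3E",
       "info": "XSS vulnerability found via injection in the parameter pic_id"}
    ],
    "File Handling": [
      {"method": "GET", "parameter": "action", "level": 1,
       "path": "/peruggia/index.php?action=comment&pic_id=1",
       "info": "constructed placeholder finding"}
    ],
    "Blind SQL Injection": []
  }
}"""
REPORT = json.loads(SAMPLE_REPORT)

def count_by_category(report):
    """Return {category: finding count}, dropping categories with no findings."""
    return {cat: len(items) for cat, items in report["vulnerabilities"].items() if items}

def decode_injected_value(path, parameter):
    """URL-decode the value Wapiti sent in the flagged query parameter."""
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if name == parameter:
            return value  # parse_qsl already undoes the percent-encoding
    return ""

def triage_lines(report):
    """One readable line per finding: category, request and decoded payload."""
    lines = []
    for cat, items in report["vulnerabilities"].items():
        for f in items:
            decoded = decode_injected_value(f["path"], f["parameter"])
            lines.append(f"[{cat}] {f['method']} {urlsplit(f['path']).path} "
                         f"param={f['parameter']} injected={decoded!r}")
    return lines

if __name__ == "__main__":
    print(count_by_category(REPORT))
    print("\n".join(triage_lines(REPORT)))
```

Point the script at a real report produced with -f json and the same functions give a per-category count and a decoded view of every injected value, which is easier to verify by hand than the percent-encoded URLs in the HTML report.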
Other interesting options in Wapiti are:
- -x <URL>: Exclude the specified URL from the scan; useful for logout and password change URLs.
- -i <file>: Resumes a previously saved scan from an XML file. The filename is optional, as Wapiti takes the file from the scans folder if omitted.
- -a <login%password>: Uses the specified credentials for HTTP login.
- --auth-method <method>: Defines the authentication method for the -a option; it can be basic, digest, kerberos, or ntlm.
- -s <URL>: Defines a URL to start the scan with.
- -p <proxy_url>: Uses an HTTP or HTTPS proxy.