Wapiti, The web-application vulnerability scanner

Alright, Today I have come up with an interesting topic which is Wapiti. Wapiti is nothing but a tool, we will talk more about Wapiti in a while but let’s first talk ‘Why wapiti’. So, next when you are done with your application from development to testing make sure you have tested it against attacks and vulnerabilities out there on the internet. You can protect your application from security attacks and vulnerabilities when you know about them.  Almost every web application has potential security risks and loopholes that are hidden until we run a security test on them. Now you must be wondering why I am talking so much about security testing so much. In order to prevent malicious and security attacks on your web application, It has to be well tested. How it can be done?
There are several tools available in the market which do it for you and Wapiti is one of them. So Let’s talk about Wapiti in detail now. Wapiti is the web-application vulnerability tool which allows you to audit the security of your web-application. It is a command-line application and performs a black-box scan i.e It does not study the source code of the application but will scan the webpages of the deployed web-app.

Wapiti can detect following vulnerabilities

  • File disclosure (Local and remote include/require, fopen, readfile…)
  • Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
  • XSS (Cross Site Scripting) injection (reflected and permanent)
  • Safeguards against scan endless-loops (max number of values for a parameter)
  • Possibility to set the first URLs to explore (even if not in scope)
  • Import of cookies (get them with the wapiti-cookie and wapiti-getcookie tools)
  • Can activate / deactivate SSL certificates verification
  • Try to extract URLs from javascript (very basic JS interpreter)
  • Weak .htaccess configurations that can be bypassed

Wapiti supports both GET and POST HTTP methods for attacks.

Features of Wapiti

  1. Generates vulnerability reports in various formats (HTML, XML, JSON, TXT…)
  2. Can suspend and resume a scan or an attack
  3. Can give you colors in the terminal to highlight vulnerabilities
  4. Fast and easy way to activate/deactivate attack modules

Requirements to run Wapiti

Now let’s run Wapiti to target a web application. Today, I will be targeting a web application http://www.getcodesquad.com to scan the risks and threats and share the results. To run Wapiti you need to download it first. The current stable version is 2.3.0. Here is the download link You can download Wapiti Here!. Once it has been downloaded, just unzip the tar file and go to the bin folder of Wapiti.

Steps to run a security test on any web application.

  • Unzip the tar file which you downloaded from the above link
  • Go to the /bin directory of Wapiti
  • Now run the command ‘python wapiti ‘

The output will be generated on console as well as in an HTML  file.

There are several option with ‘python wapiti ‘ command.
For example
-u or –color, Use colors to highlight vulnerabilities and anomalies in output.

-v or –verbose, Set the verbosity level. Set the verbosity level.   0: quiet (default), 1: print each URL, 2: print every attack.

-f or –format,   Set the format type for the report.   Set the format type for the report.
json, html, txt ,xml.

-o or –output,  Set the name of the report file.  Set the name of the report file.   If the selected report format is ‘html’, this parameter will be used as a directory name.

-h or –help, To print this usage message.

The result for ‘python wapiti http://www.getcodesquad.com/login ‘ will be generated at
A report has been generated in the file /home/knoldus/.wapiti/generated_report
Open /home/knoldus/.wapiti/generated_report/index.html with a browser to see this report.


The report generated in the form of HTML looks like below

If you find any challenge, Do let me know in the comments.If you enjoyed this post, I’d be very grateful if you’d help it spread.Keep smiling, Keep testing! Cheers!

Knoldus Frontend Devs Group Initiative: visit.

About deepak028

There is nothing much to describe me.However, I am a very ordinary person who believes in sharing knowledge.
This entry was posted in Scala and tagged , , , . Bookmark the permalink.

One Response to Wapiti, The web-application vulnerability scanner

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s