Wapiti, The web-application vulnerability scanner

Table of contents
Reading Time: 3 minutes

Alright, Today I have come up with an interesting topic which is Wapiti. It is nothing but a tool, we will talk more about Wapiti in a while but let’s first talk ‘Why wapiti’. So, next when you are done with your application from development to testing make sure you have tested it against attacks and vulnerabilities out there on the internet. You can protect your application from security attacks and vulnerabilities when you know about them.  Almost every web application has potential security risks and loopholes that are hidden until we run a security test on them. Now you must be wondering why I am talking so much about security testing so much. In order to prevent malicious and security attacks on your web application, It has to be well tested. How it can be done?
There are several tools available in the market which do it for you and Wapiti is one of them. So Let’s talk about Wapiti in detail now. It is the web-application vulnerability tool which allows you to audit the security of your web-application. It is a command-line application and performs a black-box scan i.e It does not study the source code of the application but will scan the webpages of the deployed web-app.

Wapiti can detect following vulnerabilities

  • File disclosure (Local and remote include/require, fopen, readfile…)
  • Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
  • XSS (Cross Site Scripting) injection (reflected and permanent)
  • Safeguards against scan endless-loops (max number of values for a parameter)
  • Possibility to set the first URLs to explore (even if not in scope)
  • Import of cookies (get them with the wapiti-cookie and wapiti-getcookie tools)
  • Can activate / deactivate SSL certificates verification
  • Try to extract URLs from javascript (very basic JS interpreter)
  • Weak .htaccess configurations that can be bypassed

Wapiti supports both GET and POST HTTP methods for attacks.


  1. Generates vulnerability reports in various formats (HTML, XML, JSON, TXT…)
  2. Can suspend and resume a scan or an attack
  3. Can give you colors in the terminal to highlight vulnerabilities
  4. Fast and easy way to activate/deactivate attack modules

Requirements to run Wapiti

Now let’s run Wapiti to target a web application. Today, I will be targeting a web application http://www.getcodesquad.com to scan the risks and threats and share the results. To run Wapiti you need to download it first. The current stable version is 2.3.0. Here is the download link You can download Wapiti Here!. Once it has been downloaded, just unzip the tar file and go to the bin folder of Wapiti.

Steps to run a security test on any web application.

  • Unzip the tar file which you downloaded from the above link
  • Go to the /bin directory of Wapiti
  • Now run the command ‘python wapiti ‘

The output will be generated on console as well as in an HTML  file.

There are several option with ‘python wapiti ‘ command.
For example
-u or –color, Use colors to highlight vulnerabilities and anomalies in output.

-v or –verbose, Set the verbosity level. Set the verbosity level.   0: quiet (default), 1: print each URL, 2: print every attack.

-f or –format,   Set the format type for the report.   Set the format type for the report.
json, html, txt ,xml.

-o or –output,  Set the name of the report file.  Set the name of the report file.   If the selected report format is ‘html’, this parameter will be used as a directory name.

-h or –help, To print this usage message.

The result for ‘python wapiti http://www.getcodesquad.com/login ‘ will be generated at
A report has been generated in the file /home/knoldus/.wapiti/generated_report
Open /home/knoldus/.wapiti/generated_report/index.html with a browser to see this report.


The report generated in the form of HTML looks like below

If you find any challenge, Do let me know in the comments.If you enjoyed this post, I’d be very grateful if you’d help it spread.Keep smiling, Keep testing! Cheers!

Knoldus Frontend Devs Group Initiative: visit.

Written by 

Deepak is a Software Consultant having experince of more than 5 years . He is very enthusiastic towards his work and is a good team player. He has sound knowledge of different technologies which include Java, C++, C, HTML, CSS, Javascript, C# always keen to learn new technologies.

3 thoughts on “Wapiti, The web-application vulnerability scanner4 min read

  1. We are using wapiti to scan web application for vulnerabilities. It scans page only for the specified URLs and crawling different pages is not happening that is scanning all the pages by specifying the depth of the scan. Do you have any suggestions for a command that scans all URLs that can be accessed from a single page?

  2. Does wapiti still capable of finding vulnerability. All the time I run it it finds nothing though I know the application which I’m scanning has vulnerability.

Comments are closed.