Wapiti

Wapiti, which has existed since 2006 and is written in Python 3, checks websites and web applications for vulnerabilities by mapping the page structure and then attempting to pass data and payloads to scripts and forms ("black-box test").

The following modules are run by default:

  • blindsql: Detect SQL injection vulnerabilities using blind time-based technique.

  • cookieflags: Evaluate the security of cookies on the website.

  • csp: Evaluate the security level of Content Security Policies of the web server.

  • exec: Detect scripts vulnerable to command and/or code execution.

  • file: Detect file-related vulnerabilities such as directory traversal and include() vulnerabilities.

  • http_headers: Evaluate the security of HTTP headers.

  • permanentxss: Detect stored (aka permanent) Cross-Site Scripting vulnerabilities on the web server.

  • redirect: Detect Open Redirect vulnerabilities.

  • sql: Detect SQL (but also LDAP and XPath) injection vulnerabilities by triggering errors (error-based technique).

  • ssrf: Detect Server-Side Request Forgery vulnerabilities.

  • xss: Detects stored (aka permanent) Cross-Site Scripting vulnerabilities on the web server.

These modules are run on demand:

  • backup: Uncover backup files on the web server.

  • brute_login_form: Attempt to login on authentication forms using known weak credentials (like admin/admin).

  • buster: Brute force paths on the web-server to discover hidden files and directories.

  • crlf: Detect Carriage Return Line Feed (CRLF) injection vulnerabilities.

  • csrf: Detect forms missing Cross-Site Request Forgery protections (CSRF tokens).

  • htaccess: Attempt to bypass access controls to a resource by using a custom HTTP method.

  • methods: Detect uncommon HTTP methods (like PUT) that may be allowed by a script.

  • nikto: Perform a brute-force attack to uncover known and potentially dangerous scripts on the web server.

  • shellshock: Detects scripts vulnerable to the infamous ShellShock vulnerability.

  • wapp: Identify web technologies used by the web server using Wappalyzer database.

  • xxe: Detect scripts vulnerable to XML external entity injection (also known as XXE).

Installation

pip3 install wapiti3

Usage

wapiti --update
wapiti --url https://www.example.com
wapiti --url https://www.example.com/wp-login.php --module common,backup,brute_login_form,buster,htaccess,methods,wapp

Built on 2024-04-18