Tuesday, 12 April 2016

Wapiti on Ubuntu 14.04

Wapiti is an open source web application vulnerability scanner. It can detect the following vulnerabilities:

backup: This module searches for backups of scripts on the server.
blindsql: Time-based blind SQL injection scanner.
crlf: Search for CR/LF injection in HTTP headers.
exec: Module used to detect command execution vulnerabilities.
file: Search for include()/fread() and other file handling vulnerabilities.
htaccess: Try to bypass weak htaccess configurations.
nikto: Use a Nikto database to search for potentially dangerous files.
permanentxss: Look for permanent XSS.
sql: Standard error-based SQL injection scanner.
xss: Module for XSS detection.
buster: Module for a file and directory buster attack – checking for “bad” files.
shellshock: Module for Shellshock bug detection.

Install it from the Ubuntu repositories:

sudo apt-get install wapiti

Example scan:

wapiti http://example.org/cool-things -u -n 5 -b domain -v 2 -o /tmp/outfilename

-u, --color
    use colours

-b, --scope
    set the scope of the scan:
    page: only analyse the page given in the url
    folder: analyse all urls in the root url given (default option)
    domain: analyse all links to pages in the same domain

-n, --nice
    use this to prevent infinite loops, I usually go with 5

-f, --format
    change the output format

-v, --verbose
    0: none
    1: print each url
    2: print each attack

# if you don't specify a -v flag, then you get a blank screen for ages
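
The options above can be wrapped in a small shell function that rejects values the post does not list and defaults to -v 1 so the scan never runs silently. This is an added example, not part of the original post; run_wapiti, its argument order and the DRY_RUN variable are hypothetical, and it assumes the option syntax shown in this post.

```shell
#!/bin/sh
# Added example, not from the original post. run_wapiti and DRY_RUN are
# hypothetical names; the wapiti flags are the ones shown in the post.
# usage: run_wapiti URL SCOPE [NICE] [VERBOSE] [OUTFILE]
run_wapiti() {
    url=$1 scope=$2 nice=${3:-5} verbose=${4:-1} out=${5:-/tmp/outfilename}

    # The target must be an explicit http(s) URL.
    case $url in
        http://?*|https://?*) ;;
        *) echo "run_wapiti: URL must start with http:// or https://" >&2
           return 2 ;;
    esac

    # -b takes exactly one of the three scopes; make the caller choose it
    # explicitly so the crawl never widens to "domain" by accident.
    case $scope in
        page|folder|domain) ;;
        *) echo "run_wapiti: scope must be page, folder or domain" >&2
           return 2 ;;
    esac

    # -n expects a number (the post uses 5).
    case $nice in
        ''|*[!0-9]*) echo "run_wapiti: nice must be a number" >&2
                     return 2 ;;
    esac

    # -v levels: 0 none, 1 each url, 2 each attack. Default is 1 so the
    # terminal shows progress instead of staying blank.
    case $verbose in
        0|1|2) ;;
        *) echo "run_wapiti: verbose must be 0, 1 or 2" >&2
           return 2 ;;
    esac

    # Build the argument vector once so quoting is preserved when it runs.
    set -- wapiti "$url" -u -n "$nice" -b "$scope" -v "$verbose" -o "$out"
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"      # print the command instead of running it
    else
        "$@"
    fi
}
```

With DRY_RUN=1 set, the function prints the command it would run, which is useful for checking the scope before starting a long scan.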

Ref:- https://jonathansblog.co.uk/wapiti-tutorial
