Features

Overview

Wapiti allows you to audit the security of your web applications. It performs "black-box" scans: it does not study the application's source code, but crawls the pages of the deployed web application looking for scripts and forms into which it can inject data. Wapiti then acts like a fuzzer, injecting payloads to see whether a script is vulnerable.


Version info

Version 2.2.1 (Latest version)

Vulnerabilities detector

  • New attacks based on the Nikto database
  • Improvements to the existing attacks


Internationalization

Three languages are now available:

  • English
  • French
  • Spanish


Version 2.1

Vulnerabilities detector

Some improvements:

  • New blind SQL injection tests
  • Cross site scripting (XSS) attacks have been improved
  • New payloads have been added


Generation of reports

  • The information in the reports has been improved
  • Charts are generated with the Google Charts API


Cookies management

Wapiti now provides two new tools that allow the user to obtain cookies from the target server and to create new cookie files.


Version 2.0

Vulnerabilities detector

  • File Handling Errors (Local and remote include/require, fopen, readfile...)
  • Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
  • XSS (Cross Site Scripting) Injection
  • LDAP Injection
  • Command Execution detection (eval(), system(), passthru()...)
  • CRLF Injection (HTTP Response Splitting, session fixation...)

Wapiti is able to differentiate punctual (reflected) and permanent (stored) XSS vulnerabilities. Wapiti prints a warning every time it finds a script allowing HTTP uploads. A warning is also issued when an HTTP 500 code is returned (useful for ASP/IIS).
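As an added illustration of that distinction (example code, not Wapiti's own), the scanner-side logic: a unique marker is submitted once, then the pages are fetched again without the payload; a marker that survives the payload-free request was stored (permanent), one that only appears in the immediate response was reflected (punctual). `FakeSite`, its paths and the `probe` helper are constructed stand-ins so the example runs offline.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Response:
    status: int
    body: str


class FakeSite:
    """Constructed stand-in for a target: a reflecting page, a storing page, a failing page."""

    def __init__(self) -> None:
        self.comments: List[str] = []

    def get(self, path: str, params: Optional[Dict[str, str]] = None) -> Response:
        params = params or {}
        if path == "/search":  # echoes the query back unescaped (reflected)
            return Response(200, f"<p>Results for: {params.get('q', '')}</p>")
        if path == "/guestbook":  # persists the message and renders all of them (stored)
            if "msg" in params:
                self.comments.append(params["msg"])
            items = "".join(f"<li>{c}</li>" for c in self.comments)
            return Response(200, f"<ul>{items}</ul>")
        if path == "/broken":  # the ASP/IIS-style failure the page mentions
            return Response(500, "Internal Server Error")
        return Response(404, "")


def make_marker() -> str:
    # A random token ties a hit to this injection rather than to pre-existing page content.
    return "wapiti" + secrets.token_hex(4)


def probe(site: FakeSite, path: str, param: str,
          revisit_paths: List[str]) -> List[Tuple[str, str, str]]:
    """Inject one marker into `param` and classify the outcome as the page describes."""
    token = make_marker()
    first = site.get(path, {param: token})
    findings: List[Tuple[str, str, str]] = []
    if first.status == 500:
        findings.append(("warning", path, "HTTP 500 returned"))
    # Payload-free re-fetch: the marker can only still be present if the server stored it.
    if any(token in site.get(p).body for p in revisit_paths):
        findings.append(("permanent_xss", path, param))
    elif token in first.body:
        findings.append(("punctual_xss", path, param))
    return findings
```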


Demo online

Wapiti offers an online scan based on the same spider and scan engine as the full version. The online version only scans the page submitted in the form; it does not follow and scan the pages linked from that first page.


Generation of reports

Wapiti presents detailed information about the vulnerabilities it found in a report.

Useful content in the report:

  • Statistics
  • Details of the successful attacks
  • Vulnerabilities information
    • Description
    • How to solve
    • References

Format of the reports:

  • HTML Report: details of the vulnerabilities and statistics
  • XML Report: for exporting data easily
  • TXT Report


Wapiti Web 2.0 Site

A new site has been developed to encourage community participation and promote the use of Wapiti:

  • Wapiti information: news, features and roadmap
  • Wiki
  • Blog
  • Demo online


Code refactoring

  • Easier to maintain
  • Easier to extend
  • New attacks can be developed and integrated easily
  • Attacks are configured in external files (text or XML)


Documentation

Developer's guide and user's guide


Version 1.1.6

Vulnerabilities detector

  • File Handling Errors (Local and remote include/require, fopen, readfile...)
  • Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
  • XSS (Cross Site Scripting) Injection
  • LDAP Injection
  • Command Execution detection (eval(), system(), passthru()...)
  • CRLF Injection (HTTP Response Splitting, session fixation...)

Wapiti is able to differentiate punctual (reflected) and permanent (stored) XSS vulnerabilities. Wapiti prints a warning every time it finds a script allowing HTTP uploads. A warning is also issued when an HTTP 500 code is returned (useful for ASP/IIS).