https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=MlantzOWASP - User contributions [en]2026-04-26T00:26:07ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Automated_Audit_using_WAPITI&diff=188044Automated Audit using WAPITI2015-01-14T04:25:57Z<p>Mlantz: </p>
<hr />
<div>== Description ==<br />
<br />
WAPITI is a simple command line to tool to automate the audit of a web application. It's free and open source and has had some recent edits and updates ([http://wapiti.sourceforge.net/ WAPITI homepage]). The application is available for contribution at ([http://sourceforge.net/projects/wapiti/ WAPITI Repository]). <br />
<br />
Please be aware this command line does not replace a manual audit but can be useful to perform a first validation or exploration of legacy projects.<br />
<br />
== Requirements ==<br />
<br />
Python 2.6+<br />
<br />
It is also recommended that you perform a build of the app:<br />
<br />
python setup.py install<br />
<br />
== Command ==<br />
<br />
<pre>python wapiti http://mysite.com -n 10 -b folder -u -v 1 -f html -o /tmp/scan_report</pre><br />
<br />
'''Options used:'''<br />
* -n: Define a limit of urls to read with the same pattern (prevent endless loops), here limit to 10.<br />
* -b: Set the scope of the scan, here we analyze all the links to the pages which are in the same domain as the URL passed.<br />
* -u: Use color to highlight vulnerables parameters in output.<br />
* -v: Define verbosity level, here we print each url.<br />
* -f: Define report type, here we choose HTML format.<br />
* -o: Define report destination, in our case it must be a directory because we choose HTML format.<br />
<br />
'''Attack modules used by WAPITI:'''<br />
* ''backup'': This module search backup of scripts on the server.<br />
* ''blindsql'': Time-based blind sql scanner.<br />
* ''crlf'': Search for CR/LF injection in HTTP headers.<br />
* ''exec'': Module used to detect command execution vulnerabilities.<br />
* ''file'': Search for include()/fread() and other file handling vulns.<br />
* ''htaccess'': Try to bypass weak htaccess configurations.<br />
* ''nikto'': Use a Nikto database to search for potentially dangerous files.<br />
* ''permanentxss'': Look for permanent XSS.<br />
* ''sql'': Standard error-based SQL injection scanner.<br />
* ''xss'': Module for XSS detection.<br />
* ''buster'': Module for a file and directory buster attack - checking for "bad" files.<br />
* ''shellshock'': Module for Shellshock bug detection.<br />
<br />
== Report ==<br />
<br />
A sample TXT report is available [http://wapiti.sourceforge.net/example.txt here].<br />
<br />
[[Category:Code Snippet]]<br />
[[Category:Automated Audit]]<br />
[[Category:Externally Linked Page]]<br />
[[Category:Python]]</div>Mlantzhttps://wiki.owasp.org/index.php?title=Automated_Audit_using_WAPITI&diff=188043Automated Audit using WAPITI2015-01-14T04:23:58Z<p>Mlantz: </p>
<hr />
<div>== Description ==<br />
<br />
WAPITI is a simple command line to tool to automate the audit of a web application. It's free and open source and has had some recent edits and updates ([http://wapiti.sourceforge.net/ WAPITI homepage]). The application is available for contribution at ([http://sourceforge.net/projects/wapiti/ WAPITI Repository]). <br />
<br />
Please be aware this command line does not replace a manual audit but can be useful to perform a first validation or exploration of legacy projects.<br />
<br />
== Command line ==<br />
<br />
<pre>python wapiti http://mysite.com -n 10 -b folder -u -v 1 -f html -o /tmp/scan_report</pre><br />
<br />
'''Options used:'''<br />
* -n: Define a limit of urls to read with the same pattern (prevent endless loops), here limit to 10.<br />
* -b: Set the scope of the scan, here we analyze all the links to the pages which are in the same domain as the URL passed.<br />
* -u: Use color to highlight vulnerables parameters in output.<br />
* -v: Define verbosity level, here we print each url.<br />
* -f: Define report type, here we choose HTML format.<br />
* -o: Define report destination, in our case it must be a directory because we choose HTML format.<br />
<br />
'''Attack modules used by WAPITI:'''<br />
* ''backup'': This module search backup of scripts on the server.<br />
* ''blindsql'': Time-based blind sql scanner.<br />
* ''crlf'': Search for CR/LF injection in HTTP headers.<br />
* ''exec'': Module used to detect command execution vulnerabilities.<br />
* ''file'': Search for include()/fread() and other file handling vulns.<br />
* ''htaccess'': Try to bypass weak htaccess configurations.<br />
* ''nikto'': Use a Nikto database to search for potentially dangerous files.<br />
* ''permanentxss'': Look for permanent XSS.<br />
* ''sql'': Standard error-based SQL injection scanner.<br />
* ''xss'': Module for XSS detection.<br />
* ''buster'': Module for a file and directory buster attack - checking for "bad" files.<br />
* ''shellshock'': Module for Shellshock bug detection.<br />
<br />
== Report ==<br />
<br />
A sample TXT report is available [http://wapiti.sourceforge.net/example.txt here].<br />
<br />
[[Category:Code Snippet]]<br />
[[Category:Automated Audit]]<br />
[[Category:Externally Linked Page]]<br />
[[Category:Python]]</div>Mlantzhttps://wiki.owasp.org/index.php?title=Automated_Audit_using_WAPITI&diff=188042Automated Audit using WAPITI2015-01-14T04:22:40Z<p>Mlantz: /* Report */</p>
<hr />
<div>Last revision (mm/dd/yy): '''01/13/2015'''<br />
<pre style="color:#088A08">This type of article aims to provide to development teams an easy/quick way <br />
to perform automated audit tests against their web application projects.</pre><br />
<br />
== Description ==<br />
<br />
WAPITI is a simple command line to tool to automate the audit of a web application. It's free and open source and has had some recent edits and updates ([http://wapiti.sourceforge.net/ WAPITI homepage]). The application is available for contribution at ([http://sourceforge.net/projects/wapiti/ WAPITI Repository]). <br />
<br />
Please be aware this command line does not replace a manual audit but can be useful to perform a first validation or exploration of legacy projects.<br />
<br />
== Command line ==<br />
<br />
<pre>python wapiti http://mysite.com -n 10 -b folder -u -v 1 -f html -o /tmp/scan_report</pre><br />
<br />
'''Options used:'''<br />
* -n: Define a limit of urls to read with the same pattern (prevent endless loops), here limit to 10.<br />
* -b: Set the scope of the scan, here we analyze all the links to the pages which are in the same domain as the URL passed.<br />
* -u: Use color to highlight vulnerables parameters in output.<br />
* -v: Define verbosity level, here we print each url.<br />
* -f: Define report type, here we choose HTML format.<br />
* -o: Define report destination, in our case it must be a directory because we choose HTML format.<br />
<br />
'''Attack modules used by WAPITI:'''<br />
* ''backup'': This module search backup of scripts on the server.<br />
* ''blindsql'': Time-based blind sql scanner.<br />
* ''crlf'': Search for CR/LF injection in HTTP headers.<br />
* ''exec'': Module used to detect command execution vulnerabilities.<br />
* ''file'': Search for include()/fread() and other file handling vulns.<br />
* ''htaccess'': Try to bypass weak htaccess configurations.<br />
* ''nikto'': Use a Nikto database to search for potentially dangerous files.<br />
* ''permanentxss'': Look for permanent XSS.<br />
* ''sql'': Standard error-based SQL injection scanner.<br />
* ''xss'': Module for XSS detection.<br />
* ''buster'': Module for a file and directory buster attack - checking for "bad" files.<br />
* ''shellshock'': Module for Shellshock bug detection.<br />
<br />
== Report ==<br />
<br />
A sample TXT report is available [http://wapiti.sourceforge.net/example.txt here].<br />
<br />
[[Category:Code Snippet]]<br />
[[Category:Automated Audit]]<br />
[[Category:Externally Linked Page]]<br />
[[Category:Python]]</div>Mlantzhttps://wiki.owasp.org/index.php?title=Automated_Audit_using_WAPITI&diff=188041Automated Audit using WAPITI2015-01-14T04:21:56Z<p>Mlantz: </p>
<hr />
<div>Last revision (mm/dd/yy): '''01/13/2015'''<br />
<pre style="color:#088A08">This type of article aims to provide to development teams an easy/quick way <br />
to perform automated audit tests against their web application projects.</pre><br />
<br />
== Description ==<br />
<br />
WAPITI is a simple command line to tool to automate the audit of a web application. It's free and open source and has had some recent edits and updates ([http://wapiti.sourceforge.net/ WAPITI homepage]). The application is available for contribution at ([http://sourceforge.net/projects/wapiti/ WAPITI Repository]). <br />
<br />
Please be aware this command line does not replace a manual audit but can be useful to perform a first validation or exploration of legacy projects.<br />
<br />
== Command line ==<br />
<br />
<pre>python wapiti http://mysite.com -n 10 -b folder -u -v 1 -f html -o /tmp/scan_report</pre><br />
<br />
'''Options used:'''<br />
* -n: Define a limit of urls to read with the same pattern (prevent endless loops), here limit to 10.<br />
* -b: Set the scope of the scan, here we analyze all the links to the pages which are in the same domain as the URL passed.<br />
* -u: Use color to highlight vulnerables parameters in output.<br />
* -v: Define verbosity level, here we print each url.<br />
* -f: Define report type, here we choose HTML format.<br />
* -o: Define report destination, in our case it must be a directory because we choose HTML format.<br />
<br />
'''Attack modules used by WAPITI:'''<br />
* ''backup'': This module search backup of scripts on the server.<br />
* ''blindsql'': Time-based blind sql scanner.<br />
* ''crlf'': Search for CR/LF injection in HTTP headers.<br />
* ''exec'': Module used to detect command execution vulnerabilities.<br />
* ''file'': Search for include()/fread() and other file handling vulns.<br />
* ''htaccess'': Try to bypass weak htaccess configurations.<br />
* ''nikto'': Use a Nikto database to search for potentially dangerous files.<br />
* ''permanentxss'': Look for permanent XSS.<br />
* ''sql'': Standard error-based SQL injection scanner.<br />
* ''xss'': Module for XSS detection.<br />
* ''buster'': Module for a file and directory buster attack - checking for "bad" files.<br />
* ''shellshock'': Module for Shellshock bug detection.<br />
<br />
== Report ==<br />
<br />
A sample HTML report is available [http://www.ict-romulus.eu/web/wapiti/wiki/-/wiki/Main/Wapiti%20HTML%20Report here].<br />
<br />
[[Category:Code Snippet]]<br />
[[Category:Automated Audit]]<br />
[[Category:Externally Linked Page]]<br />
[[Category:Python]]</div>Mlantzhttps://wiki.owasp.org/index.php?title=Automated_Audit_using_WAPITI&diff=188040Automated Audit using WAPITI2015-01-14T04:21:27Z<p>Mlantz: </p>
<hr />
<div>Last revision (mm/dd/yy): '''01/13/2015'''<br />
<pre style="color:#088A08">This type of article aims to provide to development teams an easy/quick way <br />
to perform automated audit tests against their web application projects over implementation phase.</pre><br />
<br />
== Description ==<br />
<br />
WAPITI is a simple command line to tool to automate the audit of a web application. It's free and open source and has had some recent edits and updates ([http://wapiti.sourceforge.net/ WAPITI homepage]). The application is available for contribution at ([http://sourceforge.net/projects/wapiti/ WAPITI Repository]). <br />
<br />
Please be aware this command line does not replace a manual audit but can be useful to perform a first validation or exploration of legacy projects.<br />
<br />
== Command line ==<br />
<br />
<pre>python wapiti http://mysite.com -n 10 -b folder -u -v 1 -f html -o /tmp/scan_report</pre><br />
<br />
'''Options used:'''<br />
* -n: Define a limit of urls to read with the same pattern (prevent endless loops), here limit to 10.<br />
* -b: Set the scope of the scan, here we analyze all the links to the pages which are in the same domain as the URL passed.<br />
* -u: Use color to highlight vulnerables parameters in output.<br />
* -v: Define verbosity level, here we print each url.<br />
* -f: Define report type, here we choose HTML format.<br />
* -o: Define report destination, in our case it must be a directory because we choose HTML format.<br />
<br />
'''Attack modules used by WAPITI:'''<br />
* ''backup'': This module search backup of scripts on the server.<br />
* ''blindsql'': Time-based blind sql scanner.<br />
* ''crlf'': Search for CR/LF injection in HTTP headers.<br />
* ''exec'': Module used to detect command execution vulnerabilities.<br />
* ''file'': Search for include()/fread() and other file handling vulns.<br />
* ''htaccess'': Try to bypass weak htaccess configurations.<br />
* ''nikto'': Use a Nikto database to search for potentially dangerous files.<br />
* ''permanentxss'': Look for permanent XSS.<br />
* ''sql'': Standard error-based SQL injection scanner.<br />
* ''xss'': Module for XSS detection.<br />
* ''buster'': Module for a file and directory buster attack - checking for "bad" files.<br />
* ''shellshock'': Module for Shellshock bug detection.<br />
<br />
== Report ==<br />
<br />
A sample HTML report is available [http://www.ict-romulus.eu/web/wapiti/wiki/-/wiki/Main/Wapiti%20HTML%20Report here].<br />
<br />
[[Category:Code Snippet]]<br />
[[Category:Automated Audit]]<br />
[[Category:Externally Linked Page]]<br />
[[Category:Python]]</div>Mlantz