This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Difference between revisions of "Automated Audit using WAPITI"
From OWASP
Latest revision as of 10:40, 21 January 2016
Description
WAPITI is a simple command-line tool to automate the audit of a web application. It is free and open source and has received some recent edits and updates (WAPITI homepage: http://wapiti.sourceforge.net/). The application is open for contribution at the WAPITI repository (http://sourceforge.net/projects/wapiti/).
Be aware that this command-line tool does not replace a manual audit, but it can be useful for a first validation or exploration of legacy projects.
Requirements
Python 2.6+
It is also recommended that you build and install the application from source:
python setup.py install
Command
python wapiti http://mysite.com -n 10 -b folder -u -v 1 -f html -o /tmp/scan_report
Options used:
- -n: Limit the number of URLs read that share the same pattern (prevents endless loops); here the limit is 10.
- -b: Set the scope of the scan; here we analyze all the links to pages in the same domain as the URL passed.
- -u: Use color to highlight vulnerable parameters in the output.
- -v: Define the verbosity level; here we print each URL.
- -f: Define the report type; here we choose the HTML format.
- -o: Define the report destination; in our case it must be a directory because we chose the HTML format.
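As an added example (not from the OWASP page or the Wapiti project), a small POSIX sh wrapper around the command above: it checks the arguments before the scan starts, creates the directory that -o needs for HTML output, and with WAPITI_DRY_RUN=1 prints the command line instead of running it. The function names, the WAPITI_DRY_RUN variable and the accepted formats (only the two named on this page) are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the OWASP page or the Wapiti project: a POSIX sh
# wrapper around the scan command shown above. It validates the arguments
# (in particular that -o is a directory when -f html is used) and can print
# the command instead of running it (WAPITI_DRY_RUN=1).

# check_scan_args TARGET_URL OUTPUT FORMAT LIMIT  -> 0 if usable, 1 otherwise
check_scan_args() {
    target="$1"; out="$2"; fmt="$3"; limit="$4"
    case "$target" in
        http://*|https://*) ;;
        *) echo "target must be an http(s) URL: $target" >&2; return 1 ;;
    esac
    case "$limit" in
        ''|*[!0-9]*|0) echo "-n limit must be a positive integer: $limit" >&2; return 1 ;;
    esac
    case "$fmt" in
        # Only the formats mentioned on the page are accepted here (assumption).
        html|txt) ;;
        *) echo "unsupported report format: $fmt" >&2; return 1 ;;
    esac
    # The HTML report is written into a directory; refuse an existing plain file.
    if [ "$fmt" = "html" ] && [ -e "$out" ] && [ ! -d "$out" ]; then
        echo "-f html needs a directory for -o, not a file: $out" >&2
        return 1
    fi
    return 0
}

# run_scan TARGET_URL OUTPUT [FORMAT] [LIMIT]
# Defaults match the page's command: HTML report, 10 URLs per pattern.
run_scan() {
    target="$1"; out="$2"; fmt="${3:-html}"; limit="${4:-10}"
    check_scan_args "$target" "$out" "$fmt" "$limit" || return 1
    if [ "$fmt" = "html" ]; then
        mkdir -p "$out" || return 1   # -o must be a directory for HTML output
    fi
    # Build argv as positional parameters: no eval, no word-splitting surprises.
    set -- python wapiti "$target" -n "$limit" -b folder -u -v 1 -f "$fmt" -o "$out"
    if [ "${WAPITI_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
        return 0
    fi
    "$@"
}
```

Usage: `WAPITI_DRY_RUN=1 run_scan http://mysite.com /tmp/scan_report` prints the exact command from the page; drop the variable to run the scan against a target you are authorized to test.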
Attack modules used by WAPITI:
- backup: Searches for backup copies of scripts on the server.
- blindsql: Time-based blind SQL injection scanner.
- crlf: Searches for CR/LF injection in HTTP headers.
- exec: Detects command execution vulnerabilities.
- file: Searches for include()/fread() and other file-handling vulnerabilities.
- htaccess: Tries to bypass weak .htaccess configurations.
- nikto: Uses a Nikto database to search for potentially dangerous files.
- permanentxss: Looks for permanent (stored) XSS.
- sql: Standard error-based SQL injection scanner.
- xss: XSS detection.
- buster: File and directory busting, checking for "bad" files.
- shellshock: Shellshock bug detection.
Report
A sample TXT report is available at http://wapiti.sourceforge.net/example.txt.