HTDark | Underground Hacking Forum and Cybersecurity Community
  • Earn real money by being active: Hello Guest, earn real money by simply being active on the forum — post quality content, get reactions, and help the community. Once you reach the minimum credit amount, you’ll be able to withdraw your balance directly. Learn how it works.

Pentest Wapiti - Web Vulnerability Scanner

dEEpEst

dEEpEst

☣☣ In The Depths ☣☣
Staff member
Administrator
Super Moderator
Hacker
Specter
Crawler
Shadow
Joined
Mar 29, 2018
Messages
13,860
Solutions
4
Reputation
27
Reaction score
45,546
Points
1,813
Credits
55,340
‎7 Years of Service‎
 
56%

How it works​

Wapiti works as a "black-box" vulnerability scanner, that means it won't study the source code of web applications but will work like a fuzzer, scanning the pages of the deployed web application, extracting links and forms and attacking the scripts, sending payloads and looking for error messages, special strings or abnormal behaviors.

General features​

  • Generates vulnerability reports in various formats (HTML, XML, JSON, TXT, CSV).
  • Can suspend and resume a scan or an attack (session mechanism using sqlite3 databases).
  • Can give you colors in the terminal to highlight vulnerabilities.
  • Different levels of verbosity.
  • Fast and easy way to activate/deactivate attack modules.
  • Adding a payload can be as easy as adding a line to a text file.
  • Configurable number of concurrent tasks to perform HTTP requests.

Browsing features​

  • Support HTTP, HTTPS and SOCKS5 proxies.
  • HTTP authentication on the target (Basic, Digest, NTLM)
  • Authentication by filling login forms.
  • Ability to restrain the scope of the scan (domain, folder, page, url).
  • Automatic removal of one or more parameters in URLs.
  • Multiple safeguards against scan endless-loops (for example, limit of values for a parameter).
  • Possibility to set the first URLs to explore (even if not in scope).
  • Can exclude some URLs of the scan and attacks (eg: logout URL).
  • Import cookies from your Chrome or Firefox browser or using the wapiti-getcookie tool.
  • Can activate / deactivate SSL certificates verification.
  • Extract URLs from Flash SWF files.
  • Try to extract URLs from javascript (very basic JS interpreter).
  • HTML5 aware (understand recent HTML tags).
  • Several options to control the crawler behavior and limits.
  • Skipping some parameter names during attack.
  • Setting a maximum time for the scan process.
  • Adding some custom HTTP headers or setting a custom User-Agent.
  • Using a Firefox headless browser for crawling
  • Loading your own python code for complicated authentication cases (see --form-script option)
  • Adding custom URL or PATH to update Wappalyzer database
  • Scan REST APIs given an OpenAPI (swagger) file

Supported attacks​

  • SQL Injections (Error based, boolean based, time based) and XPath Injections
  • LDAP injections (Error based and boolean based)
  • Cross Site Scripting (XSS) reflected and permanent
  • File disclosure detection (local and remote include, require, fopen, readfile...)
  • Command Execution detection (eval(), system(), passtru()...)
  • XXE (Xml eXternal Entity) injection
  • CRLF Injection
  • Search for potentially dangerous files on the server (thank to the Nikto db)
  • Bypass of weak htaccess configurations
  • Search for copies (backup) of scripts on the server
  • Shellshock
  • Folder and file enumeration (DirBuster like)
  • Server Side Request Forgery (through use of an external Wapiti website)
  • Open Redirects
  • Detection of uncommon HTTP methods (like PUT)
  • Basic CSP Evaluator
  • Brute Force login form (using a dictionary list)
  • Checking HTTP security headers
  • Checking cookie security flags (secure and httponly flags)
  • Cross Site Request Forgery (CSRF) basic detection
  • Fingerprinting of web applications using the Wappalyzer database, gives related CVE information
  • Enumeration of CMS modules for Wordpress, Drupal, Joomla, SPIP, etc
  • Subdomain takeovers detection
  • Log4Shell (CVE-2021-44228) detection
  • Spring4Shell (CVE-2020-5398) detection
  • Check https redirections
  • Check for file upload vulnerabilities
  • Detection of network devices
  • Inject payloads inside JSON body too
Wapiti supports both GET and POST HTTP methods for attacks. It also supports multipart and can inject payloads in filenames (upload). Display a warning when an anomaly is found (for example 500 errors and timeouts) Makes the difference between permanent and reflected XSS vulnerabilities.

Module names​

The aforementioned attacks are tied to the following module names :

  • backup (Search copies of scripts and archives on the web server)
  • brute_login_form (Brute Force login form using a dictionary list)
  • buster (DirBuster like module)
  • cms (Scan to detect CMS and their versions)
  • cookieflags (Checks Secure and HttpOnly flags)
  • crlf (CR-LF injection in HTTP headers)
  • csp (Detect lack of CSP or weak CSP configuration)
  • csrf (Detects forms not protected against CSRF or using weak anti-CSRF tokens)
  • exec (Code execution or command injection)
  • file (Path traversal, file inclusion, etc)
  • htaccess (Misconfigured htaccess restrictions)
  • htp (Identify web technologies used the HashThePlanet database)
  • http_header (Check HTTP security headers)
  • https_redirect (Check https redirections)
  • ldap (Error-based and boolean-based LDAP injection detection)
  • log4shell (Detects websites vulnerable to CVE-2021-44228)
  • methods (Look for uncommon available HTTP methods like PUT)
  • network_device (Look for common files to detect network devices)
  • nikto (Look for known vulnerabilities by testing URL existence and checking responses)
  • permanentxss (Rescan the whole target after the xss module execution looking for previously tainted payloads)
  • redirect (Open Redirects)
  • shellshock (Test Shellshock attack, see
    This link is hidden for visitors. Please Log in or register now.
    )
  • spring4shell (Detects websites vulnerable to CVE-2020-5398)
  • sql (Error-based and boolean-based SQL injection detection)
  • ssl (Evaluate the security of SSL/TLS certificate configuration, requires
    This link is hidden for visitors. Please Log in or register now.
    )
  • ssrf (Server Side Request Forgery)
  • takeover (Subdomain takeover)
  • timesql (SQL injection vulnerabilities detected with time-based methodology)
  • upload (File upload vulnerabilities)
  • wapp (Not an attack module, retrieves web technologies with versions and categories in use on the target, find corresponding CVEs)
  • wp_enum (Enumerate plugins and themes on a Wordpress website)
  • xss (XSS injection module)
  • xxe (XML External Entity attack)
Module names can be given as comma separated list using the "-m" or "--module" option.

To find more vulnerabilities (as some attacks are error-based), you can modify your webserver configurations.

For example, you can set the following values in your PHP configuration :

Code: 
safe_mode = Off
display_errors = On (recommended)
magic_quotes_gpc = Off
allow_url_fopen = On
mysql.trace_mode = On

Find and download the release from
This link is hidden for visitors. Please Log in or register now.
.

Or from here:

 
You must log in or register to reply here.
Back
Top