Update doc
Update wapiti documentation including the new features
OussamaBeng committed Mar 28, 2024
1 parent 26997b3 commit c3279b8
Showing 4 changed files with 106 additions and 29 deletions.
7 changes: 5 additions & 2 deletions README.rst
Expand Up @@ -77,6 +77,7 @@ Browsing features
+ Adding some custom HTTP headers or setting a custom User-Agent.
+ Using a Firefox headless browser for crawling
+ Loading your own python code for complicated authentication cases (see `--form-script` option)
+ Adding custom URL or PATH to update Wappalyzer database


Supported attacks
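Review bot: the new bullet "Adding custom URL or PATH to update Wappalyzer database" should name the options the rest of this commit documents (`--wapp-url` and `--wapp-dir`) and use lowercase "path", since PATH in capitals reads as the environment variable. Suggested wording: "Updating the Wappalyzer database from a custom URL or local directory (see `--wapp-url` and `--wapp-dir`)".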
Expand All @@ -103,12 +104,13 @@ Supported attacks
+ Checking cookie security flags (secure and httponly flags)
+ Cross Site Request Forgery (CSRF) basic detection
+ Fingerprinting of web applications using the Wappalyzer database
+ Enumeration of Wordpress and Drupal modules
+ Enumeration of CMS module
+ Subdomain takeovers detection
+ Log4Shell (CVE-2021-44228) detection
+ Spring4Shell (CVE-2020-5398) detection
+ Check https redirections
+ Check for file upload vulnerabilities
+ Detection of network devices

Wapiti supports both GET and POST HTTP methods for attacks.
It also supports multipart and can inject payloads in filenames (upload).
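Review bot: "Enumeration of CMS module" should be plural ("CMS modules") to match the neighbouring bullets, and because the line it replaces named WordPress and Drupal explicitly, the new bullet loses information about coverage; list the supported CMS as the manpage in this commit does ({drupal,joomla,prestashop,spip,wp}) or point to the `--cms` option.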
Expand All @@ -123,11 +125,11 @@ The aforementioned attacks are tied to the following module names :
+ backup (Search copies of scripts and archives on the web server)
+ brute_login_form (Brute Force login form using a dictionary list)
+ buster (DirBuster like module)
+ cms (Scan to detect CMS and their versions)
+ cookieflags (Checks Secure and HttpOnly flags)
+ crlf (CR-LF injection in HTTP headers)
+ csp (Detect lack of CSP or weak CSP configuration)
+ csrf (Detects forms not protected against CSRF or using weak anti-CSRF tokens)
+ drupal_enum (Detect version of Drupal)
+ exec (Code execution or command injection)
+ file (Path traversal, file inclusion, etc)
+ htaccess (Misconfigured htaccess restrictions)
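Review bot: removing `drupal_enum` without a pointer leaves existing users guessing where that functionality went; if the new `cms` module supersedes it, say so in its description, e.g. "cms (Detect CMS and their versions, enumerate their modules; replaces drupal_enum)". As written the `cms` description mentions only version detection, while the Supported attacks list in this same file advertises CMS module enumeration.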
Expand All @@ -136,6 +138,7 @@ The aforementioned attacks are tied to the following module names :
+ https_redirect (Check https redirections)
+ log4shell (Detects websites vulnerable to CVE-2021-44228)
+ methods (Look for uncommon available HTTP methods like PUT)
+ network_device (Look for common files to detect network devices)
+ nikto (Look for known vulnerabilities by testing URL existence and checking responses)
+ permanentxss (Rescan the whole target after the xss module execution looking for previously tainted payloads)
+ redirect (Open Redirects)
65 changes: 55 additions & 10 deletions doc/wapiti.1
@@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "WAPITI" "1" "October 2022" "" ""
.TH "WAPITI" "1" "March 2024" "" ""
.
.SH "NAME"
\fBwapiti\fR \- A web application vulnerability scanner in Python
Expand Down Expand Up @@ -50,6 +50,9 @@ ATTACK SPECIFICATION:
.IP "\(bu" 4
\fB\-l\fR, \fB\-\-level\fR \fILEVEL\fR
.
.IP "\(bu" 4
\fB\-\-cms\fR {drupal,joomla,prestashop,spip,wp}
.
.IP "" 0
.
.P
Expand All @@ -68,12 +71,24 @@ PROXY AND AUTHENTICATION OPTIONS:
\fB\-a\fR, \fB\-\-auth\-cred\fR \fICREDENTIALS\fR
.
.IP "\(bu" 4
\fB\-\-auth\-user\fR \fIUSERNAME\fR
.
.IP "\(bu" 4
\fB\-\-auth\-password\fR \fIPASSWORD\fR
.
.IP "\(bu" 4
\fB\-\-auth\-method\fR {basic,digest,ntlm}
.
.IP "\(bu" 4
\fB\-\-form\-cred\fR \fICREDENTIALS\fR
.
.IP "\(bu" 4
\fB\-\-form\-user\fR \fIUSERNAME\fR
.
.IP "\(bu" 4
\fB\-\-form\-password\fR \fIPASSWORD\fR
.
.IP "\(bu" 4
\fB\-\-form\-url\fR \fIURL\fR
.
.IP "\(bu" 4
Expand Down Expand Up @@ -212,7 +227,7 @@ REPORT OPTIONS:
\fB\-o\fR, \fB\-\-output\fR \fIOUTPUT_PATH\fR
.
.IP "\(bu" 4
\fB\-dr\fR, \fB\-\-detailed\-report\fR
\fB\-dr\fR, \fB\-\-detailed\-report\fR \fILEVEL\fR
.
.IP "" 0
.
Expand All @@ -226,7 +241,7 @@ OTHER OPTIONS:
\fB\-\-version\fR
.
.IP "\(bu" 4
\fB\-\-update\fR
\fB\-\-update\fR [\fB\-\-wapp\-url\fR \fIWAPP_DB_URL\fR, \fB\-\-wapp\-dir\fR \fIWAPP_DB_PATH\fR]
.
.IP "\(bu" 4
\fB\-h\fR
Expand Down Expand Up @@ -326,6 +341,9 @@ It may be useful on CGIs when developers have to parse the query\-string themsel
.br
Default value for this option is 1\.
.
.IP "\(bu" 4
\fB\-\-cms\fR \fICMS_LIST\fR This option can only be used when the module cms is selected\. It allows to specify the CMS to scan from the list {drupal,joomla,prestashop,spip,wp}\. Multiple choices are allowed, all the CMS will be scanned if this option is not set\.
.
.IP "" 0
.
.SH "PROXY AND AUTHENTICATION"
Expand All @@ -349,7 +367,22 @@ Make Wapiti use a Tor listener (same as \-\-proxy socks://127\.0\.0\.1:9050/)
\fB\-a\fR, \fB\-\-auth\-cred\fR \fICREDENTIALS\fR
.
.br
Set credentials to use for HTTP authentication on the target (see available methods bellow)\. Given value should be in the form login%password (% is used as a separator)
(DEPRECATED) Set credentials to use for HTTP authentication on the target (see available methods bellow)\. Given value should be in the form login%password (% is used as a separator)
.
.IP "\(bu" 4
\fB\-\-auth\-user\fR \fIUSERNAME\fR
.
.br
Set username to use for HTTP authentication on the target (see available methods bellow)\.
.
.IP "\(bu" 4
\fB\-\-auth\-password\fR \fIPASSWORD\fR
.
.br
Set password to use for HTTP authentication on the target (see available methods bellow)\.
.
.IP "" 0

.
.IP "\(bu" 4
\fB\-\-auth\-method\fR \fITYPE\fR
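Review bot: the `.IP "" 0` and the blank troff line inserted after the `--auth-password` entry (just before `--auth-method`) terminate the option list early and emit stray vertical space in the rendered page; no other entry in this list does this, so drop both and keep the `.` / `.IP "\(bu" 4` rhythm used by the surrounding entries. The changed and added text also repeats the typo "bellow" three times ("see available methods bellow"): "below".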
Expand All @@ -361,7 +394,22 @@ Set the authentication mechanism to use\. Valid choices are basic, digest and nt
\fB\-\-form\-cred\fR \fICREDENTIALS\fR
.
.br
Set credentials to use for web form authentication on the target\. Given value should be in the form login%password (% is used as a separator)
(DEPRECATED) Set credentials to use for web form authentication on the target\. Given value should be in the form login%password (% is used as a separator)
.
.IP "\(bu" 4
\fB\-\-form\-user\fR \fIUSERNAME\fR
.
.br
Set username to use for web form authentication on the target\.
.
.IP "\(bu" 4
\fB\-\-form\-password\fR \fIPASSWORD\fR
.
.br
Set password to use for web form authentication on the target\.
.
.IP "" 0

.
.IP "\(bu" 4
\fB\-\-form\-url\fR \fIURL\fR
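Review bot: same problem as in the HTTP authentication block: the `.IP "" 0` and blank line added after the `--form-password` entry close the list before `--form-url`, which is still part of it; remove them.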
Expand Down Expand Up @@ -728,10 +776,7 @@ Although the HTML reports were rewritten to be more responsive, they still are i
Set the path were the report will be generated\.
.
.IP "\(bu" 4
\fB\-dr\fR, \fB\-\-detailed\-report\fR
.
.br
HTTP responses (headers and bodies) will appear in the report\.
\fB\-dr\fR, \fB\-\-detailed\-report\fR \fILEVEL\fR Set the level of detailed report for the output\. Possible values are (1) : includes HTTP requestes in the report, (2) : includes HTTP responses (headers and bodies) in the report\.
.
.IP "" 0
.
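Review bot: the rewritten `-dr` entry puts the description on the same line as the option and drops the `.` / `.br` lines that every other entry uses (and that the removed lines still show), so it will render differently from its neighbours; the ronn source in this same commit keeps the option and description on separate lines, which suggests the man page was hand-edited rather than regenerated with ronn. "requestes" is a typo for "requests", and it would help to state whether level 2 includes the requests of level 1 or only the responses.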
Expand All @@ -756,7 +801,7 @@ You can still prevent reports from being sent using that option\.
\fB\-\-update\fR
.
.br
Update particular Wapiti modules (download a fresh version of the \fBapps\.json\fR and \fBnikto_db\fR files) then exit\. You can combine it with \fB\-\-store\-config\fR to specify where to store downloaded files\.
Update particular Wapiti modules (download a fresh version of the \fBapps\.json\fR and \fBnikto_db\fR files) then exit\. You can combine it with \fB\-\-store\-config\fR to specify where to store downloaded files\. You can also combine it with \fB\-\-wapp\-url\fR to update the Wappalyzer DB from a custom git repository, or with \fB\-\-wapp\-dir\fR to update it from a local Wappalyzer DB directory\.
.
.IP "\(bu" 4
\fB\-h\fR, \fB\-\-help\fR
47 changes: 34 additions & 13 deletions doc/wapiti.1.html


16 changes: 12 additions & 4 deletions doc/wapiti.ronn
Expand Up @@ -31,6 +31,7 @@ ATTACK SPECIFICATION:
* `-m` <MODULES_LIST>
* `--list-modules`
* `-l`, `--level` <LEVEL>
* `--cms` {drupal,joomla,prestashop,spip,wp}

PROXY AND AUTHENTICATION OPTIONS:

Expand Down Expand Up @@ -98,13 +99,13 @@ REPORT OPTIONS:

* `-f`, `--format` {json,html,txt,xml}
* `-o`, `--output` <OUTPUT_PATH>
* `-dr`, `--detailed-report`
* `-dr`, `--detailed-report` <LEVEL>

OTHER OPTIONS:

* `--no-bugreport`
* `--version`
* `--update`
* `--update` [`--wapp-url` <WAPP_DB_URL>, `--wapp-dir` <WAPP_DB_PATH>]
* `-h`

## TARGET SPECIFICATION
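Review bot: the `--update` synopsis line uses a comma inside the brackets, `[--wapp-url <WAPP_DB_URL>, --wapp-dir <WAPP_DB_PATH>]`, which does not say whether the two options are alternatives or can be combined; write `[--wapp-url <WAPP_DB_URL> | --wapp-dir <WAPP_DB_PATH>]` if they are mutually exclusive, or two separate bracketed groups if not. The same notation is copied into doc/wapiti.1 in this commit and should be fixed in both places.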
Expand Down Expand Up @@ -144,6 +145,11 @@ OTHER OPTIONS:
This behavior is now hidden behind this option and can be reactivated by setting -l to 2.
It may be useful on CGIs when developers have to parse the query-string themselves.
Default value for this option is 1.

* `--cms` <CMS_LIST>
This option can only be used when the module cms is selected.
It allows to specify the CMS to scan from the list {drupal,joomla,prestashop,spip,wp}.
Multiple choices are allowed, all the CMS will be scanned if this option is not set.

## PROXY AND AUTHENTICATION

Expand Down Expand Up @@ -358,8 +364,9 @@ Wapiti will generate a report at the end of the attack process. Several formats
* `-o`, `--output` <OUTPUT_PATH>
Set the path were the report will be generated.

* `-dr`, `--detailed-report`
HTTP responses (headers and bodies) will appear in the report.
* `-dr`, `--detailed-report` <LEVEL>
Set the level of detailed report for the output.
Possible values are (1) : includes HTTP requestes in the report, (2) : includes HTTP responses (headers and bodies) in the report.

## OTHER OPTIONS

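Review bot: "requestes" should be "requests" in the new `--detailed-report` text. More importantly, the removed line shows `-dr` used to take no argument, so scripts passing bare `-dr` will break; document whether LEVEL is now mandatory or has a default, and which level corresponds to the previous behaviour (responses in the report, presumably level 2).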
Expand All @@ -373,6 +380,7 @@ Wapiti will generate a report at the end of the attack process. Several formats
* `--update`
Update particular Wapiti modules (download a fresh version of the `apps.json` and `nikto_db` files) then exit.
You can combine it with `--store-config` to specify where to store downloaded files.
You can also combine it with `--wapp-url` to update the Wappalyzer DB from a custom git repository, or with `--wapp-dir` to update it from a local Wappalyzer DB directory.

* `-h`, `--help`
Show detailed options description. More details are available in this manpage though.
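Review bot: `--wapp-url` turns the fingerprint database into a remotely fetched input, so the added sentence should say what is pulled from the repository (which files and branch) and that its content replaces the local database as-is, so users know to point it only at repositories they control; the same applies to `--wapp-dir`. The option is named `--wapp-url` but the text says "custom git repository": clarify whether any URL is accepted or only a git remote.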
