Adding and excluding URLs

devloop edited this page Sep 26, 2024 · 1 revision

Wapiti provides command-line options to fine-tune the scan and attacks. This section covers the -s (start URL) and -x (exclude URL) options.


-s / --start: Add Starting URLs for the Scan

If the crawler does not discover enough URLs starting from the base URL, you can use the -s option to add additional URLs to start the scan from. These URLs are treated with a depth of 0, just like the base URL. This option can be used multiple times.

Additionally, you can provide a filename containing URLs, with each URL on a new line. The file must be UTF-8 encoded.

Usage:

wapiti -u http://example.com -s http://example.com/login -s urls.txt

In this example:

  • The scan starts from http://example.com/login in addition to the base URL.
  • The URLs from urls.txt will also be added to the initial scan.

Note that URLs supplied this way are crawled even if they fall outside the specified scope.


-x / --exclude: Exclude Specific URLs

The -x option is used to exclude certain URLs from the scan. A common use case is excluding the logout URL so that the crawler does not request it and invalidate the authenticated session you supplied with the --cookie option.

This option can also be called multiple times and supports wildcards for basic pattern matching.

Usage:

wapiti -u http://example.com -x http://example.com/logout

This excludes the logout URL from the scan.

Example:

  • To exclude multiple URLs:

    wapiti -u http://example.com -x http://example.com/logout -x http://example.com/logout?* -x "*/admin/*"

    In this case, the scan will avoid the logout URL, any variation of the logout URL with a query string, and any URL containing /admin/.
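The following Python helper is an added example for both the -s and -x sections above; it is not part of Wapiti and does not call Wapiti's code. It writes a UTF-8 start-URL file in the one-URL-per-line format -s accepts, assembles the command line shown on this page, and runs a pre-flight check that flags start URLs which also match an exclude pattern (so you do not accidentally seed the crawl with the logout URL you meant to exclude) or which lie outside the base URL. The wildcard rule it uses, treating only `*` as a wildcard and everything else literally, is an assumption made for the check, not Wapiti's own matcher, and the URLs, file names and cookie file are constructed for the example.

```python
import re
import subprocess
from typing import Iterable, List, Tuple

# Constructed example values; nothing here is real infrastructure.
BASE_URL = "http://example.com"
START_URLS = [
    "http://example.com/login",
    "http://example.com/account/übersicht",   # non-ASCII path: this is why -s files must be UTF-8
    "http://example.com/logout?next=%2F",    # mistake: would be excluded by -x below
    "http://static.example.net/app",          # outside the base URL; still crawled by -s
]
EXCLUDE_PATTERNS = [
    "http://example.com/logout",
    "http://example.com/logout?*",
    "*/admin/*",
]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn an exclude pattern into an anchored regex.

    Assumption for this check: only '*' is a wildcard; every other character,
    including '?', is matched literally, so 'logout?*' matches the query-string
    variants of /logout but not /logout itself (which needs its own -x entry).
    """
    escaped = re.escape(pattern).replace(r"\*", ".*")
    return re.compile(rf"^{escaped}$")


def is_excluded(url: str, exclude_patterns: Iterable[str]) -> bool:
    """True if the URL matches any -x pattern under the wildcard rule above."""
    return any(wildcard_to_regex(p).match(url) for p in exclude_patterns)


def format_start_urls(urls: Iterable[str]) -> str:
    """One URL per line, blank lines dropped; the text that goes into the -s file."""
    return "".join(f"{u.strip()}\n" for u in urls if u.strip())


def write_start_urls(path: str, urls: Iterable[str]) -> int:
    """Write the -s file as UTF-8 (required by Wapiti) and return the URL count."""
    text = format_start_urls(urls)
    with open(path, "w", encoding="utf-8", newline="\n") as fh:
        fh.write(text)
    return text.count("\n")


def preflight(start_urls: Iterable[str], exclude_patterns: Iterable[str],
              base_url: str = BASE_URL) -> Tuple[List[str], List[str]]:
    """Return (start URLs that collide with an -x pattern, start URLs outside base_url).

    Collisions are almost always a mistake (you seeded the crawl with something
    you also told it to avoid). Out-of-scope entries are only a warning: the page
    states -s URLs are crawled even when out of scope, so make sure you mean it.
    """
    starts = list(start_urls)
    collisions = [u for u in starts if is_excluded(u, exclude_patterns)]
    out_of_scope = [u for u in starts if not u.startswith(base_url.rstrip("/") + "/")
                    and u != base_url]
    return collisions, out_of_scope


def build_wapiti_argv(base_url: str, start_urls: Iterable[str],
                      exclude_patterns: Iterable[str], cookie_file: str = None) -> List[str]:
    """Assemble the argv for the invocation shown on the page; no shell quoting needed."""
    argv = ["wapiti", "-u", base_url]
    for s in start_urls:
        argv += ["-s", s]
    for x in exclude_patterns:
        argv += ["-x", x]
    if cookie_file:
        argv += ["--cookie", cookie_file]
    return argv


if __name__ == "__main__":
    collisions, out_of_scope = preflight(START_URLS, EXCLUDE_PATTERNS)
    for u in collisions:
        print(f"WARNING: start URL also matches an exclude pattern, dropping it: {u}")
    for u in out_of_scope:
        print(f"NOTE: start URL is outside {BASE_URL} and will still be crawled: {u}")
    clean_starts = [u for u in START_URLS if u not in collisions]
    write_start_urls("urls.txt", clean_starts)          # hypothetical file name
    argv = build_wapiti_argv(BASE_URL, ["urls.txt"], EXCLUDE_PATTERNS, cookie_file="cookies.json")
    print(" ".join(argv))
    # subprocess.run(argv, check=True)  # uncomment to actually launch the scan
```

Passing the command as an argv list to subprocess avoids shell expansion, which matters here: an unquoted `*/admin/*` typed at a shell prompt is a glob that the shell may expand against the current directory before Wapiti ever sees it, which is why the page quotes that pattern.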