Adding and excluding URLs
Wapiti provides command-line options to fine-tune the scan and attacks. This section covers the `-s` (start URL) and `-x` (exclude URL) options.

If Wapiti doesn't find enough URLs from the base URL, you can use the `-s` option to add additional URLs to start the scan. These URLs are treated with a depth of 0, just like the base URL. This option can be used multiple times.
Additionally, you can provide a filename containing URLs, with each URL on a new line. The file must be UTF-8 encoded.
Usage:

```
wapiti -u http://example.com -s http://example.com/login -s urls.txt
```
In this example:

- The scan starts from `http://example.com/login` in addition to the base URL.
- The URLs from `urls.txt` will also be added to the initial scan.
Note that these start URLs are crawled even if they fall outside the specified scope.
The `-x` option is used to exclude certain URLs from the scan. A common use case is excluding the logout URL to avoid destroying session cookies when using the `--cookie` option.
This option can also be called multiple times and supports wildcards for basic pattern matching.
Usage:

```
wapiti -u http://example.com -x http://example.com/logout
```
This excludes the logout URL from the scan.
Example, to exclude multiple URLs:

```
wapiti -u http://example.com -x http://example.com/logout -x http://example.com/logout?* -x "*/admin/*"
```

In this case, the scan will avoid the logout URL, any variation of the logout URL with a query string, and any URL that contains `/admin/`.
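The `-s` expansion and the `-x` wildcard matching described above, as an added Python illustration of the documented behaviour (this is not Wapiti's own code; the function names, the literal-only treatment of `?`, and the sample `urls.txt` contents are assumptions):

```python
import re
from typing import Callable, Iterable, List

# Added illustration of the -s / -x semantics documented above; not Wapiti's code.


def glob_to_regex(pattern: str) -> re.Pattern:
    """Compile one -x pattern into an anchored regex.

    Only '*' is a wildcard. Every other character, including the '?' that
    starts a query string, is matched literally (assumption, see lead-in).
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$")


def is_excluded(url: str, patterns: Iterable[str]) -> bool:
    """True if the URL matches at least one -x pattern."""
    return any(glob_to_regex(p).match(url) for p in patterns)


def filter_discovered(urls: Iterable[str], patterns: Iterable[str]) -> List[str]:
    """Keep only the crawled URLs that no -x pattern excludes."""
    return [u for u in urls if not is_excluded(u, patterns)]


def expand_start_args(start_args: Iterable[str],
                      read_text: Callable[[str], str]) -> List[str]:
    """Expand -s arguments: a URL is kept as-is, anything else is read as a
    UTF-8 file with one URL per line (blank lines skipped). No scope check is
    applied here, mirroring the note that start URLs are crawled even when
    they fall outside the scope."""
    seeds: List[str] = []
    for arg in start_args:
        if arg.startswith(("http://", "https://")):
            seeds.append(arg)
        else:
            lines = read_text(arg).splitlines()
            seeds.extend(line.strip() for line in lines if line.strip())
    return seeds


# Constructed sample contents for a urls.txt passed via -s.
CONSTRUCTED_URLS_TXT = "http://example.com/account\n\nhttp://other.example.org/api\n"

# Constructed URLs a crawl might discover, used to show the exclusion rules.
CONSTRUCTED_DISCOVERED = [
    "http://example.com/logout",
    "http://example.com/logout?next=/home",
    "http://example.com/logoutX",
    "http://example.com/admin/users",
    "http://example.com/administrator",
]
```

Running `filter_discovered(CONSTRUCTED_DISCOVERED, ["http://example.com/logout", "http://example.com/logout?*", "*/admin/*"])` keeps only `logoutX` and `administrator`, which shows why the documented example passes both logout patterns: the bare pattern alone does not cover the query-string variant.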