# Basic usage

Wapiti is a powerful web application vulnerability scanner, designed to identify security weaknesses in web applications by performing black-box testing.

This guide will walk you through the basic usage of Wapiti, focusing on the core options: `-u`, `-v`, and `--scope`.
The most fundamental command in Wapiti is to start a scan on a specific URL. The `-u` (or `--url`) option specifies the base URL that Wapiti will scan.

```
wapiti -u http://example.com
```

Explanation:

- `-u http://example.com`: This tells Wapiti to begin scanning the website at `http://example.com`. The scanner will look for potential vulnerabilities across the website, including within the same directory or subdirectories (depending on the scope; the default one is `folder`).
The `--scope` option allows you to define the boundaries of the scan. The scope determines how far Wapiti will explore the target website from the base URL.

```
wapiti -u http://example.com --scope folder
```

Scope Options:

Let's say a target has three websites on different subdomains linked together. The existing URLs are the following:

- http://example.com/
- http://example.com/index.html
- http://example.com/archive/index.html
- http://example.com/archive/search.php
- http://blog.example.com/
- http://blog.example.com/?id=1
- http://blog.example.com/search?term=wapiti
- http://blog.example.com/search?term=infosec
- http://dev.example.com/admin/

Now let's see what Wapiti will scan based on the chosen scope.
- `url`: Wapiti will only scan the exact URL you provide. For example, with `wapiti -u http://blog.example.com/?id=1 --scope url`, Wapiti will only scan `http://blog.example.com/?id=1` with the given query string. However, if the webpage contains forms that send data to that same exact URL, those forms will be included in the scope.
- `page`: Wapiti will scan the page you provide regardless of the query string. For example, if you specify `-u http://blog.example.com/search` with `--scope page`, then `http://blog.example.com/search?term=wapiti` will be scanned as well as `http://blog.example.com/search?term=infosec`.
- `folder`: Wapiti will scan all URLs within the same directory as the base URL. For instance, with `wapiti -u http://example.com/archive/ --scope folder`, Wapiti will scan all pages within `http://example.com/archive/` (the files `search.php` and `index.html`).
- `subdomain`: Wapiti will scan all URLs under the same subdomain as the base URL. For example, if your base URL is `http://blog.example.com/?id=1`, Wapiti will scan all URLs under `blog.example.com`.
- `domain`: Wapiti will scan all URLs under the entire root domain of the base URL. For instance, `wapiti -u http://blog.example.com --scope domain` will scan everything under `example.com`, including any subdomains (`dev.example.com` and `blog.example.com`).
- `punk`: This scope is the most aggressive and tells Wapiti to also scan URLs outside of the provided domain, potentially leading to unintended areas. Use with caution.
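To make the scope rules above concrete, here is an added Python illustration (not Wapiti's own implementation) that filters the sample URL list from this page by scope. It assumes the root domain is simply the last two host labels; a real scanner would consult the public suffix list.

```python
from urllib.parse import urlparse

# Constructed list: the example URLs discussed on this page.
SAMPLE_URLS = [
    "http://example.com/",
    "http://example.com/index.html",
    "http://example.com/archive/index.html",
    "http://example.com/archive/search.php",
    "http://blog.example.com/",
    "http://blog.example.com/?id=1",
    "http://blog.example.com/search?term=wapiti",
    "http://blog.example.com/search?term=infosec",
    "http://dev.example.com/admin/",
]


def _root_domain(host: str) -> str:
    # Assumption: root domain = last two labels (no public-suffix handling).
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def _folder(path: str) -> str:
    # Directory part of a path: "/archive/search.php" -> "/archive/", "" -> "/".
    if not path.endswith("/"):
        path = path.rsplit("/", 1)[0] + "/"
    return path


def in_scope(base: str, candidate: str, scope: str) -> bool:
    """Return True if `candidate` lies inside `scope` relative to `base`."""
    if scope == "punk":                      # no boundary at all
        return True
    b, c = urlparse(base), urlparse(candidate)
    if scope == "domain":                    # same root domain, any subdomain
        return _root_domain(b.hostname) == _root_domain(c.hostname)
    if b.hostname.lower() != c.hostname.lower():
        return False                         # remaining scopes stay on one host
    if scope == "subdomain":
        return True
    if scope == "folder":                    # same directory or a subdirectory
        return c.path.startswith(_folder(b.path))
    if scope == "page":                      # same path, query string ignored
        return (c.path or "/") == (b.path or "/")
    if scope == "url":                       # exact URL, query string included
        return (c.path or "/") == (b.path or "/") and c.query == b.query
    raise ValueError(f"unknown scope: {scope}")


def select(base: str, scope: str, urls=SAMPLE_URLS) -> list:
    """Reduce a crawled URL list to what the given scope would allow."""
    return [u for u in urls if in_scope(base, u, scope)]
```

Running `select` with each base URL and scope from the examples above reproduces the sets the list describes, which is a quick way to sanity-check a scope before launching a scan.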
The `-v` option controls the verbosity of the output, allowing you to manage how much information Wapiti provides during the scan.

```
wapiti -u http://example.com -v 1
```

Verbosity Levels:

- `0` (quiet): Wapiti runs silently, only showing discovered vulnerabilities.
- `1` (normal): This is the default setting, showing essential progress and findings.
- `2` (verbose): Wapiti provides detailed information about each step it takes, including tested HTTP requests.

Example:

```
wapiti -u http://example.com -v 2
```

In this example, Wapiti will provide detailed output, which is useful for debugging or for seeing exactly how Wapiti interacts with the target site.
Suppose you want to run a scan on the subdomain `http://shop.example.com`, and you want to include all pages under this subdomain with detailed output. The command would be:

```
wapiti -u http://shop.example.com --scope subdomain -v 2
```

Explanation:

- `-u http://shop.example.com`: Sets the base URL to scan.
- `--scope subdomain`: Expands the scan to all pages under the `shop.example.com` subdomain.
- `-v 2`: Outputs detailed information about the scan process.

This command ensures that you cover the entire subdomain with maximum insight into the scanning process.

By understanding these basic options, you can start using Wapiti effectively for your web application security needs. For more advanced usage, including authentication, module selection, and customized reporting, refer to the full documentation and other sections of the Wapiti wiki.