-
Notifications
You must be signed in to change notification settings - Fork 187
HTTP and web authentication
Wapiti provides several options to authenticate using HTTP or web forms, allowing you to test authenticated areas of a website. You can use either basic/digest/NTLM authentication or handle web forms for login.
-
-a
,--auth-cred
(Deprecated)
Set credentials to use for HTTP authentication on the target. The value should be in the form oflogin%password
(where%
is used as a separator).Example:
wapiti --auth-cred user%password
-
--auth-user
Set the username for HTTP authentication. -
--auth-password
Set the password for HTTP authentication. -
--auth-method
Set the authentication mechanism to use. Valid choices are:basic
digest
-
ntlm
(may require installing an additional Python module)
Example:
wapiti --auth-user admin --auth-password pass123 --auth-method basic
-
--form-cred
(Deprecated)
Set credentials for web form authentication. The value should be in the form oflogin%password
(where%
is used as a separator). -
--form-user
Set the username for web form authentication. -
--form-password
Set the password for web form authentication. -
--form-url
If--form-data
is not provided, Wapiti will automatically extract and fill the login form at the given URL using the provided credentials.Example:
wapiti --form-user admin --form-password pass123 --form-url https://example.com/login -u https://example.com/ wapiti --form-data "uid=john&kpw=letmein&token=45854547" --form-url https://example.com/auth -u https://example.com/
-
--form-enctype
Send data specified with--form-data
using the given content-type (default is"application/x-www-form-urlencoded"
). -
--form-script
Use a custom Python authentication plugin (see some example here). -
--side-file
Use a.side
file generated using Selenium IDE to perform an authenticated scan.