Hello everybody ! I'm very happy to make a new version of Wapiti available with great improvements.
As always you can get the latest version with pip install wapiti3
You will need a Python3 version equal to or above 3.6.
Here is the changelog:
XSS: improved context awareness of HTML webpage, payloads can now use the existing HTML tags without closing them
XSS: greatly reduced number of false negatives while slightly reducing false positives
XSS: the module will also check for the CSP header and warn if reflection was found while a strong CSP seems present
XSS: reduced memory and CPU consumption
XSS: added more payloads to bypass filters and WAF
Exec: added a few more payloads
SQL: more heuristics to detect DBMS used on the target
Wappalyzer module allows detection of software used by a website, along with versions
New module to check the security settings of Cookies (HttpOnly, secure, etc)
New module to check the security settings for HTTP headers (Strict-Transport-Security, X-Frame-Options, etc)
New module to check the security settings for Content-Security-Policy
New module to check for forms vulnerable to CSRF (either no anti-CSRF token is present or it is not well implemented)
New module to brute-force found login forms with known default credentials (admin/admin, demo/demo, etc)
New --update option allows getting the latest updates for detection databases (Wappalyzer and Nikto)
New --max-attack-time option allows limiting the execution time of each attack module
New --store-config option allows setting the path for Wapiti configuration files (detection databases)
Combining the new "-a post" authentication option along with -s allows logging in to the target without using wapiti-getcookie
Removed jQuery dependency
Fixed several issues with endpoints
Best regards
A new version of Wapiti is available and greatly reduces the amount of false positives in XSS attack modules.
Get it using pip install wapiti3
Dear users,
Wapiti 3.0.2 is available.
You can download it from Sourceforge or get it using pip (package name is wapiti3).
What's new :
Wapiti 3.0.1 was released !
What's new :
I'm happy to announce that the new stable version of Wapiti is available !
Hi there !
Wapiti 3 is now in beta status :)
Working to bring a stable release soon.
Regards
Dear Wapiti users,
Wapiti is currently moving to Python 3.
Feel free to get the current development version on the SVN and try it.
Beware : this is a pre-alpha version.
Regards
Hello everybody !
The current development version of Wapiti (on SVN only) got two new modules :
* mod_buster acts as a DirBuster and will find directories and files on the web server
* mod_shellshock will test scripts for the CVE-2014-6271 vulnerability (bash bug aka shellshock)
Regards
Dear Wapiti users, I'm proud to announce a new version of Wapiti : 2.3.0.
Upgrade is more than recommended. This version brings a lot of stability, new browsing engine, new payloads, more attack vectors...
For a full list, here is the changelog :
Fixed a colosseum of bugs, especially related to unicode.
Software is much more stable.
New report template for HTML (using Kube CSS).
Using v2.1.5 of Nikto database for mod_nikto.
Replaced httplib2 with (python-)requests for everything related to HTTP.
Removed BeautifulSoup from the package. It is still required, however.
Core rewrite (PEP8 + more Pythonic)
New payloads for the backup, XSS, blind SQL, exec and file modules + more detection rules.
So many improvements on lswww (crawler) that I can't make a list here. But Wapiti reached 48% on Wivet.
Wapiti cookie format is now based on JSON.
Removed SOCKS proxy support (you will have to use an HTTP to SOCKS proxy).
Added a HTTPResource class for easier module creation.
Code restructuring for better setup.
Attack of parameters in query string even for HTTP POST requests.
Attack on file uploads (injection in file names).
Simpler (and less buggy) colored output with -c.
A CURL PoC is given for each vulnerability/anomaly found + raw HTTP request representation in reports.
No more parameter reordering + can handle parameters repetition.
Added a JSON report generator + fixed the HTML report generator.
Added an option to not check SSL certificates.
mod_xss : noscript tag escaping.
Can work on parameters that don't have a value in query string.
mod_crlf is not activated by default anymore (must call it with -m).
Starting URLs (-s) will be fetched even if out of scope.
Proxy support for wapiti-getcookie and wapiti-cookie.
Attempt to bring an OpenVAS report generator.
Added a home-made SWF parser to extract URLs from flash files.
Added a home-made (and more than basic) JS interpreter based on the pynarcissus parser. A lot of work still needs to be done on this.
New logo and webpage at wapiti.sf.net.
Added German and Malaysian translations.
Added a script to create standalone archive for Windows (with py2exe).
Hi everybody !
I'm looking for some help to translate Wapiti into languages other than English and French.
If you want to join, please read this :
https://sourceforge.net/p/forge/helpwanted/translation/thread/c9226e52/
Thanks
Hello everybody !
I need help for the next stable version of Wapiti.
If you want to participate, please read the following forum posts.
Testers :
https://sourceforge.net/p/forge/helpwanted/testers/thread/4503853a/
Designers :
https://sourceforge.net/p/forge/helpwanted/artists/thread/fab50ced/
Web designers :
https://sourceforge.net/p/forge/helpwanted/programmers/thread/d29e6c54/
Kind regards
A new stable version is available with a lot of new features and improvements.
Get it now !
28/19/2009
Version 2.2.0
Added a manpage.
Internationalization : translations of Wapiti in Spanish and French.
Options -k and -i allow the scan to be saved and restored later.
Added option -b to set the scope of the scan based on the root url given.
Wrote a library to handle cookies and save them in XML format.
Modules are now loaded dynamically with a dependency system.
Rewrote the -m option used to activate / deactivate attack modules.
New module to search for backup files of scripts on the target webserver.
New module to search for weakly configured .htaccess.
New module to search dangerous files based on the Nikto database.
Distinguish "raw" XSS from "urlencoded" XSS.
Updated BeautifulSoup to version 3.0.8.
Better encoding support for webpages (convert to Unicode)
Added "resource consumption" as a vulnerability type.
Fixed bug ID 2779441 "Python Version 2.5 required?"
Fixed bug with special characters in HTML reports.
Fixed a lot of bugs.
We hope everyone will love the improvements since the last beta version.
Scan is faster with httplib2 and blind SQL injections detection was implemented.
See the file ChangeLog_Wapiti for more information :)
Take a look at the ChangeLog for more information :
https://sourceforge.net/project/shownotes.php?release_id=453653&group_id=168625
or read the following post (french) :
http://devloop.lyua.org/blog/index.php?2006/10/07/329-wapiti-114
I corrected two bugs...
The first in lswww was a regular expression error when handling links to the parent directory.
The second was a programming error in Wapiti with POST attacks and HTTP error code.
Please don't use the version 1.1.0 anymore...
Wapiti 1.1.1 fixed several errors like the 'unbound local error' or an error with redundant slashes in URLs
This new version of Wapiti uses the urllib2 module instead of httplib and urllib.
The -c option now allows you to create cookie files so you don't have to type the session IDs anymore. Wapiti does all the stuff :)
Proxy support has been added.
Detect more vulnerabilities : LDAP and CRLF Injection.
More efficient with MySQL and XSS injections.
This new release comes with new features and fixes several bugs with url handling or HTML study.
Wapiti will scan for more vulnerabilities like XPath Injection, Java errors or PHP require* functions.
Wapiti now attacks URLs that don't have parameters (QUERY_STRING)
Two more options appeared :
-r allows you to remove a parameter from URLs
-u will highlight the vulnerable parameter using red color in output (Unix only)...
Wapiti now has cookie support.
Use getcookie.py or cookie.py to send credentials to a login form and get the session ID.
Then use this session ID with Wapiti (option -c or --cookie) to search for vulnerabilities in private areas.
Several bugfixes have been made.