loading
loading
Scanners
A web application vulnerability scanner written in Python3.
overview
wapiti scans a web application the way a black-box tester would. It crawls the target to map pages, forms, and parameters, then injects payloads into those entry points and reads the responses for signs of a vulnerability. It never looks at source code, so it works against any stack as long as the app answers HTTP.
Its module set covers common web classes: SQL injection, cross-site scripting, file disclosure, command execution, SSRF, and more, with Log4Shell endpoints for out-of-band checks. You control how hard it pushes through attack level, scan scope, and time budgets, and it writes a report in HTML, JSON, XML, CSV, or text.
In a Trickest workflow it takes a base URL and writes a folder and a file of results. Run it after a crawler and prober have confirmed a host is live, so it spends its budget fuzzing reachable endpoints instead of dead ones.
use cases
Point wapiti at a base URL, let it crawl the scope, and fuzz every discovered form and parameter for injection and disclosure flaws in one run.
Set the scan scope to page, folder, domain, or url so the crawler stays inside the area you are authorized to test instead of wandering off-site.
Use the attack level and scan-force settings to run a polite pass on a fragile app or an aggressive pass on a robust one.
Write JSON or XML output so the findings feed a triage stage or a ticketing step instead of a human reading an HTML page.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | --url | The base URL used to define the scan scope |
| scope | STRING | --scope | Set scan scope (page, folder, domain, url, or punk) |
| module | STRING | --module | List of modules to load |
| level | STRING | --level | Set attack level |
| depth | STRING | --depth | Set how deep the scanner should explore the website |
| format | STRING | --format | Set output format. Supported: csv, html, json, txt, xml. Default is html. |
| scan-force | STRING | --scan-force | Easy way to reduce the number of scanned and attacked URLs. Possible values: paranoid, sneaky, polite, normal, aggressive, insane |
| max-scan-time | STRING | --max-scan-time | Set how many seconds you want the scan to last (floats accepted) |
Showing key inputs. wapiti exposes 34 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | --url | The base URL used to define the scan scope |
| data | STRING | --data | Urlencoded data to send with the base URL if it is a POST request |
| skip | STRING | --skip | Skip attacking given parameter(s) |
| color | BOOLEAN | --color | Colorize output |
| depth | STRING | --depth | Set how deep the scanner should explore the website |
| level | STRING | --level | Set attack level |
| proxy | STRING | --proxy | Set the HTTP(S) proxy to use. Supported: http(s) and socks proxies |
| scope | STRING | --scope | Set scan scope (page, folder, domain, url, or punk) |
| start | STRING | --start | Adds a url to start scan with |
| tasks | STRING | --tasks | Number of concurrent tasks to use for the exploration (crawling) of the target. |
| cookie | FILE | --cookie | Set a JSON cookie file to use. |
| format | STRING | --format | Set output format. Supported: csv, html, json, txt, xml. Default is html. |
| header | STRING | --header | Set a custom header to use for every requests |
| module | STRING | --module | List of modules to load |
| remove | STRING | --remove | Remove this parameter from urls |
| exclude | STRING | --exclude | Adds a url to exclude from the scan |
| timeout | STRING | --timeout | Set timeout for requests in seconds |
| verbose | STRING | --verbose | Set verbosity level (0: quiet, 1: normal, 2: verbose) |
| endpoint | STRING | --endpoint | URL serving as endpoint for both attacker and target |
| auth-cred | STRING | --auth-cred | Set HTTP authentication credentials |
| auth-type | STRING | --auth-type | Set the authentication type to use (basic, digest, ntlm, or post) |
| scan-force | STRING | --scan-force | Easy way to reduce the number of scanned and attacked URLs. Possible values: paranoid, sneaky, polite, normal, aggressive, insane |
| user-agent | STRING | --user-agent | Set a custom user-agent to use for every requests |
| verify-ssl | STRING | --verify-ssl | Set SSL check (0 or 1, default is 0) |
| dns-endpoint | STRING | --dns-endpoint | Domain serving as DNS endpoint for Log4Shell attack |
| no-bugreport | BOOLEAN | --no-bugreport | Don't send automatic bug report when an attack module fails |
| max-scan-time | STRING | --max-scan-time | Set how many seconds you want the scan to last (floats accepted) |
| max-parameters | STRING | --max-parameters | URLs and forms having more than MAX input parameters will be erased before attack. |
| drop-set-cookie | BOOLEAN | --drop-set-cookie | Ignore Set-Cookie header from HTTP responses |
| max-attack-time | STRING | --max-attack-time | Set how many seconds you want each attack module to last (floats accepted) |
| external-endpoint | STRING | --external-endpoint | URL serving as endpoint for target |
| internal-endpoint | STRING | --internal-endpoint | URL serving as endpoint for attacker |
| max-files-per-dir | STRING | --max-files-per-dir | Set how many pages the scanner should explore per directory |
| max-links-per-page | STRING | --max-links-per-page | Set how many (in-scope) links the scanner should extract for each page |
example
# crawl example.com in domain scope, XSS+SQL modules, JSON reportwapiti --url https://example.com/ --scope domain --module xss,sql --level 1 --depth 3 --format json --max-scan-time 600[*] Wapiti 3.x - a web application vulnerability scanner[*] Target: https://example.com/[*] Scope: domain[+] https://example.com/login[+] https://example.com/search?q=[+] https://example.com/api/v1/items[*] Attack module xss loaded[*] Attack module sql loaded[!] XSS found in GET https://example.com/search?q=[!] SQL Injection found in GET https://example.com/product?id=[*] Report saved as report.jsonguidance
Reach for Wapiti when you need an automated black-box audit of a web app's forms and parameters. It crawls and fuzzes a single target, so run it against confirmed-live hosts. For template-driven CVE checks across many hosts, use nuclei instead.
Template-driven scanner for known CVEs and misconfigurations. Wapiti fuzzes parameters generically instead.
Another black-box fuzzing scanner. Wapiti has a broader, better-maintained module set.
Classic server scanner focused on known files and configs. Wapiti goes deeper into form and parameter injection.
faq
related
Find reflected XSS during recon by checking payload reflection.
Fast and customizable subdomain wordlist generator using patterns.
Scans software bills of materials for security vulnerabilities.
Find broken links, missing images, and other dead references within your HTML.
A command-line scanner that finds exposed services, files, and folders through the web root.
A CMS detection and exploitation suite.
A target is confirmed live by httpx, then Wapiti crawls and fuzzes it before the findings land as a queryable output.
Facts on this page come from the live Trickest tool library.