The web-application vulnerability scanner

Wapiti allows you to audit the security of your websites or web applications.

It performs "black-box" scans (it does not study the source code) of the web application by crawling the webpages of the deployed webapp, looking for scripts and forms where it can inject data.

Once it gets the list of URLs, forms and their inputs, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

What's new in Wapiti 3.0.0? Take a look at this wiki page.

Wapiti can detect the following vulnerabilities:

A buster module also allows brute-forcing directory and file names on the target webserver.

Wapiti supports both GET and POST HTTP methods for attacks.
It also supports multipart forms and can inject payloads in filenames (upload).
Warnings are raised when an anomaly is found (for example 500 errors and timeouts).
Wapiti is able to tell the difference between permanent and reflected XSS vulnerabilities.
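The following is an added example, not Wapiti's own code, showing the first steps of the black-box scan described above: one constructed HTML page stands in for a crawled response, its links and forms are turned into the list of injection points (GET and POST parameters, plus the filename of an upload field), and two response checks the text mentions are written out: flagging anomalies (HTTP 500 and timeouts) and telling a reflected XSS from a permanent one by whether the injected marker is still served on a later, clean request. The URL http://target/ and the sample page are constructed for the example.

```python
"""Added example (not part of Wapiti): enumerate injection points from one
crawled page and classify responses the way the page text describes."""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed sample page standing in for one crawled response.
SAMPLE_HTML = """
<html><body>
<a href="/search?q=test">search</a>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Go">
</form>
<form action="upload.php" method="POST" enctype="multipart/form-data">
  <input type="file" name="avatar">
  <textarea name="bio"></textarea>
</form>
<form>
  <select name="lang"><option>en</option></select>
</form>
</body></html>
"""


@dataclass
class Form:
    action: str
    method: str
    multipart: bool
    inputs: List[str] = field(default_factory=list)
    files: List[str] = field(default_factory=list)  # upload fields: the filename is a parameter too


class FormExtractor(HTMLParser):
    """Collects links and forms (with their named controls) from one HTML document."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.links: List[str] = []
        self.forms: List[Form] = []
        self._current: Optional[Form] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            # A form without an action submits back to the page it came from.
            self._current = Form(
                action=urljoin(self.base_url, a.get("action") or self.base_url),
                method=(a.get("method") or "get").lower(),
                multipart=(a.get("enctype") or "").lower() == "multipart/form-data",
            )
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            if not name:
                return  # unnamed controls are never submitted, so nothing to inject into
            kind = (a.get("type") or "").lower()
            if tag == "input" and kind == "file":
                self._current.files.append(name)
            elif kind != "submit":
                self._current.inputs.append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def injection_points(base_url: str, html: str) -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Return (links to crawl next, (url, method, parameter) triples a fuzzer would target)."""
    parser = FormExtractor(base_url)
    parser.feed(html)
    points = []
    for link in parser.links:  # query-string parameters in links are GET injection points
        parsed = urlparse(link)
        for name in parse_qs(parsed.query, keep_blank_values=True):
            points.append((parsed._replace(query="", fragment="").geturl(), "get", name))
    for form in parser.forms:
        for name in form.inputs:
            points.append((form.action, form.method, name))
        for name in form.files:
            points.append((form.action, form.method, name + " (filename)"))
    return parser.links, points


def classify_response(status: Optional[int], elapsed: float, timeout: float) -> Optional[str]:
    """Anomaly warnings: no answer within the timeout, or a 5xx from the server."""
    if status is None or elapsed >= timeout:
        return "timeout"
    if status >= 500:
        return "internal server error"
    return None


def classify_xss(marker: str, immediate_body: str, revisit_body: str) -> Optional[str]:
    """Reflected: marker appears only in the reply to the injecting request.
    Permanent: the marker is still served when the page is fetched again cleanly."""
    if marker in revisit_body:
        return "permanent"
    if marker in immediate_body:
        return "reflected"
    return None


if __name__ == "__main__":
    links, points = injection_points("http://target/index.php", SAMPLE_HTML)
    for url, method, param in points:
        print(method.upper(), url, param)
```

The marker passed to classify_xss is the harmless unique token a scanner injects before trying any real payload; the distinction between the two XSS kinds is purely where that token shows up again.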

General features:

Browsing features

Wapiti is a command-line application.
Here is an example of output against a vulnerable web application.
You may find some useful information in the README and the INSTALL files.
Have any questions? You may find answers in the FAQ.


>> Download Wapiti here <<


 ██╗    ██╗ █████╗ ██████╗ ██╗████████╗██╗██████╗ 
 ██║    ██║██╔══██╗██╔══██╗██║╚══██╔══╝██║╚════██╗
 ██║ █╗ ██║███████║██████╔╝██║   ██║   ██║ █████╔╝
 ██║███╗██║██╔══██║██╔═══╝ ██║   ██║   ██║ ╚═══██╗
 ╚███╔███╔╝██║  ██║██║     ██║   ██║   ██║██████╔╝
  ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝     ╚═╝   ╚═╝   ╚═╝╚═════╝  
Wapiti-3.0.0 (
usage: wapiti [-h] [-u URL] [--scope {page,folder,domain,url}]
              [-m MODULES_LIST] [--list-modules] [-l LEVEL] [-p PROXY_URL]
              [-a CREDENTIALS] [--auth-type {basic,digest,kerberos,ntlm}]
              [-c COOKIE_FILE] [--skip-crawl] [--resume-crawl]
              [--flush-attacks] [--flush-session] [-s URL] [-x URL]
              [-r PARAMETER] [--skip PARAMETER] [-d DEPTH]
              [--max-links-per-page MAX] [--max-files-per-dir MAX]
              [--max-scan-time MINUTES] [--max-parameters MAX] [-S FORCE]
              [-t SECONDS] [-H HEADER] [-A AGENT] [--verify-ssl {0,1}]
              [--color] [-v LEVEL] [-f FORMAT] [-o OUPUT_PATH]
              [--no-bugreport] [--version]
wapiti: error: one of the arguments -u/--url --list-modules is required
Shortest way (with default options) to launch a Wapiti scan:
wapiti -u http://target/

Every option is detailed in the wapiti(1) manpage.

Wapiti also comes with a utility to fetch cookies from websites called wapiti-getcookie. The corresponding manpage is here.


Wapiti is released under the GNU General Public License version 2 (the GPL).