Wapiti is a web application security auditor.

http://www.ict-romulus.eu/web/wapiti/home
http://wapiti.sourceforge.net/

This version requires Python 2.4 or superior with the urllib2 module.
The cookielib module is required if you want to use cookies.

How it works
============

Wapiti works as a black-box vulnerability scanner: it does not study the source code of web applications but works like a fuzzer, scanning the pages of the deployed web application, extracting links and forms and attacking the scripts, looking for error messages or some special strings.

It supports the following attacks:
+ Database Injection (PHP/ASP/JSP SQL Injections and XPath Injections)
+ Cross Site Scripting (XSS)
+ Bad File Handling detection (local and remote include, require, fopen, readfile...)
+ LDAP Injection
+ Command Execution detection (eval(), system(), passthru()...)
+ CRLF Injection

It supports both GET and POST HTTP methods, warns when an upload form is found and distinguishes permanent (stored) XSS from punctual (reflected) XSS vulnerabilities.
A warning is also issued when an HTTP 500 code is returned (useful for ASP/IIS).

You can use cookies to access members areas.
You can exclude URLs from the scan.

Wapiti uses a web spider library called lswww.
Wapiti and lswww use the Python programming language with its common modules.

How to get the best results
===========================

Wapiti uses the BeautifulSoup library as an HTML parser to correct bad HTML code.
You can also install libTidy as an additional HTML parser.
Just install the following applications:
Tidy - http://tidy.sourceforge.net/
ctypes - http://starship.python.net/crew/theller/ctypes/
uTidyLib - http://utidylib.berlios.de/

To find more vulnerabilities you can modify your PHP configuration to:
safe_mode = Off
display_errors = On (recommended)
magic_quotes_gpc = Off
allow_url_fopen = On

Where to get help
=================

In the prompt, just type the following command to get the basic usage:
python wapiti.py -h

Here is a more detailed version of the usage:

Wapiti - A web application vulnerability scanner

Usage: python wapiti.py http://server.com/base/url/ [options]

Supported options are:

-s --start
    To specify a URL to start with.
    You can specify several URLs to start with, just repeat the -s option.

-x --exclude
    To exclude a URL from the scan (for example logout scripts).
    You can also use a wildcard (*).
    Example: -x "http://server/base/?page=*&module=test"
    or -x http://server/base/admin/* to exclude a directory.
    As for the -s option, you can call it several times.

-p --proxy
    To specify a proxy.
    Example: -p http://proxy:port/
    It is possible to use other types of proxy. Just change the protocol.
    socks://proxy:port/ or tor://proxy:port/ will use a SOCKSv5 proxy.
    socks4://proxy:port/ will use a SOCKSv4 proxy server.
    connect://proxy:port/ will tunnel requests through HTTP CONNECT requests.

-c --cookie
    To use a cookie.
    Use cookie.py or getcookie.py (in the net directory) to create a cookie.

-t --timeout
    To fix the timeout (in seconds).
    The timeout is used to detect time-based blind SQL injection vulnerabilities.
    It should not be too small. Default timeout is 6 seconds.

-a --auth
    Set credentials for HTTP authentication.

-r --remove
    Remove a parameter from URLs.
    e.g.: "-r css" will remove the css parameter and its value from all URLs.

-n --nice
    Define a limit of URLs to read with the same pattern.
    Use this option to prevent endless loops.
    Must be greater than 0.

-m --module
    Use a predefined set of scan/attack options:
    GET_ALL: only use GET requests (no POST)
    GET_XSS: only XSS attacks with HTTP GET method
    POST_XSS: only XSS attacks with HTTP POST method
    GET_SQL: only SQL attacks with HTTP GET method
    POST_SQL: only SQL attacks with HTTP POST method
    GET_FILE: only File Handling attacks with HTTP GET method
    If you want to create your own, look at the end of the wapiti.py file.

-u --underline
    Use color to highlight vulnerable parameters in output.

-v --verbose
    Set the verbosity level:
    0: quiet (default), 1: print each URL, 2: print every attack

-f --reportType
    Set the type of the report:
    xml: report in XML format
    html: report in HTML format
    txt: plain text format

-o --output
    Set the name of the report file.
    If the selected report type is "html", this parameter must be a directory.

-h --help
    To print this usage message.

Files you will find in the src directory:

.
|-- attack                      # attack modules used for the vulnerabilities Wapiti can detect.
|   |-- __init__.py
|   |-- attack.py
|   |-- crlfattack.py
|   |-- execattack.py
|   |-- filehandlingattack.py
|   |-- sqlinjectionattack.py
|   |-- vulnerabilitiesdescriptions.py
|   `-- xssattack.py
|
|-- config
|   |-- attacks                 # The payloads injected for the attacks.
|   |   |                       # You can take a look, add your own or send us ideas :)
|   |   |-- blindSQLPayloads.txt
|   |   |-- execPayloads.txt
|   |   |-- fileHandlingPayloads.txt
|   |   `-- xssPayloads.txt
|   `-- vulnerabilities         # XML file defining the vulnerabilities. Used for the
|       |                       # generation of the report.
|       `-- vulnerabilities.xml
|
|-- file                        # to read the XML file we have just talked about.
|   |-- __init__.py
|   |-- auxtext.py
|   `-- vulnerabilityxmlparser.py
|
|-- net
|   |-- BeautifulSoup.py        # Parser to analyse HTML pages.
|   |-- HTTP.py                 # wrapper to httplib2. Provides other functions (urlencode...)
|   |-- __init__.py
|   |-- cookie.py               # two tools to create a cookie file you can use with Wapiti
|   |-- getcookie.py
|   |
|   |-- httplib2                # We changed urllib2 for httplib2 because it uses persistent
|   |   |                       # connections and makes Wapiti faster :)
|   |   |-- LICENSE-socks
|   |   |-- README              # documentation for httplib2
|   |   |-- README-socks        # documentation for the socks library
|   |   |-- __init__.py
|   |   |-- iri2uri.py
|   |   `-- socks.py            # A library allowing the use of SOCKS proxies
|   |                           # but also HTTP CONNECT...
|   |
|   |-- lswww.py                # lswww is the spider module of Wapiti. It is called every time
|   |                           # you scan a website. You can use it directly.
|   |                           # See "python lswww.py -h"
|   `-- lswwwv2.py
|
|-- report                      # modules used to generate a scan report. HTML, XML or TXT formats.
|   |-- __init__.py
|   |-- htmlreportgenerator.py
|   |-- reportgenerator.py
|   |-- txtreportgenerator.py
|   `-- xmlreportgenerator.py
|
|-- report_template             # The files used as a template for the HTML reports.
|   |-- includes
|   |   |-- css
|   |   |   |-- canvaschart.css
|   |   |   `-- styles.css
|   |   |-- images
|   |   |   |-- 7_transparent.png
|   |   |   |-- collapse.gif
|   |   |   |-- expand.gif
|   |   |   |-- romulus_logo_transparent.png
|   |   |   `-- wapiti2.gif
|   |   `-- js
|   |       |-- canvaschartpainter.js
|   |       |-- canvaschartpainter.src.js
|   |       |-- chart.js
|   |       |-- chart.src.js
|   |       |-- chartplugin.js
|   |       |-- excanvas.js
|   |       |-- iecanvas.htc
|   |       |-- iecanvas.js
|   |       |-- jgchartpainter.js
|   |       |-- jgchartpainter.src.js
|   |       |-- jquery.js
|   |       |-- json.js
|   |       |-- piechart.js
|   |       |-- report.js
|   |       |-- svgchartpainter.js
|   |       `-- wz_jsgraphics.js
|   `-- index.html
|-- vulnerability.py
`-- wapiti.py                   # The big one ;-)
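The -x and -n options from the usage above decide which discovered links the spider is allowed to fetch. The following is an added Python 3 example, not code from Wapiti or lswww: it implements the "*" wildcard exclusion and a per-pattern read limit that stops endless loops. What "same pattern" means for -n is not defined on this page, so the example assumes scheme, host, path and the set of parameter names (values dropped); the link list and exclusion patterns are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit


def compile_exclusion(pattern):
    """Turn a -x style pattern into a regular expression.

    '*' matches any run of characters; everything else is literal, so
    'http://server/base/admin/*' covers a whole directory and
    'http://server/base/?page=*&module=test' covers one parameterised page.
    """
    literal_pieces = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_pieces) + "$")


def url_pattern(url):
    """Key used for the -n limit (assumed definition of 'same pattern'):
    scheme, host, path and the sorted parameter names, values dropped, so
    index.php?page=1 and index.php?page=2 share one pattern."""
    parts = urlsplit(url)
    names = sorted({name for name, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return (parts.scheme, parts.netloc, parts.path, tuple(names))


class CrawlFilter:
    """Decides which discovered links the spider may fetch.

    excludes: -x patterns (the option may be given several times).
    nice:     -n limit, must be greater than 0; None means no limit.
    """

    def __init__(self, excludes=(), nice=None):
        if nice is not None and nice <= 0:
            raise ValueError("-n must be greater than 0")
        self.excludes = [compile_exclusion(p) for p in excludes]
        self.nice = nice
        self.visited = set()
        self.pattern_counts = {}

    def accept(self, url):
        """Return True if url should be fetched, recording it as visited."""
        if url in self.visited:
            return False
        if any(rx.match(url) for rx in self.excludes):
            return False
        key = url_pattern(url)
        seen = self.pattern_counts.get(key, 0)
        if self.nice is not None and seen >= self.nice:
            return False  # endless-loop guard: enough URLs of this shape already read
        self.pattern_counts[key] = seen + 1
        self.visited.add(url)
        return True


def plan_crawl(links, excludes=(), nice=None):
    """Apply the filter to links in discovery order; return the ones to fetch."""
    crawl_filter = CrawlFilter(excludes, nice)
    return [link for link in links if crawl_filter.accept(link)]


# Constructed list of links, as a spider might extract them from a site.
SAMPLE_LINKS = [
    "http://server/base/index.php?page=1",
    "http://server/base/index.php?page=2",
    "http://server/base/index.php?page=3",
    "http://server/base/index.php?page=1",            # already visited
    "http://server/base/admin/users.php",             # excluded directory
    "http://server/base/?page=3&module=test",         # excluded wildcard pattern
    "http://server/base/calendar.php?month=1&year=2008",
]

# Constructed -x patterns, the same shapes the usage text gives as examples.
SAMPLE_EXCLUDES = [
    "http://server/base/?page=*&module=test",
    "http://server/base/admin/*",
]

if __name__ == "__main__":
    for link in plan_crawl(SAMPLE_LINKS, SAMPLE_EXCLUDES, nice=2):
        print(link)
```

With nice=2 the third index.php?page=N link is dropped even though it was never visited, which is exactly the endless-loop protection the option describes; a calendar or pager that mints a new URL per click would otherwise keep the spider busy forever.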
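The "How it works" section says the scanner decides that a script is vulnerable by looking for error messages or special strings in the response, and that an HTTP 500 gets its own warning. The following added Python 3 example (not code from Wapiti; its signature table and the recorded responses are constructed for illustration) shows that classification step, and adds one check the paragraph does not mention: a signature is only reported when it is absent from the baseline response for the same URL, so a page that always prints a warning does not produce a finding on every probe.

```python
import re

# Constructed, illustrative signature table (not Wapiti's own list): one set of
# regular expressions per vulnerability family, searched in the body returned
# after a parameter has been tampered with.
ERROR_SIGNATURES = {
    "sql_injection": [
        r"You have an error in your SQL syntax",                # MySQL
        r"syntax error at or near",                             # PostgreSQL
        r"Unclosed quotation mark after the character string",  # MS SQL Server
    ],
    "file_handling": [
        r"failed to open stream",                               # PHP include/require/fopen
        r"Failed opening '[^']*' for inclusion",                # PHP include/require
    ],
}

COMPILED_SIGNATURES = {
    family: [re.compile(pattern, re.IGNORECASE) for pattern in patterns]
    for family, patterns in ERROR_SIGNATURES.items()
}


def classify_response(status, body, baseline_body=""):
    """Classify one HTTP response received after a probe request.

    Returns a sorted list of (family, matched_text) tuples.  A signature is
    reported only when it is absent from the baseline (un-tampered) response
    for the same URL.  An HTTP 500 is reported as its own family, mirroring
    the scanner's server-error warning.
    """
    findings = []
    for family, patterns in COMPILED_SIGNATURES.items():
        for pattern in patterns:
            match = pattern.search(body)
            if match and not pattern.search(baseline_body):
                findings.append((family, match.group(0)))
                break  # one matching signature per family is enough
    if status == 500:
        findings.append(("server_error", "HTTP 500"))
    return sorted(findings)


# Constructed sample traffic: for each URL, the baseline response and the
# response to one probe request.  Bodies are cut down to the relevant line.
SAMPLE_TRAFFIC = [
    {
        "url": "http://server/base/?id=1",
        "baseline": (200, "<html><body>Article 1</body></html>"),
        "probe": (200, "<b>Warning</b>: mysql_query(): You have an error "
                       "in your SQL syntax near ''' at line 1"),
    },
    {
        "url": "http://server/base/?page=about",
        # This page is broken even without a probe, so the same warning in the
        # probe response must not be counted as a finding.
        "baseline": (200, "<b>Warning</b>: include(about.php): failed to open stream"),
        "probe": (200, "<b>Warning</b>: include(x.php): failed to open stream"),
    },
    {
        "url": "http://server/base/?q=test",
        "baseline": (200, "<p>Results for test</p>"),
        "probe": (500, "Internal Server Error"),
    },
]


def scan_traffic(traffic=SAMPLE_TRAFFIC):
    """Run the classifier over recorded baseline/probe pairs, keyed by URL."""
    report = {}
    for entry in traffic:
        _, baseline_body = entry["baseline"]
        probe_status, probe_body = entry["probe"]
        report[entry["url"]] = classify_response(probe_status, probe_body, baseline_body)
    return report


if __name__ == "__main__":
    for url, findings in scan_traffic().items():
        print(url, "->", findings or "no finding")
```

The baseline comparison is the part worth keeping in mind when reading a report: a scanner of this kind can only see what the application echoes back, so a site that already leaks PHP warnings on every page will both hide real findings behind the noise and trigger false ones, which is also why the PHP settings listed above are meant for a test instance that is allowed to be verbose.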