Wapiti v2.2.0 (Vulnerability Scanner for Web App) released

Wapiti is a vulnerability scanner for web applications. It currently search vulnerabilities like XSS, SQL and XPath injections, file inclusions, command execution, LDAP injections, CRLF injections...It use the Python programming language.

Web Application vulnerability scanner / security auditor

JPEG - 4.1 kb

Wapiti allows you to audit the security of your web applications.
It performs "black-box" scans, i.e. it does not study the source code of the application but it will scan the webpages of the deployed webapp, looking for scripts and forms where it can inject data.
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

Wapiti can detect the following vulnerabilities:

  • File Handling Errors (Local and remote include/require, fopen, readfile...)
  • Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
  • XSS (Cross Site Scripting) Injection
  • LDAP Injection
  • Command Execution detection (eval(), system(), passtru()...)
  • CRLF Injection (HTTP Response Splitting, session fixation...)

Version 2.2.0

  • Added a manpage.
  • Internationalization : translations of Wapiti in spanish and french.
  • Options -k and -i allow the scan to be saved and restored later.
  • Added option -b to set the scope of the scan based on the root url given.
  • Wrote a library to save handle cookies and save them in XML format.
  • Modules are now loaded dynamically with a dependency system.
  • Rewrote the -m option used to activate / deactivate attack modules.
  • New module to search for backup files of scripts on the target webserver.
  • New module to search for weakly configured .htaccess.
  • New module to search dangerous files based on the Nikto database.
  • Differ "raw" XSS from "urlencoded" XSS.
  • Updated BeautifulSoup to version 3.0.8.
  • Better encoding support for webpages (convert to Unicode)
  • Added "resource consumption" as a vulnerability type.
  • Fixed bug ID 2779441 "Python Version 2.5 required?"
  • Fixed bug with special characters in HTML reports.
  • Fixed a lot of bugs.


Wapiti is developed in Python and use a Python library, called lswww.

More information: here

See the Roadmap, very interesting!

Wapiti is released under the GNU General Public License version 2 (the GPL)

Post scriptum

Compliance Mandates

  • Application Scanner :

    PCI/DSS 6.3, SOX A12.4, GLBA 16 CFR 314.4(b) and (2), HIPAA 164.308(a)(1)(i), FISMA RA-5, SA-11, SI-2, ISO 27001/27002 12.6, 15.2.2

  • Penetration testing & Ethical Hacking :

    PCI DSS 11.3, SOX A13.3, GLBA 16 CFR Part 314.4 (c), HIPAA 164.308(a)(8), FISMA RA-5, SI-2, ISO 27001/27002 12.6, 15.2.2

  • Vulnerability Scanner :

    PCI DSS 11.2, 6.6, SOX A13.3, GLBA 16CFR Part 314.4(c), HIPAA 164.308(a)(8), FISMA RA-5, SI-2, ISO 27001-27002 12.6, 15.2.2


Related Articles

Application Scanner
Penetration testing & Ethical Hacking
Vulnerability Scanner