Wapiti v2.2.0 (Vulnerability Scanner for Web App) released
Wapiti is a vulnerability scanner for web applications. It currently search vulnerabilities like XSS, SQL and XPath injections, file inclusions, command execution, LDAP injections, CRLF injections...It use the Python programming language.
Web Application vulnerability scanner / security auditor
Wapiti allows you to audit the security of your web applications.
It performs "black-box" scans, i.e. it does not study the source code of the application but it will scan the webpages of the deployed webapp, looking for scripts and forms where it can inject data.
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.
Wapiti can detect the following vulnerabilities:
- File Handling Errors (Local and remote include/require, fopen, readfile...)
- Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
- XSS (Cross Site Scripting) Injection
- LDAP Injection
- Command Execution detection (eval(), system(), passtru()...)
- CRLF Injection (HTTP Response Splitting, session fixation...)
- Added a manpage.
- Internationalization : translations of Wapiti in spanish and french.
- Options -k and -i allow the scan to be saved and restored later.
- Added option -b to set the scope of the scan based on the root url given.
- Wrote a library to save handle cookies and save them in XML format.
- Modules are now loaded dynamically with a dependency system.
- Rewrote the -m option used to activate / deactivate attack modules.
- New module to search for backup files of scripts on the target webserver.
- New module to search for weakly configured .htaccess.
- New module to search dangerous files based on the Nikto database.
- Differ "raw" XSS from "urlencoded" XSS.
- Updated BeautifulSoup to version 3.0.8.
- Better encoding support for webpages (convert to Unicode)
- Added "resource consumption" as a vulnerability type.
- Fixed bug ID 2779441 "Python Version 2.5 required?"
- Fixed bug with special characters in HTML reports.
- Fixed a lot of bugs.
Wapiti is developed in Python and use a Python library, called lswww.
More information: here
See the Roadmap, very interesting!
Wapiti is released under the GNU General Public License version 2 (the GPL)
|Penetration testing & Ethical Hacking||