Provided by: wapiti_2.2.1+dfsg-1_all 
NAME
Wapiti - A web application vulnerability scanner in Python.
SYNOPSIS
wapiti ROOT_URL [OPTIONS]
DESCRIPTION
Wapiti allows you to audit the security of your web applications.
It performs "black-box" scans, i.e. it does not study the source code of the application
but will scans the webpages of the deployed webapp, looking for scripts and forms where it
can inject data.
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script
is vulnerable.
OPTIONS
-s, --start=URL
To specify an url to start with.
-x, --exclude=URL
To exclude an url from the scan (for example logout scripts). You can also use a
wildcard (*)
Example :
-x "http://server/base/?page=*&module=test"
or
-x http://server/base/admin/* to exclude a directory
-b, --scope=SCOPE
Set the scope of the scan:
page : to analyse only the page passed in the URL
folder : to analyse all the links to the pages which are in the same folder
as the URL passed to Wapiti.
domain : to analyse all the links to the pages which are in the same domain
as the URL passed to Wapiti.
If no scope is set, Wapiti scans all the tree under the given URL.
-p, --proxy=PROXY_URL
To specify a proxy.
Example:
-p http://proxy:port/
-p socks://proxy:port/
-c, --cookie=COOKIE
To import session cookies from the COOKIE file.
-t, --timeout=TIMEOUT
Set the timeout to TIMEOUT (in seconds).
-a, --auth=LOGIN%PASSWORD
Set credentials for HTTP authentication ('%' is used as a separator).
-r, --remove=PARAM
Automatically remove the parameter PARAM from the urls.
-n, --nice=LIMIT
Define a limit of urls to read with the same pattern.
Use this option to prevent endless loops. Must be greater than 0.
-m, --module=MODULE_OPTIONS
Set the modules and HTTP methods to use for attacks.
Example:
-m "-all,xss:get,exec:post"
-i, --continue=FILE
This parameter indicates Wapiti to continue with the scan from the specified file,
this file should contain data from a previous scan. The file is optional, if it is
not specified, Wapiti takes the default filefrom "scans" folder.
-k, --attack=FILE
This parameter indicates Wapiti to perform attacks without scanning again the
website and following the data of this file. The file is optional, if it is not
specified, Wapiti takes the default file from "scans" folder.
-u, --underline
Use color to highlight vulnerables parameters in output.
-v, --verbose=LEVEL
Set the verbosity level to LEVEL.
0: quiet (default), 1: print each url, 2: print every attack.
-f, --reportType=TYPE
Set the type of the report to TYPE (values are xml, txt, html).
-o, --output=FILE
Write the report to FILE.
If the selected report type is "html", this parameter must be a directory.
-h, --help
To print this usage message.
LICENCE
wapiti is covered by the GNU General Public License (GPL), version 2.
Please read the COPYING file for more information.
COPYRIGHT
Copyright (c) 2006 Nicolas Surribas.
AUTHORS
Nicolas Surribas
David del Pozo
Alberto Pastor
BUG REPORTS
If you find a bug in Wapiti please report it to
http://sourceforge.net/tracker/?group_id=168625
SEE ALSO
The README file that comes with Wapiti gives more detailed information on the options.