Provided by: wapiti_2.2.1+dfsg-1_all
NAME
Wapiti - A web application vulnerability scanner in Python.
SYNOPSIS
wapiti ROOT_URL [OPTIONS]
DESCRIPTION
Wapiti allows you to audit the security of your web applications. It performs "black-box" scans, i.e. it does not study the source code of the application but crawls the pages of the deployed web application, looking for scripts and forms where it can inject data. Once it has this list, Wapiti acts like a fuzzer, injecting payloads into each parameter and inspecting the responses to see if a script is vulnerable.
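The crawl-then-inject approach described above, shown as an added illustration. This is not Wapiti's code: it is a minimal form collector plus an injection loop, and the "web application" it scans is a constructed in-memory stand-in (SAMPLE_PAGE and fake_fetch are assumptions made so the example runs offline). The payload marker and the reflection check are the example's own, not Wapiti's.

```python
"""Minimal black-box form fuzzer: find forms, inject a payload into each
parameter, and report parameters whose value is reflected unescaped."""
from html import escape
from html.parser import HTMLParser


class FormCollector(HTMLParser):
    """Collect <form> elements with their method, action and input names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action") or "",
                             "params": []}
        elif tag in ("input", "textarea", "select") and self._current is not None:
            # Submit buttons carry no user-controlled value worth fuzzing.
            if a.get("name") and (a.get("type") or "text").lower() not in ("submit", "button"):
                self._current["params"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract_forms(html):
    parser = FormCollector()
    parser.feed(html)
    return parser.forms


# Marker unlikely to appear in normal output; if the raw string (not its
# HTML-escaped form) comes back, the parameter is reflected without encoding.
XSS_PAYLOAD = "<wapx>\"'"


def fuzz_forms(forms, fetch, methods=("get", "post")):
    """Inject XSS_PAYLOAD into one parameter at a time; return findings as
    (method, action, parameter) tuples. `methods` mirrors the idea of
    restricting an attack module to GET or POST."""
    findings = []
    for form in forms:
        if form["method"] not in methods:
            continue
        for target in form["params"]:
            data = {p: (XSS_PAYLOAD if p == target else "x") for p in form["params"]}
            body = fetch(form["method"], form["action"], data)
            if XSS_PAYLOAD in body:
                findings.append((form["method"], form["action"], target))
    return findings


# ---- constructed stand-in for a deployed web application (assumption) ----
SAMPLE_PAGE = """
<html><body>
<form method="get" action="/search">
  <input name="q"><input type="submit" value="go">
</form>
<form method="post" action="/comment">
  <textarea name="text"></textarea><input name="author">
  <input type="submit">
</form>
</body></html>
"""


def fake_fetch(method, action, data):
    """Constructed responses: /search reflects q unescaped (vulnerable);
    /comment escapes 'text' correctly but echoes 'author' raw."""
    if action == "/search":
        return "<h1>Results for %s</h1>" % data["q"]
    if action == "/comment":
        return "<p>%s</p><i>by %s</i>" % (escape(data["text"]), data["author"])
    return ""


def scan(html=SAMPLE_PAGE, fetch=fake_fetch, methods=("get", "post")):
    """Full pipeline: crawl the page for forms, then fuzz them."""
    return fuzz_forms(extract_forms(html), fetch, methods)


if __name__ == "__main__":
    for method, action, param in scan():
        print("XSS: %s %s parameter %r" % (method.upper(), action, param))
```

Restricting `methods` to `("get",)` skips the POST form entirely, which is the effect the -m option's per-method syntax has on a real scan.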
OPTIONS
       -s, --start=URL
              Specify an additional URL to start the crawl from.

       -x, --exclude=URL
              Exclude a URL from the scan (for example logout scripts). A wildcard (*) may be used.
              Examples:
                -x "http://server/base/?page=*&module=test"
                -x http://server/base/admin/*        (exclude a whole directory)

       -b, --scope=SCOPE
              Set the scope of the scan:
                page    analyse only the page passed in the URL.
                folder  analyse all links to pages in the same folder as the URL passed to Wapiti.
                domain  analyse all links to pages in the same domain as the URL passed to Wapiti.
              If no scope is set, Wapiti scans the whole tree under the given URL.

       -p, --proxy=PROXY_URL
              Specify a proxy. Examples:
                -p http://proxy:port/
                -p socks://proxy:port/

       -c, --cookie=COOKIE
              Import session cookies from the COOKIE file.

       -t, --timeout=TIMEOUT
              Set the HTTP timeout to TIMEOUT seconds.

       -a, --auth=LOGIN%PASSWORD
              Set credentials for HTTP authentication ('%' is the separator between login and password).
              Note that arguments passed on the command line are visible to other local users through the
              process list and may be recorded in the shell history.

       -r, --remove=PARAM
              Automatically remove the parameter PARAM from the URLs.

       -n, --nice=LIMIT
              Limit the number of URLs read with the same pattern to LIMIT. Use this option to prevent
              endless loops. Must be greater than 0.

       -m, --module=MODULE_OPTIONS
              Set the attack modules and the HTTP methods to use for each of them.
              Example: -m "-all,xss:get,exec:post"  (disable everything, then enable xss on GET and
              exec on POST only)

       -i, --continue=FILE
              Continue the scan from FILE, which must contain data from a previous scan. The file is
              optional; if none is given, Wapiti uses the default file from the "scans" folder.

       -k, --attack=FILE
              Perform the attacks using the data in FILE, without crawling the website again. The file is
              optional; if none is given, Wapiti uses the default file from the "scans" folder.

       -u, --underline
              Use colour to highlight vulnerable parameters in the output.

       -v, --verbose=LEVEL
              Set the verbosity level to LEVEL: 0 quiet (default), 1 print each URL, 2 print every attack.

       -f, --reportType=TYPE
              Set the report type to TYPE (values are xml, txt, html).

       -o, --output=FILE
              Write the report to FILE. If the selected report type is "html", FILE must be a directory.

       -h, --help
              Print this usage message.
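An added helper that interprets the -m MODULE_OPTIONS syntax and the -x wildcard syntax documented above, so an operator can preview which modules and methods a command line would enable and which URLs it would skip before starting a scan. It is an independent reimplementation of the documented syntax, not Wapiti's own parser. The module list in ALL_MODULES and the rule that an unqualified module name covers both GET and POST are this example's assumptions; the man page itself only names xss and exec.

```python
"""Interpret Wapiti-style -m module specs and -x exclusion wildcards."""
import re

# Assumed module names for the example; the man page only mentions xss and exec.
ALL_MODULES = ("xss", "exec", "sql", "file", "crlf", "backup", "htaccess")
ALL_METHODS = ("get", "post")


def parse_modules(spec, known=ALL_MODULES):
    """Return {module: set(methods)} for a spec such as "-all,xss:get,exec:post".

    Items are applied left to right: a leading '-' disables, '+' or no prefix
    enables; 'all' stands for every known module; an optional ':method'
    suffix restricts the change to that HTTP method (assumed semantics)."""
    enabled = {m: set(ALL_METHODS) for m in known}  # default: every module, both methods
    for item in filter(None, (s.strip() for s in spec.split(","))):
        on = not item.startswith("-")
        name, _, method = item.lstrip("+-").partition(":")
        if name != "all" and name not in known:
            raise ValueError("unknown module: %r" % name)
        if method and method not in ALL_METHODS:
            raise ValueError("unknown method: %r" % method)
        methods = {method} if method else set(ALL_METHODS)
        for mod in (known if name == "all" else (name,)):
            if on:
                enabled[mod] |= methods
            else:
                enabled[mod] -= methods
    # Modules left with no method are effectively disabled; drop them.
    return {m: s for m, s in enabled.items() if s}


def wildcard_to_regex(pattern):
    """Translate an -x pattern where '*' is the only wildcard. Everything else,
    including '?' and '&' in query strings, is matched literally."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def exclude_matcher(patterns):
    """Build a predicate telling whether a URL is excluded by any -x pattern."""
    regexes = [wildcard_to_regex(p) for p in patterns]
    return lambda url: any(r.match(url) for r in regexes)


if __name__ == "__main__":
    print(parse_modules("-all,xss:get,exec:post"))
    excluded = exclude_matcher(["http://server/base/?page=*&module=test",
                                "http://server/base/admin/*"])
    for url in ("http://server/base/?page=3&module=test",
                "http://server/base/admin/users.php",
                "http://server/base/?page=3&module=prod"):
        print(url, "->", "excluded" if excluded(url) else "scanned")
```

Translating the wildcard by splitting on '*' and escaping each literal piece is deliberate: a generic glob translator would treat the '?' that begins a query string as a single-character wildcard and silently widen the exclusion.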
LICENCE
wapiti is covered by the GNU General Public License (GPL), version 2. Please read the COPYING file for more information.
COPYRIGHT
Copyright (c) 2006 Nicolas Surribas.
AUTHORS
Nicolas Surribas
David del Pozo
Alberto Pastor
BUG REPORTS
If you find a bug in Wapiti please report it to http://sourceforge.net/tracker/?group_id=168625
SEE ALSO
The README file that comes with Wapiti gives more detailed information on the options.