Provided by: wapiti_2.2.1+dfsg-1_all

NAME

       Wapiti - A web application vulnerability scanner in Python.

SYNOPSIS

       wapiti ROOT_URL [OPTIONS]

DESCRIPTION

       Wapiti allows you to audit the security of your web applications.
       It performs "black-box" scans, i.e. it does not study the source code of the application but scans
       the web pages of the deployed application, looking for scripts and forms where it can inject data.
       Once it has this list, Wapiti acts like a fuzzer, injecting payloads to see whether a script is vulnerable.

OPTIONS

       -s, --start=URL
              Specify a URL to start with.

       -x, --exclude=URL
              Exclude a URL from the scan (for example logout scripts, which would otherwise end the session
              Wapiti is crawling with).  You can also use a wildcard (*).  Quote the value so that the shell
              does not expand the wildcard itself.
              Example :
                     -x "http://server/base/?page=*&module=test"
              or
                     -x "http://server/base/admin/*" to exclude a directory

       -b, --scope=SCOPE
              Set the scope of the scan:
                     page :  analyse only the page passed in the URL.
                     folder : analyse all the links to pages that are in the same folder as the URL
                     passed to Wapiti.
                     domain : analyse all the links to pages that are in the same domain as the URL
                     passed to Wapiti.
              If no scope is set, Wapiti scans the whole tree under the given URL.

       -p, --proxy=PROXY_URL
              Specify a proxy (an HTTP proxy or a SOCKS proxy) through which all requests are sent.
              Example:
                     -p http://proxy:port/
                     -p socks://proxy:port/

       -c, --cookie=COOKIE
              Import session cookies from the COOKIE file, so that the scan runs as an authenticated user.

       -t, --timeout=TIMEOUT
              Set the timeout to TIMEOUT (in seconds).

       -a, --auth=LOGIN%PASSWORD
              Set credentials for HTTP authentication ('%' is used as a separator).
              Note that credentials passed this way are visible in the process list and in the shell history.

       -r, --remove=PARAM
              Automatically remove the parameter PARAM from the URLs (useful for session identifiers or
              other values that change on every page and would otherwise make every link look new).

       -n, --nice=LIMIT
              Define a limit on the number of URLs to read that share the same pattern.
              Use this option to prevent endless loops (for example a calendar or pager that generates
              links forever). Must be greater than 0.
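       The four options above (-b, -x, -r and -n) together decide which discovered links a scan
       will actually fetch. The following is an added example, not Wapiti's own code: a small crawl
       filter that models those rules so that exclusion and scope settings can be checked against a
       list of links before a long scan is started. The matching rules (a '*' in an exclude pattern
       matching any run of characters; two URLs sharing a "pattern" when they have the same host,
       path and parameter names; "folder" scope meaning the same directory as the start URL) are
       assumptions chosen to fit the wording of this page, and the sample links are constructed.

```python
# Added example (not Wapiti's own code): a crawl filter that models the URL-selection
# options -b/--scope, -x/--exclude, -r/--remove and -n/--nice.
# The matching rules are assumptions chosen to fit the man page's wording.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def exclude_pattern(pattern):
    """Compile a -x value. Assumption: '*' matches any run of characters and
    everything else is literal (the glob-like form used in the examples above)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def folder_of(url):
    """The folder a URL lives in: its path up to and including the last '/'."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path.rsplit("/", 1)[0] + "/", "", ""))


def in_scope(url, root, scope):
    """-b semantics: page = only the root URL; folder = same folder as the root;
    domain = same host; None (no -b given) = everything under the root URL."""
    if scope == "page":
        return url == root
    if scope == "folder":
        return folder_of(url) == folder_of(root)
    if scope == "domain":
        return urlsplit(url).netloc == urlsplit(root).netloc
    return url.startswith(root)


def remove_params(url, names):
    """-r semantics: drop the named query parameters (e.g. a session id) so that
    URLs differing only in those values collapse to one."""
    p = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True) if k not in names]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), ""))


def url_pattern(url):
    """Key used for -n. Assumption: two URLs share a pattern when they have the
    same host, path and set of parameter names, whatever the parameter values."""
    p = urlsplit(url)
    names = tuple(sorted(k for k, _ in parse_qsl(p.query, keep_blank_values=True)))
    return (p.netloc, p.path, names)


class CrawlFilter:
    """Decide, for each discovered link, whether a crawler should fetch it."""

    def __init__(self, root, scope=None, excludes=(), remove=(), nice=0):
        self.root = root
        self.scope = scope
        self.excludes = [exclude_pattern(x) for x in excludes]
        self.remove = set(remove)
        self.nice = nice            # 0 means no limit
        self.seen_patterns = {}     # pattern key -> number of URLs accepted
        self.accepted = set()

    def accept(self, url):
        """Return the normalised URL to fetch, or None if it must be skipped."""
        url = remove_params(url, self.remove)
        if url in self.accepted:                      # already queued once
            return None
        if not in_scope(url, self.root, self.scope):
            return None
        if any(rx.match(url) for rx in self.excludes):
            return None
        if self.nice > 0:                             # cap URLs per pattern
            key = url_pattern(url)
            self.seen_patterns[key] = self.seen_patterns.get(key, 0) + 1
            if self.seen_patterns[key] > self.nice:
                return None
        self.accepted.add(url)
        return url


def run_filter(root, links, **options):
    """Feed links through a filter and return the URLs that survive, in order."""
    f = CrawlFilter(root, **options)
    return [u for u in (f.accept(link) for link in links) if u is not None]


if __name__ == "__main__":
    # Constructed sample links, as a crawler might extract them from a page.
    links = [
        "http://server/base/index.php?sid=abc",
        "http://server/base/index.php?sid=def",      # same page, other session id
        "http://server/base/admin/users.php",        # excluded directory
        "http://server/base/?page=3&module=test",    # excluded by wildcard
        "http://server/base/view.php?id=1",
        "http://server/base/view.php?id=2",
        "http://server/base/view.php?id=3",          # third of the same pattern
        "http://server/logout.php",                  # outside the default scope
    ]
    for u in run_filter("http://server/base/", links,
                        excludes=["http://server/base/admin/*",
                                  "http://server/base/?page=*&module=test"],
                        remove=["sid"], nice=2):
        print(u)
```

       Of the eight constructed links only three are fetched: the index page once (the two session
       ids collapse after -r sid), and the first two view.php links (the third exceeds -n 2). The
       admin directory and the page=*&module=test pattern are excluded, and logout.php lies outside
       the default scope of http://server/base/.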

       -m, --module=MODULE_OPTIONS
              Set the modules and HTTP methods to use for attacks.
              Example:
                     -m "-all,xss:get,exec:post"
              disables every module, then enables the xss module for GET requests and the exec module
              for POST requests.
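       The value of -m is a small language of its own, applied left to right. The following is an
       added example, not Wapiti's own parser: it reads a MODULE_OPTIONS string into a plan of which
       module attacks which HTTP method, which is a quick way to check that a -m value means what
       you think before launching a scan. The grammar it assumes (comma-separated items, a leading
       '-' to disable and '+' or no sign to enable, 'all' for every module, an optional ':get' or
       ':post' suffix restricting the item to one method) is inferred from the example above, and
       the module names are an illustrative list, not the set shipped with any particular version.

```python
# Added example (not Wapiti's own code): a parser for the -m/--module option.
# Assumed grammar, chosen to fit the example in the man page: items are separated
# by commas; a leading '-' disables and a leading '+' (or no sign) enables; the
# name 'all' stands for every module; an optional ':method' suffix restricts the
# change to one HTTP method. The module names below are an illustrative list.
METHODS = ("get", "post")
EXAMPLE_MODULES = ("xss", "exec", "sql", "file")   # assumption: names of attack modules


def parse_module_spec(spec, modules=EXAMPLE_MODULES):
    """Return {module: set of HTTP methods it attacks} after applying spec.
    All modules start enabled for every method; items apply left to right."""
    enabled = {m: set(METHODS) for m in modules}
    for raw in spec.split(","):
        item = raw.strip().lower()
        if not item:
            continue
        enable = True
        if item[0] in "+-":
            enable = item[0] == "+"
            item = item[1:]
        name, _, method = item.partition(":")
        targets = list(modules) if name == "all" else [name]
        methods = set(METHODS) if not method else {method}
        for m in targets:
            if m not in enabled:
                raise ValueError("unknown module: %r" % m)
        if not methods <= set(METHODS):
            raise ValueError("unknown HTTP method: %r" % method)
        for m in targets:
            if enable:
                enabled[m] |= methods
            else:
                enabled[m] -= methods
    return enabled


def modules_for(enabled, method):
    """Modules that will attack parameters sent with the given HTTP method."""
    return sorted(m for m, methods in enabled.items() if method in methods)


if __name__ == "__main__":
    plan = parse_module_spec("-all,xss:get,exec:post")
    print("GET  ->", modules_for(plan, "get"))    # ['xss']
    print("POST ->", modules_for(plan, "post"))   # ['exec']
```

       Because items apply in order, "-all" must come first: written as "xss:get,-all" it would
       disable xss again. Unknown module or method names raise an error rather than being silently
       ignored, so a typo does not turn into a scan that attacks nothing.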

       -i, --continue=FILE
              Tell Wapiti to continue the scan from the specified file, which should contain data
              from a previous scan.  The file is optional; if it is not specified, Wapiti takes the
              default file from the "scans" folder.

       -k, --attack=FILE
              Tell Wapiti to perform the attacks without scanning the website again, using the data
              recorded in this file.  The file is optional; if it is not specified, Wapiti takes the
              default file from the "scans" folder.

       -u, --underline
              Use colour to highlight vulnerable parameters in the output.

       -v, --verbose=LEVEL
              Set the verbosity level to LEVEL.
              0: quiet (default), 1: print each url, 2: print every attack.

       -f, --reportType=TYPE
              Set the type of the report to TYPE (values are xml, txt, html).

       -o, --output=FILE
              Write the report to FILE.
              If the selected report type is "html", this parameter must be a directory.

       -h, --help
              Print this usage message.

LICENCE

       wapiti is covered by the GNU General Public License (GPL), version 2.
       Please read the COPYING file for more information.

COPYRIGHT

       Copyright (c) 2006 Nicolas Surribas.

AUTHORS

       Nicolas Surribas
       David del Pozo
       Alberto Pastor

BUG REPORTS

       If you find a bug in Wapiti please report it to http://sourceforge.net/tracker/?group_id=168625

SEE ALSO

       The README file that comes with Wapiti gives more detailed information on the options.