Update doc
Update wapiti documentation including the new features
parent cb0dadd0fe
commit 1e90f3cf37
@ -77,6 +77,7 @@ Browsing features
+ Adding some custom HTTP headers or setting a custom User-Agent.
+ Using a Firefox headless browser for crawling
+ Loading your own python code for complicated authentication cases (see `--form-script` option)
+ Adding custom URL or PATH to update Wappalyzer database


Supported attacks
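Review bot: the new bullet "Adding custom URL or PATH to update Wappalyzer database" should name the options it refers to so readers can find them in the option reference; suggest "Updating the Wappalyzer database from a custom URL or a local directory (see `--wapp-url` and `--wapp-dir`)".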
@ -103,12 +104,13 @@ Supported attacks
+ Checking cookie security flags (secure and httponly flags)
+ Cross Site Request Forgery (CSRF) basic detection
+ Fingerprinting of web applications using the Wappalyzer database
+ Enumeration of Wordpress and Drupal modules
+ Enumeration of CMS module
+ Subdomain takeovers detection
+ Log4Shell (CVE-2021-44228) detection
+ Spring4Shell (CVE-2020-5398) detection
+ Check https redirections
+ Check for file upload vulnerabilities
+ Detection of network devices

Wapiti supports both GET and POST HTTP methods for attacks.
It also supports multipart and can inject payloads in filenames (upload).
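Review bot: "Enumeration of CMS module" reads as a singular and does not say which CMS are covered; whether it replaces or sits beside "Enumeration of Wordpress and Drupal modules", suggest "Detection of CMS and their versions (drupal, joomla, prestashop, spip, wp)" so the feature list matches the choices documented for `--cms` in the man page.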
@ -123,11 +125,11 @@ The aforementioned attacks are tied to the following module names :
+ backup (Search copies of scripts and archives on the web server)
+ brute_login_form (Brute Force login form using a dictionary list)
+ buster (DirBuster like module)
+ cms (Scan to detect CMS and their versions)
+ cookieflags (Checks Secure and HttpOnly flags)
+ crlf (CR-LF injection in HTTP headers)
+ csp (Detect lack of CSP or weak CSP configuration)
+ csrf (Detects forms not protected against CSRF or using weak anti-CSRF tokens)
+ drupal_enum (Detect version of Drupal)
+ exec (Code execution or command injection)
+ file (Path traversal, file inclusion, etc)
+ htaccess (Misconfigured htaccess restrictions)
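Review bot: the new `cms` entry ("Scan to detect CMS and their versions") overlaps with the existing `drupal_enum` entry ("Detect version of Drupal"); say whether `drupal_enum` is superseded by `cms` or still needed, and mention in the `cms` description that the set of CMS to test can be restricted with `--cms`.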
@ -136,6 +138,7 @@ The aforementioned attacks are tied to the following module names :
+ https_redirect (Check https redirections)
+ log4shell (Detects websites vulnerable to CVE-2021-44228)
+ methods (Look for uncommon available HTTP methods like PUT)
+ network_device (Look for common files to detect network devices)
+ nikto (Look for known vulnerabilities by testing URL existence and checking responses)
+ permanentxss (Rescan the whole target after the xss module execution looking for previously tainted payloads)
+ redirect (Open Redirects)
doc/wapiti.1 (65 lines changed)
@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "WAPITI" "1" "October 2022" "" ""
.TH "WAPITI" "1" "March 2024" "" ""
.
.SH "NAME"
\fBwapiti\fR \- A web application vulnerability scanner in Python
@ -50,6 +50,9 @@ ATTACK SPECIFICATION:
.IP "\(bu" 4
\fB\-l\fR, \fB\-\-level\fR \fILEVEL\fR
.
.IP "\(bu" 4
\fB\-\-cms\fR {drupal,joomla,prestashop,spip,wp}
.
.IP "" 0
.
.P
@ -68,12 +71,24 @@ PROXY AND AUTHENTICATION OPTIONS:
\fB\-a\fR, \fB\-\-auth\-cred\fR \fICREDENTIALS\fR
.
.IP "\(bu" 4
\fB\-\-auth\-user\fR \fIUSERNAME\fR
.
.IP "\(bu" 4
\fB\-\-auth\-password\fR \fIPASSWORD\fR
.
.IP "\(bu" 4
\fB\-\-auth\-method\fR {basic,digest,ntlm}
.
.IP "\(bu" 4
\fB\-\-form\-cred\fR \fICREDENTIALS\fR
.
.IP "\(bu" 4
\fB\-\-form\-user\fR \fIUSERNAME\fR
.
.IP "\(bu" 4
\fB\-\-form\-password\fR \fIPASSWORD\fR
.
.IP "\(bu" 4
\fB\-\-form\-url\fR \fIURL\fR
.
.IP "\(bu" 4
@ -212,7 +227,7 @@ REPORT OPTIONS:
\fB\-o\fR, \fB\-\-output\fR \fIOUTPUT_PATH\fR
.
.IP "\(bu" 4
\fB\-dr\fR, \fB\-\-detailed\-report\fR
\fB\-dr\fR, \fB\-\-detailed\-report\fR \fILEVEL\fR
.
.IP "" 0
.
@ -226,7 +241,7 @@ OTHER OPTIONS:
\fB\-\-version\fR
.
.IP "\(bu" 4
\fB\-\-update\fR
\fB\-\-update\fR [\fB\-\-wapp\-url\fR \fIWAPP_DB_URL\fR, \fB\-\-wapp\-dir\fR \fIWAPP_DB_PATH\fR]
.
.IP "\(bu" 4
\fB\-h\fR
@ -326,6 +341,9 @@ It may be useful on CGIs when developers have to parse the query\-string themsel
.br
Default value for this option is 1\.
.
.IP "\(bu" 4
\fB\-\-cms\fR \fICMS_LIST\fR This option can only be used when the module cms is selected\. It allows to specify the CMS to scan from the list {drupal,joomla,prestashop,spip,wp}\. Multiple choices are allowed, all the CMS will be scanned if this option is not set\.
.
.IP "" 0
.
.SH "PROXY AND AUTHENTICATION"
@ -349,7 +367,22 @@ Make Wapiti use a Tor listener (same as \-\-proxy socks://127\.0\.0\.1:9050/)
\fB\-a\fR, \fB\-\-auth\-cred\fR \fICREDENTIALS\fR
.
.br
Set credentials to use for HTTP authentication on the target (see available methods bellow)\. Given value should be in the form login%password (% is used as a separator)
(DEPRECATED) Set credentials to use for HTTP authentication on the target (see available methods bellow)\. Given value should be in the form login%password (% is used as a separator)
.
.IP "\(bu" 4
\fB\-\-auth\-user\fR \fIUSERNAME\fR
.
.br
Set username to use for HTTP authentication on the target (see available methods bellow)\.
.
.IP "\(bu" 4
\fB\-\-auth\-password\fR \fIPASSWORD\fR
.
.br
Set password to use for HTTP authentication on the target (see available methods bellow)\.
.
.IP "" 0

.
.IP "\(bu" 4
\fB\-\-auth\-method\fR \fITYPE\fR
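Review bot: the new "(DEPRECATED)" line for `\-\-auth\-cred` carries over the "bellow" typo (should be "below") and does not say what replaces the option; suggest "(DEPRECATED, use \-\-auth\-user and \-\-auth\-password)" so users know where to migrate. Since this file is generated by Ronn (see the header comment), make the fix in the ronn source and regenerate rather than editing the roff.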
@ -361,7 +394,22 @@ Set the authentication mechanism to use\. Valid choices are basic, digest and nt
\fB\-\-form\-cred\fR \fICREDENTIALS\fR
.
.br
Set credentials to use for web form authentication on the target\. Given value should be in the form login%password (% is used as a separator)
(DEPRECATED) Set credentials to use for web form authentication on the target\. Given value should be in the form login%password (% is used as a separator)
.
.IP "\(bu" 4
\fB\-\-form\-user\fR \fIUSERNAME\fR
.
.br
Set username to use for web form authentication on the target\.
.
.IP "\(bu" 4
\fB\-\-form\-password\fR \fIPASSWORD\fR
.
.br
Set password to use for web form authentication on the target\.
.
.IP "" 0

.
.IP "\(bu" 4
\fB\-\-form\-url\fR \fIURL\fR
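Review bot: the "(DEPRECATED)" marker on `\-\-form\-cred` should name its replacement, e.g. "(DEPRECATED, use \-\-form\-user and \-\-form\-password)", otherwise a reader of this entry alone does not learn the new syntax.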
@ -728,10 +776,7 @@ Although the HTML reports were rewritten to be more responsive, they still are i
Set the path were the report will be generated\.
.
.IP "\(bu" 4
\fB\-dr\fR, \fB\-\-detailed\-report\fR
.
.br
HTTP responses (headers and bodies) will appear in the report\.
\fB\-dr\fR, \fB\-\-detailed\-report\fR \fILEVEL\fR Set the level of detailed report for the output\. Possible values are (1) : includes HTTP requestes in the report, (2) : includes HTTP responses (headers and bodies) in the report\.
.
.IP "" 0
.
@ -756,7 +801,7 @@ You can still prevent reports from being sent using that option\.
\fB\-\-update\fR
.
.br
Update particular Wapiti modules (download a fresh version of the \fBapps\.json\fR and \fBnikto_db\fR files) then exit\. You can combine it with \fB\-\-store\-config\fR to specify where to store downloaded files\.
Update particular Wapiti modules (download a fresh version of the \fBapps\.json\fR and \fBnikto_db\fR files) then exit\. You can combine it with \fB\-\-store\-config\fR to specify where to store downloaded files\. You can also combine it with \fB\-\-wapp\-url\fR to update the Wappalyzer DB from a custom git repository, or with \fB\-\-wapp\-dir\fR to update it from a local Wappalyzer DB directory\.
.
.IP "\(bu" 4
\fB\-h\fR, \fB\-\-help\fR
@ -120,6 +120,7 @@ More detail on each option can be found in the following sections.</p>
<li><code>-m</code> <var>MODULES_LIST</var></li>
<li><code>--list-modules</code></li>
<li><code>-l</code>, <code>--level</code> <var>LEVEL</var></li>
<li><code>--cms</code> {drupal,joomla,prestashop,spip,wp}</li>
</ul>

@ -208,7 +209,7 @@ More detail on each option can be found in the following sections.</p>
<ul>
<li><code>-f</code>, <code>--format</code> {json,html,txt,xml}</li>
<li><code>-o</code>, <code>--output</code> <var>OUTPUT_PATH</var></li>
<li><code>-dr</code>, <code>--detailed-report</code></li>
<li><code>-dr</code>, <code>--detailed-report</code> <var>LEVEL</var></li>
</ul>

@ -217,7 +218,7 @@ More detail on each option can be found in the following sections.</p>
<ul>
<li><code>--no-bugreport</code></li>
<li><code>--version</code></li>
<li><code>--update</code></li>
<li><code>--update</code> [<code>--wapp-url</code> <var>WAPP_DB_URL</var>, <code>--wapp-dir</code> <var>WAPP_DB_PATH</var>]</li>
<li><code>-h</code></li>
</ul>

@ -263,6 +264,10 @@ While it may be successful in finding vulnerabilities that way, it was causing t
This behavior is now hidden behind this option and can be reactivated by setting -l to 2.<br />
It may be useful on CGIs when developers have to parse the query-string themselves.<br />
Default value for this option is 1.</p></li>
<li><p><code>--cms</code> <var>CMS_LIST</var>
This option can only be used when the module cms is selected.
It allows to specify the CMS to scan from the list {drupal,joomla,prestashop,spip,wp}.
Multiple choices are allowed, all the CMS will be scanned if this option is not set.</p></li>
</ul>

@ -276,17 +281,31 @@ Make Wapiti use a Tor listener (same as --proxy socks://127.0.0.1:9050/)</p></li
<li><p><code>--mitm-port</code> <var>PORT</var>
If used, this option will launch a mitmproxy instance listening on the given port instead of using an automated crawler to explore the target.
Configure your browser to use the intercepting proxy then explore the target manually. Ctrl+C in the console when you are done.</p></li>
<li><p><code>-a</code>, <code>--auth-user</code> <var>USERNAME</var><br />
Set username to use for HTTP authentication on the target (see available methods bellow).</p></li>
<li><p><code>-a</code>, <code>--auth-password</code> <var>PASSWORD</var><br />
Set password to use for HTTP authentication on the target (see available methods bellow).</p></li>
<li><p><code>-a</code>, <code>--auth-cred</code> <var>CREDENTIALS</var><br />
(DEPRECATED) Set credentials to use for HTTP authentication on the target (see available methods bellow).
Given value should be in the form login%password (% is used as a separator)</p></li>
<li><p><code>--auth-user</code> <var>USERNAME</var><br />
Set username to use for HTTP authentication on the target (see available methods bellow).</p>

<ul>
<li><code>--auth-password</code> <var>PASSWORD</var><br />
Set password to use for HTTP authentication on the target (see available methods bellow).</li>
</ul>
</li>
<li><p><code>--auth-method</code> <var>TYPE</var><br />
Set the authentication mechanism to use. Valid choices are basic, digest and ntlm.
NTLM authentication may require you to install an additional Python module.</p></li>
<li><p><code>--form-cred</code> <var>CREDENTIALS</var><br />
(DEPRECATED) Set credentials to use for web form authentication on the target.
Given value should be in the form login%password (% is used as a separator)</p></li>
<li><p><code>--form-user</code> <var>USERNAME</var><br />
Set username to use for web form authentication on the target.</p></li>
<li><p><code>--form-password</code> <var>PASSWORD</var><br />
Set password to use for web form authentication on the target.</p></li>
Set username to use for web form authentication on the target.</p>

<ul>
<li><code>--form-password</code> <var>PASSWORD</var><br />
Set password to use for web form authentication on the target.</li>
</ul>
</li>
<li><p><code>--form-url</code> <var>URL</var><br />
If <code>--form-data</code> is not set, Wapiti will extract the login form at the given URL and fill it with the provided credentials.
Otherwise raw credentials are sent directly to the given URL.</p></li>
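Review bot: the generated HTML nests <code>--auth-password</code> in a <code>&lt;ul&gt;</code> inside the <code>--auth-user</code> item (<code>&lt;li&gt;&lt;p&gt;&lt;code&gt;--auth-user&lt;/code&gt; ...&lt;/p&gt; &lt;ul&gt;&lt;li&gt;&lt;code&gt;--auth-password&lt;/code&gt; ...&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;</code>) and does the same for <code>--form-password</code> under <code>--form-user</code>, so both options render as sub-items of an unrelated option instead of as entries of their own; the likely cause is an indented line under those items in the ronn source, so fix the list indentation there and regenerate both the roff and the HTML. The new <code>--auth-cred</code> text also carries the "bellow" typo (should be "below").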
@ -451,8 +470,9 @@ Set the format of the report. Valid choices are json, html, txt and xml.<br />
Although the HTML reports were rewritten to be more responsive, they still are impracticable when there is a lot of found vulnerabilities.</p></li>
<li><p><code>-o</code>, <code>--output</code> <var>OUTPUT_PATH</var><br />
Set the path were the report will be generated.</p></li>
<li><p><code>-dr</code>, <code>--detailed-report</code><br />
HTTP responses (headers and bodies) will appear in the report.</p></li>
<li><p><code>-dr</code>, <code>--detailed-report</code> <var>LEVEL</var>
Set the level of detailed report for the output.
Possible values are (1) : includes HTTP requestes in the report, (2) : includes HTTP responses (headers and bodies) in the report.</p></li>
</ul>

@ -466,7 +486,8 @@ If a Wapiti attack module crashes of a non-caught exception a bug report is gene
You can still prevent reports from being sent using that option.</p></li>
<li><p><code>--update</code><br />
Update particular Wapiti modules (download a fresh version of the <code>apps.json</code> and <code>nikto_db</code> files) then exit.
You can combine it with <code>--store-config</code> to specify where to store downloaded files.</p></li>
You can combine it with <code>--store-config</code> to specify where to store downloaded files.
You can also combine it with <code>--wapp-url</code> to update the Wappalyzer DB from a custom git repository, or with <code>--wapp-dir</code> to update it from a local Wappalyzer DB directory.</p></li>
<li><p><code>-h</code>, <code>--help</code><br />
Show detailed options description. More details are available in this manpage though.</p></li>
</ul>
@ -500,7 +521,7 @@ Please read the LICENSE file for more information.</p>

<ol class='man-decor man-foot man foot'>
<li class='tl'></li>
<li class='tc'>October 2022</li>
<li class='tc'>March 2024</li>
<li class='tr'>wapiti(1)</li>
</ol>

@ -31,6 +31,7 @@ ATTACK SPECIFICATION:
* `-m` <MODULES_LIST>
* `--list-modules`
* `-l`, `--level` <LEVEL>
* `--cms` {drupal,joomla,prestashop,spip,wp}

PROXY AND AUTHENTICATION OPTIONS:

@ -98,13 +99,13 @@ REPORT OPTIONS:

* `-f`, `--format` {json,html,txt,xml}
* `-o`, `--output` <OUTPUT_PATH>
* `-dr`, `--detailed-report`
* `-dr`, `--detailed-report` <LEVEL>

OTHER OPTIONS:

* `--no-bugreport`
* `--version`
* `--update`
* `--update` [`--wapp-url` <WAPP_DB_URL>, `--wapp-dir` <WAPP_DB_PATH>]
* `-h`

## TARGET SPECIFICATION
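Review bot: the synopsis `--update [--wapp-url <WAPP_DB_URL>, --wapp-dir <WAPP_DB_PATH>]` separates the two sub-options with a comma, which reads as "give both", while the OTHER OPTIONS description in this same file says `--wapp-url` *or* `--wapp-dir`; if they are alternatives, use the usual `[--wapp-url <WAPP_DB_URL> | --wapp-dir <WAPP_DB_PATH>]` form here (the roff and HTML synopses are generated from this line and will follow).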
@ -144,6 +145,11 @@ OTHER OPTIONS:
This behavior is now hidden behind this option and can be reactivated by setting -l to 2.
It may be useful on CGIs when developers have to parse the query-string themselves.
Default value for this option is 1.

* `--cms` <CMS_LIST>
This option can only be used when the module cms is selected.
It allows to specify the CMS to scan from the list {drupal,joomla,prestashop,spip,wp}.
Multiple choices are allowed, all the CMS will be scanned if this option is not set.

## PROXY AND AUTHENTICATION
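Review bot: the `--cms` description says "Multiple choices are allowed" but not how several CMS are passed (comma-separated list? option repeated?); document the separator and add an example invocation, since the generated man page and HTML inherit this text. Wording: "It allows to specify" should be "It lets you specify", and the comma splice should be split: "Multiple choices are allowed. All CMS are scanned if this option is not set."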
@ -358,8 +364,9 @@ Wapiti will generate a report at the end of the attack process. Several formats
* `-o`, `--output` <OUTPUT_PATH>
Set the path were the report will be generated.

* `-dr`, `--detailed-report`
HTTP responses (headers and bodies) will appear in the report.
* `-dr`, `--detailed-report` <LEVEL>
Set the level of detailed report for the output.
Possible values are (1) : includes HTTP requestes in the report, (2) : includes HTTP responses (headers and bodies) in the report.

## OTHER OPTIONS
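Review bot: "HTTP requestes" should be "HTTP requests", and the new `-dr <LEVEL>` text does not say what the default level is, whether level 2 also includes the requests of level 1, or what happens to existing invocations of `-dr` without an argument now that the flag takes a value; state all three, since this is a behaviour change for current users. The same typo is in the regenerated man page and HTML, so fixing it here and regenerating covers all three files.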
@ -373,6 +380,7 @@ Wapiti will generate a report at the end of the attack process. Several formats
* `--update`
Update particular Wapiti modules (download a fresh version of the `apps.json` and `nikto_db` files) then exit.
You can combine it with `--store-config` to specify where to store downloaded files.
You can also combine it with `--wapp-url` to update the Wappalyzer DB from a custom git repository, or with `--wapp-dir` to update it from a local Wappalyzer DB directory.

* `-h`, `--help`
Show detailed options description. More details are available in this manpage though.
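Review bot: the new sentence for `--wapp-dir` says "a local Wappalyzer DB directory" without saying what layout is expected (a checkout of the Wappalyzer repository, or a directory that already contains `apps.json`?); name the expected contents so users can prepare the directory, and say whether `--wapp-url` must point at a git repository URL or at the raw file, since "custom git repository" suggests Wapiti clones it.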