Update doc

Update wapiti documentation including the new features
This commit is contained in:
Oussama BENGHECHOUA 2024-03-28 16:20:38 +01:00 committed by Florian Wininger
parent cb0dadd0fe
commit 1e90f3cf37
4 changed files with 106 additions and 29 deletions


@ -77,6 +77,7 @@ Browsing features
+ Adding some custom HTTP headers or setting a custom User-Agent.
+ Using a Firefox headless browser for crawling
+ Loading your own python code for complicated authentication cases (see `--form-script` option)
+ Adding custom URL or PATH to update Wappalyzer database
Supported attacks
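Review bot: the new feature line `+ Adding custom URL or PATH to update Wappalyzer database` does not name the options that provide it, and the man page hunks in this same commit call them `--wapp-url` and `--wapp-dir`; write something like `+ Updating the Wappalyzer database from a custom git URL or a local directory (see --wapp-url and --wapp-dir)` so a reader can find the flags, and drop the capitalised `PATH`.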
@ -103,12 +104,13 @@ Supported attacks
+ Checking cookie security flags (secure and httponly flags)
+ Cross Site Request Forgery (CSRF) basic detection
+ Fingerprinting of web applications using the Wappalyzer database
+ Enumeration of Wordpress and Drupal modules
+ Enumeration of CMS module
+ Subdomain takeovers detection
+ Log4Shell (CVE-2021-44228) detection
+ Spring4Shell (CVE-2020-5398) detection
+ Check https redirections
+ Check for file upload vulnerabilities
+ Detection of network devices
Wapiti supports both GET and POST HTTP methods for attacks.
It also supports multipart and can inject payloads in filenames (upload).
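Review bot: `+ Enumeration of CMS module` should be plural (`modules`), and since it replaces the explicit `Wordpress and Drupal` wording it should say which CMS are covered; the `--cms` choice list added elsewhere in this commit is {drupal,joomla,prestashop,spip,wp}, so either state that set here or point at the `cms` module.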
@ -123,11 +125,11 @@ The aforementioned attacks are tied to the following module names :
+ backup (Search copies of scripts and archives on the web server)
+ brute_login_form (Brute Force login form using a dictionary list)
+ buster (DirBuster like module)
+ cms (Scan to detect CMS and their versions)
+ cookieflags (Checks Secure and HttpOnly flags)
+ crlf (CR-LF injection in HTTP headers)
+ csp (Detect lack of CSP or weak CSP configuration)
+ csrf (Detects forms not protected against CSRF or using weak anti-CSRF tokens)
+ drupal_enum (Detect version of Drupal)
+ exec (Code execution or command injection)
+ file (Path traversal, file inclusion, etc)
+ htaccess (Misconfigured htaccess restrictions)
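Review bot: the module list now carries both `cms (Scan to detect CMS and their versions)` and `drupal_enum (Detect version of Drupal)`, and the `cms` module's choice list includes drupal; say whether `drupal_enum` is kept as an independent module, deprecated, or superseded by `cms`, otherwise a user enabling both gets overlapping scans with no guidance on which to prefer.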
@ -136,6 +138,7 @@ The aforementioned attacks are tied to the following module names :
+ https_redirect (Check https redirections)
+ log4shell (Detects websites vulnerable to CVE-2021-44228)
+ methods (Look for uncommon available HTTP methods like PUT)
+ network_device (Look for common files to detect network devices)
+ nikto (Look for known vulnerabilities by testing URL existence and checking responses)
+ permanentxss (Rescan the whole target after the xss module execution looking for previously tainted payloads)
+ redirect (Open Redirects)


@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "WAPITI" "1" "October 2022" "" ""
.TH "WAPITI" "1" "March 2024" "" ""
.
.SH "NAME"
\fBwapiti\fR \- A web application vulnerability scanner in Python
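Review bot: the `.\" generated with Ronn/v0.7.3` header says this file is generated, and the only change in this hunk is the `.TH` date (`October 2022` to `March 2024`), which is fine; but the later hunks of this file contain list structure that differs from the sibling entries (the extra `.IP "" 0` lines after `--auth-password` and `--form-password`), so confirm that `wapiti.1` and the HTML were regenerated from the `.ronn` source in this commit rather than edited by hand, and fix the source so the three files stay in sync.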
@ -50,6 +50,9 @@ ATTACK SPECIFICATION:
.IP "\(bu" 4
\fB\-l\fR, \fB\-\-level\fR \fILEVEL\fR
.
.IP "\(bu" 4
\fB\-\-cms\fR {drupal,joomla,prestashop,spip,wp}
.
.IP "" 0
.
.P
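Review bot: the synopsis shows `\fB\-\-cms\fR {drupal,joomla,prestashop,spip,wp}` while the detailed entry later in this file shows `\fB\-\-cms\fR \fICMS_LIST\fR`; the other options use the same placeholder in both places (for example `\fILEVEL\fR`), so pick one form for `--cms` as well.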
@ -68,12 +71,24 @@ PROXY AND AUTHENTICATION OPTIONS:
\fB\-a\fR, \fB\-\-auth\-cred\fR \fICREDENTIALS\fR
.
.IP "\(bu" 4
\fB\-\-auth\-user\fR \fIUSERNAME\fR
.
.IP "\(bu" 4
\fB\-\-auth\-password\fR \fIPASSWORD\fR
.
.IP "\(bu" 4
\fB\-\-auth\-method\fR {basic,digest,ntlm}
.
.IP "\(bu" 4
\fB\-\-form\-cred\fR \fICREDENTIALS\fR
.
.IP "\(bu" 4
\fB\-\-form\-user\fR \fIUSERNAME\fR
.
.IP "\(bu" 4
\fB\-\-form\-password\fR \fIPASSWORD\fR
.
.IP "\(bu" 4
\fB\-\-form\-url\fR \fIURL\fR
.
.IP "\(bu" 4
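Review bot: the synopsis now lists `\fB\-a\fR, \fB\-\-auth\-cred\fR` and `\fB\-\-form\-cred\fR` next to their replacements with nothing marking them as deprecated, although the detailed entries in this commit prefix them with `(DEPRECATED)`; mark them here as well (or drop them from the synopsis) so a reader skimming this block picks `--auth-user`/`--auth-password` and `--form-user`/`--form-password`. The description could also remind users that a password given as a command-line argument, in either form, ends up in shell history.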
@ -212,7 +227,7 @@ REPORT OPTIONS:
\fB\-o\fR, \fB\-\-output\fR \fIOUTPUT_PATH\fR
.
.IP "\(bu" 4
\fB\-dr\fR, \fB\-\-detailed\-report\fR
\fB\-dr\fR, \fB\-\-detailed\-report\fR \fILEVEL\fR
.
.IP "" 0
.
@ -226,7 +241,7 @@ OTHER OPTIONS:
\fB\-\-version\fR
.
.IP "\(bu" 4
\fB\-\-update\fR
\fB\-\-update\fR [\fB\-\-wapp\-url\fR \fIWAPP_DB_URL\fR, \fB\-\-wapp\-dir\fR \fIWAPP_DB_PATH\fR]
.
.IP "\(bu" 4
\fB\-h\fR
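Review bot: `\fB\-\-update\fR [\fB\-\-wapp\-url\fR \fIWAPP_DB_URL\fR, \fB\-\-wapp\-dir\fR \fIWAPP_DB_PATH\fR]` puts both options in one bracket pair separated by a comma, which reads as "both together"; if they are alternatives (a git URL or a local directory), write them as `[\-\-wapp\-url URL | \-\-wapp\-dir PATH]`, and let the detailed entry say what happens when both are given.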
@ -326,6 +341,9 @@ It may be useful on CGIs when developers have to parse the query\-string themsel
.br
Default value for this option is 1\.
.
.IP "\(bu" 4
\fB\-\-cms\fR \fICMS_LIST\fR This option can only be used when the module cms is selected\. It allows to specify the CMS to scan from the list {drupal,joomla,prestashop,spip,wp}\. Multiple choices are allowed, all the CMS will be scanned if this option is not set\.
.
.IP "" 0
.
.SH "PROXY AND AUTHENTICATION"
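Review bot: the `--cms` description says `Multiple choices are allowed` but not how to pass them; state the syntax (for example whether the value is comma-separated like `-m` `MODULES_LIST`) and give one example. `It allows to specify` should read `It allows you to specify`, and `all the CMS will be scanned` should be `all CMS in the list are scanned`.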
@ -349,7 +367,22 @@ Make Wapiti use a Tor listener (same as \-\-proxy socks://127\.0\.0\.1:9050/)
\fB\-a\fR, \fB\-\-auth\-cred\fR \fICREDENTIALS\fR
.
.br
Set credentials to use for HTTP authentication on the target (see available methods bellow)\. Given value should be in the form login%password (% is used as a separator)
(DEPRECATED) Set credentials to use for HTTP authentication on the target (see available methods bellow)\. Given value should be in the form login%password (% is used as a separator)
.
.IP "\(bu" 4
\fB\-\-auth\-user\fR \fIUSERNAME\fR
.
.br
Set username to use for HTTP authentication on the target (see available methods bellow)\.
.
.IP "\(bu" 4
\fB\-\-auth\-password\fR \fIPASSWORD\fR
.
.br
Set password to use for HTTP authentication on the target (see available methods bellow)\.
.
.IP "" 0
.
.IP "\(bu" 4
\fB\-\-auth\-method\fR \fITYPE\fR
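Review bot: the `.IP "" 0` inserted after the new `--auth-password` entry ends the indented list before `--auth-method`, while the sibling entries (`--auth-cred`, `--auth-user`) are not followed by one; the HTML hunk in this commit shows the effect (`--auth-password` rendered in a nested `<ul>` under `--auth-user`), which points at an indentation slip in the `.ronn` source. Also `bellow` should be `below`: the typo is now copied from the deprecated entry into the two new ones.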
@ -361,7 +394,22 @@ Set the authentication mechanism to use\. Valid choices are basic, digest and nt
\fB\-\-form\-cred\fR \fICREDENTIALS\fR
.
.br
Set credentials to use for web form authentication on the target\. Given value should be in the form login%password (% is used as a separator)
(DEPRECATED) Set credentials to use for web form authentication on the target\. Given value should be in the form login%password (% is used as a separator)
.
.IP "\(bu" 4
\fB\-\-form\-user\fR \fIUSERNAME\fR
.
.br
Set username to use for web form authentication on the target\.
.
.IP "\(bu" 4
\fB\-\-form\-password\fR \fIPASSWORD\fR
.
.br
Set password to use for web form authentication on the target\.
.
.IP "" 0
.
.IP "\(bu" 4
\fB\-\-form\-url\fR \fIURL\fR
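Review bot: same list problem as in the HTTP-authentication block: the `.IP "" 0` after `--form-password` closes the list early and the HTML renders `--form-password` nested under `--form-user`; fix the source and regenerate. The two `(DEPRECATED)` entries should also say why `--auth-cred` and `--form-cred` are deprecated and when they will be removed, so scripts that rely on the `login%password` form can be migrated in time.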
@ -728,10 +776,7 @@ Although the HTML reports were rewritten to be more responsive, they still are i
Set the path were the report will be generated\.
.
.IP "\(bu" 4
\fB\-dr\fR, \fB\-\-detailed\-report\fR
.
.br
HTTP responses (headers and bodies) will appear in the report\.
\fB\-dr\fR, \fB\-\-detailed\-report\fR \fILEVEL\fR Set the level of detailed report for the output\. Possible values are (1) : includes HTTP requestes in the report, (2) : includes HTTP responses (headers and bodies) in the report\.
.
.IP "" 0
.
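Review bot: `requestes` should be `requests`, and the new `-dr` entry puts its description on the same line as the option instead of after `.br` as every other entry does (compare `-o`, `--output` just above). The entry should also state the default `LEVEL` when `-dr` is omitted and, since level 2 embeds full response headers and bodies, note that such a report can contain session cookies and other sensitive data returned by the target and should be stored with that in mind.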
@ -756,7 +801,7 @@ You can still prevent reports from being sent using that option\.
\fB\-\-update\fR
.
.br
Update particular Wapiti modules (download a fresh version of the \fBapps\.json\fR and \fBnikto_db\fR files) then exit\. You can combine it with \fB\-\-store\-config\fR to specify where to store downloaded files\.
Update particular Wapiti modules (download a fresh version of the \fBapps\.json\fR and \fBnikto_db\fR files) then exit\. You can combine it with \fB\-\-store\-config\fR to specify where to store downloaded files\. You can also combine it with \fB\-\-wapp\-url\fR to update the Wappalyzer DB from a custom git repository, or with \fB\-\-wapp\-dir\fR to update it from a local Wappalyzer DB directory\.
.
.IP "\(bu" 4
\fB\-h\fR, \fB\-\-help\fR
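Review bot: the `--update` text should state what `--wapp-url` expects (a git clone URL of a Wappalyzer-compatible repository, and which file or directory layout inside it is read) and what `--wapp-dir` expects (a local directory with the same layout); `custom git repository` and `local Wappalyzer DB directory` alone do not tell a user how to prepare either. It should also say whether the two options can be combined, since the synopsis lists them together inside one bracket pair.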


@ -120,6 +120,7 @@ More detail on each option can be found in the following sections.</p>
<li><code>-m</code> <var>MODULES_LIST</var></li>
<li><code>--list-modules</code></li>
<li><code>-l</code>, <code>--level</code> <var>LEVEL</var></li>
<li><code>--cms</code> {drupal,joomla,prestashop,spip,wp}</li>
</ul>
@ -208,7 +209,7 @@ More detail on each option can be found in the following sections.</p>
<ul>
<li><code>-f</code>, <code>--format</code> {json,html,txt,xml}</li>
<li><code>-o</code>, <code>--output</code> <var>OUTPUT_PATH</var></li>
<li><code>-dr</code>, <code>--detailed-report</code></li>
<li><code>-dr</code>, <code>--detailed-report</code> <var>LEVEL</var></li>
</ul>
@ -217,7 +218,7 @@ More detail on each option can be found in the following sections.</p>
<ul>
<li><code>--no-bugreport</code></li>
<li><code>--version</code></li>
<li><code>--update</code></li>
<li><code>--update</code> [<code>--wapp-url</code> <var>WAPP_DB_URL</var>, <code>--wapp-dir</code> <var>WAPP_DB_PATH</var>]</li>
<li><code>-h</code></li>
</ul>
@ -263,6 +264,10 @@ While it may be successful in finding vulnerabilities that way, it was causing t
This behavior is now hidden behind this option and can be reactivated by setting -l to 2.<br />
It may be useful on CGIs when developers have to parse the query-string themselves.<br />
Default value for this option is 1.</p></li>
<li><p><code>--cms</code> <var>CMS_LIST</var>
This option can only be used when the module cms is selected.
It allows to specify the CMS to scan from the list {drupal,joomla,prestashop,spip,wp}.
Multiple choices are allowed, all the CMS will be scanned if this option is not set.</p></li>
</ul>
@ -276,17 +281,31 @@ Make Wapiti use a Tor listener (same as --proxy socks://127.0.0.1:9050/)</p></li
<li><p><code>--mitm-port</code> <var>PORT</var>
If used, this option will launch a mitmproxy instance listening on the given port instead of using an automated crawler to explore the target.
Configure your browser to use the intercepting proxy then explore the target manually. Ctrl+C in the console when you are done.</p></li>
<li><p><code>-a</code>, <code>--auth-user</code> <var>USERNAME</var><br />
Set username to use for HTTP authentication on the target (see available methods bellow).</p></li>
<li><p><code>-a</code>, <code>--auth-password</code> <var>PASSWORD</var><br />
Set password to use for HTTP authentication on the target (see available methods bellow).</p></li>
<li><p><code>-a</code>, <code>--auth-cred</code> <var>CREDENTIALS</var><br />
(DEPRECATED) Set credentials to use for HTTP authentication on the target (see available methods bellow).
Given value should be in the form login%password (% is used as a separator)</p></li>
<li><p><code>--auth-user</code> <var>USERNAME</var><br />
Set username to use for HTTP authentication on the target (see available methods bellow).</p>
<ul>
<li><code>--auth-password</code> <var>PASSWORD</var><br />
Set password to use for HTTP authentication on the target (see available methods bellow).</li>
</ul>
</li>
<li><p><code>--auth-method</code> <var>TYPE</var><br />
Set the authentication mechanism to use. Valid choices are basic, digest and ntlm.
NTLM authentication may require you to install an additional Python module.</p></li>
<li><p><code>--form-cred</code> <var>CREDENTIALS</var><br />
(DEPRECATED) Set credentials to use for web form authentication on the target.
Given value should be in the form login%password (% is used as a separator)</p></li>
<li><p><code>--form-user</code> <var>USERNAME</var><br />
Set username to use for web form authentication on the target.</p></li>
<li><p><code>--form-password</code> <var>PASSWORD</var><br />
Set password to use for web form authentication on the target.</p></li>
Set username to use for web form authentication on the target.</p>
<ul>
<li><code>--form-password</code> <var>PASSWORD</var><br />
Set password to use for web form authentication on the target.</li>
</ul>
</li>
<li><p><code>--form-url</code> <var>URL</var><br />
If <code>--form-data</code> is not set, Wapiti will extract the login form at the given URL and fill it with the provided credentials.
Otherwise raw credentials are sent directly to the given URL.</p></li>
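Review bot: `--auth-password` and `--form-password` are rendered as nested sub-lists (the `<ul>` inside the `--auth-user` and `--form-user` `<li>` items) instead of as siblings of the other options, and the nested items lose the `<p>` wrapping the others have; this is the generated output of the list indentation in the `.ronn` source, so fix it there. The hunk also still shows `<code>-a</code>, <code>--auth-user</code>` and `<code>-a</code>, <code>--auth-password</code>`, which pair the `-a` short flag with the new options; `-a` belongs only to `--auth-cred`, so make sure those lines are on the removed side and do not survive. Four occurrences of `bellow` should be `below`.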
@ -451,8 +470,9 @@ Set the format of the report. Valid choices are json, html, txt and xml.<br />
Although the HTML reports were rewritten to be more responsive, they still are impracticable when there is a lot of found vulnerabilities.</p></li>
<li><p><code>-o</code>, <code>--output</code> <var>OUTPUT_PATH</var><br />
Set the path were the report will be generated.</p></li>
<li><p><code>-dr</code>, <code>--detailed-report</code><br />
HTTP responses (headers and bodies) will appear in the report.</p></li>
<li><p><code>-dr</code>, <code>--detailed-report</code> <var>LEVEL</var>
Set the level of detailed report for the output.
Possible values are (1) : includes HTTP requestes in the report, (2) : includes HTTP responses (headers and bodies) in the report.</p></li>
</ul>
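Review bot: `requestes` should be `requests`, and the new `-dr`, `--detailed-report` entry lacks the `<br />` after the option name that `-o`, `--output` and the other entries carry, so the description runs directly into the option line; add the trailing line break in the `.ronn` source and regenerate.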
@ -466,7 +486,8 @@ If a Wapiti attack module crashes of a non-caught exception a bug report is gene
You can still prevent reports from being sent using that option.</p></li>
<li><p><code>--update</code><br />
Update particular Wapiti modules (download a fresh version of the <code>apps.json</code> and <code>nikto_db</code> files) then exit.
You can combine it with <code>--store-config</code> to specify where to store downloaded files.</p></li>
You can combine it with <code>--store-config</code> to specify where to store downloaded files.
You can also combine it with <code>--wapp-url</code> to update the Wappalyzer DB from a custom git repository, or with <code>--wapp-dir</code> to update it from a local Wappalyzer DB directory.</p></li>
<li><p><code>-h</code>, <code>--help</code><br />
Show detailed options description. More details are available in this manpage though.</p></li>
</ul>
@ -500,7 +521,7 @@ Please read the LICENSE file for more information.</p>
<ol class='man-decor man-foot man foot'>
<li class='tl'></li>
<li class='tc'>October 2022</li>
<li class='tc'>March 2024</li>
<li class='tr'>wapiti(1)</li>
</ol>


@ -31,6 +31,7 @@ ATTACK SPECIFICATION:
* `-m` <MODULES_LIST>
* `--list-modules`
* `-l`, `--level` <LEVEL>
* `--cms` {drupal,joomla,prestashop,spip,wp}
PROXY AND AUTHENTICATION OPTIONS:
@ -98,13 +99,13 @@ REPORT OPTIONS:
* `-f`, `--format` {json,html,txt,xml}
* `-o`, `--output` <OUTPUT_PATH>
* `-dr`, `--detailed-report`
* `-dr`, `--detailed-report` <LEVEL>
OTHER OPTIONS:
* `--no-bugreport`
* `--version`
* `--update`
* `--update` [`--wapp-url` <WAPP_DB_URL>, `--wapp-dir` <WAPP_DB_PATH>]
* `-h`
## TARGET SPECIFICATION
@ -144,6 +145,11 @@ OTHER OPTIONS:
This behavior is now hidden behind this option and can be reactivated by setting -l to 2.
It may be useful on CGIs when developers have to parse the query-string themselves.
Default value for this option is 1.
* `--cms` <CMS_LIST>
This option can only be used when the module cms is selected.
It allows to specify the CMS to scan from the list {drupal,joomla,prestashop,spip,wp}.
Multiple choices are allowed, all the CMS will be scanned if this option is not set.
## PROXY AND AUTHENTICATION
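Review bot: this is the source the man page and HTML are generated from, so the `--cms` wording fixes belong here: `It allows to specify` should be `It allows you to specify`, the entry should say how multiple CMS are passed (comma-separated like `-m` <MODULES_LIST>?), and the synopsis form `{drupal,joomla,prestashop,spip,wp}` and the detail form `<CMS_LIST>` should be made consistent.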
@ -358,8 +364,9 @@ Wapiti will generate a report at the end of the attack process. Several formats
* `-o`, `--output` <OUTPUT_PATH>
Set the path were the report will be generated.
* `-dr`, `--detailed-report`
HTTP responses (headers and bodies) will appear in the report.
* `-dr`, `--detailed-report` <LEVEL>
Set the level of detailed report for the output.
Possible values are (1) : includes HTTP requestes in the report, (2) : includes HTTP responses (headers and bodies) in the report.
## OTHER OPTIONS
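Review bot: `requestes` should be `requests` here in the source; the option line `* \`-dr\`, \`--detailed-report\` <LEVEL>` also needs the same trailing line break as `* \`-o\`, \`--output\` <OUTPUT_PATH>` so the generated HTML gets its `<br />` (the HTML hunk shows it missing). Document the default `LEVEL` as well.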
@ -373,6 +380,7 @@ Wapiti will generate a report at the end of the attack process. Several formats
* `--update`
Update particular Wapiti modules (download a fresh version of the `apps.json` and `nikto_db` files) then exit.
You can combine it with `--store-config` to specify where to store downloaded files.
You can also combine it with `--wapp-url` to update the Wappalyzer DB from a custom git repository, or with `--wapp-dir` to update it from a local Wappalyzer DB directory.
* `-h`, `--help`
Show detailed options description. More details are available in this manpage though.
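Review bot: the `--update` description should explain what `--wapp-url` and `--wapp-dir` expect (repository layout and the file or directory that is read) and whether they may be combined, since the synopsis lists them together inside one bracket pair; as this file is the source, make the change here and regenerate `wapiti.1` and the HTML from it.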