Wapiti is a vulnerability assessment framework that performs black box security auditing of the web applications. The vulnerabilities that can be assessed with Wapiti include database injections, Local File Inclusion (LFI), Remote File Inclusion (RFI), command execution, CRLF injection, Server Side Request Forgery (SSRF), XML External Entity (XXE) injection, Shellshock bugs, .htaccess attacks, and source code disclosure vulnerabilities. The database injection includes SQL, XPATH, PHP, ASP, and JSP injection attacks. Command execution attack analysis includes detection of eval(), system(), and pastru() vulnerabilities. Wapiti makes use of the pre-installed modules to perform these assessments.
Wapiti Installation
Wapiti is a Python based framework. Clone Wapiti using the following Github path.
git clone https://github.com/IFGHou/wapiti
Navigate to the wapiti directory to install the framework using the following commands.
cd wapiti python3 setup.py install
Wapiti Working
The framework can be launched by running the wapiti executable from bin folder in Wapiti directory. The help command loads all the mandatory and optional parameters of Wapiti.
python3 wapiti -h
The following basic command executes Wapiti framework to scan vulnerabilities in target web application.
python3 wapiti –u <target web application>
Let’s assume a web application (testphp.vunweb.com). The following command loads all Wapiti modules to scan the application for the aforesaid vulnerabilities.
python3 wapiti –u http://testphp.vulbweb.com
Wapiti finds all the available links on the target web application and runs each module one by one against each file (link). If any file (link) is found vulnerable, Wapiti mentions it in Command Line Interface (CLI) along with the attack path and potential injection parameters.
Since Wapiti basic command loads all the modules, the process can take some time to scan web applications with too many directories and pages. The CTRL+C command halts the current scan process with few options, such as skipping the active module and executing the next, generating report without performing further analysis, and stopping the whole scanning process without generating any reports.
Besides launching all modules, Wapiti allows using a specific module. The –lists-modules argument lists all the available modules in Wapiti framework.
Python3 wapiti --list-modules
The –m parameter in the following format executes desired module for specific vulnerabilities assessment.
python3 wapiti –u <target web application> -m <module name>
For instance, we can limit the vulnerability search scope to SQL injections by using the sql module in the following format.
python3 wapiti –u http://testphp.vulnweb.com –m sql
The above command loads all the modules, however executes only sql module to find out SQL related vulnerabilities in the target web application.
The module goes through each directory and page to find out the SQL vulnerabilities. We can define depth level to limit the scanning process to desired number of links or files. The –max-links-per-page argument is used to define the maximum links to be scanned one each page of the target web application. Similarly, –max-files-per-dir argument is used to define maximum number of files per directory. Wapiti supports many other arguments that can be used along with the search command. All these options can be explored in the help section. Besides displaying individual findings in CLI, Wapiti generates a detailed report of detected vulnerabilities in the root directory. The report is in HTML format that can be viewed in preferred web browser.
Conclusion
Wapiti is an automated way of searching top level web application vulnerabilities. The framework does not rely on the provided url path. Rather, it scans all the directories and pages in the target to find out the potential vulnerabilities.