Wapiti: Powerful and Automated Web Vulnerability Scanner

Wapiti is an open-source, command-line web application vulnerability scanner written in Python. It works as a black-box fuzzer: it crawls the target, then replays the discovered URLs and forms with attack payloads and inspects the responses for signs of common weaknesses such as injection flaws and cross-site scripting. It is used by penetration testers and bug bounty hunters and ships with Kali Linux, a popular penetration testing distribution.

Hello everyone! Today, I'll demonstrate how to utilize Wapiti to uncover potential security vulnerabilities on websites. Let's get started!


Before we proceed, make sure you have three things ready.

  • First, Kali Linux installed and running in a virtual machine. The VM isolates your scanning activity from your main computer.
  • Next, a target to scan. In this tutorial we use Metasploitable2, a deliberately vulnerable VM built for practice, so nothing you do here touches a real site. Give both VMs a network adapter in "Host-only" mode so Kali and Metasploitable2 can reach each other without exposing the vulnerable machine to your LAN or the internet.
  • Finally, a steady internet connection. It is not needed for the local Metasploitable2 scan, but it is required for the live scan later in this tutorial and for updating Wapiti's attack modules (wapiti --update). In the Kali VM's settings, under Network adapter, confirm that a second adapter is attached to the NAT network.

Once the three prerequisites are in place, you are ready to scan for vulnerabilities. We will start with the web application running on Metasploitable2.

Before scanning, you need the target's IP address. Open a terminal in Kali Linux and run netdiscover on the host-only interface (eth1 in this setup; substitute whichever interface is attached to your host-only network).

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1

netdiscover sends ARP requests across the selected network segment and lists every host that answers, with its IP and MAC address. Pick out the entry belonging to Metasploitable2.

We already know that Metasploitable2 serves a web page on port 80. Open a browser in Kali and enter the discovered IP address in the address bar to reach its web interface.

To begin, let's perform a vulnerability scan on this webpage to identify any security issues.

You can find Wapiti in the Kali Linux applications menu under Web Application Analysis, in the "Web Vulnerability Scanners" group, or simply run it from a terminal.

Running wapiti -h prints every available option with a short description of what it does.

$ wapiti -h

 ██╗    ██╗ █████╗ ██████╗ ██╗████████╗██╗██████╗
 ██║    ██║██╔══██╗██╔══██╗██║╚══██╔══╝██║╚════██╗
 ██║ █╗ ██║███████║██████╔╝██║   ██║   ██║ █████╔╝
 ██║███╗██║██╔══██║██╔═══╝ ██║   ██║   ██║ ╚═══██╗
 ╚███╔███╔╝██║  ██║██║     ██║   ██║   ██║██████╔╝
  ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝     ╚═╝   ╚═╝   ╚═╝╚═════╝  
Wapiti-3.0.4 (wapiti.sourceforge.io)
usage: wapiti [-h] [-u URL] [--scope {page,folder,domain,url,punk}] [-m MODULES_LIST] [--list-modules] [--update] [-l LEVEL]
              [-p PROXY_URL] [--tor] [-a CREDENTIALS] [--auth-type {basic,digest,kerberos,ntlm,post}] [-c COOKIE_FILE] [--skip-crawl]
              [--resume-crawl] [--flush-attacks] [--flush-session] [--store-session PATH] [--store-config PATH] [-s URL] [-x URL]
              [-r PARAMETER] [--skip PARAMETER] [-d DEPTH] [--max-links-per-page MAX] [--max-files-per-dir MAX]
              [--max-scan-time SECONDS] [--max-attack-time SECONDS] [--max-parameters MAX] [-S FORCE] [-t SECONDS] [-H HEADER]
              [-A AGENT] [--verify-ssl {0,1}] [--color] [-v LEVEL] [-f FORMAT] [-o OUPUT_PATH]
              [--external-endpoint EXTERNAL_ENDPOINT_URL] [--internal-endpoint INTERNAL_ENDPOINT_URL] [--endpoint ENDPOINT_URL]
              [--no-bugreport] [--version]

Wapiti-3.0.4: Web application vulnerability scanner

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     The base URL used to define the scan scope (default scope is folder)
  --scope {page,folder,domain,url,punk}
                        Set scan scope
  -m MODULES_LIST, --module MODULES_LIST
                        List of modules to load
  --list-modules        List Wapiti attack modules and exit
  --update              Update Wapiti attack modules and exit
  -l LEVEL, --level LEVEL
                        Set attack level
  -p PROXY_URL, --proxy PROXY_URL
                        Set the HTTP(S) proxy to use. Supported: http(s) and socks proxies
  --tor                 Use Tor listener (127.0.0.1:9050)
  -a CREDENTIALS, --auth-cred CREDENTIALS
                        Set HTTP authentication credentials
  --auth-type {basic,digest,kerberos,ntlm,post}
                        Set the authentication type to use
  -c COOKIE_FILE, --cookie COOKIE_FILE
                        Set a JSON cookie file to use
  --skip-crawl          Don't resume the scanning process, attack URLs scanned during a previous session
  --resume-crawl        Resume the scanning process (if stopped) even if some attacks were previously performed
  --flush-attacks       Flush attack history and vulnerabilities for the current session
  --flush-session       Flush everything that was previously found for this target (crawled URLs, vulns, etc)
  --store-session PATH  Directory where to store attack history and session data.
  --store-config PATH   Directory where to store configuration databases.
  -s URL, --start URL   Adds an url to start scan with
  -x URL, --exclude URL
                        Adds an url to exclude from the scan
  -r PARAMETER, --remove PARAMETER
                        Remove this parameter from urls
  --skip PARAMETER      Skip attacking given parameter(s)
  -d DEPTH, --depth DEPTH
                        Set how deep the scanner should explore the website
  --max-links-per-page MAX
                        Set how many (in-scope) links the scanner should extract for each page
  --max-files-per-dir MAX
                        Set how many pages the scanner should explore per directory
  --max-scan-time SECONDS
                        Set how many seconds you want the scan to last (floats accepted)
  --max-attack-time SECONDS
                        Set how many seconds you want each attack module to last (floats accepted)
  --max-parameters MAX  URLs and forms having more than MAX input parameters will be erased before attack.
  -S FORCE, --scan-force FORCE
                        Easy way to reduce the number of scanned and attacked URLs. Possible values: paranoid, sneaky, polite, normal,
                        aggressive, insane
  -t SECONDS, --timeout SECONDS
                        Set timeout for requests
  -H HEADER, --header HEADER
                        Set a custom header to use for every requests
  -A AGENT, --user-agent AGENT
                        Set a custom user-agent to use for every requests
  --verify-ssl {0,1}    Set SSL check (default is no check)
  --color               Colorize output
  -v LEVEL, --verbose LEVEL
                        Set verbosity level (0: quiet, 1: normal, 2: verbose)
  -f FORMAT, --format FORMAT
                        Set output format. Supported: json, html (default), txt, xml
  -o OUPUT_PATH, --output OUPUT_PATH
                        Output file or folder
  --external-endpoint EXTERNAL_ENDPOINT_URL
                        Url serving as endpoint for target
  --internal-endpoint INTERNAL_ENDPOINT_URL
                        Url serving as endpoint for attacker
  --endpoint ENDPOINT_URL
                        Url serving as endpoint for both attacker and target
  --no-bugreport        Don't send automatic bug report when an attack module fails
  --version             Show program's version number and exit
┌──(kali㉿kali)-[~]
└─$ 

For this demonstration we restrict the scan to the Mutillidae application hosted on Metasploitable2, rather than crawling the entire VM, which would take considerably longer.

Narrowing the scope also keeps the report focused on a single application, which makes the findings easier to triage and fix.

Now start the scan. Open a new terminal and run wapiti -u followed by the Mutillidae URL, then -o with the path of the directory where the report should be written. End the URL with a trailing slash: the default scope is folder, and the slash makes it unambiguous that the mutillidae directory itself, and not its parent, is the folder in scope.

┌──(kali㉿kali)-[~]
└─$ wapiti -u http://192.168.95.104/mutillidae/ -o /home/kali/wapiti_report

Wapiti first crawls the target to enumerate pages, links and forms within the scope.

Once crawling is complete, it runs its attack modules against everything it found, injecting payloads into each parameter and analysing the responses for evidence of a vulnerability.

Keep in mind that Wapiti crawls through all the pages of the website and applies its modules, which can be time-consuming. For instance, on a Metasploitable virtual machine, the scan and module execution took over 15 minutes to finish. On a real-world website, this process could potentially take hours, depending on the size and complexity of the site.

Therefore, be patient during the scanning process, and ensure that you allocate sufficient time for Wapiti to thoroughly analyze the target website for vulnerabilities.

If the target has many pages, the scan can take a long time. You can speed it up by disabling modules you do not need: pass the module list with -m and prefix a module name with a minus sign to deactivate it. For example, on a purely static site with no server-side code, the command execution (exec) module has nothing to test and can be dropped. Be deliberate about this: a skipped module means that whole class of vulnerability goes untested, so it is often better to cap the run with --max-scan-time or --max-attack-time instead.

If you need to intervene while the attack modules are running, press CTRL+C. Wapiti pauses and prompts for a choice.

At the prompt, press 'r' then Enter to stop the scan and generate a report from what has been found so far. Press 'n' then Enter to skip the current module and move on to the next one. Press 'c' to continue the current attack, or 'q' to quit without generating a report.

Once the scan is completed, an HTML report will be generated in the specified directory. You can navigate to this directory using a file manager.

Finally, open the generated HTML report in a web browser to view the comprehensive analysis of the scan results. This report will provide detailed insights into any vulnerabilities detected during the scanning process.

You can click on the identified vulnerabilities in the Wapiti report to access more detailed information. Let's take a closer look at an example, such as the Command execution vulnerability highlighted in the Wapiti report.
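The HTML report is convenient for browsing, but the help output above also offers -f json, which is the format to use when you want to feed results into a ticketing system or triage them in bulk. The script below is an added example written for this tutorial, not part of Wapiti itself. It parses a JSON report, counts findings by category and severity, and collapses high-severity findings to one entry per injectable parameter, each paired with the remediation text Wapiti attaches to the category and the curl command that reproduces it. The field names used ("infos", "classifications", "vulnerabilities", "anomalies", and per-finding "method", "path", "parameter", "level", "curl_command") follow the Wapiti 3.x JSON layout as I understand it and should be checked against your own report; the embedded sample report is constructed for the example and the Mutillidae paths in it are illustrative.

```python
"""Summarise and triage a Wapiti JSON report (wapiti -u <URL> -f json -o report.json).

Added example for this tutorial; not part of Wapiti. Field names follow the
Wapiti 3.x JSON report layout as understood by the author of this example
(assumption): top-level "infos", "classifications", "vulnerabilities" and
"anomalies"; each finding has "method", "path", "parameter", "info", "level"
and "curl_command". Verify them against a report from your own Wapiti build.
"""
import json
import sys
from collections import Counter

# Wapiti's numeric severity levels mapped to labels (assumed meaning).
LEVELS = {1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed sample report, trimmed to the fields this script reads.
SAMPLE_REPORT = json.dumps({
    "infos": {"target": "http://192.168.95.104/mutillidae/", "version": "Wapiti 3.0.4"},
    "classifications": {
        "Command execution": {"desc": "User input reaches a system shell.",
                              "sol": "Never pass user input to a shell; call fixed commands with an allow-list."},
        "Cross Site Scripting": {"desc": "User input is reflected into HTML.",
                                 "sol": "Encode output for its HTML context."},
    },
    "vulnerabilities": {
        "Command execution": [
            # The same parameter listed twice (two payload variants): one real issue.
            {"method": "POST", "path": "/mutillidae/index.php", "parameter": "target_host",
             "info": "Command execution via injection in the parameter target_host", "level": 3,
             "curl_command": "curl -X POST --data 'target_host=;id' 'http://192.168.95.104/mutillidae/index.php?page=dns-lookup.php'"},
            {"method": "POST", "path": "/mutillidae/index.php", "parameter": "target_host",
             "info": "Command execution via injection in the parameter target_host", "level": 3,
             "curl_command": "curl -X POST --data 'target_host=|id' 'http://192.168.95.104/mutillidae/index.php?page=dns-lookup.php'"},
        ],
        "Cross Site Scripting": [
            {"method": "GET", "path": "/mutillidae/index.php", "parameter": "page",
             "info": "XSS vulnerability found via injection in the parameter page", "level": 2,
             "curl_command": "curl 'http://192.168.95.104/mutillidae/index.php?page=%3Cscript%3E'"},
            {"method": "POST", "path": "/mutillidae/index.php", "parameter": "username",
             "info": "XSS vulnerability found via injection in the parameter username", "level": 2,
             "curl_command": "curl -X POST --data 'username=%3Cscript%3E' 'http://192.168.95.104/mutillidae/index.php?page=login.php'"},
        ],
        "SQL Injection": [],
    },
    "anomalies": {
        "Internal Server Error": [
            {"method": "GET", "path": "/mutillidae/index.php", "parameter": "page",
             "info": "Internal Server Error", "level": 1,
             "curl_command": "curl 'http://192.168.95.104/mutillidae/index.php?page=%27'"},
        ],
    },
})


def load_report(text):
    """Parse the JSON report text into a dict."""
    return json.loads(text)


def iter_findings(report):
    """Yield (section, category, finding) for every vulnerability and anomaly."""
    for section in ("vulnerabilities", "anomalies"):
        for category, items in report.get(section, {}).items():
            for item in items:
                yield section, category, item


def summarize(report):
    """Count findings per category and per severity label; empty categories are omitted."""
    by_category, by_level = Counter(), Counter()
    for _section, category, item in iter_findings(report):
        by_category[category] += 1
        by_level[LEVELS.get(item.get("level"), "unknown")] += 1
    return by_category, by_level


def triage(report, min_level=3):
    """Return one entry per distinct injectable parameter at or above min_level.

    A report can list the same parameter more than once (e.g. under several
    payload variants); collapse on (category, method, path, parameter) and
    attach the category's remediation text plus a curl reproducer.
    """
    seen, out = set(), []
    for section, category, item in iter_findings(report):
        if section != "vulnerabilities" or item.get("level", 0) < min_level:
            continue
        key = (category, item.get("method"), item.get("path"), item.get("parameter"))
        if key in seen:
            continue
        seen.add(key)
        out.append({
            "category": category, "method": item.get("method"), "path": item.get("path"),
            "parameter": item.get("parameter"), "level": LEVELS.get(item.get("level"), "unknown"),
            "curl_command": item.get("curl_command", ""),
            "remediation": report.get("classifications", {}).get(category, {}).get("sol", ""),
        })
    return out


def main(argv):
    """Usage: python wapiti_triage.py report.json   (no argument: use the sample)."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    report = load_report(text)
    by_category, by_level = summarize(report)
    print("Target:", report.get("infos", {}).get("target"))
    for category, count in by_category.most_common():
        print(f"  {count:3d}  {category}")
    print("By severity:", dict(by_level))
    for f in triage(report):
        print(f"\n[{f['level']}] {f['category']}: {f['method']} {f['path']} parameter={f['parameter']}")
        print("  reproduce:", f["curl_command"])
        print("  fix:      ", f["remediation"])


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a real report with `python wapiti_triage.py /home/kali/wapiti_report/report.json` (path assumed; use whatever you passed to -o). The curl reproducer is the part to keep: confirm each high-severity hit by hand before filing it, since an automated scanner's output is a lead, not a verdict.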

Wapiti is a valuable tool widely utilized by cybersecurity researchers and bug bounty hunters due to its effectiveness in identifying vulnerabilities.

While we covered only the basics in the previous section, it's worth noting that Wapiti offers a wide range of advanced options and features.

One notable capability is that Wapiti keeps crawl and attack state in a session database, so a scan interrupted with CTRL+C can be picked up later with --resume-crawl, or the crawl skipped altogether with --skip-crawl to attack only the URLs found in a previous session. This is particularly useful when a scan needs an entire day or more to complete.

Now that you're familiar with practicing in a safe environment, let's use Wapiti to test a live website on the internet.

For this exercise, we'll scan "testphp.vulnweb.com", a site that is intentionally vulnerable and publicly offered for testing scanners. Only ever scan hosts you own or have explicit written permission to test: an active scan sends attack payloads to the target and is intrusive, so pointing Wapiti at a site you are not authorised to assess is an attack, not an audit.

The process is the same as before, except that the target is identified by a hostname instead of the IP address of a local VM.

In the terminal, run wapiti -u with the URL, then -o with the directory where the report should be written.

┌──(kali㉿kali)-[~]
└─$ wapiti -u http://testphp.vulnweb.com -o /home/kali/acureport_wapiti

This command initiates the complete scanning process.

As before, press CTRL+C if you need to interrupt a running module. At the prompt, press 'n' followed by Enter to skip the current module and proceed to the next one, or 'r' followed by Enter to stop the scan and write the report.

Once the scan is completed, Wapiti will save the report in the specified directory. Navigate to this directory and open the HTML file to view the detailed scan report.

Wapiti is a widely recognised tool among security researchers, developers and system administrators. With attackers exploiting both newly disclosed and long-known web vulnerabilities, often rooted in poor security practices, regular automated scanning is an effective first pass when auditing websites and web servers.

Its commands and arguments are straightforward, which makes it accessible to users of varying technical levels, yet it remains a capable tool. The HTML report groups findings by category, assigns each a severity level and includes a description of the issue together with a suggested remediation, so you have a clear starting point rather than a raw list of URLs. Treat the findings as leads, not verdicts: like any automated scanner, Wapiti can report false positives and cannot detect business-logic flaws, so confirm each finding manually (the HTTP request and curl command attached to every finding make that quick) before acting on it.

Using Wapiti, you gain a reliable first view of your application's weaknesses and concrete guidance toward fixing them.

If you have any doubts or questions, feel free to leave them in the comments section. Thank you for your attention.
