Metadata-Version: 2.4
Name: wapiti3
Version: 3.2.7
Summary: A web application vulnerability scanner
Author-email: Nicolas Surribas <nicolas.surribas@gmail.com>
License:                     GNU GENERAL PUBLIC LICENSE
                               Version 2, June 1991
        
         Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
         51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
         Everyone is permitted to copy and distribute verbatim copies
         of this license document, but changing it is not allowed.
        
                                    Preamble
        
          The licenses for most software are designed to take away your
        freedom to share and change it.  By contrast, the GNU General Public
        License is intended to guarantee your freedom to share and change free
        software--to make sure the software is free for all its users.  This
        General Public License applies to most of the Free Software
        Foundation's software and to any other program whose authors commit to
        using it.  (Some other Free Software Foundation software is covered by
        the GNU Lesser General Public License instead.)  You can apply it to
        your programs, too.
        
          When we speak of free software, we are referring to freedom, not
        price.  Our General Public Licenses are designed to make sure that you
        have the freedom to distribute copies of free software (and charge for
        this service if you wish), that you receive source code or can get it
        if you want it, that you can change the software or use pieces of it
        in new free programs; and that you know you can do these things.
        
          To protect your rights, we need to make restrictions that forbid
        anyone to deny you these rights or to ask you to surrender the rights.
        These restrictions translate to certain responsibilities for you if you
        distribute copies of the software, or if you modify it.
        
          For example, if you distribute copies of such a program, whether
        gratis or for a fee, you must give the recipients all the rights that
        you have.  You must make sure that they, too, receive or can get the
        source code.  And you must show them these terms so they know their
        rights.
        
          We protect your rights with two steps: (1) copyright the software, and
        (2) offer you this license which gives you legal permission to copy,
        distribute and/or modify the software.
        
          Also, for each author's protection and ours, we want to make certain
        that everyone understands that there is no warranty for this free
        software.  If the software is modified by someone else and passed on, we
        want its recipients to know that what they have is not the original, so
        that any problems introduced by others will not reflect on the original
        authors' reputations.
        
          Finally, any free program is threatened constantly by software
        patents.  We wish to avoid the danger that redistributors of a free
        program will individually obtain patent licenses, in effect making the
        program proprietary.  To prevent this, we have made it clear that any
        patent must be licensed for everyone's free use or not licensed at all.
        
          The precise terms and conditions for copying, distribution and
        modification follow.
        
                            GNU GENERAL PUBLIC LICENSE
           TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
        
          0. This License applies to any program or other work which contains
        a notice placed by the copyright holder saying it may be distributed
        under the terms of this General Public License.  The "Program", below,
        refers to any such program or work, and a "work based on the Program"
        means either the Program or any derivative work under copyright law:
        that is to say, a work containing the Program or a portion of it,
        either verbatim or with modifications and/or translated into another
        language.  (Hereinafter, translation is included without limitation in
        the term "modification".)  Each licensee is addressed as "you".
        
        Activities other than copying, distribution and modification are not
        covered by this License; they are outside its scope.  The act of
        running the Program is not restricted, and the output from the Program
        is covered only if its contents constitute a work based on the
        Program (independent of having been made by running the Program).
        Whether that is true depends on what the Program does.
        
          1. You may copy and distribute verbatim copies of the Program's
        source code as you receive it, in any medium, provided that you
        conspicuously and appropriately publish on each copy an appropriate
        copyright notice and disclaimer of warranty; keep intact all the
        notices that refer to this License and to the absence of any warranty;
        and give any other recipients of the Program a copy of this License
        along with the Program.
        
        You may charge a fee for the physical act of transferring a copy, and
        you may at your option offer warranty protection in exchange for a fee.
        
          2. You may modify your copy or copies of the Program or any portion
        of it, thus forming a work based on the Program, and copy and
        distribute such modifications or work under the terms of Section 1
        above, provided that you also meet all of these conditions:
        
            a) You must cause the modified files to carry prominent notices
            stating that you changed the files and the date of any change.
        
            b) You must cause any work that you distribute or publish, that in
            whole or in part contains or is derived from the Program or any
            part thereof, to be licensed as a whole at no charge to all third
            parties under the terms of this License.
        
            c) If the modified program normally reads commands interactively
            when run, you must cause it, when started running for such
            interactive use in the most ordinary way, to print or display an
            announcement including an appropriate copyright notice and a
            notice that there is no warranty (or else, saying that you provide
            a warranty) and that users may redistribute the program under
            these conditions, and telling the user how to view a copy of this
            License.  (Exception: if the Program itself is interactive but
            does not normally print such an announcement, your work based on
            the Program is not required to print an announcement.)
        
        These requirements apply to the modified work as a whole.  If
        identifiable sections of that work are not derived from the Program,
        and can be reasonably considered independent and separate works in
        themselves, then this License, and its terms, do not apply to those
        sections when you distribute them as separate works.  But when you
        distribute the same sections as part of a whole which is a work based
        on the Program, the distribution of the whole must be on the terms of
        this License, whose permissions for other licensees extend to the
        entire whole, and thus to each and every part regardless of who wrote it.
        
        Thus, it is not the intent of this section to claim rights or contest
        your rights to work written entirely by you; rather, the intent is to
        exercise the right to control the distribution of derivative or
        collective works based on the Program.
        
        In addition, mere aggregation of another work not based on the Program
        with the Program (or with a work based on the Program) on a volume of
        a storage or distribution medium does not bring the other work under
        the scope of this License.
        
          3. You may copy and distribute the Program (or a work based on it,
        under Section 2) in object code or executable form under the terms of
        Sections 1 and 2 above provided that you also do one of the following:
        
            a) Accompany it with the complete corresponding machine-readable
            source code, which must be distributed under the terms of Sections
            1 and 2 above on a medium customarily used for software interchange; or,
        
            b) Accompany it with a written offer, valid for at least three
            years, to give any third party, for a charge no more than your
            cost of physically performing source distribution, a complete
            machine-readable copy of the corresponding source code, to be
            distributed under the terms of Sections 1 and 2 above on a medium
            customarily used for software interchange; or,
        
            c) Accompany it with the information you received as to the offer
            to distribute corresponding source code.  (This alternative is
            allowed only for noncommercial distribution and only if you
            received the program in object code or executable form with such
            an offer, in accord with Subsection b above.)
        
        The source code for a work means the preferred form of the work for
        making modifications to it.  For an executable work, complete source
        code means all the source code for all modules it contains, plus any
        associated interface definition files, plus the scripts used to
        control compilation and installation of the executable.  However, as a
        special exception, the source code distributed need not include
        anything that is normally distributed (in either source or binary
        form) with the major components (compiler, kernel, and so on) of the
        operating system on which the executable runs, unless that component
        itself accompanies the executable.
        
        If distribution of executable or object code is made by offering
        access to copy from a designated place, then offering equivalent
        access to copy the source code from the same place counts as
        distribution of the source code, even though third parties are not
        compelled to copy the source along with the object code.
        
          4. You may not copy, modify, sublicense, or distribute the Program
        except as expressly provided under this License.  Any attempt
        otherwise to copy, modify, sublicense or distribute the Program is
        void, and will automatically terminate your rights under this License.
        However, parties who have received copies, or rights, from you under
        this License will not have their licenses terminated so long as such
        parties remain in full compliance.
        
          5. You are not required to accept this License, since you have not
        signed it.  However, nothing else grants you permission to modify or
        distribute the Program or its derivative works.  These actions are
        prohibited by law if you do not accept this License.  Therefore, by
        modifying or distributing the Program (or any work based on the
        Program), you indicate your acceptance of this License to do so, and
        all its terms and conditions for copying, distributing or modifying
        the Program or works based on it.
        
          6. Each time you redistribute the Program (or any work based on the
        Program), the recipient automatically receives a license from the
        original licensor to copy, distribute or modify the Program subject to
        these terms and conditions.  You may not impose any further
        restrictions on the recipients' exercise of the rights granted herein.
        You are not responsible for enforcing compliance by third parties to
        this License.
        
          7. If, as a consequence of a court judgment or allegation of patent
        infringement or for any other reason (not limited to patent issues),
        conditions are imposed on you (whether by court order, agreement or
        otherwise) that contradict the conditions of this License, they do not
        excuse you from the conditions of this License.  If you cannot
        distribute so as to satisfy simultaneously your obligations under this
        License and any other pertinent obligations, then as a consequence you
        may not distribute the Program at all.  For example, if a patent
        license would not permit royalty-free redistribution of the Program by
        all those who receive copies directly or indirectly through you, then
        the only way you could satisfy both it and this License would be to
        refrain entirely from distribution of the Program.
        
        If any portion of this section is held invalid or unenforceable under
        any particular circumstance, the balance of the section is intended to
        apply and the section as a whole is intended to apply in other
        circumstances.
        
        It is not the purpose of this section to induce you to infringe any
        patents or other property right claims or to contest validity of any
        such claims; this section has the sole purpose of protecting the
        integrity of the free software distribution system, which is
        implemented by public license practices.  Many people have made
        generous contributions to the wide range of software distributed
        through that system in reliance on consistent application of that
        system; it is up to the author/donor to decide if he or she is willing
        to distribute software through any other system and a licensee cannot
        impose that choice.
        
        This section is intended to make thoroughly clear what is believed to
        be a consequence of the rest of this License.
        
          8. If the distribution and/or use of the Program is restricted in
        certain countries either by patents or by copyrighted interfaces, the
        original copyright holder who places the Program under this License
        may add an explicit geographical distribution limitation excluding
        those countries, so that distribution is permitted only in or among
        countries not thus excluded.  In such case, this License incorporates
        the limitation as if written in the body of this License.
        
          9. The Free Software Foundation may publish revised and/or new versions
        of the General Public License from time to time.  Such new versions will
        be similar in spirit to the present version, but may differ in detail to
        address new problems or concerns.
        
        Each version is given a distinguishing version number.  If the Program
        specifies a version number of this License which applies to it and "any
        later version", you have the option of following the terms and conditions
        either of that version or of any later version published by the Free
        Software Foundation.  If the Program does not specify a version number of
        this License, you may choose any version ever published by the Free Software
        Foundation.
        
          10. If you wish to incorporate parts of the Program into other free
        programs whose distribution conditions are different, write to the author
        to ask for permission.  For software which is copyrighted by the Free
        Software Foundation, write to the Free Software Foundation; we sometimes
        make exceptions for this.  Our decision will be guided by the two goals
        of preserving the free status of all derivatives of our free software and
        of promoting the sharing and reuse of software generally.
        
                                    NO WARRANTY
        
          11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
        FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
        OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
        PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
        OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
        MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
        TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
        PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
        REPAIR OR CORRECTION.
        
          12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
        WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
        REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
        INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
        OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
        TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
        YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
        PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
        POSSIBILITY OF SUCH DAMAGES.
        
                             END OF TERMS AND CONDITIONS
        
                    How to Apply These Terms to Your New Programs
        
          If you develop a new program, and you want it to be of the greatest
        possible use to the public, the best way to achieve this is to make it
        free software which everyone can redistribute and change under these terms.
        
          To do so, attach the following notices to the program.  It is safest
        to attach them to the start of each source file to most effectively
        convey the exclusion of warranty; and each file should have at least
        the "copyright" line and a pointer to where the full notice is found.
        
            <one line to give the program's name and a brief idea of what it does.>
            Copyright (C) <year>  <name of author>
        
            This program is free software; you can redistribute it and/or modify
            it under the terms of the GNU General Public License as published by
            the Free Software Foundation; either version 2 of the License, or
            (at your option) any later version.
        
            This program is distributed in the hope that it will be useful,
            but WITHOUT ANY WARRANTY; without even the implied warranty of
            MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
            GNU General Public License for more details.
        
            You should have received a copy of the GNU General Public License along
            with this program; if not, write to the Free Software Foundation, Inc.,
            51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
        
        Also add information on how to contact you by electronic and paper mail.
        
        If the program is interactive, make it output a short notice like this
        when it starts in an interactive mode:
        
            Gnomovision version 69, Copyright (C) year name of author
            Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
            This is free software, and you are welcome to redistribute it
            under certain conditions; type `show c' for details.
        
        The hypothetical commands `show w' and `show c' should show the appropriate
        parts of the General Public License.  Of course, the commands you use may
        be called something other than `show w' and `show c'; they could even be
        mouse-clicks or menu items--whatever suits your program.
        
        You should also get your employer (if you work as a programmer) or your
        school, if any, to sign a "copyright disclaimer" for the program, if
        necessary.  Here is a sample; alter the names:
        
          Yoyodyne, Inc., hereby disclaims all copyright interest in the program
          `Gnomovision' (which makes passes at compilers) written by James Hacker.
        
          <signature of Ty Coon>, 1 April 1989
          Ty Coon, President of Vice
        
        This General Public License does not permit incorporating your program into
        proprietary programs.  If your program is a subroutine library, you may
        consider it more useful to permit linking proprietary applications with the
        library.  If this is what you want to do, use the GNU Lesser General
        Public License instead of this License.
        
Project-URL: homepage, https://wapiti-scanner.github.io/
Project-URL: repository, https://github.com/wapiti-scanner/wapiti
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Console
Classifier: Intended Audience :: End Users/Desktop
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: GNU General Public License v2 (GPLv2)
Classifier: Natural Language :: English
Classifier: Operating System :: MacOS :: MacOS X
Classifier: Operating System :: POSIX
Classifier: Operating System :: Unix
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Internet :: WWW/HTTP :: Indexing/Search
Classifier: Topic :: Software Development :: Testing
Requires-Python: <3.14,>=3.12
Description-Content-Type: text/x-rst
License-File: LICENSE
Requires-Dist: aiocache==0.12.3
Requires-Dist: aiohttp==3.13.0
Requires-Dist: aiosqlite==0.21.0
Requires-Dist: wapiti-arsenic==28.2
Requires-Dist: beautifulsoup4==4.14.2
Requires-Dist: browser-cookie3==0.20.1
Requires-Dist: dnspython==2.8.0
Requires-Dist: h11<0.17,>=0.16.0
Requires-Dist: httpcore==1.0.9
Requires-Dist: httpx[brotli,socks]==0.28.1
Requires-Dist: httpx-ntlm==1.4.0
Requires-Dist: humanize==4.13.0
Requires-Dist: loguru==0.7.3
Requires-Dist: mako==1.3.10
Requires-Dist: markupsafe==3.0.3
Requires-Dist: mitmproxy==12.1.2
Requires-Dist: msgpack==1.1.1
Requires-Dist: packaging==24.1
Requires-Dist: pyasn1==0.6.1
Requires-Dist: sqlalchemy==2.0.44
Requires-Dist: tld==0.13.1
Requires-Dist: typing-extensions>=4.13.2
Requires-Dist: urwid>=2.6.15
Requires-Dist: yaswfp==0.9.3
Requires-Dist: wapiti-swagger==0.1.9
Provides-Extra: test
Requires-Dist: humanize==4.13.0; extra == "test"
Requires-Dist: pytest==8.0.2; extra == "test"
Requires-Dist: pytest-cov==4.1.0; extra == "test"
Requires-Dist: pytest-asyncio==0.23.5; extra == "test"
Requires-Dist: respx==0.22.0; extra == "test"
Provides-Extra: dev
Requires-Dist: build; extra == "dev"
Requires-Dist: humanize==4.13.0; extra == "dev"
Requires-Dist: pylint==3.3.6; extra == "dev"
Requires-Dist: pytest==8.0.2; extra == "dev"
Requires-Dist: pytest-cov==4.1.0; extra == "dev"
Requires-Dist: pytest-asyncio==0.23.5; extra == "dev"
Requires-Dist: respx==0.22.0; extra == "dev"
Requires-Dist: wheel; extra == "dev"
Dynamic: license-file

==================================
Wapiti - Web Vulnerability Scanner
==================================

.. image:: https://img.shields.io/pypi/v/wapiti3?label=PyPI&logo=PyPI&logoColor=white&color=blue
    :alt: PyPI version
    :target: https://pypi.python.org/pypi/wapiti3
.. image:: https://img.shields.io/pypi/pyversions/wapiti3
    :alt: Supported Python versions
    :target: https://github.com/wapiti-scanner/wapiti/blob/master/INSTALL.md
.. image:: https://img.shields.io/github/license/wapiti-scanner/wapiti
    :alt: License: GPL-2.0
    :target: https://github.com/wapiti-scanner/wapiti/blob/master/LICENSE
.. image:: https://img.shields.io/pypi/dd/wapiti3
    :alt: Downloads per day on PyPi
    :target: https://pypi.python.org/pypi/wapiti3
.. image:: https://codecov.io/gh/wapiti-scanner/wapiti/branch/master/graph/badge.svg?token=GFEIORAFB8
    :target: https://codecov.io/gh/wapiti-scanner/wapiti

Wapiti is a web vulnerability scanner written in Python.

http://wapiti-scanner.github.io/

Requirements
============
In order to work correctly, Wapiti needs Python 3.12 or 3.13.

All Python module dependencies will be installed automatically if you use the setup.py script or `pip install wapiti3`

See `INSTALL.md <https://github.com/wapiti-scanner/wapiti/blob/master/INSTALL.md>`__ for more details on installation.

Running Wapiti on Windows can be accomplished through the use of `WSL <https://learn.microsoft.com/en-us/training/modules/get-started-with-windows-subsystem-for-linux/>`__.

How it works
============

Wapiti works as a "black-box" vulnerability scanner,  that means it won't
study the source code of web applications but will work like a  fuzzer,
scanning the pages of the deployed web application, extracting links and
forms  and attacking  the scripts, sending payloads and looking for error
messages, special strings or abnormal behaviors.


General features
================

+ Generates vulnerability reports in various formats (HTML, XML, JSON, TXT, CSV).
+ Can suspend and resume a scan or an attack (session mechanism using sqlite3 databases).
+ Can give you colors in the terminal to highlight vulnerabilities.
+ Different levels of verbosity.
+ Fast and easy way to activate/deactivate attack modules.
+ Adding a payload can be as easy as adding a line to a text file.
+ Configurable number of concurrent tasks to perform HTTP requests.


Browsing features
=================

+ Support HTTP, HTTPS and SOCKS5 proxies.
+ HTTP authentication on the target (Basic, Digest, NTLM)
+ Authentication by filling login forms.
+ Ability to restrain the scope of the scan (domain, folder, page, url).
+ Automatic removal of one or more parameters in URLs.
+ Multiple safeguards against scan endless-loops (for example, limit of values for a parameter).
+ Possibility to set the first URLs to explore (even if not in scope).
+ Can exclude some URLs of the scan and attacks (eg: logout URL).
+ Import cookies from your Chrome or Firefox browser or using the `wapiti-getcookie` tool.
+ Can activate / deactivate SSL certificates verification.
+ Extract URLs from Flash SWF files.
+ Try to extract URLs from javascript (very basic JS interpreter).
+ HTML5 aware (understand recent HTML tags).
+ Several options to control the crawler behavior and limits.
+ Skipping some parameter names during attack.
+ Setting a maximum time for the scan process.
+ Adding some custom HTTP headers or setting a custom User-Agent.
+ Using a Firefox headless browser for crawling
+ Loading your own python code for complicated authentication cases (see `--form-script` option)
+ Adding custom URL or PATH to update Wappalyzer database
+ Scan REST APIs given an OpenAPI (swagger) file


Supported attacks
=================

+ SQL Injections (Error based, boolean based, time based) and XPath Injections
+ LDAP injections (Error based and boolean based)
+ Cross Site Scripting (XSS) reflected and permanent
+ File disclosure detection (local and remote include, require, fopen, readfile...)
+ Command Execution detection (eval(), system(), passtru()...)
+ XXE (Xml eXternal Entity) injection
+ CRLF Injection
+ Search for potentially dangerous files on the server (thank to the Nikto db)
+ Bypass of weak htaccess configurations
+ Search for copies (backup) of scripts on the server
+ Shellshock
+ Folder and file enumeration (DirBuster like)
+ Server Side Request Forgery (through use of an external Wapiti website)
+ Open Redirects
+ Detection of uncommon HTTP methods (like PUT)
+ Basic CSP Evaluator 
+ Brute Force login form (using a dictionary list)
+ Checking HTTP security headers
+ Checking cookie security flags (secure and httponly flags)
+ Cross Site Request Forgery (CSRF) basic detection
+ Fingerprinting of web applications using the Wappalyzer database, gives related CVE information
+ Enumeration of CMS modules for Wordpress, Drupal, Joomla, SPIP, etc
+ Subdomain takeovers detection
+ Log4Shell (CVE-2021-44228) detection
+ Spring4Shell (CVE-2020-5398) detection
+ Check https redirections
+ Check for file upload vulnerabilities
+ Detection of network devices
+ Inject payloads inside JSON body too

Wapiti supports both GET and POST HTTP methods for attacks.  
It also supports multipart and can inject payloads in filenames (upload).  
Display a warning when an anomaly is found (for example 500 errors and timeouts)  
Makes the difference between permanent and reflected  XSS vulnerabilities.

Module names
============

The aforementioned attacks are tied to the following module names :

+ backup (Search copies of scripts and archives on the web server)
+ brute_login_form (Brute Force login form using a dictionary list)
+ buster (DirBuster like module)
+ cms (Scan to detect CMS and their versions)
+ cookieflags (Checks Secure and HttpOnly flags)
+ crlf (CR-LF injection in HTTP headers)
+ csp (Detect lack of CSP or weak CSP configuration)
+ csrf (Detects forms not protected against CSRF or using weak anti-CSRF tokens)
+ exec (Code execution or command injection)
+ file (Path traversal, file inclusion, etc)
+ htaccess (Misconfigured htaccess restrictions)
+ htp (Identify web technologies used the HashThePlanet database)
+ http_header (Check HTTP security headers)
+ https_redirect (Check https redirections)
+ ldap (Error-based and boolean-based LDAP injection detection)
+ log4shell (Detects websites vulnerable to CVE-2021-44228)
+ methods (Look for uncommon available HTTP methods like PUT)
+ network_device (Look for common files to detect network devices)
+ nikto (Look for known vulnerabilities by testing URL existence and checking responses)
+ permanentxss (Rescan the whole target after the xss module execution looking for previously tainted payloads)
+ redirect (Open Redirects)
+ shellshock (Test Shellshock attack, see `Wikipedia <https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29>`__)
+ spring4shell (Detects websites vulnerable to CVE-2020-5398)
+ sql (Error-based and boolean-based SQL injection detection)
+ ssl (Evaluate the security of SSL/TLS certificate configuration, requires `sslscan <https://github.com/rbsec/sslscan>`__)
+ ssrf (Server Side Request Forgery)
+ takeover (Subdomain takeover)
+ timesql (SQL injection vulnerabilities detected with time-based methodology)
+ upload (File upload vulnerabilities)
+ wapp (Not an attack module, retrieves web technologies with versions and categories in use on the target, find corresponding CVEs)
+ wp_enum (Enumerate plugins and themes on a Wordpress website)
+ xss (XSS injection module)
+ xxe (XML External Entity attack)

Module names can be given as comma separated list using the "-m" or "--module" option.


How to get the best results
===========================

To find more vulnerabilities (as some attacks are error-based), you can modify
your webserver configurations.

For example, you can set the following values in your PHP configuration :

.. code-block::

    safe_mode = Off
    display_errors = On (recommended)
    magic_quotes_gpc = Off
    allow_url_fopen = On
    mysql.trace_mode = On


Where to get help
=================

In the prompt, just type the following command to get the basic usage :

    wapiti -h

You can also take a look at the manpage (wapiti.1 or wapiti.1.html) for more details on each option.

We also have an official wiki which is more exhaustive : https://github.com/wapiti-scanner/wapiti/wiki

If you have another question, first check the `FAQ <https://github.com/wapiti-scanner/wapiti/blob/master/doc/FAQ.md>`__

If you find a bug, fill an issue : https://github.com/wapiti-scanner/wapiti/issues


How to help the Wapiti project
==============================

You can :

+ Support the project by making a donation ( http://sf.net/donate/index.php?group_id=168625 )
+ Create or improve attack modules
+ Create or improve report generators and templates
+ Send bugfixes, patches...
+ Write some GUIs
+ Create a tool to convert PCAP files to Wapiti sqlite3 session files
+ Talk about Wapiti around you

Licensing
=========

Wapiti is released under the GNU General Public License version 2 (the GPL).
Source code is available on `Github <https://github.com/wapiti-scanner/wapiti>`__.

Created by Nicolas SURRIBAS.

Sponsors
========

Cyberwatch https://cyberwatch.fr/

Security For Everyone https://securityforeveryone.com/

Disclaimer
==========

Wapiti is a cybersecurity software. It performs security assessments on a provided target, which can lead to malfunctions and crashes on the target, as well as potential data loss.

Usage of Wapiti for attacking a target without prior consent of its owner is illegal. It is the end user's responsibility to obey all applicable local laws.

Developers and people involved in the Wapiti project assume no liability and are not responsible for any misuse or damage caused by this program.
