Wapiti Full Tutorial | Updated 2024

Introduction

In this post, you will learn what Wapiti is and how to use it. Yes, it is a comprehensive blog post on Wapiti.

Below is the video version of this post. I have also mentioned my Discord channel name; take a sneak peek at it and join.


What is Wapiti❓

Wapiti is an open-source tool for performing web application vulnerability scanning.

It can be used to identify potential security vulnerabilities in web applications, such as SQL injection, cross-site scripting (XSS), and file inclusion vulnerabilities.

It is an impressive web-application vulnerability analysis tool and I hope you try it; below is the download link.


Wapiti Installation

The Wapiti tool comes pre-installed in Kali and Parrot; if it is not, install it using the commands below.

sudo apt-get update
sudo apt-get install wapiti

Who developed wapiti

Wapiti is open-source software, made possible by many open-source developers; most of the tool is coded by Nicolas Surribas, also known as devl00p.

Below are the author link and the tool download link.

Features in Wapiti

  1. Ability to perform both black box and gray box testing.
  2. Wapiti can perform both active and passive scanning.
  3. Wapiti can be run on a variety of platforms, including Windows, Linux, and Mac OS X.
  4. It can be run from a command-line interface, or through its web-based interface.
  5. Wapiti has many more key features worth knowing about than are listed here.

How to use Wapiti

If you have any doubts about this tool, comment below or watch the YouTube video. Join our Discord server to ask questions and stay in touch with us.

Discord: https://discord.gg/uekQW7RQZ8

Default Scan

To run a default scan, enter the command below. It scans the target site with all modules (SQL, XSS, etc.).

wapiti -u http://192.168.65.6 

Specified Module Scan

Specifying a module scans for only that particular type of vulnerability. For example, below I pass -m sql, which scans the parameters for SQL injection only.

wapiti -u http://192.168.65.6 -m sql

We can also specify multiple modules, separated by commas, as below.

wapiti -u https://192.168.65.6 -m sql,xss

Bruteforcing

Basically, what we do here is create a cookie file using the command below; through the interactive process we can enter the username and password.

wapiti-getcookie -u http://192.168.65.6/phpMyAdmin/ -c cookie1.json

If you do not want to answer all those unwanted questions in an interactive session, you can specify what you want directly, for instance for bruteforcing.

wapiti-getcookie -u http://192.168.65.6/phpMyAdmin/ -c cookie.json -d "username=msfadmin&password=msfadmin&enter=submit"
  • -c Saves the resulting cookie in JSON format
  • -d Specifies the username and password (the form fields to submit)

The result will be something like this:

Reporting

You can use the below command to generate the report.

wapiti -u http://192.168.65.6 -m sql -f html -o meta2
  • -f is the report format
  • -o is the file where the report will be saved

The report is saved in a directory; inside it, open the .html file to see the results in web format.
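Wapiti can also write the report as JSON (-f json), which is easier to feed into a script than the HTML report. The following is an added example, not code from the original post or from the Wapiti project: it loads a report, counts findings per category, flattens them to one row per injectable parameter, and applies a simple gate that a CI job could use to fail when a blocking category (such as SQL injection) is present. The report layout it assumes (top-level "infos", "vulnerabilities" and "anomalies" keys, each finding carrying "method", "path", "parameter", "info" and "level") is my assumption about the JSON format, and the embedded sample report is constructed, not real scanner output; check both against a report produced by your own Wapiti version before relying on them.

```python
"""Summarize a Wapiti JSON report (wapiti -u <target> -f json -o report.json).

Added example, not part of the original post or of the Wapiti project.
The key names used below are assumed, not taken from Wapiti's documentation;
verify them against a real report before using this in a pipeline.
"""
import json

# Constructed sample in the assumed Wapiti JSON layout; not real scanner output.
SAMPLE_REPORT = json.dumps({
    "infos": {"target": "http://192.168.65.6/", "version": "Wapiti 3.x",
              "crawled_pages_nbr": 12},
    "vulnerabilities": {
        "SQL Injection": [
            {"method": "GET", "path": "/item.php", "parameter": "id",
             "info": "SQL Injection via injection in the parameter id", "level": 1},
        ],
        "Cross Site Scripting": [
            {"method": "POST", "path": "/comment.php", "parameter": "text",
             "info": "XSS vulnerability found via injection in the parameter text",
             "level": 1},
            {"method": "GET", "path": "/search.php", "parameter": "q",
             "info": "XSS vulnerability found via injection in the parameter q",
             "level": 2},
        ],
        "Command execution": [],   # module ran, found nothing
    },
    "anomalies": {
        "Internal Server Error": [
            {"method": "GET", "path": "/admin.php", "parameter": "page",
             "info": "The server responded with a 500 HTTP error code", "level": 1},
        ],
    },
})


def load_report(text):
    """Parse the JSON text of a report (read it from the -o file in practice)."""
    return json.loads(text)


def summarize(report):
    """Count findings per category across vulnerabilities and anomalies.

    Categories with an empty list (module ran, nothing found) are omitted.
    """
    counts = {}
    for section in ("vulnerabilities", "anomalies"):
        for category, findings in report.get(section, {}).items():
            if findings:
                counts[category] = len(findings)
    return counts


def findings_by_param(report):
    """Flatten vulnerabilities to (category, method, path, parameter, level).

    Sorted so that the same parameter hit by several modules lines up
    and can be fixed once at the input-handling code.
    """
    rows = []
    for category, findings in report.get("vulnerabilities", {}).items():
        for finding in findings:
            rows.append((category, finding["method"], finding["path"],
                         finding["parameter"], finding["level"]))
    return sorted(rows)


def should_fail(report, blocking=("SQL Injection", "Command execution")):
    """CI gate: True when any finding falls in a blocking category."""
    vulns = report.get("vulnerabilities", {})
    return any(vulns.get(category) for category in blocking)


if __name__ == "__main__":
    rep = load_report(SAMPLE_REPORT)
    print("target:", rep["infos"]["target"])
    for category, n in sorted(summarize(rep).items()):
        print(f"{n:3d}  {category}")
    for row in findings_by_param(rep):
        print(row)
    print("blocking findings present:", should_fail(rep))
```

To use it on a real scan, replace SAMPLE_REPORT with the contents of the file written by -o, and adjust the blocking tuple to the categories your team treats as release blockers.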

Conclusion

Overall, Wapiti is a powerful and versatile tool for performing web application vulnerability scanning.

Its ability to perform both black box and gray box testing, as well as both active and passive scanning, makes it a valuable addition to any web application security testing toolkit.

