This post is a wapiti tutorial. You’ll find various wapiti options, how to import wapiti scan results into metasploit and how you can disable wapiti modules to speed up your scans.
A basic one-liner command to get you started would be:
wapiti http://example.org/cool-things -u -n 5 -b domain -v 2 -o /tmp/outfile.html
More about the command line arguments:
-u, --color use colours -b, --scope set the scope of the scan: page: only analyse the page given in the url folder: analyse all urls in the root url given (default option) domain: analyse all links to pages in the same domain -n, --nice use this to prevent infinite loops, I usually go with 5 -f, --format change the output format json: html: openvas: txt: vulneranet: xml: -v verbose 0: none 1: print each url 2: print each attack # if you don't specify a -v flag, then you get a blank screen for ages
These basics will help you build the first command above, and will show you what the options mean.
There is a man page for wapiti, which has lots of information in it, including how to exclude patterns (useful once you know more about a host and want to narrow in on a target)
the openvas format is good too, as it allows you to import into openvas.
Wapiti does take a while to run a full scan on your target if you include all of the modules
Wapiti tutorial: Disabling specific scan modules
wapiti comes with built in modules to test for various vulnerabilities in your remote targets:
backup: This module search backup of scripts on the server.
blindsql: Time-based blind sql scanner.
crlf: Search for CR/LF injection in HTTP headers.
exec: Module used to detect command execution vulnerabilities.
file: Search for include()/fread() and other file handling vulns.
htaccess: Try to bypass weak htaccess configurations.
nikto: Use a Nikto database to search for potentially dangerous files.
permanentxss: Look for permanent XSS.
sql: Standard error-based SQL injection scanner.
xss: Module for XSS detection.
buster: Module for a file and directory buster attack – checking for “bad” files.
shellshock: Module for Shellshock bug detection.
you can exclude modules with the -m flag, and you can exclude all modules with -m “-all”
to scan only for sql and blindsql attacks, you can use the following parameters:
-m "-all,sql,blindsql" # eg wapiti http://example.org/cool-things -u -n 5 -b domain -m "-all,sql,blindsql" -v 2 -o /tmp/outfile.html
this will disable all modules, then re-enable the blindsql module
Wapiti tutorial: Wapiti output
Watapi generates various types of output, I usually go for html first, and then xml to import into metasploit
-f, --format change the output format json: html: openvas: txt: vulneranet: xml:
Wapiti in metsploit
You can import wapiti scans into metasploit, and have the results added to your metasploit database.
fire up msfconsole
msfconsole # type db_import
you will see the available importers, wapiti is the last one
to import a wapiti scan, the result has to be saved as an xml file
you use the -f xml flag for wapiti to output an xml file do this
To import the wapiti xml file into metasploit, run the following from insode msfconsole
The results will be imported into the metasploit database
Cookies, csrf tokens and other things
Most web applications use csrf tokens and cookies. To do anything thats locked behind an authentication (eg behing the login area) you can pass credentials to wapiti
you can also pass an authenticated cookie to wapiti so that it can pages that require authentication.
look at the -c, –cookie section in the man page