This post is a wapiti tutorial. You’ll find various wapiti options, how to import wapiti scan results into metasploit and how you can disable wapiti modules to speed up your scans.
A basic one-liner command to get you started would be:
wapiti http://example.org/cool-things -u -n 5 -b domain -v 2 -o /tmp/outfile.html
More about the command line arguments:
-u, --color use colours -b, --scope set the scope of the scan: page: only analyse the page given in the url folder: analyse all urls in the root url given (default option) domain: analyse all links to pages in the same domain -n, --nice use this to prevent infinite loops, I usually go with 5 -f, --format change the output format json: html: openvas: txt: vulneranet: xml: -v verbose 0: none 1: print each url 2: print each attack # if you don't specify a -v flag, then you get a blank screen for ages
These basics will help you build the first command above, and will show you what the options mean.
There is a man page for wapiti, which has lots of information in it, including how to exclude patterns (useful once you know more about a host and want to narrow in on a target)
the openvas format is good too, as it allows you to import into openvas.