Releases: wapiti-scanner/wapiti

v3.2.0:

13 Aug 09:29
  • Update mod_nikto, mod_wapp databases
  • Search known CVEs for software versions found by mod_wapp
  • Add --cookie-value option to easily pass cookies to the crawler
  • Add a mod_ldap module for error-based and boolean-based LDAP injection
  • mod_ssl is now based on the sslscan binary, install it on your own
  • Improvements on mod_network_device (detect Citrix, CheckPoint, FortiWeb, FortiNet, Harbor, etc)
  • Scan APIs given a Swagger (OpenAPI) file
  • Add capabilities to inject payloads inside JSON bodies
  • Add WordPress module and theme enumeration
  • Add Drupal, SPIP, Joomla, PrestaShop enumeration module

3.1.8

16 May 19:22
mod_spring4shell: New Module to detect the Spring4Shell vulnerability
mod_upload: New module to detect unrestricted file uploads (attempt to upload PHP code)
mod_https_redirect: New module to detect lack of redirect-to-https behavior
mod_crlf: Fix double-encoding errors
mod_methods: In-depth check of methods allowed by a web server
mod_permanentxss: Fix several bugs
mod_xss: Detect if HTML injection is allowed when XSS injection failed
mod_wapp: several improvements like CPE versions added to output
mod_log4shell: Add Ubiquiti UniFi to targets
mod_buster: Discovered assets are added to the generated report
Core: make module errors more verbose
Core: add a Dockerfile to quickly set up your own PHP endpoint
CLI: renamed some authentication options

3.1.7

05 Mar 18:06

Support Python 3.11

3.1.6

31 Jan 21:34

31/01/2023
Wapiti 3.1.6
Wappalyze: improve detection with DOM rules
Core: fix proxy option

3.1.5

16 Jan 21:04
LFI: adds a payload for loknop technique (chaining PHP filters)
mod_cookie: Fix bad WSTG code for bad cookie attribute
Core: use proxy settings for updating
Core: fix creds options
Core: update most dependencies

3.1.4

24 Oct 18:16

Wapiti 3.1.4

  • Crawler: Adds support for Firefox headless (using the new --headless option)
  • Core: improve authentication. You can now pass HTTP auth (basic, ntlm, etc) AND login by sending creds to an HTML form
  • Core: remove internationalization

Authentication-related options have changed; check the manual page for information.

3.1.3

09 Jul 15:42

09/07/2022: Wapiti 3.1.3

  • Reports: Add a new --detailed-report option that will put HTTP responses (headers and bodies) in the report.
  • Crawler: Add a new --mitm-port option that will replace the crawler with an intercepting proxy (mitmproxy)
  • Core: Dropped support of Python 3.7

Fix crash after scan

13 May 16:34

Fix a crash that may occur after crawling and before launching attacks (the connection pool was closed)

3.1.1

23 Feb 13:40

Wapiti 3.1.1
Crawler: Fix a bug preventing Wapiti from scanning websites with bad ciphers (SSL 3, TLS 1.0 for example)
Report: Add some unicode emojis in the HTML report to indicate the criticality of each vulnerability
XXE: more payloads to target non-PHP applications + raise a warning when the DTD file was reached by the target but exfiltration didn't succeed
CLI: --update option will only update chosen modules
CLI: New --data option allows launching attacks on a single POST request. This option expects a URL-encoded string.

3.1.0

06 Feb 18:36
Wapiti 3.1.0
Crawler: Fix passing named "button" tags in HTML forms
Modules: Skip modules that fail to load properly (missing dependencies, code error, etc)
Log4Shell: Attack POST parameters too, support for attacks on VMWare vSphere and some Apache products (Struts, Druid and Solr)
CSRF: Django anti-CSRF token added to the whitelist
Modules: Added references to WSTG code for each supported attack, separate Reflected XSS from Stored XSS in reports
Crawler: Improved the parsing of HTML redirections (meta refresh)
HashThePlanet: Added a new module to detect technologies and software versions based on the hashes of files.
Crawler: Removed httpx-socks dependencies in favor of builtin SOCKS support in httpx. SOCKS support is fixed.
Crawler: Upgraded httpcore to latest version in order to fix the ValueError exception that could occur on modules with high concurrency (buster, nikto)
Core: Correctly load resources if Wapiti is running from an egg file.