Basic usage

devloop edited this page Aug 18, 2024 · 7 revisions

Basic Usage of Wapiti

Wapiti is a powerful web application vulnerability scanner, designed to identify security weaknesses in web applications by performing black-box testing.

This guide will walk you through the basic usage of Wapiti, focusing on the core options: -u, -v, and --scope.

1. Starting a Basic Scan

The most fundamental command in Wapiti is to start a scan on a specific URL. The -u (or --url) option specifies the base URL that Wapiti will scan.

wapiti -u http://example.com

Explanation:

  • -u http://example.com: This tells Wapiti to begin scanning the website at http://example.com. The scanner will look for potential vulnerabilities across the website, including within the same directory or subdirectories, depending on the scope (the default is folder).

2. Understanding the Scope of the Scan

The --scope option allows you to define the boundaries of the scan. The scope determines how far Wapiti will explore the target website from the base URL.

wapiti -u http://example.com --scope folder

Scope Options:

Let's say a target has three websites on different subdomains linked together. Existing URLs are the following:

Now let's see what Wapiti will scan based on the chosen scope.

  • url: Wapiti will only scan the exact URL you provide. For example, with wapiti -u http://blog.example.com/?id=1 --scope url, Wapiti will only scan http://blog.example.com/?id=1 with the given query string. However, if the web page contains forms that send data to that exact same URL, those forms are included in the scope.

  • page: Wapiti will scan the page you provide regardless of the query string. For example, if you specify -u http://blog.example.com/search with --scope page, then http://blog.example.com/search?term=wapiti will be scanned, as well as http://blog.example.com/search?term=infosec.

  • folder: Wapiti will scan all URLs within the same directory as the base URL. For instance, with wapiti -u http://example.com/archive/ --scope folder, Wapiti will scan all pages within http://example.com/archive/ (files search.php and index.html).

  • subdomain: Wapiti will scan all URLs under the same subdomain as the base URL. For example, if your base URL is http://blog.example.com/?id=1, Wapiti will scan all URLs under blog.example.com.

  • domain: Wapiti will scan all URLs under the entire root domain of the base URL. For instance, wapiti -u http://blog.example.com --scope domain will scan everything under example.com, including any subdomains (dev.example.com and blog.example.com).

  • punk: This scope is the most aggressive and tells Wapiti to also scan URLs outside of the provided domain, potentially leading to unintended areas. Use with caution.
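
Before launching a scan, it helps to check which URLs a given scope would pull in, so the scan stays inside what you are authorized to test. The following is an added example, not Wapiti's own code: it models the scope rules as this page describes them. The names in_scope, narrowest_scope and root_domain, and the other.example.net host, are assumptions made for illustration; the form handling of the url scope is not modeled.

```python
from urllib.parse import urlsplit

# Scopes from narrowest to widest, as listed on this page.
SCOPES = ("url", "page", "folder", "subdomain", "domain", "punk")

def root_domain(host):
    # Assumption: the root domain is the last two labels (example.com).
    # This ignores multi-label public suffixes such as co.uk.
    return ".".join(host.split(".")[-2:])

def in_scope(base, candidate, scope):
    """Return True if `candidate` falls inside `scope` relative to `base`."""
    b, c = urlsplit(base), urlsplit(candidate)
    b_host, c_host = b.hostname or "", c.hostname or ""
    b_path, c_path = b.path or "/", c.path or "/"
    if scope == "punk":
        return True  # no boundary at all
    if scope == "domain":
        return root_domain(c_host) == root_domain(b_host)
    if scope == "subdomain":
        return c_host == b_host
    if scope == "folder":
        # Directory of the base URL, e.g. /archive/ for /archive/index.html
        folder = b_path.rsplit("/", 1)[0] + "/"
        return c_host == b_host and c_path.startswith(folder)
    if scope == "page":
        return c_host == b_host and c_path == b_path
    if scope == "url":
        return c_host == b_host and c_path == b_path and c.query == b.query
    raise ValueError(f"unknown scope: {scope}")

def narrowest_scope(base, candidate):
    """Narrowest scope that would bring `candidate` into the scan."""
    return next(s for s in SCOPES if in_scope(base, candidate, s))

if __name__ == "__main__":
    base = "http://blog.example.com/?id=1"
    # Constructed sample URLs, reusing the example hosts from this page.
    for url in ("http://blog.example.com/?id=1",
                "http://blog.example.com/?id=2",
                "http://blog.example.com/search?term=wapiti",
                "http://dev.example.com/",
                "http://other.example.net/"):
        print(f"{narrowest_scope(base, url):<10} {url}")
```

A URL whose narrowest scope is wider than the one you plan to pass to --scope will not be scanned; one that only matches punk lies outside the target's domain entirely.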

3. Controlling Output Verbosity

The -v option controls the verbosity of the output, allowing you to manage how much information Wapiti provides during the scan.

wapiti -u http://example.com -v 1

Verbosity Levels:

  • 0 (quiet): Wapiti runs silently, only showing discovered vulnerabilities.
  • 1 (normal): This is the default setting, showing essential progress and findings.
  • 2 (verbose): Wapiti provides detailed information about each step it takes, including tested HTTP requests.

Example:

wapiti -u http://example.com -v 2

In this example, Wapiti will provide detailed output, which is useful for debugging or for seeing exactly how Wapiti interacts with the target site.


4. Practical Example: Running a Detailed Scan

Suppose you want to run a scan on the subdomain http://shop.example.com, and you want to include all pages under this subdomain with detailed output. The command would be:

wapiti -u http://shop.example.com --scope subdomain -v 2

Explanation:

  • -u http://shop.example.com: Sets the base URL to scan.
  • --scope subdomain: Expands the scan to all pages under the shop.example.com subdomain.
  • -v 2: Outputs detailed information about the scan process.

This command ensures that you cover the entire subdomain with maximum insight into the scanning process.


By understanding these basic options, you can start using Wapiti effectively for your web application security needs. For more advanced usage, including authentication, module selection, and customized reporting, refer to the full documentation and other sections of the Wapiti wiki.