
Wapiti

Wapiti is a black-box web application vulnerability scanner that audits security by scanning deployed web pages for scripts and forms to inject payloads. It detects vulnerabilities like SQL injections, XSS, file disclosures, command execution, and more.

Description

Wapiti allows users to audit the security of web applications without access to source code. It performs black-box scans by crawling web pages, identifying scripts and forms, and fuzzing them with payloads to detect vulnerabilities. This makes it suitable for testing live deployments where source code is unavailable.

Key use cases include penetration testing of web apps, identifying common injection flaws, XSS risks, file handling issues, and server misconfigurations. It supports various scopes like URL, page, folder, subdomain, or domain, and integrates features like authentication, proxy usage, and headless browsing for realistic testing scenarios.

The tool leverages databases like Nikto's for dangerous file detection and supports advanced attacks such as SSRF via external services. Additional utilities like wapiti-getcookie help in cookie management for authenticated scans.

How It Works

Wapiti conducts black-box scans by crawling web applications to find scripts and forms, then fuzzes them with payloads to detect vulnerabilities. It checks for database injections (SQL, XPath), reflected/permanent XSS, file disclosures (include, fopen), command execution (eval, system), XXE, CRLF injection, weak htaccess, backup files, Shellshock, directory brute-forcing, and SSRF. It uses mitmproxy for traffic interception and Playwright for browser automation, and supports Tor and other proxies for anonymity.

Installation

```bash
sudo apt install wapiti
```

Flags

| Flag | Description |
|---|---|
| `-u, --url URL` | The base URL used to define the scan scope (default scope is folder) |
| `--swagger URI` | Swagger file URI (path or URL) to target API endpoints |
| `--data data` | Urlencoded data to send with the base URL if it is a POST request |
| `--scope {url,page,folder,subdomain,domain,punk}` | Set scan scope |
| `-m MODULES_LIST` | List of modules to use |
| `--list-modules` | List available modules |
| `-l LEVEL` | Set maximum crawl level |
| `-p PROXY_URL` | Proxy URL to use |
| `--tor` | Use Tor proxy |
| `--mitm-port PORT` | Port for mitmproxy |
| `--headless {no,hidden,visible}` | Headless browser mode |
| `-a CREDENTIALS` | Authentication credentials |
| `--auth-user USERNAME` | HTTP authentication username |
| `--auth-password PASSWORD` | HTTP authentication password |
| `--auth-method {basic,digest,ntlm}` | HTTP authentication method |
| `-c COOKIE_FILE` | Cookie file |

Examples

```bash
# Show help message and usage information for wapiti
wapiti -h

# Scan a base URL with default folder scope
wapiti -u URL

# Target API endpoints from a Swagger file URI
wapiti --swagger URI

# Send urlencoded POST data with the base URL
wapiti --data data -u URL

# Set scan scope to a single URL
wapiti --scope url -u URL

# Scan using a specified proxy
wapiti -p PROXY_URL -u URL

# Scan using Tor proxy
wapiti --tor -u URL

# Show help for the wapiti-getcookie utility
wapiti-getcookie -h

# Fetch cookies from a webpage and store them in Wapiti JSON format
wapiti-getcookie -u URL -c COOKIE
```
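The examples above show each flag in isolation; the script below, added here and not part of the Kali page or the Wapiti project, chains `wapiti-getcookie` and `wapiti` into one authenticated scan and rejects scope values the `--scope` flag does not accept. It assumes the login page sets a session cookie that `wapiti-getcookie` can capture and that the module names passed with `-m` exist in `wapiti --list-modules`; the URLs and file names are placeholders.

```bash
#!/usr/bin/env sh
# Added example: authenticated Wapiti scan driven by a cookie file.
# Assumptions: the login page issues a session cookie, and the module
# names given (e.g. xss,sql) are listed by `wapiti --list-modules`.

# Accept only the scope values the --scope flag understands.
valid_scope() {
    case "$1" in
        url|page|folder|subdomain|domain|punk) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the wapiti command line for a target, scope, cookie file and an
# optional comma-separated module list (empty => Wapiti's default modules).
build_scan_cmd() {
    target="$1"; scope="$2"; cookie_file="$3"; modules="$4"
    valid_scope "$scope" || { echo "invalid scope: $scope" >&2; return 1; }
    cmd="wapiti -u $target --scope $scope -c $cookie_file"
    if [ -n "$modules" ]; then
        cmd="$cmd -m $modules"
    fi
    printf '%s\n' "$cmd"
}

# Workflow: capture cookies from the login page, then scan with them.
# Runs the tools only if wapiti is installed; otherwise prints the commands
# so the plan can be reviewed before anything touches the target.
wapiti_auth_scan() {
    login_url="$1"; target="$2"; scope="$3"; modules="$4"
    cookie_file="${COOKIE_FILE:-cookies.json}"
    scan_cmd=$(build_scan_cmd "$target" "$scope" "$cookie_file" "$modules") || return 1
    if command -v wapiti >/dev/null 2>&1; then
        wapiti-getcookie -u "$login_url" -c "$cookie_file" || return 1
        $scan_cmd
    else
        echo "wapiti-getcookie -u $login_url -c $cookie_file"
        echo "$scan_cmd"
    fi
}

# Placeholder usage (constructed URLs):
# wapiti_auth_scan http://app.example/login http://app.example/app/ folder xss,sql
```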
Updated 2026-04-16. Source: kali.org