adopt package & update: wapiti 3.0.2-1

upstream release

1 files changed, 486 insertions, 0 deletions

diff --git a/ChangeLog b/ChangeLog
new file mode 100644
index 0000000..25d0b58
--- /dev/null
+++ b/ChangeLog
@@ -0,0 +1,486 @@
+02/09/2019
+    Wapiti 3.0.2
+    New XXE module cans end payloads in parameters, query string, file uploads and raw body.
+    New module for detection Open Redirect vulnerabilities (header based our HTML meta based or JS based).
+    Fixed domain scope scanning.
+    Reduced false positives in attack modules (specially time based ones).
+    Reduced invalid links generated by js analysis and ignore obviously malformed HTML links.
+    Do not crawl CSS files and remove query strings from JS files when crawling.
+    Improved and changed existing payloads.
+    Improved extracting forms from HTML pages (radio buttons / select, ...)
+    Support for more POST enctypes (sending XML or JSON for example, currently only leveraged by mod_xxe)
+    --store-session option allow to specify a path where .db and .pkl files are stored.
+    --endpoint --internal-endpoint --external-endpoint options to set your own endpoint and receive requests from target
+    Authentications options can now be used with wapiti-getcookie.
+    Js parser can now deal with HTML comments.
+    More comprehensive choices when doing Ctrl+C during scan (eg: 'c' to continue, 'q' to quit)
+    Fixed lot of bugs thank to received crash dumps.
+
+11/05/2018
+    Wapiti 3.0.1
+    New module mod_methods to detect interesting methods which might be allowed by scripts (PUT, PROPFIND, etc)
+    New module mod_ssrf to detect Server Side Request Forgery vulnerabilities (requires Internet access)
+    Improved mod_xss and mod_permanentxss modules to reduce false positives.
+    Changed some XSS payloads for something more visual (banner at top the the webpage).
+    Changed bug reporting URL.
+    Fixed issue #54 in lamejs JS parser.
+    Removed lxml and libxml2 as a dependency. That parser have difficulties to parse exotic encodings.
+
+03/01/2018
+    Release of Wapiti 3.0.0
+
+02/01/2018
+    Added --list-modules and --resume-crawl options.
+
+23/12/2017
+    Ported to Python3.
+    Persister rewritten to use sqlite3 databases (for session management).
+    Added ascii-art because you know... it's an attack tool so it's required feature.
+    Changed output format (stdout) to something more like sqlmap output.
+    python-lxml and libxml2 are required dependencies unless you opt-out with --with-html5lib at setup.
+    SOCKS5 proxy support is back.
+    New -u mandatory option must be use to specify the base URL.
+    Added -d (--depth) option to limit the maximum depth of links following.
+    Added -H (--header) option to add HTTP headers to every request.
+    Added -A (--user-agent) option to set the User-Agent string.
+    Added --skip option to skip parameters during attacks.
+    Added -S (--scan-force) option to control the ammount of requests sent for attacks.
+    Added --max-parameters to not attack URLs anf forms having more than X input parameters.
+    Added -l (--level) option to allow attacking query strings without parameters.
+    Added --max-scan-time option to stop the scan after the given amount of minutes.
+    Added a buster module for directory and file busting.
+    Added a Shellshock detection module.
+    Added buitin list of well known parameters to skip during attack.
+    More control on execution flow when KeyboardInterrupt is triggered.
+    Reduced false-positives situations on time-based attacks (mainly blind_sql)
+    Replace getopt for argparse.
+    Fixed bugs related to obtaining user's locale (issue #20).
+    Enhancement to support new CVE notation [issue 37).
+    Can now report minor issues (notices) besides anomalies and vulnerabilities.
+    Added mod_delay module to report time consuming webpages.
+    Renamed some options (should be easier to remember).
+    More exec, file, xss payloads.
+    Fixed a bug with JSON cookie management for IPv6 addresses and custom ports.
+    XSS attack module can escape HTML comments for payload generation.
+    Fixed -r issue on URLs having only one parameter.
+    No SSL/TLS check by default (--verify-ssl behavior).
+    Added a Mutator class for easy payload injection in parameters.
+    Rewrote report generators, added Mako as a dependency for HTML reports. Less JS.
+    Crash report are send to a website, opt-out with --no-bugreport.
+    Improvements on backup, sql and exec modules submitted by Milan Bartos.
+    Payload files can now include special flags that will be interpreted by Wapiti.
+    wapiti-cookie and wapiti-getcookie were merged in a new wapiti-getcookie tool.
+
+
+20/10/2013
+        Version 2.3.0
+        Fixed a colosseum of bugs, especially related to unicode.
+        Software is much more stable.
+        New report template for HTML (using Kube CSS).
+        Using v2.1.5 of Nikto database for mod_nikto.
+        Replaced httplib2 with (python-)requests for everything related to HTTP.
+        Remove BeautifulSoup from package. It is still required however.
+        Core rewrite (PEP8 + more Pythonic)
+        New payloads for the backup, XSS, blind SQL, exec and file modules + more
+        detection rules.
+        So many improvements on lswww (crawler) that I can't make a list here. But
+        Wapiti reached 48% on Wivet.
+        Wapiti cookie format is now based on JSON.
+        Removed SOCKS proxy support (you will have to use a HTTP to SOCKS proxy).
+        Added a HTTPResource class for easier module creation.
+        Code restructuration for better setup.
+        Attack of parameters in query string even for HTTP POST requests.
+        Attack on file uploads (injection in file names).
+        Simpler (and less buggy) colored output with -c.
+        A CURL PoC is given for each vulnerability/anomaly found + raw HTTP
+        request representation in reports.
+        No more parameter reordering + can handle parameters repetition.
+        Added a JSON report generator + fixed the HTML report generator.
+        Added an option to not check SSL certificates.
+        mod_xss : noscipt tag escaping.
+        Can work on parameters that don't have a value in query string.
+        mod_crlf is not activated by default anymore (must call it with -m).
+        Startings URLs (-s) will be fetched even if out of scope.
+        Proxy support for wapiti-getcookie. and wapiti-cookie.
+        Attempt to bring an OpenVAS report generator.
+        Added an home-made SWF parser to extract URLs from flash files.
+        Added an home-made (and more than basic) JS interpreter based on the
+        pynarcissus parser. Lot of work still needs to be done on this.
+        New logo and webpage at wapiti.sf.net.
+        Added german and malaysian translations.
+        Added a script to create standalone archive for Windows (with py2exe).
+
+29/12/2009
+    Version 2.2.1 (already)
+        Bugfixes only
+        Fixed a bug in lswww if root url is not given complete.
+        Fixed a bug in lswww with a call to BeautifulSoup made on non text files.
+        Fixed a bug that occured when verbosity = 2. Unicode error on stderr.
+        Check the document's content-type and extension before attacking files on
+        the query string.
+        Added a timeout check in the nikto module when downloading the database.
+
+28/12/2009
+        Version 2.2.0
+        Added a manpage.
+        Internationalization : translations of Wapiti in spanish and french.
+        Options -k and -i allow the scan to be saved and restored later.
+        Added option -b to set the scope of the scan based on the root url given.
+        Wrote a library to save handle cookies and save them in XML format.
+        Modules are now loaded dynamically with a dependency system.
+        Rewrote the -m option used to activate / deactivate attack modules.
+        New module to search for backup files of scripts on the target webserver.
+        New module to search for weakly configured .htaccess.
+        New module to search dangerous files based on the Nikto database.
+        Differ "raw" XSS from "urlencoded" XSS.
+        Updated BeautifulSoup to version 3.0.8.
+        Better encoding support for webpages (convert to Unicode)
+        Added "resource consumption" as a vulnerability type.
+        Fixed bug ID 2779441 "Python Version 2.5 required?"
+        Fixed bug with special characters in HTML reports.
+
+05/04/2008
+        Added more patterns for file handling vulnerabilities in PHP.
+        Added GET_SQL and POST_SQL as modules (-m) for attacks.
+        Modifier getcookie.py and cookie.py so they try to get the cookies
+        even if cookielib fails.
+
+27/03/2007
+        Updated ChangeLogs
+
+26/03/2009
+        Fixed bug ID 2433127. Comparison was made with HTTP error codes
+        on numeric values but httplib2 return the status code as a string.
+        Forbid httplib2 to handle HTTP redirections. Wapiti and lswww will
+        take care of this (more checks on urls...)
+        Fixed a bug with Blind SQL attacks (the same attack could be launched
+        several times)
+        Fixed an error in blindSQLPayloads.txt.
+        Changed the error message when Wapiti don't get any data from lswww.
+        Verifications to be sure blind SQL attacks won't be launched if "standard"
+        SQL attacks works.
+
+25/03/2009
+        Exported blind SQL payloads from the code. Now in config file
+        blindSQLPayloads.txt.
+        Set timeout for time-based BSQL attacks to timetout used for HTTP
+        requests + 1 second.
+        Added Blind SQL as a type of vulnerability in the report generator.
+        More verbosity for permanent XSS scan.
+        More docstrings.
+        Updated the REAME.
+
+24/03/2009
+        Added some docstring to the code.
+        Removed warnign on alpha code.
+        First Blind SQL Injection implementation in Wapiti.
+        Fixed some timeout errors.
+
+22/03/2009
+        Fixed character encoding error in sql injection module.
+        Changed the md5 and sha1 import in httplib2 to hashlib.
+
+28/11/2008
+        Google Charts API is added to generate the charts of the reports.
+
+15/11/2008
+        Re-integration of standard HTTP proxies in httplib2.
+        Integration of HTTP CONNECT tunneling in Wapiti.
+        Fixed bug ID 2257654 "getcookie.py error missing action in html form"
+
+02/11/2008
+        Integraded the proxy implementation of httplib2 in Wapiti.
+        Can now use SOCKSv5 and SOCKSv4 proxies.
+
+22/10/2008
+        Fixed a bug with Cookie headers.
+
+19/10/2008
+        Remplaced urllib2 by httplib2.
+        Wapiti now use persistent HTTP connections, speed up the scan.
+        Included a python SOCKS library.
+
+09/10/2008
+        Version 2.0.0-beta
+  Added the possibility to generate reports of the vulnerabilities found
+  in HTML, XML or plain-text format. See options -o and -f.
+        HTTP authentification now works.
+        Added the option -n (or --nice) to prevent endless loops during scanning.
+        More patterns for SQL vulnerability detection
+        Code refactoring : more clear and more object-oriented
+        New XSS function is now fully implemented
+  The payloads have been separated from the code into configuration files.
+        Updated BeautifulSoup
+
+15/09/2008
+  Version 1.1.7-alpha
+        Use GET method if not specified in "method" tag
+        Keep an history of XSS payloads
+        New XSS engine for GET method using a list of payloads to bypass filters
+        New module HTTP.py for http requests
+        Added fpassthru to file handling warnings
+        Added a new new detection string for MS-SQL, submitted by Joe McCray
+
+28/01/2007
+        Version 1.1.6
+        New version of lswww
+
+24/10/2006
+        Version 1.1.5
+        Wildcard exclusion with -x (--exclude) option
+
+22/10/2006
+        Fixed a typo in wapiti.py (setAuthCreddentials : one 'd' is enough)
+        Fixed a bug with set_auth_credentials.
+
+07/10/2006
+        Version 1.1.4
+        Some modifications have been made on getccokie.py so it can work
+        on Webmin (and probably more web applications)
+        Added -t (--timeout) option to set the timeout in seconds
+        Added -v (--verbose) option to set the verbosity. Three availables
+        modes :
+        0: only print found vulnerabilities
+        1: print current attacked urls (existing urls)
+        2: print every attack payload and url (very much informations... good
+        for debugging)
+        Wapiti is much more modular and comes with some functions to set scan
+        and attack options... look the code ;)
+        Some defaults options are availables as "modules" with option -m
+        (--module) :
+        GET_XSS: only scan for XSS with HTTP GET method (no post)
+        POST_XSS: XSS attacks using POST and not GET
+        GET_ALL: every attack without POST requests
+        
+12/08/2006
+        Version 1.1.3
+        Fixed the timeout bug with chunked responses
+        (ID = 1536565 on SourceForge)
+
+09/08/2006
+        Version 1.1.2
+        Fixed a bug with HTTP 500 and POST attacks
+
+05/08/2006
+        Version 1.1.1
+        Fixed the UnboundLocalError due to socket timeouts
+        (bug ID = 1534415 on SourceForge)
+
+27/07/2006
+        Version 1.1.0 with urllib2
+        Detection string for mysql_error()
+        Changed the mysql payload (see http://shiflett.org/archive/184 )
+        Modification of the README file
+
+22/07/2006
+        Added CRLF Injection.
+
+20/07/2006
+        Added LDAP Injection and Command Execution (eval, system, passthru...)
+
+11/07/2006
+        -r (--remove) option to remove parameters from URLs
+        Support for Basic HTTP Auth added but don't work with Python 2.4.
+        Proxy support.
+        Now use cookie files (option "-c file" or "--cookie file")
+        -u (--underline) option to highlight vulnerable parameter in URL
+        Detect more vulnerabilities.
+
+04/07/2006:
+        Now attacks scripts using QUERY_STRING as a parameter
+        (i.e. http://server/script?attackme)
+
+23/06/2006:
+        Version 1.0.1
+        Can now use cookies !! (use -c var=data or --cookie var=data)
+        Two utilities added : getcookie.py (interactive) and cookie.py (command line) to get a cookie.
+        Now on Sourceforge
+
+25/04/2006:
+        Version 1.0.0
+03/01/2018
+    Release of Wapiti 3.0.0
+
+23/12/2017
+    lswww is now renamed to Crawler.
+    All HTML parsing is now made with BeautifulSoup. lxml should be the parsing engine but it's possible to opt-out at
+    setup with --html5lib.
+    Analysis on JS in event handlers (onblur, onclick, etc)
+    Changed behavior ot 'page' scope, added 'url' scope.
+    Default mime type used for upload fields is image/gif.
+    Added yaswf as a dependency for SWF parsing.
+    Custom HTTP error codes check.
+    Fixed a bug with 'button' input types.
+    Updated pynarcissus with a python3 version for js parsing.
+    Rewrote "in scope" check.
+
+29/12/2009
+    Version 2.3.1
+    Fixed a bug in lswww if root url is not given complete.
+    Fixed a bug in lswww with a call to BeautifulSoup made on non text files.
+    Fixed a bug that occured when verbosity = 2. Unicode error on stderr.
+
+27/12/2009
+        Version 2.3.0
+        Internationalization and translation to english and spanish when called from
+        Wapiti.
+        Ability to save a scan session and restore it later (-i)
+        Added option -b to set the scope of the scan based on the root url given as
+        argument.
+        Fixed bug ID 2779441 "Python Version 2.5 required?"
+        Use an home made cookie library instead or urllib2's one.
+        Keep aditionnal informations on the webpages (headers + encoding)
+        Use BeautifulSoup to detect webpage encoding and handle parsing errors.
+        Fixed a bug when "a href" or "form action" have an empty string as value.
+        Better support of Unicode.
+
+26/03/2009
+        Version 2.2.0
+        Fixed bug ID 2433127 with HTTP 404 error codes.
+        Don't let httplib2 manage HTTP redirections : return the status code
+        and let lswww handle the new url.
+
+25/03/2009
+        Version 2.1.9
+        Added option -e (or --export)
+        Saves urls and forms data to a XML file.
+        We hope other fuzzers will allow importation of this file.
+
+24/03/2009
+        More verifications on timeout errors.
+
+22/03/2009
+        Version 2.1.8
+        Fixed bug ID: 2415094
+        Check on protocol found in hyperlinks was case-sentitive.
+        Moved it to non-case-sensitive.
+        Integration of a second linkParser class called linkParser2 from
+        lswwwv2.py. This parser use only regexp to extract links and forms.
+
+25/11/2008
+        httplib2 use lowercase names for the HTTP headers in opposition to
+        urllib2 (first letter was uppercase).
+        Changed the verifications on headers.
+
+15/11/2008
+        Fixed a bug with links going to parrent directory.
+
+02/11/2008
+        Better integration of proxy support provided by httplib2.
+        It's now possible to use SOCKS proxies.
+
+19/10/2008
+        Version 2.1.7
+        Now use httplib2 (http://code.google.com/p/httplib2/)n MIT licence
+        instead of urllib2.
+        The ability to use persistents connections makes the scan faster.
+
+09/10/2008
+        Version 2.1.6
+        HTTP authentification now works
+        Added the option -n (or --nice) to prevent endless loops during scanning
+
+28/01/2007
+        Version 2.1.5
+        First take a look at the Content-Type instead of the document extension
+        Added BeautifulSoup as an optionnal module to correct bad html documents
+        (better use tidy if you can)
+
+24/10/2006
+        Version 2.1.4
+        Wildcard exclusion with -x (--exclude) option
+
+22/10/2006
+        Fixed an error with url parameters handling that appeared in precedent
+        version.
+        Fixed a typo in lswww.py (setAuthCreddentials : one 'd' is enough)
+
+07/10/2006
+        Version 2.1.3
+        Three verbose mode with -v (--verbose) option
+        0: print only results
+        1: print dots for each page accessed (default mode)
+        2: print each found url durring scan
+        Timeout in seconds can be set with -t (--timeout) option
+        Fixed bug "crash when no content-type is returned"
+        Fixed an error with 404 webpages
+        Fixed a bug when the only parameter of an url is a forbidden one
+
+09/08/2006
+        Version 2.1.2
+        Fixed a bug with regular expressions
+
+05/08/2006
+        Version 2.1.1
+        Remove redundant slashes from urls
+        (e.g. http://server/dir//page.php converted to
+        http://server/dir/page.php)
+
+20/07/2006
+        Version 2.1.0 with urllib2
+
+11/07/2006
+        -r (--remove) option to remove parameters from URLs
+        Generate URL with GET forms instead of using POST by default
+        Support for Basic HTTP Auth added but don't work with Python 2.4.
+        Now use cookie files (option "-c file" or "--cookie file")
+        Extracts links from Location header fields
+        
+
+06/07/2006
+        Extract links from "Location:" headers (HTTP 301 and 302)
+        Default type for "input" elements is set to "text"
+        (as written in the HTML 4.0 specifications)
+        Added "search" in input types (created for Safari browsers)
+
+04/07/2006
+        Fixed a bug with empty parameters tuples
+        (convert http://server/page?&a=2 to http://server/page?a=2)
+
+23/06/2006
+        Version 2.0.1
+        Take care of the "submit" type
+        No extra data sent when a page contains several forms
+        Corrected a bug with urls finishing by '?'
+        Support Cookies !!
+
+25/04/2006
+        Version 2.0
+        Extraction des formulaires sous la forme d'une liste de tuples
+        contenant chacun un string (url du script cible) et un dict
+        contenant les noms des champs et leur valeur par d�faut (ou 'true'
+        si vide)
+        Recense les scripts gerant l'upload
+        Peut maintenant fonctionner comme module
+
+19/04/2006
+        Version 1.1
+        Lecture des tags insensible a la casse
+        Gestion du Ctrl+C pour interrompre proprement le programme
+        Extraction des urls dans les balises form (action)
+
+12/10/2005
+        Version 1.0
+        Gestion des liens syntaxiquement valides mais pointant
+        vers des ressources inexistantes (404)
+
+11/09/2005
+        Beta4
+        Utilisation du module getopt qui permet de specifier
+        facilement les urls a visiter en premier, les urls a
+        exclure (nouveau !) ou encore le proxy a utiliser
+
+24/08/2005
+        Beta3
+        Ajout d'un timeout pour la lecture des pages pour ne pas
+        bloquer sur un script bugge
+
+23/08/2005
+        Version beta2
+        Prise en charge des indexs generes par Apache
+        Filtre sur les protocoles
+        Gestion des liens qui remontent l'arborescence
+        Gestion des liens vides
+
+02/08/2005
+        Sortie de la beta1