3 files changed, 464 insertions, 0 deletions

diff --git a/wapiti/.SRCINFO b/wapiti/.SRCINFO
new file mode 100644
index 0000000..7b894ba
--- /dev/null
+++ b/wapiti/.SRCINFO
@@ -0,0 +1,28 @@
+pkgbase = wapiti
+        pkgdesc = Comprehensive web app vulnerability scanner written in Python
+        pkgver = 3.1.2
+        pkgrel = 1
+        url = https://wapiti-scanner.github.io
+        changelog = ChangeLog
+        arch = any
+        license = GPL
+        makedepends = python-setuptools
+        depends = python
+        depends = python-requests
+        depends = python-beautifulsoup4
+        depends = python-lxml
+        depends = python-yaswfp
+        depends = python-browser-cookie3
+        depends = python-mako
+        depends = python-python-socks
+        depends = python-tld
+        depends = python-httpx
+        depends = python-aiocache
+        depends = python-sqlalchemy
+        optdepends = python-requests-kerberos: Kerberos authentication
+        optdepends = python-requests-ntlm: NTLM authentication
+        options = zipman
+        source = https://github.com/wapiti-scanner/wapiti/releases/download/3.1.2/wapiti3-3.1.2.tar.gz
+        sha256sums = d10c51577792f949c9afa143043c9a25e6e86542cb48489d944ace45612aaea9
+
+pkgname = wapiti
diff --git a/wapiti/ChangeLog b/wapiti/ChangeLog
new file mode 100644
index 0000000..645c857
--- /dev/null
+++ b/wapiti/ChangeLog
@@ -0,0 +1,392 @@
+13/05/2022
+    Wapiti 3.1.2
+    mod_http_headers: Deprecate X-XSS-Protection header
+    mod_drupal_enum: Reduce false positives
+    mod_csp: Rework some WSTG categories
+    Crawler: Fix crash caused by unclosed async httpx responses
+
+23/02/2022
+    Wapiti 3.1.1
+    Crawler: Fix a bug preventing Wapiti to scan websites with bad ciphers (SSL 3, TLS 1.0 for example)
+    Report: Add some unicode emojis in the HTML report to indicate the criticality of each vulnerability
+    XXE: more payloads to target non-PHP applications + raise a warning when the DTD file was reached by the target but exfiltration didn't succeed
+    CLI: --update option will only update chosen modules
+    CLI: New --data option allows to launch attacks on a single POST request. This option expect a url-encoded string.
+
+06/02/2022
+    Wapiti 3.1.0
+    Crawler: Fix passing named "button" tags in HTML forms
+    Modules: Skip modules that fails to load properly (missing dependencies, code error, etc)
+    Log4Shell: Attack POST parameters too, support for attacks on VMWare vSphere and some Apache products (Struts, Druid and Solr)
+    CSRF: Django anti-CSRF token added to the whitelist
+    Modules: Added references to WSTG code for each supported attack, separate Reflected XSS from Stored XSS in reports
+    Crawler: Improved the parsing of HTML redirections (meta refresh)
+    HashThePlanet: Added a new module to detect technologies and software versions based on the hashes of files.
+    Crawler: Removed httpx-socks dependencies in favor of builtin SOCKS support in httpx. SOCKS support is fixed.
+    Crawler: Upgraded httpcore to latest version in order to fix the ValueError exception that could occur on modules with high concurrency (buster, nikto)
+    Core: Load correctly resources if Wapiti is running from an egg file.
+
+15/12/2021
+    Wapiti 3.0.9
+    CLI: New "passive" module option allows to use less aggressives modules only
+    WP_ENUM: Improve detection of Wordpress
+    SSL: New module to check TLS/SSL configuration, powered by SSLyze
+    Log4Shell: New attack module to detect the infamous vulnerability
+
+18/11/2021
+    Wapiti 3.0.8
+    CLI: prevent users from using -a without specifying --auth-type (and vice versa)
+    Crawler: Upgrade HTTP related dependencies (httpx, httpcore, httpx-socks)
+
+14/10/2021
+    Wapiti 3.0.7
+    Crawler: Extract URLs from AngularJS based websites
+    Crawler: Support HTTP responses compressed with Brotli
+    Crawler: Fix handling of upload forms (due to moving to httpx), handling of button fields having a value
+    CLI: Added option to log output to a file
+    Modules: Increased speed of modules Nikto, buster, drupal_enum, brute_login_form thank to concurrency
+    Modules: Added a module to detect subdomain takeovers
+    XSS: Removed references to wapiti3.ovh for XSS payloads
+    Modules: Fixed some false positives in modules backup, Nikto and SQL
+    Modules: Upgrade Wappalyzer module
+    Crawler: Upgrade HTTP related dependencies (httpx, httpcore)
+
+13/05/2021
+    Wapiti 3.0.5
+    SQL: boolean based blind SQL injection support added
+    Report: added CSV as output format
+    Cookie: you can drop cookies from HTTP responses with --drop-set-cookie
+    Cookie: you can load cookies from your browser with -c <chrome or firefox>
+    Session: fixed an issue that could cause URLs being rescanned when resuming a session
+    CMS: New modules to detect versions and installed modules for Wordpress and Drupal
+    Fingerprinting: several issues fixed on mod_wapp
+    Crawler: HTTP requests are processed concurrently for faster crawling. Check the new --tasks option.
+
+20/02/2021
+    Wapiti 3.0.4
+    XSS: improved context awareness of HTML webpage, payloads can now use the existing HTML tags without closing them
+    XSS: greatly reduced number of false negatives while slightly reducing false positives
+    XSS: the module will also check for the CSP header and warn if reflection was found while a strong CSP seems present
+    XSS: reduced memory and CPU consumption
+    XSS: added more payloads to bypass filters and WAF
+    Exec: added a few more payloads
+    SQL: more heuristics to detect DBMS used on the target
+    Wappalyzer module allows to detect software used by a website, along with versions
+    New module to check the security settings of Cookies (HttpOnly, secure, etc)
+    New module to check the security settings for HTTP headers (Strict-Transport-Security, X-Frame-Options, etc)
+    New module to check the security settings for Content-Security-Policy
+    New module to check for forms vulnerable to CSRF (either no anti-CSRF token is present or it is not well implemented)
+    New module to brute-force found login forms with known default credentials (admin/admin, demo/demo, etc)
+    New --update option allows to get last updates for detections databases (Wappalyzer and Nikto)
+    New --max-attack-time options allows to limit the execution time of each attack module
+    New --store-config options allows to set the path for Wapiti configuration files (detection databases)
+    Combining the new "-a post" authentication option along with -s allows to login on the target without using wapiti-getcookie
+    Removed jQuery dependency
+    Fixed several issues with endpoints
+
+20/02/2020
+    Wapiti 3.0.3
+    An important work was made to reduce false positives in XSS detections.
+    That research involved scanning more than 1 million websites to discover those issues.
+    More details here: http://devloop.users.sourceforge.net/index.php?article217/one-crazy-month-of-web-vulnerability-scanning
+
+02/09/2019
+    Wapiti 3.0.2
+    New XXE module cans end payloads in parameters, query string, file uploads and raw body.
+    New module for detection Open Redirect vulnerabilities (header based our HTML meta based or JS based).
+    Fixed domain scope scanning.
+    Reduced false positives in attack modules (specially time based ones).
+    Reduced invalid links generated by js analysis and ignore obviously malformed HTML links.
+    Do not crawl CSS files and remove query strings from JS files when crawling.
+    Improved and changed existing payloads.
+    Improved extracting forms from HTML pages (radio buttons / select, ...)
+    Support for more POST enctypes (sending XML or JSON for example, currently only leveraged by mod_xxe)
+    --store-session option allow to specify a path where .db and .pkl files are stored.
+    --endpoint --internal-endpoint --external-endpoint options to set your own endpoint and receive requests from target
+    Authentications options can now be used with wapiti-getcookie.
+    Js parser can now deal with HTML comments.
+    More comprehensive choices when doing Ctrl+C during scan (eg: 'c' to continue, 'q' to quit)
+    Fixed lot of bugs thank to received crash dumps.
+
+11/05/2018
+    Wapiti 3.0.1
+    New module mod_methods to detect interesting methods which might be allowed by scripts (PUT, PROPFIND, etc)
+    New module mod_ssrf to detect Server Side Request Forgery vulnerabilities (requires Internet access)
+    Improved mod_xss and mod_permanentxss modules to reduce false positives.
+    Changed some XSS payloads for something more visual (banner at top the the webpage).
+    Changed bug reporting URL.
+    Fixed issue #54 in lamejs JS parser.
+    Removed lxml and libxml2 as a dependency. That parser have difficulties to parse exotic encodings.
+
+03/01/2017
+    Release of Wapiti 3.0.0
+
+02/01/2018
+    Added --list-modules and --resume-crawl options.
+
+23/12/2017
+    Ported to Python3.
+    Persister rewritten to use sqlite3 databases (for session management).
+    Added ascii-art because you know... it's an attack tool so it's required feature.
+    Changed output format (stdout) to something more like sqlmap output.
+    python-lxml and libxml2 are required dependencies unless you opt-out with --with-html5lib at setup.
+    SOCKS5 proxy support is back.
+    New -u mandatory option must be use to specify the base URL.
+    Added -d (--depth) option to limit the maximum depth of links following.
+    Added -H (--header) option to add HTTP headers to every request.
+    Added -A (--user-agent) option to set the User-Agent string.
+    Added --skip option to skip parameters during attacks.
+    Added -S (--scan-force) option to control the ammount of requests sent for attacks.
+    Added --max-parameters to not attack URLs anf forms having more than X input parameters.
+    Added -l (--level) option to allow attacking query strings without parameters.
+    Added --max-scan-time option to stop the scan after the given amount of minutes.
+    Added a buster module for directory and file busting.
+    Added a Shellshock detection module.
+    Added buitin list of well known parameters to skip during attack.
+    More control on execution flow when KeyboardInterrupt is triggered.
+    Reduced false-positives situations on time-based attacks (mainly blind_sql)
+    Replace getopt for argparse.
+    Fixed bugs related to obtaining user's locale (issue #20).
+    Enhancement to support new CVE notation [issue 37).
+    Can now report minor issues (notices) besides anomalies and vulnerabilities.
+    Added mod_delay module to report time consuming webpages.
+    Renamed some options (should be easier to remember).
+    More exec, file, xss payloads.
+    Fixed a bug with JSON cookie management for IPv6 addresses and custom ports.
+    XSS attack module can escape HTML comments for payload generation.
+    Fixed -r issue on URLs having only one parameter.
+    No SSL/TLS check by default (--verify-ssl behavior).
+    Added a Mutator class for easy payload injection in parameters.
+    Rewrote report generators, added Mako as a dependency for HTML reports. Less JS.
+    Crash report are send to a website, opt-out with --no-bugreport.
+    Improvements on backup, sql and exec modules submitted by Milan Bartos.
+    Payload files can now include special flags that will be interpreted by Wapiti.
+    wapiti-cookie and wapiti-getcookie were merged in a new wapiti-getcookie tool.
+
+
+20/10/2013
+        Version 2.3.0
+        Fixed a colosseum of bugs, especially related to unicode.
+        Software is much more stable.
+        New report template for HTML (using Kube CSS).
+        Using v2.1.5 of Nikto database for mod_nikto.
+        Replaced httplib2 with (python-)requests for everything related to HTTP.
+        Remove BeautifulSoup from package. It is still required however.
+        Core rewrite (PEP8 + more Pythonic)
+        New payloads for the backup, XSS, blind SQL, exec and file modules + more
+        detection rules.
+        So many improvements on lswww (crawler) that I can't make a list here. But
+        Wapiti reached 48% on Wivet.
+        Wapiti cookie format is now based on JSON.
+        Removed SOCKS proxy support (you will have to use a HTTP to SOCKS proxy).
+        Added a HTTPResource class for easier module creation.
+        Code restructuration for better setup.
+        Attack of parameters in query string even for HTTP POST requests.
+        Attack on file uploads (injection in file names).
+        Simpler (and less buggy) colored output with -c.
+        A CURL PoC is given for each vulnerability/anomaly found + raw HTTP
+        request representation in reports.
+        No more parameter reordering + can handle parameters repetition.
+        Added a JSON report generator + fixed the HTML report generator.
+        Added an option to not check SSL certificates.
+        mod_xss : noscipt tag escaping.
+        Can work on parameters that don't have a value in query string.
+        mod_crlf is not activated by default anymore (must call it with -m).
+        Startings URLs (-s) will be fetched even if out of scope.
+        Proxy support for wapiti-getcookie. and wapiti-cookie.
+        Attempt to bring an OpenVAS report generator.
+        Added an home-made SWF parser to extract URLs from flash files.
+        Added an home-made (and more than basic) JS interpreter based on the
+        pynarcissus parser. Lot of work still needs to be done on this.
+        New logo and webpage at wapiti.sf.net.
+        Added german and malaysian translations.
+        Added a script to create standalone archive for Windows (with py2exe).
+
+29/12/2009
+    Version 2.2.1 (already)
+        Bugfixes only
+        Fixed a bug in lswww if root url is not given complete.
+        Fixed a bug in lswww with a call to BeautifulSoup made on non text files.
+        Fixed a bug that occured when verbosity = 2. Unicode error on stderr.
+        Check the document's content-type and extension before attacking files on
+        the query string.
+        Added a timeout check in the nikto module when downloading the database.
+
+28/12/2009
+        Version 2.2.0
+        Added a manpage.
+        Internationalization : translations of Wapiti in spanish and french.
+        Options -k and -i allow the scan to be saved and restored later.
+        Added option -b to set the scope of the scan based on the root url given.
+        Wrote a library to save handle cookies and save them in XML format.
+        Modules are now loaded dynamically with a dependency system.
+        Rewrote the -m option used to activate / deactivate attack modules.
+        New module to search for backup files of scripts on the target webserver.
+        New module to search for weakly configured .htaccess.
+        New module to search dangerous files based on the Nikto database.
+        Differ "raw" XSS from "urlencoded" XSS.
+        Updated BeautifulSoup to version 3.0.8.
+        Better encoding support for webpages (convert to Unicode)
+        Added "resource consumption" as a vulnerability type.
+        Fixed bug ID 2779441 "Python Version 2.5 required?"
+        Fixed bug with special characters in HTML reports.
+
+05/04/2008
+        Added more patterns for file handling vulnerabilities in PHP.
+        Added GET_SQL and POST_SQL as modules (-m) for attacks.
+        Modifier getcookie.py and cookie.py so they try to get the cookies
+        even if cookielib fails.
+
+27/03/2007
+        Updated ChangeLogs
+
+26/03/2009
+        Fixed bug ID 2433127. Comparison was made with HTTP error codes
+        on numeric values but httplib2 return the status code as a string.
+        Forbid httplib2 to handle HTTP redirections. Wapiti and lswww will
+        take care of this (more checks on urls...)
+        Fixed a bug with Blind SQL attacks (the same attack could be launched
+        several times)
+        Fixed an error in blindSQLPayloads.txt.
+        Changed the error message when Wapiti don't get any data from lswww.
+        Verifications to be sure blind SQL attacks won't be launched if "standard"
+        SQL attacks works.
+
+25/03/2009
+        Exported blind SQL payloads from the code. Now in config file
+        blindSQLPayloads.txt.
+        Set timeout for time-based BSQL attacks to timetout used for HTTP
+        requests + 1 second.
+        Added Blind SQL as a type of vulnerability in the report generator.
+        More verbosity for permanent XSS scan.
+        More docstrings.
+        Updated the REAME.
+
+24/03/2009
+        Added some docstring to the code.
+        Removed warnign on alpha code.
+        First Blind SQL Injection implementation in Wapiti.
+        Fixed some timeout errors.
+
+22/03/2009
+        Fixed character encoding error in sql injection module.
+        Changed the md5 and sha1 import in httplib2 to hashlib.
+
+28/11/2008
+        Google Charts API is added to generate the charts of the reports.
+
+15/11/2008
+        Re-integration of standard HTTP proxies in httplib2.
+        Integration of HTTP CONNECT tunneling in Wapiti.
+        Fixed bug ID 2257654 "getcookie.py error missing action in html form"
+
+02/11/2008
+        Integraded the proxy implementation of httplib2 in Wapiti.
+        Can now use SOCKSv5 and SOCKSv4 proxies.
+
+22/10/2008
+        Fixed a bug with Cookie headers.
+
+19/10/2008
+        Remplaced urllib2 by httplib2.
+        Wapiti now use persistent HTTP connections, speed up the scan.
+        Included a python SOCKS library.
+
+09/10/2008
+        Version 2.0.0-beta
+  Added the possibility to generate reports of the vulnerabilities found
+  in HTML, XML or plain-text format. See options -o and -f.
+        HTTP authentification now works.
+        Added the option -n (or --nice) to prevent endless loops during scanning.
+        More patterns for SQL vulnerability detection
+        Code refactoring : more clear and more object-oriented
+        New XSS function is now fully implemented
+  The payloads have been separated from the code into configuration files.
+        Updated BeautifulSoup
+
+15/09/2008
+  Version 1.1.7-alpha
+        Use GET method if not specified in "method" tag
+        Keep an history of XSS payloads
+        New XSS engine for GET method using a list of payloads to bypass filters
+        New module HTTP.py for http requests
+        Added fpassthru to file handling warnings
+        Added a new new detection string for MS-SQL, submitted by Joe McCray
+
+28/01/2007
+        Version 1.1.6
+        New version of lswww
+
+24/10/2006
+        Version 1.1.5
+        Wildcard exclusion with -x (--exclude) option
+
+22/10/2006
+        Fixed a typo in wapiti.py (setAuthCreddentials : one 'd' is enough)
+        Fixed a bug with set_auth_credentials.
+
+07/10/2006
+        Version 1.1.4
+        Some modifications have been made on getccokie.py so it can work
+        on Webmin (and probably more web applications)
+        Added -t (--timeout) option to set the timeout in seconds
+        Added -v (--verbose) option to set the verbosity. Three available
+        modes :
+        0: only print found vulnerabilities
+        1: print current attacked urls (existing urls)
+        2: print every attack payload and url (very much information... good
+        for debugging)
+        Wapiti is much more modular and comes with some functions to set scan
+        and attack options... look the code ;)
+        Some defaults options are available as "modules" with option -m
+        (--module) :
+        GET_XSS: only scan for XSS with HTTP GET method (no post)
+        POST_XSS: XSS attacks using POST and not GET
+        GET_ALL: every attack without POST requests
+        
+12/08/2006
+        Version 1.1.3
+        Fixed the timeout bug with chunked responses
+        (ID = 1536565 on SourceForge)
+
+09/08/2006
+        Version 1.1.2
+        Fixed a bug with HTTP 500 and POST attacks
+
+05/08/2006
+        Version 1.1.1
+        Fixed the UnboundLocalError due to socket timeouts
+        (bug ID = 1534415 on SourceForge)
+
+27/07/2006
+        Version 1.1.0 with urllib2
+        Detection string for mysql_error()
+        Changed the mysql payload (see http://shiflett.org/archive/184 )
+        Modification of the README file
+
+22/07/2006
+        Added CRLF Injection.
+
+20/07/2006
+        Added LDAP Injection and Command Execution (eval, system, passthru...)
+
+11/07/2006
+        -r (--remove) option to remove parameters from URLs
+        Support for Basic HTTP Auth added but don't work with Python 2.4.
+        Proxy support.
+        Now use cookie files (option "-c file" or "--cookie file")
+        -u (--underline) option to highlight vulnerable parameter in URL
+        Detect more vulnerabilities.
+
+04/07/2006:
+        Now attacks scripts using QUERY_STRING as a parameter
+        (i.e. http://server/script?attackme)
+
+23/06/2006:
+        Version 1.0.1
+        Can now use cookies !! (use -c var=data or --cookie var=data)
+        Two utilities added : getcookie.py (interactive) and cookie.py (command line) to get a cookie.
+        Now on Sourceforge
+
+25/04/2006:
+        Version 1.0.0
diff --git a/wapiti/PKGBUILD b/wapiti/PKGBUILD
new file mode 100644
index 0000000..5020cab
--- /dev/null
+++ b/wapiti/PKGBUILD
@@ -0,0 +1,44 @@
+# Maintainer :  Kr1ss $(echo \<kr1ss+x-yandex+com\>|sed s/\+/./g\;s/\-/@/)
+# Contributor : mickael9 <mickael9 at gmail dot com>
+
+
+pkgname=wapiti
+
+pkgver=3.1.2
+_name="$pkgname${pkgver:0:1}"
+pkgrel=1
+
+pkgdesc='Comprehensive web app vulnerability scanner written in Python'
+arch=('any')
+url="https://$pkgname-scanner.github.io"
+license=('GPL')
+
+makedepends=('python-setuptools')
+depends=('python' 'python-requests' 'python-beautifulsoup4' 'python-lxml' 'python-yaswfp'
+         'python-browser-cookie3' 'python-mako' 'python-python-socks' 'python-tld' 'python-httpx'
+         'python-aiocache' 'python-sqlalchemy')
+optdepends=('python-requests-kerberos: Kerberos authentication'
+            'python-requests-ntlm: NTLM authentication')
+
+options=('zipman')
+
+changelog=ChangeLog
+source=("https://github.com/$pkgname-scanner/$pkgname/releases/download/$pkgver/$_name-$pkgver.tar.gz")
+#source=("https://downloads.sourceforge.net/sourceforge/$pkgname/$pkgname/$pkgname-$pkgver/$_name-$pkgver.tar.gz")
+sha256sums=('d10c51577792f949c9afa143043c9a25e6e86542cb48489d944ace45612aaea9')
+
+
+prepare() { rm -rf "$_name-$pkgver/tests"; }
+
+build() {
+  cd "$_name-$pkgver"
+  python setup.py build
+}
+
+package() {
+  cd "$_name-$pkgver"
+  PYTHONHASHSEED=0 python setup.py install --root="$pkgdir" --optimize=1 --skip-build
+}
+
+
+# vim: ts=2 sw=2 et ft=PKGBUILD: