path: root/wapiti/ChangeLog
Diffstat (limited to 'wapiti/ChangeLog')
-rw-r--r--  wapiti/ChangeLog  392
1 files changed, 392 insertions, 0 deletions
diff --git a/wapiti/ChangeLog b/wapiti/ChangeLog
new file mode 100644
index 0000000..645c857
--- /dev/null
+++ b/wapiti/ChangeLog
@@ -0,0 +1,392 @@
113/05/2022
2 Wapiti 3.1.2
3 mod_http_headers: Deprecate X-XSS-Protection header
4 mod_drupal_enum: Reduce false positives
5 mod_csp: Rework some WSTG categories
6 Crawler: Fix crash caused by unclosed async httpx responses
7
823/02/2022
9 Wapiti 3.1.1
10 Crawler: Fix a bug preventing Wapiti to scan websites with bad ciphers (SSL 3, TLS 1.0 for example)
11 Report: Add some unicode emojis in the HTML report to indicate the criticality of each vulnerability
12 XXE: more payloads to target non-PHP applications + raise a warning when the DTD file was reached by the target but exfiltration didn't succeed
13 CLI: --update option will only update chosen modules
14 CLI: New --data option allows to launch attacks on a single POST request. This option expect a url-encoded string.
15
1606/02/2022
17 Wapiti 3.1.0
18 Crawler: Fix passing named "button" tags in HTML forms
19 Modules: Skip modules that fails to load properly (missing dependencies, code error, etc)
20 Log4Shell: Attack POST parameters too, support for attacks on VMWare vSphere and some Apache products (Struts, Druid and Solr)
21 CSRF: Django anti-CSRF token added to the whitelist
22 Modules: Added references to WSTG code for each supported attack, separate Reflected XSS from Stored XSS in reports
23 Crawler: Improved the parsing of HTML redirections (meta refresh)
24 HashThePlanet: Added a new module to detect technologies and software versions based on the hashes of files.
25 Crawler: Removed httpx-socks dependencies in favor of builtin SOCKS support in httpx. SOCKS support is fixed.
26 Crawler: Upgraded httpcore to latest version in order to fix the ValueError exception that could occur on modules with high concurrency (buster, nikto)
27 Core: Load correctly resources if Wapiti is running from an egg file.
28
2915/12/2021
30 Wapiti 3.0.9
31 CLI: New "passive" module option allows to use less aggressives modules only
32 WP_ENUM: Improve detection of Wordpress
33 SSL: New module to check TLS/SSL configuration, powered by SSLyze
34 Log4Shell: New attack module to detect the infamous vulnerability
35
3618/11/2021
37 Wapiti 3.0.8
38 CLI: prevent users from using -a without specifying --auth-type (and vice versa)
39 Crawler: Upgrade HTTP related dependencies (httpx, httpcore, httpx-socks)
40
4114/10/2021
42 Wapiti 3.0.7
43 Crawler: Extract URLs from AngularJS based websites
44 Crawler: Support HTTP responses compressed with Brotli
45 Crawler: Fix handling of upload forms (due to moving to httpx), handling of button fields having a value
46 CLI: Added option to log output to a file
47 Modules: Increased speed of modules Nikto, buster, drupal_enum, brute_login_form thank to concurrency
48 Modules: Added a module to detect subdomain takeovers
49 XSS: Removed references to wapiti3.ovh for XSS payloads
50 Modules: Fixed some false positives in modules backup, Nikto and SQL
51 Modules: Upgrade Wappalyzer module
52 Crawler: Upgrade HTTP related dependencies (httpx, httpcore)
53
5413/05/2021
55 Wapiti 3.0.5
56 SQL: boolean based blind SQL injection support added
57 Report: added CSV as output format
58 Cookie: you can drop cookies from HTTP responses with --drop-set-cookie
59 Cookie: you can load cookies from your browser with -c <chrome or firefox>
60 Session: fixed an issue that could cause URLs being rescanned when resuming a session
61 CMS: New modules to detect versions and installed modules for Wordpress and Drupal
62 Fingerprinting: several issues fixed on mod_wapp
63 Crawler: HTTP requests are processed concurrently for faster crawling. Check the new --tasks option.
64
6520/02/2021
66 Wapiti 3.0.4
67 XSS: improved context awareness of HTML webpage, payloads can now use the existing HTML tags without closing them
68 XSS: greatly reduced number of false negatives while slightly reducing false positives
69 XSS: the module will also check for the CSP header and warn if reflection was found while a strong CSP seems present
70 XSS: reduced memory and CPU consumption
71 XSS: added more payloads to bypass filters and WAF
72 Exec: added a few more payloads
73 SQL: more heuristics to detect DBMS used on the target
74 Wappalyzer module allows to detect software used by a website, along with versions
75 New module to check the security settings of Cookies (HttpOnly, secure, etc)
76 New module to check the security settings for HTTP headers (Strict-Transport-Security, X-Frame-Options, etc)
77 New module to check the security settings for Content-Security-Policy
78 New module to check for forms vulnerable to CSRF (either no anti-CSRF token is present or it is not well implemented)
79 New module to brute-force found login forms with known default credentials (admin/admin, demo/demo, etc)
80 New --update option allows to get last updates for detections databases (Wappalyzer and Nikto)
81 New --max-attack-time options allows to limit the execution time of each attack module
82 New --store-config options allows to set the path for Wapiti configuration files (detection databases)
83 Combining the new "-a post" authentication option along with -s allows to login on the target without using wapiti-getcookie
84 Removed jQuery dependency
85 Fixed several issues with endpoints
86
8720/02/2020
88 Wapiti 3.0.3
89 An important work was made to reduce false positives in XSS detections.
90 That research involved scanning more than 1 million websites to discover those issues.
91 More details here: http://devloop.users.sourceforge.net/index.php?article217/one-crazy-month-of-web-vulnerability-scanning
92
9302/09/2019
94 Wapiti 3.0.2
95 New XXE module cans end payloads in parameters, query string, file uploads and raw body.
96 New module for detection Open Redirect vulnerabilities (header based our HTML meta based or JS based).
97 Fixed domain scope scanning.
98 Reduced false positives in attack modules (specially time based ones).
99 Reduced invalid links generated by js analysis and ignore obviously malformed HTML links.
100 Do not crawl CSS files and remove query strings from JS files when crawling.
101 Improved and changed existing payloads.
102 Improved extracting forms from HTML pages (radio buttons / select, ...)
103 Support for more POST enctypes (sending XML or JSON for example, currently only leveraged by mod_xxe)
104 --store-session option allow to specify a path where .db and .pkl files are stored.
105 --endpoint --internal-endpoint --external-endpoint options to set your own endpoint and receive requests from target
106 Authentications options can now be used with wapiti-getcookie.
107 Js parser can now deal with HTML comments.
108 More comprehensive choices when doing Ctrl+C during scan (eg: 'c' to continue, 'q' to quit)
109 Fixed lot of bugs thank to received crash dumps.
110
11111/05/2018
112 Wapiti 3.0.1
113 New module mod_methods to detect interesting methods which might be allowed by scripts (PUT, PROPFIND, etc)
114 New module mod_ssrf to detect Server Side Request Forgery vulnerabilities (requires Internet access)
115 Improved mod_xss and mod_permanentxss modules to reduce false positives.
116 Changed some XSS payloads for something more visual (banner at top the the webpage).
117 Changed bug reporting URL.
118 Fixed issue #54 in lamejs JS parser.
119 Removed lxml and libxml2 as a dependency. That parser have difficulties to parse exotic encodings.
120
12103/01/2017
122 Release of Wapiti 3.0.0
123
12402/01/2018
125 Added --list-modules and --resume-crawl options.
126
12723/12/2017
128 Ported to Python3.
129 Persister rewritten to use sqlite3 databases (for session management).
130 Added ascii-art because you know... it's an attack tool so it's required feature.
131 Changed output format (stdout) to something more like sqlmap output.
132 python-lxml and libxml2 are required dependencies unless you opt-out with --with-html5lib at setup.
133 SOCKS5 proxy support is back.
134 New -u mandatory option must be use to specify the base URL.
135 Added -d (--depth) option to limit the maximum depth of links following.
136 Added -H (--header) option to add HTTP headers to every request.
137 Added -A (--user-agent) option to set the User-Agent string.
138 Added --skip option to skip parameters during attacks.
139 Added -S (--scan-force) option to control the ammount of requests sent for attacks.
140 Added --max-parameters to not attack URLs anf forms having more than X input parameters.
141 Added -l (--level) option to allow attacking query strings without parameters.
142 Added --max-scan-time option to stop the scan after the given amount of minutes.
143 Added a buster module for directory and file busting.
144 Added a Shellshock detection module.
145 Added buitin list of well known parameters to skip during attack.
146 More control on execution flow when KeyboardInterrupt is triggered.
147 Reduced false-positives situations on time-based attacks (mainly blind_sql)
148 Replace getopt for argparse.
149 Fixed bugs related to obtaining user's locale (issue #20).
150 Enhancement to support new CVE notation [issue 37).
151 Can now report minor issues (notices) besides anomalies and vulnerabilities.
152 Added mod_delay module to report time consuming webpages.
153 Renamed some options (should be easier to remember).
154 More exec, file, xss payloads.
155 Fixed a bug with JSON cookie management for IPv6 addresses and custom ports.
156 XSS attack module can escape HTML comments for payload generation.
157 Fixed -r issue on URLs having only one parameter.
158 No SSL/TLS check by default (--verify-ssl behavior).
159 Added a Mutator class for easy payload injection in parameters.
160 Rewrote report generators, added Mako as a dependency for HTML reports. Less JS.
161 Crash report are send to a website, opt-out with --no-bugreport.
162 Improvements on backup, sql and exec modules submitted by Milan Bartos.
163 Payload files can now include special flags that will be interpreted by Wapiti.
164 wapiti-cookie and wapiti-getcookie were merged in a new wapiti-getcookie tool.
165
166
16720/10/2013
168 Version 2.3.0
169 Fixed a colosseum of bugs, especially related to unicode.
170 Software is much more stable.
171 New report template for HTML (using Kube CSS).
172 Using v2.1.5 of Nikto database for mod_nikto.
173 Replaced httplib2 with (python-)requests for everything related to HTTP.
174 Remove BeautifulSoup from package. It is still required however.
175 Core rewrite (PEP8 + more Pythonic)
176 New payloads for the backup, XSS, blind SQL, exec and file modules + more
177 detection rules.
178 So many improvements on lswww (crawler) that I can't make a list here. But
179 Wapiti reached 48% on Wivet.
180 Wapiti cookie format is now based on JSON.
181 Removed SOCKS proxy support (you will have to use a HTTP to SOCKS proxy).
182 Added a HTTPResource class for easier module creation.
183 Code restructuration for better setup.
184 Attack of parameters in query string even for HTTP POST requests.
185 Attack on file uploads (injection in file names).
186 Simpler (and less buggy) colored output with -c.
187 A CURL PoC is given for each vulnerability/anomaly found + raw HTTP
188 request representation in reports.
189 No more parameter reordering + can handle parameters repetition.
190 Added a JSON report generator + fixed the HTML report generator.
191 Added an option to not check SSL certificates.
192 mod_xss : noscipt tag escaping.
193 Can work on parameters that don't have a value in query string.
194 mod_crlf is not activated by default anymore (must call it with -m).
195 Startings URLs (-s) will be fetched even if out of scope.
196 Proxy support for wapiti-getcookie. and wapiti-cookie.
197 Attempt to bring an OpenVAS report generator.
198 Added an home-made SWF parser to extract URLs from flash files.
199 Added an home-made (and more than basic) JS interpreter based on the
200 pynarcissus parser. Lot of work still needs to be done on this.
201 New logo and webpage at wapiti.sf.net.
202 Added german and malaysian translations.
203 Added a script to create standalone archive for Windows (with py2exe).
204
20529/12/2009
206 Version 2.2.1 (already)
207 Bugfixes only
208 Fixed a bug in lswww if root url is not given complete.
209 Fixed a bug in lswww with a call to BeautifulSoup made on non text files.
210 Fixed a bug that occured when verbosity = 2. Unicode error on stderr.
211 Check the document's content-type and extension before attacking files on
212 the query string.
213 Added a timeout check in the nikto module when downloading the database.
214
21528/12/2009
216 Version 2.2.0
217 Added a manpage.
218 Internationalization : translations of Wapiti in spanish and french.
219 Options -k and -i allow the scan to be saved and restored later.
220 Added option -b to set the scope of the scan based on the root url given.
221 Wrote a library to save handle cookies and save them in XML format.
222 Modules are now loaded dynamically with a dependency system.
223 Rewrote the -m option used to activate / deactivate attack modules.
224 New module to search for backup files of scripts on the target webserver.
225 New module to search for weakly configured .htaccess.
226 New module to search dangerous files based on the Nikto database.
227 Differ "raw" XSS from "urlencoded" XSS.
228 Updated BeautifulSoup to version 3.0.8.
229 Better encoding support for webpages (convert to Unicode)
230 Added "resource consumption" as a vulnerability type.
231 Fixed bug ID 2779441 "Python Version 2.5 required?"
232 Fixed bug with special characters in HTML reports.
233
23405/04/2008
235 Added more patterns for file handling vulnerabilities in PHP.
236 Added GET_SQL and POST_SQL as modules (-m) for attacks.
237 Modifier getcookie.py and cookie.py so they try to get the cookies
238 even if cookielib fails.
239
24027/03/2007
241 Updated ChangeLogs
242
24326/03/2009
244 Fixed bug ID 2433127. Comparison was made with HTTP error codes
245 on numeric values but httplib2 return the status code as a string.
246 Forbid httplib2 to handle HTTP redirections. Wapiti and lswww will
247 take care of this (more checks on urls...)
248 Fixed a bug with Blind SQL attacks (the same attack could be launched
249 several times)
250 Fixed an error in blindSQLPayloads.txt.
251 Changed the error message when Wapiti don't get any data from lswww.
252 Verifications to be sure blind SQL attacks won't be launched if "standard"
253 SQL attacks works.
254
25525/03/2009
256 Exported blind SQL payloads from the code. Now in config file
257 blindSQLPayloads.txt.
258 Set timeout for time-based BSQL attacks to timetout used for HTTP
259 requests + 1 second.
260 Added Blind SQL as a type of vulnerability in the report generator.
261 More verbosity for permanent XSS scan.
262 More docstrings.
263 Updated the REAME.
264
26524/03/2009
266 Added some docstring to the code.
267 Removed warnign on alpha code.
268 First Blind SQL Injection implementation in Wapiti.
269 Fixed some timeout errors.
270
27122/03/2009
272 Fixed character encoding error in sql injection module.
273 Changed the md5 and sha1 import in httplib2 to hashlib.
274
27528/11/2008
276 Google Charts API is added to generate the charts of the reports.
277
27815/11/2008
279 Re-integration of standard HTTP proxies in httplib2.
280 Integration of HTTP CONNECT tunneling in Wapiti.
281 Fixed bug ID 2257654 "getcookie.py error missing action in html form"
282
28302/11/2008
284 Integraded the proxy implementation of httplib2 in Wapiti.
285 Can now use SOCKSv5 and SOCKSv4 proxies.
286
28722/10/2008
288 Fixed a bug with Cookie headers.
289
29019/10/2008
291 Remplaced urllib2 by httplib2.
292 Wapiti now use persistent HTTP connections, speed up the scan.
293 Included a python SOCKS library.
294
29509/10/2008
296 Version 2.0.0-beta
297 Added the possibility to generate reports of the vulnerabilities found
298 in HTML, XML or plain-text format. See options -o and -f.
299 HTTP authentification now works.
300 Added the option -n (or --nice) to prevent endless loops during scanning.
301 More patterns for SQL vulnerability detection
302 Code refactoring : more clear and more object-oriented
303 New XSS function is now fully implemented
304 The payloads have been separated from the code into configuration files.
305 Updated BeautifulSoup
306
30715/09/2008
308 Version 1.1.7-alpha
309 Use GET method if not specified in "method" tag
310 Keep an history of XSS payloads
311 New XSS engine for GET method using a list of payloads to bypass filters
312 New module HTTP.py for http requests
313 Added fpassthru to file handling warnings
314 Added a new new detection string for MS-SQL, submitted by Joe McCray
315
31628/01/2007
317 Version 1.1.6
318 New version of lswww
319
32024/10/2006
321 Version 1.1.5
322 Wildcard exclusion with -x (--exclude) option
323
32422/10/2006
325 Fixed a typo in wapiti.py (setAuthCreddentials : one 'd' is enough)
326 Fixed a bug with set_auth_credentials.
327
32807/10/2006
329 Version 1.1.4
330 Some modifications have been made on getccokie.py so it can work
331 on Webmin (and probably more web applications)
332 Added -t (--timeout) option to set the timeout in seconds
333 Added -v (--verbose) option to set the verbosity. Three available
334 modes :
335 0: only print found vulnerabilities
336 1: print current attacked urls (existing urls)
337 2: print every attack payload and url (very much information... good
338 for debugging)
339 Wapiti is much more modular and comes with some functions to set scan
340 and attack options... look the code ;)
341 Some defaults options are available as "modules" with option -m
342 (--module) :
343 GET_XSS: only scan for XSS with HTTP GET method (no post)
344 POST_XSS: XSS attacks using POST and not GET
345 GET_ALL: every attack without POST requests
346
34712/08/2006
348 Version 1.1.3
349 Fixed the timeout bug with chunked responses
350 (ID = 1536565 on SourceForge)
351
35209/08/2006
353 Version 1.1.2
354 Fixed a bug with HTTP 500 and POST attacks
355
35605/08/2006
357 Version 1.1.1
358 Fixed the UnboundLocalError due to socket timeouts
359 (bug ID = 1534415 on SourceForge)
360
36127/07/2006
362 Version 1.1.0 with urllib2
363 Detection string for mysql_error()
364 Changed the mysql payload (see http://shiflett.org/archive/184 )
365 Modification of the README file
366
36722/07/2006
368 Added CRLF Injection.
369
37020/07/2006
371 Added LDAP Injection and Command Execution (eval, system, passthru...)
372
37311/07/2006
374 -r (--remove) option to remove parameters from URLs
375 Support for Basic HTTP Auth added but don't work with Python 2.4.
376 Proxy support.
377 Now use cookie files (option "-c file" or "--cookie file")
378 -u (--underline) option to highlight vulnerable parameter in URL
379 Detect more vulnerabilities.
380
38104/07/2006:
382 Now attacks scripts using QUERY_STRING as a parameter
383 (i.e. http://server/script?attackme)
384
38523/06/2006:
386 Version 1.0.1
387 Can now use cookies !! (use -c var=data or --cookie var=data)
388 Two utilities added : getcookie.py (interactive) and cookie.py (command line) to get a cookie.
389 Now on Sourceforge
390
39125/04/2006:
392 Version 1.0.0
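Review bot: several dates in this hunk break the file's reverse-chronological order and look like year typos, which matters because this file is being added as the canonical release history: "03/01/2017 Release of Wapiti 3.0.0" sits between the 11/05/2018 and 02/01/2018 entries and after the 23/12/2017 Python 3 port, "27/03/2007 Updated ChangeLogs" sits between 05/04/2008 and 26/03/2009, and the 05/04/2008 entry itself sits between 28/12/2009 and 26/03/2009; please check these against the release tags before merging. While touching the file, fix the spelling so the text can be grepped reliably: "cans end" (can send), "header based our HTML meta based" (or), "ammount", "anf", "buitin", "warnign", "REAME", "timetout", "Remplaced", "Integraded", "authentification", "getccokie", "noscipt", "top the the webpage", "occured", "Modifier getcookie.py" (Modified), and the mismatched bracket in "[issue 37)". Lastly, two lines in the 23/12/2017 entry describe security-relevant defaults, "Crash report are send to a website, opt-out with --no-bugreport" and "No SSL/TLS check by default (--verify-ssl behavior)"; a changelog is easy to miss, so make sure the same defaults are stated in the README or man page where users will look for them.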