Diffstat (limited to 'wapiti/ChangeLog')
-rw-r--r-- wapiti/ChangeLog 392
1 files changed, 392 insertions, 0 deletions
diff --git a/wapiti/ChangeLog b/wapiti/ChangeLog new file mode 100644 index 0000000..645c857 --- /dev/null +++ b/wapiti/ChangeLog | |||
@@ -0,0 +1,392 @@ | |||
1 | 13/05/2022 | ||
2 | Wapiti 3.1.2 | ||
3 | mod_http_headers: Deprecate X-XSS-Protection header | ||
4 | mod_drupal_enum: Reduce false positives | ||
5 | mod_csp: Rework some WSTG categories | ||
6 | Crawler: Fix crash caused by unclosed async httpx responses | ||
7 | |||
8 | 23/02/2022 | ||
9 | Wapiti 3.1.1 | ||
10 | Crawler: Fix a bug preventing Wapiti to scan websites with bad ciphers (SSL 3, TLS 1.0 for example) | ||
11 | Report: Add some unicode emojis in the HTML report to indicate the criticality of each vulnerability | ||
12 | XXE: more payloads to target non-PHP applications + raise a warning when the DTD file was reached by the target but exfiltration didn't succeed | ||
13 | CLI: --update option will only update chosen modules | ||
14 | CLI: New --data option allows to launch attacks on a single POST request. This option expect a url-encoded string. | ||
15 | |||
16 | 06/02/2022 | ||
17 | Wapiti 3.1.0 | ||
18 | Crawler: Fix passing named "button" tags in HTML forms | ||
19 | Modules: Skip modules that fails to load properly (missing dependencies, code error, etc) | ||
20 | Log4Shell: Attack POST parameters too, support for attacks on VMWare vSphere and some Apache products (Struts, Druid and Solr) | ||
21 | CSRF: Django anti-CSRF token added to the whitelist | ||
22 | Modules: Added references to WSTG code for each supported attack, separate Reflected XSS from Stored XSS in reports | ||
23 | Crawler: Improved the parsing of HTML redirections (meta refresh) | ||
24 | HashThePlanet: Added a new module to detect technologies and software versions based on the hashes of files. | ||
25 | Crawler: Removed httpx-socks dependencies in favor of builtin SOCKS support in httpx. SOCKS support is fixed. | ||
26 | Crawler: Upgraded httpcore to latest version in order to fix the ValueError exception that could occur on modules with high concurrency (buster, nikto) | ||
27 | Core: Load correctly resources if Wapiti is running from an egg file. | ||
28 | |||
29 | 15/12/2021 | ||
30 | Wapiti 3.0.9 | ||
31 | CLI: New "passive" module option allows to use less aggressives modules only | ||
32 | WP_ENUM: Improve detection of Wordpress | ||
33 | SSL: New module to check TLS/SSL configuration, powered by SSLyze | ||
34 | Log4Shell: New attack module to detect the infamous vulnerability | ||
35 | |||
36 | 18/11/2021 | ||
37 | Wapiti 3.0.8 | ||
38 | CLI: prevent users from using -a without specifying --auth-type (and vice versa) | ||
39 | Crawler: Upgrade HTTP related dependencies (httpx, httpcore, httpx-socks) | ||
40 | |||
41 | 14/10/2021 | ||
42 | Wapiti 3.0.7 | ||
43 | Crawler: Extract URLs from AngularJS based websites | ||
44 | Crawler: Support HTTP responses compressed with Brotli | ||
45 | Crawler: Fix handling of upload forms (due to moving to httpx), handling of button fields having a value | ||
46 | CLI: Added option to log output to a file | ||
47 | Modules: Increased speed of modules Nikto, buster, drupal_enum, brute_login_form thank to concurrency | ||
48 | Modules: Added a module to detect subdomain takeovers | ||
49 | XSS: Removed references to wapiti3.ovh for XSS payloads | ||
50 | Modules: Fixed some false positives in modules backup, Nikto and SQL | ||
51 | Modules: Upgrade Wappalyzer module | ||
52 | Crawler: Upgrade HTTP related dependencies (httpx, httpcore) | ||
53 | |||
54 | 13/05/2021 | ||
55 | Wapiti 3.0.5 | ||
56 | SQL: boolean based blind SQL injection support added | ||
57 | Report: added CSV as output format | ||
58 | Cookie: you can drop cookies from HTTP responses with --drop-set-cookie | ||
59 | Cookie: you can load cookies from your browser with -c <chrome or firefox> | ||
60 | Session: fixed an issue that could cause URLs being rescanned when resuming a session | ||
61 | CMS: New modules to detect versions and installed modules for Wordpress and Drupal | ||
62 | Fingerprinting: several issues fixed on mod_wapp | ||
63 | Crawler: HTTP requests are processed concurrently for faster crawling. Check the new --tasks option. | ||
64 | |||
65 | 20/02/2021 | ||
66 | Wapiti 3.0.4 | ||
67 | XSS: improved context awareness of HTML webpage, payloads can now use the existing HTML tags without closing them | ||
68 | XSS: greatly reduced number of false negatives while slightly reducing false positives | ||
69 | XSS: the module will also check for the CSP header and warn if reflection was found while a strong CSP seems present | ||
70 | XSS: reduced memory and CPU consumption | ||
71 | XSS: added more payloads to bypass filters and WAF | ||
72 | Exec: added a few more payloads | ||
73 | SQL: more heuristics to detect DBMS used on the target | ||
74 | Wappalyzer module allows to detect software used by a website, along with versions | ||
75 | New module to check the security settings of Cookies (HttpOnly, secure, etc) | ||
76 | New module to check the security settings for HTTP headers (Strict-Transport-Security, X-Frame-Options, etc) | ||
77 | New module to check the security settings for Content-Security-Policy | ||
78 | New module to check for forms vulnerable to CSRF (either no anti-CSRF token is present or it is not well implemented) | ||
79 | New module to brute-force found login forms with known default credentials (admin/admin, demo/demo, etc) | ||
80 | New --update option allows to get last updates for detections databases (Wappalyzer and Nikto) | ||
81 | New --max-attack-time options allows to limit the execution time of each attack module | ||
82 | New --store-config options allows to set the path for Wapiti configuration files (detection databases) | ||
83 | Combining the new "-a post" authentication option along with -s allows to login on the target without using wapiti-getcookie | ||
84 | Removed jQuery dependency | ||
85 | Fixed several issues with endpoints | ||
86 | |||
87 | 20/02/2020 | ||
88 | Wapiti 3.0.3 | ||
89 | An important work was made to reduce false positives in XSS detections. | ||
90 | That research involved scanning more than 1 million websites to discover those issues. | ||
91 | More details here: http://devloop.users.sourceforge.net/index.php?article217/one-crazy-month-of-web-vulnerability-scanning | ||
92 | |||
93 | 02/09/2019 | ||
94 | Wapiti 3.0.2 | ||
95 | New XXE module cans end payloads in parameters, query string, file uploads and raw body. | ||
96 | New module for detection Open Redirect vulnerabilities (header based our HTML meta based or JS based). | ||
97 | Fixed domain scope scanning. | ||
98 | Reduced false positives in attack modules (specially time based ones). | ||
99 | Reduced invalid links generated by js analysis and ignore obviously malformed HTML links. | ||
100 | Do not crawl CSS files and remove query strings from JS files when crawling. | ||
101 | Improved and changed existing payloads. | ||
102 | Improved extracting forms from HTML pages (radio buttons / select, ...) | ||
103 | Support for more POST enctypes (sending XML or JSON for example, currently only leveraged by mod_xxe) | ||
104 | --store-session option allow to specify a path where .db and .pkl files are stored. | ||
105 | --endpoint --internal-endpoint --external-endpoint options to set your own endpoint and receive requests from target | ||
106 | Authentications options can now be used with wapiti-getcookie. | ||
107 | Js parser can now deal with HTML comments. | ||
108 | More comprehensive choices when doing Ctrl+C during scan (eg: 'c' to continue, 'q' to quit) | ||
109 | Fixed lot of bugs thank to received crash dumps. | ||
110 | |||
111 | 11/05/2018 | ||
112 | Wapiti 3.0.1 | ||
113 | New module mod_methods to detect interesting methods which might be allowed by scripts (PUT, PROPFIND, etc) | ||
114 | New module mod_ssrf to detect Server Side Request Forgery vulnerabilities (requires Internet access) | ||
115 | Improved mod_xss and mod_permanentxss modules to reduce false positives. | ||
116 | Changed some XSS payloads for something more visual (banner at top the the webpage). | ||
117 | Changed bug reporting URL. | ||
118 | Fixed issue #54 in lamejs JS parser. | ||
119 | Removed lxml and libxml2 as a dependency. That parser have difficulties to parse exotic encodings. | ||
120 | |||
121 | 03/01/2017 | ||
122 | Release of Wapiti 3.0.0 | ||
123 | |||
124 | 02/01/2018 | ||
125 | Added --list-modules and --resume-crawl options. | ||
126 | |||
127 | 23/12/2017 | ||
128 | Ported to Python3. | ||
129 | Persister rewritten to use sqlite3 databases (for session management). | ||
130 | Added ascii-art because you know... it's an attack tool so it's required feature. | ||
131 | Changed output format (stdout) to something more like sqlmap output. | ||
132 | python-lxml and libxml2 are required dependencies unless you opt-out with --with-html5lib at setup. | ||
133 | SOCKS5 proxy support is back. | ||
134 | New -u mandatory option must be use to specify the base URL. | ||
135 | Added -d (--depth) option to limit the maximum depth of links following. | ||
136 | Added -H (--header) option to add HTTP headers to every request. | ||
137 | Added -A (--user-agent) option to set the User-Agent string. | ||
138 | Added --skip option to skip parameters during attacks. | ||
139 | Added -S (--scan-force) option to control the ammount of requests sent for attacks. | ||
140 | Added --max-parameters to not attack URLs anf forms having more than X input parameters. | ||
141 | Added -l (--level) option to allow attacking query strings without parameters. | ||
142 | Added --max-scan-time option to stop the scan after the given amount of minutes. | ||
143 | Added a buster module for directory and file busting. | ||
144 | Added a Shellshock detection module. | ||
145 | Added buitin list of well known parameters to skip during attack. | ||
146 | More control on execution flow when KeyboardInterrupt is triggered. | ||
147 | Reduced false-positives situations on time-based attacks (mainly blind_sql) | ||
148 | Replace getopt for argparse. | ||
149 | Fixed bugs related to obtaining user's locale (issue #20). | ||
150 | Enhancement to support new CVE notation [issue 37). | ||
151 | Can now report minor issues (notices) besides anomalies and vulnerabilities. | ||
152 | Added mod_delay module to report time consuming webpages. | ||
153 | Renamed some options (should be easier to remember). | ||
154 | More exec, file, xss payloads. | ||
155 | Fixed a bug with JSON cookie management for IPv6 addresses and custom ports. | ||
156 | XSS attack module can escape HTML comments for payload generation. | ||
157 | Fixed -r issue on URLs having only one parameter. | ||
158 | No SSL/TLS check by default (--verify-ssl behavior). | ||
159 | Added a Mutator class for easy payload injection in parameters. | ||
160 | Rewrote report generators, added Mako as a dependency for HTML reports. Less JS. | ||
161 | Crash report are send to a website, opt-out with --no-bugreport. | ||
162 | Improvements on backup, sql and exec modules submitted by Milan Bartos. | ||
163 | Payload files can now include special flags that will be interpreted by Wapiti. | ||
164 | wapiti-cookie and wapiti-getcookie were merged in a new wapiti-getcookie tool. | ||
165 | |||
166 | |||
167 | 20/10/2013 | ||
168 | Version 2.3.0 | ||
169 | Fixed a colosseum of bugs, especially related to unicode. | ||
170 | Software is much more stable. | ||
171 | New report template for HTML (using Kube CSS). | ||
172 | Using v2.1.5 of Nikto database for mod_nikto. | ||
173 | Replaced httplib2 with (python-)requests for everything related to HTTP. | ||
174 | Remove BeautifulSoup from package. It is still required however. | ||
175 | Core rewrite (PEP8 + more Pythonic) | ||
176 | New payloads for the backup, XSS, blind SQL, exec and file modules + more | ||
177 | detection rules. | ||
178 | So many improvements on lswww (crawler) that I can't make a list here. But | ||
179 | Wapiti reached 48% on Wivet. | ||
180 | Wapiti cookie format is now based on JSON. | ||
181 | Removed SOCKS proxy support (you will have to use a HTTP to SOCKS proxy). | ||
182 | Added a HTTPResource class for easier module creation. | ||
183 | Code restructuration for better setup. | ||
184 | Attack of parameters in query string even for HTTP POST requests. | ||
185 | Attack on file uploads (injection in file names). | ||
186 | Simpler (and less buggy) colored output with -c. | ||
187 | A CURL PoC is given for each vulnerability/anomaly found + raw HTTP | ||
188 | request representation in reports. | ||
189 | No more parameter reordering + can handle parameters repetition. | ||
190 | Added a JSON report generator + fixed the HTML report generator. | ||
191 | Added an option to not check SSL certificates. | ||
192 | mod_xss : noscipt tag escaping. | ||
193 | Can work on parameters that don't have a value in query string. | ||
194 | mod_crlf is not activated by default anymore (must call it with -m). | ||
195 | Startings URLs (-s) will be fetched even if out of scope. | ||
196 | Proxy support for wapiti-getcookie. and wapiti-cookie. | ||
197 | Attempt to bring an OpenVAS report generator. | ||
198 | Added an home-made SWF parser to extract URLs from flash files. | ||
199 | Added an home-made (and more than basic) JS interpreter based on the | ||
200 | pynarcissus parser. Lot of work still needs to be done on this. | ||
201 | New logo and webpage at wapiti.sf.net. | ||
202 | Added german and malaysian translations. | ||
203 | Added a script to create standalone archive for Windows (with py2exe). | ||
204 | |||
205 | 29/12/2009 | ||
206 | Version 2.2.1 (already) | ||
207 | Bugfixes only | ||
208 | Fixed a bug in lswww if root url is not given complete. | ||
209 | Fixed a bug in lswww with a call to BeautifulSoup made on non text files. | ||
210 | Fixed a bug that occured when verbosity = 2. Unicode error on stderr. | ||
211 | Check the document's content-type and extension before attacking files on | ||
212 | the query string. | ||
213 | Added a timeout check in the nikto module when downloading the database. | ||
214 | |||
215 | 28/12/2009 | ||
216 | Version 2.2.0 | ||
217 | Added a manpage. | ||
218 | Internationalization : translations of Wapiti in spanish and french. | ||
219 | Options -k and -i allow the scan to be saved and restored later. | ||
220 | Added option -b to set the scope of the scan based on the root url given. | ||
221 | Wrote a library to save handle cookies and save them in XML format. | ||
222 | Modules are now loaded dynamically with a dependency system. | ||
223 | Rewrote the -m option used to activate / deactivate attack modules. | ||
224 | New module to search for backup files of scripts on the target webserver. | ||
225 | New module to search for weakly configured .htaccess. | ||
226 | New module to search dangerous files based on the Nikto database. | ||
227 | Differ "raw" XSS from "urlencoded" XSS. | ||
228 | Updated BeautifulSoup to version 3.0.8. | ||
229 | Better encoding support for webpages (convert to Unicode) | ||
230 | Added "resource consumption" as a vulnerability type. | ||
231 | Fixed bug ID 2779441 "Python Version 2.5 required?" | ||
232 | Fixed bug with special characters in HTML reports. | ||
233 | |||
234 | 05/04/2008 | ||
235 | Added more patterns for file handling vulnerabilities in PHP. | ||
236 | Added GET_SQL and POST_SQL as modules (-m) for attacks. | ||
237 | Modifier getcookie.py and cookie.py so they try to get the cookies | ||
238 | even if cookielib fails. | ||
239 | |||
240 | 27/03/2007 | ||
241 | Updated ChangeLogs | ||
242 | |||
243 | 26/03/2009 | ||
244 | Fixed bug ID 2433127. Comparison was made with HTTP error codes | ||
245 | on numeric values but httplib2 return the status code as a string. | ||
246 | Forbid httplib2 to handle HTTP redirections. Wapiti and lswww will | ||
247 | take care of this (more checks on urls...) | ||
248 | Fixed a bug with Blind SQL attacks (the same attack could be launched | ||
249 | several times) | ||
250 | Fixed an error in blindSQLPayloads.txt. | ||
251 | Changed the error message when Wapiti don't get any data from lswww. | ||
252 | Verifications to be sure blind SQL attacks won't be launched if "standard" | ||
253 | SQL attacks works. | ||
254 | |||
255 | 25/03/2009 | ||
256 | Exported blind SQL payloads from the code. Now in config file | ||
257 | blindSQLPayloads.txt. | ||
258 | Set timeout for time-based BSQL attacks to timetout used for HTTP | ||
259 | requests + 1 second. | ||
260 | Added Blind SQL as a type of vulnerability in the report generator. | ||
261 | More verbosity for permanent XSS scan. | ||
262 | More docstrings. | ||
263 | Updated the REAME. | ||
264 | |||
265 | 24/03/2009 | ||
266 | Added some docstring to the code. | ||
267 | Removed warnign on alpha code. | ||
268 | First Blind SQL Injection implementation in Wapiti. | ||
269 | Fixed some timeout errors. | ||
270 | |||
271 | 22/03/2009 | ||
272 | Fixed character encoding error in sql injection module. | ||
273 | Changed the md5 and sha1 import in httplib2 to hashlib. | ||
274 | |||
275 | 28/11/2008 | ||
276 | Google Charts API is added to generate the charts of the reports. | ||
277 | |||
278 | 15/11/2008 | ||
279 | Re-integration of standard HTTP proxies in httplib2. | ||
280 | Integration of HTTP CONNECT tunneling in Wapiti. | ||
281 | Fixed bug ID 2257654 "getcookie.py error missing action in html form" | ||
282 | |||
283 | 02/11/2008 | ||
284 | Integraded the proxy implementation of httplib2 in Wapiti. | ||
285 | Can now use SOCKSv5 and SOCKSv4 proxies. | ||
286 | |||
287 | 22/10/2008 | ||
288 | Fixed a bug with Cookie headers. | ||
289 | |||
290 | 19/10/2008 | ||
291 | Remplaced urllib2 by httplib2. | ||
292 | Wapiti now use persistent HTTP connections, speed up the scan. | ||
293 | Included a python SOCKS library. | ||
294 | |||
295 | 09/10/2008 | ||
296 | Version 2.0.0-beta | ||
297 | Added the possibility to generate reports of the vulnerabilities found | ||
298 | in HTML, XML or plain-text format. See options -o and -f. | ||
299 | HTTP authentification now works. | ||
300 | Added the option -n (or --nice) to prevent endless loops during scanning. | ||
301 | More patterns for SQL vulnerability detection | ||
302 | Code refactoring : more clear and more object-oriented | ||
303 | New XSS function is now fully implemented | ||
304 | The payloads have been separated from the code into configuration files. | ||
305 | Updated BeautifulSoup | ||
306 | |||
307 | 15/09/2008 | ||
308 | Version 1.1.7-alpha | ||
309 | Use GET method if not specified in "method" tag | ||
310 | Keep an history of XSS payloads | ||
311 | New XSS engine for GET method using a list of payloads to bypass filters | ||
312 | New module HTTP.py for http requests | ||
313 | Added fpassthru to file handling warnings | ||
314 | Added a new new detection string for MS-SQL, submitted by Joe McCray | ||
315 | |||
316 | 28/01/2007 | ||
317 | Version 1.1.6 | ||
318 | New version of lswww | ||
319 | |||
320 | 24/10/2006 | ||
321 | Version 1.1.5 | ||
322 | Wildcard exclusion with -x (--exclude) option | ||
323 | |||
324 | 22/10/2006 | ||
325 | Fixed a typo in wapiti.py (setAuthCreddentials : one 'd' is enough) | ||
326 | Fixed a bug with set_auth_credentials. | ||
327 | |||
328 | 07/10/2006 | ||
329 | Version 1.1.4 | ||
330 | Some modifications have been made on getccokie.py so it can work | ||
331 | on Webmin (and probably more web applications) | ||
332 | Added -t (--timeout) option to set the timeout in seconds | ||
333 | Added -v (--verbose) option to set the verbosity. Three available | ||
334 | modes : | ||
335 | 0: only print found vulnerabilities | ||
336 | 1: print current attacked urls (existing urls) | ||
337 | 2: print every attack payload and url (very much information... good | ||
338 | for debugging) | ||
339 | Wapiti is much more modular and comes with some functions to set scan | ||
340 | and attack options... look the code ;) | ||
341 | Some defaults options are available as "modules" with option -m | ||
342 | (--module) : | ||
343 | GET_XSS: only scan for XSS with HTTP GET method (no post) | ||
344 | POST_XSS: XSS attacks using POST and not GET | ||
345 | GET_ALL: every attack without POST requests | ||
346 | |||
347 | 12/08/2006 | ||
348 | Version 1.1.3 | ||
349 | Fixed the timeout bug with chunked responses | ||
350 | (ID = 1536565 on SourceForge) | ||
351 | |||
352 | 09/08/2006 | ||
353 | Version 1.1.2 | ||
354 | Fixed a bug with HTTP 500 and POST attacks | ||
355 | |||
356 | 05/08/2006 | ||
357 | Version 1.1.1 | ||
358 | Fixed the UnboundLocalError due to socket timeouts | ||
359 | (bug ID = 1534415 on SourceForge) | ||
360 | |||
361 | 27/07/2006 | ||
362 | Version 1.1.0 with urllib2 | ||
363 | Detection string for mysql_error() | ||
364 | Changed the mysql payload (see http://shiflett.org/archive/184 ) | ||
365 | Modification of the README file | ||
366 | |||
367 | 22/07/2006 | ||
368 | Added CRLF Injection. | ||
369 | |||
370 | 20/07/2006 | ||
371 | Added LDAP Injection and Command Execution (eval, system, passthru...) | ||
372 | |||
373 | 11/07/2006 | ||
374 | -r (--remove) option to remove parameters from URLs | ||
375 | Support for Basic HTTP Auth added but don't work with Python 2.4. | ||
376 | Proxy support. | ||
377 | Now use cookie files (option "-c file" or "--cookie file") | ||
378 | -u (--underline) option to highlight vulnerable parameter in URL | ||
379 | Detect more vulnerabilities. | ||
380 | |||
381 | 04/07/2006: | ||
382 | Now attacks scripts using QUERY_STRING as a parameter | ||
383 | (i.e. http://server/script?attackme) | ||
384 | |||
385 | 23/06/2006: | ||
386 | Version 1.0.1 | ||
387 | Can now use cookies !! (use -c var=data or --cookie var=data) | ||
388 | Two utilities added : getcookie.py (interactive) and cookie.py (command line) to get a cookie. | ||
389 | Now on Sourceforge | ||
390 | |||
391 | 25/04/2006: | ||
392 | Version 1.0.0 | ||
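Review bot: the entry dates in this new ChangeLog break the file's reverse-chronological order in three places and should be verified before merging: `03/01/2017` / `Release of Wapiti 3.0.0` sits between the 11/05/2018 and 02/01/2018 entries, and the `05/04/2008` and `27/03/2007` entries sit between the 28/12/2009 and 26/03/2009 entries (2018 and 2009 would fit their neighbours, but only the author can confirm the intended years). Several entries also carry typos that a spell-check pass would catch (REAME, warnign, getccokie.py, Remplaced, Integraded, "cans end", "ammount", "buitin"), and `Enhancement to support new CVE notation [issue 37).` has a mismatched bracket where the other entries use the `issue #N` form; since this file is being added in one commit, fixing these here is cheaper than a follow-up.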