From e4c7719d34345634367c58f5e53388b856aac7c5 Mon Sep 17 00:00:00 2001 From: Yigit Sever Date: Mon, 23 Jan 2023 23:59:13 +0300 Subject: Deleted package: wapiti --- wapiti/ChangeLog | 398 ------------------------------------------------------- 1 file changed, 398 deletions(-) delete mode 100644 wapiti/ChangeLog (limited to 'wapiti/ChangeLog') diff --git a/wapiti/ChangeLog b/wapiti/ChangeLog deleted file mode 100644 index ff8f2a5..0000000 --- a/wapiti/ChangeLog +++ /dev/null @@ -1,398 +0,0 @@ -09/07/2022 - Wapiti 3.1.3 - Reports: Add a new --detailed-report option that will put HTTP responses (headers and bodies) in the report. - Crawler: Add a new --mitm-port option that will replace the crawler with an intercepting proxy (mitmproxy) - Core: Dropped support of Python 3.7 - -13/05/2022 - Wapiti 3.1.2 - mod_http_headers: Deprecate X-XSS-Protection header - mod_drupal_enum: Reduce false positives - mod_csp: Rework some WSTG categories - Crawler: Fix crash caused by unclosed async httpx responses - -23/02/2022 - Wapiti 3.1.1 - Crawler: Fix a bug preventing Wapiti to scan websites with bad ciphers (SSL 3, TLS 1.0 for example) - Report: Add some unicode emojis in the HTML report to indicate the criticality of each vulnerability - XXE: more payloads to target non-PHP applications + raise a warning when the DTD file was reached by the target but exfiltration didn't succeed - CLI: --update option will only update chosen modules - CLI: New --data option allows to launch attacks on a single POST request. This option expect a url-encoded string. - -06/02/2022 - Wapiti 3.1.0 - Crawler: Fix passing named "button" tags in HTML forms - Modules: Skip modules that fails to load properly (missing dependencies, code error, etc) - Log4Shell: Attack POST parameters too, support for attacks on VMWare vSphere and some Apache products (Struts, Druid and Solr) - CSRF: Django anti-CSRF token added to the whitelist - Modules: Added references to WSTG code for each supported attack, separate Reflected XSS from Stored XSS in reports - Crawler: Improved the parsing of HTML redirections (meta refresh) - HashThePlanet: Added a new module to detect technologies and software versions based on the hashes of files. - Crawler: Removed httpx-socks dependencies in favor of builtin SOCKS support in httpx. SOCKS support is fixed. - Crawler: Upgraded httpcore to latest version in order to fix the ValueError exception that could occur on modules with high concurrency (buster, nikto) - Core: Load correctly resources if Wapiti is running from an egg file. - -15/12/2021 - Wapiti 3.0.9 - CLI: New "passive" module option allows to use less aggressives modules only - WP_ENUM: Improve detection of Wordpress - SSL: New module to check TLS/SSL configuration, powered by SSLyze - Log4Shell: New attack module to detect the infamous vulnerability - -18/11/2021 - Wapiti 3.0.8 - CLI: prevent users from using -a without specifying --auth-type (and vice versa) - Crawler: Upgrade HTTP related dependencies (httpx, httpcore, httpx-socks) - -14/10/2021 - Wapiti 3.0.7 - Crawler: Extract URLs from AngularJS based websites - Crawler: Support HTTP responses compressed with Brotli - Crawler: Fix handling of upload forms (due to moving to httpx), handling of button fields having a value - CLI: Added option to log output to a file - Modules: Increased speed of modules Nikto, buster, drupal_enum, brute_login_form thank to concurrency - Modules: Added a module to detect subdomain takeovers - XSS: Removed references to wapiti3.ovh for XSS payloads - Modules: Fixed some false positives in modules backup, Nikto and SQL - Modules: Upgrade Wappalyzer module - Crawler: Upgrade HTTP related dependencies (httpx, httpcore) - -13/05/2021 - Wapiti 3.0.5 - SQL: boolean based blind SQL injection support added - Report: added CSV as output format - Cookie: you can drop cookies from HTTP responses with --drop-set-cookie - Cookie: you can load cookies from your browser with -c - Session: fixed an issue that could cause URLs being rescanned when resuming a session - CMS: New modules to detect versions and installed modules for Wordpress and Drupal - Fingerprinting: several issues fixed on mod_wapp - Crawler: HTTP requests are processed concurrently for faster crawling. Check the new --tasks option. - -20/02/2021 - Wapiti 3.0.4 - XSS: improved context awareness of HTML webpage, payloads can now use the existing HTML tags without closing them - XSS: greatly reduced number of false negatives while slightly reducing false positives - XSS: the module will also check for the CSP header and warn if reflection was found while a strong CSP seems present - XSS: reduced memory and CPU consumption - XSS: added more payloads to bypass filters and WAF - Exec: added a few more payloads - SQL: more heuristics to detect DBMS used on the target - Wappalyzer module allows to detect software used by a website, along with versions - New module to check the security settings of Cookies (HttpOnly, secure, etc) - New module to check the security settings for HTTP headers (Strict-Transport-Security, X-Frame-Options, etc) - New module to check the security settings for Content-Security-Policy - New module to check for forms vulnerable to CSRF (either no anti-CSRF token is present or it is not well implemented) - New module to brute-force found login forms with known default credentials (admin/admin, demo/demo, etc) - New --update option allows to get last updates for detections databases (Wappalyzer and Nikto) - New --max-attack-time options allows to limit the execution time of each attack module - New --store-config options allows to set the path for Wapiti configuration files (detection databases) - Combining the new "-a post" authentication option along with -s allows to login on the target without using wapiti-getcookie - Removed jQuery dependency - Fixed several issues with endpoints - -20/02/2020 - Wapiti 3.0.3 - An important work was made to reduce false positives in XSS detections. - That research involved scanning more than 1 million websites to discover those issues. - More details here: http://devloop.users.sourceforge.net/index.php?article217/one-crazy-month-of-web-vulnerability-scanning - -02/09/2019 - Wapiti 3.0.2 - New XXE module cans end payloads in parameters, query string, file uploads and raw body. - New module for detection Open Redirect vulnerabilities (header based our HTML meta based or JS based). - Fixed domain scope scanning. - Reduced false positives in attack modules (specially time based ones). - Reduced invalid links generated by js analysis and ignore obviously malformed HTML links. - Do not crawl CSS files and remove query strings from JS files when crawling. - Improved and changed existing payloads. - Improved extracting forms from HTML pages (radio buttons / select, ...) - Support for more POST enctypes (sending XML or JSON for example, currently only leveraged by mod_xxe) - --store-session option allow to specify a path where .db and .pkl files are stored. - --endpoint --internal-endpoint --external-endpoint options to set your own endpoint and receive requests from target - Authentications options can now be used with wapiti-getcookie. - Js parser can now deal with HTML comments. - More comprehensive choices when doing Ctrl+C during scan (eg: 'c' to continue, 'q' to quit) - Fixed lot of bugs thank to received crash dumps. - -11/05/2018 - Wapiti 3.0.1 - New module mod_methods to detect interesting methods which might be allowed by scripts (PUT, PROPFIND, etc) - New module mod_ssrf to detect Server Side Request Forgery vulnerabilities (requires Internet access) - Improved mod_xss and mod_permanentxss modules to reduce false positives. - Changed some XSS payloads for something more visual (banner at top the the webpage). - Changed bug reporting URL. - Fixed issue #54 in lamejs JS parser. - Removed lxml and libxml2 as a dependency. That parser have difficulties to parse exotic encodings. - -03/01/2017 - Release of Wapiti 3.0.0 - -02/01/2018 - Added --list-modules and --resume-crawl options. - -23/12/2017 - Ported to Python3. - Persister rewritten to use sqlite3 databases (for session management). - Added ascii-art because you know... it's an attack tool so it's required feature. - Changed output format (stdout) to something more like sqlmap output. - python-lxml and libxml2 are required dependencies unless you opt-out with --with-html5lib at setup. - SOCKS5 proxy support is back. - New -u mandatory option must be use to specify the base URL. - Added -d (--depth) option to limit the maximum depth of links following. - Added -H (--header) option to add HTTP headers to every request. - Added -A (--user-agent) option to set the User-Agent string. - Added --skip option to skip parameters during attacks. - Added -S (--scan-force) option to control the ammount of requests sent for attacks. - Added --max-parameters to not attack URLs anf forms having more than X input parameters. - Added -l (--level) option to allow attacking query strings without parameters. - Added --max-scan-time option to stop the scan after the given amount of minutes. - Added a buster module for directory and file busting. - Added a Shellshock detection module. - Added buitin list of well known parameters to skip during attack. - More control on execution flow when KeyboardInterrupt is triggered. - Reduced false-positives situations on time-based attacks (mainly blind_sql) - Replace getopt for argparse. - Fixed bugs related to obtaining user's locale (issue #20). - Enhancement to support new CVE notation [issue 37). - Can now report minor issues (notices) besides anomalies and vulnerabilities. - Added mod_delay module to report time consuming webpages. - Renamed some options (should be easier to remember). - More exec, file, xss payloads. - Fixed a bug with JSON cookie management for IPv6 addresses and custom ports. - XSS attack module can escape HTML comments for payload generation. - Fixed -r issue on URLs having only one parameter. - No SSL/TLS check by default (--verify-ssl behavior). - Added a Mutator class for easy payload injection in parameters. - Rewrote report generators, added Mako as a dependency for HTML reports. Less JS. - Crash report are send to a website, opt-out with --no-bugreport. - Improvements on backup, sql and exec modules submitted by Milan Bartos. - Payload files can now include special flags that will be interpreted by Wapiti. - wapiti-cookie and wapiti-getcookie were merged in a new wapiti-getcookie tool. - - -20/10/2013 - Version 2.3.0 - Fixed a colosseum of bugs, especially related to unicode. - Software is much more stable. - New report template for HTML (using Kube CSS). - Using v2.1.5 of Nikto database for mod_nikto. - Replaced httplib2 with (python-)requests for everything related to HTTP. - Remove BeautifulSoup from package. It is still required however. - Core rewrite (PEP8 + more Pythonic) - New payloads for the backup, XSS, blind SQL, exec and file modules + more - detection rules. - So many improvements on lswww (crawler) that I can't make a list here. But - Wapiti reached 48% on Wivet. - Wapiti cookie format is now based on JSON. - Removed SOCKS proxy support (you will have to use a HTTP to SOCKS proxy). - Added a HTTPResource class for easier module creation. - Code restructuration for better setup. - Attack of parameters in query string even for HTTP POST requests. - Attack on file uploads (injection in file names). - Simpler (and less buggy) colored output with -c. - A CURL PoC is given for each vulnerability/anomaly found + raw HTTP - request representation in reports. - No more parameter reordering + can handle parameters repetition. - Added a JSON report generator + fixed the HTML report generator. - Added an option to not check SSL certificates. - mod_xss : noscipt tag escaping. - Can work on parameters that don't have a value in query string. - mod_crlf is not activated by default anymore (must call it with -m). - Startings URLs (-s) will be fetched even if out of scope. - Proxy support for wapiti-getcookie. and wapiti-cookie. - Attempt to bring an OpenVAS report generator. - Added an home-made SWF parser to extract URLs from flash files. - Added an home-made (and more than basic) JS interpreter based on the - pynarcissus parser. Lot of work still needs to be done on this. - New logo and webpage at wapiti.sf.net. - Added german and malaysian translations. - Added a script to create standalone archive for Windows (with py2exe). - -29/12/2009 - Version 2.2.1 (already) - Bugfixes only - Fixed a bug in lswww if root url is not given complete. - Fixed a bug in lswww with a call to BeautifulSoup made on non text files. - Fixed a bug that occured when verbosity = 2. Unicode error on stderr. - Check the document's content-type and extension before attacking files on - the query string. - Added a timeout check in the nikto module when downloading the database. - -28/12/2009 - Version 2.2.0 - Added a manpage. - Internationalization : translations of Wapiti in spanish and french. - Options -k and -i allow the scan to be saved and restored later. - Added option -b to set the scope of the scan based on the root url given. - Wrote a library to save handle cookies and save them in XML format. - Modules are now loaded dynamically with a dependency system. - Rewrote the -m option used to activate / deactivate attack modules. - New module to search for backup files of scripts on the target webserver. - New module to search for weakly configured .htaccess. - New module to search dangerous files based on the Nikto database. - Differ "raw" XSS from "urlencoded" XSS. - Updated BeautifulSoup to version 3.0.8. - Better encoding support for webpages (convert to Unicode) - Added "resource consumption" as a vulnerability type. - Fixed bug ID 2779441 "Python Version 2.5 required?" - Fixed bug with special characters in HTML reports. - -05/04/2008 - Added more patterns for file handling vulnerabilities in PHP. - Added GET_SQL and POST_SQL as modules (-m) for attacks. - Modifier getcookie.py and cookie.py so they try to get the cookies - even if cookielib fails. - -27/03/2007 - Updated ChangeLogs - -26/03/2009 - Fixed bug ID 2433127. Comparison was made with HTTP error codes - on numeric values but httplib2 return the status code as a string. - Forbid httplib2 to handle HTTP redirections. Wapiti and lswww will - take care of this (more checks on urls...) - Fixed a bug with Blind SQL attacks (the same attack could be launched - several times) - Fixed an error in blindSQLPayloads.txt. - Changed the error message when Wapiti don't get any data from lswww. - Verifications to be sure blind SQL attacks won't be launched if "standard" - SQL attacks works. - -25/03/2009 - Exported blind SQL payloads from the code. Now in config file - blindSQLPayloads.txt. - Set timeout for time-based BSQL attacks to timetout used for HTTP - requests + 1 second. - Added Blind SQL as a type of vulnerability in the report generator. - More verbosity for permanent XSS scan. - More docstrings. - Updated the REAME. - -24/03/2009 - Added some docstring to the code. - Removed warnign on alpha code. - First Blind SQL Injection implementation in Wapiti. - Fixed some timeout errors. - -22/03/2009 - Fixed character encoding error in sql injection module. - Changed the md5 and sha1 import in httplib2 to hashlib. - -28/11/2008 - Google Charts API is added to generate the charts of the reports. - -15/11/2008 - Re-integration of standard HTTP proxies in httplib2. - Integration of HTTP CONNECT tunneling in Wapiti. - Fixed bug ID 2257654 "getcookie.py error missing action in html form" - -02/11/2008 - Integraded the proxy implementation of httplib2 in Wapiti. - Can now use SOCKSv5 and SOCKSv4 proxies. - -22/10/2008 - Fixed a bug with Cookie headers. - -19/10/2008 - Remplaced urllib2 by httplib2. - Wapiti now use persistent HTTP connections, speed up the scan. - Included a python SOCKS library. - -09/10/2008 - Version 2.0.0-beta - Added the possibility to generate reports of the vulnerabilities found - in HTML, XML or plain-text format. See options -o and -f. - HTTP authentification now works. - Added the option -n (or --nice) to prevent endless loops during scanning. - More patterns for SQL vulnerability detection - Code refactoring : more clear and more object-oriented - New XSS function is now fully implemented - The payloads have been separated from the code into configuration files. - Updated BeautifulSoup - -15/09/2008 - Version 1.1.7-alpha - Use GET method if not specified in "method" tag - Keep an history of XSS payloads - New XSS engine for GET method using a list of payloads to bypass filters - New module HTTP.py for http requests - Added fpassthru to file handling warnings - Added a new new detection string for MS-SQL, submitted by Joe McCray - -28/01/2007 - Version 1.1.6 - New version of lswww - -24/10/2006 - Version 1.1.5 - Wildcard exclusion with -x (--exclude) option - -22/10/2006 - Fixed a typo in wapiti.py (setAuthCreddentials : one 'd' is enough) - Fixed a bug with set_auth_credentials. - -07/10/2006 - Version 1.1.4 - Some modifications have been made on getccokie.py so it can work - on Webmin (and probably more web applications) - Added -t (--timeout) option to set the timeout in seconds - Added -v (--verbose) option to set the verbosity. Three available - modes : - 0: only print found vulnerabilities - 1: print current attacked urls (existing urls) - 2: print every attack payload and url (very much information... good - for debugging) - Wapiti is much more modular and comes with some functions to set scan - and attack options... look the code ;) - Some defaults options are available as "modules" with option -m - (--module) : - GET_XSS: only scan for XSS with HTTP GET method (no post) - POST_XSS: XSS attacks using POST and not GET - GET_ALL: every attack without POST requests - -12/08/2006 - Version 1.1.3 - Fixed the timeout bug with chunked responses - (ID = 1536565 on SourceForge) - -09/08/2006 - Version 1.1.2 - Fixed a bug with HTTP 500 and POST attacks - -05/08/2006 - Version 1.1.1 - Fixed the UnboundLocalError due to socket timeouts - (bug ID = 1534415 on SourceForge) - -27/07/2006 - Version 1.1.0 with urllib2 - Detection string for mysql_error() - Changed the mysql payload (see http://shiflett.org/archive/184 ) - Modification of the README file - -22/07/2006 - Added CRLF Injection. - -20/07/2006 - Added LDAP Injection and Command Execution (eval, system, passthru...) - -11/07/2006 - -r (--remove) option to remove parameters from URLs - Support for Basic HTTP Auth added but don't work with Python 2.4. - Proxy support. - Now use cookie files (option "-c file" or "--cookie file") - -u (--underline) option to highlight vulnerable parameter in URL - Detect more vulnerabilities. - -04/07/2006: - Now attacks scripts using QUERY_STRING as a parameter - (i.e. http://server/script?attackme) - -23/06/2006: - Version 1.0.1 - Can now use cookies !! (use -c var=data or --cookie var=data) - Two utilities added : getcookie.py (interactive) and cookie.py (command line) to get a cookie. - Now on Sourceforge - -25/04/2006: - Version 1.0.0 -- cgit v1.2.3-70-g09d2