13/05/2022
    Wapiti 3.1.2
    mod_http_headers: Deprecate X-XSS-Protection header
    mod_drupal_enum: Reduce false positives
    mod_csp: Rework some WSTG categories
    Crawler: Fix crash caused by unclosed async httpx responses
23/02/2022
    Wapiti 3.1.1
    Crawler: Fix a bug preventing Wapiti from scanning websites with bad ciphers (SSL 3, TLS 1.0 for example)
    Report: Add some unicode emojis in the HTML report to indicate the criticality of each vulnerability
    XXE: more payloads to target non-PHP applications + raise a warning when the DTD file was reached by the target but exfiltration didn't succeed
    CLI: --update option will only update chosen modules
    CLI: New --data option allows launching attacks on a single POST request. This option expects a url-encoded string.
06/02/2022
    Wapiti 3.1.0
    Crawler: Fix passing named "button" tags in HTML forms
    Modules: Skip modules that fail to load properly (missing dependencies, code error, etc)
    Log4Shell: Attack POST parameters too, support for attacks on VMWare vSphere and some Apache products (Struts, Druid and Solr)
    CSRF: Django anti-CSRF token added to the whitelist
    Modules: Added references to WSTG code for each supported attack, separate Reflected XSS from Stored XSS in reports
    Crawler: Improved the parsing of HTML redirections (meta refresh)
    HashThePlanet: Added a new module to detect technologies and software versions based on the hashes of files.
    Crawler: Removed httpx-socks dependencies in favor of builtin SOCKS support in httpx. SOCKS support is fixed.
    Crawler: Upgraded httpcore to latest version in order to fix the ValueError exception that could occur on modules with high concurrency (buster, nikto)
    Core: Load resources correctly if Wapiti is running from an egg file.
15/12/2021
    Wapiti 3.0.9
    CLI: New "passive" module option allows using only the less aggressive modules
    WP_ENUM: Improve detection of Wordpress
    SSL: New module to check TLS/SSL configuration, powered by SSLyze
    Log4Shell: New attack module to detect the infamous vulnerability
18/11/2021
    Wapiti 3.0.8
    CLI: prevent users from using -a without specifying --auth-type (and vice versa)
    Crawler: Upgrade HTTP related dependencies (httpx, httpcore, httpx-socks)
14/10/2021
    Wapiti 3.0.7
    Crawler: Extract URLs from AngularJS based websites
    Crawler: Support HTTP responses compressed with Brotli
    Crawler: Fix handling of upload forms (due to moving to httpx), handling of button fields having a value
    CLI: Added option to log output to a file
    Modules: Increased speed of modules Nikto, buster, drupal_enum, brute_login_form thanks to concurrency
    Modules: Added a module to detect subdomain takeovers
    XSS: Removed references to wapiti3.ovh for XSS payloads
    Modules: Fixed some false positives in modules backup, Nikto and SQL
    Modules: Upgrade Wappalyzer module
    Crawler: Upgrade HTTP related dependencies (httpx, httpcore)
13/05/2021
    Wapiti 3.0.5
    SQL: boolean based blind SQL injection support added
    Report: added CSV as output format
    Cookie: you can drop cookies from HTTP responses with --drop-set-cookie
    Cookie: you can load cookies from your browser with -c
    Session: fixed an issue that could cause URLs being rescanned when resuming a session
    CMS: New modules to detect versions and installed modules for Wordpress and Drupal
    Fingerprinting: several issues fixed on mod_wapp
    Crawler: HTTP requests are processed concurrently for faster crawling. Check the new --tasks option.
20/02/2021
    Wapiti 3.0.4
    XSS: improved context awareness of HTML webpage, payloads can now use the existing HTML tags without closing them
    XSS: greatly reduced number of false negatives while slightly reducing false positives
    XSS: the module will also check for the CSP header and warn if reflection was found while a strong CSP seems present
    XSS: reduced memory and CPU consumption
    XSS: added more payloads to bypass filters and WAF
    Exec: added a few more payloads
    SQL: more heuristics to detect DBMS used on the target
    Wappalyzer module allows detecting software used by a website, along with versions
    New module to check the security settings of Cookies (HttpOnly, secure, etc)
    New module to check the security settings for HTTP headers (Strict-Transport-Security, X-Frame-Options, etc)
    New module to check the security settings for Content-Security-Policy
    New module to check for forms vulnerable to CSRF (either no anti-CSRF token is present or it is not well implemented)
    New module to brute-force found login forms with known default credentials (admin/admin, demo/demo, etc)
    New --update option allows getting the latest updates for detection databases (Wappalyzer and Nikto)
    New --max-attack-time option allows limiting the execution time of each attack module
    New --store-config option allows setting the path for Wapiti configuration files (detection databases)
    Combining the new "-a post" authentication option along with -s allows logging in on the target without using wapiti-getcookie
    Removed jQuery dependency
    Fixed several issues with endpoints
20/02/2020
    Wapiti 3.0.3
    Significant work was done to reduce false positives in XSS detections. That research involved scanning more than 1 million websites to discover those issues. More details here: http://devloop.users.sourceforge.net/index.php?article217/one-crazy-month-of-web-vulnerability-scanning
02/09/2019
    Wapiti 3.0.2
    New XXE module can send payloads in parameters, query string, file uploads and raw body.
    New module for detecting Open Redirect vulnerabilities (header based or HTML meta based or JS based).
    Fixed domain scope scanning.
    Reduced false positives in attack modules (especially time based ones).
    Reduced invalid links generated by js analysis and ignore obviously malformed HTML links.
    Do not crawl CSS files and remove query strings from JS files when crawling.
    Improved and changed existing payloads.
    Improved extracting forms from HTML pages (radio buttons / select, ...)
    Support for more POST enctypes (sending XML or JSON for example, currently only leveraged by mod_xxe)
    --store-session option allows specifying a path where .db and .pkl files are stored.
    --endpoint --internal-endpoint --external-endpoint options to set your own endpoint and receive requests from target
    Authentication options can now be used with wapiti-getcookie.
    Js parser can now deal with HTML comments.
    More comprehensive choices when doing Ctrl+C during scan (eg: 'c' to continue, 'q' to quit)
    Fixed a lot of bugs thanks to received crash dumps.
11/05/2018
    Wapiti 3.0.1
    New module mod_methods to detect interesting methods which might be allowed by scripts (PUT, PROPFIND, etc)
    New module mod_ssrf to detect Server Side Request Forgery vulnerabilities (requires Internet access)
    Improved mod_xss and mod_permanentxss modules to reduce false positives.
    Changed some XSS payloads for something more visual (banner at the top of the webpage).
    Changed bug reporting URL.
    Fixed issue #54 in lamejs JS parser.
    Removed lxml and libxml2 as a dependency. That parser has difficulty parsing exotic encodings.
03/01/2017
    Release of Wapiti 3.0.0
02/01/2018
    Added --list-modules and --resume-crawl options.
23/12/2017
    Ported to Python3.
    Persister rewritten to use sqlite3 databases (for session management).
    Added ascii-art because you know... it's an attack tool so it's a required feature.
    Changed output format (stdout) to something more like sqlmap output.
    python-lxml and libxml2 are required dependencies unless you opt-out with --with-html5lib at setup.
    SOCKS5 proxy support is back.
    New -u mandatory option must be used to specify the base URL.
    Added -d (--depth) option to limit the maximum depth of links following.
    Added -H (--header) option to add HTTP headers to every request.
    Added -A (--user-agent) option to set the User-Agent string.
    Added --skip option to skip parameters during attacks.
    Added -S (--scan-force) option to control the amount of requests sent for attacks.
    Added --max-parameters to not attack URLs and forms having more than X input parameters.
    Added -l (--level) option to allow attacking query strings without parameters.
    Added --max-scan-time option to stop the scan after the given amount of minutes.
    Added a buster module for directory and file busting.
    Added a Shellshock detection module.
    Added builtin list of well known parameters to skip during attack.
    More control on execution flow when KeyboardInterrupt is triggered.
    Reduced false-positive situations on time-based attacks (mainly blind_sql)
    Replaced getopt with argparse.
    Fixed bugs related to obtaining user's locale (issue #20).
    Enhancement to support new CVE notation (issue 37).
    Can now report minor issues (notices) besides anomalies and vulnerabilities.
    Added mod_delay module to report time consuming webpages.
    Renamed some options (should be easier to remember).
    More exec, file, xss payloads.
    Fixed a bug with JSON cookie management for IPv6 addresses and custom ports.
    XSS attack module can escape HTML comments for payload generation.
    Fixed -r issue on URLs having only one parameter.
    No SSL/TLS check by default (--verify-ssl behavior).
    Added a Mutator class for easy payload injection in parameters.
    Rewrote report generators, added Mako as a dependency for HTML reports. Less JS.
    Crash reports are sent to a website, opt-out with --no-bugreport.
    Improvements on backup, sql and exec modules submitted by Milan Bartos.
    Payload files can now include special flags that will be interpreted by Wapiti.
    wapiti-cookie and wapiti-getcookie were merged in a new wapiti-getcookie tool.
20/10/2013
    Version 2.3.0
    Fixed a colosseum of bugs, especially related to unicode.
    Software is much more stable.
    New report template for HTML (using Kube CSS).
    Using v2.1.5 of Nikto database for mod_nikto.
    Replaced httplib2 with (python-)requests for everything related to HTTP.
    Removed BeautifulSoup from package. It is still required however.
    Core rewrite (PEP8 + more Pythonic)
    New payloads for the backup, XSS, blind SQL, exec and file modules + more detection rules.
    So many improvements on lswww (crawler) that I can't make a list here. But Wapiti reached 48% on Wivet.
    Wapiti cookie format is now based on JSON.
    Removed SOCKS proxy support (you will have to use a HTTP to SOCKS proxy).
    Added a HTTPResource class for easier module creation.
    Code restructuring for better setup.
    Attack of parameters in query string even for HTTP POST requests.
    Attack on file uploads (injection in file names).
    Simpler (and less buggy) colored output with -c.
    A CURL PoC is given for each vulnerability/anomaly found + raw HTTP request representation in reports.
    No more parameter reordering + can handle parameters repetition.
    Added a JSON report generator + fixed the HTML report generator.
    Added an option to not check SSL certificates.
    mod_xss : noscript tag escaping.
    Can work on parameters that don't have a value in query string.
    mod_crlf is not activated by default anymore (must call it with -m).
    Starting URLs (-s) will be fetched even if out of scope.
    Proxy support for wapiti-getcookie and wapiti-cookie.
    Attempt to bring an OpenVAS report generator.
    Added a home-made SWF parser to extract URLs from flash files.
    Added a home-made (and more than basic) JS interpreter based on the pynarcissus parser. Lot of work still needs to be done on this.
    New logo and webpage at wapiti.sf.net.
    Added German and Malaysian translations.
    Added a script to create standalone archive for Windows (with py2exe).
29/12/2009
    Version 2.2.1 (already)
    Bugfixes only
    Fixed a bug in lswww if root url is not given complete.
    Fixed a bug in lswww with a call to BeautifulSoup made on non text files.
    Fixed a bug that occurred when verbosity = 2. Unicode error on stderr.
    Check the document's content-type and extension before attacking files on the query string.
    Added a timeout check in the nikto module when downloading the database.
28/12/2009
    Version 2.2.0
    Added a manpage.
    Internationalization : translations of Wapiti in Spanish and French.
    Options -k and -i allow the scan to be saved and restored later.
    Added option -b to set the scope of the scan based on the root url given.
    Wrote a library to handle cookies and save them in XML format.
    Modules are now loaded dynamically with a dependency system.
    Rewrote the -m option used to activate / deactivate attack modules.
    New module to search for backup files of scripts on the target webserver.
    New module to search for weakly configured .htaccess.
    New module to search dangerous files based on the Nikto database.
    Differ "raw" XSS from "urlencoded" XSS.
    Updated BeautifulSoup to version 3.0.8.
    Better encoding support for webpages (convert to Unicode)
    Added "resource consumption" as a vulnerability type.
    Fixed bug ID 2779441 "Python Version 2.5 required?"
    Fixed bug with special characters in HTML reports.
05/04/2008
    Added more patterns for file handling vulnerabilities in PHP.
    Added GET_SQL and POST_SQL as modules (-m) for attacks.
    Modified getcookie.py and cookie.py so they try to get the cookies even if cookielib fails.
27/03/2007
    Updated ChangeLogs
26/03/2009
    Fixed bug ID 2433127. Comparison was made with HTTP error codes on numeric values but httplib2 returns the status code as a string.
    Forbid httplib2 to handle HTTP redirections. Wapiti and lswww will take care of this (more checks on urls...)
    Fixed a bug with Blind SQL attacks (the same attack could be launched several times)
    Fixed an error in blindSQLPayloads.txt.
    Changed the error message when Wapiti doesn't get any data from lswww.
    Verifications to be sure blind SQL attacks won't be launched if "standard" SQL attacks work.
25/03/2009
    Exported blind SQL payloads from the code. Now in config file blindSQLPayloads.txt.
    Set timeout for time-based BSQL attacks to timeout used for HTTP requests + 1 second.
    Added Blind SQL as a type of vulnerability in the report generator.
    More verbosity for permanent XSS scan.
    More docstrings.
    Updated the README.
24/03/2009
    Added some docstrings to the code.
    Removed warning on alpha code.
    First Blind SQL Injection implementation in Wapiti.
    Fixed some timeout errors.
22/03/2009
    Fixed character encoding error in sql injection module.
    Changed the md5 and sha1 import in httplib2 to hashlib.
28/11/2008
    Google Charts API is added to generate the charts of the reports.
15/11/2008
    Re-integration of standard HTTP proxies in httplib2.
    Integration of HTTP CONNECT tunneling in Wapiti.
    Fixed bug ID 2257654 "getcookie.py error missing action in html form"
02/11/2008
    Integrated the proxy implementation of httplib2 in Wapiti.
    Can now use SOCKSv5 and SOCKSv4 proxies.
22/10/2008
    Fixed a bug with Cookie headers.
19/10/2008
    Replaced urllib2 by httplib2.
    Wapiti now uses persistent HTTP connections, speeding up the scan.
    Included a python SOCKS library.
09/10/2008
    Version 2.0.0-beta
    Added the possibility to generate reports of the vulnerabilities found in HTML, XML or plain-text format. See options -o and -f.
    HTTP authentication now works.
    Added the option -n (or --nice) to prevent endless loops during scanning.
    More patterns for SQL vulnerability detection
    Code refactoring : more clear and more object-oriented
    New XSS function is now fully implemented
    The payloads have been separated from the code into configuration files.
    Updated BeautifulSoup
15/09/2008
    Version 1.1.7-alpha
    Use GET method if not specified in "method" tag
    Keep a history of XSS payloads
    New XSS engine for GET method using a list of payloads to bypass filters
    New module HTTP.py for http requests
    Added fpassthru to file handling warnings
    Added a new detection string for MS-SQL, submitted by Joe McCray
28/01/2007
    Version 1.1.6
    New version of lswww
24/10/2006
    Version 1.1.5
    Wildcard exclusion with -x (--exclude) option
22/10/2006
    Fixed a typo in wapiti.py (setAuthCreddentials : one 'd' is enough)
    Fixed a bug with set_auth_credentials.
07/10/2006
    Version 1.1.4
    Some modifications have been made on getcookie.py so it can work on Webmin (and probably more web applications)
    Added -t (--timeout) option to set the timeout in seconds
    Added -v (--verbose) option to set the verbosity. Three available modes :
        0: only print found vulnerabilities
        1: print current attacked urls (existing urls)
        2: print every attack payload and url (very much information... good for debugging)
    Wapiti is much more modular and comes with some functions to set scan and attack options... look at the code ;)
    Some default options are available as "modules" with option -m (--module) :
        GET_XSS: only scan for XSS with HTTP GET method (no post)
        POST_XSS: XSS attacks using POST and not GET
        GET_ALL: every attack without POST requests
12/08/2006
    Version 1.1.3
    Fixed the timeout bug with chunked responses (ID = 1536565 on SourceForge)
09/08/2006
    Version 1.1.2
    Fixed a bug with HTTP 500 and POST attacks
05/08/2006
    Version 1.1.1
    Fixed the UnboundLocalError due to socket timeouts (bug ID = 1534415 on SourceForge)
27/07/2006
    Version 1.1.0 with urllib2
    Detection string for mysql_error()
    Changed the mysql payload (see http://shiflett.org/archive/184 )
    Modification of the README file
22/07/2006
    Added CRLF Injection.
20/07/2006
    Added LDAP Injection and Command Execution (eval, system, passthru...)
11/07/2006
    -r (--remove) option to remove parameters from URLs
    Support for Basic HTTP Auth added but doesn't work with Python 2.4.
    Proxy support.
    Now use cookie files (option "-c file" or "--cookie file")
    -u (--underline) option to highlight vulnerable parameter in URL
    Detect more vulnerabilities.
04/07/2006:
    Now attacks scripts using QUERY_STRING as a parameter (i.e. http://server/script?attackme)
23/06/2006:
    Version 1.0.1
    Can now use cookies !! (use -c var=data or --cookie var=data)
    Two utilities added : getcookie.py (interactive) and cookie.py (command line) to get a cookie.
    Now on Sourceforge
25/04/2006:
    Version 1.0.0