zoukankan      html  css  js  c++  java
  • Wapiti

    Wapiti

    Web application vulnerability scanner / security auditor


    Presentation

    Wapiti allows you to audit the security of your web applications.
    It performs "black-box" scans, i.e. it does not study the source code of the application but will scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data.
    Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

    Wapiti can detect the following vulnerabilities :

    • File Handling Errors (Local and remote include/require, fopen, readfile...)
    • Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
    • XSS (Cross Site Scripting) Injection
    • LDAP Injection
    • Command Execution detection (eval(), system(), passtru()...)
    • CRLF Injection (HTTP Response Splitting, session fixation...)

    Wapiti is able to differentiate ponctual and permanent XSS vulnerabilities.
    Wapiti prints a warning everytime it founds a script allowing HTTP uploads.
    A warning is also issued when a HTTP 500 code is returned (useful for ASP/IIS)
    Wapiti does not rely on a vulnerability database like Nikto do. Wapiti aims to discover unknown vulnerabilities in web applications.
    It does not provide a GUI for the moment and you must use it from a terminal.
    Here is an exemple of output against a vulnerable web application.
    Take a look at the README file.

    Download

    >> Download Wapiti here <<


    Usage

    Wapiti-2.2.1 - A web application vulnerability scanner   
                                                           
    Usage: python wapiti.py http://server.com/base/url/ [options] 
                                                                   
    Supported options are:                                        
    -s <url>                                                      
    --start <url>                                                 
    	To specify an url to start with                        
                                                                   
    -x <url>                                                      
    --exclude <url>                                               
            To exclude an url from the scan (for example logout scripts) 
            You can also use a wildcard (*)                              
            Example : -x http://server/base/?page=*&module=test          
            or -x http://server/base/admin/* to exclude a directory      
                                                                         
    -p <url_proxy>                                                      
    --proxy <url_proxy>                                                 
            To specify a proxy                                           
            Example: -p http://proxy:port/                               
                                                                         
    -c <cookie_file>                                                    
    --cookie <cookie_file>                                              
            To use a cookie                                              
                                                                         
    -t <timeout> 
  • 相关阅读:
    操作系统进程
    Lowest Common Ancestor of a Binary Search Tree
    Java并发编程实践之对象的组合
    字典序排序-求全排列(元素有重复)
    计算机网络基础知识
    多线程的基础知识
    多线程编程题
    Flask安装
    appium使用实例
    调用Excel或Oracle数据,数据加载,selenium等使用实例
  • 原文地址:https://www.cnblogs.com/lexus/p/2495904.html
Copyright © 2011-2022 走看看