Topic starter 16/08/2025 11:21 pm
Here’s a comprehensive explanation of the Wapiti Web Application Scanner, a powerful tool for web security auditing:
🕷️ What Is Wapiti?
Wapiti is a black-box web vulnerability scanner written in Python. It helps security professionals and developers audit the security of web applications by scanning deployed websites—without needing access to the source code.
- It crawls the site to find inputs like forms, URLs, and parameters.
- Then it injects payloads to test for vulnerabilities such as:
  - SQL Injection
  - Cross-Site Scripting (XSS)
  - Command Injection
  - File Disclosure
  - Server-Side Request Forgery (SSRF)
  - XML External Entity (XXE) attacks
🧠 How Wapiti Works
Wapiti operates in two main phases:
- Crawling: It explores the target website to discover all reachable pages and inputs.
- Fuzzing: It injects test data into those inputs to detect exploitable flaws.
It performs black-box testing, meaning it doesn’t analyze the source code but instead interacts with the live application like a real attacker would.
🛠️ Key Features
- ✅ Supports HTTP, HTTPS, and SOCKS5 proxies
- 🔐 Handles HTTP authentication and form-based login
- 🧭 Customizable scan scope: URL, page, folder, subdomain, or domain
- 🧪 Payload injection for fuzzing
- 📄 Generates reports in HTML, XML, JSON, and plain text
- 🧱 Safeguards against endless loops and redundant scanning
🚀 Basic Usage
To start a scan:
wapiti -u http://example.com
To define scan scope:
wapiti -u http://example.com/archive/ --scope folder
To enable verbose output:
wapiti -u http://example.com -v 2
You can also configure authentication, proxy settings, and output formats. For a full guide, check out the Wapiti Wiki on GitHub.
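As an added example (not from this post or the Wapiti project), here is a small Python script that triages a Wapiti JSON report (`-f json -o report.json`): it counts findings per category, collapses repeated hits on the same parameter, and acts as a pass/fail gate for a CI pipeline. The embedded report is constructed, and its key names are my assumption of Wapiti's JSON layout, so check them against a report written by the Wapiti version you run.

```python
import json
from collections import Counter

# Constructed sample in the layout of a Wapiti JSON report (wapiti ... -f json -o report.json).
# The key names below are my assumption of Wapiti's JSON schema; verify them against a
# report produced by your own Wapiti version before relying on this script.
SAMPLE_REPORT = json.dumps({
    "infos": {"target": "http://example.com/archive/", "scope": "folder"},
    "vulnerabilities": {
        "SQL Injection": [
            {"method": "GET", "path": "/archive/item", "parameter": "id", "level": 1,
             "info": "SQL Injection via injection in the parameter id"},
            {"method": "GET", "path": "/archive/item", "parameter": "id", "level": 1,
             "info": "Blind SQL Injection via injection in the parameter id"},
        ],
        "Cross Site Scripting": [
            {"method": "POST", "path": "/archive/search", "parameter": "q", "level": 1,
             "info": "XSS vulnerability found via injection in the parameter q"},
        ],
        "Command execution": [],
    },
    "anomalies": {
        "Internal Server Error": [
            {"method": "GET", "path": "/archive/old", "parameter": "page", "level": 0,
             "info": "The server responded with HTTP 500"},
        ],
    },
})

def summarize(report_text):
    """Count findings per category, collapsing repeats on the same (method, path, parameter)
    so that one injectable parameter hit by several payloads is counted once."""
    report = json.loads(report_text)
    counts = Counter()
    for section in ("vulnerabilities", "anomalies"):
        for category, findings in report.get(section, {}).items():
            unique = {(f["method"], f["path"], f["parameter"]) for f in findings}
            if unique:
                counts[category] = len(unique)
    return dict(counts)

def gate(report_text, block_on=("SQL Injection", "Cross Site Scripting", "Command execution")):
    """Return True when none of the blocking categories has a finding (usable as a CI gate)."""
    counts = summarize(report_text)
    return not any(counts.get(category, 0) for category in block_on)

if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{n:3d}  {category}")
    print("gate:", "PASS" if gate(SAMPLE_REPORT) else "FAIL")
```

Empty categories are left out of the summary, and the gate's blocking list can be narrowed to whatever your pipeline treats as a hard stop.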