Quick and Easy Vulnerability Testing with Wapiti

What is Vulnerability Testing?

Testing that identifies security issues (or vulnerabilities) with a website or web application.

Vulnerability Scanners

There are a large number of vulnerability scanners that a person can use to automatically evaluate a website. Today we’ll be using a tool called Wapiti that we can run from the command line. There are plenty of other great tools out there of course.

WARNING - Don’t use these tools on websites you do not own or have permission to test. You very well could be breaking laws if you do.

Wapiti scans for the following: (as stated on their site)

• File disclosure (Local and remote include/require, fopen, readfile…)
• Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
• XSS (Cross Site Scripting) injection (reflected and permanent)
• Command Execution detection (eval(), system(), passtru()…)
• CRLF Injection (HTTP Response Splitting, session fixation…)
• XXE (XmleXternal Entity) injection
• Use of know potentially dangerous files (thanks to the Nikto database)
• Weak .htaccess configurations that can be bypassed
• Presence of backup files giving sensitive information (source code disclosure)

Installing Wapiti

This is actually very straight forward on Linux. Fire up that command line.

sudo apt-get install wapiti

If you are running Mac OSX, download the zip file. Once it’s downloaded, extract the files. Navigate to that folder in your command line and run the following command to install:

sudo python setup.py install

Shouldn’t take long and it will be fully installed. Other install options are available as well. This should work on certain Raspberry Pi setups, but the scan would take a significant amount of time.

Run The Scanner

Now that it’s installed, the word ‘wapiti’ is now a command. So to run the scanner just type the command followed by the website you want to scan.

wapiti http://websiteyouwanttoscan.com

Once the program gets going it will provide updates on what testing modules it has currently engaged. It usually takes a while to run depending on the size and complexity of the site/app.

##Read The Report The program will end by tell you that a generated report was created. Locate the folder, ‘gernated_report’ and open the index.html. This report will list out the security issues that the scanner picked up on.

Boom! Now you know more about how secure your website or web application actually is.

Update: Unix Command for Optimizing the Scanner

You’ll want to specify some things in the command so the scan runs quicker and more reliably. (parts of command explained below) The reason for this is because sometimes the scan can get caught in a loop, so its best to set some limits.

sudo wapiti http://websiteyouwanttoscan.com -n 10 -f html -o /wapiti_reports

-n 10 (prevents infinite loops by setting a URL depth)

-f html (declares what report type, could use ‘txt’ for example or even OpenVAS format)

-o /Desktop/wapiti_reports (declares report destination)