Even though I have spent very little time on security in recent years, every now and then it is handy to have a web application vulnerability scanner within reach. For its comprehensiveness, but above all its simplicity, I have grown fond of Wapiti, which is available as open source.

Wapiti covers quite a lot:

  • SQL Injections (Error based, boolean based, time based) and XPath Injections
  • Cross Site Scripting (XSS) reflected and permanent
  • File disclosure detection (local and remote include, require, fopen, readfile...)
  • Command Execution detection (eval(), system(), passthru()...)
  • XXE (Xml eXternal Entity) injection
  • CRLF Injection
  • Bypass of weak htaccess configurations
  • Search for copies (backup) of scripts on the server
  • Shellshock
  • Folder and file enumeration (DirBuster like)
  • Server Side Request Forgery (through use of an external Wapiti website)
  • Open Redirects
  • Detection of uncommon HTTP methods (like PUT)
  • Basic CSP Evaluator
  • Brute Force login form (using a dictionary list)
  • Checking HTTP security headers
  • Checking cookie security flags (secure and httponly flags)
  • Cross Site Request Forgery (CSRF) basic detection
  • Fingerprinting of web applications using the Wappalyzer database
  • Enumeration of popular CMS (Drupal, Joomla, Prestashop, SPIP, Wordpress)
  • Detection of subdomain takeovers vulnerabilities
  • Log4Shell vulnerability detection (CVE-2021-44228)
  • Check for TLS misconfiguration and vulnerabilities (thanks to SSLyze)
  • Wapiti supports both GET and POST HTTP methods for attacks.

It is a CLI tool that can be installed quite easily with pip:

pip install wapiti3

However, I much prefer to run it as a Docker container (the volume mount makes the reports Wapiti writes to ~/.wapiti/generated_report inside the container land in the current directory on the host):

docker run --rm -it -v $(pwd):/root/.wapiti/generated_report cyberwatch/wapiti -u https://example.com

 ██╗    ██╗ █████╗ ██████╗ ██╗████████╗██╗██████╗
 ██║    ██║██╔══██╗██╔══██╗██║╚══██╔══╝██║╚════██╗
 ██║ █╗ ██║███████║██████╔╝██║   ██║   ██║ █████╔╝
 ██║███╗██║██╔══██║██╔═══╝ ██║   ██║   ██║ ╚═══██╗
 ╚███╔███╔╝██║  ██║██║     ██║   ██║   ██║██████╔╝
  ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝     ╚═╝   ╚═╝   ╚═╝╚═════╝
Wapiti 3.2.0 (wapiti-scanner.github.io)
usage: wapiti [-h] [-u URL] [--swagger URI] [--data data]
              [--scope {url,page,folder,subdomain,domain,punk}] [-m MODULES_LIST]
              [--list-modules] [-l LEVEL] [-p PROXY_URL] [--tor] [--mitm-port PORT]
              [--headless {no,hidden,visible}] [--wait TIME] [-a CREDENTIALS]
              [--auth-user USERNAME] [--auth-password PASSWORD]
              [--auth-method {basic,digest,ntlm}] [--form-cred CREDENTIALS]
              [--form-user USERNAME] [--form-password PASSWORD] [--form-url URL]
              [--form-data DATA] [--form-enctype DATA] [--form-script FILENAME]
              [-c COOKIE_FILE] [-sf SIDE_FILE] [-C COOKIE_VALUE] [--drop-set-cookie]
              [--skip-crawl] [--resume-crawl] [--flush-attacks] [--flush-session]
              [--store-session PATH] [--store-config PATH] [-s URL] [-x URL]
              [-r PARAMETER] [--skip PARAMETER] [-d DEPTH] [--max-links-per-page MAX]
              [--max-files-per-dir MAX] [--max-scan-time SECONDS]
              [--max-attack-time SECONDS] [--max-parameters MAX] [-S FORCE]
              [--tasks tasks] [--external-endpoint EXTERNAL_ENDPOINT_URL]
              [--internal-endpoint INTERNAL_ENDPOINT_URL] [--endpoint ENDPOINT_URL]
              [--dns-endpoint DNS_ENDPOINT_DOMAIN] [-t SECONDS] [-H HEADER]
              [-A AGENT] [--verify-ssl {0,1}] [--color] [-v LEVEL]
              [--log OUTPUT_PATH] [-f FORMAT] [-o OUTPUT_PATH]
              [-dr DETAILED_REPORT_LEVEL] [--no-bugreport] [--update] [--version]
              [--cms CMS_LIST] [--wapp-url WAPP_URL] [--wapp-dir WAPP_DIR]
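
Once a scan is done, the useful next step is to turn the report into something a pipeline can act on. The block below is an added example, not code from the post or from the Wapiti project: it assumes the scan was run with `-f json -o ...` (both options appear in the usage above) and parses the resulting JSON. The sample report embedded in the script is constructed to mimic Wapiti's JSON shape; the key names (`infos`, `vulnerabilities`, `anomalies`, `additionals`, and per-finding `method`, `path`, `parameter`, `level`, `info`) and the 1 = low / 2 = medium / 3 = high level scale are assumptions about that format, so check them against a real report before relying on the gate.

```python
import json
from collections import Counter

# To produce a JSON report with the Docker invocation from the post, add
# `-f json -o /root/.wapiti/generated_report/report.json`; the mounted
# volume then leaves report.json in the host's current directory.

# Constructed sample report mimicking Wapiti's JSON output. The key names
# and the numeric level scale are assumptions, not taken from the post.
SAMPLE_REPORT = json.dumps({
    "infos": {"target": "https://example.com/", "version": "Wapiti 3.2.0",
              "crawled_pages_nbr": 12},
    "vulnerabilities": {
        "SQL Injection": [
            {"method": "GET", "path": "/item.php", "parameter": "id", "level": 3,
             "info": "SQL Injection via injection in the parameter id",
             "http_request": "GET /item.php?id=1%27 HTTP/1.1\nHost: example.com"},
        ],
        "Cross Site Scripting": [
            {"method": "POST", "path": "/search", "parameter": "q", "level": 2,
             "info": "XSS vulnerability found via injection in the parameter q"},
            {"method": "GET", "path": "/view", "parameter": "name", "level": 2,
             "info": "XSS vulnerability found via injection in the parameter name"},
        ],
        "Open Redirect": [],
    },
    "anomalies": {
        "Internal Server Error": [
            {"method": "GET", "path": "/admin", "parameter": "", "level": 1,
             "info": "The server responded with a 500 error"},
        ],
    },
    "additionals": {},
})

# Assumed mapping of Wapiti's numeric severity to names.
LEVEL_NAMES = {1: "low", 2: "medium", 3: "high"}


def load_report(text):
    """Parse the JSON text of a Wapiti report."""
    return json.loads(text)


def findings(report):
    """Flatten vulnerabilities and anomalies into (section, category, finding)."""
    for section in ("vulnerabilities", "anomalies"):
        for category, items in report.get(section, {}).items():
            for item in items:
                yield section, category, item


def summarize(report):
    """Count findings per (section, category); empty categories are skipped."""
    counts = Counter()
    for section, category, _item in findings(report):
        counts[(section, category)] += 1
    return dict(counts)


def max_level(report):
    """Highest severity level present in the report (0 if no findings)."""
    return max((item.get("level", 0) for _, _, item in findings(report)), default=0)


def triage_lines(report, min_level=2):
    """Human-readable lines for findings at or above min_level, worst first."""
    rows = [(cat, item) for _, cat, item in findings(report)
            if item.get("level", 0) >= min_level]
    rows.sort(key=lambda r: -r[1].get("level", 0))  # stable: ties keep report order
    return [
        f"[{LEVEL_NAMES.get(item.get('level'), item.get('level'))}] {cat}: "
        f"{item['method']} {item['path']} param={item.get('parameter') or '-'}"
        for cat, item in rows
    ]


def gate(report, fail_level=3):
    """CI-style exit status: 1 if any finding reaches fail_level, else 0."""
    return 1 if max_level(report) >= fail_level else 0


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    print(f"Target: {report['infos']['target']} ({report['infos']['version']})")
    for (section, category), n in sorted(summarize(report).items()):
        print(f"  {section}/{category}: {n}")
    for line in triage_lines(report):
        print(line)
    raise SystemExit(gate(report))
```

In a pipeline you would replace `SAMPLE_REPORT` with the contents of the mounted `report.json` and let the non-zero exit status from `gate` fail the job when a high-severity finding appears, while the `triage_lines` output goes into the job log for whoever picks it up.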

You can find the project at wapiti-scanner.github.io.

I came across it while looking for the most successful Bug Bounty hunters, and the author of Wapiti, a security consultant, is in first place.