Full Disclosure mailing list archives

Wapiti 2.3.0 - the python-powered web-application vulnerability scanner


From: Nicolas Surribas <nicolas.surribas () gmail com>
Date: Wed, 27 Nov 2013 23:10:48 +0100

Hello full-disclosure subscribers !

I'm proud to announce the release of a new version of Wapiti, the
web-application vulnerability scanner.


What's new in version 2.3.0 ?

* Wapiti now uses the python-requests module for HTTP instead of httplib2.

* More pythonic code. A HTTPResource class was created to simplify module
writing.

* New template for the HTML report generator.

* Uses an up-to-date Nikto database for the mod_nikto module.

* New payloads for almost every attack module (includes payloads for XXE
and NoSQL injection).

* New detection strings for error-based attacks.

* Major improvements on the crawler (lswww). Wapiti reached a 48%
exploration rate on Wivet.

* Replaced the XML-based cookie storage format with JSON.

* Removed SOCKS proxy support (due to migration to python-requests). You
will have to use proxies like Polipo to tunnel requests through SOCKS.

* Parameters from the query-string are now attacked in POST based attacks
too (not only the parameters in the POST body).

* Can now attack upload scripts (multipart forms) : payloads are injected
in filenames.

* Simpler and less buggy colored output in the terminal (-u option).

* For every successful attack, a cURL command-line is given (fast PoC).

* HTTP requests of successful attacks are also given in the report (instead
of just the URL, parameter and payload).

* More browser-like behavior for crawling : No more parameter reordering
in URLs. Parameter repetition is also handled. Empty parameters are kept.

* New report formats : JSON and OpenVAS XML.

* Improved SSL support. A new option can deactivate certificate
verification.

* The mod_xss attack module can now escape noscript tags.

* mod_crlf is now deactivated by default.

* First URLs to scan (passed through the -s option) will be fetched even if
out of the scan scope.

* Added proxy support for the wapiti-cookie and wapiti-getcookie utilities.

* Wapiti is translated in English, French, German, Spanish and Malay.

* Includes a home-made SWF parser to extract URLs from Flash animations.

* Includes the very beginning of a home-made JS interpreter based on
PyNarcissus (JS parser).

* New logo and webpage.

* A standalone archive (no installation required) is available for Windows
users.

More information and downloads can be found on the project webpage :
http://wapiti.sf.net/

Kind regards
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
