Full Disclosure mailing list archives
Wapiti 2.3.0 - the python-powered web-application vulnerability scanner
From: Nicolas Surribas <nicolas.surribas () gmail com>
Date: Wed, 27 Nov 2013 23:10:48 +0100
Hello full-disclosure subscribers!

I'm proud to announce the release of a new version of Wapiti, the web-application vulnerability scanner.

What's new in version 2.3.0?

* Wapiti now uses the python-requests module for HTTP instead of httplib2.
* More pythonic code. A HTTPResource class was created to simplify module writing.
* New template for the HTML report generator.
* Uses an up-to-date Nikto database for the mod_nikto module.
* New payloads for almost every attack module (includes payloads for XXE and NoSQL injection).
* New detection strings for error-based attacks.
* Major improvements on the crawler (lswww). Wapiti reached a 48% exploration rate on Wivet.
* Replaced the XML-based cookie storage format with JSON.
* Removed SOCKS proxy support (due to migration to python-requests). You will have to use proxies like Polipo to tunnel requests through SOCKS.
* Parameters from the query-string are now attacked in POST-based attacks too (not only the parameters in the POST body).
* Can now attack upload scripts (multipart forms): payloads are injected in filenames.
* Simpler and less buggy colored output in the terminal (-u option).
* For every successful attack, a cURL command-line is given (fast PoC).
* HTTP requests of successful attacks are also given in the report (instead of just the URL, parameter and payload).
* More browser-like behavior for crawling: no more parameter reordering in URLs. Parameter repetition is also handled. Empty parameters are kept.
* New report formats: JSON and OpenVAS XML.
* Improved SSL support. A new option can deactivate certificate verification.
* The mod_xss attack module can now escape noscript tags.
* mod_crlf is now deactivated by default.
* First URLs to scan (passed through the -s option) will be fetched even if out of the scan scope.
* Added proxy support for the wapiti-cookie and wapiti-getcookie utilities.
* Wapiti is translated into English, French, German, Spanish and Malay.
* Includes a home-made SWF parser to extract URLs from Flash animations.
* Includes the very beginning of a home-made JS interpreter based on PyNarcissus (JS parser).
* New logo and webpage.
* A standalone archive (no installation required) is available for Windows users.

More information and downloads can be found on the project webpage: http://wapiti.sf.net/

Kind regards