Wapiti is a web application vulnerability scanner that can be used to scan web applications for known vulnerabilities. It is available for download from the Kali Linux repository. To install Wapiti, open a terminal window and type the following command:
sudo apt-get install wapiti
Once the installation is complete, you can verify the installation by typing the following command:
wapiti --version
This will display the version of Wapiti that is installed. You can also check the Wapiti website for more information about the latest version.
Wapiti scans web applications for common vulnerabilities, but before it can be used it must be installed and configured on Kali Linux. If it is not already installed, open a terminal window and type the following command:
sudo apt-get install wapiti
Once Wapiti is installed, it must be configured. To do this, open the Wapiti configuration file located at /etc/wapiti/wapiti.conf and edit the following settings:
Set the target parameter to the URL of the web application you want to scan.
Set the scope parameter to the scope of the scan. This can be a single page, a directory, or the entire website.
Set the threads parameter to the number of threads you want to use for the scan.
Set the verbose parameter to yes to enable verbose output.
Set the timeout parameter to the maximum time you want the scan to take.
Set the user-agent parameter to the user agent you want to use for the scan.
Set the proxy parameter to the proxy you want to use for the scan.
Set the cookies parameter to the cookies you want to use for the scan.
Set the auth-type parameter to the authentication type you want to use for the scan.
Set the auth-cred parameter to the credentials you want to use for the scan.
Once you have configured the settings, save the configuration file and you are ready to run the scan.
Now that Wapiti is installed and configured, it's time to run the scan. To do this, open a terminal window and type the following command:
wapiti
This will start the scan and Wapiti will begin to look for vulnerabilities in the web application. You can also specify additional parameters such as the type of scan to perform, the number of threads to use, and the maximum number of requests to make. For more information on the available parameters, type the following command in the terminal window:
wapiti --help
Once the scan is complete, Wapiti will generate a report containing the results of the scan.
Wapiti is not a perfect tool and may not detect all vulnerabilities, so a report with few findings does not prove that the application is secure. Review the report carefully and take action on any vulnerabilities that are found.
Once Wapiti has finished scanning your web application, it will generate a report. This report lists all the vulnerabilities that were found during the scan, along with the type of each vulnerability, its severity, and the URL where it was found. Review the report carefully and take action to fix any vulnerabilities that were found.
To review the report, open the file that was generated by Wapiti. This file will be located in the same directory as the Wapiti command that was used to run the scan. The file will be named wapiti_report.html. Once the file is open, you will be able to review the report and take action to fix any vulnerabilities that were found.
When reviewing the report, it is important to pay attention to the severity of the vulnerability. If the vulnerability is marked as high severity, it is important to take action to fix the vulnerability as soon as possible. If the vulnerability is marked as low severity, it is still important to take action to fix the vulnerability, but it may not be as urgent.
Once you have reviewed the report and taken action to fix any vulnerabilities that were found, re-run the scan to make sure that all of the reported vulnerabilities have been fixed. A fix is only confirmed when the finding no longer appears in the new report. Typical remediation steps before the re-scan look like this:
# Update application code
$ git pull
# Apply patches
$ patch -p1 < patch.diff
# Restart application
$ service apache2 restart
It is also important to keep track of the vulnerabilities found and the actions taken to address them. This will help you ensure that all vulnerabilities have been addressed and that the application remains secure.
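One way to track findings across the first scan and the re-scan, as an added example that is not part of the original page or of Wapiti itself. It assumes both reports were saved as JSON with a top-level "vulnerabilities" object that maps each category to a list of findings carrying "path", "parameter" and "level" fields; that layout, the severity scale and the sample data are assumptions to adjust to your own reports.

```python
import json

# Assumed severity scale (higher number = more severe); adjust to your reports.
SEVERITY = {1: "low", 2: "medium", 3: "high"}

def load_findings(report_text):
    """Map (category, path, parameter) -> level for every finding in a report."""
    report = json.loads(report_text)
    findings = {}
    for category, entries in report.get("vulnerabilities", {}).items():
        for entry in entries:
            key = (category, entry.get("path", ""), entry.get("parameter") or "")
            # A finding listed twice keeps its highest level.
            findings[key] = max(findings.get(key, 0), int(entry.get("level", 0)))
    return findings

def compare_scans(before_text, after_text):
    """Split findings into fixed, remaining and new, most severe first."""
    before, after = load_findings(before_text), load_findings(after_text)

    def ranked(keys, levels):
        ordered = sorted(keys, key=lambda k: (-levels[k], k))
        return [(SEVERITY.get(levels[k], "unknown"),) + k for k in ordered]

    return {
        "fixed": ranked(before.keys() - after.keys(), before),
        "remaining": ranked(before.keys() & after.keys(), after),
        "new": ranked(after.keys() - before.keys(), after),
    }

# Constructed sample reports (hypothetical layout and values, not real scan output).
BEFORE = json.dumps({"vulnerabilities": {
    "SQL Injection": [{"path": "/item.php", "parameter": "id", "level": 3}],
    "Cross Site Scripting": [{"path": "/search.php", "parameter": "q", "level": 2}],
    "Secure Flag cookie": [{"path": "/", "parameter": None, "level": 1}],
}})
AFTER = json.dumps({"vulnerabilities": {
    "Cross Site Scripting": [{"path": "/search.php", "parameter": "q", "level": 2}],
    "Open Redirect": [{"path": "/login.php", "parameter": "next", "level": 1}],
}})

if __name__ == "__main__":
    for status, rows in compare_scans(BEFORE, AFTER).items():
        for severity, category, path, parameter in rows:
            print(f"{status:9} {severity:7} {category} {path} {parameter}")
```

Anything listed as "remaining" still needs a fix, and anything listed as "new" was introduced or uncovered between the two scans and should be added to the tracking record.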