### Example Docker Compose Setup Source: https://github.com/wapiti-scanner/wapiti/blob/master/doc/integration_system.md This is a typical docker-compose.setup.yml file for defining services and extensions for an integration test scenario. It includes default setups for PHP, web server healthchecks, and MySQL. ```YAML x-default_php_setup: &default_php_setup image: php${PHP_HASH} networks: - test-network x-healthcheck_web: &healthcheck_web healthcheck: test: ${DEFAULT_WEB_HEALTHCHECK_COMMAND} interval: ${DEFAULT_HEALTHCHECKS_INTERVAL} timeout: ${DEFAULT_HEALTHCHECKS_TIMEOUT} start_period: ${DEFAULT_HEALTHCHECKS_START_PERIOD} retries: ${DEFAULT_HEALTHCHECKS_RETRIES} x-default_mysql_setup: &default_mysql_setup image: mysql${MYSQL_HASH} networks: - test-network x-healthcheck_mysql: &healthcheck_mysql healthcheck: test: ${DEFAULT_MYSQL_HEALTHCHECK_COMMAND} start_period: ${DEFAULT_HEALTHCHECKS_START_PERIOD} interval: ${DEFAULT_HEALTHCHECKS_INTERVAL} timeout: ${DEFAULT_HEALTHCHECKS_TIMEOUT} retries: ${DEFAULT_HEALTHCHECKS_RETRIES} services: # Write your services here wapiti: build: context: "../../" dockerfile: "./tests/integration/wapiti/Dockerfile.integration" no_cache: true container_name: wapiti volumes: - ./.test:/home/ networks: - test-network command: "${TESTS}" depends_on: # Make wapiti depends on your services (service_healthy) # Don't forget to add anything volume related if you work with it ``` -------------------------------- ### Install Wapiti from source Source: https://github.com/wapiti-scanner/wapiti/blob/master/INSTALL.md Installs Wapiti from a downloaded source archive or cloned repository. ```sh pip install . ``` -------------------------------- ### Install Wapiti using Makefile Source: https://github.com/wapiti-scanner/wapiti/blob/master/INSTALL.md Installs Wapiti using the provided Makefile. ```sh make install ``` -------------------------------- ### HTTP Request Example Source: https://github.com/wapiti-scanner/wapiti/blob/master/tests/reports/data/report.html An example of an HTTP GET request used to fingerprint web technologies. ```http GET /?foo=bar HTTP/1.1 ``` -------------------------------- ### Perform a Basic Website Scan Source: https://github.com/wapiti-scanner/wapiti/wiki/Home Start scanning a website with Wapiti using a simple command. Replace 'http://example.com' with the target URL. ```bash wapiti -u http://example.com ``` -------------------------------- ### Install Wapiti using pip Source: https://github.com/wapiti-scanner/wapiti/blob/master/INSTALL.md Installs the latest stable version of Wapiti from the Python Package Index. ```sh pip install wapiti3 ``` -------------------------------- ### Wapiti GET Request Example Source: https://github.com/wapiti-scanner/wapiti/blob/master/doc/example.txt Example of a GET request to test for SQL injection vulnerabilities. This request targets a specific URL and includes a payload designed to trigger a time-based SQL injection. ```text GET /users/WackoPicko/website/admin/index.php?page=sleep%287%29%231 HTTP/1.1 Host: wackopicko ``` -------------------------------- ### Dummy Raw Output Example Source: https://github.com/wapiti-scanner/wapiti/blob/master/doc/integration_system.md An example of a raw output from the Wapiti scanner, demonstrating the structure of vulnerabilities and info sections. ```json { "vulnerabilities": { "A dummy vuln":{ "wanted_data": 34, "wanted_array": [ { "wanted_array_data": "blablabla", "bloat_array_data": 455 }, { "wanted_array_data": "blebleble", "bloat_array_data": 456 }, { "wanted_array_data": "bliblibli", "bloat_array_data": 457 } ], "bloat_data": "blablabla" } }, "info":{ "value1": 1, "value2": 2, "value3": 3, "value4": 4, "value5": 5 } } ``` -------------------------------- ### Catching BaseException in mod_takeover.py (First Instance) Source: https://github.com/wapiti-scanner/wapiti/blob/master/pylint-ignore.md This example from mod_takeover.py demonstrates catching a broad 'except BaseException:'. The intention is to continue processing if an exception occurs during DNS resolution. ```python except BaseException: continue ``` -------------------------------- ### Run Wapiti from source for developers Source: https://github.com/wapiti-scanner/wapiti/blob/master/INSTALL.md Allows developers to run Wapiti directly from the source code without a full installation, provided dependencies are met. ```sh python3 bin/wapiti -u http://example.com/ ``` -------------------------------- ### Wapiti POST Request Example Source: https://github.com/wapiti-scanner/wapiti/blob/master/doc/example.txt Example of a POST request to test for vulnerabilities. This request includes authentication credentials and a payload in the body, targeting a login page. ```text POST /users/WackoPicko/website/admin/index.php?page=sleep%287%29%231 HTTP/1.1 Host: wackopicko Referer: http://wackopicko/admin/index.php?page=login Content-Type: application/x-www-form-urlencoded adminname=default&password=letmein ``` -------------------------------- ### Execute Scan with Common and XXE Modules Source: https://github.com/wapiti-scanner/wapiti/wiki/Choosing-attack-modules This is a practical example of running a Wapiti scan against a target URL, utilizing both common attack modules and the XXE module. ```bash wapiti -u http://example.com -m common,xxe ``` -------------------------------- ### Hotjar Initialization Script Source: https://github.com/wapiti-scanner/wapiti/blob/master/tests/data/js_links.html This script initializes the Hotjar tracking service for website analytics. It should be included in the page's head section to ensure proper tracking setup. ```javascript ( function(h,o,t,j,a,r){ h.hj=h.hj||function(){(h.hj.q=h.hj.q||[]).push(arguments)}; h._hjSettings={hjid:1284127,hjsv:6}; a=o.getElementsByTagName('head')[0]; r=o.createElement('script');r.async=1; r.src=t+h._hjSettings.hjid+j+h._hjSettings.hjsv; a.appendChild(r); } )( window,document,'https://static.hotjar.com/c/hotjar-','.js?sv=' ); ``` -------------------------------- ### Wapiti Command-Line with Browser Cookies Source: https://github.com/wapiti-scanner/wapiti/blob/master/doc/example.txt Example of launching Wapiti using the command line, specifying a target URL, an exclusion URL, and reusing cookies from a Firefox browser session. Only 'chrome' and 'firefox' are supported browser values. ```bash wapiti -u http://wackopicko/ -x http://wackopicko/users/logout.php -c firefox ``` -------------------------------- ### Example Python Auth Script for Juice Shop Login Source: https://github.com/wapiti-scanner/wapiti/blob/master/doc/cookies_and_scripts_auth.md This script demonstrates how to log into juice-shop by forging a login request, extracting a token from the JSON response, creating a cookie, and setting it on the crawler configuration. It then verifies the login and overwrites the crawler configuration's cookies. ```Python import json from http.cookiejar import Cookie from wapitiCore.net import Request from wapitiCore.net.crawler import AsyncCrawler from wapitiCore.net.classes import CrawlerConfiguration async def run(crawler_configuration: CrawlerConfiguration, auth_url: str,headless: str = "no"): # Instantiate an AsyncCrawler async with AsyncCrawler.with_configuration(crawler_configuration) as crawler: # Forge the login request request = Request( "https://juice-shop.herokuapp.com/rest/user/login", post_params='{"email":"toto@toto.com","password":"123456"}', enctype="application/json" ) # Send it response = await crawler.async_send(request) data = response.json if not data: print("authentication failed") exit() # Extract the token from the JSON response token = data["authentication"]["token"] print(f"token is {token}") # Create a cookie with the token found in JSON data cookie = Cookie( version=0, name="token", value=token, port=None, port_specified=False, domain="juice-shop.herokuapp.com", domain_specified=True, domain_initial_dot=False, path="/", path_specified=True, secure=False, expires=None, discard=True, comment=None, comment_url=None, rest={'HttpOnly': None}, rfc2109=False ) # Set it on the current crawler crawler.cookie_jar.set_cookie(cookie) # Try it request = Request( "https://juice-shop.herokuapp.com/rest/user/whoami", ) response = await crawler.async_get( request, ) try: print(f'Login successful with user ID {response.json["user"]["id"]}') except KeyError: print("Authentication failed") exit() # Overwrite cookies on crawler configuration so Wapiti can use them for scanning and attacks crawler_configuration.cookies = crawler.cookie_jar ``` -------------------------------- ### Example behavior.json for Wapiti Integration Tests Source: https://github.com/wapiti-scanner/wapiti/blob/master/doc/integration_system.md Defines the behavior of Wapiti for integration tests, including modules, supplementary arguments, report filters, and multiple targets. ```JSON { "test_dummy_name": { "modules": "dummy", "supplementary_argument": "--auth-method digest", "report_filter_tree": {}, "targets": [ { "name": "http://dummy_target/endpoint1/index.php" }, { "name": "http://dummy_target/endpoint2/index.php", "supplementary_argument": "--endpoint http://endpoint/" }, { "name": "http://built_dummy_target", "supplementary_argument": "--auth-method basic", "erase_global_supplementary": true } ] } } ``` -------------------------------- ### Semi-Automated JavaScript Crawling with mitmproxy Source: https://github.com/wapiti-scanner/wapiti/wiki/Advanced-Crawling Run Wapiti with `--mitm-port` to launch an intercepting proxy. Configure your browser to use this proxy to crawl JavaScript-heavy sites. Requires mitmproxy installation. ```bash wapiti -u "http://target.tld" --mitm-port 8080 ``` -------------------------------- ### Add Starting URLs for Wapiti Scan Source: https://github.com/wapiti-scanner/wapiti/wiki/Adding-and-excluding-URLs Use the -s option to add specific URLs or a file containing URLs to the initial scan. These URLs are treated with a depth of 0 and are scanned even if they are outside the specified scope. ```bash wapiti -u http://example.com -s http://example.com/login -s urls.txt ``` -------------------------------- ### Display Basic Usage Help Source: https://github.com/wapiti-scanner/wapiti/blob/master/README.rst Use this command in the prompt to display the basic usage instructions for Wapiti. ```bash wapiti -h ``` -------------------------------- ### Reflected Cross Site Scripting PoC Source: https://github.com/wapiti-scanner/wapiti/blob/master/tests/reports/data/report.txt Example of a malicious GET request to trigger reflected cross-site scripting. This can be used to test for input validation vulnerabilities. ```text GET /riri?foo=bar HTTP/1.1 ``` ```bash curl "http://perdu.com/riri?foo=bar" ``` -------------------------------- ### Reflected Cross Site Scripting Evil Request Source: https://github.com/wapiti-scanner/wapiti/blob/master/tests/reports/data/report_level1.md This snippet shows an example of an HTTP GET request that could be used to exploit a Reflected Cross Site Scripting vulnerability. It targets a specific parameter 'foo'. ```http GET /riri?foo=bar HTTP/1.1 ``` -------------------------------- ### Initialize Integration Tests Source: https://github.com/wapiti-scanner/wapiti/blob/master/doc/integration_system.md Use this script to set up default integration tests. It creates a folder, assertion folder, symlink to check.sh, behavior.json, and docker-compose.setup.yml. You can supply multiple test names as arguments. ```Bash ./init_test.sh test_dummy_1 test_dummy_2 test_dummy_3 ``` -------------------------------- ### HTTP Authentication with Username, Password, and Method Source: https://github.com/wapiti-scanner/wapiti/wiki/HTTP--and-web-authentication Configure username, password, and the authentication method (basic, digest, or ntlm) for HTTP authentication. ```bash wapiti --auth-user admin --auth-password pass123 --auth-method basic ``` -------------------------------- ### Vue.js App Creation and Mounting Source: https://github.com/wapiti-scanner/wapiti/blob/master/tests/integration/test_mod_wapp/websites/vuejs/index.html This snippet demonstrates how to create a Vue.js application instance and mount it to an HTML element. It initializes data with a message that will be displayed in the template. ```javascript const { createApp } = Vue createApp({ data() { return { message: 'Hello Vue!', } } }).mount('#app') ``` -------------------------------- ### List Available Attack Modules Source: https://github.com/wapiti-scanner/wapiti/wiki/Home Run this command to see an exhaustive list of supported attack modules in Wapiti. ```bash wapiti --list-modules ``` -------------------------------- ### Get Cookies with Wapiti-getcookie Source: https://github.com/wapiti-scanner/wapiti/blob/master/doc/example.txt Use `wapiti-getcookie` to log in to a website and save authentication cookies to a file. This is useful for authenticated scans. ```bash wapiti-getcookie -u http://wackopicko/users/login.php -c cookies.json ``` ```bash wapiti-getcookie -u http://wackopicko/users/login.php -c cookies.json -d "username=wanda&password=wanda" ``` -------------------------------- ### Create a virtual environment Source: https://github.com/wapiti-scanner/wapiti/blob/master/INSTALL.md Creates a new virtual environment for Wapiti to avoid system dependency conflicts. ```sh python -m venv wapiti3_env ``` -------------------------------- ### Custom Wapiti Report Filter Example Source: https://github.com/wapiti-scanner/wapiti/blob/master/doc/integration_system.md A custom filter designed to retain specific data ('wanted_data', 'wanted_array') from vulnerabilities and all 'info' entries, while excluding 'bloat_data'. ```json { "vulnerabilities":{ "A dummy vuln":{ "wanted_data": 0, "wanted_array":[ { "wanted_array_data": "" } ] } }, "info":{} } ``` -------------------------------- ### Run Integration Tests Source: https://github.com/wapiti-scanner/wapiti/blob/master/doc/integration_system.md Executes the integration tests. This command generates reports in the `.test` directory. ```Bash ./run.sh ``` -------------------------------- ### Scan API using local Swagger file Source: https://github.com/wapiti-scanner/wapiti/wiki/Attacking-APIs Use this command to initiate a scan using a local Swagger JSON file. Ensure the file path is correct. ```bash wapiti -u "http://target.tld" --swagger /path/to/swagger.json ``` -------------------------------- ### Internal Server Error Evil Request Source: https://github.com/wapiti-scanner/wapiti/blob/master/tests/reports/data/report.md This snippet shows an HTTP GET request that may trigger an Internal Server Error. It is used to identify potential server-side issues. ```http GET /fifi HTTP/1.1 ``` -------------------------------- ### Creating a Symbolic Link for check.sh Source: https://github.com/wapiti-scanner/wapiti/blob/master/doc/integration_system.md When creating a new integration test scenario, you can either use the default check.sh script by creating a symbolic link, or write your own custom check script. ```Bash # Admitting you are at the root of the git project : ln -s ../../check.sh tests/integrations/test_dummy_name/assertions/check.sh ``` -------------------------------- ### Wapiti Scan Output: SQL Module Source: https://github.com/wapiti-scanner/wapiti/blob/master/doc/example.txt Example of Wapiti's output when the 'sql' module is run, showing detected SQL injection vulnerabilities via injection in the 'page' parameter. ```text [*] Launching module sql --- Received a HTTP 500 error in http://wackopicko/admin/index.php Evil request: GET /users/WackoPicko/website/admin/index.php?page=%C2%BF%27%22%28 HTTP/1.1 Host: wackopicko --- --- Received a HTTP 500 error in http://wackopicko/admin/index.php Evil request: POST /users/WackoPicko/website/admin/index.php?page=%C2%BF%27%22%28 HTTP/1.1 Host: wackopicko Referer: http://wackopicko/admin/index.php?page=login Content-Type: application/x-www-form-urlencoded adminname=default&password=letmein --- ``` -------------------------------- ### Wapiti Scan Output: File Module Source: https://github.com/wapiti-scanner/wapiti/blob/master/doc/example.txt Example of Wapiti's output when the 'file' module is run, indicating a detected remote inclusion vulnerability via injection in the 'page' parameter. ```text [*] Launching module file --- Remote inclusion vulnerability in http://wackopicko/admin/index.php via injection in the parameter page Evil request: GET /users/WackoPicko/website/admin/index.php?page=http%3A%2F%2Fwww.google.fr%2F%3F HTTP/1.1 Host: wackopicko --- --- Remote inclusion vulnerability in http://wackopicko/admin/index.php via injection in the parameter page Evil request: POST /users/WackoPicko/website/admin/index.php?page=http%3A%2F%2Fwww.google.fr%2F%3F HTTP/1.1 Host: wackopicko Referer: http://wackopicko/admin/index.php?page=login Content-Type: application/x-www-form-urlencoded adminname=default&password=letmein --- ``` -------------------------------- ### Integration Test Runner Usage Source: https://github.com/wapiti-scanner/wapiti/blob/master/doc/integration_system.md This is the main entrypoint for running integration tests. It accepts several options to control the test execution and build process. ```Bash Entrypoint to run integration tests Usage: ./run.sh [options] Options: --help Display this message and exit --docker-clean Kill containers, remove and prune all docker images, volumes, and system, be carefull when using this option --verbose-build Print the build messages before running the tests --debug-containers Attach all containers to the STDOUT ``` -------------------------------- ### Wapiti Scan Output: Exec Module Source: https://github.com/wapiti-scanner/wapiti/blob/master/doc/example.txt Example of Wapiti's output when the 'exec' module is run, showing a detected PHP evaluation vulnerability via injection in the 'page' parameter. ```text [*] Launching module exec --- Received a HTTP 500 error in http://wackopicko/admin/index.php Evil request: GET /users/WackoPicko/website/admin/index.php?page=%3Benv HTTP/1.1 Host: wackopicko --- --- PHP evaluation in http://wackopicko/admin/index.php via injection in the parameter page Evil request: GET /users/WackoPicko/website/admin/index.php?page=data%3A%3Bbase64%2CPD9waHAgZWNobyAndzRwMXQxJywnX2V2YWwnOyA%2FPg%3D%3D HTTP/1.1 Host: wackopicko --- --- Received a HTTP 500 error in http://wackopicko/admin/index.php Evil request: POST /users/WackoPicko/website/admin/index.php?page=%3Benv HTTP/1.1 Host: wackopicko Referer: http://wackopicko/admin/index.php?page=login Content-Type: application/x-www-form-urlencoded adminname=default&password=letmein --- --- PHP evaluation in http://wackopicko/admin/index.php via injection in the parameter page Evil request: POST /users/WackoPicko/website/admin/index.php?page=data%3A%3Bbase64%2CPD9waHAgZWNobyAndzRwMXQxJywnX2V2YWwnOyA%2FPg%3D%3D HTTP/1.1 Host: wackopicko Referer: http://wackopicko/admin/index.php?page=login Content-Type: application/x-www-form-urlencoded adminname=default&password=letmein --- ```