Wapiti is another terminal-based web vulnerability scanner, which sends GET and POST requests to target sites looking for the following vulnerabilities (http://wapiti.sourceforge.net/):
- File disclosure
- Database injection
- Cross-Site Scripting (XSS)
- Command execution detection
- CRLF injection
- XML External Entity (XXE) injection
- Use of known, potentially dangerous files
- Weak .htaccess configurations that can be bypassed
- Presence of backup files that give sensitive information (source code disclosure)
In this recipe, we will use Wapiti to discover vulnerabilities in one of our test applications and generate a report of the scan.
