Wapiti チートシート
## 概要
Wapitiは、Webアプリケーションのブラックボックステストを実行するWebアプリケーション脆弱性スキャナです。Webページをクロールし、データを注入できるスクリプトやフォームを探します。URLsとフォーム、その入力のリストを取得すると、Wapitiはファジングのように動作し、スクリプトが脆弱かどうかを確認するためにペイロードを注入します。Wapitiは、SQLインジェクション、XSS、ファイルインクルージョン、コマンド実行などの様々な脆弱性を検出できます。
⚠️ 警告: Wapitiは、所有しているアプリケーションまたは明示的な許可を得たアプリケーションに対してのみ使用してください。無許可のテストは、サービス利用規約や地域の法律に違反する可能性があります。
インストール
Pythonパッケージのインストール
システムパッケージのインストール
Dockerインストール
手動インストール
基本的な使用方法
シンプルな脆弱性スキャン
クロールオプション
認証
脆弱性モジュール
利用可能なモジュール
モジュール固有のスキャン
詳細設定
プロキシとネットワーク設定
クロール設定
出力とレポート
特殊なスキャン
APIテスト
フォームベースのテスト
セッション管理
カスタムペイロードとルール
カスタムペイロードファイル
設定ファイル
カスタム攻撃モジュール
自動化スクリプト
包括的なスキャンスクリプト
Note: Since specific command or code details were not provided in the original text, I’ve translated the section headers and overview text. The actual translations for specific commands or code would require the complete text.```bash
Install via pip
pip install wapiti3
Install with all dependencies
pip install wapiti3[complete]
Install development version
pip install git+https://github.com/wapiti-scanner/wapiti.git
Verify installation
wapiti —version
### System Package Installation
```bash
# Ubuntu/Debian
sudo apt update
sudo apt install wapiti
# CentOS/RHEL/Fedora
sudo yum install wapiti
# or
sudo dnf install wapiti
# Arch Linux
sudo pacman -S wapiti
# macOS with Homebrew
brew install wapitiDocker Installation
# Pull Docker image
docker pull wapiti/wapiti:latest
# Run with Docker
docker run --rm -it wapiti/wapiti:latest --help
# Create alias for easier usage
echo 'alias wapiti="docker run --rm -it -v $(pwd):/data wapiti/wapiti:latest"' >> ~/.bashrc
source ~/.bashrcManual Installation
# Clone repository
git clone https://github.com/wapiti-scanner/wapiti.git
cd wapiti
# Install dependencies
pip install -r requirements.txt
# Install
python setup.py install
# Or run directly
python wapiti.py --helpBasic Usage
Simple Vulnerability Scan
# Basic scan
wapiti -u http://target.com
# Scan with specific modules
wapiti -u http://target.com -m sql,xss,file
# Scan with all modules
wapiti -u http://target.com -m all
# Verbose scan
wapiti -u http://target.com -v 2
# Quiet scan
wapiti -u http://target.com -qCrawling Options
# Set crawling depth
wapiti -u http://target.com --depth 3
# Set maximum pages to crawl
wapiti -u http://target.com --max-pages 100
# Set crawling scope
wapiti -u http://target.com --scope domain
# Include/exclude specific paths
wapiti -u http://target.com --skip-crawl "/admin,/test"
# Follow external links
wapiti -u http://target.com --scope urlAuthentication
# Basic authentication
wapiti -u http://target.com --auth-user admin --auth-password secret
# Cookie-based authentication
wapiti -u http://target.com --cookie "PHPSESSID=abc123; auth=true"
# Custom headers
wapiti -u http://target.com --headers "Authorization: Bearer token123"
# Login form authentication
wapiti -u http://target.com --auth-method form --auth-url http://target.com/login --auth-user admin --auth-password secretVulnerability Modules
Available Modules
# List all available modules
wapiti --list-modules
# SQL injection detection
wapiti -u http://target.com -m sql
# Cross-site scripting (XSS)
wapiti -u http://target.com -m xss
# File inclusion vulnerabilities
wapiti -u http://target.com -m file
# Command execution
wapiti -u http://target.com -m exec
# Cross-site request forgery (CSRF)
wapiti -u http://target.com -m csrf
# Server-side request forgery (SSRF)
wapiti -u http://target.com -m ssrf
# XML external entity (XXE)
wapiti -u http://target.com -m xxe
# Backup file detection
wapiti -u http://target.com -m backup
# Directory traversal
wapiti -u http://target.com -m traversal
# HTTP security headers
wapiti -u http://target.com -m headersModule-Specific Scans
# Comprehensive SQL injection scan
wapiti -u http://target.com -m sql --level 2
# XSS with custom payloads
wapiti -u http://target.com -m xss --payload-file xss_payloads.txt
# File inclusion with time delay
wapiti -u http://target.com -m file --timeout 10
# Command execution with specific OS
wapiti -u http://target.com -m exec --os linux
# Multiple modules
wapiti -u http://target.com -m "sql,xss,file,exec"Advanced Configuration
Proxy and Network Settings
# Use HTTP proxy
wapiti -u http://target.com --proxy http://127.0.0.1:8080
# Use SOCKS proxy
wapiti -u http://target.com --proxy socks5://127.0.0.1:9050
# Set timeout
wapiti -u http://target.com --timeout 30
# Set delay between requests
wapiti -u http://target.com --delay 2
# Set user agent
wapiti -u http://target.com --user-agent "Custom Scanner 1.0"
# Ignore SSL certificate errors
wapiti -u https://target.com --verify-ssl 0Crawling Configuration
# Set maximum crawling time
wapiti -u http://target.com --max-scan-time 3600
# Set maximum parameters per page
wapiti -u http://target.com --max-parameters 20
# Set maximum attack time per URL
wapiti -u http://target.com --max-attack-time 300
# Exclude specific file types
wapiti -u http://target.com --exclude "*.pdf,*.jpg,*.png"
# Include only specific file types
wapiti -u http://target.com --include "*.php,*.asp,*.jsp"
# Set crawling rules
wapiti -u http://target.com --crawl-rules "follow_redirects,parse_robots"Output and Reporting
# Generate HTML report
wapiti -u http://target.com -f html -o /tmp/wapiti_report.html
# Generate XML report
wapiti -u http://target.com -f xml -o /tmp/wapiti_report.xml
# Generate JSON report
wapiti -u http://target.com -f json -o /tmp/wapiti_report.json
# Generate TXT report
wapiti -u http://target.com -f txt -o /tmp/wapiti_report.txt
# Multiple output formats
wapiti -u http://target.com -f html,xml,json -o /tmp/wapiti_reportSpecialized Scanning
API Testing
# Scan REST API
wapiti -u http://api.target.com/v1 --scope domain -m "sql,xss,xxe"
# Scan with API authentication
wapiti -u http://api.target.com/v1 --headers "Authorization: Bearer token123" -m all
# Scan GraphQL endpoints
wapiti -u http://target.com/graphql -m "sql,xss" --level 2
# Scan with custom content type
wapiti -u http://api.target.com/v1 --headers "Content-Type: application/json" -m allForm-Based Testing
# Focus on forms only
wapiti -u http://target.com --attack-forms-only
# Skip GET parameters
wapiti -u http://target.com --skip-get-params
# Test specific form fields
wapiti -u http://target.com --form-data "username=admin&password=test"
# Upload file testing
wapiti -u http://target.com --upload-dir /tmp/uploads -m fileSession Management
# Use session file
wapiti -u http://target.com --session-file session.json
# Save session for later use
wapiti -u http://target.com --save-session session.json
# Resume previous scan
wapiti -u http://target.com --resume-session session.json
# Clear session data
wapiti -u http://target.com --clear-sessionCustom Payloads and Rules
Custom Payload Files
# Create custom SQL injection payloads
cat > sql_payloads.txt << 'EOF'
' OR '1'='1
' UNION SELECT NULL--
'; DROP TABLE users--
' AND SLEEP(5)--
' OR 1=1#
EOF
# Use custom payloads
wapiti -u http://target.com -m sql --payload-file sql_payloads.txt
# Create custom XSS payloads
cat > xss_payloads.txt << 'EOF'
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
javascript:alert('XSS')
<svg onload=alert('XSS')>
EOF
wapiti -u http://target.com -m xss --payload-file xss_payloads.txtConfiguration Files
# Create configuration file
cat > wapiti.conf << 'EOF'
[general]
timeout = 30
delay = 1
max_pages = 200
max_scan_time = 7200
[crawling]
depth = 3
scope = domain
follow_redirects = true
[modules]
sql = true
xss = true
file = true
exec = false
csrf = true
[output]
format = html,json
output_dir = /tmp/wapiti_reports
EOF
# Use configuration file
wapiti -u http://target.com --config wapiti.confCustom Attack Modules
#!/usr/bin/env python3
# Custom Wapiti module example
from wapitiCore.attack.attack import Attack
from wapitiCore.language.vulnerability import Vulnerability
class CustomAttack(Attack):
"""Custom attack module for Wapiti"""
name = "custom"
description = "Custom vulnerability detection"
def __init__(self, crawler, persister, logger, attack_options):
super().__init__(crawler, persister, logger, attack_options)
self.payloads = [
"custom_payload_1",
"custom_payload_2",
"custom_payload_3"
]
def attack(self, http_res):
"""Main attack method"""
url = http_res.url
for payload in self.payloads:
# Inject payload and test response
test_url = f"\\\\{url\\\\}?test=\\\\{payload\\\\}"
try:
response = self.crawler.get(test_url)
if self.is_vulnerable(response):
vuln = Vulnerability(
category="Custom Vulnerability",
level=Vulnerability.HIGH_LEVEL,
request=response.http_request,
info="Custom vulnerability detected"
)
self.add_vuln(vuln)
except Exception as e:
self.logger.error(f"Error testing \\\\{test_url\\\\}: \\\\{e\\\\}")
def is_vulnerable(self, response):
"""Check if response indicates vulnerability"""
indicators = ["error", "exception", "debug"]
return any(indicator in response.content.lower() for indicator in indicators)Automation Scripts
Comprehensive Scanning Script
#!/bin/bash
# Comprehensive web application security scan
TARGET="$1"
OUTPUT_DIR="wapiti_scan_$(date +%Y%m%d_%H%M%S)"
if [ -z "$TARGET" ]; then
echo "Usage: $0 <target_url>"
exit 1
fi
mkdir -p "$OUTPUT_DIR"
echo "[+] Starting comprehensive scan for: $TARGET"
# Basic vulnerability scan
echo "[+] Running basic vulnerability scan..."
wapiti -u "$TARGET" \
-m "sql,xss,file,exec,csrf,ssrf" \
-f html,json \
-o "$OUTPUT_DIR/basic_scan" \
--level 2 \
--timeout 30 \
--max-pages 500
# Deep SQL injection scan
echo "[+] Running deep SQL injection scan..."
wapiti -u "$TARGET" \
-m sql \
-f json \
-o "$OUTPUT_DIR/sql_scan.json" \
--level 3 \
--timeout 60
# XSS focused scan
echo "[+] Running XSS focused scan..."
wapiti -u "$TARGET" \
-m xss \
-f json \
-o "$OUTPUT_DIR/xss_scan.json" \
--level 2 \
--timeout 30
# File inclusion scan
echo "[+] Running file inclusion scan..."
wapiti -u "$TARGET" \
-m file \
-f json \
-o "$OUTPUT_DIR/file_scan.json" \
--level 2
# Backup file detection
echo "[+] Running backup file detection..."
wapiti -u "$TARGET" \
-m backup \
-f json \
-o "$OUTPUT_DIR/backup_scan.json"
# Security headers check
echo "[+] Checking security headers..."
wapiti -u "$TARGET" \
-m headers \
-f json \
-o "$OUTPUT_DIR/headers_scan.json"
echo "[+] Scan completed. Results saved to: $OUTPUT_DIR"
# Generate summary
python3 ``<< EOF
import json
import os
from collections import defaultdict
results_dir = "$OUTPUT_DIR"
vulnerabilities = defaultdict(list)
for filename in os.listdir(results_dir):
if filename.endswith('.json'):
filepath = os.path.join(results_dir, filename)
try:
with open(filepath, 'r') as f:
data = json.load(f)
if 'vulnerabilities' in data:
for vuln in data['vulnerabilities']:
vuln_type = vuln.get('type', 'Unknown')
vulnerabilities[vuln_type].append(vuln)
except Exception as e:
print(f"Error processing \\\{filename\\\}: \\\{e\\\}")
print("\\n=== VULNERABILITY SUMMARY ===")
total_vulns = 0
for vuln_type, vulns in vulnerabilities.items():
count = len(vulns)
total_vulns += count
print(f"\\\{vuln_type\\\}: \\\{count\\\}")
print(f"\\nTotal vulnerabilities found: \\\{total_vulns\\\}")
# Save summary
summary = \\\{
'total_vulnerabilities': total_vulns,
'by_type': \\\{k: len(v) for k, v in vulnerabilities.items()\\\}
\\\}
with open(os.path.join(results_dir, 'summary.json'), 'w') as f:
json.dump(summary, f, indent=2)
EOF
```### 継続的モニタリングスクリプト
```bash
#!/bin/bash
# Continuous web application monitoring
CONFIG_FILE="monitor_config.conf"
LOG_FILE="wapiti_monitor.log"
# Configuration
TARGETS=(
"https://app1.example.com"
"https://app2.example.com"
"https://api.example.com"
)
SCAN_INTERVAL=86400 # 24 hours
ALERT_EMAIL="security@example.com"
log_message() \\\{
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"|tee -a "$LOG_FILE"
\\\}
send_alert() \\\{
local target="$1"
local vuln_count="$2"
local report_file="$3"
if [ "$vuln_count" -gt 0 ]; then
log_message "ALERT: $vuln_count vulnerabilities found in $target"
# Send email alert (requires mail command)
if command -v mail >``/dev/null 2>&1; then
echo "Wapiti scan found $vuln_count vulnerabilities in $target. See attached report."|\
mail -s "Security Alert: Vulnerabilities Detected" -A "$report_file" "$ALERT_EMAIL"
fi
fi
\\\\}
scan_target() \\\\{
local target="$1"
local timestamp=$(date +%Y%m%d_%H%M%S)
local output_dir="monitor_$\\\\{timestamp\\\\}"
local report_file="$\\\\{output_dir\\\\}/scan_report.json"
log_message "Starting scan for: $target"
mkdir -p "$output_dir"
# Run Wapiti scan
wapiti -u "$target" \
-m "sql,xss,file,exec,csrf" \
-f json \
-o "$report_file" \
--timeout 30 \
--max-pages 200 \
--level 1 \
2>>"$LOG_FILE"
if [ -f "$report_file" ]; then
# Count vulnerabilities
vuln_count=$(python3 -c "
import json
try:
with open('$report_file', 'r') as f:
data = json.load(f)
print(len(data.get('vulnerabilities', [])))
except:
print(0)
")
log_message "Scan completed for $target. Found $vuln_count vulnerabilities."
send_alert "$target" "$vuln_count" "$report_file"
# Cleanup old reports (keep last 10)
ls -t monitor_*/scan_report.json 2>/dev/null|tail -n +11|xargs rm -f 2>/dev/null
else
log_message "ERROR: Scan failed for $target"
fi
\\\\}
# Main monitoring loop
while true; do
log_message "Starting monitoring cycle"
for target in "$\\\\{TARGETS[@]\\\\}"; do
scan_target "$target"
sleep 60 # Wait between targets
done
log_message "Monitoring cycle completed. Sleeping for $SCAN_INTERVAL seconds."
sleep "$SCAN_INTERVAL"
done
```### CI/CD 統合スクリプト
```bash
#!/bin/bash
# CI/CD pipeline integration script
set -e
TARGET_URL="$1"
FAIL_ON_VULN="$\\\\{2:-true\\\\}"
OUTPUT_DIR="wapiti_ci_$(date +%Y%m%d_%H%M%S)"
if [ -z "$TARGET_URL" ]; then
echo "Usage: $0 <target_url> [fail_on_vulnerabilities]"
exit 1
fi
mkdir -p "$OUTPUT_DIR"
echo "Starting security scan for: $TARGET_URL"
# Run Wapiti scan
wapiti -u "$TARGET_URL" \
-m "sql,xss,file,exec,csrf" \
-f json,html \
-o "$OUTPUT_DIR/security_scan" \
--timeout 30 \
--max-pages 100 \
--level 1
# Process results
REPORT_FILE="$OUTPUT_DIR/security_scan.json"
if [ -f "$REPORT_FILE" ]; then
# Count vulnerabilities by severity
python3 << EOF
import json
import sys
with open('$REPORT_FILE', 'r') as f:
data = json.load(f)
vulnerabilities = data.get('vulnerabilities', [])
total = len(vulnerabilities)
severity_counts = \\\\{'high': 0, 'medium': 0, 'low': 0\\\\}
for vuln in vulnerabilities:
severity = vuln.get('level', 'low').lower()
if severity in severity_counts:
severity_counts[severity] += 1
print(f"Security Scan Results:")
print(f"Total vulnerabilities: \\\\{total\\\\}")
print(f"High severity: \\\\{severity_counts['high']\\\\}")
print(f"Medium severity: \\\\{severity_counts['medium']\\\\}")
print(f"Low severity: \\\\{severity_counts['low']\\\\}")
# Exit with error code if vulnerabilities found and fail_on_vuln is true
if '$FAIL_ON_VULN' == 'true' and total > 0:
print("\\nSecurity vulnerabilities detected. Failing build.")
sys.exit(1)
else:
print("\\nSecurity scan completed successfully.")
sys.exit(0)
EOF
else
echo "ERROR: Scan report not found"
exit 1
fi
```## 他のツールとの統合
```bash
# Use Burp as proxy for Wapiti
wapiti -u http://target.com --proxy http://127.0.0.1:8080
# Export discovered URLs to Burp
wapiti -u http://target.com --crawl-only -f txt -o burp_targets.txt
```### Burp Suite 統合
```bash
# Use ZAP as proxy
wapiti -u http://target.com --proxy http://127.0.0.1:8080
# Generate ZAP-compatible report
wapiti -u http://target.com -f xml -o zap_import.xml
```### OWASP ZAP 統合
```bash
# Extract URLs for Nuclei
wapiti -u http://target.com --crawl-only --format txt|grep -E '^http' > nuclei_targets.txt
# Run Nuclei on discovered URLs
nuclei -l nuclei_targets.txt -t /path/to/nuclei-templates/
```### Nuclei 統合
```bash
# Increase crawling timeout
wapiti -u http://target.com --timeout 60
# Reduce crawling depth
wapiti -u http://target.com --depth 1
# Skip problematic URLs
wapiti -u http://target.com --skip-crawl "/problematic-path"
# Use different user agent
wapiti -u http://target.com --user-agent "Mozilla/5.0 (compatible; Scanner)"
```#### クローリングの問題
```bash
# Debug authentication
wapiti -u http://target.com --auth-user admin --auth-password secret -v 2
# Use cookie authentication instead
wapiti -u http://target.com --cookie "session=valid_session_id"
# Test authentication manually first
curl -u admin:secret http://target.com/protected
```#### 認証の問題
```bash
# Reduce scan scope
wapiti -u http://target.com --max-pages 50
# Increase delays
wapiti -u http://target.com --delay 3
# Use fewer modules
wapiti -u http://target.com -m "sql,xss"
# Set scan time limit
wapiti -u http://target.com --max-scan-time 1800
```#### パフォーマンスの問題
```bash
# Disable SSL verification
wapiti -u https://target.com --verify-ssl 0
# Use specific SSL version
wapiti -u https://target.com --ssl-version TLSv1.2
# Debug SSL issues
wapiti -u https://target.com -v 2 --verify-ssl 0
```#### SSL/TLS の問題
```bash
# Enable verbose logging
wapiti -u http://target.com -v 2
# Save debug information
wapiti -u http://target.com -v 2 2>&1|tee wapiti_debug.log
# Test specific module
wapiti -u http://target.com -m sql -v 2
# Dry run (crawl only)
wapiti -u http://target.com --crawl-only -v 1
```### デバッグとログ記録
https://wapiti-scanner.github.io/- [公式 Wapiti ドキュメント](
https://github.com/wapiti-scanner/wapiti- [Wapiti GitHub リポジトリ](
https://owasp.org/www-project-web-security-testing-guide/- [OWASP Web セキュリティテストガイド](
https://owasp.org/www-community/Vulnerability_Scanning_Tools- [Web アプリケーションセキュリティスキャナー評価](
https://docs.python.org/3/library/security_warnings.html- [Python セキュリティテスト](
https://www.sans.org/white-papers/2178/- [Web アプリケーション侵入テスト](
https://owasp.org/www-community/controls/Static_Code_Analysis- [自動セキュリティテスト](
---
*このチートシートは、Web アプリケーションの脆弱性スキャンに Wapiti を使用するための包括的なリファレンスを提供します。このツールを任意の環境で使用する前に、必ず適切な承認を得てください。*