commands // 2026-01-05 // ID: REF-Wapiti Command List

Wapiti Command List


Wapiti Command Guide

Wapiti is a web application vulnerability scanner. It performs "black-box" scans (it doesn't study the source code) of the web application by crawling the webpages of the deployed webapp, looking for scripts and forms where it can inject data.

Top 10 Useful Commands

1. Basic Scan

wapiti -u http://example.com

Explanation: Standard scan.

2. Scope

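wapiti -u http://example.com --scope folder

Explanation: Limit the scan scope to URLs under the base URL's folder. In Wapiti 3 the scope is set with --scope; the short option -s is --start, which adds an extra start URL.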

3. Modules

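wapiti -u http://example.com -m xss,timesql

Explanation: Only test for XSS and Blind SQLi. The blind SQLi module is named timesql in current releases (blindsql in older 3.0.x releases); wapiti --list-modules prints the module names your version accepts.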

4. Auth

wapiti -u http://example.com -a user%password

Explanation: HTTP Basic authentication, with the credentials given as user%password.

5. Cookie

wapiti -u http://example.com -c cookie.json

Explanation: Load cookies from file.

6. Exclude URL

wapiti -u http://example.com -x http://example.com/logout

Explanation: Do not scan the logout page.

7. Output Format

wapiti -u http://example.com -f html -o report.html

Explanation: Generate HTML report.

8. Timeout

wapiti -u http://example.com --timeout 10

Explanation: Set request timeout.

9. Level (Depth)

wapiti -u http://example.com -d 5

Explanation: Set the maximum crawling depth.

10. Verify SSL

wapiti -u https://example.com --verify-ssl 0

Explanation: Disable SSL/TLS certificate verification, for example when the target uses a self-signed certificate.

The Most Powerful Command

wapiti -u http://target.com -m all -f html -o report.html --color

Explanation: Full module scan with a readable HTML report output.