
How to pass user credentials through Wapiti Web Application Vulnerability Scanner


I would like to test our web application with the Wapiti scanner. In my scenario, I am assuming the attacker would be an authenticated user. How do I configure Wapiti to use a specific username and password on our login form so I can test the pages behind it?

Note: this is not HTTP or domain-based authentication.


Solution

  • You need to use wapiti-getcookie first to collect the cookies associated with logging in. These typically get collected to a file, which can then be passed on subsequent runs to wapiti.

    The following is verbatim from the Wapiti example on the site.

    Example

    First, I use wapiti-getcookie to log in to the restricted area and get the cookie in cookies.json:

    $ python bin/wapiti-getcookie /tmp/cookies.json http://127.0.0.1/vuln/login.php
    <Cookie PHPSESSID=OLPNLIEBPEFELBIFGMKJEKOD for 127.0.0.1/>
    Please enter values for the following form: 
    url = http://127.0.0.1/vuln/login.php
    username (default) : admin
    password (letmein) : secret
    <Cookie PHPSESSID=OLPNLIEBPEFELBIFGMKJEKOD for 127.0.0.1/>
    

    It can also be done with wapiti-cookie this way:

    $ python bin/wapiti-cookie /tmp/cookies.json \
           http://127.0.0.1/vuln/login.php username=admin password=secret
    

    Then, I scan the vulnerable website using the cookie and excluding the logout script:

    $ wapiti http://127.0.0.1/vuln/ -c /tmp/cookies.json -x http://127.0.0.1/vuln/logout.php
    

    References

    Wapiti Example
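
Added example, not part of the original answer or of Wapiti: a check that a saved session cookie still authenticates, run against a local stand-in app to show why the logout script is excluded with -x. The stand-in app, its session id, index.php, and the names session_is_live and start_demo_app are constructed for illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

SID = "constructed-session-id"  # constructed sample value, not a real token
LIVE_SESSIONS = {SID}           # server-side session store of the stand-in app

class DemoApp(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a form-login app (paths mirror the example)."""
    def do_GET(self):
        sid = self.headers.get("Cookie", "").partition("PHPSESSID=")[2].split(";")[0]
        if self.path.endswith("/logout.php"):
            LIVE_SESSIONS.discard(sid)  # logout invalidates the session
        if sid in LIVE_SESSIONS:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"restricted area")
        else:
            self.send_response(302)  # unauthenticated: bounce to the login form
            self.send_header("Location", "/vuln/login.php")
            self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface a 302 as HTTPError instead of silently following it."""
    def redirect_request(self, *args, **kwargs):
        return None

OPENER = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))

def session_is_live(url, session_id):
    """True if url serves content for this session instead of redirecting or denying."""
    req = urllib.request.Request(url, headers={"Cookie": "PHPSESSID=" + session_id})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False

def start_demo_app():  # serves DemoApp on a free localhost port
    server = http.server.HTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/vuln/" % server.server_port

if __name__ == "__main__":
    _, base = start_demo_app()
    print("cookie valid:", session_is_live(base + "index.php", SID))
    session_is_live(base + "logout.php", SID)  # a crawler following the logout link
    print("after logout:", session_is_live(base + "index.php", SID))
```

Running the same check again after a scan shows whether the session survived; if it did not, the pages crawled after that point were tested unauthenticated.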