3.2.1

What's Changed

• Bump aiohttp from 3.9.4 to 3.10.2 by @dependabot in #610
• crawler: fix empty enctype case by @devl00p in #614
• Fix integration tests by @devl00p in #615
• remove stale dependency on "six" by @a-detiste in #616
• Fix documentation by @devl00p in #620
• doc: fix wiki link in readme file by @devl00p in #622
• Remove the need for the asyncio stop Event on attacks by @devl00p in #626
• fix a step of the dns endpoint dockerfile for integration tests by @devl00p in #627
• Prepare v3.2.1 by @devl00p in #628

New Contributors

• @a-detiste made their first contribution in #616

Full Changelog: 3.2.0...3.2.1

v3.2.0:

• Update mod_nikto, mod_wapp databases
• Search known CVEs for software versions versions found by mod_wapp
• Add --cookie-value option to easily pass cookies to the crawler
• Add a mod_ldap module for error-based and boolean-based LDAP injection
• mod_ssl is now based on the sslcan binary, install it on our own
• Improvements on mod_network_device (detect Citrix, CheckPoint, FortiWeb, FortiNet, Harbor, etc)
• Scan APIs given a Swagger (OpenAPI) file
• Add capabilities to inject payloads inside JSON bodies
• Add Wordpress module and theme enumeration
• Add Drupal, SPIP, Joomla, PrestaShop enumeration module

3.1.8

mod_spring4shell: New Module to detect the Spring4Shell vulnerability
mod_upload: New module to detect unrestricted file uploads (attempt to upload PHP code)
mod_https_redirect: New module to detect lack of redirect-to-https behavior
mod_crlf: Fix double-encoding errors
mod_methods: In-depth check of methods allowed by a web server
mod_permanentxss: Fix several bugs
mod_xss: Detect if HTML injection is allowed when XSS injection failed
mod_wapp: several improvements like CPE versions added to output
mod_log4shell: Add Ubiquiti UniFi to targets
mod_buster: Discovered assets are added to the generated report
Core: make module errors more verbose
Core: add a Dockerfile to quickly set up your own PHP endpoint
CLI: renamed some authentication options

3.1.7

Support Python 3.11

3.1.6

31/01/2023
Wapiti 3.1.6
Wappalyze: improve detection with DOM rules
Core: fix proxy option

3.1.5

LFI: adds a payload for loknop technique (chaining PHP filters)
mod_cookie: Fix bad WSTG code for bad cookie attribute
Core: use proxy settings for updating
Core: fix creds options
Core: update most dependencies

3.1.4

Wapiti 3.1.4

• Crawler: Adds support for Firefox headless (using the new --headless option)
• Core: improve authentication. You can now pass HTTP auth (basic, ntml, etc) AND login by sending creds to an HTML form
• Core: remove internationalization

Authentication related optionshave changed, check the manual page for information

3.1.3

09/07/2022: Wapiti 3.1.3

• Reports: Add a new --detailed-report option that will put HTTP responses (headers and bodies) in the report.
• Crawler: Add a new --mitm-port option that will replace the crawler with an intercepting proxy (mitmproxy)
• Core: Dropped support of Python 3.7

Fix crash after scan

Fix a crash that may occur after the crawling and before laucnhing attacks (connection pool was closed)

3.1.1

Wapiti 3.1.1
Crawler: Fix a bug preventing Wapiti to scan websites with bad ciphers (SSL 3, TLS 1.0 for example)
Report: Add some unicode emojis in the HTML report to indicate the criticality of each vulnerability
XXE: more payloads to target non-PHP applications + raise a warning when the DTD file was reached by the target but exfiltration didn't succeed
CLI: --update option will only update chosen modules
CLI: New --data option allows to launch attacks on a single POST request. This option expect a url-encoded string.