HTTP and web authentication

HTTP Authentication

Wapiti provides several options to authenticate using HTTP or web forms, allowing you to test authenticated areas of a website. You can use either basic/digest/NTLM authentication or handle web forms for login.

HTTP Authentication Options

• -a, --auth-cred
  (Deprecated)
  Set credentials to use for HTTP authentication on the target. The value should be in the form of login%password (where % is used as a separator).

  Example:

  wapiti --auth-cred user%password
  

• --auth-user
  Set the username for HTTP authentication.

• --auth-password
  Set the password for HTTP authentication.

• --auth-method
  Set the authentication mechanism to use. Valid choices are:

  • basic
  • digest
  • ntlm (may require installing an additional Python module)

  Example:

  wapiti --auth-user admin --auth-password pass123 --auth-method basic
  

Web Form Authentication Options

• --form-cred
  (Deprecated)
  Set credentials for web form authentication. The value should be in the form of login%password (where % is used as a separator).

• --form-user
  Set the username for web form authentication.

• --form-password
  Set the password for web form authentication.

• --form-url
  If --form-data is not provided, Wapiti will automatically extract and fill the login form at the given URL using the provided credentials.

  Example:

  wapiti --form-user admin --form-password pass123 --form-url https://example.com/login -u https://example.com/
  wapiti --form-data "uid=john&kpw=letmein&token=45854547" --form-url https://example.com/auth -u https://example.com/
  

• --form-enctype
  Send data specified with --form-data using the given content-type (default is "application/x-www-form-urlencoded").

• --form-script
  Use a custom Python authentication plugin (see some example here).

• --side-file
  Use a .side file generated using Selenium IDE to perform an authenticated scan.