Skip to content
Switch branches/tags


Failed to load latest commit information.
Latest commit message
Commit time

Sitadel - Web Application Security Scanner

   _   _   _         _____ _                 _       _
  | |_| |_| |      / _____|_)  _            | |     | |
  |         |     ( (____  _ _| |_ _____  __| |_____| |
  |    _    |      \____ \| (_   _|____ |/ _  | ___ | |
  |   |_|   |      _____) ) | | |_/ ___ ( (_| | ____| |
  |         |     (______/|_|  \__)_____|\____|_____)\_) 

python3 Build Status license

Sitadel is basically an update for WAScan making it compatible for python >= 3.4 It allows more flexibility for you to write new modules and implement new features :

  • Frontend framework detection
  • Content Delivery Network detection
  • Define Risk Level to allow for scans
  • Plugin system
  • Docker image available to build and run

Table of Contents

Requirement Warning

This project ONLY supports python >= 3.4. There will be no backport to 2.7


git clone
cd Sitadel
pip3 install .
python --help


  • Fingerprints

    • Server
    • Web Frameworks (CakePHP,CherryPy,...)
    • Frontend Frameworks (AngularJS,MeteorJS,VueJS,...)
    • Web Application Firewall (Waf)
    • Content Management System (CMS)
    • Operating System (Linux,Unix,..)
    • Language (PHP,Ruby,...)
    • Cookie Security
    • Content Delivery Networks (CDN)
  • Attacks:

    • Bruteforce

      • Admin Interface
      • Common Backdoors
      • Common Backup Directory
      • Common Backup File
      • Common Directory
      • Common File
      • Log File
    • Injection

      • HTML Injection
      • SQL Injection
      • LDAP Injection
      • XPath Injection
      • Cross Site Scripting (XSS)
      • Remote File Inclusion (RFI)
      • PHP Code Injection
    • Other

      • HTTP Allow Methods
      • HTML Object
      • Multiple Index
      • Robots Paths
      • Web Dav
      • Cross Site Tracing (XST)
      • PHPINFO
      • .Listing
    • Vulnerabilities

      • ShellShock
      • Anonymous Cipher (CVE-2007-1858)
      • Crime (SPDY) (CVE-2012-4929)
      • Struts-Shock

Usage [-h] [-r {0,1,2}] [-ua USER_AGENT] [--redirect]
           [--no-redirect] [-t TIMEOUT] [-c COOKIE] [-p PROXY]
           [-f FINGERPRINT [MODULE ...]] [-a ATTACK [MODULE ...]]
           [--config CONFIG] [-v] [--version]
-h, --help Display help
-r, --risk {0,1,2} Decide the risk level you want Sitadel to run (some attacks won't be executed)
-ua, --user-agent User agent used for the HTTP request of the attacks
--redirect Indicates to Sitadel to follow the 302 request for page redirection
--no-redirect Indicates to Sitadel NOT to follow the 302 request for page redirection
-t, --timeout Specify the timeout for the HTTP requests to the website
-c, --cookie Allows to specify the cookie to send with the attack requests
-p, --proxy Allows to specify a proxy to perform the HTTP requests
-f, --fingerprint Specify the fingerprint modules to activate to scan the website {cdn,cms,framework,frontend,header,lang,server,system,waf}
-a, --attack Specify the attack modules to activate to scan the website {bruteforce, injection, vulns, other}
-c, --config Specify the config file for Sitadel scan, default one is in config/config.yml
-v, --verbosity Increase the default verbosity of the logs, for instance: -v , -vv, -vvv
--version Show Sitadel version

Modules list

cdn Try to guess if the target uses Content Delivery Network (fastly, akamai,cloudflare...)
cms Try to guess if the target uses a Content Management System (drupal,wordpress,magento...)
framework Try to guess if the target uses a backend framework (cakephp, rails, symfony...)
frontend Try to guess if the target uses a frontend framework (angularjs, jquery, vuejs...)
header Inspect the headers exchanged with the target
lang Try to guess the server language used by the target (asp, python, php...)
server Try to guess the server technology used by the target (nginx,apache...)
system Try to guess the Operation System used by the target (linux,windows...)
waf Try to guess if the target uses a Web Application Firewall (barracuda, bigip,paloalto...)
bruteforce Try to bruteforce the location of multiple files (backup files, admin consoles...)
injection Try to perform injection on various language (SQL,html,ldap, javascript...)
vulns Try to test for some known vulnerabilities (crime,shellshock)
other Try to probe for various interesting resources (DAV, htmlobjects,phpinfo,robots.txt...)


Simple run

python3 sitadel

Run with risk level at DANGEROUS and do not follow redirections

python3 sitadel -r 2 --no-redirect

Run specifics modules only and full verbosity

python3 sitadel -a bruteforce -f header server -v

Run with docker

docker build -t sitadel .

docker run sitadel