3.1.8

mod_spring4shell: New Module to detect the Spring4Shell vulnerability
mod_upload: New module to detect unrestricted file uploads (attempt to upload PHP code)
mod_https_redirect: New module to detect lack of redirect-to-https behavior
mod_crlf: Fix double-encoding errors
mod_methods: In-depth check of methods allowed by a web server
mod_permanentxss: Fix several bugs
mod_xss: Detect if HTML injection is allowed when XSS injection failed
mod_wapp: several improvements like CPE versions added to output
mod_log4shell: Add Ubiquiti UniFi to targets
mod_buster: Discovered assets are added to the generated report
Core: make module errors more verbose
Core: add a Dockerfile to quickly set up your own PHP endpoint
CLI: renamed some authentication options

3.1.7

Support Python 3.11

3.1.6

31/01/2023
Wapiti 3.1.6
Wappalyze: improve detection with DOM rules
Core: fix proxy option

3.1.5

LFI: adds a payload for loknop technique (chaining PHP filters)
mod_cookie: Fix bad WSTG code for bad cookie attribute
Core: use proxy settings for updating
Core: fix creds options
Core: update most dependencies

3.1.4

Wapiti 3.1.4

• Crawler: Adds support for Firefox headless (using the new --headless option)
• Core: improve authentication. You can now pass HTTP auth (basic, ntml, etc) AND login by sending creds to an HTML form
• Core: remove internationalization

Authentication related optionshave changed, check the manual page for information

3.1.3

09/07/2022: Wapiti 3.1.3

• Reports: Add a new --detailed-report option that will put HTTP responses (headers and bodies) in the report.
• Crawler: Add a new --mitm-port option that will replace the crawler with an intercepting proxy (mitmproxy)
• Core: Dropped support of Python 3.7

Fix crash after scan

Fix a crash that may occur after the crawling and before laucnhing attacks (connection pool was closed)

3.1.1

Wapiti 3.1.1
Crawler: Fix a bug preventing Wapiti to scan websites with bad ciphers (SSL 3, TLS 1.0 for example)
Report: Add some unicode emojis in the HTML report to indicate the criticality of each vulnerability
XXE: more payloads to target non-PHP applications + raise a warning when the DTD file was reached by the target but exfiltration didn't succeed
CLI: --update option will only update chosen modules
CLI: New --data option allows to launch attacks on a single POST request. This option expect a url-encoded string.

3.1.0

Wapiti 3.1.0
Crawler: Fix passing named "button" tags in HTML forms
Modules: Skip modules that fails to load properly (missing dependencies, code error, etc)
Log4Shell: Attack POST parameters too, support for attacks on VMWare vSphere and some Apache products (Struts, Druid and Solr)
CSRF: Django anti-CSRF token added to the whitelist
Modules: Added references to WSTG code for each supported attack, separate Reflected XSS from Stored XSS in reports
Crawler: Improved the parsing of HTML redirections (meta refresh)
HashThePlanet: Added a new module to detect technologies and software versions based on the hashes of files.
Crawler: Removed httpx-socks dependencies in favor of builtin SOCKS support in httpx. SOCKS support is fixed.
Crawler: Upgraded httpcore to latest version in order to fix the ValueError exception that could occur on modules with high concurrency (buster, nikto)
Core: Load correctly resources if Wapiti is running from an egg file.