Wapiti is an open-source web application vulnerability scanner written in Python that performs black-box testing by crawling web pages and injecting payloads to discover security flaws.
With 1,600+ GitHub stars, 249 forks, and 31 contributors, Wapiti has established itself as a reliable choice for Python-based security testing. The project maintains active development with version 3.2.10 released in November 2025.
What is Wapiti?
Wapiti is a command-line web vulnerability scanner that works as a fuzzer, injecting payloads into HTTP parameters to discover security vulnerabilities.
Unlike source code analyzers, Wapiti does not study application code but instead crawls deployed web applications and attacks them like an external attacker would.
The scanner extracts links and forms from web pages, then sends malicious payloads through GET and POST parameters, cookies, and HTTP headers.
By analyzing responses, Wapiti identifies vulnerabilities including SQL injection, cross-site scripting, command execution, and more.
Written in Python 3, Wapiti is actively maintained and included in Kali Linux.
The scanner also supports Swagger/OpenAPI specifications for automated API security testing, extending its capabilities beyond traditional web page crawling.
Its modular architecture allows security researchers to extend it with custom attack modules while the core provides reliable crawling and injection capabilities.
Key Features
Comprehensive Vulnerability Detection
Wapiti detects a wide range of web application vulnerabilities:
- SQL Injection: Error-based, blind, and time-based detection for MySQL, PostgreSQL, MSSQL, Oracle
- Cross-Site Scripting (XSS): Both reflected and stored/persistent variants
- File Inclusion: Local and remote file inclusion vulnerabilities
- Command Execution: OS command injection detection
- XXE: XML External Entity injection
- SSRF: Server-Side Request Forgery
- CRLF Injection: HTTP header injection
- Path Traversal: Directory traversal attacks
- Open Redirect: Unvalidated redirects
- Backup File Discovery: Common backup file extensions
- HTTP Security Headers: Missing or misconfigured headers
XSS Differentiation
Wapiti distinguishes between reflected and stored XSS vulnerabilities:
# Wapiti tests for stored XSS by:
# 1. Injecting payloads into forms
# 2. Crawling other pages to see if payload appears
# 3. Reporting persistent XSS when payload is found elsewhere
wapiti -u https://example.com --module xss --detailed-report
This approach catches dangerous stored XSS that affects other users visiting different pages.
Flexible Authentication
Support for multiple authentication mechanisms:
- HTTP Basic and Digest authentication
- NTLM authentication
- Form-based login with custom parameters
- Cookie import from Chrome or Firefox browsers
- Session token handling
Multiple Output Formats
Generate reports suitable for different use cases:
- HTML: Visual reports for human review
- JSON: Structured data for tool integration
- XML: Standard format for vulnerability management
- TXT: Simple text output for quick review
Installation
pip Installation (Recommended)
# Requires Python 3.12 or 3.13
pip install wapiti3
Kali Linux
Wapiti is included in Kali Linux repositories:
sudo apt update
sudo apt install wapiti
From Source
# Clone the repository
git clone https://github.com/wapiti-scanner/wapiti.git
cd wapiti
# Install dependencies
pip install -r requirements.txt
# Install wapiti
pip install .
# Verify installation
wapiti --version
Docker
# Build the Docker image
docker build -t wapiti .
# Run a scan
docker run --rm wapiti -u https://example.com
How to Use Wapiti
Basic Scan
# Scan a website with default settings
wapiti -u https://example.com
# Scan with verbose output
wapiti -u https://example.com -v 2
Targeted Module Scanning
# Run only specific attack modules
wapiti -u https://example.com --module sql,xss,xxe
# List available modules
wapiti --list-modules
# Available modules include:
# - sql (SQL injection)
# - xss (Cross-site scripting)
# - file (File inclusion)
# - exec (Command execution)
# - xxe (XML External Entity)
# - ssrf (Server-Side Request Forgery)
# - crlf (CRLF injection)
# - redirect (Open redirects)
# - backup (Backup file discovery)
# - htaccess (htaccess bypass)
# - cookieflags (Insecure cookies)
# - csp (Content Security Policy)
# - permanentxss (Stored XSS)
Authentication Configuration
# HTTP Basic authentication
wapiti -u https://example.com --auth-user admin --auth-password secret
# Form-based authentication
wapiti -u https://example.com \
--form-url https://example.com/login \
--form-data "username=admin&password=secret" \
--form-enctype application/x-www-form-urlencoded
# Import cookies from browser
wapiti -u https://example.com --cookie "session=abc123; csrf=xyz789"
# Import cookies from Firefox profile
wapiti -u https://example.com --cookie-from-browser firefox
Proxy Configuration
# Use HTTP proxy
wapiti -u https://example.com --proxy http://localhost:8080
# Use SOCKS5 proxy
wapiti -u https://example.com --proxy socks5://localhost:9050
# Use Tor
wapiti -u https://example.com --proxy socks5://127.0.0.1:9050
Output and Reporting
# Generate HTML report
wapiti -u https://example.com -f html -o wapiti-report
# Generate JSON report
wapiti -u https://example.com -f json -o wapiti-report.json
# Generate multiple formats
wapiti -u https://example.com -f html,json,xml -o wapiti-report
Scan Scope Control
# Limit crawl depth
wapiti -u https://example.com --depth 3
# Exclude URLs matching pattern
wapiti -u https://example.com --exclude-url "logout|admin"
# Limit to specific scope
wapiti -u https://example.com --scope url # Only scan the exact URL
wapiti -u https://example.com --scope folder # Scan URL and subdirectories
wapiti -u https://example.com --scope domain # Scan entire domain
Integration
CI/CD Pipeline Integration
# GitHub Actions example
name: Web Security Scan
on:
push:
branches: [main]
pull_request:
schedule:
- cron: '0 3 * * 0' # Weekly Sunday 3am
jobs:
wapiti-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Start application
run: docker-compose up -d
- name: Wait for application
run: sleep 30
- name: Install Wapiti
run: pip install wapiti3
- name: Run Wapiti scan
run: |
wapiti -u http://localhost:8080 \
--module sql,xss,xxe,ssrf \
--depth 3 \
-f json \
-o wapiti-results.json
continue-on-error: true
- name: Upload results
uses: actions/upload-artifact@v4
with:
name: wapiti-security-report
path: wapiti-results.json
- name: Check for critical findings
run: |
if [ -f wapiti-results.json ]; then
CRITICAL=$(python3 -c "
import json
with open('wapiti-results.json') as f:
data = json.load(f)
vulns = data.get('vulnerabilities', {})
critical = sum(len(v) for k, v in vulns.items() if k in ['SQL Injection', 'Command execution'])
print(critical)
")
if [ "$CRITICAL" -gt 0 ]; then
echo "Found $CRITICAL critical vulnerabilities"
exit 1
fi
fi
# GitLab CI example
stages:
- build
- security
wapiti-scan:
stage: security
image: python:3.12
before_script:
- pip install wapiti3
script:
- |
wapiti -u $STAGING_URL \
--module sql,xss,xxe \
-f json \
-o wapiti-report.json
artifacts:
paths:
- wapiti-report.json
expire_in: 1 week
rules:
- if: $CI_PIPELINE_SOURCE == "schedule"
- if: $CI_PIPELINE_SOURCE == "web"
Combining with Other Tools
Use Wapiti as part of a comprehensive security testing workflow:
#!/bin/bash
# security-scan.sh - Run multiple scanners
TARGET="https://example.com"
REPORT_DIR="./security-reports"
mkdir -p $REPORT_DIR
# 1. Run Wapiti for web vulnerability scanning
echo "Running Wapiti..."
wapiti -u $TARGET --module sql,xss,xxe,ssrf -f json -o $REPORT_DIR/wapiti.json
# 2. Run Nikto for server configuration
echo "Running Nikto..."
nikto -h $TARGET -o $REPORT_DIR/nikto.html -Format html
# 3. Run Nuclei for CVE checking
echo "Running Nuclei..."
nuclei -u $TARGET -t cves/ -j > $REPORT_DIR/nuclei.json
# Combine results
echo "Scans complete. Reports in $REPORT_DIR"
DefectDojo Integration
Import Wapiti results into DefectDojo for vulnerability management:
# Generate Wapiti XML report
wapiti -u https://example.com -f xml -o wapiti-report.xml
# Import to DefectDojo via API
curl -X POST "https://defectdojo.example.com/api/v2/import-scan/" \
-H "Authorization: Token $DEFECTDOJO_TOKEN" \
-F "scan_type=Wapiti Scan" \
-F "file=@wapiti-report.xml" \
-F "engagement=$ENGAGEMENT_ID"
When to Use Wapiti
Use Wapiti when:
- You need a free, open-source web vulnerability scanner
- Scanning Python 3 compatible environments
- You want a command-line tool for scripting and automation
- Testing for common web vulnerabilities (SQLi, XSS, command injection)
- You need to import browser sessions for authenticated scanning
- Including security scanning in CI/CD pipelines without licensing costs
Consider alternatives when:
- You need JavaScript rendering for modern SPAs (use ZAP or commercial tools)
- You require API-first scanning with OpenAPI support (use ZAP or commercial tools)
- You need enterprise features like scheduling and portfolio management
- Business logic testing is required beyond parameter fuzzing
Wapiti fills an important niche as a straightforward, effective command-line scanner.
Its focus on black-box fuzzing makes it reliable for finding injection vulnerabilities, while its Python codebase makes it approachable for security researchers who want to extend its capabilities.