wapiti - Man Page

A web application vulnerability scanner in Python


wapiti -u BASE_URL [options]


Wapiti allows you to audit the security of your web applications.

It performs "black-box" scans, i.e. it does not study the source code of the application but will scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data.

Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

Wapiti is useful only to discover vulnerabilities : it is not an exploitation tools. Some well known applications can be used for the exploitation part like the recommanded sqlmap.

Options Summary

Here is a summary of options. It is essentially what you will get when you launch Wapiti without any argument. More detail on each option can be found in the following sections.

Target Specification:

Attack Specification:

Proxy and Authentication Options:

Session Options:

Scan and Attacks Tuning:

HTTP and Network Options:

Output Options:

Report Options:

Other Options:

Target Specification

Attack Specification

Proxy and Authentication Options

Session Options

Since Wapiti 3.0.0, scanned URLs, discovered vulnerabilities and attacks status are stored in sqlite3 databases used as Wapiti session files.
Default behavior when a previous scan session exists for the given base URL and scope is to resume the scan and attack status.
Following options allows you to bypass this behavior/

Scan and Attacks Tuning

HTTP and Network Options

Output Options

Wapiti prints its status to standard output. The two following options allow to tune the output.

Report Options

Wapiti will generate a report at the end of the attack process. Several formats of reports are available.

Other Options


Wapiti is covered by the GNU General Public License (GPL), version 2. Please read the COPYING file for more information.


Nicolas Surribas is the main author, but the whole list of contributors is found in the separate AUTHORS file.



Bug Reports

If you find a bug in Wapiti please report it to https://sourceforge.net/p/wapiti/bugs/

See Also

The INSTALL.md file that comes with Wapiti contains every information required to install Wapiti.


September 2019