lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAKS6U3suKgLGzZfk3MkEzfhUWgtUAXjNfyHpYK9eCGjBLwaPYA@mail.gmail.com>
Date: Wed, 27 Nov 2013 23:10:48 +0100
From: Nicolas Surribas <nicolas.surribas@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Wapiti 2.3.0 - the python-powered web-application
	vulnerability scanner

Hello full-disclosure subscribers !

I'm proud to announce the release of a new version of Wapiti, the
web-application vulnerability scanner.


What's new in version 2.3.0 ?

* Wapiti now use the python-requests module for HTTP instead of httplib2.

* More pythonic code. A HTTPResource class was created to simplify module
writing.

* New template for the HTML report generator.

* Uses an up-to-date Nikto database for the mod_nikto module.

* New payloads for almost every attack modules (includes payloads for XXE
and NoSQL injection ).

* New detection strings for error-based attacks.

* Major improvements on the crawler (lswww). Wapiti reached a 48%
exploration rate on Wivet.

* Replaced the XML based cookie storage format for JSON.

* Removed SOCKS proxy support (due to migration to python-requests). You
will have to use proxies like Polipo to tunnel requests through SOCKS.

* Parameters from the query-string are now attacked in POST based attacks
too (not only the parameters in the POST body).

* Can now attack upload scripts (multipart forms) : payloads are injected
in filenames.

* Simpler and less buggy colored output in the terminal (-u option).

* For every successful attack, a cURL command-line is given (fast PoC).

* HTTP request of successul attacks are also given in the report (instead
of just the URL, parameter and payload).

* More browser-like behavior for crawling : No more parameters reordening
in URLs. Parameters repetition is also handled. Empty parameters are kept.

* New report formats : JSON and OpenVAS XML.

* Improved SSL support. A new option can deactivate certificates
verification.

* The mod_xss attack module can now escape noscript tags.

* mod_crlf is now deactivated by default.

* First URLs to scan (passed through the -s option) will be fetched even if
out of the scan scope.

* Added proxy support for the wapiti-cookie and wapiti-getcookie utilities.

* Wapiti is translated in English, French, German, Spanish and Malay.

* Includes a home-made SWF parser to extract URLs from Flash animations.

* Includes the very beginning of a home-made JS interpreter based on
PyNarcissus (JS parser).

* New logo and webpage.

* A standalone archive (no installation required) is available for Windows
users.

More informations and downloads can be found on the project webpage :
http://wapiti.sf.net/

Kind regards

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ