Message-ID: <CAKS6U3suKgLGzZfk3MkEzfhUWgtUAXjNfyHpYK9eCGjBLwaPYA@mail.gmail.com>
Date: Wed, 27 Nov 2013 23:10:48 +0100
From: Nicolas Surribas <nicolas.surribas@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Wapiti 2.3.0 - the python-powered web-application vulnerability scanner

Hello full-disclosure subscribers!

I'm proud to announce the release of a new version of Wapiti, the
web-application vulnerability scanner.

What's new in version 2.3.0?

* Wapiti now uses the python-requests module for HTTP instead of httplib2.
* More pythonic code. A HTTPResource class was created to simplify module
writing.
* New template for the HTML report generator.
* Uses an up-to-date Nikto database for the mod_nikto module.
* New payloads for almost every attack module (includes payloads for XXE
and NoSQL injection).
* New detection strings for error-based attacks.
* Major improvements to the crawler (lswww). Wapiti reached a 48%
exploration rate on Wivet.
* Replaced the XML-based cookie storage format with JSON.
* Removed SOCKS proxy support (due to migration to python-requests). You
will have to use proxies like Polipo to tunnel requests through SOCKS.
* Parameters from the query-string are now attacked in POST based attacks
too (not only the parameters in the POST body).
* Can now attack upload scripts (multipart forms): payloads are injected
in filenames.
* Simpler and less buggy colored output in the terminal (-u option).
* For every successful attack, a cURL command-line is given (fast PoC).
* HTTP requests of successful attacks are also given in the report (instead
of just the URL, parameter and payload).
* More browser-like behavior for crawling: no more parameter reordering
in URLs. Parameter repetition is also handled. Empty parameters are kept.
* New report formats: JSON and OpenVAS XML.
* Improved SSL support. A new option can deactivate certificate
verification.
* The mod_xss attack module can now escape noscript tags.
* mod_crlf is now deactivated by default.
* First URLs to scan (passed through the -s option) will be fetched even if
out of the scan scope.
* Added proxy support for the wapiti-cookie and wapiti-getcookie utilities.
* Wapiti is translated into English, French, German, Spanish and Malay.
* Includes a home-made SWF parser to extract URLs from Flash animations.
* Includes the very beginning of a home-made JS interpreter based on
PyNarcissus (JS parser).
* New logo and webpage.
* A standalone archive (no installation required) is available for Windows
users.

More information and downloads can be found on the project webpage:
http://wapiti.sf.net/

Kind regards