OnWorks favicon

wapiti - Online in the Cloud

Run wapiti in OnWorks free hosting provider over Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

This is the command wapiti that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator



Wapiti - A web application vulnerability scanner in Python.




Wapiti allows you to audit the security of your web applications.
It performs "black-box" scans, i.e. it does not study the source code of the application
but will scans the webpages of the deployed webapp, looking for scripts and forms where it
can inject data.
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script
is vulnerable.


-s, --start=URL
To specify an url to start with. This option can be called several times.
Wapiti will browse these links to fond more URLs even if the specified link is not
in the scope.

-x, --exclude=URL
To exclude an url from the scan (for example logout scripts). This option can be
called several times to exclude several URLs.
Wildcards (*) can be used in URLs as basic regex.
Example :
-x "http://server/base/?page=*&module=test"
-x http://server/base/admin/* to exclude a directory

-b, --scope=SCOPE
Set the scope of the scan:
page : to analyse only the page given as the root URL.
folder : to analyse all the URLs under the root URL passed to Wapiti
domain : to analyse all the links to the pages which are in the same domain
as the URL passed to Wapiti.

-p, --proxy=PROXY_URL
To specify a proxy. Currently supported proxies are HTTP and HTTPS.
This option can be called twice to specify the HTTP and the HTTPS proxies.
-p http://proxy:port/

-c, --cookie=COOKIE
To import cookies to use for the scan. The COOKIE file must be in JSON format.
Cookies can be grabbed using the cookie.py and getcookie.py utilities (net

-t, --timeout=TIMEOUT
Set the timeout (maximum time in seconds to wait for the server to send a

Set credentials for HTTP authentication ('%' is used as a separator).

If the server requires an authentication, set the authentication method to use.
Currently supported methods are (some require additional modules to install):

-r, --remove=PARAM
Automatically remove the parameter PARAM (and its values) from the URLs.

-n, --nice=LIMIT
Define a limit of URLs to browse with the same pattern (ie, the maximum number of
unique values for the same parameter).
Use this option to prevent endless loops during scan. LIMIT must be greater than 0.

-m, --module=MODULE_OPTIONS
Set the modules (and HTTP methods for each module) to use for attacks.
Prefix a module name with a dash to deactivate the related module.
To only browse the target (without sending any payloads), deactivate every module
with -m "-all".
If you don't specify the HTTP methods, GET and POST will be used.
-m "-all,xss:get,exec:post"

-i, --continue=FILE
This parameter indicates to Wapiti to resume the previous scan saved in the
specified XML status file.
The file name is optional, if it is not specified, Wapiti takes the default file
from the "scans" folder.

-k, --attack=FILE
This parameter indicates to Wapiti to resume the attacks without scanning again,
loading the scan status from the specified XML status file.
The file name is optional, if it is not specified, Wapiti takes the default file
from the "scans" folder.

-u, --color
Use colors to highlight vulnerabilities and anomalies in output.

-v, --verbose=LEVEL
Set the verbosity level to LEVEL.
0: quiet (default), 1: print each URL, 2: print every attack.

-f, --format=TYPE
Set the format type for the report to TYPE. Currently supported formats are :
json: Report in JSON format
html : Report in HTML format (default)
openvas : Report in OpenVAS XML format
txt : Report un plain text (UTF-8)
vulneranet: Report in VulneraNET XML format
xml : Report in XML format

-o, --output=FILE
Write the report to FILE.
If the selected report format is "html", this parameter will be used as a directory

This parameter indicates whether Wapiti must check SSL certificats.
Default is to verify certificates.

-h, --help
To print this usage message.


Wapiti is covered by the GNU General Public License (GPL), version 2.
Please read the COPYING file for more information.


Copyright (c) 2006-2013 Nicolas Surribas.


Nicolas Surribas
David del Pozo
Alberto Pastor


If you find a bug in Wapiti please report it to

Use wapiti online using onworks.net services

Free Servers & Workstations

Download Windows & Linux apps

  • 1
    VBA-M (Archived - Now on Github)
    VBA-M (Archived - Now on Github)
    Project has moved to
    Features:Cheat creationsave statesmulti
    system, supports gba, gbc, gb, sgb,
    Download VBA-M (Archived - Now on Github)
  • 2
    Linux System Optimizer and Monitoring
    Github Repository:
    Audience: End Users/Desktop. User
    interface: Qt. Programming La...
    Download Stacer
  • 3
    Fork of TeamWinRecoveryProject(TWRP)
    with many additional functions, redesign
    and more Features:Supports Treble and
    non-Treble ROMsUp-to-date Oreo kernel,
    Download OrangeFox
  • 4
    itop - ITSM  CMDB OpenSource
    itop - ITSM CMDB OpenSource
    IT Operations Portal: a complete open
    source, ITIL, web based service
    management tool including a fully
    customizable CMDB, a helpdesk system and
    a document man...
    Download itop - ITSM CMDB OpenSource
  • 5
    Clementine is a multi-platform music
    player and library organizer inspired by
    Amarok 1.4. It has a fast and
    easy-to-use interface, and allows you to
    search and ...
    Download Clementine
  • 6
    ATTENTION: Cumulative update 2.4.3 has
    been released!! The update works for any
    previous 2.x.x version. If upgrading
    from version v1.x.x, please download and
    Download XISMuS
  • 7
    Modular headtracking program that
    supports multiple face-trackers, filters
    and game-protocols. Among the trackers
    are the SM FaceAPI, AIC Inertial Head
    Tracker ...
    Download facetracknoir
  • More »

Linux commands