Python web application vulnerability scanner for black-box audits and report generation
- Stars: 1.8k
- Forks: 265
- Open Issues: 28
- License: GPL-2.0
- Languages: Python, HTML, PHP

About Wapiti
Wapiti is a web vulnerability scanner for finding security issues in deployed websites and web applications. It works as a black-box tool, crawling pages, extracting links and forms, and attacking them with payloads to detect XSS, SQL and LDAP injection, file disclosure, command execution, XXE, SSRF, and more.
Reports can be generated in HTML, XML, JSON, TXT, CSV, and Markdown. Scans can be suspended and resumed using sqlite3 session data, and options cover proxies, authentication, scope limits, custom headers, concurrent requests, cookie import, OpenAPI-based REST API scans, and a Firefox headless browser for crawling.
Attacks are organized into modules you can switch on or off, including checks for Log4Shell, Spring4Shell, CMS enumeration, and subdomain takeovers. It installs with pip and runs on Python, with Windows supported through WSL.
Key features
- Black-box scanning of deployed web apps
- Report output in HTML, XML, JSON, TXT, CSV, Markdown
- Pause and resume scans with sqlite3 session data
- Proxy, authentication, and scope controls
- REST API scans from OpenAPI files
Details
- First released: 2020
- Platforms: Linux · macOS · Windows · CLI
- Deployment: offline-first
- Language: Python 3.12-3.14
- License: GPL-2.0
- Scan mode: Black-box DAST
