I'm using this command:
wapiti.exe http://localhost/mysite/mypage.asp -v 2 -c blah.json
And I get this output:
Wapiti-2.3.0 (wapiti.sourceforge.net)
Exception in lswww.browse: 'NoneType' object is not iterable
Note
========
This scan has been saved in the file C:\Users\Michael\.wapiti\scans/localhost.xml
You can use it to perform attacks without scanning again the web site with the "-k" parameter
[*] Loading modules:
mod_crlf, mod_exec, mod_file, mod_sql, mod_xss, mod_backup, mod_htaccess, mod_blindsql, mod_permanentxss, mod_nikto
[+] Launching module exec
[+] Launching module file
[+] Launching module sql
[+] Launching module xss
[+] Launching module blindsql
[+] Launching module permanentxss
Report
------
A report has been generated in the file C:\Users\Michael\.wapiti\generated_report
Open C:\Users\Michael\.wapiti\generated_report/index.html with a browser to see this report.
The report is basically empty because Wapiti doesn't do anything due to the exception.
If I leave off the -c parameter (i.e. the cookie file) it does a scan, but I presume it isn't ever going to see anything deeper than the logon page because our app uses forms authentication and has basically no public content.
I had previously used wapiti-getcookie.exe to do a successful authentication to our app and then save the cookies to blah.json - it appears to be filled with useful stuff, so I'm a bit puzzled.
Time to learn how to debug Python?