I would like to test our web application with the Wapiti scanner. In my scenario, I am assuming the attacker would be an authenticated user. How do I configure Wapiti to use a specific username and password on our login form so I can test the pages behind it?
Note: this is not http or domain based authentication.
You need to use wapiti-getcookie first to collect the cookies associated with logging in. These typically get collected to a file, which can then be passed on subsequent runs to wapiti.
The following is verbatim from the Wapiti example on the site.
First, I use wapiti-getcookie to login in the restricted area and get the cookie in cookies.json:
$ python bin/wapiti-getcookie /tmp/cookies.json http://127.0.0.1/vuln/login.php
<Cookie PHPSESSID=OLPNLIEBPEFELBIFGMKJEKOD for 127.0.0.1/>
Please enter values for the following form:
url = http://127.0.0.1/vuln/login.php
username (default) : admin
password (letmein) : secret
<Cookie PHPSESSID=OLPNLIEBPEFELBIFGMKJEKOD for 127.0.0.1/>
It can also be done with wapiti-cookie this way:
$ python bin/wapiti-cookie /tmp/cookies.json \
http://127.0.0.1/vuln/login.php username=admin password=secret
Then, I scan the vulnerable website using the cookie and excluding the logout script:
$ wapiti http://127.0.0.1/vuln/ -c cookies.json -x http://127.0.0.1/vuln/logout.php
You can use the cookie.py or getcookie.py script from Wapiti to authenticate and save the cookies.
If you're on Ubuntu, look in /usr/share/wapiti for these files.
Once you have the cookies saved somewhere, you can pass them to Wapiti as an option with -c /path/to/cookie
