
I want to security test my web application as well as REST APIs, but they require authentication. How do I pass a Bearer token to it?


You can pass this as a header with the -H flag. So -H 'Bearer: [token]'

ebuntu
  • Thank you, I tried, but it's still showing that it scanned only 4 URLs. I passed it like wapiti -u myurl/ -H 'Bearer myauthtoken' – Harvindar Singh Garcha Jun 04 '20 at 18:58
  • Just to make sure, is the API hosted on the same domain? I assume the application may need to crawl the site in some way. If the app is a single-page JavaScript app, it may not have the ability to find all the API endpoints. Does that sound like a possibility? Usually web scanners need to effectively "crawl" an application to learn which pages to scan. Perhaps that part is where it's failing here? You may also want to check out something like BurpSuite, which will show you all the URLs in scope before scanning. – ebuntu Jun 04 '20 at 23:13
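Before handing the token to the scanner it is worth confirming that the exact string given to -H actually authenticates, because an API that answers 401 to the crawler's requests leaves it very little to discover. Added example, not code from the question, the answer or wapiti itself: a constructed local stub API applies the RFC 6750 rule that the token is carried in the Authorization header as "Bearer <token>", probe reports which header spelling it accepts, and wapiti_command builds the matching -H argument; the token value and URLs are placeholders.

```python
"""Check a Bearer token before handing it to wapiti (added example).
A constructed stub API stands in for the real one and follows RFC 6750:
the token travels in the Authorization header as "Bearer <token>"."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID_TOKEN = "example-token-123"  # constructed sample token, not a real one

class StubApi(BaseHTTPRequestHandler):
    """Answers 200 only when the Authorization header carries the token."""

    def do_GET(self):
        if self.headers.get("Authorization") == f"Bearer {VALID_TOKEN}":
            self.send_response(200)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer realm="api"')
        self.end_headers()

    def log_message(self, *args):  # keep the stub quiet
        pass

def start_stub():
    """Serve the stub on a free localhost port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), StubApi)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def probe(url, header):
    """GET url with one raw 'Name: value' header, the form wapiti -H takes,
    and return the HTTP status so a 401 is caught before the crawl starts."""
    name, _, value = header.partition(":")
    req = urllib.request.Request(url, headers={name.strip(): value.strip()})
    try:
        return urllib.request.urlopen(req, timeout=5).status
    except urllib.error.HTTPError as err:
        return err.code

def wapiti_command(url, token):
    """Build the wapiti argv with the header in the form the API expects."""
    return ["wapiti", "-u", url, "-H", f"Authorization: Bearer {token}"]

if __name__ == "__main__":
    base = start_stub()
    for hdr in (f"Bearer: {VALID_TOKEN}", f"Authorization: Bearer {VALID_TOKEN}"):
        print(f"{hdr!r:45} -> HTTP {probe(base + '/api/items', hdr)}")
    print(" ".join(wapiti_command("https://app.example/", VALID_TOKEN)))
```

Run against the real API first with the header string you intend to pass; only a 200 from probe means the scanner will be crawling as an authenticated user.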