Wapiti Performing a Security Audit
5 March, 2021 by

It’s always a good idea to have a security check that is independent from your own opinion. For this purpose you can use a security auditing tool which scans for web vulnerabilities. There are many such tools, including commercial ones, and for a start you can use wapiti, which is free and open source. Wapiti may lack some of the features of the more advanced tools, but it will give you an idea of what security auditing is.

You can install wapiti on Ubuntu via apt:

  • sudo apt-get install wapiti

Then start scanning your site with wapiti with the command:

  • wapiti http://example.org -n 10 -b folder

Make sure to replace example.org with the name of your site. We have given two additional arguments to the command. The first, -n 10, limits the number of URLs with the same pattern to 10 so that endless loops are prevented. The second argument, -b folder, sets the scope of the scan only to the given domain.

After the scan completes you will find the results inside a directory called generated_report, created in the directory from which you ran the scan. For best viewing, download this directory to your local computer and open the index.html file with a web browser.

Inside the report you will see the vulnerabilities sorted in 10 different categories: SQL Injection, Blind SQL Injection, File Handling, Cross Site Scripting, CRLF, Commands execution, Resource consumption, Htaccess Bypass, Backup file, and Potentially dangerous file.

Ideally, your report should look like this with no vulnerabilities found:

[Screenshot: Wapiti Report with no vulnerabilities found]

If there are vulnerabilities, you can expand the corresponding part of the scan for more information.
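Opening index.html is fine for a one-off look, but when the scan runs regularly (for instance from a cron job or a CI pipeline) it helps to triage the report automatically: count the findings in each of the ten categories, list the affected endpoints, and fail the job when anything was found. The script below is an added example, not part of the original post or of the wapiti project. It assumes the scan was exported as JSON (wapiti 3.x can do this with `-f json -o report.json`, and takes the target as `-u http://example.org`) and that the JSON has the shape of wapiti's JSON export: a `vulnerabilities` object keyed by category, each holding a list of findings with `method`, `path`, `parameter`, `info` and `level` fields. The embedded `SAMPLE_REPORT` is constructed for the example and is not real scan output.

```python
"""Triage a Wapiti JSON report: count findings per category, list the affected
endpoints, and return a non-zero exit status when anything was found."""
import json
import sys
from collections import Counter

# The ten categories named in the post, so empty ones are still listed as 0.
CATEGORIES = [
    "SQL Injection", "Blind SQL Injection", "File Handling",
    "Cross Site Scripting", "CRLF", "Commands execution",
    "Resource consumption", "Htaccess Bypass", "Backup file",
    "Potentially dangerous file",
]

# Constructed sample (not real scan output). Assumed to mirror the layout of
# wapiti's JSON export: "vulnerabilities" keyed by category, list of findings.
SAMPLE_REPORT = {
    "infos": {"target": "http://example.org/", "scope": "folder"},
    "vulnerabilities": {
        "SQL Injection": [],
        "Blind SQL Injection": [],
        "File Handling": [],
        "Cross Site Scripting": [
            # The same endpoint reported twice (two payloads); counted once.
            {"method": "GET", "path": "/search.php", "parameter": "q",
             "info": "XSS found via injection in the parameter q", "level": 1},
            {"method": "GET", "path": "/search.php", "parameter": "q",
             "info": "XSS found via injection in the parameter q", "level": 1},
        ],
        "CRLF": [],
        "Commands execution": [],
        "Resource consumption": [],
        "Htaccess Bypass": [],
        "Backup file": [
            {"method": "GET", "path": "/config.php.bak", "parameter": "",
             "info": "Backup file /config.php.bak found", "level": 1},
        ],
        "Potentially dangerous file": [],
    },
    "anomalies": {},
}


def load_report(path):
    """Read a wapiti JSON report from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def summarize(report):
    """Return {category: count}, covering every known category (and any extra
    category the report contains), after de-duplicating findings that hit the
    same (method, path, parameter)."""
    counts = Counter({name: 0 for name in CATEGORIES})
    for name, findings in report.get("vulnerabilities", {}).items():
        seen = {(f.get("method"), f.get("path"), f.get("parameter")) for f in findings}
        counts[name] = len(seen)
    return dict(counts)


def affected_endpoints(report):
    """Sorted, de-duplicated (category, method, path, parameter) tuples."""
    out = set()
    for name, findings in report.get("vulnerabilities", {}).items():
        for f in findings:
            out.add((name, f.get("method", ""), f.get("path", ""),
                     f.get("parameter", "")))
    return sorted(out)


def has_findings(report):
    """True when at least one category has a finding."""
    return any(summarize(report).values())


def main(argv):
    # With no argument, triage the constructed sample report.
    report = load_report(argv[1]) if len(argv) > 1 else SAMPLE_REPORT
    for name, count in summarize(report).items():
        print(f"{count:4d}  {name}")
    for category, method, path, param in affected_endpoints(report):
        print(f"  - [{category}] {method} {path} parameter={param or '-'}")
    # Non-zero exit makes a CI job fail as soon as a scan reports anything.
    return 1 if has_findings(report) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python triage.py report.json` after a scan; with no argument it triages the embedded sample and exits with status 1, which is what you want a pipeline step to do when the report is not clean. De-duplicating on (method, path, parameter) keeps the count meaningful when wapiti reports the same endpoint once per payload.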

Make sure to run such scans frequently and with different tools to ensure the most complete and thorough auditing of your Nginx server and websites.