Using Wapiti to Scan a WordPress Website for Vulnerabilities

The web vulnerability scanning tool known as Wapiti is an open source tool available to anyone who downloads it and can get it to work. But unfortunately, you may be challenged to get it to work on your Windows or Mac machines. Adding to the initial frustration was that I thought I could install it in the cloud on a virtual server in AWS. That one did work... until it didn't, only for me to learn that AWS stops vulnerability scans that it does not expect, for security on their end. There are ways to get authorization to perform these scans when necessary, but not when you are simply testing software for the sake of testing.

Recently, I set up my new gaming Windows laptop as a dual-boot computer with Kali Linux as the new bootable option. Upon opening it for the first time, I was like a child in a candy shop.

Wapiti

Wapiti is a web application vulnerability scanner. The following is taken directly from their website:

“Wapiti allows you to audit the security of your websites or web applications.”

Wapiti performs “black-box” scans of the web application by crawling the webpages of the deployed webapp, looking for scripts and forms where it can inject data.

Once it gets the list of URLs, forms and their inputs, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

The Artifact Research Institute Website

Artifact Research Institute is one of my several websites focused on ancient artifacts and family museums. The website is hosted on WordPress on one of the well-known cloud platforms. These were the results of the first scan:

The original scan was done on Monday. But I was called away and was not able to get to the fixes until Wednesday. All of the fixes needed to eliminate the vulnerabilities for this WordPress website took place in the .htaccess file.

The original .htaccess file was the untampered .htaccess file from a default WordPress installation:

Fortunately, no code fixes were needed. All fixes were taken care of in this modified .htaccess file:

Now, this will not work for every WordPress installation, as the Content Security Policy configuration may differ based on themes, plugins, and content. For now, the website at https://artifactresearchinstitute.com passes the Wapiti vulnerability scan.
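As an added illustration (not the author's actual .htaccess, which is not reproduced above), here is the default WordPress rewrite block followed by a mod_headers block of the kind used to address missing security headers and an absent Content Security Policy. The CSP values are placeholders that must be adapted to the site's theme and plugins.

```apache
# BEGIN WordPress  (standard block written by a default WordPress install)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Added security headers (example only; requires mod_headers to be enabled)
<IfModule mod_headers.c>
  # Stop browsers from MIME-sniffing responses into a different content type
  Header always set X-Content-Type-Options "nosniff"
  # Only allow this site to frame its own pages (clickjacking defence for older browsers)
  Header always set X-Frame-Options "SAMEORIGIN"
  # Limit referrer leakage to third-party sites
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  # HSTS: only emit on HTTPS responses, which mod_ssl marks with the HTTPS env var
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
  # Hide the PHP version banner if the PHP module adds one
  Header unset X-Powered-By
  # Placeholder CSP. WordPress themes and plugins commonly inject inline scripts
  # and styles, so 'unsafe-inline' is kept here as a starting point; tighten it
  # (nonces/hashes) after testing with Content-Security-Policy-Report-Only.
  # object-src 'none', base-uri 'self' and frame-ancestors 'self' are the parts
  # that most reduce injection impact and should be kept.
  Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; form-action 'self'"
</IfModule>
```

Verify the result with `curl -sI https://<your-site>/` and confirm each header is present before re-running the Wapiti scan; a CSP that blocks a theme's external fonts or scripts will show up as console errors in the browser's developer tools.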

Let me know if you need your website scanned and patched up too.

The scan is free. If vulnerabilities are found, request a quote to fix the issues. Call Brian Nettles at 520-373-3224.
