Wapiti Review 2026: Free Python DAST Tested

Name: Wapiti
Availability: OnlineOnly

Wapiti is a free, open-source web vulnerability scanner written in Python. It crawls web applications and injects payloads through HTTP parameters to find injection vulnerabilities, misconfigurations, and known CVEs.

With 1,600+ GitHub stars, 247 forks, and 31 contributors, Wapiti has maintained active development since 2006. Version 3.2.10 was released in November 2025. The project is included in Kali Linux.

What is Wapiti?

Wapiti is a command-line black-box fuzzer. It does not read source code. Instead, it crawls a deployed web application, extracts links and forms, then sends attack payloads through GET and POST parameters, cookies, and HTTP headers. This approach aligns with the OWASP Testing Guide’s recommendation for runtime testing of deployed applications to complement static analysis.

It analyzes responses to identify vulnerabilities. When it injects an XSS payload into a form field and that payload shows up in the response HTML, it flags it. When a time-based SQL injection payload causes a delayed response, it reports that too.

The scanner ships 30+ attack modules covering injection flaws, known CVEs (Log4Shell, Spring4Shell, Shellshock), server misconfigurations, and more. It also supports Swagger/OpenAPI specs for API testing.

Written in Python 3, Wapiti requires version 3.12, 3.13, or 3.14. It runs on Linux and macOS natively, and on Windows through WSL.

Feature	Details
Language	Python 3.12 / 3.13 / 3.14
License	GPL v2
Attack modules	30+
GitHub stars	1,600+
Latest version	3.2.10 (November 2025)
Report formats	HTML, JSON, XML, CSV, TXT
Authentication	Basic, Digest, NTLM, form-based, browser cookie import
Proxy support	HTTP, HTTPS, SOCKS5
Session management	SQLite3 database (suspend/resume)
API testing	Swagger/OpenAPI
JS rendering	Headless Firefox
Platforms	Linux, macOS, Windows (WSL)

Key Features

30+ Attack Modules

SQL injection, XSS, file inclusion, command execution, XXE, SSRF, CRLF, Log4Shell, Spring4Shell, Shellshock, CSRF detection, subdomain takeover, CMS fingerprinting, and more.

Stored XSS Detection

Wapiti injects payloads into forms, then crawls other pages to check if the payload persists. When it finds the injected payload on a different page, it reports stored XSS — catching vulnerabilities that affect other users.

Session Suspend/Resume

Scans are backed by SQLite3 databases. You can stop a long-running scan and resume it later without losing progress. Useful for large applications that take hours to scan.

Vulnerability Coverage

Wapiti’s 30+ modules cover a wide range of DAST tools vulnerability categories:

SQL Injection: Error-based, boolean-based, and time-based for MySQL, PostgreSQL, MSSQL, Oracle
XSS: Both reflected and stored/persistent — Wapiti actually differentiates between them
File Inclusion: Local and remote file inclusion
Command Execution: OS command injection
XXE: XML External Entity injection
SSRF: Server-Side Request Forgery
CRLF Injection: HTTP header injection
Log4Shell: CVE-2021-44228 detection (tracked in the NIST National Vulnerability Database as a critical severity 10.0 flaw)
Spring4Shell: Spring Framework RCE detection
Shellshock: Bash vulnerability testing
CSRF: Cross-Site Request Forgery detection
Subdomain Takeover: Dangling DNS record detection
CMS Fingerprinting: WordPress, Drupal, Joomla detection
Security Headers: CSP evaluation, cookie flags, missing headers

Stored XSS Detection

Most DAST scanners only detect reflected XSS. Wapiti also catches stored XSS by injecting payloads in one location and checking whether they appear on other pages during the crawl. This catches the more dangerous persistent XSS variant.

Authentication

Wapiti supports several authentication methods:

HTTP Basic and Digest
NTLM
Form-based login with custom parameters
Cookie import from Chrome or Firefox browsers
Session token handling

The browser cookie import is handy — authenticate manually in your browser, export cookies, and Wapiti uses them to crawl protected pages.

Swagger/OpenAPI Support

Feed Wapiti a Swagger or OpenAPI specification file and it will test each defined endpoint for vulnerabilities. This extends Wapiti beyond traditional page crawling into API security testing.

Combine with Other Scanners

Wapiti is a focused injection fuzzer, not a full-featured DAST platform. It works well as part of a multi-tool workflow — run Wapiti for injection testing, Nikto for server misconfiguration, and ZAP for JavaScript-heavy SPA testing.

Installation

# pip (recommended)
pip install wapiti3

# Kali Linux
sudo apt update && sudo apt install wapiti

# From source
git clone https://github.com/wapiti-scanner/wapiti.git
cd wapiti && pip install .

# Docker
docker build -t wapiti .
docker run --rm wapiti -u https://example.com

# Verify
wapiti --version

Getting Started

Install Wapiti — pip install wapiti3 requires Python 3.12, 3.13, or 3.14. Also available on Kali Linux via apt or as a Docker container.

Run a basic scan — wapiti -u https://example.com crawls the target and runs all attack modules. Add -v 2 for verbose output.

Focus on specific modules — wapiti -u https://example.com --module sql,xss,xxe runs only the modules you care about. Use --list-modules to see all available modules.

Generate reports — wapiti -u https://example.com -f html -o report generates an HTML report. Also supports JSON, XML, CSV, and TXT formats.

Usage Examples

# Basic scan with all modules
wapiti -u https://example.com

# Target specific vulnerability types
wapiti -u https://example.com --module sql,xss,xxe,ssrf

# Authenticated scan with form login
wapiti -u https://example.com \
  --form-url https://example.com/login \
  --form-data "username=admin&password=secret" \
  --form-enctype application/x-www-form-urlencoded

# Import cookies from Firefox
wapiti -u https://example.com -c firefox

# Limit crawl depth and scope
wapiti -u https://example.com --depth 3 --scope domain

# Use through a proxy (useful with Burp Suite)
wapiti -u https://example.com --proxy http://localhost:8080

# Generate JSON report for automation
wapiti -u https://example.com -f json -o results.json

Integrations

Vulnerability Management

DefectDojo

GitHub Actions

GitLab CI

CI/CD Integration

# GitHub Actions example
name: Wapiti Security Scan
on:
  push:
    branches: [main]

jobs:
  wapiti-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Start application
        run: docker-compose up -d && sleep 30
      - name: Install and run Wapiti
        run: |
          pip install wapiti3
          wapiti -u http://localhost:8080 \
            --module sql,xss,xxe,ssrf \
            --depth 3 \
            -f json -o wapiti-results.json
        continue-on-error: true
      - uses: actions/upload-artifact@v4
        with:
          name: wapiti-report
          path: wapiti-results.json

When to Use Wapiti

Wapiti fills a specific niche: a free, command-line injection fuzzer that’s easy to script and automate. It’s not trying to be a full DAST platform.

Good fit for:

Teams needing a free scanner for CI/CD pipelines without licensing costs
Security researchers who want to extend modules in Python
Pentesters wanting a quick injection fuzzer alongside manual testing
Organizations on Kali Linux that want an included DAST tool
Scanning traditional server-rendered web applications

For a full list of free scanners, see our free DAST tools guide. To understand how Wapiti’s black-box approach compares with other testing methods, read SAST vs DAST vs IAST.

Not the best fit for:

Modern JavaScript SPAs — Wapiti has headless Firefox support but it’s limited compared to ZAP or commercial tools like Burp Suite
API-first architectures — Swagger/OpenAPI support exists but dedicated API scanners go deeper
Enterprise portfolio management — no scheduling, dashboards, or multi-user features
Business logic testing — Wapiti tests injection points, not application workflows

Frequently Asked Questions

What is Wapiti?

Wapiti is a free, open-source web vulnerability scanner written in Python. It performs black-box fuzzing by crawling web pages and injecting payloads to find SQL injection, XSS, XXE, SSRF, Log4Shell, and other flaws across 30+ attack modules.

Is Wapiti free?

Yes. Wapiti is completely free and open-source under the GPL v2 license. It requires Python 3.12, 3.13, or 3.14 and can be installed via pip, Kali Linux repositories, or Docker.

What vulnerabilities does Wapiti detect?

Wapiti’s 30+ modules detect SQL injection, XSS (reflected and stored), file inclusion, command execution, XXE, SSRF, CRLF injection, Log4Shell, Spring4Shell, Shellshock, CSRF, subdomain takeover, and weak security headers.

Does Wapiti support JavaScript rendering?

Wapiti uses headless Firefox for JavaScript rendering when needed. However, it is primarily a fuzzer focused on injection vulnerabilities rather than a full browser-based crawler like ZAP or commercial tools.

How does Wapiti compare to ZAP?

Wapiti is a command-line fuzzer focused on injection testing with 30+ modules. ZAP is a full-featured proxy with GUI, extensive plugin ecosystem, and better SPA support. Wapiti works well alongside ZAP or Nikto as part of a multi-scanner workflow.