An Interview with the Wapiti Web Vulnerability Scanner: Nicolas Surribas

Henry Dalziel | General Hacking Posts | August 9, 2016

What will you learn in this post?
Over the last few months we’ve been interviewing hacking tools developers. So far we’ve interviewed Daniel Cid (co-founder of Sucuri) and his OSSEC HIDS Tool, the developer of the infamous THC Hydra Password Cracking Tool, cURL, and NetworkMiner – and this time we are really honored to have the “Wapiti Web Vulnerability Scanner” Developer (and inventor!): Nicolas Surribas.


In this post you’ll learn that Wapiti is awesome, and you’ll also hear firsthand – from the developer – how and why he built it, along with his advice about promoting security pentesting tools. We’ve filed Wapiti under “Multi Purpose Hacking Tools,” but it should probably be under “Web Vulnerability Scanners”. If you don’t know what it is, we have a Wapiti Tutorial and info page here, but in essence it’s a framework that allows you to audit the security of your web applications. It performs “black-box” scans by trying to inject data into web application source code. Once a potential vulnerability has been discovered, Wapiti behaves like a fuzzer, injecting payloads to see if a script is vulnerable to cyber attack! Wapiti can detect the following vulnerabilities:

  • File disclosure (Local and remote include/require, fopen, readfile)
  • Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
  • XSS (Cross Site Scripting) injection (reflected and permanent)
  • Command Execution detection (eval(), system(), passthru())
  • CRLF Injection (HTTP Response Splitting, session fixation)
  • XXE (XML eXternal Entity) injection
  • Use of known potentially dangerous files (thanks to the Nikto database)
  • Weak .htaccess configurations that can be bypassed
  • Presence of backup files giving sensitive information (source code disclosure)

Henry, Concise
Wapiti is an awesome web-application vulnerability scanner – what gave you the inspiration to develop this tool? Was it a fork of another project?

Nicolas Surribas, Wapiti Developer
Wapiti is an original project I started in 2006. At that time I didn’t really know where I was going with that tool. I was learning Python at the same time and it was a great opportunity to write real software and rapidly improve my Python skills. I started with a simple script to extract links from a webpage, then I wrote a basic crawler and so on before adding payload injection and simple error-based detection. Now the project is much bigger and the application can detect more types of vulnerabilities. It is still in development even if I haven’t had much time to work on it recently. I regularly note new ideas to add to the project to improve it. The next big step will be to port it to Python 3.

Henry, Concise
I assume that you wrote Wapiti in Python, why did you choose this language over another?

Nicolas Surribas, Wapiti Developer
Before learning Python I was using C most of the time. Python looked great to me because it was an interpreted language and I think it is good for a programmer to master several kinds of programming languages (compiled, interpreted, object-oriented or not, different paradigms). Plus it had a growing popularity at that time and was already present on almost every Linux distribution. I found the Python syntax to be clear enough. Coming from C I was at first reluctant to use indentation instead of curly brackets but now I don’t see the problem! I love Python and I use it every day in my job and spare time. What it lacks is easy packaging of software (making Linux packages or exes for Windows is still a pain). Another programming language that is looking promising in my opinion is Rust.

Henry, Concise
What advice would you give to someone who is trying to promote their hacking tool? Is there a resource or event that you’d recommend (perhaps Black Hat Arsenal?)

Nicolas Surribas, Wapiti Developer
I think events are great for new tools but less so for new versions of software, except if that software is the big thing (Metasploit, Kali, etc). To get more users I think the best option is having your tool available in security-oriented Linux distributions like Kali, Pentoo, BackBox, etc. Writing tutorials or making videos is another great way to encourage people to use your tools. And finally just talking about your tool on a blog can help!

In summary
Thank you to Nicolas Surribas for sharing his invaluable advice! If you use Wapiti then we encourage you to donate to the project.
