Web Application Scanner
loginThis tool actively probes a target for vulnerabilities. Running it without verifying the user owns or has permission to test the target is indistinguishable from attack tooling, so it requires authorization.
This tool isn't available in the anonymous view. Sign in to access it.
Monitor this automatically
NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.
Start monitoring free → See all monitoring productsFrequently Asked Questions
What vulnerabilities does Wapiti detect?
Wapiti actively probes for: SQL injection, XSS (reflected and permanent), XML external entity (XXE), file disclosure, CRLF injection, command injection, open redirects, SSRF, and weak HTTP methods. It crawls the application first, then fuzzes each parameter it finds.
How is Wapiti different from OWASP ZAP?
Both are DAST tools that crawl and probe web applications. ZAP is more feature-rich with a GUI, proxy mode, and extensive plugin ecosystem. Wapiti is a lightweight CLI tool with no proxy requirement — better for scripted, automated scanning in CI pipelines. Both require authorisation.