- Wapiti quietly turned 20 this year.
- The free, GPL-licensed Python scanner now ships 30+ attack modules, Playwright-powered JS rendering, and Swagger/OpenAPI API scanning — all from a single CLI that drops into any CI/CD pipeline.
TL;DR
Wapiti 3.2.10 landed on November 13, 2025 — a milestone release for a project that has been quietly shipping since 2006. It is a black-box, command-line web vulnerability scanner written in Python 3, packing 30+ attack modules that fuzz SQL injection, XSS (reflected and stored), SSRF, XXE, RCE, Log4Shell, Spring4Shell and more — without ever touching your source code. Free, GPL v2, bundled in Kali Linux, and fully scriptable for CI/CD.
What's new in 3.2.10
The November 2025 release focused on speed and reporting:
- Parallelism across attack modules — scans finish noticeably faster on targets with many forms and endpoints.
- Reworked HTML report — cleaner layout, better severity grouping, easier to hand off to dev teams.
- Playwright replaces wapiti-arsenic (landed in 3.2.9) for headless Firefox rendering, fixing a long tail of JS crawling edge cases.
- Legacy cruft dropped — SWF/Flash parsing removed, old loguru and six dependencies gone.
The ActiveScanner refactor earlier in the 3.2.x line also cleanly separates attack management from orchestration, making it easier to add or fork modules.
Why it matters
Commercial DAST platforms cost four to five figures per year. Many small teams cannot justify that — so their CI has no security scanning at all. Wapiti closes the gap: one pip install wapiti3, one command, and a GitHub Actions job now fuzzes every pull request for injection flaws. The false-positive rate is higher than Invicti or Acunetix, but for internal apps and traditional server-rendered stacks it catches the exact bugs attackers still exploit every day.
It also differentiates itself with one capability most free scanners skip: stored/permanent XSS detection. After the xss module runs, Wapiti re-crawls the entire target and checks whether injected payloads persist on other pages — exactly how a real attacker would weaponize a review form or a comment box.
Technical facts
| Property | Value |
|---|---|
| Latest version | 3.2.10 (Nov 13, 2025) |
| Attack modules | 30+ |
| Language | Python 3.12 / 3.13 / 3.14 |
| License | GPL v2 |
| GitHub stars | 1,600+ (247 forks, 31 contributors) |
| Report formats | HTML, JSON, XML, CSV, TXT |
| HTTP methods | GET, POST (multipart, filename, JSON body) |
| Auth | Basic, Digest, NTLM, form-based, Chrome/Firefox cookie import |
| Proxies | HTTP, HTTPS, SOCKS5 |
| API testing | Swagger / OpenAPI ingestion |
| JS rendering | Headless Firefox via Playwright |
| Session | SQLite3 (suspend & resume) |
| Platforms | Linux, macOS native; Windows via WSL |
The full module set includes sql, timesql, xss, permanentxss, exec, file, xxe, ssrf, crlf, ldap, log4shell, spring4shell, shellshock, csrf, csp, cookieflags, http_header, https_redirect, redirect, methods, takeover, upload, brute_login_form, buster, cms, wp_enum, wapp, htp, htaccess, backup, network_device, nikto, and ssl.
Comparison vs other scanners
| Tool | Strength | Where Wapiti fits |
|---|---|---|
| OWASP ZAP | GUI proxy, strong SPA support, huge plugin ecosystem | Heavier; Wapiti is the CLI-first alternative for pipelines |
| Burp Suite | Commercial, deep manual pentest workflows | Different tier — Wapiti is free, not a proxy |
| Nikto | Server misconfig + known-file scanning | Complementary — Wapiti actually uses the Nikto DB internally |
| SQLmap | Deep SQLi exploitation | Classic combo: Wapiti detects, SQLmap exploits |
Use cases
CI/CD pipelines. Drop it into GitHub Actions or GitLab CI on every PR and fail the build on high-severity findings. Integrates with DefectDojo for tracking.
Pentest recon. Run it as the first pass on a target; triage high-signal findings, then hand SQLi leads to SQLmap and manual testing.
Bug bounty on traditional apps. Catches low-hanging injection and file inclusion on server-rendered targets where modern SPA scanners struggle.
Daily sysadmin hygiene. Schedule weekly HTML reports against production URLs to catch drift before attackers do.
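The CI/CD gate described above, written out as an added example rather than code from the Wapiti project: it reads the JSON report that `wapiti -f json -o report.json` writes and returns a non-zero exit code when any finding meets a severity threshold. The report layout it parses (a `vulnerabilities` map from category name to findings, each carrying an integer `level`, 1 low through 4 critical) is an assumption to check against a real report, and the embedded sample report is constructed.

```python
"""CI gate: exit 1 when a Wapiti JSON report (wapiti -f json -o report.json)
holds findings at or above a chosen severity. Report shape is an assumption:
"vulnerabilities" maps category name -> list of findings, each with an integer
"level" (1 low, 2 medium, 3 high, 4 critical) plus "path", "parameter", "module".
"""
import json
import sys

LEVEL_NAMES = {1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed sample report, not the output of a real scan.
SAMPLE_REPORT = json.dumps({"vulnerabilities": {
    "SQL Injection": [
        {"level": 3, "path": "/search", "parameter": "q", "module": "sql"}],
    "Cross Site Scripting": [
        {"level": 2, "path": "/comment", "parameter": "body", "module": "xss"}],
    "Secure Flag cookie": [
        {"level": 1, "path": "/", "parameter": "", "module": "cookieflags"}],
}, "anomalies": {}})


def findings_at_or_above(report, min_level):
    """Flatten the category map and keep findings with level >= min_level."""
    hits = []
    for category, entries in report.get("vulnerabilities", {}).items():
        for entry in entries:
            level = int(entry.get("level", 0))
            if level >= min_level:
                hits.append({"category": category,
                             "severity": LEVEL_NAMES.get(level, str(level)),
                             "path": entry.get("path", ""),
                             "parameter": entry.get("parameter", ""),
                             "module": entry.get("module", "")})
    return hits


def gate(report_text, min_level=3):
    """Return the exit code for the CI step: 1 if any blocking finding exists."""
    hits = findings_at_or_above(json.loads(report_text), min_level)
    for hit in hits:  # one line per finding so the job log shows what blocked
        print(f"[{hit['severity']}] {hit['category']} at {hit['path']} "
              f"param={hit['parameter']!r} (module {hit['module']})")
    return 1 if hits else 0


if __name__ == "__main__":
    # Usage: python wapiti_gate.py report.json [min_level]; no args runs the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text, int(sys.argv[2]) if len(sys.argv) > 2 else 3))
```

In a GitHub Actions or GitLab CI job, run the scan step first and this script as the following step; its exit status decides whether the pipeline fails.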
Quickstart:
```shell
pip install wapiti3
wapiti -u https://example.com                              # full default scan
wapiti -u https://example.com -v 2                         # verbose output
wapiti -u https://example.com --module sql,xss,xxe         # focused modules
wapiti -u https://example.com -f html -o report            # HTML report
wapiti -u https://api.example.com --swagger openapi.json   # API scan
```
Limitations & pricing
Cost: $0. GPL v2, no usage limits, no telemetry calls home.
Trade-offs to know going in:
- False positives — higher than commercial DAST; build triage into your workflow.
- Modern JS-heavy SPAs — Playwright helps but it is still primarily a fuzzer, not a browser. ZAP or Burp handle complex SPAs better.
- API depth — Swagger/OpenAPI support is functional, but dedicated API scanners dig deeper into auth flows and schema coercion.
- No business-logic testing — it tests injection points, not workflows.
- SSRF/XXE modules rely on an external oracle at wapiti3.ovh; both the scanner host and the target must be able to reach it.
- Windows requires WSL. Native Windows shows flaky behavior.
What's next
Nicolas Surribas, the sole maintainer for nearly two decades, is openly soliciting help on several fronts: more attack modules, more report templates, a GUI (none exists today), and a tool to convert PCAP files into Wapiti's SQLite3 session format for replay-based scanning. The Python 3.14 support already in place plus the recent Playwright migration suggest the next phase is deeper modern-stack coverage.
For security teams tired of paying per-seat DAST licenses to cover the same OWASP Top 10 basics a fuzzer solves, Wapiti 3.2.10 is a 793 KB wheel file that does the job — and has been doing it since before Twitter existed.
Sources: wapiti-scanner/wapiti on GitHub, wapiti-scanner.github.io, release notes, AppSec Santa review, Kali Linux Tools.