Free Web Application Scanner - Metasploit's WMAP
WMAP is a lightweight web application security scanner available in the Metasploit framework, which helps identify web vulnerabilities.
The Metasploit framework is preinstalled in Kali Linux. You can download a Kali Linux virtual machine image (VMware or VirtualBox) from the link below:
After setting up Kali, open a terminal and run the command below to initialise the Metasploit database (this creates the default database):
#msfdb init
Start the PostgreSQL service with the command below:
#service postgresql start
Start Metasploit with the command below:
#msfconsole
Check the database status to confirm that Metasploit is connected to it:
msf > db_status
Now load the WMAP plugin:
msf > load wmap
List the available commands:
msf > help
Add a website to WMAP (the -a option adds a site) and then list the registered sites:
msf > wmap_sites -a http://192.168.198.130/
msf > wmap_sites -l
Add the site as a WMAP target and list the configured targets:
msf > wmap_targets -t http://192.168.198.130
msf > wmap_targets -l
Now list the modules WMAP has enabled for the target; you will get output similar to the terminal snapshot below:
msf > wmap_run -t
Launch the scan modules against the target with the command below:
msf > wmap_run -e
List the identified vulnerabilities with the command below:
msf > wmap_vulns -l
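The steps above are typed interactively into msfconsole. The script below is an added example, not part of the original tutorial or of Metasploit itself: it generates a Metasploit resource script (.rc) containing the same WMAP commands for a given target URL and runs it non-interactively with `msfconsole -q -r`. The lab address 192.168.198.130 is taken from the tutorial; replace it with your own lab host. The script refuses anything that is not an http(s) URL, because `wmap_sites -a` expects a URL.

```shell
#!/bin/sh
# Drive Metasploit's WMAP end-to-end from a resource script.
# Usage: ./wmap_scan.sh http://192.168.198.130/   (lab host from the tutorial; assumption)

# Print the msfconsole commands for one target URL to stdout.
# Returns 1 (and prints nothing) when the target is not an http(s) URL.
wmap_rc() {
  target="$1"
  case "$target" in
    http://*|https://*) ;;
    *) echo "wmap_rc: target must be an http(s) URL" >&2; return 1 ;;
  esac
  cat <<EOF
db_status
load wmap
wmap_sites -a $target
wmap_targets -t $target
wmap_run -t
wmap_run -e
wmap_vulns -l
exit
EOF
}

# Write the resource script, then run it quietly when msfconsole is installed.
# Second argument (optional) is the .rc file name; default is wmap_scan.rc.
run_wmap() {
  rc="${2:-wmap_scan.rc}"
  wmap_rc "$1" > "$rc" || return 1
  if command -v msfconsole >/dev/null 2>&1; then
    msfconsole -q -r "$rc"
  else
    echo "msfconsole not found; resource script written to $rc" >&2
  fi
}

# Run only when executed directly as wmap_scan.sh (not when sourced).
if [ "${0##*/}" = "wmap_scan.sh" ]; then
  run_wmap "${1:?usage: $0 http://host/}"
fi
```

Keeping the commands in a resource script makes a scan repeatable and reviewable: the same file can be checked into your lab notes and re-run after a fix to confirm that `wmap_vulns -l` no longer reports the finding.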
Conclusion
WMAP is a good scanner for identifying less severe issues in an application. However, it does not replace your primary scanner or the manual effort needed to identify high-severity security issues.
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.