Making the OWASP Wapiti module
From OWASP Live CD 2008
Get the Source for OWASP Wapiti
Go to the OWASP Wapiti website and find the link to the SourceForge repository. Get the most recent release, which at this time is wapiti-2.0.0-beta.tar.gz.
Create the needed directories in fakeroot
Eventually, we'll use dir2lzm to make the module, so let's get the directories created that we need:
$ mkdir -p ./fakeroot/opt/owasp/
$ mkdir -p ./fakeroot/usr/bin
$ mkdir -p ./fakeroot/usr/share/applications
$ mkdir -p ./fakeroot/usr/share/pixmaps
Create and put the module's files into the fakeroot directory
Since we are getting Python code, which is interpreted, let's get the application files where they need to go.
# scp mtesauro@my-box.example.com:/home/mtesauro/projects/wapiti-2.0.0-beta.tar.gz ./
# tar -xzvf wapiti-2.0.0-beta.tar.gz
# mv wapiti-2.0.0-beta fakeroot/opt/owasp/wapiti
Next, we'll need a script to start OWASP Wapiti in fakeroot/usr/bin. This one is very easy:
$ vi fakeroot/usr/bin/wapiti
[create script]
$ cat fakeroot/usr/bin/wapiti
#!/bin/sh
cd /opt/owasp/wapiti/src
python ./wapiti.py "$@"
$ chmod 775 fakeroot/usr/bin/wapiti
Because Wapiti is a command line tool, we're going to create two startup scripts to be used by the menu item:
$ vi fakeroot/usr/bin/startup-wapiti
[create script]
$ cat fakeroot/usr/bin/startup-wapiti
#!/bin/sh
echo "                                                      _ _   _  "
echo "   _____      ____ _ ___ _ __    __      ____ _ _ __ (_) |_(_) "
echo "  / _ \ \ /\ / / _\` / __| '_ \   \ \ /\ / / _\` | '_ \| | __| | "
echo " | (_) \ V  V / (_| \__ \ |_) |   \ V  V / (_| | |_) | | |_| | "
echo "  \___/ \_/\_/ \__,_|___/ .__/     \_/\_/ \__,_| .__/|_|\__|_| "
echo "                        |_|                    |_|             "
echo " "
echo "                        v.2.0.0-beta "
echo "   Web application vulnerability scanner / security auditor "
echo " "
echo "   Try \"wapiti -h\" for help which is quite long or "
echo "   do \"wapiti -h | less\" to allow easy scrolling "
echo " "
echo "   e.g. wapiti http://www.example.com --verbose 2 --nice 3 "
echo "          --exclude \"http://www.example.com/*.pdf\" "
echo "          --exclude \"http://www.example.com/press-releases/*\" "
echo " "
$ chmod 775 fakeroot/usr/bin/startup-wapiti
Creating Wapiti's menu file is rather simple. Use a text editor and create the file wapiti.desktop
$ vi fakeroot/usr/share/applications/wapiti.desktop
[create the file]
$ cat fakeroot/usr/share/applications/wapiti.desktop
[Desktop Entry]
Encoding=UTF-8
Exec=startup-wapiti; bash
Icon=/usr/share/pixmaps/wapiti-icon.png
Type=Application
Categories=Application;Network;
Name=Web Scanner/Auditor
Terminal=1
TerminalOptions=-T "OWASP Wapiti - Web application vulnerability scanner / auditor"
GenericName=Wapiti
MimeType=
X-KDE-StartupNotify=true
The icon was a bit interesting. I decided to use the animal image from the website and then applied some Gimp-foo. I then moved that into fakeroot.
$ cp ./temp/wapiti-icon.png ./fakeroot/usr/share/pixmaps/
Everything is in place to create the modules. A quick final check:
$ find fakeroot
fakeroot/
fakeroot/opt
fakeroot/opt/owasp
fakeroot/opt/owasp/wapiti
...
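A pre-build check for the slips this procedure invites: a misspelled directory, a launcher without a `#!` line, a menu entry pointing at a file that is not in the tree, or world-writable files. This is an added example, not part of the original page or the Live CD tooling; `check_fakeroot` is a hypothetical helper, and it assumes the `Icon=` value is an absolute path as in the desktop file above.

```shell
#!/bin/sh
# Added example: pre-build check of a module tree. check_fakeroot is a
# hypothetical helper, not part of dir2lzm or the Live CD tooling.
# Usage: check_fakeroot ./fakeroot && ./dir2lzm ./fakeroot wapiti-2.0.0-beta.lzm
check_fakeroot() {
    root=$1
    problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # Directories the page creates; a misspelled one is packaged without error.
    for d in opt/owasp usr/bin usr/share/applications usr/share/pixmaps; do
        [ -d "$root/$d" ] || fail "missing directory $d"
    done

    # Launchers must be executable and start with a #! line.
    for f in "$root"/usr/bin/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        [ -x "$f" ] || fail "usr/bin/$name is not executable"
        case $(head -n 1 "$f") in
            '#!'*) ;;
            *) fail "usr/bin/$name has no #! line" ;;
        esac
    done

    # Menu entries: Exec must name a launcher in usr/bin, and Icon (assumed to
    # be an absolute path, as on the page) must exist inside the tree.
    for desk in "$root"/usr/share/applications/*.desktop; do
        [ -f "$desk" ] || continue
        cmd=$(sed -n 's/^Exec=\([^; ]*\).*/\1/p' "$desk")
        icon=$(sed -n 's/^Icon=//p' "$desk")
        [ -n "$cmd" ] && [ -f "$root/usr/bin/$cmd" ] ||
            fail "${desk##*/}: Exec target '$cmd' not in usr/bin"
        [ -n "$icon" ] && [ -f "$root$icon" ] ||
            fail "${desk##*/}: icon '$icon' not in tree"
    done

    # Files writable by everyone keep that mode once the module is loaded.
    ww=$(find "$root" -type f -perm -0002 | wc -l)
    [ "$ww" -eq 0 ] || fail "$((ww)) world-writable file(s)"

    return "$problems"
}
```

The return value is the number of problems found, so the check can gate the dir2lzm step directly.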
Generate the .lzm module
This is the easy part.
$ ./dir2lzm ./fakeroot wapiti-2.0.0-beta.lzm
Add the modules to the ISO build directory
Also cake
$ cp -i wapiti-2.0.0-beta.lzm ../contents/slax/base/
$ chmod 775 ../contents/slax/base/wapiti-2.0.0-beta.lzm
Test the new module
I like scp'ing the new modules into a running Live CD and using the Module Manager to add modules to a running system. I typically have the Live CD running in a VM while I create modules, so it's already up and ready.
You can also gen a new ISO and run it in a VM of your choice.
$ cd ../contents/slax/
$ ./make_iso.sh /home/mtesauro/isos/new-owasp.iso
If anything doesn't work as expected, make the changes needed to ./fakeroot and try again.
Clean up and archive
Once you've got a working module, let's clean up a bit.
$ mkdir ./completed_modules/wapiti
$ mv wapiti-2.0.0-beta.lzm ./completed_modules/wapiti/
$ mv temp/wapiti-2.0.0-beta.tar.gz ./completed_modules/wapiti/
$ rm -rf ./temp/*
I usually delete anything under ./fakeroot also.
$ rm -rf ./fakeroot/*

