Wapiti is a command-line tool; open a Terminal in Kali Linux and be sure you are running the vulnerable VM before starting:
- In the Terminal, execute wapiti http://192.168.56.11/peruggia/ -o wapiti_result -f html -m "-blindsql" to scan the Peruggia application in our vulnerable VM, save the output in HTML format inside the wapiti_result directory, and skip the blind SQL injection tests.
- Wait for the scan to finish and open the report's directory and then the index.html file; then, you will see something like this:

Here, we can see that Wapiti has found 12 XSS and five file-handling vulnerabilities.
- Now, click on Cross Site ...