
Sitadel

Web Application Security Scanner

From shenril · Updated June 25, 2026

Sitadel is an update of WAScan made compatible with Python >= 3.4, giving you more flexibility to write new modules and implement new features. The project is written primarily in Python, distributed under the GNU General Public License v3.0, and was first published in 2018. Key topics: penetration-testing, python3, scanner-web, security.

Sitadel - Web Application Security Scanner



Sitadel is an update of WAScan made compatible with Python >= 3.4.
It gives you more flexibility to write new modules and implement new features:

  • Frontend framework detection
  • Content Delivery Network detection
  • Risk level setting that controls which attacks a scan runs
  • Plugin system
  • Docker image available to build and run


Requirement Warning

This project ONLY supports Python >= 3.4. There will be no backport to Python 2.7.

Installation

```bash
git clone https://github.com/shenril/Sitadel.git
cd Sitadel
pip3 install .
python sitadel.py --help
```

Features

  • Fingerprints

    • Server
    • Web Frameworks (CakePHP,CherryPy,...)
    • Frontend Frameworks (AngularJS,MeteorJS,VueJS,...)
    • Web Application Firewall (Waf)
    • Content Management System (CMS)
    • Operating System (Linux,Unix,..)
    • Language (PHP,Ruby,...)
    • Cookie Security
    • Content Delivery Networks (CDN)
  • Attacks:

    • Bruteforce

      • Admin Interface
      • Common Backdoors
      • Common Backup Directory
      • Common Backup File
      • Common Directory
      • Common File
      • Log File
    • Injection

      • HTML Injection
      • SQL Injection
      • LDAP Injection
      • XPath Injection
      • Cross Site Scripting (XSS)
      • Remote File Inclusion (RFI)
      • PHP Code Injection
    • Other

      • HTTP Allow Methods
      • HTML Object
      • Multiple Index
      • Robots Paths
      • WebDAV
      • Cross Site Tracing (XST)
      • PHPINFO
      • .Listing
    • Vulnerabilities

      • ShellShock
      • Anonymous Cipher (CVE-2007-1858)
      • CRIME (SPDY) (CVE-2012-4929)
      • Struts-Shock
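The fingerprint and "Other" entries above (server, CDN, cookie security, HTTP Allow methods, WebDAV, XST) are all passive checks over a response. The following is an added example of what such checks look like in Python; it is hypothetical code written for this page, not Sitadel's implementation. The header signatures, the method classes and the sample response are assumptions constructed inline, so it runs offline.

```python
"""Passive fingerprint checks of the kind the fingerprint and 'other' modules
run: server/version and CDN hints from response headers, cookie security
flags, and the methods a server advertises in its Allow header (TRACE -> XST
candidate, PROPFIND/MKCOL/... -> WebDAV enabled, PUT/DELETE -> write access).
Hypothetical example code, not Sitadel's implementation; every signature below
is an assumption, and the sample response is constructed inline (no network)."""
import re
from typing import Dict, List

# Constructed sample headers; header-name case varies on purpose.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "CF-RAY": "7a1b2c3d4e5f6789-LHR",
    "Allow": "GET, HEAD, POST, OPTIONS, TRACE, PROPFIND",
}
# Constructed Set-Cookie values (a response may carry several).
SAMPLE_COOKIES = [
    "PHPSESSID=abc123; Path=/",
    "csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
]

# Assumed CDN signatures: header name (lowercased) -> CDN.
CDN_HEADER_HINTS = {"cf-ray": "cloudflare", "x-served-by": "fastly",
                    "x-akamai-transformed": "akamai"}
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
WRITE_METHODS = {"PUT", "DELETE"}
COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")


def lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise before matching."""
    return {k.lower(): v for k, v in headers.items()}


def fingerprint_server(headers: Dict[str, str]) -> Dict[str, str]:
    """Split 'Server: product/version' into its parts; empty if absent."""
    value = lower_keys(headers).get("server", "")
    m = re.match(r"\s*([A-Za-z0-9_-]+)(?:/([0-9][0-9.]*))?", value)
    if not m:
        return {}
    return {"server": m.group(1).lower(), "version": m.group(2) or ""}


def detect_cdn(headers: Dict[str, str]) -> List[str]:
    """CDNs usually add a tell-tale header; report every hint seen, sorted."""
    h = lower_keys(headers)
    return sorted({cdn for name, cdn in CDN_HEADER_HINTS.items() if name in h})


def check_cookie(set_cookie: str) -> Dict[str, object]:
    """Report which of Secure/HttpOnly/SameSite a Set-Cookie value lacks."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive; flags like Secure carry no value.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [f for f in COOKIE_FLAGS if f.lower() not in attrs]
    return {"name": name, "missing": missing}


def check_methods(allow: str) -> Dict[str, object]:
    """Classify the methods advertised in an Allow header."""
    methods = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return {
        "methods": sorted(methods),
        "xst_candidate": "TRACE" in methods,  # confirm with a real TRACE request
        "webdav": bool(methods & WEBDAV_METHODS),
        "write": sorted(methods & WRITE_METHODS),
    }


def fingerprint(headers: Dict[str, str], cookies: List[str]) -> Dict[str, object]:
    """Run all passive checks over one response and collect the findings."""
    allow = lower_keys(headers).get("allow", "")
    return {
        "server": fingerprint_server(headers),
        "cdn": detect_cdn(headers),
        "cookies": [check_cookie(c) for c in cookies],
        "methods": check_methods(allow),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(fingerprint(SAMPLE_HEADERS, SAMPLE_COOKIES), indent=2))
```

Two caveats a scanner has to respect: an Allow header is only what the server claims, so a TRACE entry is an XST candidate until a real TRACE request echoes the request back, and a Server header can be rewritten by a WAF or CDN in front of the origin, so a version string from it is a hint, not a measurement.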

Usage

```bash
sitadel.py [-h] [-r {0,1,2}] [-ua USER_AGENT] [--redirect] [--no-redirect] [-t TIMEOUT] [-c COOKIE] [-p PROXY] [-f FINGERPRINT [MODULE ...]] [-a ATTACK [MODULE ...]] [--config CONFIG] [-v] [--version] TARGET_URL
```

| Argument | Description |
| --- | --- |
| -h, --help | Display help |
| -r, --risk {0,1,2} | Risk level Sitadel runs at; at lower levels some attacks are not executed |
| -ua, --user-agent | User agent used for the HTTP requests of the attacks |
| --redirect | Follow 302 redirects |
| --no-redirect | Do NOT follow 302 redirects |
| -t, --timeout | Timeout for the HTTP requests to the website |
| -c, --cookie | Cookie to send with the attack requests |
| -p, --proxy | Proxy through which the HTTP requests are performed |
| -f, --fingerprint | Fingerprint modules to activate: {cdn,cms,framework,frontend,header,lang,server,system,waf} |
| -a, --attack | Attack modules to activate: {bruteforce, injection, vulns, other} |
| --config | Config file for the scan; the default is config/config.yml |
| -v, --verbosity | Increase log verbosity: -v, -vv, -vvv |
| --version | Show Sitadel version |

Modules list

| Fingerprint module | Description |
| --- | --- |
| cdn | Try to guess whether the target uses a Content Delivery Network (fastly, akamai, cloudflare...) |
| cms | Try to guess whether the target uses a Content Management System (drupal, wordpress, magento...) |
| framework | Try to guess whether the target uses a backend framework (cakephp, rails, symfony...) |
| frontend | Try to guess whether the target uses a frontend framework (angularjs, jquery, vuejs...) |
| header | Inspect the headers exchanged with the target |
| lang | Try to guess the server-side language used by the target (asp, python, php...) |
| server | Try to guess the server technology used by the target (nginx, apache...) |
| system | Try to guess the operating system used by the target (linux, windows...) |
| waf | Try to guess whether the target uses a Web Application Firewall (barracuda, bigip, paloalto...) |

| Attack module | Description |
| --- | --- |
| bruteforce | Try to bruteforce the location of multiple files (backup files, admin consoles...) |
| injection | Try to perform injection in various languages (SQL, html, ldap, javascript...) |
| vulns | Try to test for some known vulnerabilities (crime, shellshock) |
| other | Try to probe for various interesting resources (DAV, htmlobjects, phpinfo, robots.txt...) |
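The injection module has to decide, from a response alone, whether a probe landed. The following added example shows the two classic signals for that decision: database or query-engine error strings in the body (SQL, LDAP, XPath), and an injected marker reflected into the HTML without encoding (XSS / HTML injection), each compared against a baseline response so a page that always shows an error is not reported. This is hypothetical code written for this page, not Sitadel's payloads or logic; the signatures and the responses are constructed assumptions and nothing is sent over the network.

```python
"""Error-signature and reflection checks of the kind an injection module uses
to decide whether a probe hit: database error strings (SQL), LDAP/XPath engine
errors, and a marker reflected unescaped into HTML (XSS/HTML injection).
Findings are compared against a baseline response so that a page which always
shows an error is not reported. Hypothetical example code, not Sitadel's
implementation; the signatures are assumptions and the responses are
constructed inline (no network)."""
import html
import re
from typing import List, Tuple

# Marker to inject; unlikely to occur naturally and easy to spot if reflected.
MARKER = "<s1t4d3l>"

# Assumed error signatures: (finding kind, engine, regex on the response body).
SIGNATURES = [
    ("sqli", "mysql", re.compile(r"You have an error in your SQL syntax", re.I)),
    ("sqli", "postgresql", re.compile(r"ERROR:\s+syntax error at or near", re.I)),
    ("sqli", "mssql", re.compile(r"Unclosed quotation mark after the character string", re.I)),
    ("sqli", "oracle", re.compile(r"\bORA-\d{5}\b")),
    ("ldapi", "ldap", re.compile(r"Invalid DN syntax|Bad search filter", re.I)),
    ("xpathi", "xpath", re.compile(r"XPathException|xmlXPathEval|Invalid predicate", re.I)),
]

# Constructed responses for the same page: a baseline and three probe results.
BASELINE = "<html><body>Search results for: guest</body></html>"
PROBE_SQL = ("<html><body>You have an error in your SQL syntax; check the manual "
             "that corresponds to your MySQL server version</body></html>")
PROBE_XSS_RAW = f"<html><body>Search results for: {MARKER}</body></html>"
PROBE_XSS_ESCAPED = f"<html><body>Search results for: {html.escape(MARKER)}</body></html>"


def find_signatures(body: str) -> List[Tuple[str, str]]:
    """Every (kind, engine) whose error signature appears in the body."""
    return [(kind, engine) for kind, engine, rx in SIGNATURES if rx.search(body)]


def reflected_unescaped(body: str, marker: str) -> bool:
    """True when the marker came back verbatim, i.e. not HTML-encoded."""
    return marker in body


def classify(baseline: str, probe: str, marker: str) -> List[Tuple[str, str]]:
    """Findings for one probe, minus anything the baseline already showed."""
    seen = set(find_signatures(baseline))
    findings = [f for f in find_signatures(probe) if f not in seen]
    if reflected_unescaped(probe, marker) and not reflected_unescaped(baseline, marker):
        findings.append(("xss", "reflected-unescaped"))
    return findings


if __name__ == "__main__":
    for label, probe in [("sql", PROBE_SQL), ("xss-raw", PROBE_XSS_RAW),
                         ("xss-escaped", PROBE_XSS_ESCAPED)]:
        print(label, classify(BASELINE, probe, MARKER))
```

The baseline comparison is what keeps a scan like this usable: without it, any site with a permanently broken page would be reported as injectable. Error-based and reflection-based checks also only catch the loud cases; blind injections need timing or boolean differential probes, which this example does not attempt.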

Examples

Simple run

```bash
python3 sitadel http://website.com
```

Run with risk level at DANGEROUS and do not follow redirections

```bash
python3 sitadel http://website.com -r 2 --no-redirect
```

Run specific modules only with full verbosity

```bash
python3 sitadel http://website.com -a bruteforce -f header server -v
```

Run with docker

```bash
docker build -t sitadel .
docker run sitadel http://example.com
```


This article is auto-generated from shenril/Sitadel via the GitHub API. Last fetched: 6/28/2026