WebSocket and Web App Testing for Stateful Targets
WSHawk v4.0.0 is an open-source platform for authorized WebSocket security testing, replay, AuthZ diffing, race testing, browser pairing, evidence export, and desktop web pentest workflows.
$ wshawk ws://target.example/ws
[*] WSHawk v4.0.0
[*] Establishing baseline connection and capturing frame families...
[+] Project record created for realtime-saas
[*] Browser companion paired for app.realtime.test
[+] Replay completed with stored identity context
[!] AuthZ diff surfaced a cross-tenant data path
[!] Race test accepted a duplicate state-changing action
[*] Evidence bundle prepared for local export
Current Capabilities
WSHawk v4 focuses on stateful web and realtime application testing, not generic marketing noise.
Desktop-First Workflows
Electron plus Python operator surface for projects, traffic, replay, evidence, and web pentest operations.
WebSocket Replay
Reproduce captured frames against live targets with stored handshake and identity context instead of one-shot payload guesses.
AuthZ Diff
Compare the same HTTP or WebSocket action across saved identities to expose cross-role and cross-tenant behavior gaps.
Race Testing
Run repeated or parallel attacks against state-changing actions to find replay-before-invalidation and duplicate execution windows.
Browser Companion Pairing
Scoped browser pairing for handshake capture and browser-authenticated workflows without a long-lived extension bridge token.
Web Pentest Workspace
Crawler, request tooling, fuzzing, headers, redirects, SSRF, TLS, and related HTTP checks in the same local project.
Evidence Bundles
Project-backed findings, notes, traffic, provenance, and tamper-evident export metadata designed for later review and handoff.
Validation Labs
Local realtime SaaS labs for full-stack WebSocket, Socket.IO, and GraphQL subscription scenarios used for regression proof.
CLI and Integrations
Compatibility CLI, web surfaces, JSON and report exports, plus Jira, DefectDojo, and webhook handoff when you need them.
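The duplicate-execution window that Race Testing looks for, seen from the server side. This is an added example, not WSHawk code: a constructed single-use coupon handler whose check and invalidation are separate steps, beside a version that makes them atomic. The names CouponStore, redeem_racy, redeem_atomic and run_parallel are hypothetical.

```python
import threading


class CouponStore:
    """Constructed server-side model of a single-use, state-changing action."""

    def __init__(self):
        self.used = set()
        self.lock = threading.Lock()

    def redeem_racy(self, code, pause):
        # Check and invalidation are separate steps; the gap is the window.
        if code in self.used:
            return False
        pause()  # stands in for database or network latency
        self.used.add(code)
        return True

    def redeem_atomic(self, code, pause):
        # Check and invalidation happen under one lock, so no window exists.
        with self.lock:
            if code in self.used:
                return False
            pause()
            self.used.add(code)
            return True


def run_parallel(handler_name, workers=2):
    """Send the same action from `workers` threads; return how many were accepted."""
    store = CouponStore()
    barrier = threading.Barrier(workers)

    def pause():
        # Hold each request inside the handler until its peers arrive (or time out).
        try:
            barrier.wait(timeout=0.5)
        except threading.BrokenBarrierError:
            pass

    handler = getattr(store, handler_name)
    results = []
    threads = [
        threading.Thread(target=lambda: results.append(handler("WELCOME10", pause)))
        for _ in range(workers)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

The racy handler accepts every parallel request for the same code, while the atomic one accepts exactly one; in a real service the same guarantee usually comes from a database constraint or a conditional update rather than an in-process lock.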
WSHawk In Practice
These are the operations the current release is actually built around.
# Start a project-backed workflow
POST /platform/projects
POST /api/extension/pair

[+] Project created: realtime-saas
[+] Browser companion paired for app.realtime.test
[+] Handshake context stored in project timeline
Start with v4
The quickest path is still the CLI. The strongest path is the desktop app plus project-backed workflows and local validation labs.
CLI Quick Pass
$ pip install wshawk
$ wshawk ws://target.example/ws
$ wshawk-interactive
Validation Labs
$ git clone https://github.com/regaan/wshawk
$ cd wshawk
$ ./venv/bin/python validation/run_validation.py
Frequently Asked Questions
What is WSHawk v4.0.0?
WSHawk v4.0.0 is an open-source WebSocket security testing and web pentest platform. The current release centers on desktop workflows, project-backed storage, replay, AuthZ diffing, race testing, browser pairing, evidence export, and local validation labs.
Is the desktop app now the main workflow?
Yes. The CLI still exists and remains useful, but the most complete v4 workflow lives in the desktop app plus the local bridge, project store, and validation labs.
What does the browser companion do?
The browser companion pairs with the local bridge for scoped handshake capture. It helps bring browser-authenticated WebSocket context into the same local project without exposing a long-lived bridge token inside the extension.
Can WSHawk test HTTP as well as WebSocket targets?
Yes. v4 keeps HTTP request tooling, replay, AuthZ diff, race testing, and web pentest checks in the same project as WebSocket workflows so stateful apps can be tested end to end.
How should I interpret WSHawk's browser-side XSS evidence path?
As evidence collection that still needs operator review. WSHawk can collect Playwright-assisted browser evidence for reflected and DOM-style payloads, and the current v4 docs describe it in those terms, not as a blanket zero-false-positive guarantee. No honest tool should promise that.
Does the release include validation targets?
Yes. The repo includes local validation labs for full-stack realtime SaaS, Socket.IO, and GraphQL subscription scenarios so the platform can be regression-tested against known flows.
Can findings be pushed into other systems?
WSHawk includes exports and integration paths for Jira, DefectDojo, and webhooks. The local evidence bundle is still the primary source of truth because it keeps replay context, identities, notes, and timeline data together.
What license does WSHawk use?
The current project is released under AGPL-3.0.
WebSocket Security Testing for Stateful Applications
WSHawk v4.0.0 is built for applications where state, identity, asynchronous behavior, and browser-authenticated context matter more than one-shot payload reflection. That makes it useful for chat systems, collaboration platforms, trading interfaces, internal dashboards, subscription APIs, and other realtime SaaS targets.
Desktop Workflows Instead of Disposable Scans
The current release is centered on the desktop app and local project store. Instead of treating each test as an isolated scan, WSHawk keeps identities, traffic, findings, notes, and exports inside one reusable project record. Replay, AuthZ diffing, and race testing all build on that same local context.
HTTP and WebSocket in the Same Operation Record
Many modern targets mix browser bootstrapping, HTTP APIs, and live WebSocket actions. WSHawk v4 keeps those paths together so operators can capture traffic, replay requests, compare cross-identity behavior, and export evidence from the same workflow instead of bouncing between unrelated tools.
Validation Labs and Evidence Exports
The repository ships with local validation labs for full-stack realtime SaaS, Socket.IO, and GraphQL subscription scenarios. Export bundles include evidence and provenance data so later review is easier and tampering is easier to detect.
Honest Positioning
WSHawk is an offensive web and realtime application security tool. It is not a general purpose C2 framework or a promise of perfect automated verification. The strongest value in v4 comes from stateful replay, comparison, race testing, and evidence-backed review.
Key Capabilities
- Desktop-first project workflows for WebSocket and HTTP targets
- WebSocket replay, AuthZ diff, and race testing
- HTTP replay, request forging, and web pentest workspace tooling
- Scoped browser companion pairing for handshake capture
- Playwright-assisted browser evidence collection for XSS review
- Local validation labs for WebSocket, Socket.IO, and GraphQL flows
- Project-backed notes, timeline data, and evidence exports
- Integrations for Jira, DefectDojo, webhooks, and structured exports