Concepts

The Security Lifecycle

Understanding the automated multi-stage process WSHawk uses to uncover vulnerabilities.

01

Heuristic Discovery

WSHawk begins by establishing a baseline connection. It observes the opening handshake and the first client-to-server messages to infer the serialization format (JSON, XML, Protobuf) and the schema of each message: field names, nesting and value types. Getting this right matters because every later mutation has to stay syntactically valid for the server to parse the targeted field at all.

```text
[*] Initializing baseline connection to ws://target.com/api
[*] Analyzed message: {'user_id': 101, 'action': 'get_profile'}
[+] Format detected: JSON (Dynamic Schema)
```
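The format and schema inference described above, as an added example written for this page (it is not WSHawk's own code): the sample frames are constructed, the JSON "dynamic schema" is a type skeleton built from one decoded message, and the Protobuf check is a wire-format heuristic (does every field key and length parse cleanly?) rather than a real decoder, so it can be fooled by short binary blobs.

```python
import json
import xml.etree.ElementTree as ET
from typing import Any, Tuple

# Constructed sample frames, not captured from a real target.
SAMPLES = {
    "json": b'{"user_id": 101, "action": "get_profile", "tags": ["a", "b"]}',
    "xml": b"<req><user_id>101</user_id><action>get_profile</action></req>",
    # field 1 varint 101, field 2 length-delimited "get_profile"
    "protobuf": bytes([0x08, 0x65, 0x12, 0x0B]) + b"get_profile",
}


def _json_schema(value: Any) -> Any:
    """Collapse a decoded JSON value into a type skeleton (the 'dynamic schema')."""
    if isinstance(value, dict):
        return {k: _json_schema(v) for k, v in value.items()}
    if isinstance(value, list):
        return [_json_schema(value[0])] if value else []
    if isinstance(value, bool):  # bool before int: bool is an int subclass
        return "bool"
    if isinstance(value, int):
        return "int"
    if isinstance(value, float):
        return "float"
    if value is None:
        return "null"
    return "str"


def _read_varint(data: bytes, i: int) -> Tuple[int, int]:
    """Return (value, next_index); raise ValueError if the varint runs off the end."""
    value, shift = 0, 0
    while True:
        if i >= len(data):
            raise ValueError("truncated varint")
        b = data[i]
        i += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, i


def _looks_like_protobuf(data: bytes) -> bool:
    """Heuristic: walk tag/wire-type keys (0 varint, 1 fixed64, 2 length-delimited, 5 fixed32)."""
    i, n = 0, len(data)
    if n == 0:
        return False
    try:
        while i < n:
            key, i = _read_varint(data, i)
            field_no, wire_type = key >> 3, key & 0x07
            if field_no == 0:
                return False
            if wire_type == 0:
                _, i = _read_varint(data, i)
            elif wire_type == 1:
                i += 8
            elif wire_type == 2:
                length, i = _read_varint(data, i)
                i += length
            elif wire_type == 5:
                i += 4
            else:
                return False
            if i > n:
                return False
    except ValueError:
        return False
    return True


def infer_format(message: bytes) -> Tuple[str, Any]:
    """Return (format, schema) for one WebSocket frame payload."""
    try:
        text = message.decode("utf-8")
    except UnicodeDecodeError:
        text = None
    if text is not None:
        stripped = text.strip()
        if stripped[:1] in ("{", "["):
            try:
                return "JSON", _json_schema(json.loads(stripped))
            except json.JSONDecodeError:
                pass
        if stripped.startswith("<"):
            try:
                root = ET.fromstring(stripped)
                return "XML", {root.tag: [child.tag for child in root]}
            except ET.ParseError:
                pass
        if text.isprintable():  # readable text that is neither JSON nor XML
            return "text", None
    if _looks_like_protobuf(message):
        return "Protobuf", None
    return "unknown", None
```

The schema skeleton is what the mutator later walks: it tells the fuzzer that `user_id` takes an integer and `tags` a list of strings, so type-confusion payloads (a string where an int is expected, an object where a scalar is expected) can be generated per field instead of blindly.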
02

Adaptive Mutation

Once the fields are identified, the Payload Mutator generates thousands of variations per field. Rather than spray-and-pray, it adapts to what the server reveals: response headers such as X-WAF-System indicate an active filter, and the mutator switches to the encoding and obfuscation strategies below to get past it.

Encoding

URL, hex, Base64 and double-URL encoding of the payload, defeating filters that pattern-match on the literal string. An encoding only helps where the application decodes that layer before the value reaches the sink; a Base64 payload the server never decodes is just noise.

Comment Injection

Breaking up SQL keywords and `<script>` tags with inline comments or whitespace and case tricks that the target's parser tolerates but signature-based filters do not (for example `UNION/**/SELECT` against MySQL).
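The mutation strategies of this stage, as an added example written for this page (not WSHawk's own mutator): a small encoder table, the SQL comment-splitting and script-tag-splitting transforms, and a generator that widens its output when the constructed `X-WAF-System` response header is present. The header value and the sample payloads are made up for the example.

```python
import base64
import re
import urllib.parse
from typing import Callable, Dict, Iterator

# Constructed response headers; the header name is the one the page mentions,
# the value is invented for this example.
RESPONSE_HEADERS = {"X-WAF-System": "generic-regex-waf", "Server": "nginx"}


def url_encode(p: str) -> str:
    return urllib.parse.quote(p, safe="")


def double_url_encode(p: str) -> str:
    # Survives one decode layer (a WAF that decodes once) and arrives intact at a
    # backend that decodes a second time.
    return urllib.parse.quote(urllib.parse.quote(p, safe=""), safe="")


def hex_encode(p: str) -> str:
    # \xHH escapes, as consumed by JavaScript and many SQL string contexts.
    return "".join(f"\\x{b:02x}" for b in p.encode())


def b64_encode(p: str) -> str:
    return base64.b64encode(p.encode()).decode()


ENCODERS: Dict[str, Callable[[str], str]] = {
    "url": url_encode,
    "double_url": double_url_encode,
    "hex": hex_encode,
    "base64": b64_encode,
}

SQL_KEYWORDS = ("UNION", "SELECT", "OR", "AND", "FROM", "WHERE")
_SQL_KW_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b\s+", re.IGNORECASE)
_SQL_ANY_RE = re.compile(r"\b(?:" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def sql_comment_split(p: str, comment: str = "/**/") -> str:
    """Replace the whitespace after each SQL keyword with an inline comment, so
    'UNION SELECT' becomes 'UNION/**/SELECT'. /**/ is accepted by MySQL, PostgreSQL
    and MSSQL; '/*!*/' is MySQL's executable-comment form."""
    return _SQL_KW_RE.sub(lambda m: m.group(1) + comment, p)


def script_tag_split(p: str) -> str:
    """Rewrite <script> / </script> with mixed case and a tab before '>'. HTML tag
    names are case-insensitive and whitespace is allowed before '>', so browsers still
    parse it, while a filter matching the literal '<script>' does not."""
    return re.sub(r"<(/?)script\s*>", lambda m: f"<{m.group(1)}ScRiPt\t>", p, flags=re.IGNORECASE)


def mutate(payload: str, headers: Dict[str, str]) -> Iterator[str]:
    """Yield payload variants; use every encoder only once a WAF header is seen."""
    waf_seen = "X-WAF-System" in headers
    yield payload
    if re.search(r"<\s*/?script", payload, re.IGNORECASE):
        yield script_tag_split(payload)
    if _SQL_ANY_RE.search(payload):
        yield sql_comment_split(payload)
        yield sql_comment_split(payload, comment="/*!*/")
    for name in (ENCODERS if waf_seen else ("url",)):
        yield ENCODERS[name](payload)
```

Everything `mutate` yields has to be re-serialized into the message format inferred in stage 01; a `<ScRiPt\t>` variant dropped into a JSON string field must still leave the frame as valid JSON, otherwise the server rejects the whole message before any filter or sink sees the payload.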

03

OAST & Out-of-Band Probing

For blind vulnerabilities, WSHawk injects "Beacons": payloads carrying a unique identifier that, when triggered, call back to its OAST (out-of-band application security testing) provider. A received callback proves the payload was rendered or executed even when the WebSocket response shows no error, status change or reflected content, which is what makes blind findings detectable at all; the identifier in each beacon ties the callback back to the exact field and payload that caused it.

```python
# WSHawk OAST Trigger
# Payload: <img src='https://interact.sh/callback?id=XSS_123'>
# Result: [ALERT] XSS Callback Received from Proxy IP 1.2.3.4
```
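The beacon bookkeeping that makes an out-of-band callback attributable, as an added example written for this page (not WSHawk's or interactsh's code): each beacon gets a fresh token, the token is embedded in the payload (an `img` URL for blind XSS, a hostname for SSRF), and incoming interactions are matched back to the field and payload kind they came from. The OAST domain `oast.example` and the `proto source data` interaction-line format are invented for this example; a real provider has its own log format, and the token source defaults to `secrets.token_hex`.

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Hypothetical OAST domain; a real deployment points at the OAST server you control.
OAST_DOMAIN = "oast.example"

# Constructed interaction-line format: "<http|dns> <source-ip> <request or query>".
INTERACTION_RE = re.compile(r"^(?P<proto>http|dns)\s+(?P<src>\S+)\s+(?P<data>.+)$", re.IGNORECASE)


@dataclass
class Beacon:
    token: str
    field_name: str   # which message field carried the payload
    payload_kind: str  # "xss", "ssrf", ...


@dataclass
class BeaconRegistry:
    # Injectable so tests can use deterministic tokens; default is random.
    token_factory: Callable[[], str] = field(default=lambda: secrets.token_hex(6))
    by_token: Dict[str, Beacon] = field(default_factory=dict)

    def new(self, field_name: str, kind: str) -> Beacon:
        beacon = Beacon(self.token_factory(), field_name, kind)
        self.by_token[beacon.token] = beacon
        return beacon

    def xss_payload(self, field_name: str) -> str:
        """Blind XSS beacon: fires only if the value is rendered as HTML somewhere."""
        beacon = self.new(field_name, "xss")
        return f"<img src='https://{OAST_DOMAIN}/cb?id={beacon.token}'>"

    def ssrf_payload(self, field_name: str) -> str:
        """SSRF beacon: the token is the hostname, so even a DNS lookup confirms the hit."""
        beacon = self.new(field_name, "ssrf")
        return f"http://{beacon.token}.{OAST_DOMAIN}/"

    def correlate(self, line: str) -> Optional[dict]:
        """Map one OAST interaction line to the beacon it belongs to, or None."""
        m = INTERACTION_RE.match(line)
        if not m:
            return None
        data = m.group("data")
        for token, beacon in self.by_token.items():
            if token in data:
                return {
                    "protocol": m.group("proto").lower(),
                    "source": m.group("src"),
                    "beacon": beacon,
                }
        return None
```

Because a blind XSS beacon may fire hours later, from an administrator's browser rather than the scanner's IP, the report should come from the `beacon` record (field and payload) and not from anything about the current scan connection; the source address is evidence of where it rendered, not of what caused it.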
04

Headless Verification

To eliminate false positives, suspected XSS or DOM injections are re-validated in a Playwright-driven headless browser. A finding is reported only if the payload actually executes in a real browser environment, not merely because it was reflected in a response.