Headless Verification
Eliminate false positives with real-browser automated validation.
Why Verification Matters
Automated scanners often report "Possible XSS" based on simple string reflection in a response. WSHawk takes it a step further by verifying if the injected script actually executes in a DOM environment.
Playwright Integration
When a potential injection is detected, WSHawk spins up a headless Chromium instance via Playwright. It renders the reflected content and monitors for dialog triggers (like alert()) or DOM mutations.
1[*] Potential XSS detected in message #452 [*] Launching Headless Verification Engine... [*] Loading payload: <img src=x onerror=alert(1)> [+] Alert triggered! Message: '1' [SUCCESS] XSS Confirmed via Headless BrowserDOM Mutation Analysis
In cases where simple alerts are blocked, WSHawk analyzes the DOM for unexpected script tags or event handlers added by the payload. This allows for detection of sophisticated DOM-based XSS that might not have immediate visible symptoms.
Stealth Mode
Verification happens in an isolated environment, ensuring that the target server doesn't see extra traffic from the browser instance, maintaining the scan's efficiency.
False Positive Reduction
By combining heuristic analysis with headless verification, WSHawk achieves an industry-leading low false positive rate. If it's in the report, it's a real vulnerability.
1# Verification result structure { 'vulnerable': True, 'evidence': 'Alert executed: 1', 'confidence': 'CRITICAL', 'screenshot_path': 'reports/screenshots/vuln_01.png' }