CyberNode: Visual Attack Chaining
The following files were used as context for generating this wiki page:
- desktop/src/index.html
- desktop/src/renderer.js
- desktop/src/style.css
- docs/V3.0.3_RELEASE_GUIDE.md
- CHANGELOG.md
Overview
CyberNode is the visual attack chaining canvas introduced in WSHawk v3.0.3. It replaces the manual process of copying output from one tool into another — pasting subdomain results into a directory scanner, then pasting 200 OK URLs into an auth builder — with a drag-and-drop graphical pipeline. Each tool in the WSHawk Desktop becomes a node. Nodes are connected by directional edges that carry the data flow. The entire canvas is saved and exported as a .hawkchain file that can be loaded on any WSHawk installation or shared with the community as a standardized exploit template.
The concept is directly analogous to Node-RED for industrial automation or Burp Suite's Bambda filters, extended to the full multi-phase penetration testing workflow.
For information about the individual tools that CyberNode chains together, see Desktop Web Pentest Toolkit. For information about running chains in a shared team context, see Multiplayer Red Team Mode.
Core Concepts
Nodes
A node represents a single WSHawk tool or logic gate. Each node has:
- Input port(s): Accept data from upstream nodes.
- Output port(s): Pass results to downstream nodes.
- Inline result panel: Scrollable, click-to-copy output rendered directly on the canvas.
- Status indicator: Idle, running, completed, or error state.
Available Tool Nodes:
| Node | Takes Input | Produces Output |
|------|------------|----------------|
| Subdomain Finder | Target root domain | List of discovered subdomains |
| Directory Scanner | Target URL | 200 OK paths |
| HTTP Fuzzer | Target URL + word list | Response results |
| Port Scanner | Host or IP | Open port list |
| Auth Builder | URL + credential config | Authenticated session headers |
| Endpoint Mapper | Target URL | Discovered WebSocket endpoints |
| Payload Blaster | WebSocket URL + session | Vulnerability results |
| Sensitive Data Finder | URL | Detected secrets |
| Report Generator | Vulnerability results | HTML/JSON report |
Available Logic Gate Nodes:
| Node | Purpose |
|------|---------|
| Filter | Keep only results matching a pattern (regex or substring) |
| Grep | Extract a specific field from structured output |
| Conditional | Branch pipeline based on whether a condition is met |
| Merge | Combine output from two upstream nodes into one stream |
| Delay | Pause pipeline execution for a specified number of seconds |
Edges
An edge connects one node's output port to another node's input port. Data flows directionally from source to destination. A single output port can connect to multiple downstream nodes to fan out the data. A merge node accepts input from two upstream sources.
Canvas Navigation
| Control | Action |
|---------|--------|
| Scroll wheel | Zoom in and out |
| Middle mouse drag | Pan the canvas |
| Minimap (bottom right) | Navigate large chains |
| Grid snapping | Nodes snap to grid when moved |
| Ctrl + A | Select all nodes |
| Ctrl + Z | Undo last change |
Building a Chain
Step 1: Open the CyberNode Tab
CyberNode appears as a dedicated tab in the WSHawk Desktop navigation bar. The tab opens with an empty canvas. A node palette is visible on the left sidebar containing all available tool and logic nodes.
Step 2: Place Nodes
Drag a node from the left palette onto the canvas. Each node renders as a card with its name, status indicator, input/output ports, and a collapsed result panel below.
Step 3: Connect Nodes
Hover over an output port on any node — the port highlights. Click and drag from the output port to the input port of a downstream node. Release to create an edge. The edge renders as a smooth curved line with a directional arrow.
Step 4: Configure Each Node
Double-click any node to open its configuration panel. This is identical to the configuration panel of the same tool in the sidebar — same fields, same options. For example, the Directory Scanner node has the same path list, extension, thread count, and response code filter options as the Directory Scanner sidebar tool.
Step 5: Execute the Chain
Click the Run Chain button in the toolbar. Nodes execute in topological order: a node only starts when all its upstream nodes have completed and their output has been delivered to its input port. Progress is visible in real-time — node status indicators update as each tool runs, and inline result panels fill with output as results arrive.
Step 6: Review Results
Each node's result panel is scrollable and rendered inline on the canvas. Clicking any row in a result panel copies the value to the clipboard. A summary badge on each node shows the result count: 14 subdomains, 3 endpoints, 2 findings.
Example: SSRF to AWS Metadata Token
This is a four-node chain that exploits an SSRF vulnerability in a WebSocket endpoint to capture AWS IAM credentials from the EC2 metadata service.
```mermaid
graph LR
    A["Subdomain Finder\ntarget: corp.com"] -->|"subdomain list"| B
    B["Directory Scanner\nfilter: 200 OK\npaths: /actuator/**"] -->|"200 OK URLs"| C
    C["HTTP Fuzzer\npayloads: ssrf_aws.txt\nmarker: §HOST§"] -->|"responses with AKIA"| D
    D["Sensitive Data Finder\npattern: AWS_ACCESS_KEY_ID"] -->|"credentials"| E
    E["Report Generator\nformat: HTML + JSON"]
```
Chain walkthrough:
- Subdomain Finder enumerates `corp.com` via certificate transparency and DNS brute force. Finds `admin.corp.com`, `internal.corp.com`, `staging.corp.com`.
- Directory Scanner probes each subdomain for `/actuator/env`, `/actuator/configprops`, and other Spring Boot management endpoints. Output: two 200 OK URLs.
- HTTP Fuzzer sends SSRF payloads to the discovered actuator endpoints with the `§HOST§` marker replaced by `169.254.169.254` (AWS metadata service address). Collects responses.
- Sensitive Data Finder scans the fuzzer responses for the regex pattern `AKIA[0-9A-Z]{16}` and extracts any matching AWS access key IDs.
- Report Generator produces a complete HTML report including the chain execution log, all intermediate outputs, and the captured credentials.
Saved as: ssrf_to_aws_token.hawkchain
Example: WebSocket Auth Bypass Chain
A three-node chain targeting a WebSocket endpoint that appears to require authentication but can be bypassed by manipulating the handshake headers.
```mermaid
graph LR
    A["Endpoint Mapper\ntarget: wss://app.corp.com"] -->|"WS endpoints"| B
    B["Auth Builder\nremove header: Authorization\ntoken: null"] -->|"session config"| C
    C["Payload Blaster\ncategory: CSWSH\nSPE: enabled"]
```
.hawkchain File Format
Chains are saved as .hawkchain files — structured JSON documents that describe the full canvas state.
```json
{
  "version": "3.0.3",
  "name": "ssrf_to_aws_token",
  "description": "SSRF via Spring Boot actuator -> AWS credential capture",
  "created_at": "2026-03-01T18:30:00Z",
  "author": "regaan",
  "nodes": [
    {
      "id": "node_001",
      "type": "SubdomainFinder",
      "position": {"x": 120, "y": 200},
      "config": {
        "target": "corp.com",
        "sources": ["crt.sh", "otx"],
        "dns_bruteforce": true
      }
    },
    {
      "id": "node_002",
      "type": "DirectoryScanner",
      "position": {"x": 420, "y": 200},
      "config": {
        "paths": "/actuator/env,/actuator/configprops",
        "filter_status": [200]
      }
    }
  ],
  "edges": [
    {
      "from": "node_001",
      "from_port": "output",
      "to": "node_002",
      "to_port": "target"
    }
  ]
}
```
Sharing Chains:
.hawkchain files can be loaded by any WSHawk Desktop installation running v3.0.3 or later. They are designed to be shared as community exploit templates via GitHub gists, Discord, or the WSHawk GitHub discussions.
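The execution rule from Step 5 (a node starts only when all of its upstream nodes have completed) and the file layout above suggest checks worth running on a shared chain before it is loaded. The following is an added example, not WSHawk's own code: a hypothetical `planChain` function that rejects duplicate node ids, dangling edges and cycles, derives the topological run order, and lists the configured targets so they can be compared with the engagement scope.

```javascript
// Added example: validate a .hawkchain document and derive its run order.
// Field names follow the sample file; the checks themselves are assumptions.
function planChain(chain) {
  const errors = [];
  const nodes = Array.isArray(chain?.nodes) ? chain.nodes : [];
  const edges = Array.isArray(chain?.edges) ? chain.edges : [];
  const pending = new Map();    // node id -> upstream edges not yet satisfied
  const downstream = new Map(); // node id -> ids of the nodes it feeds
  for (const n of nodes) {
    if (typeof n?.id !== "string" || typeof n?.type !== "string") {
      errors.push("node is missing a string id or type");
    } else if (pending.has(n.id)) {
      errors.push(`duplicate node id: ${n.id}`);
    } else {
      pending.set(n.id, 0);
      downstream.set(n.id, []);
    }
  }
  for (const e of edges) {
    if (!pending.has(e?.from) || !pending.has(e?.to)) {
      errors.push(`edge ${e?.from} -> ${e?.to} references an unknown node`);
      continue;
    }
    downstream.get(e.from).push(e.to);
    pending.set(e.to, pending.get(e.to) + 1);
  }
  // Kahn's algorithm: a node is ready once all of its upstream nodes are done.
  const ready = [...pending].filter(([, count]) => count === 0).map(([id]) => id);
  const order = [];
  while (ready.length > 0) {
    const id = ready.shift();
    order.push(id);
    for (const next of downstream.get(id)) {
      pending.set(next, pending.get(next) - 1);
      if (pending.get(next) === 0) ready.push(next);
    }
  }
  if (order.length < pending.size) errors.push("cycle: some nodes can never start");
  // List every configured target so a reviewer can compare it with the scope.
  const targets = nodes.map(n => n?.config?.target).filter(t => typeof t === "string");
  return { ok: errors.length === 0, errors, order, targets };
}

// Constructed sample, reduced from the file shown above.
const sampleChain = {
  nodes: [{ id: "node_001", type: "SubdomainFinder", config: { target: "corp.com" } },
          { id: "node_002", type: "DirectoryScanner", config: { filter_status: [200] } }],
  edges: [{ from: "node_001", from_port: "output", to: "node_002", to_port: "target" }],
};
```

Calling `planChain(sampleChain)` returns the order `node_001`, `node_002` and the single target `corp.com`; a chain whose edges form a loop comes back with `ok: false` and an empty order.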
Conditional Logic Gates
Filter Node
The Filter node passes only results that match a specified condition. The configuration accepts:
- Type: `contains`, `regex`, `status_code`, `length_gt`, `length_lt`
- Pattern: The string, regex, or numeric threshold to evaluate
Example: Filter Directory Scanner output to only forward URLs where the status code is 200:
Type: status_code
Pattern: 200
Grep Node
The Grep node extracts a specific field from each structured result. For JSON-formatted tool output, it accepts a dot-notation key path.
Example: From Subdomain Finder results, extract only the hostname field to forward to the next tool:
Field: hostname
Conditional Node
The Conditional node branches the pipeline. It has two output ports: true and false. Upstream nodes connect to different downstream chains depending on whether a condition is met.
Example: If the Port Scanner finds port 6379 open, route to a Redis-specific attack chain. Otherwise, continue with HTTP discovery.
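The three gates described in this section, written out as an added example that is not WSHawk's own code. The function names, the `{ value, status }` record shape, and the rule that the Conditional node routes the whole result set to one port are assumptions made for illustration.

```javascript
// Added example of the three gate semantics. The record shape ({ value, status }
// and the scan rows below) is an assumption, not WSHawk's internal format.
const FILTER_TYPES = {
  contains:    (r, p) => String(r.value).includes(String(p)),
  regex:       (r, p) => new RegExp(p).test(String(r.value)), // p is untrusted if the chain was shared
  status_code: (r, p) => r.status === Number(p),
  length_gt:   (r, p) => String(r.value).length > Number(p),
  length_lt:   (r, p) => String(r.value).length < Number(p),
};

// Filter: forward only the results that satisfy the configured type/pattern.
function filterNode(results, { type, pattern }) {
  if (!Object.prototype.hasOwnProperty.call(FILTER_TYPES, type)) {
    throw new Error(`unknown filter type: ${type}`);
  }
  return results.filter(r => FILTER_TYPES[type](r, pattern));
}

// Grep: follow a dot-notation key path through own properties only, so a path
// such as "constructor.name" yields nothing; results lacking the field are dropped.
function grepNode(results, field) {
  const own = (v, k) => v !== null && typeof v === "object" &&
    Object.prototype.hasOwnProperty.call(v, k);
  return results
    .map(r => field.split(".").reduce((v, k) => (own(v, k) ? v[k] : undefined), r))
    .filter(v => v !== undefined);
}

// Conditional (assumed semantics): everything goes to the "true" port if any
// result meets the condition, otherwise to the "false" port.
function conditionalNode(results, condition) {
  const met = results.some(condition);
  return { true: met ? results : [], false: met ? [] : results };
}

// Constructed sample data.
const dirScan = [
  { value: "https://admin.corp.com/actuator/env", status: 200 },
  { value: "https://admin.corp.com/private", status: 403 },
];
const subdomains = [{ hostname: "admin.corp.com", source: { name: "crt.sh" } }, { ip: "10.0.0.5" }];
const ports = [{ host: "10.0.0.5", port: 443 }, { host: "10.0.0.5", port: 6379 }];
```

With this data, `filterNode(dirScan, { type: "status_code", pattern: 200 })` keeps only the `/actuator/env` row, `grepNode(subdomains, "hostname")` returns `["admin.corp.com"]`, and `conditionalNode(ports, r => r.port === 6379)` sends both rows to the `true` port.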
Cross-Population with Sidebar Tools
When a node completes execution, its results are automatically cross-populated into the corresponding sidebar tool tab. For example, when the Subdomain Finder node finishes, its results also appear in the Subdomain Finder tab on the left sidebar. This means operators can inspect detailed output in the full-width sidebar view while the chain continues executing downstream.
Cross-population is one-way: sidebar results do not flow back into the canvas. The canvas is always the authoritative execution environment.
Saving and Loading
Save: Ctrl + S saves the current canvas state as a .hawkchain file. The save dialog presents name, description, and author fields.
Save As: Opens the file dialog every time regardless of whether the chain has been saved before.
Load: Drag a .hawkchain file onto the canvas, or use File → Load Chain. The saved node positions, configurations, and edges are restored exactly.
Auto-save: The canvas auto-saves to a local recovery file every 60 seconds. If WSHawk Desktop is closed unexpectedly, the recovery file is offered on next launch.
Summary
CyberNode transforms the WSHawk Desktop from a collection of individual tools into a unified, visual execution platform for multi-stage attack chains. The drag-and-drop canvas, conditional logic gates, inline result panels, and .hawkchain export format reduce the manual overhead of running sequential attack sequences and enable security teams to standardize and share complex exploit chains across assessments.