Desktop Web Pentest Toolkit

Desktop Web Pentest Toolkit

The following files were used as context for generating this wiki page:

Purpose and Scope

Starting with v3.0.1, the WSHawk Desktop application includes a complete web application penetration testing toolkit with 22 integrated HTTP security tools. This page documents each tool's capabilities, API routes, and engine implementations.

For the Desktop application architecture, see Desktop Application Architecture. For advanced features like the interceptor and payload blaster, see Desktop Advanced Features.

Sources: docs/DESKTOP_V3_GUIDE.md:430-600

Architecture Overview

All 22 tools follow the same pattern:

sequenceDiagram
    participant UI as renderer.js
    participant Bridge as gui_bridge.py
    participant Engine as web_pentest/<tool>.py

    UI->>Bridge: POST /web/<tool> {target, options}
    Bridge->>Engine: engine = WSHawk<Tool>(target)
    Bridge->>Engine: results = await engine.run()
    
    loop Each finding
        Engine-->>Bridge: yield result
        Bridge-->>UI: sio.emit('web_tool_result', result)
    end
    
    Bridge-->>UI: {status: "complete", total: N}

Each tool is implemented as a standalone async Python class in wshawk/web_pentest/. The gui_bridge.py registers REST routes for each tool and handles streaming results back to the renderer via Socket.IO.

Sources: wshawk/gui_bridge.py:700-1300

Phase 1: Discovery & Mapping

Web Crawler

Breadth-first spider that discovers pages, forms, and API endpoints from a target URL.

| Feature | Details | |---|---| | Algorithm | BFS with configurable max depth and max pages | | Form Extraction | Parses <form> elements, extracts action URLs, methods, and input fields | | Link Discovery | <a href>, <script src>, <link href>, inline JavaScript URLs | | Sitemap/Robots | Parses robots.txt and sitemap.xml for additional paths | | Filtering | Excludes external domains, media files, and duplicate URLs |

Route: POST /web/crawl Engine: WSHawkCrawlerwshawk/web_pentest/crawler.py

Request:

{
    "target": "https://example.com",
    "max_depth": 3,
    "max_pages": 100
}

Streamed Results: Each discovered URL is emitted as a Socket.IO event with its link type and source page.

Subdomain Finder

Discovers subdomains through passive enumeration and active DNS brute-forcing.

| Method | Source | Technique | |---|---|---| | Passive | crt.sh | Certificate Transparency log queries | | Passive | AlienVault OTX | Threat intelligence API | | Active | DNS brute-force | Resolves a wordlist of common subdomain prefixes |

Route: POST /web/subdomain Engine: WSHawkSubdomainFinderwshawk/web_pentest/subdomain_finder.py

The engine validates discovered subdomains by performing DNS A/AAAA resolution. Non-resolving subdomains are filtered out.

TCP Port Scanner

Async TCP connect scanner with service identification.

| Feature | Details | |---|---| | Scanning | Async asyncio.open_connection() with configurable timeout | | Presets | Top 100, Web (80, 443, 8080...), Database (3306, 5432...), Full (1-65535) | | Service ID | Banner grabbing and port-to-service mapping for 100+ common services | | Concurrency | Async semaphore-limited to prevent socket exhaustion |

Route: POST /web/portscan Engine: WSHawkPortScannerwshawk/web_pentest/port_scanner.py

Request:

{
    "target": "example.com",
    "ports": "top100",
    "timeout": 3
}

Streamed Results: Each open port is emitted immediately as discovered — users see results live rather than waiting for the full scan.

Technology Fingerprinter

Identifies server technologies by analyzing HTTP response metadata.

Detection Sources:

  • HTTP headers (Server, X-Powered-By, X-Generator)
  • Cookies (framework-specific names: PHPSESSID, connect.sid, JSESSIONID)
  • Response body content (wp-content, react-root, ng-version)
  • <meta generator> tags

Technology Database: 35+ signatures covering:

| Category | Examples | |---|---| | Server | Nginx, Apache, IIS, Caddy, LiteSpeed | | Framework | Express, Flask, Django, Spring, Rails, Laravel | | CMS | WordPress, Drupal, Joomla | | JS Library | React, Angular, Vue, jQuery | | CDN | Cloudflare, Fastly, Akamai, CloudFront | | Security | ModSecurity, Sucuri, Imperva |

Route: POST /web/fingerprint Engine: WSHawkTechFingerprinterwshawk/web_pentest/tech_fingerprint.py (176 lines)

DNS / WHOIS Lookup

Full DNS record enumeration and domain registration data retrieval.

DNS Records: A, AAAA, MX, NS, TXT, CNAME, SOA, SRV, CAA (9 record types) WHOIS Data: Registrar, creation date, expiry date, name servers, registrant info

Route: POST /web/dns Engine: WSHawkDNSLookupwshawk/web_pentest/dns_lookup.py

Sources: docs/DESKTOP_V3_GUIDE.md:440-520

Phase 2: Vulnerability Scanning

HTTP Fuzzer

Parameter fuzzer with position markers, encoding support, and heuristic vulnerability detection.

Key Features:

  • §FUZZ§ position markers in URL, headers, and body
  • Built-in wordlists (common params, SQL payloads, XSS vectors)
  • Encoding: URL encode, Base64, Hex, double URL encode
  • Response analysis: status code, size, timing, error pattern matching
  • Heuristic detection: SQL errors, XSS reflection, command output

Route: POST /web/fuzz Engine: WSHawkFuzzerwshawk/web_pentest/fuzzer.py

Request:

{
    "target": "https://example.com/search?q=§FUZZ§",
    "method": "GET",
    "wordlist": "common-params",
    "encoding": "none",
    "filter_status": [200, 302],
    "headers": {"Cookie": "session=abc123"}
}

Directory Scanner

Path brute-forcing with extension permutation and recursive scanning.

| Feature | Details | |---|---| | Wordlists | Built-in common paths, custom upload (up to 50K entries) | | Extensions | .php, .asp, .jsp, .html, .js, .txt, .bak, .old | | Recursive | Discovered directories can be recursively scanned | | Throttling | Configurable delay to evade WAF rate limiting | | Status Codes | Filters by response code (200, 301, 302, 403) |

Route: POST /web/dirscan Engine: WSHawkDirScannerwshawk/web_pentest/dir_scanner.py

Automated Vulnerability Scanner

Multi-phase orchestrator that chains five engines in sequence with auto-escalation.

graph TB
    A["Phase 1: Crawl"] -->|"Discovered pages"| B["Phase 2: Header Analysis"]
    B -->|"Security header findings"| C["Phase 3: Directory Scan"]
    C -->|"Hidden paths found"| D["Phase 4: Fuzz"]
    D -->|"Parameter injection results"| E["Phase 5: Sensitive Data Scan"]
    E --> F["Final Report"]

    D -->|"SQLi confirmed?"| G["Auto-escalate → LFI"]
    G --> F

    style A fill:#16213e,stroke:#0f3460,color:#fff
    style F fill:#1a1a2e,stroke:#e94560,color:#fff
    style G fill:#533483,stroke:#e94560,color:#fff

Auto-Escalation Logic: If SQL injection is confirmed during Phase 4, the scanner automatically attempts Local File Inclusion (LFI) escalation to demonstrate impact.

Route: POST /web/vulnscan, POST /web/vulnscan/stop Engine: WSHawkVulnScannerwshawk/web_pentest/vuln_scanner.py (453 lines)

Phase badges in the UI light up as each phase starts and completes. Results are displayed with a canvas-drawn severity donut chart.

Security Header Analyzer

Evaluates HTTP security headers with risk ratings.

| Header | Check | Risk if Missing | |---|---|---| | HSTS | Strict-Transport-Security presence and max-age | HIGH — MITM downgrade attacks | | CSP | Content-Security-Policy directives | HIGH — XSS amplification | | X-Frame-Options | DENY or SAMEORIGIN | MEDIUM — Clickjacking | | X-Content-Type-Options | nosniff value | LOW — MIME sniffing | | CORS | Access-Control-Allow-Origin wildcards | HIGH — Cross-origin data theft | | Server | Information leakage | INFO — Version disclosure | | X-Powered-By | Information leakage | INFO — Technology disclosure |

Route: POST /web/headers Engine: WSHawkHeaderAnalyzerwshawk/web_pentest/header_analyzer.py

Sensitive Data Finder

Regex-based scanner for leaked secrets in web page content.

Detection Patterns (30+ types):

| Category | Examples | |---|---| | Cloud Keys | AWS Access Key ID, AWS Secret Key, Google API Key, Azure Connection String | | Tokens | GitHub Token, Slack Webhook, Discord Token, JWT | | Credentials | password=, passwd=, secret=, database connection strings | | Private Keys | RSA/DSA/EC private key headers | | Internal | Internal IP addresses (10.x, 172.16.x, 192.168.x), localhost references |

Route: POST /web/sensitive Engine: WSHawkSensitiveFinderwshawk/web_pentest/sensitive_finder.py (151 lines)

Sources: docs/DESKTOP_V3_GUIDE.md:440-530

Phase 3: Recon & Intelligence

See Phase 1 for the Technology Fingerprinter, SSL/TLS Analyzer, and Sensitive Data Finder which are grouped under Phase 3 in the Vulnerability Scanner's orchestration pipeline but also available as standalone tools.

SSL/TLS Analyzer

Inspects certificate details and tests protocol security.

Certificate Inspection:

  • Subject, Issuer, Serial Number
  • Subject Alternative Names (SAN)
  • Validity period and expiry check
  • Cipher suite in use

Protocol Testing:

  • TLS 1.0, 1.1, 1.2, 1.3 version support
  • Weak cipher detection (< 128-bit)
  • Self-signed certificate detection
  • Deprecated protocol warnings

Implementation Note: All blocking SSL operations run in a thread pool via asyncio.to_thread() to prevent blocking the event loop.

Route: POST /web/ssl Engine: WSHawkSSLAnalyzerwshawk/web_pentest/ssl_analyzer.py (194 lines)

Phase 4: Offensive Tools

WAF Detector

Identifies Web Application Firewalls through passive and active fingerprinting.

Detection Methods:

  1. Passive: Analyzes response headers, cookies, and body content for WAF signatures
  2. Active: Sends malicious payloads and analyzes block responses

WAF Signature Database (15+):

| WAF | Detection Indicators | |---|---| | Cloudflare | cf-ray header, __cfduid cookie, challenge page patterns | | AWS WAF | x-amzn-RequestId header, 403 body patterns | | Akamai | AkamaiGHost server header, reference ID patterns | | Imperva | X-CDN header, incap_ses cookie | | Sucuri | X-Sucuri-ID header, sucuri block page | | ModSecurity | Error message patterns, Mod_Security references | | F5 BIG-IP | BigIP cookie, TS cookie prefix | | Barracuda | barra_counter_session cookie |

Route: POST /web/waf Engine: WSHawkWAFDetectorwshawk/web_pentest/waf_detector.py (221 lines)

CORS Misconfiguration Tester

Tests for CORS misconfigurations by sending six crafted Origin headers.

| Test | Origin Value | Risk | |---|---|---| | Arbitrary Origin | https://evil.com | CRITICAL — Full cross-origin access | | Null Origin | null | HIGH — Sandboxed iframe attack | | Subdomain Suffix | https://example.com.evil.com | HIGH — Domain confusion | | Subdomain Prefix | https://evil-example.com | MEDIUM — Prefix matching bypass | | Subdomain Reflection | https://sub.example.com | LOW — May be intentional | | HTTP Downgrade | http://example.com | MEDIUM — Protocol downgrade |

The tester checks whether Access-Control-Allow-Origin reflects each origin and whether Access-Control-Allow-Credentials: true is set — the critical misconfiguration that enables cookie theft.

Route: POST /web/cors Engine: WSHawkCORSTesterwshawk/web_pentest/cors_tester.py

SSRF Prober

Tests for Server-Side Request Forgery using 40+ payloads.

Payload Categories:

  • Cloud metadata endpoints (AWS 169.254.169.254, GCP, Azure)
  • Internal service probing (127.0.0.1, localhost, 0.0.0.0)
  • DNS rebinding attacks
  • URL parser confusion (@, #, encoded slashes)
  • IPv6 mapped addresses (::ffff:127.0.0.1)

Route: POST /web/ssrf Engine: WSHawkSSRFProberwshawk/web_pentest/ssrf_prober.py

Open Redirect Scanner

Tests for open redirects using 25+ bypass techniques.

Detection: Auto-detects common redirect parameter names (redirect, url, next, return, redir, continue, dest, goto, etc. — 20+ patterns).

Bypass Techniques:

  • Double URL encoding (%252f%252f)
  • Protocol-less (//evil.com)
  • Backslash substitution (\/\/evil.com)
  • Tab/newline injection
  • Unicode normalization
  • Data URI schemes

Route: POST /web/redirect Engine: WSHawkRedirectHunterwshawk/web_pentest/redirect_hunter.py

Prototype Pollution Tester

Tests JavaScript prototype pollution via query parameters and JSON bodies.

Injection Vectors:

  • ?__proto__[polluted]=true
  • ?constructor.prototype.polluted=true
  • JSON body: {"__proto__": {"polluted": true}}
  • Nested: {"constructor": {"prototype": {"polluted": true}}}

Detection: Sends a subsequent request to check if the pollution persists (server-side prototype pollution can affect all subsequent requests).

Route: POST /web/prototype Engine: WSHawkProtoPolluterwshawk/web_pentest/proto_polluter.py

Sources: docs/DESKTOP_V3_GUIDE.md:530-600

Phase 5: Exploit Generation & Chaining

CSRF Exploit Forge

Auto-generates proof-of-concept HTML pages for Cross-Site Request Forgery.

PoC Types:

| Type | Technique | Use Case | |---|---|---| | Auto-Submit Form | <form> with onload="submit()" | Standard POST CSRF | | Fetch API XHR | fetch() with credentials: 'include' | JSON API CSRF | | Multipart | Form with enctype="multipart/form-data" | File upload CSRF |

Token Detection: The engine crawls the target page to detect CSRF token fields (csrf_token, _token, authenticity_token, __RequestVerificationToken). If found, the PoC includes a note about token bypass requirements.

Route: POST /web/csrf Engine: WSHawkCSRFForgewshawk/web_pentest/csrf_forge.py

Attack Chainer

Multi-step HTTP attack sequencing with variable extraction and cross-request templating.

How It Works:

sequenceDiagram
    participant User as attacker.yaml
    participant Chainer as AttackChainer
    participant Target as Target Server

    User->>Chainer: Define steps 1-N

    loop For each step
        Chainer->>Chainer: Replace {{variables}} in request
        Chainer->>Target: Send HTTP request
        Target-->>Chainer: Response
        Chainer->>Chainer: Extract values via regex
        Chainer->>Chainer: Store as {{variable_name}}
    end

    Chainer-->>User: Final results + all extractions

Example chain:

  1. Step 1: POST /login → Extract Set-Cookie: session=XXX → Store as {{session}}
  2. Step 2: GET /admin with Cookie: {{session}} → Extract csrf_token → Store as {{token}}
  3. Step 3: POST /admin/delete?id=1 with Cookie: {{session}} and X-CSRF-Token: {{token}}

Route: POST /web/chain Engine: WSHawkAttackChainerwshawk/web_pentest/attack_chainer.py

Proxy CA Generator

Generates a self-signed Root Certificate Authority for HTTPS traffic interception.

| Property | Value | |---|---| | Key Algorithm | RSA 4096-bit | | Validity | 10 years | | Output | PEM certificate + private key | | Usage | Per-host certificate signing for MitM proxy |

The generated CA can be imported into the system trust store or browser to enable transparent HTTPS interception during security testing.

Route: POST /web/proxy-ca Engine: WSHawkProxyCAwshawk/web_pentest/proxy_ca.py

Report Generator

Produces professional security assessment reports.

| Format | Method | Description | |---|---|---| | HTML | generate_html() | Print-ready report with executive summary, severity charts, findings, and remediation guidance | | JSON | generate_json() | Structured data export for SIEM integration | | PDF | generate_pdf() | HTML-to-PDF via WeasyPrint | | CSV | — | Tabular findings export | | SARIF | — | GitHub Security tab compatible format |

Route: POST /web/report Engine: WSHawkReportGeneratorwshawk/web_pentest/report_gen.py (639 lines)

Sources: docs/DESKTOP_V3_GUIDE.md:555-610

Tool Engine Summary

| # | Tool | Engine Class | Lines | Route | |---|---|---|---|---| | 1 | Web Crawler | WSHawkCrawler | 285 | /web/crawl | | 2 | Subdomain Finder | WSHawkSubdomainFinder | 198 | /web/subdomain | | 3 | Port Scanner | WSHawkPortScanner | 243 | /web/portscan | | 4 | Tech Fingerprinter | WSHawkTechFingerprinter | 176 | /web/fingerprint | | 5 | DNS/WHOIS | WSHawkDNSLookup | 156 | /web/dns | | 6 | HTTP Fuzzer | WSHawkFuzzer | 312 | /web/fuzz | | 7 | Directory Scanner | WSHawkDirScanner | 267 | /web/dirscan | | 8 | Vuln Scanner | WSHawkVulnScanner | 453 | /web/vulnscan | | 9 | Header Analyzer | WSHawkHeaderAnalyzer | 134 | /web/headers | | 10 | Sensitive Finder | WSHawkSensitiveFinder | 151 | /web/sensitive | | 11 | WAF Detector | WSHawkWAFDetector | 221 | /web/waf | | 12 | CORS Tester | WSHawkCORSTester | 178 | /web/cors | | 13 | SSL/TLS Analyzer | WSHawkSSLAnalyzer | 194 | /web/ssl | | 14 | SSRF Prober | WSHawkSSRFProber | 234 | /web/ssrf | | 15 | Redirect Hunter | WSHawkRedirectHunter | 189 | /web/redirect | | 16 | Proto Polluter | WSHawkProtoPolluter | 156 | /web/prototype | | 17 | CSRF Forge | WSHawkCSRFForge | 278 | /web/csrf | | 18 | Attack Chainer | WSHawkAttackChainer | 312 | /web/chain | | 19 | Proxy CA | WSHawkProxyCA | 98 | /web/proxy-ca | | 20 | Report Generator | WSHawkReportGenerator | 639 | /web/report | | 21 | Request Forge | (in gui_bridge.py) | — | /forge/send | | 22 | HTTP Request Builder | (in gui_bridge.py) | — | /web/request |

Sources: docs/DESKTOP_V3_GUIDE.md:430-640

Related Documentation

Sources: docs/DESKTOP_V3_GUIDE.md:1-960