Advanced Web Application Security Scanner

Project description

Waymap v7.2.1 — Web Vulnerability Scanner & Security Toolkit

Current Version: 7.2.1
Author: Trix Cyrus (Vicky)
License: GPLv3

Waymap is a fast, practical web vulnerability scanner for authorized security testing. It automates SQLi, XSS, RCE, LFI, CORS, CRLF, open redirect, API, recon, misconfiguration, and WordPress checks—with session-based results, multi-threading, crawling, authentication, reporting, and Google dork discovery.


What’s New in v7.2.1

Stability & Security Hardening

  • Thread-safe result saving — New ResultManager with file locking; all injection, recon, and profile modules now save findings safely under concurrent scans.
  • Fixed SQLi payload injection — Boolean SQLi correctly injects into URL parameters instead of appending to the URL.
  • Fixed error-based SQLi — Removed logic that stripped single quotes from payloads.
  • Fixed config paths — Data/session paths resolve relative to the project root, not the current working directory.
  • Secure XML parsing — SQLi and CMDi modules use defusedxml to prevent XXE.
  • Time-based SQLi baseline — Baseline request timing reduces false positives.
  • CRLF detection — Checks both response headers and body for injected markers.
  • Open redirect — Uses requests instead of curl (works on Windows without external tools).
  • CMDi URL building — Proper query-string reconstruction instead of fragile string replace.
  • Report loading fixed — Session JSON is correctly parsed for HTML/CSV/Markdown/PDF reports.
  • WAF module import fixed: --check-waf uses the correct module path.
  • Windows Unicode fix — Banner and UI render correctly on Windows terminals.
  • Dependency check: defusedxml is required and listed in requirements.txt.
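
Why the "Fixed SQLi payload injection" and "CMDi URL building" items matter, shown as an added example (not Waymap's own code): appending to the URL or doing a string replace can leave the tested parameter untouched, while rebuilding the query string changes exactly one parameter. The function names, the sample URL and the marker value are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

def replace_naive(url, old_value, test_value):
    """Fragile: rewrites the first textual match, wherever it is in the URL."""
    return url.replace(old_value, test_value, 1)

def append_naive(url, test_value):
    """Fragile: lands after the last component, here the #fragment."""
    return url + test_value

def set_query_param(url, name, test_value):
    """Rebuild the URL with only query parameter `name` changed."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if all(key != name for key, _ in pairs):
        raise KeyError(f"no query parameter named {name!r}")
    rebuilt = [(k, test_value if k == name else v) for k, v in pairs]
    # urlencode percent-encodes the value so '&' and '=' cannot split it
    return urlunsplit(parts._replace(query=urlencode(rebuilt)))

def server_view(url):
    """Query parameters as the server would decode them."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))

# Constructed sample: "1" occurs in the path and in two parameters; a fragment follows.
URL = "https://example.com/v1/item?id=1&page=1#top"
MARKER = "probe a&b=c"  # harmless constructed value containing URL metacharacters

if __name__ == "__main__":
    for label, out in [("replace", replace_naive(URL, "1", MARKER)),
                       ("append", append_naive(URL, MARKER)),
                       ("rebuild", set_query_param(URL, "id", MARKER))]:
        print(f"{label:8} {out}")
        print(f"         id seen by server: {server_view(out).get('id')!r}")
```

With the two fragile variants the server still receives id=1, so a scanner built on them would report on a request that never carried the test value.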

Scanner Modules Updated in v7.2.1

All of the following now use ResultManager:

sqli · xss · lfi · cmdi · rce · ssti · cors · crlf · open-redirect · advanced · wpscan · recon/misconfig


What’s New in v7.2.0 (Previous Release)

  • SearchAPI Google dork discovery (--dork)
  • WPScan API WordPress profile (--profile wordpress)
  • RCE / command injection scan (--scan rce)
  • Secrets file support (config/waymap/secrets.json)
  • Domain blacklist for dork discovery

Installation

git clone https://github.com/TrixSec/waymap.git
cd waymap
pip install -r requirements.txt

Verify installation:

python waymap.py --version
python waymap.py --help

Quick Start

# Single URL — XSS scan with crawl
python waymap.py --target https://example.com --scan xss --crawl 2

# Parameterized URL — SQLi (all techniques)
python waymap.py --target "https://example.com/page.php?id=1" --scan sqli

# Full scan — no prompts, 4 threads, reports
python waymap.py --target https://example.com --scan all --crawl 2 --threads 4 --no-prompt \
  --report-format html,csv,markdown --output-dir reports

# Interactive mode (no arguments)
python waymap.py

CLI Reference

Target

Flag            Short  Description
--target        -t     Single target URL
--multi-target  -mt    File with one URL per line

Scan Configuration

Flag         Short  Description
--scan       -s     Scan type (see Scan Types)
--crawl      -c     Crawl depth 0–10 (finds parameterized URLs)
--technique  -k     SQLi techniques: B boolean, E error, T time (e.g. BET)
--profile    -p     Scan profile: wordpress
--threads           Worker threads (default: 1, max: 10)
--no-prompt         Skip interactive prompts (CI/automation)
--verbose    -v     Verbose output

Utilities

Flag             Description
--check-waf      Detect WAF on --target
--waf URL        Detect WAF on a specific URL
--check-updates  Check GitHub for new version
--version        Print version and exit

Reporting

Flag             Description
--report-format  Comma-separated: html, csv, markdown, pdf
--output-dir     Report output directory (default: reports)

Authentication

Flag           Short  Description
--auth-type           form, basic, digest, bearer, api_key
--auth-url            Login URL (form auth)
--username     -u     Username
--password     -pw    Password
--token               Bearer token or API key
--auth-header         API key header name (default: X-API-Key)

API Scanning

Flag             Description
--api-type       rest (default) or graphql
--api-endpoints  Comma-separated REST paths (e.g. /users,/login)

Discovery (SearchAPI)

Flag            Description
--dork          Google dork query
--dork-api-key  SearchAPI key (or SEARCHAPI_API_KEY env)
--dork-output   Save discovered URLs to file

WPScan

Flag            Description
--wpscan-token  WPScan API token (or WPSCAN_API_TOKEN env)

Scan Types

Use with --scan / -s:

Scan                Description
sqli                SQL injection (boolean, error, time-based)
xss                 Cross-site scripting (basic + optional bypass payloads)
cmdi                Command injection (error-based)
rce                 Remote code execution (marker-based, safe)
ssti                Server-side template injection
lfi                 Local file inclusion
open-redirect       Open redirect
crlf                CRLF / header injection
cors                CORS misconfiguration
api                 REST or GraphQL API security
all                 Run every standard vulnerability scan
recon               Technology fingerprinting, sitemap, DNS, buckets
misconfig           Security headers, admin panels, sensitive files
redirect            Host header injection, redirect, CRLF
injection-advanced  SSRF, XXE, HPP, NoSQL, prototype pollution, etc.
graphql-suite       GraphQL introspection, batching, depth checks
auth-logic          IDOR, JWT, OAuth, access control signals
cache-smuggling     Cache poisoning, HTTP desync indicators
wordpress-extras    WP user enum, xmlrpc, readme exposure
optional            WebSocket, extended WAF, redirect chains

Usage Examples

Basic vulnerability scans

Each command below can be combined with --threads N, --no-prompt, and -v / --verbose.

# SQL injection — all techniques (default)
python waymap.py -t "https://example.com/item?id=1" -s sqli

# SQL injection — specific techniques
python waymap.py -t "https://example.com/item?id=1" -s sqli -k B      # boolean only
python waymap.py -t "https://example.com/item?id=1" -s sqli -k E      # error only
python waymap.py -t "https://example.com/item?id=1" -s sqli -k T      # time-based only
python waymap.py -t "https://example.com/item?id=1" -s sqli -k BE     # boolean + error
python waymap.py -t "https://example.com/item?id=1" -s sqli -k BET    # all three

# XSS
python waymap.py -t "https://example.com/search?q=test" -s xss

# Command injection
python waymap.py -t "https://example.com/ping?host=127.0.0.1" -s cmdi

# RCE (safe marker-based)
python waymap.py -t "https://example.com/exec?cmd=whoami" -s rce

# SSTI
python waymap.py -t "https://example.com/render?name=test" -s ssti

# LFI
python waymap.py -t "https://example.com/view?file=index.php" -s lfi

# Open redirect
python waymap.py -t "https://example.com/redirect?url=https://example.com" -s open-redirect

# CRLF injection
python waymap.py -t "https://example.com/redirect?path=/home" -s crlf

# CORS misconfiguration
python waymap.py -t "https://example.com/api/data" -s cors

Crawling + scanning

When the target has no query parameters, use --crawl to discover parameterized URLs first.

# Crawl depth 1–3 is typical for single-app scans
python waymap.py -t https://example.com -s xss -c 1
python waymap.py -t https://example.com -s sqli -c 2 -k BET
python waymap.py -t https://example.com -s all -c 3 --threads 4

# Crawl + specific scan + automation
python waymap.py -t https://example.com -s lfi -c 2 --threads 6 --no-prompt -v

Multi-threading combinations

python waymap.py -t "https://example.com/page?id=1" -s sqli --threads 2
python waymap.py -t "https://example.com/page?id=1" -s xss  --threads 4
python waymap.py -t https://example.com -s all -c 2 --threads 8 --no-prompt

Full / comprehensive scans

# Every injection + recon module (excludes --scan api)
python waymap.py -t https://example.com -s all -c 2

# Recon + misconfig + advanced (manual pipeline)
python waymap.py -t https://example.com -s recon
python waymap.py -t https://example.com -s misconfig
python waymap.py -t https://example.com -s injection-advanced -c 1

# Redirect / header injection bundle
python waymap.py -t https://example.com -s redirect -c 1

Multi-target scanning

# targets.txt — one URL per line
python waymap.py --multi-target targets.txt -s sqli --no-prompt
python waymap.py --multi-target targets.txt -s xss  -c 1 --threads 4
python waymap.py --multi-target targets.txt -s all  -c 2 --threads 4 --no-prompt

API security testing

# REST API (default)
python waymap.py -t https://api.example.com -s api --api-type rest

# REST with explicit endpoints
python waymap.py -t https://api.example.com -s api --api-type rest \
  --api-endpoints /users,/login,/admin

# GraphQL
python waymap.py -t https://api.example.com/graphql -s api --api-type graphql

# GraphQL suite (standalone scan type)
python waymap.py -t https://api.example.com/graphql -s graphql-suite

# Auth logic checks on API URLs
python waymap.py -t https://api.example.com -s auth-logic

Authentication + scanning

# Bearer token
python waymap.py -t https://example.com -s all --auth-type bearer --token "YOUR_JWT" --no-prompt

# API key header
python waymap.py -t https://api.example.com -s api --auth-type api_key \
  --token "YOUR_KEY" --auth-header "X-API-Key"

# HTTP Basic
python waymap.py -t https://example.com -s xss --auth-type basic \
  -u admin -pw "password" --no-prompt

# Form login
python waymap.py -t https://example.com -s all --auth-type form \
  -u admin -pw "password" --auth-url https://example.com/login --no-prompt

WordPress

# WPScan API profile (core, plugins, themes CVE lookup)
python waymap.py -t https://wordpress-site.com --profile wordpress

# With explicit token
python waymap.py -t https://wordpress-site.com --profile wordpress \
  --wpscan-token "YOUR_WPSCAN_TOKEN"

# WordPress-specific extras (xmlrpc, user enum, etc.)
python waymap.py -t https://wordpress-site.com -s wordpress-extras -c 1

Google dork discovery

# Discover parameterized URLs via SearchAPI
python waymap.py --dork "inurl:.php?id=" --dork-api-key "YOUR_KEY"

# Save to custom file
python waymap.py --dork "inurl:product.php?cat=" --dork-output discovered.txt

# Dork + auto SQLi scan on discovered URLs
python waymap.py --dork "inurl:.php?id=" --dork-api-key "YOUR_KEY" -s sqli --no-prompt

WAF detection

python waymap.py --check-waf -t https://example.com
python waymap.py --waf https://example.com/login

Reporting combinations

# HTML only
python waymap.py -t https://example.com -s all -c 1 \
  --report-format html --output-dir reports

# All formats
python waymap.py -t https://example.com -s all -c 2 --no-prompt \
  --report-format html,csv,markdown,pdf --output-dir reports

# Scan + report (reports load from session JSON automatically)
python waymap.py -t https://example.com -s sqli -k BET \
  --report-format html,csv --output-dir ./scan-results

Recommended real-world combinations

# Bug bounty — fast parameterized URL test
python waymap.py -t "https://target.com/vuln?id=1" -s sqli -k BET --threads 4 --no-prompt -v

# Internal pentest — crawl + full scan + reports
python waymap.py -t https://app.internal -s all -c 3 --threads 6 --no-prompt \
  --report-format html,markdown,pdf --output-dir pentest-reports

# CI/CD pipeline (non-interactive)
python waymap.py -t "$TARGET_URL" -s sqli -k BE --threads 2 --no-prompt \
  --report-format csv --output-dir ci-artifacts

# API assessment
python waymap.py -t https://api.target.com -s api --api-type rest \
  --auth-type bearer --token "$API_TOKEN" --no-prompt -v

# WordPress engagement
python waymap.py -t https://client-wp.com --profile wordpress --wpscan-token "$WPSCAN_TOKEN"
python waymap.py -t https://client-wp.com -s wordpress-extras -c 1 --no-prompt

Configuration

Secrets file

Create config/waymap/secrets.json:

{
  "searchapi_api_key": "YOUR_SEARCHAPI_KEY",
  "wpscan_api_token": "YOUR_WPSCAN_TOKEN"
}

Environment variables (override secrets file):

Variable           Used by
SEARCHAPI_API_KEY  --dork discovery
WPSCAN_API_TOKEN   --profile wordpress
WAYMAP_NO_PROMPT   Set automatically with --no-prompt
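
The precedence described above (environment variable first, then config/waymap/secrets.json), as an added example that is not Waymap's own loader. It also checks that the secrets file is not readable by group or others. Treating an empty variable or a leftover "YOUR_..." placeholder as unset is an assumption of this sketch, and the function names are hypothetical.

```python
import json
import os
import stat

# Taken from the tables above: environment variable -> key in secrets.json
ENV_TO_KEY = {
    "SEARCHAPI_API_KEY": "searchapi_api_key",
    "WPSCAN_API_TOKEN": "wpscan_api_token",
}

def too_permissive(path):
    """True if group or others have any access to the file (POSIX mode bits)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

def resolve_secret(env_name, path="config/waymap/secrets.json", environ=None):
    """Return (value, source) where source is 'env', 'file' or 'missing'."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_name, "").strip()
    if value:
        return value, "env"            # the environment overrides the file
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (FileNotFoundError, json.JSONDecodeError):
        return None, "missing"
    value = str(data.get(ENV_TO_KEY[env_name], "")).strip()
    if not value or value.startswith("YOUR_"):   # assumption: placeholder = unset
        return None, "missing"
    return value, "file"

if __name__ == "__main__":
    secrets_path = "config/waymap/secrets.json"
    if os.path.exists(secrets_path) and too_permissive(secrets_path):
        print(f"{secrets_path}: readable beyond the owner, consider chmod 600")
    for name in ENV_TO_KEY:
        _, source = resolve_secret(name, secrets_path)
        print(f"{name}: {source}")     # prints the source only, never the value
```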

Domain blacklist (dork discovery)

Edit config/waymap/domain_blacklist.txt — one domain per line.

Payloads & wordlists

Located in data/ (e.g. basicxsspayload.txt, cmdipayload.txt, lfipayload.txt, sstipayload.txt).


Results & Output

All findings are saved per domain:

sessions/<domain>/waymap_full_results.json

Reports (when --report-format is set) are written to --output-dir (default: reports/).

Result structure:

{
  "scans": [
    { "XSS": { "Findings": [ { "url": "...", "parameter": "...", "payload": "..." } ] } },
    { "SQL Injection": { "Technique: Boolean": [ ... ] } },
    { "rce": [ ... ] }
  ]
}
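
A way to consume this file in a pipeline, as an added example that is not part of Waymap: it counts findings per scan and group across the shapes shown above (a dict of lists for XSS and SQL Injection, a bare list for rce) and turns the total into an exit code. The sample data is constructed, and the assumption that a scan name may appear in more than one entry is mine.

```python
import json

def summarize(results):
    """Return {scan_name: {group: finding_count}} for a parsed results file."""
    summary = {}
    for entry in results.get("scans", []):
        if not isinstance(entry, dict):
            continue                      # tolerate unexpected entries
        for scan, body in entry.items():
            groups = summary.setdefault(scan, {})
            if isinstance(body, list):    # flat shape, e.g. {"rce": [...]}
                body = {"(ungrouped)": body}
            if not isinstance(body, dict):
                continue
            for group, items in body.items():
                count = len(items) if isinstance(items, list) else 1
                groups[group] = groups.get(group, 0) + count
    return summary

def total_findings(results):
    return sum(n for groups in summarize(results).values() for n in groups.values())

def exit_code(results, max_findings=0):
    """0 when the finding count is within budget, 1 otherwise (for CI jobs)."""
    return 0 if total_findings(results) <= max_findings else 1

# Constructed sample in the documented layout; field values are placeholders.
SAMPLE = json.loads("""
{"scans": [
  {"XSS": {"Findings": [
    {"url": "https://example.com/search?q=test", "parameter": "q", "payload": "..."}]}},
  {"SQL Injection": {"Technique: Boolean": [
    {"url": "https://example.com/item?id=1"},
    {"url": "https://example.com/item?id=2"}]}},
  {"rce": []},
  {"XSS": {"Findings": []}}
]}
""")

if __name__ == "__main__":
    for scan, groups in summarize(SAMPLE).items():
        for group, count in groups.items():
            print(f"{scan:15} {group:20} {count}")
    raise SystemExit(exit_code(SAMPLE))
```

Point it at sessions/<domain>/waymap_full_results.json with json.load in place of SAMPLE to gate a CI job on the scan outcome.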

Project Structure

waymap/
├── waymap.py              # Main CLI entry point
├── VERSION                # Current version (7.2.1)
├── requirements.txt
├── data/                  # Payloads and wordlists
├── config/waymap/         # Secrets, blacklist, mode config
├── sessions/              # Per-domain scan results
├── lib/
│   ├── injection/         # XSS, SQLi, RCE, LFI, etc.
│   ├── recon/             # Recon, misconfig, redirects
│   ├── api/               # REST/GraphQL/auth logic
│   ├── core/              # Config, ResultManager, reporting
│   └── scanner/           # WaymapScanner orchestrator
└── reports/               # Generated reports (default)

Requirements

  • Python 3.8+
  • See requirements.txt for packages (requests, beautifulsoup4, defusedxml, etc.)

Help & Updates

python waymap.py --help
python waymap.py --version
python waymap.py --check-updates

Legal / Disclaimer

Waymap is intended for authorized security testing and educational use only. Only scan systems you own or have explicit permission to test. The authors are not responsible for misuse.


Support


Changelog Summary

Version  Highlights
7.2.1    Thread-safe results, SQLi/CMDi/CRLF fixes, defusedxml, Windows UI fix, report loading fix
7.2.0    Google dork discovery, WPScan profile, RCE scan, secrets management
7.1.0    API scanning, auth support, HTML/CSV/Markdown/PDF reports

Download files

Source Distribution

waymap-7.2.1.tar.gz (1.3 MB)

Uploaded Source

Built Distribution

waymap-7.2.1-py3-none-any.whl (1.1 MB)

Uploaded Python 3

File details

Details for the file waymap-7.2.1.tar.gz.

File metadata

  • Download URL: waymap-7.2.1.tar.gz
  • Upload date:
  • Size: 1.3 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.0

File hashes

Hashes for waymap-7.2.1.tar.gz
Algorithm Hash digest
SHA256 4819c9e2756c1101eaa81d50d8034992dbd5530dd5c4f9db88e5782a7c9743c5
MD5 77f4e8060becfd59d73c9a278ff760f2
BLAKE2b-256 abb0f4481ddcc029b3e22b543f38fe7b4587f1f106fcb9ef4861c80f72930245

File details

Details for the file waymap-7.2.1-py3-none-any.whl.

File metadata

  • Download URL: waymap-7.2.1-py3-none-any.whl
  • Upload date:
  • Size: 1.1 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.0

File hashes

Hashes for waymap-7.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 5fbee086fe87bb597261b2fec1b0285aca10b1c185ef4267537ed6be2367c16f
MD5 fc44d479a50b7cf835799f618abecf24
BLAKE2b-256 aa9e2df38d1dc45f49b70b8680454c129d9a4cdabd38ffc1c2f2ab003c9e647c
