Professional WebSocket security scanner with real vulnerability verification, session hijacking tests, and CVSS scoring

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for regaan from gravatar.com regaan

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License
  • Author: Regaan
  • Tags websocket , security , scanner , penetration-testing , bug-bounty , vulnerability , xss , sqli , session-hijacking , cvss , playwright , oast , waf-bypass
  • Requires: Python >=3.8
Classifiers
Report project as malware

Project description

WSHawk v2.0 - Professional WebSocket Security Scanner

Python 3.8+ PyPI version License: MIT Playwright Status: Production

WSHawk v2.0 is a production-grade WebSocket security scanner with advanced features including real vulnerability verification, intelligent mutation, and comprehensive session security testing.

Why WSHawk?

WSHawk is the only open-source WebSocket scanner that provides:

  • Real browser XSS verification (Playwright) - Not just pattern matching
  • Blind vulnerability detection via OAST - Finds XXE, SSRF that others miss
  • Session hijacking analysis - 6 advanced session security tests
  • WAF-aware payload mutation - Intelligent evasion techniques
  • CVSS-based professional reporting - Industry-standard risk assessment

Features

  • 22,000+ Attack Payloads - Comprehensive vulnerability coverage
  • Real Vulnerability Verification - Confirms exploitability, not just reflection
  • Playwright XSS Verification - Actual browser-based script execution testing
  • OAST Integration - Detects blind vulnerabilities (XXE, SSRF)
  • Session Hijacking Tests - Token reuse, impersonation, privilege escalation
  • Intelligent Mutation Engine - WAF bypass with 8+ evasion strategies
  • CVSS v3.1 Scoring - Automatic vulnerability risk assessment
  • Professional HTML Reports - Screenshots, replay sequences, traffic logs
  • Adaptive Rate Limiting - Server-friendly scanning

Vulnerability Detection

SQL Injection • XSS • Command Injection • XXE • SSRF • NoSQL Injection • Path Traversal • LDAP Injection • SSTI • Open Redirect • Session Security Issues

Installation

pip install wshawk

# Optional: For browser-based XSS verification
playwright install chromium

Quick Start

WSHawk provides 3 easy ways to scan WebSocket applications:

Method 1: Quick Scan (Fastest)

wshawk ws://target.com

Perfect for CI/CD pipelines and quick security assessments.

Method 2: Interactive Menu (User-Friendly)

wshawk-interactive

Shows interactive menu to select specific tests. Best for learning and manual testing.

Method 3: Advanced CLI (Full Control)

# Basic scan
wshawk-advanced ws://target.com

# With Playwright XSS verification
wshawk-advanced ws://target.com --playwright

# Custom rate limiting
wshawk-advanced ws://target.com --rate 5

# All features enabled
wshawk-advanced ws://target.com --full

Command Comparison

Feature wshawk wshawk-interactive wshawk-advanced
Ease of Use ★★★ ★★★ ★★
Flexibility ★★ ★★★
All Features
Menu Selection
CLI Options
Best For Automation Learning Advanced Users

What You Get

All methods include:

  • Real vulnerability verification (not just pattern matching)
  • 22,000+ attack payloads
  • Intelligent mutation engine with WAF bypass
  • CVSS v3.1 scoring for all findings
  • Session hijacking tests (6 security tests)
  • Professional HTML reports
  • Adaptive rate limiting
  • OAST integration for blind vulnerabilities
  • Optional Playwright for browser-based XSS verification

Output

WSHawk generates comprehensive HTML reports with:

  • CVSS v3.1 scores for all vulnerabilities
  • Screenshots (for XSS browser verification)
  • Message replay sequences
  • Raw WebSocket traffic logs
  • Server fingerprints
  • Actionable remediation recommendations

Reports saved as: wshawk_report_YYYYMMDD_HHMMSS.html

Advanced Options

wshawk-advanced --help

Options:
  --playwright     Enable browser-based XSS verification
  --rate N         Set max requests per second (default: 10)
  --full           Enable ALL features
  --no-oast        Disable OAST testing

Documentation

Python API

For integration into custom scripts:

import asyncio
from wshawk.scanner_v2 import WSHawkV2

scanner = WSHawkV2("ws://target.com")
scanner.use_headless_browser = True
scanner.use_oast = True
asyncio.run(scanner.run_intelligent_scan())

See Advanced Usage for more examples.

Responsible Disclosure

WSHawk is designed for:

  • ✓ Authorized penetration testing
  • ✓ Bug bounty programs
  • ✓ Security research
  • ✓ Educational purposes

Always obtain proper authorization before testing.

License

MIT License - see LICENSE file

Author

Regaan (@noobforanonymous)

Contributing

Contributions welcome! See CONTRIBUTING.md

Support

WSHawk v2.0 - Professional WebSocket Security Scanner

Built for the security community

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for regaan from gravatar.com regaan

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License
  • Author: Regaan
  • Tags websocket , security , scanner , penetration-testing , bug-bounty , vulnerability , xss , sqli , session-hijacking , cvss , playwright , oast , waf-bypass
  • Requires: Python >=3.8
Classifiers

Release history Release notifications | RSS feed

3.0.6

3.0.5

3.0.4

3.0.3

3.0.1

3.0.0

2.0.8

2.0.7

2.0.6

2.0.5

2.0.3

This version

2.0.2

2.0.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

wshawk-2.0.2.tar.gz (235.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

wshawk-2.0.2-py3-none-any.whl (253.2 kB view details)

Uploaded Python 3

File details

Details for the file wshawk-2.0.2.tar.gz.

File metadata

  • Download URL: wshawk-2.0.2.tar.gz
  • Upload date:
  • Size: 235.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for wshawk-2.0.2.tar.gz
Algorithm Hash digest
SHA256 11cf30d83091e0f548bbd168802e86410434e454ad38db46e3ba8b497d31505c
MD5 af4f0f9ddd1bf2f891ea4651bca36a65
BLAKE2b-256 2dece943439c4b521d042623c7d61957884399a66d4a714abea037197f36ae9f

See more details on using hashes here.

Provenance

The following attestation bundles were made for wshawk-2.0.2.tar.gz:

Publisher: python-publish.yml on noobforanonymous/wshawk

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file wshawk-2.0.2-py3-none-any.whl.

File metadata

  • Download URL: wshawk-2.0.2-py3-none-any.whl
  • Upload date:
  • Size: 253.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for wshawk-2.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 e73654399114070e4f47eb762eb93ab90bd4e3798ba9d7de27e141af905b619e
MD5 ee9f6c33b8062f76adf9f4e23205effc
BLAKE2b-256 4afcecbb55e445f4a4a6094c60ed2f05a5d7113b956d2da9f6f91ea1c1536f6c

See more details on using hashes here.

Provenance

The following attestation bundles were made for wshawk-2.0.2-py3-none-any.whl:

Publisher: python-publish.yml on noobforanonymous/wshawk

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page