Metadata-Version: 2.4
Name: wshawk
Version: 2.0.6
Summary: Professional WebSocket security scanner with real vulnerability verification, session hijacking tests, and CVSS scoring
Home-page: https://github.com/noobforanonymous/wshawk
Author: Regaan
Project-URL: Homepage, https://github.com/noobforanonymous/wshawk
Project-URL: Bug Reports, https://github.com/noobforanonymous/wshawk/issues
Project-URL: Source, https://github.com/noobforanonymous/wshawk
Keywords: websocket,security,scanner,penetration-testing,bug-bounty,vulnerability,xss,sqli,session-hijacking,cvss,playwright,oast,waf-bypass
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: Developers
Classifier: Topic :: Security
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Requires-Python: >=3.8
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: websockets>=12.0
Requires-Dist: playwright>=1.40.0
Requires-Dist: aiohttp>=3.9.0
Requires-Dist: PyYAML>=6.0
Dynamic: home-page
Dynamic: license-file
Dynamic: requires-python

# WSHawk v2.0 - Professional WebSocket Security Scanner

# SECURITY WARNING: FAKE VERSIONS CIRCULATING

> **PLEASE READ CAREFULLY:**  
> Fake versions of WSHawk are being distributed on third-party download sites and linked in social media posts (e.g., LinkedIn). These versions may contain **MALWARE**.  
>  
> **OFFICIAL SOURCES ONLY:**  
> - **Official Website:** [`https://wshawk.rothackers.com`](https://wshawk.rothackers.com)
> - **GitHub:** [`https://github.com/noobforanonymous/wshawk`](https://github.com/noobforanonymous/wshawk)  
> - **PyPI:** `pip install wshawk`  
> - **Docker:** `docker pull rothackers/wshawk` or `ghcr.io/noobforanonymous/wshawk`  
>  
> **DO NOT DOWNLOAD** from any other website. If you see "WSHawk" on a "software download" site, it is likely fake/malicious.


[![Python 3.8+](https://img.shields.io/badge/python-3.8+-blue.svg)](https://www.python.org/downloads/)
[![PyPI version](https://badge.fury.io/py/wshawk.svg)](https://badge.fury.io/py/wshawk)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![Playwright](https://img.shields.io/badge/Playwright-Supported-green.svg)](https://playwright.dev/)
[![Status: Production](https://img.shields.io/badge/status-production-green.svg)](https://github.com/noobforanonymous/wshawk)

**WSHawk v2.0** is a production-grade WebSocket security scanner with advanced features including real vulnerability verification, dynamic mutation, and comprehensive session security testing.

## Why WSHawk?

WSHawk is the only open-source WebSocket scanner that provides:
- **Real browser XSS verification** (Playwright) - Not just pattern matching
- **Blind vulnerability detection** via OAST - Finds XXE, SSRF that others miss
- **Session hijacking analysis** - 6 advanced session security tests
- **WAF-aware payload mutation** - Dynamic evasion techniques
- **CVSS-based professional reporting** - Industry-standard risk assessment

## Features

- **22,000+ Attack Payloads** - Comprehensive vulnerability coverage
- **Real Vulnerability Verification** - Confirms exploitability, not just reflection
- **Playwright XSS Verification** - Actual browser-based script execution testing
- **OAST Integration** - Detects blind vulnerabilities (XXE, SSRF)
- **Session Hijacking Tests** - Token reuse, impersonation, privilege escalation
- **Advanced Mutation Engine** - WAF bypass with 8+ evasion strategies
- **CVSS v3.1 Scoring** - Automatic vulnerability risk assessment
- **Professional HTML Reports** - Screenshots, replay sequences, traffic logs
- **Adaptive Rate Limiting** - Server-friendly scanning

### Vulnerability Detection
SQL Injection • XSS • Command Injection • XXE • SSRF • NoSQL Injection • Path Traversal • LDAP Injection • SSTI • Open Redirect • Session Security Issues

## Installation

### Option 1: pip (Recommended)

```bash
pip install wshawk

# Optional: For browser-based XSS verification
playwright install chromium
```

### Option 2: Docker

```bash
# From Docker Hub
docker pull rothackers/wshawk:latest

# Or from GitHub Container Registry
docker pull ghcr.io/noobforanonymous/wshawk:latest

# Run WSHawk
docker run --rm rothackers/wshawk ws://target.com

# Defensive validation
docker run --rm rothackers/wshawk wshawk-defensive ws://target.com
```

See [Docker Guide](docs/DOCKER.md) for detailed usage.

## Quick Start

WSHawk provides **3 easy ways** to scan WebSocket applications:

### Method 1: Quick Scan (Fastest)
```bash
wshawk ws://target.com
```
Perfect for CI/CD pipelines and quick security assessments.

### Method 2: Interactive Menu (User-Friendly)
```bash
wshawk-interactive
```
Shows interactive menu to select specific tests. Best for learning and manual testing.

### Method 3: Advanced CLI (Full Control)
```bash
# Basic scan
wshawk-advanced ws://target.com

# With Playwright XSS verification
wshawk-advanced ws://target.com --playwright

# Custom rate limiting
wshawk-advanced ws://target.com --rate 5

# All features enabled
wshawk-advanced ws://target.com --full
```

## Command Comparison

| Feature | `wshawk` | `wshawk-interactive` | `wshawk-advanced` |
|---------|----------|----------------------|-------------------|
| Ease of Use | High | High | Medium |
| Flexibility | Low | Medium | High |
| All Features | Yes | Yes | Yes |
| Menu Selection | No | Yes | No |
| CLI Options | No | No | Yes |
| Best For | Automation | Learning | Advanced Users |

## What You Get

All methods include:
- Real vulnerability verification (not just pattern matching)
- 22,000+ attack payloads
- Advanced mutation engine with WAF bypass
- CVSS v3.1 scoring for all findings
- Session hijacking tests (6 security tests)
- Professional HTML reports
- Adaptive rate limiting
- OAST integration for blind vulnerabilities
- Optional Playwright for browser-based XSS verification

## Output

WSHawk generates comprehensive HTML reports with:
- CVSS v3.1 scores for all vulnerabilities
- Screenshots (for XSS browser verification)
- Message replay sequences
- Raw WebSocket traffic logs
- Server fingerprints
- Actionable remediation recommendations

Reports saved as: `wshawk_report_YYYYMMDD_HHMMSS.html`

## Advanced Options

```bash
wshawk-advanced --help

Options:
  --playwright     Enable browser-based XSS verification
  --rate N         Set max requests per second (default: 10)
  --full           Enable ALL features
  --no-oast        Disable OAST testing
```

## Defensive Validation (NEW in v2.0.4)

WSHawk now includes a **Defensive Validation Module** designed for blue teams to validate their security controls.

```bash
# Run defensive validation tests
wshawk-defensive ws://your-server.com
```

### What It Tests

**1. DNS Exfiltration Prevention**
- Validates if DNS-based data exfiltration is blocked
- Tests egress filtering effectiveness
- Detects potential APT-style attack vectors

**2. Bot Detection Effectiveness**
- Tests if anti-bot measures detect headless browsers
- Validates resistance to evasion techniques
- Identifies gaps in bot protection

**3. CSWSH (Cross-Site WebSocket Hijacking)**
- Tests Origin header validation (216+ malicious origins)
- Validates CSRF token requirements
- Critical for preventing session hijacking

**4. WSS Protocol Security Validation**
- TLS version validation (detects deprecated SSLv2/v3, TLS 1.0/1.1)
- Weak cipher suite detection (RC4, DES, 3DES)
- Certificate validation (expiration, self-signed, chain integrity)
- Forward secrecy verification (ECDHE, DHE)
- Prevents MITM and protocol downgrade attacks

### Use Cases

- Validate security controls before production deployment
- Regular security posture assessment
- Compliance and audit requirements
- Blue team defensive capability testing

See [Defensive Validation Documentation](docs/DEFENSIVE_VALIDATION.md) for detailed usage and remediation guidance.


## Documentation

- [Getting Started Guide](docs/getting_started.md)
- [Advanced Usage](docs/advanced_usage.md)
- [Vulnerability Details](docs/vulnerabilities.md)
- [Session Security Tests](docs/session_tests.md)
- [Mutation Engine](docs/mutation_engine.md)
- [Architecture](docs/architecture.md)

## Python API

For integration into custom scripts:

```python
import asyncio
from wshawk.scanner_v2 import WSHawkV2

scanner = WSHawkV2("ws://target.com")
scanner.use_headless_browser = True
scanner.use_oast = True
asyncio.run(scanner.run_heuristic_scan())
```

See [Advanced Usage](docs/advanced_usage.md) for more examples.

## Responsible Disclosure

WSHawk is designed for:
- Authorized penetration testing
- Bug bounty programs
- Security research
- Educational purposes

**Always obtain proper authorization before testing.**

## License

MIT License - see [LICENSE](LICENSE) file

## Author

**Regaan** (@noobforanonymous)

## Contributing

Contributions welcome! See [CONTRIBUTING.md](CONTRIBUTING.md)

## Legal Disclaimer

**WSHawk is designed for security professionals, researchers, and developers for authorized testing only.**

- **Usage:** You must have explicit permission from the system owner before scanning.
- **Liability:** The author (Regaan) is **NOT** responsible for any damage caused by the misuse of this tool.
- **Malware:** WSHawk is a security scanner, NOT malware. Any repackaged version found on third-party sites containing malicious code is **NOT** associated with this project.

By using WSHawk, you agree to these terms and use it at your own risk.

## Support

- **Issues:** [GitHub Issues](https://github.com/noobforanonymous/wshawk/issues)
- **Documentation:** [docs/](docs/)
- **Examples:** [examples/](examples/)
- **Email:** support@rothackers.com

---

**WSHawk v2.0** - Professional WebSocket Security Scanner

*Built for the security community*
