The types of scans that methodwebtest can conduct are constantly growing. For the most up-to-date listing, please see the documentation.
To learn more about methodwebtest, please see the Documentation site for the most detailed information.
For the full list of available installation options, please see the Installation page. For convenience, here are some of the most commonly used options:
docker run methodsecurity/methodwebtest
docker run ghcr.io/method-security/methodwebtest
- Download the latest binary from the GitHub Releases page
- Installation documentation
methodwebtest pentest dast --vuln-types SSTI --targets https://0ad400c9035b8f508075e9e200180071.web-security-academy.net/ --params ewogICJwYXJhbXMiOiBbCiAgICB7CiAgICAgICJsb2NhdGlvbiI6ICJxdWVyeSIsCiAgICAgICJuYW1lIjogIm1lc3NhZ2UiLAogICAgICAidmFsdWUiOiAiJXMiCiAgICB9CiAgXQp9 --http-methods GET
The --params value is Base64-encoded JSON. Decoded, it reads:
{
  "params": [
    {
      "location": "query",
      "name": "message",
      "value": "%s"
    }
  ]
}
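Added example (not part of the methodwebtest project): shell helpers that decode a --params value for review before a scan is launched and rebuild it from the JSON fields shown above. The function names are hypothetical, and `base64 -d` assumes GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example, not methodwebtest code. Function names are hypothetical.
# Assumes a base64 utility that accepts -d (GNU coreutils, BusyBox).
set -eu

# --params value copied from the SSTI command on this page.
PAGE_PARAMS='ewogICJwYXJhbXMiOiBbCiAgICB7CiAgICAgICJsb2NhdGlvbiI6ICJxdWVyeSIsCiAgICAgICJuYW1lIjogIm1lc3NhZ2UiLAogICAgICAidmFsdWUiOiAiJXMiCiAgICB9CiAgXQp9'

# Decode a --params value so the JSON can be reviewed before a scan is launched.
decode_params() {
  printf '%s' "$1" | base64 -d
}

# Encode JSON as one unwrapped Base64 line (some base64 tools wrap at 76 columns).
encode_params() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Build the single-parameter document in the layout shown on this page.
# $1=location  $2=name  $3=value. No JSON escaping is done, so the arguments
# must not contain double quotes or backslashes.
build_params_json() {
  printf '{\n  "params": [\n    {\n      "location": "%s",\n      "name": "%s",\n      "value": "%s"\n    }\n  ]\n}' "$1" "$2" "$3"
}

# Review what the page's command would send.
decode_params "$PAGE_PARAMS"
echo

# Rebuild the value from its fields and confirm it matches the page's blob.
rebuilt=$(encode_params "$(build_params_json query message '%s')")
if [ "$rebuilt" = "$PAGE_PARAMS" ]; then
  echo "rebuilt value matches the --params value on this page"
else
  echo "rebuilt value differs from the --params value on this page" >&2
fi
```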
- Sign up for a free account with PortSwigger and launch the following lab, then replace the URL in the example with the lab URL and fire!
methodwebtest pentest scan --scan-types cve --targets https://example.com --modules 2023,2024,2025
(Reference reusable-build.yaml)
- Build ARM64 builder image:
  docker buildx build . --platform linux/arm64 --load --tag armbuilder -f Dockerfile.builder
- Build ARM64 image:
  docker run -v .:/app/methodwebtest -e GOARCH=arm64 -e GOOS=linux --rm armbuilder goreleaser build --single-target -f .goreleaser/goreleaser-build.yml --snapshot --clean
- cp dist/linux_arm64/build-linux_linux_arm64/methodwebtest .
- docker buildx build . --platform linux/arm64 --load --tag methodwebtest:local -f Dockerfile
- Open shell:
  docker run -it --rm --entrypoint /bin/bash methodwebtest:local
- OR run command without shell example:
  docker run methodwebtest:local TODO
This tool runs on a headless-shell base image to support Chrome/Chromium browser automation. The Dockerfile uses Debian-based install tools.
Interested in contributing to methodwebtest? Please see our organization-wide Contribution page.
If you're looking for an easy way to tie methodwebtest into your broader cybersecurity workflows, or want to leverage some autonomy to improve your overall security posture, you'll love the broader Method Platform.
For more information, visit us here.
methodwebtest is a Method Security open source project.
Learn more about Method's open source work by checking out our other projects here or our organization-wide documentation here.
Have an idea for a Tool to contribute? Open a Discussion here.