session:endevents have been introduced in the event bus to allow agents to perform bootstrap and cleanup tasks if needed
- A temporary user directory is now created for the Chrome/Chromium process and additional command line flags have been added to increase compartmentalization
- Production versions of Vue.js and Vue Router are now used in the HTML report for increased performance
- List of user agents have been updated to current list of most common user agents
- The pagination logic in the new HTML report would skip the page or cluster at index 0 as the
v-forfunction on an integer value in Vue.js starts from 1 and not 0
- Session data will now be written to output directory as
url_hostname_resolveragent that resolves page's hostnames to IP addresses
url_page_title_extractorthat extracts HTML page titles from responsive pages
- New command line flag
-template-pathto specify a custom template to use for the HTML report
- New command line flag
-sessionto load a previous Aquatone session file and generate a report on its data
- Aquatone is now compiled for ARM64 in
- Bigger refactoring of session and pages
- New Vue.js powered HTML report with lots of new cool stuff:
- New look and feel
- Pages can now be viewed in different modes:
- By Similarity: Pages are displayed in clusters by their HTML structure similarity
- By Hostname: Pages are displayed in clusters by their hostname
- Single Pages: Pages are shown one-by-one with bigger screenshots and response headers (oldschool Aquatone style)
- Vis.js powered network graph view to see relations between pages, IP addresses and technologies
- Page clusters are now rendered in a paginated carousel view instead of horizontally scrollable lanes
- Clusters and pages are paginated to improve performance on large reports
- Page titles are now shown for pages
url_loggeragent (no longer needed)
NOTE: This release changes the base file names for screenshots, headers and HTML files to include a partial hash of the URL path and fragment in order to support multiple URLs on the same host. Beware of this if you do any automation with files generated by Aquatone!
- The Nmap/Masscan XML report parser did not ignore closed/filtered ports. It now only works on ports with state
- Support for processing of multiple URLs on the same host by appending hash of URL path and fragment to file names
- Support for defining default output directory in
- Automatic SSL/TLS detection on non-standard ports
- URL Screenshotter agent now takes extra steps to ensure that the browser process is killed after use
- Version flag to output current version (woah!!!)
- Packages and other dependencies have been updated to latest versions
- User-Agent list has been updated to current most common agents
- Wappalyzer technology fingerprints have been updated
The Sub Resource Integrity check on the external CSS resource caused it to not load as the file had unexpectedly changed. This broke the HTML report generated by Aquatone. This version removes the SRI attribute to make sure the resource is always loaded.
- Responsive URLs are now written to
aquatone_urls.txt. Thanks eur0pa!
- A warning is printed when older versions of Chromium is detected which has known problems with screenshotting HTTPS URLs
- Aquatone had trouble processing a single or very few targets. A small delay has been added to give agents time to emit all their events
Fixes a bug where the random User-Agent and other spoofing request headers where not properly set when requesting URLs.
Web technology in use on websites are now detected and displayed in reports. Detection of domain takeover vulnerabilities is now also detected across 20 different services.
Aquatone has been simplified and rewritten in Golang. Read about it here.