Skip to content
/ waymap Public

Waymap is a fast and optimized web vulnerability scanner built for penetration testers. It helps in identifying vulnerabilities by testing against various payloads.

waymapscanner.github.io/

License

GPL-3.0 license
112 stars 20 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

TrixSec/waymap

BranchesTags

Repository files navigation

Waymap v7.2.0 - Web Vulnerability Scanner & Web Application Security Toolkit

Current Version: 7.2.0

Waymap is a fast, practical web vulnerability scanner and web application security testing toolkit for:

  • SQL Injection (SQLi) testing (Boolean-based, Error-based, Time-based)
  • XSS scanning (reflected payload testing)
  • Command Injection / RCE scanning (safe marker-based checks)
  • LFI, CRLF Injection, CORS misconfiguration, Open Redirect
  • API Security Testing for REST and GraphQL (auth checks, introspection, basic abuse checks)
  • WordPress vulnerability scanning (WPScan API batch lookups for core/plugins/themes)

Waymap focuses on automation-friendly scanning with consistent output, session-based result saving, and secrets management.

What’s New in v7.2.0

Discovery & Target Acquisition (Google Dorking)

  • SearchAPI-powered Google dork discovery via --dork
  • Pagination support (page parameter) to fetch all available result pages
  • Domain blacklist support using config/waymap/domain_blacklist.txt
  • Saves only parameterized URLs (must include ? and =) for scan-ready targets

Secrets Management (API Keys)

Waymap supports storing secrets outside code:

  • config/waymap/secrets.json
    • searchapi_api_key
    • wpscan_api_token

Keys can be supplied via:

  • CLI (ex: --dork-api-key, --wpscan-token)
  • env vars (ex: SEARCHAPI_API_KEY, WPSCAN_API_TOKEN)
  • secrets file (preferred)

WordPress Vulnerability Profile (WPScan API)

  • Single profile: --profile wordpress
  • Lightweight WordPress detection gate before calling WPScan
  • Uses WPScan API v3 batch (POST /batch) with multiple lookup items
  • Saves output (including failures) to sessions/<domain>/waymap_full_results.json

RCE / Command Injection Scanner

  • New scan type: --scan rce
  • Safe marker-based payloads (no destructive commands)
  • Works on parameterized URLs
  • Saves results to sessions/<domain>/waymap_full_results.json

Installation

pip install -r requirements.txt

Quick Start

1) Scan a target (standard web vulnerability scanning)

python waymap.py --target https://example.com --scan xss --crawl 2

2) RCE / Command Injection scan

python waymap.py --target "https://example.com/page.php?id=1" --scan rce

3) WordPress vulnerability scan (WPScan profile)

python waymap.py --target https://example.com --profile wordpress

4) Discover targets using Google dorks (SearchAPI)

python waymap.py --dork "inurl:.php?id="

By default results are saved to dork_targets.txt (or to a domain session if --target is also provided).

Full CLI Usage

See usage.md for every CLI option and example commands.

Configuration

Secrets file

Create/edit:

config/waymap/secrets.json

{
  "searchapi_api_key": "",
  "wpscan_api_token": ""
}

Domain blacklist for discovery

Edit:

config/waymap/domain_blacklist.txt

One domain per line (subdomains are matched too).

Supported Scan Types

Use --scan with one of:

  • sqli
  • xss
  • cmdi
  • rce
  • ssti
  • lfi
  • open-redirect
  • crlf
  • cors
  • api
  • all
  • recon
  • misconfig
  • redirect
  • injection-advanced
  • graphql-suite
  • auth-logic
  • cache-smuggling
  • wordpress-extras
  • optional

Vulnerability Coverage (What Waymap Actually Checks)

Waymap is designed as a practical HTTP scanner. Many checks are best-effort and depend on:

  • Target behavior
  • Response content
  • Available endpoints
  • Whether a URL has parameters (?a=b) where required

All findings are saved per target domain to:

  • sessions/<domain>/waymap_full_results.json

--scan recon (Foundation Recon)

Recon is focused on identifying technologies, attack surface, and low-effort exposure signals.

  • Tech fingerprinting
    • Server and framework hints from headers (ex: Server, X-Powered-By, generator tags)
  • CMS fingerprinting
    • Pattern matching for common CMS assets (ex: WordPress/Joomla/Drupal/Magento)
  • Robots + sitemap enumeration
    • Fetches robots.txt and common sitemap endpoints and extracts listed paths/URLs
  • Sitemap endpoint enumeration
    • Tries common sitemap locations to discover hidden endpoints
  • Parameter mining
    • Extracts and deduplicates query parameter names from crawled URLs
  • Content discovery (wordlist-lite)
    • Probes common paths for exposed resources
  • Virtual host fuzzing (best-effort)
    • Sends requests with a crafted Host header and compares response similarity
  • Subdomain takeover signals (best-effort)
    • Matches common takeover error fingerprints in HTML
  • Open bucket detection (best-effort)
    • Looks for bucket listing responses and directory-index patterns
  • DNS zone transfer checks (best-effort)
    • Runs limited nslookup checks to detect transfer-like responses

--scan misconfig (Misconfiguration & Exposure)

Misconfig scans are aimed at common, high-impact web hardening issues.

  • Security headers audit
    • Detects missing headers such as CSP/HSTS/XFO/XCTO/Referrer-Policy/Permissions-Policy
  • CSP analysis
    • Records CSP presence/value for review
  • HSTS audit
    • Records HSTS presence/value
  • Clickjacking signals
    • Flags missing X-Frame-Options and missing frame-ancestors in CSP
  • Cookie security flags
    • Extracts Set-Cookie and reports Secure/HttpOnly/SameSite presence per cookie
  • Version disclosure
    • Flags version-like patterns in headers such as Server, X-Powered-By, X-AspNet-Version
  • Admin panel discovery
    • Probes common admin/login paths
  • Debug endpoint discovery
    • Probes common debug/status/profiler/phpinfo endpoints
  • Sensitive file exposure
    • Probes common secrets/config paths (ex: /.git/config, /.env, wp-config.php, composer.lock)
  • Secrets exposure (aggregated)
    • Records hits from sensitive files and env exposure under a shared secrets key
  • Backup file exposure
    • Probes common backup/archive filenames
  • Directory listing checks
    • Detects directory index patterns (ex: “Index of /”)
  • Swagger/OpenAPI exposure
    • Probes common swagger.json, openapi.json, swagger-ui/ locations
  • SOAP/WSDL exposure
    • Probes common ?wsdl / /wsdl endpoints
  • CSRF token presence (heuristic)
    • If the page contains forms but no obvious CSRF token field names
  • CORS (advanced quick check)
    • Sends an OPTIONS request with an attacker Origin and flags permissive allow-origin + credentials
  • TLS/SSL audit (best-effort)
    • Captures TLS version and cipher for HTTPS targets
  • TRACE method exposure (best-effort)
    • Attempts a TRACE request and records 200 responses
  • File upload form discovery (heuristic)
    • Detects HTML <input type="file"> fields (useful for prioritizing upload testing)

--scan redirect (Redirect / Header Injection)

  • Host header injection (best-effort)
    • Sends a crafted Host and checks for reflection via Location or response body
  • Open redirect (advanced quick check)
    • For parameterized URLs, replaces common parameters and checks Location reflection
  • CRLF injection / HTTP response splitting (best-effort)
    • Injects CRLF payloads and checks for injected header reflection
  • Request splitting (best-effort)
    • Recorded when CRLF/header injection signals are detected

--scan injection-advanced (Advanced Injection Expansion)

  • SSRF
    • Tests common internal targets (localhost/127.0.0.1/cloud metadata) and looks for response keywords
  • Cloud metadata SSRF
    • Special-cases metadata endpoints and stores separately when detected
  • XXE (best-effort)
    • Attempts a basic XML payload on URLs that look XML-related and matches file-content keywords
  • HTTP Parameter Pollution (HPP) (heuristic)
    • Compares baseline response length vs polluted values for large deltas
  • HTTP method tampering (best-effort)
    • Reads Allow header from OPTIONS and flags risky methods
  • HTTP PUT upload / WebDAV hints (best-effort)
    • Flags if methods suggest upload capability; records DAV headers
  • Path traversal
    • Tests common traversal payloads and matches OS file markers
  • Remote File Inclusion (RFI) (heuristic)
    • Attempts a safe external include marker and checks for expected content
  • SSTI (advanced heuristic)
    • Injects simple expressions and checks for evaluation signals
  • RCE (advanced marker-based)
    • Injects safe echo markers and checks for reflection
  • LFI -> RCE chain (best-effort)
    • Attempts /proc/self/environ style inclusion with a UA marker
  • NoSQL injection (heuristic)
    • Injects a simple $ne payload and flags large response deltas
  • Prototype pollution (heuristic)
    • Tries __proto__ payloads and looks for simple reflection signals
  • Email header injection / SMTP injection (best-effort)
    • Targets email-like parameters with CRLF payloads and checks reflection
  • Reflected file download (best-effort)
    • Looks for attacker-controlled filenames reflected in Content-Disposition

--scan graphql-suite (GraphQL Security Suite)

  • Endpoint discovery
    • Probes common GraphQL paths
  • Introspection exposure
    • Attempts introspection queries and flags successful schema responses
  • Unauthenticated access signals
    • Records if GraphQL responds successfully without auth
  • Batching checks (best-effort)
    • Attempts basic batching behavior probes
  • Depth/complexity signals (best-effort)
    • Tries deeper queries and records error/success signals
  • Schema dump (best-effort)
    • Stores returned schema payloads when available
  • Subscriptions checks (best-effort)
    • Probes subscription capability signals

--scan auth-logic (Auth & API Logic)

Logic checks focus on patterns indicating missing authorization or broken access control.

  • IDOR (heuristic)
    • Flags endpoints/parameters that look like object identifiers for prioritization
  • Broken access control signals (heuristic)
    • Records suspicious patterns in responses and endpoint behavior
  • Mass assignment signals (heuristic)
    • Records endpoints that likely accept JSON bodies for model binding
  • NoSQL injection signals (heuristic)
    • Lightweight payload testing for common NoSQL patterns
  • OAuth misconfiguration signals (best-effort)
    • Attempts to detect obvious OAuth endpoint patterns
  • JWT checks (best-effort)
    • Detects obvious JWT usage patterns and records configuration hints
  • Basic auth bruteforce safety (non-destructive)
    • Only reports presence/signals; does not perform aggressive brute force

--scan cache-smuggling (Cache & Request Smuggling)

  • Cache poisoning signals (best-effort)
    • Sends header variants and checks for caching-related response differences
  • Cache deception signals (best-effort)
    • Probes cacheable-looking paths and records caching behavior hints
  • Web cache routing signals (best-effort)
    • Probes for routing headers and caching indicators
  • HTTP desync/smuggling indicators (best-effort)
    • Performs lightweight probes and records suspicious responses

--scan wordpress-extras (WordPress Add-ons)

  • User enumeration (best-effort)
    • Checks common enum patterns (ex: author archives)
  • XML-RPC exposure
    • Detects if xmlrpc.php is reachable and provides capability hints
  • Readme exposure
    • Checks common WP readme endpoints
  • Backup/config exposure
    • Probes WP-specific config/backup filenames
  • Plugin/theme enumeration (best-effort)
    • Tries to identify common plugin/theme paths
  • Hardening audit (best-effort)
    • Records presence/absence of common security controls for WP targets

--scan optional (Optional Checks)

  • WebSocket security checks (best-effort)
    • Detects websocket endpoints/signals
  • WAF detection (extended)
    • Records WAF fingerprints and blocking behavior
  • Redirect chain inspection
    • Records redirect sequences that may hide endpoint transitions

API Security Testing (REST / GraphQL)

python waymap.py --target https://api.example.com --scan api --api-type rest
python waymap.py --target https://api.example.com/graphql --scan api --api-type graphql

Optional:

  • --api-endpoints /users,/login (REST)

Authentication Support

Supported --auth-type values:

  • form
  • basic
  • digest
  • bearer
  • api_key

Example:

python waymap.py --target https://example.com --auth-type bearer --token "YOUR_TOKEN" --scan all

Reporting

python waymap.py --target https://example.com --scan all --report-format html,csv,markdown --output-dir reports

Results / Output Files

Waymap stores scan output per target domain:

  • sessions/<domain>/waymap_full_results.json

This includes findings from:

  • Standard vulnerability scans
  • WordPress profile scans
  • RCE scan

Help

python waymap.py --help

Legal / Disclaimer

Waymap is intended for authorized security testing and educational use only.

Support

Issues: https://github.com/TrixSec/waymap/issues

JOIN US ON TELEGRAM

Telegram

About

Waymap is a fast and optimized web vulnerability scanner built for penetration testers. It helps in identifying vulnerabilities by testing against various payloads.

waymapscanner.github.io/

Topics

python scanner hacking waf command-line-tool bypass sqlmap exploitation-framework xss-detection sql-scanner sqlinjection command-injection lfi-exploitation ssti open-redirect-detection sqli-scanner command-injection-scanner waymap trixsec website-hacking-tool

Resources

Readme

License

GPL-3.0 license
Activity

Stars

112 stars

Watchers

5 watching

Forks

20 forks
Report repository

Releases 13

Waymap v7.2.0 - Web Vulnerability Scanner & Web Application Security Toolkit Current Version: 7.2.0 Latest
Jan 25, 2026
+ 12 releases

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages