Usage
Welcome to WRock - In this guide, we will walk you through the process of using WRock for comprehensive web scanning. Additionally, we will explore various advanced options.
-t TARGET or --target=TARGET: Specifies the target URL or domain of the web application you want to assess.
Example:
python3 webrock.py -t http://example.com
Replace http://example.com with the URL or domain of the target web application you want to assess. This command will trigger WRock to perform a comprehensive scan using the default scanning mode (-m s or -m scan). WRock will automatically detect potential security weaknesses and vulnerabilities in the specified web application.
WRock offers a wide range of advanced options to fine-tune your security assessments. Let's explore some examples:
Setting Mode: '-m' MODE or '--mode=MODE': Sets the mode for WRock. Options include:
-
rorrecon: Recon mode for subdomain enumeration. -
sorscan: Default scan mode for web scanning. -
corcrawl: Crawl mode for web crawling. -
aorjsanalyze: JavaScript analysis mode to identify potential vulnerabilities and sensitive data leak. -
forfuzz: Fuzz mode for advanced web application fuzzing.
Examples: Run in scan mode:
python3 webrock.py -t http://example.com -m scan
python3 webrock.py -t http://example.com -m recon
The -T or --threads option in WRock allows you to set the number of threads to be used during the scan. Threads are concurrent units of execution that enable WRock to process multiple tasks simultaneously, effectively reducing the time taken to complete the assessment.
Example:
python3 webrock.py -t http://example.com -T 10
In the example, we set the thread count to 10. Increasing threads enables faster and more efficient scans by distributing the workload. However, finding the right balance is crucial to avoid overloading the target server or network.
The optimal thread count depends on factors like target capacity, network bandwidth, and system resources. Experiment with different values to find the best fit for your scan.
The -H or --headers option enables you to specify custom headers for your HTTP requests. This allows you to simulate different user agents, set cookies, or add authentication tokens as needed to perform a more targeted and accurate assessment of the web application's security.
Example:
python3 webrock.py -t http://example.com -H "Authorization: Bearer mytoken;;User-Agent: MyCustomAgent"
In this example, WRock will send HTTP requests to "http://example.com/" with the custom headers "Authorization" and "User-Agent." This can be useful for testing specific authorization mechanisms and emulating different user agents during the assessment.
python3 webrock.py -t http://example.com --headers "Cookie: session=12345;;X-Forwarded-For: 192.168.1.1"
In this example, WRock will send HTTP requests to "http://example.com/" with the custom headers "Authorization" and "User-Agent." This can be useful for testing specific authorization mechanisms and emulating different user agents during the assessment.
-i INCLUDED_MODULES or --include=INCLUDED_MODULES: Includes specified vulnerabilities for scanning. You can focus on specific vulnerabilities of interest, such as SQL injection (sqli) or server-side request forgery (ssrf).
python3 webrock.py -t http://example.com -i sqli,ssrf
also you can exclude some vulnerabilities that WRock will searching for vulnerabilities except what you choose by using -i "-xss,-lfi"
Example:
python3 webrock.py -t http://target.com/ -i "-xss"
-p POST or --post-params=POST: Specifies POST parameters for web applications that require them. This is crucial for applications that use POST requests to transmit data.
python3 webrock.py -t http://example.com -p "username=admin&password=123456"
-f FORMAT or --format=FORMAT: Sets the output format for the scan results, allowing you to choose from different formats such as text or json.
python3 webrock.py -t http://example.com -f json -o output.json
The -o or --output option allows you to specify the file name to save the output of your web security assessment. By using this option, you can easily review and share the results with other team members or stakeholders, making it convenient for collaboration and documentation - available (txt - json).
python3 webrock.py -t http://example.com -o output.txt
python3 webrock.py -t http://example.com -f json -o output.json
In this example, WRock will perform a web security assessment on the target domain "http://example.com/." The -o option specifies that the output of the assessment should be saved to a file named "output.txt" for further analysis and reporting.
-v or --verbose: Increase the verbosity level of the scan results, providing more detailed information.
Example:
python3 webrock.py -t http://example.com -v
Another example but with using -l LEVEL or --level=LEVEL: Set the verbosity level, ranging from 1 to 3. Higher levels provide more detailed information.
Example:
python3 webrock.py -t http://example.com -l 3
python3 webrock.py -t http://example.com --level 3
--burp-collaborator=COLLABORATOR: Sets the Collaborator server host for detecting blind vulnerabilities.
Example:
python3 webrock.py -t http://example.com --burp-collaborator=host.burpcollaborator.net
The --sqlmap-format option allows WRock to save the output of vulnerable URLs in a format compatible with SQLMap. This feature simplifies the process of integrating WRock's scan results with SQLMap, a popular tool for automated SQL injection exploitation.
python3 webrock.py -t http://example.com --sqlmap-format
By adding the --sqlmap-format option to the command, WRock will save the URLs identified as vulnerable to SQL injection in a format that can be readily utilized by SQLMap. This seamless integration streamlines the process of further investigating and exploiting SQL injection vulnerabilities.
The --xsshunter option in WRock allows you to set the XSSHunter URL for detecting Cross-Site Scripting (XSS) vulnerabilities. XSSHunter is a platform designed to identify and test for XSS vulnerabilities in web applications.
python3 webrock.py -t http://example.com --xsshunter=https://hacker.xss.ht
The --depth option is used during web crawling to specify the depth of the scan. It determines how many levels of links WRock will follow while scanning. By setting the depth, you can control how far the crawler will explore the website's link structure, providing you with a flexible approach to assess the web assets at different levels.
Example:
python3 webrock.py -t http://example.com --mode=c --depth=3
In this example, WRock will perform a web crawling scan on the target domain "http://example.com/" with a depth of 3, meaning it will follow links up to three levels deep to discover and assess web assets.
The --subs option instructs the web crawler to include subdomains during the scanning process. This expands the scope of the assessment, enabling WRock to cover additional web assets associated with the target domain. Subdomains are commonly used to host various web applications and services, and including them in the scan helps to identify potential security weaknesses across the entire domain.
Example:
python3 webrock.py -t http://example.com --mode=c --subs
python3 webrock.py -t http://target.com/ -m c --depth 2 --subs -o urls.txt
In this example, WRock will perform a web crawling scan on the target domain "http://example.com/" and include subdomains in the scan. This allows WRock to explore and assess web assets on subdomains like "app.example.com," "api.example.com," and more.
The --insecure option disables TLS verification during scanning. This is particularly useful when dealing with websites that have self-signed or invalid SSL certificates.
Example:
python3 webrock.py -t https://example.com --insecure
The --no-crawl option disables the web crawler during scanning or JavaScript analysis. When used, WRock will skip the crawling phase and directly scan the main URL provided with the -t option. This is helpful when you want to scan a specific page or when you have already gathered URLs and don't need the crawler to discover additional links.
python3 webrock.py -t http://example.com --mode=s --no-crawl
In this example, WRock will perform a scan on the target domain "http://example.com/" without crawling other links. This allows WRock to focus solely on scanning the main URL.
The --get-sc option retrieves the status code of crawled URLs during the crawling process. It provides valuable information about the availability and response status of various web assets, helping you identify broken links, 404 pages, and other status code-related issues.
python3 webrock.py -t http://example.com --mode=c --get-sc
In this example, WRock will perform a web crawling scan on the target domain "http://example.com/" and retrieve the status codes of crawled URLs. This enables you to analyze the health and accessibility of different web assets.
The --no-outofscope option excludes out-of-scope pages from the scan. using this option ensures that WRock only assesses web assets relevant to the target domain, helping you stay focused on your defined scope.
python3 webrock.py -t http://example.com --mode=c --no-outofscope
In this example, WRock will perform a web crawling scan on the target domain "http://example.com/" while excluding any out-of-scope pages defined by the user. This allows you to concentrate on the specific areas you intend to assess.
--sources=SOURCES Allows custom selection of enumeration sources to tailor the subdomain enumeration process.
Example:
python3 webrock.py -t http://example.com --mode recon --sources crt,bufferover --timeout 60
In this example, the scanner will use both the "crt" and "bufferover" sources for subdomain enumeration with a timeout of 60 seconds.
Another Example:
python3 webrock.py -t http://example.com --mode recon --sources crt,alienvault,threatcrowd -o output.txt
Here, the enumerator uses the "crt," "alienvault," and "threatcrowd" sources for subdomain enumeration, and saves the output in a file called "output.txt".
--timeout=TIMEOUT Specifies the timeout duration for the subdomain enumeration process.
Example:
python3 webrock.py -t http://example.com --mode recon --timeout 10
Setting a specific timeout ensures that the subdomain enumeration process does not take too long to complete, preventing unnecessary delays in your assessments.
Note: Time out (default = 30)
--subfinder-apis=SUBFINDER_APIS Allows using custom APIs with Subfinder for subdomain enumeration.
Example:
python3 webrock.py -t http://example.com --mode recon --subfinder-apis "Source1:API1+API2,Source2:API1"
And also you can pass the APIs in a yaml file as subfinder.
Example:
python3 webrock.py -t http://example.com --mode recon --subfinder-apis path/to/apis.yaml
--subfinder-all BenefitInstructs the scanner to use all available sources supported by Subfinder.
Example:
python3 webrock.py -t http://example.com --mode recon --subfinder-all
By using all available sources, you can comprehensively collect subdomains associated with the target domain, ensuring a thorough assessment.
--maxEnumerationTime=MAXENUMERATIONTIME Specifies the maximum time in minutes for subdomain enumeration.
Example:
python3 webrock.py -t http://example.com --mode recon --maxEnumerationTime 10
This option allows you to control the duration of the enumeration process, preventing it from running indefinitely and efficiently managing resources.
--recursive Enables recursive collection of subdomains, exploring each subdomain for additional ones.
Example:
python3 webrock.py -t http://example.com --mode recon --recursive
With recursive subdomain collection, you can discover subdomains that might not be directly linked to the main domain, expanding your attack surface.
--sublist3r Uses Sublist3r as an enumeration source for additional subdomain discovery.
Example:
python3 webrock.py -t http://example.com --mode recon --sublist3r
Sublist3r is a powerful tool that complements other sources, providing a more comprehensive view of subdomains.
--revip Performs reverse IP lookup on all collected subdomains.
Example:
python3 webrock.py -t http://example.com --mode recon --revip
Reverse IP lookup enhances reconnaissance by identifying other domains hosted on the same IP address, which can uncover related assets or shared infrastructure.
python3 webrock.py -t target.com -m r+s
python3 webrock.py -t target.com -m r+s -o results.txt
--by-platform=BY_PLATFORMS:
Specify specific extractors based on comma-separated platforms to perform in-depth analysis of JavaScript files.
Example:
python3 webrock.py -t https://target.com/ -m a --by-platform Google,GitHub,General
--by-key=BY_KEYS
Choose specific extractors based on comma-separated keys to identify potential vulnerabilities in JavaScript files.
Example:
python3 webrock.py -t http://example.com -m a --by-key=APIKey,OAuth,JWT
These JS Analyzer options allow you to fine-tune the analysis of JavaScript files, enabling you to focus on specific platforms or keys that may be critical for your web security assessments. With WRock's advanced JS Analyzer, you can efficiently detect vulnerabilities and security issues hidden within JavaScript code, providing you with comprehensive insights to fortify your web assets.
| Matcher Name | Description |
|---|---|
| mc | Match HTTP status codes, or "all" for everything. (Default: 200, 204, 301, 302, 307, 401, 403, 405, 500) |
| ml | Match the amount of lines in the response. |
| mr | Match a regular expression in the response. |
| ms | Match the HTTP response size. |
| mt | Match how many milliseconds to the first response byte, either greater or less than. (E.g., >100 or <100) |
| mw | Match the amount of words in the response. |
| Filter Name | Description |
|---|---|
| fc | Filter HTTP status codes from the response. Use a comma-separated list of codes and ranges. |
| fl | Filter by the amount of lines in the response. Use a comma-separated list of line counts and ranges. |
| fr | Filter using a regular expression. |
| fs | Filter HTTP response size. Use a comma-separated list of sizes and ranges. |
| ft | Filter by the number of milliseconds to the first response byte, either greater or less than. (E.g., >100 or <100) |
| fw | Filter by the amount of words in the response. Use a comma-separated list of word counts and ranges. |
python3 webrock.py -t http://example.com -m f --matchers "matcherName:value1,value2-matcherName2:value"
and then you will replace the value1 and value2 and the mathchername2 with the :value with the option you want that shown in the mentioned table
Option: --wordlists=WORDLISTS
The --wordlists option allows you to specify the path to a wordlist file that WRock will use for fuzzing. Fuzzing involves injecting various input values (words) into specific parts of the URL, headers, cookies, and other parts of the HTTP request to identify potential vulnerabilities caused by unexpected input.
python3 webrock.py -t https://target.com/FUZZ -m fuzz --wordlists path/to/wordlist.txt
In this example, WRock will perform fuzzing using the words in the specified wordlist file /path/to/wordlist.txt, replacing the FUZZ keyword in the target URL with each word from the wordlist.
You can supply one or more wordlists on the command line, and in case you wish (or are using multiple wordlists) you can choose a custom FUZZ keyword for them. To do this, add a colon and the name after the wordlist filename (without whitespaces). Default is always FUZZ. A single keyword can also be used in multiple locations in the HTTP request.
python3 webrock.py -t https://target.com/CUSTOMKEYWORD -m fuzz --wordlists path/to/wordlist.txt:CUSTOMKEYWORD
Multiple wordlists
You can supply ffuf with multiple wordlists (remember to configure a custom keyword for them though!). The behavior differs from the operation mode selected.
python3 webrock.py -t https://WORD.DOMAIN/ -m fuzz --wordlists path/to/domains.txt:DOMAIN,path/to/words.txt:WORD --matchers mc:all
Option: --matchers=MATCHERS
The --matchers option allows you to define specific matchers that WRock will use to identify successful fuzzing results. Matchers are used to detect changes in the response based on the injected words, helping you identify potential vulnerabilities.
python3 webrock.py -t https://target.com/FUZZ -m f --wordlists path/to/wordlist.txt --matchers "mc:404,200-ms:469,5474" --matcher-mode and
Option: --matcher-mode
The --matcher-mode option lets you define the set operator for multiple matchers. You can choose between and and or to specify whether all matchers should pass (and) or at least one matcher should pass (or).
python3 webrock.py -t http://example.com/FUZZ -m f --wordlists /path/to/wordlist.txt --matchers mc:200-ms:867 --matcher-mode or
Option: --fuzz-recursion
The --fuzz-recursion option allows you to scan recursively, applying fuzzing to discovered FUZZ keyword(s) in the response. This is helpful when the initial fuzzing identifies potential injection points that require further fuzzing.
python3 webrock.py -t http://example.com/FUZZ --mode=f --wordlists /path/to/wordlist.txt --fuzz-recursion --recursion-depth 3
In this example, WRock will perform recursive fuzzing on discovered FUZZ keyword(s) in the response.
Option: --recursion-depth
Benefit: The --recursion-depth option sets the maximum recursion depth when using the --fuzz-recursion option. It determines how many levels of recursive fuzzing WRock will perform.
python3 webrock.py -t http://example.com/FUZZ --mode=f --wordlists /path/to/wordlist.txt --fuzz-recursion --recursion-depth 3
In this example, WRock will perform recursive fuzzing up to a depth of 3 levels.
Perform Brute forcing:
Enables the Brute Force mode for username and password enumeration.
Example:
python3 webrock.py -t "http://hostname/dvwa/vulnerabilities/brute/?username=USER&password=PASSWD&Login=Login" -m f --wordlists path/to/users.txt:USER,path/to/pass.txt:PASSWD --matchers mc:200 --filters fr:incorrect -H "Cookie: security=low; PHPSESSID=Value"
WRock is a powerful web security tool that offers a wide range of features for comprehensive assessments. With support for Go, C, and Python, it provides efficient scanning, crawling, and analysis. From subdomain enumeration to customizable headers and advanced fuzzing! 🚀💻🔒