Current Version: 7.2.0
Waymap is a fast, practical web vulnerability scanner and web application security testing toolkit for:
- SQL Injection (SQLi) testing (Boolean-based, Error-based, Time-based)
- XSS scanning (reflected payload testing)
- Command Injection / RCE scanning (safe marker-based checks)
- LFI, CRLF Injection, CORS misconfiguration, Open Redirect
- API Security Testing for REST and GraphQL (auth checks, introspection, basic abuse checks)
- WordPress vulnerability scanning (WPScan API batch lookups for core/plugins/themes)
Waymap focuses on automation-friendly scanning with consistent output, session-based result saving, and secrets management.
- SearchAPI-powered Google dork discovery via
--dork - Pagination support (
pageparameter) to fetch all available result pages - Domain blacklist support using
config/waymap/domain_blacklist.txt - Saves only parameterized URLs (must include
?and=) for scan-ready targets
Waymap supports storing secrets outside code:
config/waymap/secrets.jsonsearchapi_api_keywpscan_api_token
Keys can be supplied via:
- CLI (ex:
--dork-api-key,--wpscan-token) - env vars (ex:
SEARCHAPI_API_KEY,WPSCAN_API_TOKEN) - secrets file (preferred)
- Single profile:
--profile wordpress - Lightweight WordPress detection gate before calling WPScan
- Uses WPScan API v3 batch (
POST /batch) with multiple lookup items - Saves output (including failures) to
sessions/<domain>/waymap_full_results.json
- New scan type:
--scan rce - Safe marker-based payloads (no destructive commands)
- Works on parameterized URLs
- Saves results to
sessions/<domain>/waymap_full_results.json
pip install -r requirements.txtpython waymap.py --target https://example.com --scan xss --crawl 2python waymap.py --target "https://example.com/page.php?id=1" --scan rcepython waymap.py --target https://example.com --profile wordpresspython waymap.py --dork "inurl:.php?id="By default results are saved to dork_targets.txt (or to a domain session if --target is also provided).
See usage.md for every CLI option and example commands.
Create/edit:
config/waymap/secrets.json
{
"searchapi_api_key": "",
"wpscan_api_token": ""
}Edit:
config/waymap/domain_blacklist.txt
One domain per line (subdomains are matched too).
Use --scan with one of:
sqlixsscmdircesstilfiopen-redirectcrlfcorsapiallreconmisconfigredirectinjection-advancedgraphql-suiteauth-logiccache-smugglingwordpress-extrasoptional
Waymap is designed as a practical HTTP scanner. Many checks are best-effort and depend on:
- Target behavior
- Response content
- Available endpoints
- Whether a URL has parameters (
?a=b) where required
All findings are saved per target domain to:
sessions/<domain>/waymap_full_results.json
Recon is focused on identifying technologies, attack surface, and low-effort exposure signals.
- Tech fingerprinting
- Server and framework hints from headers (ex:
Server,X-Powered-By, generator tags)
- Server and framework hints from headers (ex:
- CMS fingerprinting
- Pattern matching for common CMS assets (ex: WordPress/Joomla/Drupal/Magento)
- Robots + sitemap enumeration
- Fetches
robots.txtand common sitemap endpoints and extracts listed paths/URLs
- Fetches
- Sitemap endpoint enumeration
- Tries common sitemap locations to discover hidden endpoints
- Parameter mining
- Extracts and deduplicates query parameter names from crawled URLs
- Content discovery (wordlist-lite)
- Probes common paths for exposed resources
- Virtual host fuzzing (best-effort)
- Sends requests with a crafted
Hostheader and compares response similarity
- Sends requests with a crafted
- Subdomain takeover signals (best-effort)
- Matches common takeover error fingerprints in HTML
- Open bucket detection (best-effort)
- Looks for bucket listing responses and directory-index patterns
- DNS zone transfer checks (best-effort)
- Runs limited
nslookupchecks to detect transfer-like responses
- Runs limited
Misconfig scans are aimed at common, high-impact web hardening issues.
- Security headers audit
- Detects missing headers such as CSP/HSTS/XFO/XCTO/Referrer-Policy/Permissions-Policy
- CSP analysis
- Records CSP presence/value for review
- HSTS audit
- Records HSTS presence/value
- Clickjacking signals
- Flags missing
X-Frame-Optionsand missingframe-ancestorsin CSP
- Flags missing
- Cookie security flags
- Extracts
Set-Cookieand reports Secure/HttpOnly/SameSite presence per cookie
- Extracts
- Version disclosure
- Flags version-like patterns in headers such as
Server,X-Powered-By,X-AspNet-Version
- Flags version-like patterns in headers such as
- Admin panel discovery
- Probes common admin/login paths
- Debug endpoint discovery
- Probes common debug/status/profiler/phpinfo endpoints
- Sensitive file exposure
- Probes common secrets/config paths (ex:
/.git/config,/.env,wp-config.php,composer.lock)
- Probes common secrets/config paths (ex:
- Secrets exposure (aggregated)
- Records hits from sensitive files and env exposure under a shared secrets key
- Backup file exposure
- Probes common backup/archive filenames
- Directory listing checks
- Detects directory index patterns (ex: “Index of /”)
- Swagger/OpenAPI exposure
- Probes common
swagger.json,openapi.json,swagger-ui/locations
- Probes common
- SOAP/WSDL exposure
- Probes common
?wsdl//wsdlendpoints
- Probes common
- CSRF token presence (heuristic)
- If the page contains forms but no obvious CSRF token field names
- CORS (advanced quick check)
- Sends an
OPTIONSrequest with an attacker Origin and flags permissive allow-origin + credentials
- Sends an
- TLS/SSL audit (best-effort)
- Captures TLS version and cipher for HTTPS targets
- TRACE method exposure (best-effort)
- Attempts a TRACE request and records 200 responses
- File upload form discovery (heuristic)
- Detects HTML
<input type="file">fields (useful for prioritizing upload testing)
- Detects HTML
- Host header injection (best-effort)
- Sends a crafted
Hostand checks for reflection viaLocationor response body
- Sends a crafted
- Open redirect (advanced quick check)
- For parameterized URLs, replaces common parameters and checks
Locationreflection
- For parameterized URLs, replaces common parameters and checks
- CRLF injection / HTTP response splitting (best-effort)
- Injects CRLF payloads and checks for injected header reflection
- Request splitting (best-effort)
- Recorded when CRLF/header injection signals are detected
- SSRF
- Tests common internal targets (localhost/127.0.0.1/cloud metadata) and looks for response keywords
- Cloud metadata SSRF
- Special-cases metadata endpoints and stores separately when detected
- XXE (best-effort)
- Attempts a basic XML payload on URLs that look XML-related and matches file-content keywords
- HTTP Parameter Pollution (HPP) (heuristic)
- Compares baseline response length vs polluted values for large deltas
- HTTP method tampering (best-effort)
- Reads
Allowheader from OPTIONS and flags risky methods
- Reads
- HTTP PUT upload / WebDAV hints (best-effort)
- Flags if methods suggest upload capability; records DAV headers
- Path traversal
- Tests common traversal payloads and matches OS file markers
- Remote File Inclusion (RFI) (heuristic)
- Attempts a safe external include marker and checks for expected content
- SSTI (advanced heuristic)
- Injects simple expressions and checks for evaluation signals
- RCE (advanced marker-based)
- Injects safe echo markers and checks for reflection
- LFI -> RCE chain (best-effort)
- Attempts
/proc/self/environstyle inclusion with a UA marker
- Attempts
- NoSQL injection (heuristic)
- Injects a simple
$nepayload and flags large response deltas
- Injects a simple
- Prototype pollution (heuristic)
- Tries
__proto__payloads and looks for simple reflection signals
- Tries
- Email header injection / SMTP injection (best-effort)
- Targets email-like parameters with CRLF payloads and checks reflection
- Reflected file download (best-effort)
- Looks for attacker-controlled filenames reflected in
Content-Disposition
- Looks for attacker-controlled filenames reflected in
- Endpoint discovery
- Probes common GraphQL paths
- Introspection exposure
- Attempts introspection queries and flags successful schema responses
- Unauthenticated access signals
- Records if GraphQL responds successfully without auth
- Batching checks (best-effort)
- Attempts basic batching behavior probes
- Depth/complexity signals (best-effort)
- Tries deeper queries and records error/success signals
- Schema dump (best-effort)
- Stores returned schema payloads when available
- Subscriptions checks (best-effort)
- Probes subscription capability signals
Logic checks focus on patterns indicating missing authorization or broken access control.
- IDOR (heuristic)
- Flags endpoints/parameters that look like object identifiers for prioritization
- Broken access control signals (heuristic)
- Records suspicious patterns in responses and endpoint behavior
- Mass assignment signals (heuristic)
- Records endpoints that likely accept JSON bodies for model binding
- NoSQL injection signals (heuristic)
- Lightweight payload testing for common NoSQL patterns
- OAuth misconfiguration signals (best-effort)
- Attempts to detect obvious OAuth endpoint patterns
- JWT checks (best-effort)
- Detects obvious JWT usage patterns and records configuration hints
- Basic auth bruteforce safety (non-destructive)
- Only reports presence/signals; does not perform aggressive brute force
- Cache poisoning signals (best-effort)
- Sends header variants and checks for caching-related response differences
- Cache deception signals (best-effort)
- Probes cacheable-looking paths and records caching behavior hints
- Web cache routing signals (best-effort)
- Probes for routing headers and caching indicators
- HTTP desync/smuggling indicators (best-effort)
- Performs lightweight probes and records suspicious responses
- User enumeration (best-effort)
- Checks common enum patterns (ex: author archives)
- XML-RPC exposure
- Detects if
xmlrpc.phpis reachable and provides capability hints
- Detects if
- Readme exposure
- Checks common WP readme endpoints
- Backup/config exposure
- Probes WP-specific config/backup filenames
- Plugin/theme enumeration (best-effort)
- Tries to identify common plugin/theme paths
- Hardening audit (best-effort)
- Records presence/absence of common security controls for WP targets
- WebSocket security checks (best-effort)
- Detects websocket endpoints/signals
- WAF detection (extended)
- Records WAF fingerprints and blocking behavior
- Redirect chain inspection
- Records redirect sequences that may hide endpoint transitions
python waymap.py --target https://api.example.com --scan api --api-type rest
python waymap.py --target https://api.example.com/graphql --scan api --api-type graphqlOptional:
--api-endpoints /users,/login(REST)
Supported --auth-type values:
formbasicdigestbearerapi_key
Example:
python waymap.py --target https://example.com --auth-type bearer --token "YOUR_TOKEN" --scan allpython waymap.py --target https://example.com --scan all --report-format html,csv,markdown --output-dir reportsWaymap stores scan output per target domain:
sessions/<domain>/waymap_full_results.json
This includes findings from:
- Standard vulnerability scans
- WordPress profile scans
- RCE scan
python waymap.py --helpWaymap is intended for authorized security testing and educational use only.
Issues: https://github.com/TrixSec/waymap/issues
