loading
loading
Discovery
A website screenshot utility that drives headless Chrome to capture web interfaces.
overview
gowitness points headless Chrome at every target in a list and saves a screenshot of what loads. A picture of each site is the quickest way to triage a wide attack surface: you spot login portals, default vendor panels, error screens, and forgotten admin apps at a glance, without reading through status codes and titles line by line.
It runs several Chrome workers at once, can probe a list of ports per host, and stores what it finds in more than one place: screenshots on disk plus a SQLite, Postgres, or MySQL database, CSV, or JSON lines. Full-page capture, a custom window size, a proxy, a spoofed user agent, and an injectable JavaScript hook control how each page renders before the shutter fires.
In a Trickest workflow, gowitness sits after subdomain discovery and HTTP probing so it only screenshots hosts that answer. It reads a file of targets and writes a folder of captures and metadata, which you review as a gallery to decide which hosts are worth testing by hand.
use cases
Screenshot thousands of hosts so an analyst can scan the gallery for login pages, default panels, and oddities far faster than reading raw probe output.
Capture every live interface to surface staging dashboards, vendor default pages, and exposed consoles that text-only probing hides.
Probe a port list per target so web apps on non-standard ports get captured alongside the usual 80 and 443.
Write to a SQLite or Postgres database, CSV, or JSON lines so the screenshot run becomes a queryable record the team can revisit.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| file | FILE | --file | A file of targets to screenshot. |
| port | STRING | --port | Ports on targets to scan (default 80, 443; repeatable). |
| screenshot-path | STRING | --screenshot-path | Folder to store screenshots in (default ./screenshots). |
| threads | STRING | --threads | Concurrent Chrome workers to run (default 6). |
| screenshot-fullpage | BOOLEAN | --screenshot-fullpage | Capture the full page rather than just the viewport. |
| write-db | BOOLEAN | --write-db | Write results to a SQLite database. |
| write-jsonl | BOOLEAN | --write-jsonl | Write results as JSON lines. |
| chrome-proxy | STRING | --chrome-proxy | Route requests through an HTTP or SOCKS5 proxy. |
Showing key inputs. gowitness exposes 37 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| file | FILE | --file | A file with targets to scan |
| port | STRING | --port | Ports on targets to scan. Supports multiple --port flags (default [80,443]) |
| delay | STRING | --delay | Number of seconds delay between navigation and screenshotting (default 3) |
| quiet | BOOLEAN | --quiet | Silence (almost all) logging |
| driver | STRING | --driver | The scan driver to use. Can be one of [gorod, chromedp] (default "chromedp") |
| no-http | BOOLEAN | --no-http | Do not add 'http://' to targets where missing |
| threads | STRING | --threads | Number of concurrent threads (goroutines) to use (default 6) |
| timeout | STRING | --timeout | Number of seconds before considering a page timed out (default 60) |
| no-https | BOOLEAN | --no-https | Do not add 'https://' to targets where missing |
| write-db | BOOLEAN | --write-db | Write results to a SQLite database |
| debug-log | BOOLEAN | --debug-log | Enable debug logging |
| skip-html | BOOLEAN | --skip-html | Don't include the first request's HTML response when writing results |
| write-csv | BOOLEAN | --write-csv | Write results as CSV (has limited columns) |
| javascript | STRING | --javascript | A JavaScript function to evaluate on every page, before a screenshot. Note: It must be a JavaScript function! e.g., () => console.log('gowitness'); |
| uri-filter | STRING | --uri-filter | Valid URIs to pass to the scanning process (default [http,https]) |
| write-none | BOOLEAN | --write-none | Use an empty writer to silence warnings |
| ports-large | BOOLEAN | --ports-large | Include a large ports list when scanning targets |
| ports-small | BOOLEAN | --ports-small | Include a small ports list when scanning targets |
| write-jsonl | BOOLEAN | --write-jsonl | Write results as JSON lines |
| chrome-proxy | STRING | --chrome-proxy | An HTTP/SOCKS5 proxy server to use. Specify the proxy using this format: proto://address:port |
| ports-medium | BOOLEAN | --ports-medium | Include a medium ports list when scanning targets |
| save-content | BOOLEAN | --save-content | Save content from network requests to the configured writers. WARNING: This flag has the potential to make your storage explode in size |
| write-db-uri | STRING | --write-db-uri | The database URI to use. Supports SQLite, Postgres, and MySQL (e.g., postgres://user:pass@host:port/db) (default "sqlite://gowitness.sqlite3") |
| write-stdout | BOOLEAN | --write-stdout | Write successful results to stdout (usefull in a shell pipeline) |
| chrome-header | STRING | --chrome-header | Extra headers to add to requests. Supports multiple --header flags |
| chrome-wss-url | STRING | --chrome-wss-url | A websocket URL to connect to a remote, already running Chrome DevTools instance (i.e., Chrome started with --remote-debugging-port) |
| chrome-window-x | STRING | --chrome-window-x | The Chrome browser window width, in pixels (default 1920) |
| chrome-window-y | STRING | --chrome-window-y | The Chrome browser window height, in pixels (default 1080) |
| javascript-file | FILE | --javascript-file | A file containing a JavaScript function to evaluate on every page, before a screenshot. See --javascript |
| log-scan-errors | BOOLEAN | --log-scan-errors | Log scan errors (timeouts, DNS errors, etc.) to stderr (warning: can be verbose!) |
| screenshot-path | STRING | --screenshot-path | Path to store screenshots (default "./screenshots") |
| chrome-user-agent | STRING | --chrome-user-agent | The user-agent string to use (default "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36") |
| screenshot-format | STRING | --screenshot-format | Format to save screenshots as. Valid formats are: jpeg, png (default "jpeg") |
| write-screenshots | BOOLEAN | --write-screenshots | Store screenshots with writers in addition to filesystem storage |
| screenshot-fullpage | BOOLEAN | --screenshot-fullpage | Do full-page screenshots, instead of just the viewport |
| screenshot-skip-save | BOOLEAN | --screenshot-skip-save | Do not save screenshots to the screenshot-path (useful together with --write-screenshots) |
| write-db-enable-debug | BOOLEAN | --write-db-enable-debug | Enable database query debug logging (warning: verbose!) |
example
# screenshot every URL in a file, full page, 10 workers, into a foldergowitness scan file -f urls.txt --screenshot-path ./screenshots --screenshot-fullpage --threads 10INF starting scan threads=6 timeout=60INF result url=https://example.com status-code=200 title="Example Domain"INF result url=https://www.example.com status-code=200 title="Example Domain"INF result url=https://app.example.com status-code=302 title=""INF result url=https://admin.example.com status-code=401 title="Sign in"INF result url=https://dev.example.com status-code=200 title="Staging Environment"INF result url=https://api.example.com status-code=404 title="404 Not Found"INF scan complete results=6 screenshots=./screenshotsguidance
Use gowitness to visually triage a live web surface at scale with headless Chrome. Screenshot after discovery and HTTP probing so you only capture hosts that answer. For results straight into a SQLite database, use gowitness-db; to feed it nmap XML, use gowitness-nmap.
gowitness variant that outputs a SQLite database. Use it when you want results in a queryable db from the start.
Screenshots hosts and builds an HTML report. gowitness leans on headless Chrome with richer storage options.
Feeds gowitness an nmap XML file so it screenshots discovered web services directly.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
A host list is probed by httpx, then gowitness screenshots the live interfaces and writes the captures as a queryable output.
Facts on this page come from the live Trickest tool library.