loading
loading
Scanners
An open-source black-box web application security scanner.
overview
WAScan tests a web application without reading its source. It crawls the deployed app, pulls out every link and form, then fuzzes each parameter with payloads and watches the responses for the error messages and disclosures that mark an exploitable input.
One scan-option flag sets the depth, from a quick fingerprint to an attack pass, an audit, brute force, disclosure checks, or a full run. You can route it through a proxy, set custom headers, cookies, and Basic Auth, and switch between GET and POST so it reaches forms behind a login.
On Trickest, WAScan runs as a Scanners node that takes a target URL and writes a folder and a file of findings. Reach for it once a prober confirms the host answers, then pick the scan option that matches how deep the assessment needs to go.
use cases
Crawl the target, extract its forms, and send payloads to each parameter to surface injection, XSS, and disclosure flaws through black-box probing.
Set the scan-option flag to run a fast fingerprint, a focused attack pass, an audit, a brute-force sweep, a disclosure check, or a full scan as the engagement requires.
Supply Basic Auth credentials, a cookie, and custom headers so the scanner reaches forms that sit behind a login instead of stopping at the front door.
Send every request through an intercepting proxy to log payloads, debug findings, or keep the scan inside an approved egress path.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target-url | STRING | -u | Target URL to crawl and scan. |
| scan-option | STRING | -s | 0 Fingerprint, 1 Attacks, 2 Audit, 3 Bruteforce, 4 Disclosure, 5 Full scan. |
| http-method | STRING | -m | HTTP method to use, GET or POST. |
| data | STRING | -d | Body data to send with a POST request. |
| auth | STRING | -a | HTTP Basic Authentication, user:pass. |
| cookie | STRING | -c | HTTP Cookie header value for authenticated scans. |
| proxy | STRING | -p | Route requests through a proxy, host:port. |
| headers | STRING | -H | Extra request headers (e.g. "Host:site.com"). |
Showing key inputs. wascan exposes 16 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| auth | STRING | -a | HTTP Basic Authentication (user:pass). |
| data | STRING | -d | Data to be sent via POST method. |
| host | STRING | -h | HTTP Host header value. |
| proxy | STRING | -p | Use a proxy (host:port). |
| cookie | STRING | -c | HTTP Cookie header value. |
| headers | STRING | -H | Extra headers (e.g. "Host:site.com"). |
| referer | STRING | -R | HTTP Referer header value. |
| timeout | STRING | -t | Seconds to wait before the connection times out. |
| redirect | STRING | -n | Set redirect target URL to False (default True). |
| bruteforce | BOOLEAN | -b | Bruteforce hidden parameters. |
| proxy-auth | STRING | -P | Proxy authentication (user:pass). |
| target-url | STRING | -u | Target URL to crawl and scan. |
| user-agent | STRING | -A | HTTP User-agent header value. |
| http-method | STRING | -m | HTTP method, GET or POST. |
| scan-option | STRING | -s | Scan option: 0 Fingerprint, 1 Attacks, 2 Audit, 3 Bruteforce, 4 Disclosure, 5 Full scan. |
| random-agent | BOOLEAN | -r | Use a random User-agent header value. |
example
# full black-box scan of a single target, routed through a local proxywascan -u https://example.com -s 5 -c 'session=abc123' -p 127.0.0.1:8080[*] Target : https://example.com/[*] Scan : 5 - Full scan[*] Crawling target, extracting links and forms... [!] SQL Injection GET param=id payload=id=1' /product.php?id=1'[!] Cross-Site Scripting POST param=q payload=<script>alert(1)</script> /search.php[+] Fingerprint Server: nginx | X-Powered-By: PHP/8.2[+] Disclosure Verbose SQL error exposed on /product.php[*] Done. 2 vulnerabilities, report saved to output/example.com/guidance
Use WAScan for a quick black-box fuzz of a single web app's forms and parameters. It is lightweight and option-driven. For broader module coverage and active maintenance, prefer Wapiti; for template-based CVE checks, use nuclei.
Black-box scanner with a larger, better-maintained module set. The fuller alternative to WAScan.
Template-driven scanner for known CVEs and misconfigurations rather than generic fuzzing.
A raw fuzzing engine when you want to control the FUZZ point and filtering yourself.
faq
related
Find reflected XSS during recon by checking payload reflection.
Fast and customizable subdomain wordlist generator using patterns.
Scans software bills of materials for security vulnerabilities.
Find broken links, missing images, and other dead references within your HTML.
A command-line scanner that finds exposed services, files, and folders through the web root.
A CMS detection and exploitation suite.
A target is probed live by httpx, then WAScan crawls and fuzzes its forms before the findings land as a queryable output.
Facts on this page come from the live Trickest tool library.