A manual for using Wingman. The goal of this manual is to help you familiarize yourself with Wingman by listing options and their possible combinations.


For a general overview of possible command-line options:

./wingman --help

Usage of ./wingman:
        Disable SSRF protection e.g. scan localhost (use with caution)
        Don't scan with cookies during the Chrome session
        Stops modifying JS sources (may fix broken websites)
        Only performs passive scans during the Chrome session (no HTTP requests)
  -c-depth int
        Sets crawler depth (default 3)
  -c-threads int
        Sets crawler threads (default 5)
  -c-timeout int
        Sets crawler timeout (when to abort HTTP requests) (default 5)
        Starts a Chrome instance for live scanning (while browsing)
        Crawls and scans given URLs
  -d string
        Form data to send with request
  -exclude value
        Scans to exclude, separated by comma (e.g. path,dom) (can be used more than once)
  -h value
        HTTP Header to send with request (can be used more than once)
        Output as JSON
  -l string
        List of URLs to scan
        Activate a license
        Display progress every 10 seconds for long-lived processes such as crawling
  -proxy value
        Proxy URL to use
  -t int
        Amount of threads to use (default 5)
  -timeout int
        Scanner timeout (default 5)
  -u string
        URL to scan
        Displays info about the current licensed user
  -v    Enable verbose logging
        Shows version information


Single URL

Scan a single URL with the -u flag:

./wingman -u

List of URLs

Scan from a list of URLs by providing the -l flag or a file via stdin:

./wingman -l list.txt


cat list.txt | ./wingman


Launch a Chrome session by specifying the --chrome flag:

./wingman --chrome

Optionally this can be combined with the -u flag to launch a window and immediately navigate to given URL.

Automatically logs JavaScript sink calls to the terminal

Will scan websites while browsing


Chrome can be configured with any of the --b- prefixed flags such as:

  • --b-no-cookies - Do not scan with cookies during the Chrome session
  • --b-no-source-mods - Stops modifying JS sources (URL, Cookies and more)
  • --b-passive - Only performs passive (DOM XSS) scans while browsing


The crawler can be enabled for both single and URL lists using the --crawl flag:

./wingman -u --crawl


The crawler can be configured with any of the --c- prefixed flags such as:

  • --c-depth - Sets crawler depth (Note: can increase waiting times exponentially)
  • --c-threads - Set crawler threads
  • --c-timeout - Sets crawler timeout


Exclude scans by name:

./wingman -u --exclude dom,path

Available scans are:

  • Path - Scan directories in the URL path
  • Query - Scan every query parameter
  • DOM - Perform dynamic analysis on all executed JavaScript
  • Body - Scan the HTTP POST body


Wingman includes built-in SSRF protection in order to protect you from potential abuse or accidental data loss. Scans for internal hosts must be explicitly allowed with --allow-internal-hosts.

./wingman -u http://localhost/ --allow-internal-hosts


Manually craft requests that need to be scanned with flags such as:

  • -h - Specify an HTTP header
  • --data - Form data to send with a request

or automate the process with a proxy.


Proxy all network traffic:

./wingman -u --proxy http://localhost:8080/

Can be combined with single URLs, URL lists, chrome, and crawler.


Wingman follows the Unix philosophy and outputs no more than necessary in its default configuration.

Errors are outputted to stderr rather than stdin. This means that you can redirect errors and regular output to different files:

./wingman -u -v 2> error 1> output


Wingman does not provide verbose output by default, meaning errors will often be silenced. However, this can be disabled by enabling verbose mode: -v



Switch to JSON output with the --json flag. All output including errors and general information will be outputted in JSON.


Print a progress update on the screen every 10 seconds. Useful for when you want to make sure that the program is not stuck during larger scans.

./wingman -u --crawl --progress