Introduction

A manual for using Wingman. The goal of this manual is to help you familiarize yourself with Wingman by listing options and their possible combinations.

Usage

For a general overview of possible command-line options:

./wingman --help

Output:
Usage of ./wingman:
  -allow-internal-hosts
        Disable SSRF protection e.g. scan localhost (use with caution)
  -b-no-cookies
        Don't scan with cookies during the Chrome session
  -b-no-source-mods
        Stops modifying JS sources (may fix broken websites)
  -b-passive
        Only performs passive scans during the Chrome session (no HTTP requests)
  -c-depth int
        Sets crawler depth (default 3)
  -c-threads int
        Sets crawler threads (default 5)
  -c-timeout int
        Sets crawler timeout (when to abort HTTP requests) (default 5)
  -chrome
        Starts a Chrome instance for live scanning (while browsing)
  -crawl
        Crawls and scans given URLs
  -d string
        Form data to send with request
  -exclude value
        Scans to exclude, separated by comma (e.g. path,dom) (can be used more than once)
  -h value
        HTTP Header to send with request (can be used more than once)
  -json
        Output as JSON
  -l string
        List of URLs to scan
  -license
        Activate a license
  -progress
        Display progress every 10 seconds for long-lived processes such as crawling
  -proxy value
        Proxy URL to use
  -t int
        Amount of threads to use (default 5)
  -timeout int
        Scanner timeout (default 5)
  -u string
        URL to scan
  -user
        Displays info about the current licensed user
  -v    Enable verbose logging
  -version
        Shows version information

Modes

Single URL

Scan a single URL with the -u flag:

./wingman -u https://example.com/

List of URLs

Scan from a list of URLs by providing the -l flag or a file via stdin:

./wingman -l list.txt

or

cat list.txt | ./wingman

Chrome

Launch a Chrome session by specifying the --chrome flag:

./wingman --chrome

Optionally, this can be combined with the -u flag to launch a window and immediately navigate to the given URL.

During a Chrome session, Wingman:

  • Automatically logs JavaScript sink calls to the terminal
  • Scans websites while browsing

Configuration

Chrome can be configured with any of the --b- prefixed flags such as:

  • --b-no-cookies - Do not scan with cookies during the Chrome session
  • --b-no-source-mods - Stops modifying JS sources (URL, Cookies and more)
  • --b-passive - Only performs passive (DOM XSS) scans while browsing

Crawler

The crawler can be enabled for both single URLs and URL lists using the --crawl flag:

./wingman -u https://example.com/ --crawl

Configuration

The crawler can be configured with any of the --c- prefixed flags such as:

  • --c-depth - Sets crawler depth (Note: can increase waiting times exponentially)
  • --c-threads - Set crawler threads
  • --c-timeout - Sets crawler timeout

Exclusions

Exclude scans by name:

./wingman -u https://example.com/ --exclude dom,path

Available scans are:

  • Path - Scan directories in the URL path
  • Query - Scan every query parameter
  • DOM - Perform dynamic analysis on all executed JavaScript
  • Body - Scan the HTTP POST body

Protection

Wingman includes built-in SSRF protection in order to protect you from potential abuse or accidental data loss. Scans for internal hosts must be explicitly allowed with --allow-internal-hosts.

./wingman -u http://localhost/ --allow-internal-hosts
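
A pre-flight check in the same spirit, as an added example (not Wingman's code; this manual does not describe how Wingman implements its protection): it sorts a URL list into hosts that are literal non-public addresses, which would need --allow-internal-hosts, and the rest. The function names and sample URLs are constructed for illustration, and no DNS lookups are made.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def parse_ip_literal(host):
    """Return an IP object if host is an address literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        # inet_aton also accepts legacy IPv4 spellings (127.1, 0x7f.1, 2130706433)
        return ipaddress.ip_address(socket.inet_aton(host))
    except (OSError, ValueError):
        return None  # not an address literal, so it is a DNS name

def classify(url):
    """Return 'internal', 'external', 'unresolved' or 'invalid' for a URL's host."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    if host == "localhost" or host.endswith(".localhost"):
        return "internal"
    ip = parse_ip_literal(host)
    if ip is None:
        # Assumption: no DNS here. A full check resolves the name and
        # classifies every returned address.
        return "unresolved"
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is really 10.0.0.5
    return "external" if ip.is_global else "internal"

def partition(urls):
    """Group URLs by classification, preserving input order."""
    groups = {"internal": [], "external": [], "unresolved": [], "invalid": []}
    for url in urls:
        groups[classify(url)].append(url)
    return groups

# Constructed sample list, not from the manual.
SAMPLE = ["https://example.com/", "http://localhost/", "http://127.0.0.1:8080/",
          "http://2130706433/", "http://[::ffff:10.0.0.5]/",
          "http://169.254.169.254/", "http://8.8.8.8/", "example.com/no-scheme"]

if __name__ == "__main__":
    for kind, items in partition(SAMPLE).items():
        print(kind, items)
```

Entries reported as unresolved are DNS names; whether they point at an internal address is only known after resolution.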

Requests

Manually craft requests that need to be scanned with flags such as:

  • -h - Specify an HTTP header
  • -d - Form data to send with a request

or automate the process with a proxy.

Proxy

Proxy all network traffic:

./wingman -u http://example.com/ --proxy http://localhost:8080/

The proxy can be combined with single URLs, URL lists, Chrome, and the crawler.

Output

Wingman follows the Unix philosophy and outputs no more than necessary in its default configuration.

Errors are written to stderr rather than stdout. This means that you can redirect errors and regular output to different files:

./wingman -u https://example.com/ -v 2> error 1> output

Verbose

Wingman does not provide verbose output by default, meaning errors will often be silenced. To see them, enable verbose mode with -v.

Format

JSON

Switch to JSON output with the --json flag. All output, including errors and general information, is then emitted as JSON.

Progress

Print a progress update on the screen every 10 seconds with the --progress flag. This is useful when you want to make sure that the program is not stuck during larger scans.

./wingman -u https://example.com/ --crawl --progress