Introduction
A manual for using Wingman. The goal of this manual is to help you familiarize yourself with Wingman by listing options and their possible combinations.
Usage
For a general overview of possible command-line options:
./wingman --help
Output:
Usage of ./wingman:
-allow-internal-hosts
Disable SSRF protection e.g. scan localhost (use with caution)
-b-no-cookies
Don't scan with cookies during the Chrome session
-b-no-source-mods
Stops modifying JS sources (may fix broken websites)
-b-passive
Only performs passive scans during the Chrome session (no HTTP requests)
-c-depth int
Sets crawler depth (default 3)
-c-threads int
Sets crawler threads (default 5)
-c-timeout int
Sets crawler timeout (when to abort HTTP requests) (default 5)
-chrome
Starts a Chrome instance for live scanning (while browsing)
-crawl
Crawls and scans given URLs
-d string
Form data to send with request
-exclude value
Scans to exclude, separated by comma (e.g. path,dom) (can be used more than once)
-h value
HTTP Header to send with request (can be used more than once)
-json
Output as JSON
-l string
List of URLs to scan
-license
Activate a license
-progress
Display progress every 10 seconds for long-lived processes such as crawling
-proxy value
Proxy URL to use
-t int
Amount of threads to use (default 5)
-timeout int
Scanner timeout (default 5)
-u string
URL to scan
-user
Displays info about the current licensed user
-v Enable verbose logging
-version
Shows version information
Modes
Single URL
Scan a single URL with the -u flag:
./wingman -u https://example.com/
List of URLs
Scan from a list of URLs by providing the -l flag or a file via stdin:
./wingman -l list.txt
or
cat list.txt | ./wingman
Chrome
Launch a Chrome session by specifying the --chrome flag:
./wingman --chrome
Optionally, this can be combined with the -u flag to launch a window and immediately navigate to the given URL. A Chrome session:
- Automatically logs JavaScript sink calls to the terminal
- Scans websites while browsing
Configuration
Chrome can be configured with any of the --b- prefixed flags such as:
- --b-no-cookies - Do not scan with cookies during the Chrome session
- --b-no-source-mods - Stops modifying JS sources (URL, Cookies and more)
- --b-passive - Only performs passive (DOM XSS) scans while browsing
Crawler
The crawler can be enabled for both single URLs and URL lists using the --crawl flag:
./wingman -u https://example.com/ --crawl
Configuration
The crawler can be configured with any of the --c- prefixed flags such as:
- --c-depth - Sets crawler depth (Note: can increase waiting times exponentially)
- --c-threads - Sets crawler threads
- --c-timeout - Sets crawler timeout
Exclusions
Exclude scans by name:
./wingman -u https://example.com/ --exclude dom,path
Available scans are:
- Path - Scan directories in the URL path
- Query - Scan every query parameter
- DOM - Perform dynamic analysis on all executed JavaScript
- Body - Scan the HTTP POST body
Protection
Wingman includes built-in SSRF protection in order to protect you from potential abuse or accidental data loss. Scans for internal hosts must be explicitly allowed with --allow-internal-hosts.
./wingman -u http://localhost/ --allow-internal-hosts
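An added example, not part of Wingman or its manual: a pre-check that splits a URL list into external targets and entries that point at internal hosts, so that --allow-internal-hosts is only used on a reviewed list. It is independent of Wingman's own SSRF check; the function names, the name suffixes treated as internal, and the sample list are assumptions of this example, and hostnames are not resolved.

```python
import ipaddress
from urllib.parse import urlsplit

# Names treated as internal without DNS lookup (assumption of this example).
INTERNAL_NAMES = {"localhost"}
INTERNAL_SUFFIXES = (".localhost", ".local", ".internal")

def is_internal(url: str) -> bool:
    """True if the URL's host is a literal internal address or name."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return True  # malformed entry: hold back for manual review
    if not host:
        return True  # no scheme/host parsed: hold back for manual review
    host = host.rstrip(".").lower()
    if host in INTERNAL_NAMES or host.endswith(INTERNAL_SUFFIXES):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # ordinary hostname; this sketch does not resolve DNS
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # unwrap ::ffff:a.b.c.d before classifying
    return not ip.is_global  # loopback, private, link-local, reserved

def split_targets(lines):
    """Partition URL-list lines into (external, internal)."""
    external, internal = [], []
    for line in lines:
        url = line.strip()
        if url:
            (internal if is_internal(url) else external).append(url)
    return external, internal

SAMPLE = [  # constructed sample standing in for list.txt
    "https://example.com/",
    "http://localhost/admin",
    "http://127.0.0.1:8080/",
    "http://10.0.0.5/",
    "http://[::1]/",
    "http://169.254.169.254/",
    "https://93.184.216.34/",
]

if __name__ == "__main__":
    external, internal = split_targets(SAMPLE)
    print("pass to ./wingman -l:", external)
    print("review before --allow-internal-hosts:", internal)
```

Entries without a scheme or with a malformed host are placed in the internal list so they get looked at rather than silently scanned.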
Requests
Manually craft requests that need to be scanned with flags such as:
- -h - Specify an HTTP header
- --data - Form data to send with a request
or automate the process with a proxy.
Proxy
Proxy all network traffic:
./wingman -u http://example.com/ --proxy http://localhost:8080/
Can be combined with single URLs, URL lists, chrome, and crawler.
Output
Wingman follows the Unix philosophy and outputs no more than necessary in its default configuration.
Errors are written to stderr rather than stdout. This means that you can redirect errors and regular output to different files:
./wingman -u https://example.com/ -v 2> error 1> output
Verbose
Wingman does not provide verbose output by default, meaning errors will often be silenced. To see them, enable verbose mode with -v.
Format
JSON
Switch to JSON output with the --json flag. All output, including errors and general information, will be written as JSON.
Progress
Print a progress update on the screen every 10 seconds. Useful for when you want to make sure that the program is not stuck during larger scans.
./wingman -u https://example.com/ --crawl --progress