Pentest#
The webscan pentest command performs various pentest scans to identify vulnerabilities and security issues in web applications.
Usage#
webscan pentest [command]
Available Commands#
- application: Dynamic Application Security Testing (DAST) and vulnerability scanning
- cms: Content Management System vulnerability detection
- route: Route-specific vulnerability testing
- waf: Web Application Firewall detection and analysis
Commands#
Application Commands#
DAST (Dynamic Application Security Testing)#
Usage#
webscan pentest application dast --targets https://example.com
Help Text#
webscan pentest application dast -h
Dast targets to discover previously unknown vulnerabilities
Usage:
webscan pentest application dast [flags]
Flags:
--dast-categories strings Dast Categories (ie. XSS, SQLI, RFI, etc.)
--dast-request-params string Base64 JSON blob of request parameters that will be fuzzed
--global-rate-limit int Global rate limit in requests per second (default 10)
--global-timeout int Maximum total scan time in seconds
-h, --help help for dast
--http-methods strings HTTP methods to use (e.g. GET,POST,PUT) (default [GET,POST,PUT])
--proxy string Optional HTTP proxy URL
--targets strings Targets to be scanned
--threads int Number of threads (default 10)
--timeout int Timeout per request in seconds (default 30)
--verbose-logs Verbose logs
Global Flags:
-o, --output string Output format (signal, json, yaml). Default value is signal (default "signal")
-f, --output-file string Path to output file. If blank, will output to STDOUT
-q, --quiet Suppress output
-v, --verbose Verbose output
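As an added example (not part of the webscan documentation or project code): a dry-run wrapper that checks every target against an engagement allow-list before assembling a `dast` command line with limits below the documented defaults. The host list, limit values and report file name are constructed, and repeating `--targets` is assumed to work for the `strings` flag type.

```shell
#!/usr/bin/env bash
# Added example, not webscan project code. Uses only flags from the help text above.
# Constructed allow-list: hosts covered by the engagement's written authorization.
AUTHORIZED_HOSTS="example.com staging.example.com"

# Print the lowercase host of an http(s) URL; fail on anything else.
url_host() {
  local url rest host
  url=$1
  case "$url" in
    https://*) rest=${url#https://} ;;
    http://*)  rest=${url#http://} ;;
    *) return 1 ;;
  esac
  host=${rest%%[/?#]*}                    # drop path, query, fragment
  case "$host" in *@*) return 1 ;; esac   # userinfo hides the real host: reject
  host=${host%%:*}                        # drop port
  [ -n "$host" ] || return 1
  printf '%s\n' "$host" | tr 'A-Z' 'a-z'
}

# Succeed only when the URL's host exactly matches an authorized host.
in_scope() {
  local host h
  host=$(url_host "$1") || return 1
  for h in $AUTHORIZED_HOSTS; do
    [ "$h" = "$host" ] && return 0
  done
  return 1
}

# Print the command line for review; refuse the whole batch if any target is
# out of scope. Limits (constructed values) sit below the documented defaults
# of 10 requests/s and 10 threads. Assumes --targets may be repeated.
build_dast_cmd() {
  local t args
  args=""
  [ "$#" -gt 0 ] || return 2
  for t in "$@"; do
    in_scope "$t" || { echo "out of scope, refusing: $t" >&2; return 2; }
    args="$args --targets $t"
  done
  printf 'webscan pentest application dast%s --global-rate-limit 5 --threads 2 --global-timeout 900 -o json -f dast-report.json\n' "$args"
}

build_dast_cmd "https://example.com/login"
```

The match is exact on the host, so lookalikes such as `example.com.evil.test` or a URL carrying `example.com@` as userinfo are refused rather than scanned.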
CVE Scan#
Usage#
webscan pentest application scan cve --targets https://example.com
Help Text#
webscan pentest application scan cve -h
Scan targets for CVEs
Usage:
webscan pentest application scan cve [flags]
Flags:
--global-rate-limit int Global rate limit in requests per second (default 10)
--global-timeout int Maximum total scan time in seconds
-h, --help help for cve
--proxy string Optional HTTP proxy URL
--targets strings Targets to be scanned
--threads int Number of threads (default 10)
--timeout int Timeout per request in seconds (default 30)
--verbose-logs Verbose logs
--years strings Restrict CVE scans to particular years
Global Flags:
-o, --output string Output format (signal, json, yaml). Default value is signal (default "signal")
-f, --output-file string Path to output file. If blank, will output to STDOUT
-q, --quiet Suppress output
-v, --verbose Verbose output
Misconfiguration Scan#
Usage#
webscan pentest application scan misconfiguration --targets https://example.com
Help Text#
webscan pentest application scan misconfiguration -h
Scan targets for security misconfigurations using nuclei templates.
Usage:
webscan pentest application scan misconfiguration [flags]
Flags:
--global-rate-limit int Global rate limit in requests per second (default 25)
--global-timeout int Maximum total scan time in seconds (default 650)
-h, --help help for misconfiguration
--misconfiguration-categories strings Categories of misconfigurations to scan for
--proxy string Optional HTTP proxy URL
--targets strings Targets to be scanned
--threads int Number of threads (default 25)
--timeout int Timeout per request in seconds (default 30)
--verbose-logs Verbose logs
Global Flags:
-o, --output string Output format (signal, json, yaml). Default value is signal (default "signal")
-f, --output-file string Path to output file. If blank, will output to STDOUT
-q, --quiet Suppress output
-v, --verbose Verbose output
Technology Scan#
Usage#
webscan pentest application scan technology --targets https://example.com
Help Text#
webscan pentest application scan technology -h
Scan targets for technology-specific vulnerabilities using nuclei templates.
Usage:
webscan pentest application scan technology [flags]
Flags:
--global-rate-limit int Global rate limit in requests per second
--global-timeout int Maximum total scan time in seconds
-h, --help help for technology
--proxy string Optional HTTP proxy URL
--targets strings Targets to be scanned
--technology-types strings Technologies to scan for
--threads int Number of threads (default 10)
--timeout int Timeout per request in seconds (default 30)
--verbose-logs Verbose logs
Global Flags:
-o, --output string Output format (signal, json, yaml). Default value is signal (default "signal")
-f, --output-file string Path to output file. If blank, will output to STDOUT
-q, --quiet Suppress output
-v, --verbose Verbose output
CMS Commands#
Analyze CMS applications to detect potential vulnerabilities.
WordPress#
Analyze WordPress to detect potential vulnerabilities.
XMLRPC Functions Exposed#
Usage#
webscan pentest cms wordpress xmlrpc-functions-exposed --targets https://example.com
Help Text#
webscan pentest cms wordpress xmlrpc-functions-exposed -h
Perform xmlrpc functions exposed tests against a target
Usage:
webscan pentest cms wordpress xmlrpc-functions-exposed [flags]
Flags:
-h, --help help for xmlrpc-functions-exposed
--retries int Number of times to retry a request if it fails
--sleep int Number of seconds to sleep between requests
--successful-only Only include successful results in the report
--targets strings Targets to be scanned
--timeout int Timeout per request in seconds (default 30)
--verify-tls Verify TLS certificates when making HTTPS requests
Global Flags:
-o, --output string Output format (signal, json, yaml). Default value is signal (default "signal")
-f, --output-file string Path to output file. If blank, will output to STDOUT
-q, --quiet Suppress output
-v, --verbose Verbose output
Route Commands#
Analyze routes to detect potential vulnerabilities.
Static Asset Takeover#
Usage#
webscan pentest route static-asset-takeover --targets https://example.com
Help Text#
webscan pentest route static-asset-takeover -h
Analyze webpages to detect potential takeover vulnerabilities through misconfigured CDNs or storage services.
Usage:
webscan pentest route static-asset-takeover [flags]
Flags:
--browserbase-countries strings List of countries to use for Browserbase proxy
--browserbase-project string Browserbase project ID
--browserbase-proxy Use Browserbase proxy for requests
--browserbase-token string Browserbase API token for cloud browser access
--detect-404-responses Detect 404 responses as potential takeover responses
--fingerprint-file-paths strings Paths to fingerprint definition files
--headless-path string Path to headless browser executable
-h, --help help for static-asset-takeover
--max-redirects int Maximum number of redirects to follow (default 10)
--min-dom-stabalize-time int Minimum time to wait for DOM stabilization in seconds (default 20)
--request-method string Request method to use (standard, headless, browserbase) (default "HEADLESS")
--successful-only Only show successful takeover attempts
--target string URL target to analyze for static asset takeover
--threads int Number of concurrent threads for scanning (default 100)
--timeout int Timeout per request in seconds (default 30)
--verify-tls Verify TLS certificates when making HTTPS requests
Global Flags:
-o, --output string Output format (signal, json, yaml). Default value is signal (default "signal")
-f, --output-file string Path to output file. If blank, will output to STDOUT
-q, --quiet Suppress output
-v, --verbose Verbose output
WAF Commands#
Detect and analyze Web Application Firewalls (WAFs) protecting web applications.
Detect#
Usage#
webscan pentest waf detect --targets https://example.com
Help Text#
webscan pentest waf detect -h
Actively detect and identify Web Application Firewalls (WAFs) protecting web applications.
Usage:
webscan pentest waf detect [flags]
Flags:
--global-rate-limit int Global rate limit in requests per second
--global-timeout int Maximum total scan time in seconds
-h, --help help for detect
--http-methods strings HTTP methods to use (e.g. GET,POST,PUT) (default [GET])
--proxy string Optional HTTP proxy URL
--route-request-params string Base64 JSON blob of request parameters that will be injected
--targets strings Targets to be scanned
--threads int Number of threads (default 25)
--timeout int Timeout per request in seconds (default 5)
--verbose-logs Verbose logs
Global Flags:
-o, --output string Output format (signal, json, yaml). Default value is signal (default "signal")
-f, --output-file string Path to output file. If blank, will output to STDOUT
-q, --quiet Suppress output
-v, --verbose Verbose output