Bug hunters and web security experts are always on the lookout for tools to optimize their work and uncover vulnerabilities, and there’s a newcomer that’s poised to make waves: WebCopilot!
This open-source automation tool combines the functionality of dozens of other well-known tools such as Subfinder, Nuclei, Amass, and SQLMap. It saves you precious time by handling, from start to finish, the repetitive and time-consuming tasks of enumerating subdomains, filtering risky parameters, and scanning for the most critical vulnerabilities.
To do this, simply launch WebCopilot on a target domain, and it takes care of everything:
- Enumerating subdomains via a battery of tools (Assetfinder, Sublist3r, Amass, Findomain…)
- Crawling all endpoints of identified subdomains
- Filtering parameters potentially vulnerable to XSS, SQLi, LFI, SSRF, Open Redirect… using pattern tools like gf
- And finally, vulnerability scanning via tools like Nuclei, Dalfox, kxss, SQLMap, or crlfuzz.
You’ll then receive a comprehensive report listing all interesting entry points.
No more hours spent launching dozens of commands and correlating results. Now you can focus on vulnerability analysis.
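To make the parameter-filtering step concrete, here is an added example (not WebCopilot's or gf's own code) that buckets crawled URLs by parameter name so you know which endpoints of your own application to review first. The name lists, the `classify` function and the sample URLs are constructed for illustration; matching on parameter names alone is an assumption about how such pattern filters work, and real pattern files are much longer.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed, abbreviated name lists (assumption, not gf's real pattern files).
PATTERNS = {
    "xss": {"q", "s", "search", "keyword", "message"},
    "sqli": {"id", "order", "sort", "category"},
    "lfi": {"file", "path", "template", "include"},
    "ssrf": {"url", "uri", "host", "callback"},
    "redirect": {"next", "return", "redirect", "goto", "url"},
}

def classify(urls):
    """Map each class to the sorted, de-duplicated (endpoint, param) pairs seen."""
    hits = {name: set() for name in PATTERNS}
    for raw in urls:
        parts = urlsplit(raw.strip())
        if not parts.query:
            continue  # nothing to triage on a parameterless URL
        endpoint = f"{parts.scheme}://{parts.netloc}{parts.path}"
        # keep_blank_values so that "token=" style parameters are still seen
        for key, _ in parse_qsl(parts.query, keep_blank_values=True):
            for name, params in PATTERNS.items():
                if key.lower() in params:
                    hits[name].add((endpoint, key))
    return {name: sorted(found) for name, found in hits.items()}

# Constructed crawl output for a hypothetical application.
SAMPLE_URLS = [
    "https://app.example.test/search?q=shoes&page=2",
    "https://app.example.test/item?id=42",
    "https://app.example.test/item?id=43",
    "https://app.example.test/login?next=/home",
    "https://app.example.test/fetch?url=https://cdn.example.test/a.png",
    "https://app.example.test/download?file=report.pdf&token=",
    "https://app.example.test/about",
]

if __name__ == "__main__":
    for name, found in classify(SAMPLE_URLS).items():
        for endpoint, key in found:
            print(f"{name:9} {endpoint} [{key}]")
```

A hit here only means the parameter name deserves a look; one parameter can land in several buckets (`url` counts for both SSRF and open redirect), and the scanners in the last step are what confirm or rule out an actual issue.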
In terms of usage, it’s super simple. Just clone the GitHub repo, install the dependencies…
git clone https://github.com/h4r5h1t/webcopilot && cd webcopilot/ && chmod +x webcopilot install.sh && mv webcopilot /usr/bin/ && ./install.sh
…and you can launch scans in just one command:
webcopilot -d domain.com -o rapport
And if you want to further customize the configuration, no problem! WebCopilot offers a bunch of handy options like:
- -s to only perform subdomain enumeration
- -x to exclude certain domains from the scan
- -b to specify an external “blind XSS” server
- -t to adjust the number of threads and speed up scans
In short, it’s the handy tool to further streamline your bug bounty process.