WebCopilot: Open-source automation tool enumerates subdomains, detects bugs

WebCopilot is an open-source automation tool that enumerates a target’s subdomains and discovers bugs using various free tools. It simplifies the application security workflow and reduces reliance on manual scripting.


“I built this solution to streamline the application security process, specifically the repetitive tasks involved in reconnaissance. It consolidates several popular open-source tools into a single script, saving time and effort,” Harshit Raj Singh, the creator of WebCopilot, told Help Net Security.

WebCopilot automates tasks like:

  • Subdomain enumeration: It leverages tools like Assetfinder, Subfinder, Amass, and httpx to comprehensively discover subdomains.
  • Active subdomain enumeration: It employs Gobuster and Amass to identify live subdomains.
  • Extracting titles and taking screenshots: WebCopilot uses Aquatone and httpx to capture these details for each subdomain.
  • Filtering parameters: The script uses gf patterns to select, from all discovered endpoints, the parameters commonly associated with vulnerability classes such as XSS, SQLi, and SSRF.
  • Vulnerability scanning: WebCopilot then runs various open-source tools (such as Dalfox, Nuclei, and Sqlmap) against these filtered parameters to look for potential vulnerabilities.
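The consolidation step described above, merging what several enumeration tools print into one clean, in-scope list and then applying gf-style parameter patterns, as an added shell example that is not WebCopilot's own script. The scope domain, the sample tool output, the sample URLs and the three parameter patterns are all constructed for illustration; the patterns are simplified stand-ins, not the real gf pattern files.

```shell
#!/bin/sh
# Added example, not WebCopilot's own code: consolidate subdomain tool output
# and apply gf-style parameter filters. All inputs below are constructed.
set -eu
LC_ALL=C; export LC_ALL   # deterministic sort/grep behaviour

SCOPE_DOMAIN="example.com"   # assumption: the authorised root domain for this run

# Constructed sample of what several enumeration tools might print
# (mixed case, trailing dots, stray whitespace, out-of-scope hosts).
sample_tool_output() {
  cat <<'EOF'
www.example.com
API.example.com
www.example.com.
dev.example.com
example.com
notexample.com
example.com.evil.test
mail.example.com
  api.example.com
EOF
}

# Normalise and merge: lower-case, strip whitespace and trailing dots,
# keep only the scope domain and its subdomains, de-duplicate.
merge_subdomains() {
  scope_re=$(printf '%s' "$SCOPE_DOMAIN" | sed 's/\./\\./g')
  tr 'A-Z' 'a-z' \
    | sed -e 's/[[:space:]]//g' -e 's/\.$//' \
    | grep -E '(^|\.)'"${scope_re}"'$' \
    | sort -u
}

# Constructed sample of discovered URLs with parameters.
sample_urls() {
  cat <<'EOF'
https://www.example.com/search?q=test
https://api.example.com/items?id=42&page_id=3
https://www.example.com/go?redirect=https://example.com/
https://dev.example.com/static/logo.png
https://www.example.com/profile?name=bob&callback=cb
EOF
}

# Assumed, simplified parameter-name patterns per class. These are
# illustrative stand-ins, not the real gf pattern files.
gf_pattern() {
  case "$1" in
    xss)  printf '%s' '[?&](q|search|query|keyword|name|msg|comment)=' ;;
    sqli) printf '%s' '[?&](id|user|item|order|cat|page_id)=' ;;
    ssrf) printf '%s' '[?&](url|uri|dest|redirect|next|callback|feed)=' ;;
    *)    return 1 ;;
  esac
}

# filter_params <class>: URLs on stdin, the ones worth reviewing on stdout.
filter_params() {
  pat=$(gf_pattern "$1") || { echo "unknown class: $1" >&2; return 1; }
  grep -Ei "$pat" || true   # no match is not an error
}

count_lines() { wc -l | tr -d ' '; }

# Stand-alone run: show the merged list and the per-class triage.
sample_tool_output | merge_subdomains
for c in xss sqli ssrf; do
  printf '\n[%s]\n' "$c"
  sample_urls | filter_params "$c"
done
```

Each stage reads stdin and writes stdout, so a real tool can be dropped in place of the sample functions without changing the rest. The scope filter is the part worth keeping: aggregated enumeration output routinely contains hosts outside the authorised target, and a pattern match only means "review this endpoint", not that it is vulnerable.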

Future plans and download

Here’s a glimpse into the roadmap for WebCopilot v2.0:

  • It will check for pre-existing installations of required tools, downloading only those missing.
  • It will provide more informative logs to enhance the user experience during installation.
  • It will integrate newer, well-regarded open-source tools and remove deprecated ones; several pull requests for these changes are already in progress.
  • Users will have the option to choose between subdomain enumeration only, a full scan, or a custom scan tailored to their needs.
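The first roadmap item above, installing only what is missing and logging why, as an added shell example that is not WebCopilot's code, current or planned. The tool list and the installer commands are assumptions of this example; verify them and pin a release tag rather than `@latest` before relying on them.

```shell
#!/bin/sh
# Added example, not WebCopilot's code: install only the tools missing from
# PATH and log every decision. Installer commands are assumptions to verify.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # default: only report; set DRY_RUN=0 to run installers

# Informative logs go to stderr so stdout stays machine-readable.
log() { printf '[%s] %s\n' "$(date +%H:%M:%S)" "$*" >&2; }

# Assumed tool -> installer mapping. Module paths reflect the author's
# understanding at the time of writing; verify them and pin a release
# tag instead of @latest so the recon toolchain itself is reproducible.
install_command() {
  case "$1" in
    subfinder)   echo 'go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest' ;;
    httpx)       echo 'go install github.com/projectdiscovery/httpx/cmd/httpx@latest' ;;
    nuclei)      echo 'go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest' ;;
    assetfinder) echo 'go install github.com/tomnomnom/assetfinder@latest' ;;
    gf)          echo 'go install github.com/tomnomnom/gf@latest' ;;
    *)           return 1 ;;
  esac
}

# missing_tools "<space-separated names>": print the ones not on PATH.
missing_tools() {
  for t in $1; do
    command -v "$t" >/dev/null 2>&1 || printf '%s\n' "$t"
  done
}

# plan_install "<names>": one line per tool, "skip", "install" or "unknown".
plan_install() {
  for t in $1; do
    if command -v "$t" >/dev/null 2>&1; then
      log "$t already installed at $(command -v "$t")"
      printf 'skip %s\n' "$t"
    elif cmd=$(install_command "$t"); then
      if [ "$DRY_RUN" = "1" ]; then
        log "would install $t with: $cmd"
      else
        log "installing $t with: $cmd"
        sh -c "$cmd"
      fi
      printf 'install %s\n' "$t"
    else
      log "no installer known for $t; install it manually"
      printf 'unknown %s\n' "$t"
    fi
  done
}

# Stand-alone run over the assumed toolchain.
plan_install "assetfinder subfinder httpx gf nuclei"
```

Keeping the decision on stdout and the explanation on stderr gives the "more informative logs" the roadmap asks for without breaking scripts that parse the result. Unpinned `go install ... @latest` pulls whatever was most recently published, so a reproducible setup should replace it with a specific tag.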

WebCopilot is available for free on GitHub.
