All-in-one web security scanner for pentesting, bug bounty, and security audits.
Scan any target with a single command and get a structured report with findings prioritized by severity. Modular — run the full suite or pick individual steps.
# Quick scan (recon, fingerprint, secrets, header scoring, report)
scripts/webscan.sh example.com --quick
# Full scan (all 12 steps)
scripts/webscan.sh example.com
# Full scan with JSON output and screenshot
scripts/webscan.sh example.com --json --screenshot
# Resume a crashed scan (skips completed steps)
scripts/webscan.sh example.com --resume
# Single step
scripts/webscan.sh example.com recon
scripts/webscan.sh example.com vulns
# Secrets scan only
scripts/titus-web.sh https://example.com
Output: ~/.openclaw/workspace/recon/
| Flag | Description |
|---|---|
| ------ | ------------ |
--quick | Light scan: recon, fingerprint, secrets, vulns, report |
--full | All steps (default) |
--json | Generate results.json alongside markdown report |
--screenshot | Capture homepage screenshot |
--resume | Skip steps that already have output files |
| Variable | Purpose |
|---|---|
| ---------- | --------- |
SHODAN_API_KEY | Shodan API key for infrastructure intel (falls back to CLI) |
OUTDIR | Override output directory |
| Step | What it does | Tools |
|---|---|---|
| ------ | ------------- | ------- |
recon | DNS records, IP geolocation, port scan, Shodan, Wayback URLs | nmap, dig, Shodan |
fingerprint | HTTP headers, tech stack, WAF detection, CMS check | WhatWeb, wafw00f |
subdomains | Subdomain enumeration + live probing | Subfinder, Amass, httpx |
dirs | Directory and file bruteforce | Gobuster, ffuf |
secrets | Secrets scan + sensitive file checks (30+ paths) | Titus (459 rules) |
vulns | Security header scoring, CORS check, SSL analysis, vulnerability scan | Nikto, custom |
wpscan | WordPress-specific vulnerabilities (auto-skips if not WP) | WPScan |
nuclei | Template-based CVE scanning | Nuclei |
ssl | Full SSL/TLS analysis | testssl |
screenshot | Homepage capture | cutycapt/chromium |
report | Markdown + JSON report generation | — |
Scores 10 security headers by severity:
| Severity | Points | Headers |
|---|---|---|
| ---------- | -------- | --------- |
| Critical | 30 | Strict-Transport-Security, Content-Security-Policy |
| High | 20 | X-Frame-Options |
| Medium | 10 | X-Content-Type-Options, Referrer-Policy, Permissions-Policy |
| Low | 5 | X-XSS-Protection, COOP, CORP, COEP |
Rating: 🟢 ≥80% · 🟡 ≥50% · 🟠 ≥25% · 🔴 <25%
~/.openclaw/workspace/recon/<domain>/
├── results.md # Markdown report with executive summary
├── results.json # Machine-readable report (--json)
├── screenshot.png # Homepage capture (--screenshot)
├── dns.txt / geo.json # DNS records, IP geolocation
├── ports.txt # nmap port scan results
├── shodan.json # Shodan infrastructure data
├── header-score.txt # Security header score card
├── cors.txt # CORS misconfiguration check
├── whatweb.txt / waf.txt # Tech fingerprint, WAF detection
├── subdomains-live.txt # Discovered live subdomains
├── dirs.txt # Discovered directories/files
├── sensitive-files.txt # Exposed config/backup files
├── titus.txt # Leaked secrets/API keys
├── nikto.txt / nuclei.txt # Vulnerability findings
├── ssl.txt # SSL/TLS analysis
└── wpscan.txt # WordPress scan (if applicable)
See references/tools.md for install instructions. Scripts skip missing tools gracefully — you don't need everything installed to get useful results.
See references/wordlists.md. Auto-selects medium wordlists, falls back to smaller if unavailable.
共 2 个版本