GoVWS is a high-speed, multi-threaded DAST (Dynamic Application Security Testing) scanner. GoVWS behaves like a real-world attacker: it autonomously crawls the target to map the attack surface and uses behavioral heuristics to detect vulnerabilities that signature-based scanners might often miss.
It combines an intelligent crawling engine with a parallelized fuzzing core to identify SQLi, XSS, and LFI through structural analysis and response-time anomalies.
- Efficient Crawling: Powered by Colly
- Interactive UX: Seamless CLI experience using Survey
- Real-time Feedback: Visual progress tracking with Spinner
- Injection Discovery: Automatic form-based injection point discovery
- Parallel payload dispatching
- Channel-based module communication
- HTML report generation (
scan_report.html) - Detection of:
- Cross-Site Scripting (XSS)
- SQL Injection (SQLi)
- Local File Inclusion (LFI)
- Missing security headers detection
GoVWS is composed of two main modules that communicate via Go channels for efficient parallelization.
- Crawls a target URL up to a specified depth
- Identifies forms and injection points
- Extracts form attributes (
action,method,id) - Detects missing security headers
- Loads payloads from user-provided files
- Dispatches payloads across multiple goroutines
- Evaluates whether injection attempts are successful
To have a general idea of the performance, the scanner takes 35 seconds to do a full crawl + scan + report on the following url : http://testphp.vulnweb.com (this website is dedicated to cybersecurity training)
With the following info :
- All types of scan (SQLi, XSS and LFI)
- At depth 3
- With 13 Injection points retrieved and 1792 payloads sent per injection points (23 296 payloads in total)
git clone https://github.com/MaelHub27/GoVWS.git && cd GoVWS
From the project root:
go build -o govws cmd/scanner/main.goOr, if make is configured:
make./govwsYou will thus be prompted to provide the following information:
- A target URL — Default:
empty - Detection type(s) — SQLi, XSS, LFI, Default:
SQLi & XSS - Path to payloads — Default:
empty - Crawling depth — between 1 and 5, Default:
3
💡 All values above will then be cached in a json files to allow faster relaunch if necessary
Once the scan completes, a scan_report.html file is generated in the current directory and automatically opened in your browser.
./govws -v # Displays visited URLs and payload activity
./govws -V # Displays detailed scan information (forms, JS files, headers, scan points, analysis info)The report is a security assessment overview of the base url. It provides the following information :
- Total number of vulnerabilities found (payloads that triggered an error/unmanaged behavior)
- Amount of URLs with missing Security Headers and the missing headers displayed in critical-matching color (red is critical, orange is highly important, yellow is important and gray is not mendatory)
- JS files discovered and endpoints if needed (not as for now, currently in development)
- Vulnerabilities found with the affected url & paramter and the method used (GET/POST)
This tool is intended for educational purposes and authorized security testing only.
Users are solely responsible for complying with applicable laws and obtaining proper authorization before scanning any target. The author assumes no liability for misuse.
This project is licensed under the BSD 3-Clause License — see the LICENSE file for details.
This project uses the following open-source libraries:
-
Colly : Copyright © 2018 Adam Tauber
Licensed under the Apache License 2.0
http://www.apache.org/licenses/LICENSE-2.0 -
Survey : Copyright © 2018 Alec Aivazis
Licensed under the MIT License
https://opensource.org/licenses/MIT -
Spinner : Copyright © Brian Downs
Licensed under the Apache License 2.0
http://www.apache.org/licenses/LICENSE-2.0