Version 4.0.0 · Author: Regaan (@regaan) Practical guide for using the WSHawk desktop app for WebSocket testing, web pentesting, replay, AuthZ diffing, race testing, and evidence collection.
- Overview
- What Changed in v4
- Installation & Launch
- Desktop Layout
- Projects & Persistence
- Standard Mode
- Advanced Mode
- Web Pentest Mode
- Browser Companion & Identity Capture
- Evidence Vault & Exports
- Security Model
- Keyboard Shortcuts
- Troubleshooting
WSHawk Desktop is the main operator interface for the project. It wraps the local Python sidecar in an Electron application and gives you one place to manage:
- WebSocket scanning
- live interception and traffic review
- project-backed HTTP and WebSocket replay
- identity capture and cross-identity comparison
- race testing
- evidence review and bundle export
- desktop web pentest tooling
The desktop app is intended for authorized manual assessments where you need more than a one-shot CLI scan. v4 shifts the focus from one-off sessions to reusable local projects that keep identities, traffic, findings, notes, and exports together.
- WebSocket dashboard, heuristic scan, and activity stream
- Request Forge with replay, AuthZ diff, and race controls
- Payload Blaster for repeated WebSocket payload execution
- Interceptor for frame-by-frame capture, forwarding, dropping, and editing
- Endpoint map, Auth Builder, Mutation Lab, Scheduler, Codec, Comparer, and Notes
- Web Pentest workspace with discovery, request, attack, and evidence flows
- Project-backed evidence timeline and tamper-evident export bundles
The v4 desktop is not just a skin refresh over the older desktop guide. The main changes are architectural and workflow-oriented:
- Projects are first-class and backed by the platform store
- identities are reusable across HTTP and WebSocket workflows
- replay, AuthZ diff, and race actions write into the same evidence trail
- browser companion capture is session-paired and scope-limited
- evidence exports now include provenance and integrity metadata
- the desktop runtime is sandboxed more aggressively than the older builds
If you used the v3 desktop, the main mental shift is this:
- create or open a project
- capture or build identities
- replay and compare stateful actions
- review evidence and export a bundle
- Python
3.8+ - Node.js
18+ - npm
- Playwright Chromium if you want browser-assisted XSS evidence collection
git clone https://github.com/regaan/wshawk
cd wshawk
pip install -e .
cd desktop
npm install
npm startplaywright install chromiumcd desktop
npm run smokeThis smoke run is lighter than a full headless E2E pass. It validates that the desktop window loads, the preload bridge is available, and the local sidecar becomes ready.
The repository also supports packaged desktop builds for Linux, Windows, and macOS through electron-builder. Packaged builds still rely on the bundled Python sidecar resource.
The app opens with a welcome overlay:
Create New ProjectOpen Existing Project
After the project is loaded, the desktop is split into:
- title bar with mode badge
- left navigation for tools and workspaces
- main content area for the active tool
- status widgets, logs, findings, and traffic panes depending on the view
| Area | Purpose |
|---|---|
| Overview | Dashboard and scan history |
| Advanced Tools | Interceptor, Request Forge, Attack Ops, Payload Blaster, utilities, and Evidence Vault |
| Web Pentest | Discovery, Requests, Attacks, and Evidence workspaces plus HTTP tooling |
| Mode | Best For |
|---|---|
| Standard | Starting a target, scanning, and reading results |
| Advanced | Manual WebSocket operations, interception, replay, and evidence work |
| Web Pentest | HTTP workflows tied to the same project and identities |
Projects are central in the v4 desktop.
- target URL
- local findings shown in the desktop
- system log history
- traffic rows and captured payloads
- linked platform project ID
- stored identities
- notes
- attack runs
- evidence records
Desktop project files are saved locally as .wshawk files. They are intended for saving and reopening desktop state safely.
Typical flow:
- open the desktop
- choose
Create New Project - set the target URL
- run a scan, capture traffic, or link a request workflow
- press
Ctrl+Sor the save button to write a.wshawkfile
Many advanced actions also ensure a local platform project behind the scenes. That project is where HTTP and WebSocket evidence, identities, and replay artifacts are stored for deeper workflows.
In practice:
- light desktop state is saved to the
.wshawkfile - structured offensive workflow data is saved into the local project store
Standard mode is the fastest way to get from a target URL to a first set of findings.
Use the dashboard to:
- set the target WebSocket URL
- launch the main scan
- watch vulnerability count and message count
- review live findings
- inspect the system log
Standard mode is the right choice when you want:
- initial WebSocket exposure mapping
- basic vulnerability discovery
- fast triage before moving into replay or interception
The scan history view is for reviewing previous local runs. It helps when you want to compare behavior over time or return to a target later without starting from zero.
- create a project
- enter the WebSocket target URL
- run the scan
- review findings and traffic
- move to Request Forge or Interceptor if the target looks stateful
Advanced mode is where the desktop becomes an operator tool instead of just a scanner UI.
Use this view to inspect captured frame history and review request or response content in order.
The interceptor is for live WebSocket manipulation.
Use it when you want to:
- inspect frames as they pass through
- drop or forward selected messages
- edit payloads before they hit the target
- observe server-side reactions in near real time
This is the right tool for protocol tampering, message sequencing checks, and workflow abuse testing that needs live control.
Request Forge is the main workspace for manual WebSocket operations.
Key actions:
- send crafted messages
- replay captured actions
- select a stored identity or stay anonymous
- run
AuthZ Diff - run
Race Attack - store a DOM-captured identity into the current project
Use Request Forge when you want to turn captured behavior into a repeatable operation.
Attack Ops collects project-backed offensive workflows and results. It is the place to review and organize replay-heavy work after you start using identities, AuthZ diffing, or race testing.
Payload Blaster is the high-volume WebSocket fuzzing surface in the desktop.
Use it when you want:
- repeated payload execution
- category-driven payload selection
- Smart Payload Evolution during longer runs
- browser-assisted evidence collection when applicable
This is stronger than a single scan when the target requires repetition, timing pressure, or repeated protocol interaction.
Endpoint Map helps with WebSocket surface discovery. It is useful when the target application hides socket endpoints behind front-end flows, generated scripts, or non-obvious upgrade paths.
Auth Builder helps you define multi-step authentication sequences with value extraction and substitution. Use it when a target requires:
- login before socket connection
- token refresh before replay
- multi-step bootstrap to obtain cookies or bearer tokens
Mutation Lab is for experimenting with payload transformations and bypass ideas before feeding them into a more structured attack workflow.
Use the scheduler for delayed or repeated task execution when you want to stage a test without constantly re-triggering it manually.
Codec is the utility view for encoding and decoding content during analysis.
Comparer is useful when you need to line up two payloads, two responses, or two workflow states and spot drift quickly.
Use notes to keep target-specific observations in the same project instead of scattering them across external files.
Evidence Vault is the review layer for structured project evidence. It shows recorded evidence items, replay recipes, and project summary information generated from attacks and findings.
Web Pentest mode extends the same project into HTTP-focused work. The important difference in v4 is that this is not a separate app inside the desktop. It shares:
- the current project
- stored identities
- evidence output
- request templates
- notes and findings context
The web workspace is split into four top-level boards:
| Workspace | Purpose |
|---|---|
| Discovery | Map targets, surface area, and reusable context |
| Requests | Build HTTP templates and run replay operations |
| Attacks | Run active HTTP abuse workflows such as AuthZ diff and race |
| Evidence | Review project evidence generated by HTTP workflows |
Use Discovery to bootstrap a target:
- crawl the application
- find endpoints
- analyze headers
- identify technologies
- inspect TLS posture
- gather inputs for later replay
This workspace is also where project telemetry becomes reusable intelligence instead of just one-off scan output.
The Requests workspace is centered on HTTP Forge and replay templates.
Typical use:
- build or paste a request
- attach a stored identity if needed
- create a replay template
- inject variables such as CSRF or workflow tokens
- replay the request against the target
The Attacks workspace is where stateful HTTP abuse happens.
Key actions:
ReplayAuthZ DiffRace
These actions are project-aware and can reuse stored identities to compare target behavior across tenants, roles, or sessions.
The desktop exposes a larger web pentest toolbox. The most important operator-facing tools are:
- Web Crawler
- HTTP Fuzzer
- Dir Scanner
- Header Analyzer
- Subdomain Finder
- SSL/TLS Analyzer
- Tech Fingerprint
- Sensitive Finder
- Port Scanner
- DNS / WHOIS
- WAF Detector
- CORS Tester
- SSRF Prober
- Redirect Hunter
- Proto Polluter
- CSRF Forge
- Attack Chainer
- Proxy CA
- Reports
- create or sync a project
- run discovery against the target origin
- build a useful request in HTTP Forge
- save or reuse an identity
- replay the request
- run AuthZ diff across at least two identities
- run race mode if the route changes state
- review Evidence and export a bundle
The browser companion is the easiest way to feed browser-authenticated context into the desktop without copying headers by hand.
- captures scoped WebSocket handshake metadata from the browser
- sends it to the local WSHawk bridge
- can attach capture to a project ID
- works with short-lived pairing instead of a long-lived bridge token
- start the desktop app so the local bridge is running
- open the browser companion popup
- leave
Auto-detect bridge on localhost:8080-8089enabled, or set the handshake URL manually - set
Capture Domains - optionally set a project ID
- press
AUTO-DETECT - browse the target application
- capture scopes are required
- pairing is session-based
- the extension is meant to ingest handshake context, not unrestricted browser traffic
- captured identities can later be reused in Request Forge or HTTP replay flows
If browser-assisted flows produce useful session material, the desktop can store that material into the current project identity vault so it becomes reusable for replay, AuthZ diff, and race workflows.
The Evidence Vault is the operator review surface for the project record.
- findings
- evidence records
- notes
- attack summaries
- replay recipes
- timeline summaries
From the desktop evidence flow, project bundle exports support:
- JSON
- Markdown
- HTML
Other parts of the platform also generate:
- HTML reports
- PDF reports
- JSON, CSV, and SARIF outputs for scanner/report workflows
v4 evidence bundles are intended to be more defensible than ad hoc screenshots. They include provenance and integrity metadata so the output is easier to review later or hand to another operator.
- keep all replay and attack work inside one project when possible
- store identities with clear aliases
- add notes while testing, not after
- export the project bundle when the workflow is complete
- keep the
.wshawkfile and the evidence export together for the engagement record
The desktop app is a local operator tool, but the runtime still follows some important boundaries:
- Electron renderer isolation is enabled
- Electron sandboxing is enabled for the renderer
- the local bridge is intended for loopback-only usage
- desktop and extension trust paths are separated
- extension pairing is explicit and short-lived
- secrets and local encryption keys are stored through a platform-aware secret backend
- project exports include integrity metadata
The practical takeaway is that the desktop is designed to support offensive workflows without treating the renderer, extension, or export path as implicitly trusted.
| Shortcut | Action |
|---|---|
Ctrl+S |
Save current project |
Ctrl+Enter |
Execute the active action in the current view |
Ctrl+K |
Open HawkSearch / global search |
Depending on the active view, additional local shortcuts may exist for specific widgets and inputs.
Check:
- Python dependencies are installed
- the local bridge port is free
- the sidecar binary exists if you are using a packaged build
For a fast health check:
cd desktop
npm run smokeCheck:
- the desktop app is running
- capture is enabled in the companion
Capture Domainsis set correctly- the socket target hostname matches the configured scope
- the bridge was detected and paired successfully
You likely need one of these:
- store a DOM identity into the project
- capture handshake context with the companion
- manually save or refresh identities tied to the current project
Try:
- increasing concurrency
- increasing waves
- reducing client-side throttling
- replaying with a fresher identity or token set
Evidence is strongest when the project is actually linked and the workflow writes structured data. Run replay, AuthZ diff, race, or project-backed web operations instead of staying only in passive discovery views.
WSHawk Desktop v4 is built for operators who need to move from initial discovery to reproducible abuse and defensible evidence without changing tools mid-engagement.