Link To GitLab Project: https://gitlab.com/reznok/WART
WART is a tool that I initially created to help me get some sweet sweet bug bounty money. An issue I kept running into on *.*.com targets was the overwhelming amount of web pages that needed to be audited. My original process went something like:
- Gather all target domains
- Discover sub-domains (Amass ftw)
- Load up each page 1 by 1 to see if they look promising
It was step 3 that was by far the most frustrating. When you’ve done bounties or web penetration testing for a while, you develop a “sixth sense” for what looks like a vulnerable website. This is akin to “code smell” in programming, where you just know something is wrong even if you can’t put your finger on it. I just needed an easier way to gather the websites for a sniff test.
The easiest way to do this was to just grab screenshots of each target. Of course, this could be done with existing tools like EyeWitness. But what if I wanted to grab additional information, such as the robots.txt, or maybe try to fingerprint the underlying software stack with Wappalyzer? What if I wanted to easily process this information in some kind of central aggregation tool? The possibilities started accumulating enough that I decided it was time to just write my own tool that works and outputs exactly the way I want.
And so began WART. A recon tool that doesn’t necessarily do anything new or revolutionary, but functions exactly how I want it to. A modular, plugin-based recon tool that can be easily expanded to do just about anything. A tool that is still very much in its infancy, but has already proven to be extremely useful to me and has directly earned me ~15k in bounties to date.
At the time of writing, the functionality is really quite limited. It supports screenshots, Wappalyzer, grabbing robots.txt, and grabbing the site title and HTTP response headers. Look at any one of those plugins and they’re all laughably simple pieces of code. However, even with basic functionality, it’s proven itself enough that I plan on continuing development whenever I think of a useful enough plugin.
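As an added illustration of the plugin model described above (this is not WART’s own code; the plugin names, the registry and the sample site are assumptions constructed for the example), here is a minimal Python pipeline where each plugin pulls one piece of triage data, the page title, stack-revealing headers, and robots.txt Disallow entries, from a fetched response and the results are aggregated per target:

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict

@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str

Fetcher = Callable[[str], Response]  # url -> Response (swap in a real HTTP client)
PLUGINS: Dict[str, Callable[[str, Fetcher], dict]] = {}  # hypothetical registry

def plugin(name: str):
    """Register a recon plugin under a short name (assumed plugin mechanism)."""
    def wrap(fn):
        PLUGINS[name] = fn
        return fn
    return wrap

@plugin("title")
def title_plugin(target: str, fetch: Fetcher) -> dict:
    m = re.search(r"<title[^>]*>(.*?)</title>", fetch(target).body, re.I | re.S)
    return {"title": m.group(1).strip() if m else None}

@plugin("headers")
def headers_plugin(target: str, fetch: Fetcher) -> dict:
    # Stack-revealing headers plus a missing-CSP check, both useful for later triage.
    lower = {k.lower(): v for k, v in fetch(target).headers.items()}
    return {h: lower.get(h) for h in ("server", "x-powered-by", "content-security-policy")}

@plugin("robots")
def robots_plugin(target: str, fetch: Fetcher) -> dict:
    resp = fetch(target.rstrip("/") + "/robots.txt")
    if resp.status != 200:
        return {"disallow": []}
    paths = [line.split(":", 1)[1].strip() for line in resp.body.splitlines()
             if line.lower().startswith("disallow:")]
    return {"disallow": [p for p in paths if p]}  # drop empty "Disallow:" lines

def run_all(target: str, fetch: Fetcher) -> dict:
    """Run every registered plugin against one target and aggregate the results."""
    return {name: fn(target, fetch) for name, fn in PLUGINS.items()}

# Constructed sample site so the pipeline runs offline (not a real host).
SAMPLE_SITE = {
    "https://example.test/": Response(200, {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4"},
        "<html><head><title>Staging Portal</title></head><body>ok</body></html>"),
    "https://example.test/robots.txt": Response(200, {"Content-Type": "text/plain"},
        "User-agent: *\nDisallow: /admin/\nDisallow: /backup/\nDisallow:\n"),
}

def offline_fetch(url: str) -> Response:
    return SAMPLE_SITE.get(url, Response(404, {}, ""))

if __name__ == "__main__":
    print(run_all("https://example.test/", offline_fetch))
```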