What's Changed

• html a-tag unclosed bug fixed by @gorgiaxx in https://github.com/sensepost/gowitness/pull/187
• Fix database file path location parser by @mr-pmillz in https://github.com/sensepost/gowitness/pull/188
• fix: typo by @testwill in https://github.com/sensepost/gowitness/pull/201
• (fix) MarshalJSON spells with one "l" by @alexandear in https://github.com/sensepost/gowitness/pull/198
• Fixing the missing port issue with Nessus by @quentinpraz in https://github.com/sensepost/gowitness/pull/191

New Contributors

• @gorgiaxx made their first contribution in https://github.com/sensepost/gowitness/pull/187
• @mr-pmillz made their first contribution in https://github.com/sensepost/gowitness/pull/188
• @testwill made their first contribution in https://github.com/sensepost/gowitness/pull/201
• @alexandear made their first contribution in https://github.com/sensepost/gowitness/pull/198
• @quentinpraz made their first contribution in https://github.com/sensepost/gowitness/pull/191

Full Changelog: https://github.com/sensepost/gowitness/compare/2.5.0...2.5.1

1edfe2209731e68621006b3cc0376d6a4b97e85e  gowitness-2.5.1-darwin-amd64
3c817d57d704a3de1dcb084a59b77e684dddb154  gowitness-2.5.1-darwin-arm64
19c75086ac90ae2891f24fa89d76c84748eb3d06  gowitness-2.5.1-linux-amd64
105ecb560afccd5f29fe1d748c32862848f556df  gowitness-2.5.1-linux-arm64
e893957658f560911864eeecec606c0cd9ea8e05  gowitness-2.5.1-linux-armv7
32315a0b50ccd4e28b941a4b0121200b6625eb9e  gowitness-2.5.1-windows-amd64.exe

new

• Make URLs clickable in static report exports (thanks @initstring) (via #172)
• Add ability to execute externally introduced JavaScript via the new --js flag on screenshotted pages. (thanks @djallalzoldik) (via #180)
• Add PostgreSQL support (thanks @habitualdev) (via #166). You should now specify the database to use using a full URI. Eg: sqlite://gowitness.sqlite3 (the default), or postgres://user:pass@host/database.
• Add search API endpoint (docs: search (thanks @habitualdev) (via #166)
• Add ability to store screenshots in the database using a new flag --screenshot-db-store (thanks @habitualdev) (originally via #166 but refactored in https://github.com/sensepost/gowitness/commit/62d6de3d49dd5fa438e0ab38105f3bfb050da0ee). The report viewer will automatically fallback to the filesystem if database screenshots are not available.
• Add HTTP response code filtering, controlling which HTTP codes get screenshotted. (thanks @nickspring) (originally via #137 but implemented in https://github.com/sensepost/gowitness/commit/1503c5b8b0285f25d03f4893ae2c92674451bacc)

fixes

• Fix report server range selector. (thanks @randomactsofsecurity ) (via #163)
• Fix example nessus file syntax (thanks @brettgus) (via #170)
• Prevent duplicate file extensions added to filenames (thanks @maik-s) (via #183)

other

• Bump dependencies and Go version (in https://github.com/sensepost/gowitness/commit/4907ceacfa9edfc09f205deab5bfc47d800a8edf, https://github.com/sensepost/gowitness/commit/921811db51caea40ef6d062da685ca437f55b2a5, https://github.com/sensepost/gowitness/commit/a7941d8d68e049b4786aafd805222888020298bf)
• Remove deprecated use of io/ioutil (in https://github.com/sensepost/gowitness/commit/f939dec411a982f98d6b2e79555a14fd28039e00)

new contributors

• @brettgus made their first contribution in https://github.com/sensepost/gowitness/pull/170
• @initstring made their first contribution in https://github.com/sensepost/gowitness/pull/172
• @maik-s made their first contribution in https://github.com/sensepost/gowitness/pull/183
• @djallalzoldik made their first contribution in https://github.com/sensepost/gowitness/pull/180
• @habitualdev made their first contribution in https://github.com/sensepost/gowitness/pull/166

Full Changelog: https://github.com/sensepost/gowitness/compare/2.4.2...2.5.0

72f9578e558527bd5e8c6212d5e63b18867cd0b7  gowitness-2.5.0-darwin-amd64
d3fa213e6e0c8543256e26c1c3b3b71f23175485  gowitness-2.5.0-darwin-arm64
5f76bc689612b0b1ca5266834c76cb0c55a120b8  gowitness-2.5.0-linux-amd64
9c567241d9202689d395e704735fd8f3c1a47cfb  gowitness-2.5.0-linux-arm64
c8005cc40c8a7a9c1c690737e14853c829263acd  gowitness-2.5.0-linux-armv7
d906179afa9b59950a3ded496f9c0ede260c2cb7  gowitness-2.5.0-windows-amd64.exe

fixes

• Improve web UI reverse proxy support when served under a sub directory. A new wiki article was also added (in https://github.com/sensepost/gowitness/commit/e904933ab1d877beca7f88b14b513144c5c23ca0) (thanks @random-robbie for PR's prompting this).

other

• Bump dependencies and build with Go 1.19 (in https://github.com/sensepost/gowitness/commit/3b2acebe5d7ae126ffb9134ab08f932946c0da80)

8577bca1f581d7f163144b5c9068861fcf401524  gowitness-2.4.2-darwin-amd64
64b7469d97a511650f1efb74499878ad3ef8e76d  gowitness-2.4.2-darwin-arm64
e98b223ae71ef7a8df75ba0a6461b6b772a2176e  gowitness-2.4.2-linux-amd64
18556f2b0b856d90865ddae653c2e05182541e37  gowitness-2.4.2-linux-arm64
adb157143d84ff697c0cf965df3ce04ae34a5a48  gowitness-2.4.2-linux-armv7
6de652cf5ddf8f4f541f6172f127d23747353097  gowitness-2.4.2-windows-amd64.exe

new

• Add ability to specify additional headers when screenshotting via the HTTP api. See the API docs for a usage example (in https://github.com/sensepost/gowitness/commit/f5e2aeac99bf3e8096e25b2f9f2c38fad3037110).
• Add linux/arm and linux/armv7 targets to release binaries (in https://github.com/sensepost/gowitness/commit/12f01a95be815b7f3d0bc099bda50ae8ac005a49)

fixes

• Fix nmap command example documentation. (thanks @crypt0rr ) (via #138)

other

• Build release binaries with Go 1.18.4 (in https://github.com/sensepost/gowitness/commit/31c6e64c091746829d4d5ac57aa331f13da71d9c)
• Bump dependencies (in https://github.com/sensepost/gowitness/commit/2041445c78a6471482c3691713f31a5a2051dd0e)
• Fix internal flag name typo (in https://github.com/sensepost/gowitness/commit/86134ed639acc9d3debc7859a171a57aeca6c077)

8c5dfc2b7f5a66aec4d861522c2d78452e1950ac  gowitness-2.4.1-darwin-amd64
bd4026cad944b6143fbad90b0a9f2e41671509f6  gowitness-2.4.1-darwin-arm64
82c56c41caf8e1474adc851a90df48cb5b7c9ee1  gowitness-2.4.1-linux-amd64
b6391b19c6b5316e74c18f8c05dcec1987186170  gowitness-2.4.1-linux-arm64
9f79dfa11aaf6788a1150da41c12da03185e26af  gowitness-2.4.1-linux-armv7
5ec37979e14290200f0d0919006102cefa89edd2  gowitness-2.4.1-windows-amd64.exe

66 commits later, this is a major release of gowitness with many new features, fixes and overall polish. Some screenshots to see what the updated report server UI looks like is below, followed by the change log for this release. Enjoy!

The new Dashboard view

A dark themed, detailed view:

A light themed, detailed view:

new

• Add application technology identification using Wappalyzer (via #104 and #110 and #127) (in 3a80bf6db6e887180c4963d8e10b1dea175584e3 and e79214e3be016be04de8eac34ce694016c2d3143 and 65816c650f56e5bbe029077226f4ad7f4ef39019) (thanks guervild and Ice3man543 and terrabitz)
• Improve performance in HostsInCIDR() method (via #107) (in 71125b2b19f08b7bc87481c2d7a0c50aa8b6fbb0) (thanks NickChillClub)
• Add a Nessus parser (via #123) (in e1923bb92e4e0935142e331225f8b903c396d509) (thanks randomactsofsecurity)
• Add additional header support (via #124) (in c7b874ad63bf6198dcafc26531b51974ae6fa460) (thanks randomactsofsecurity)
• Refactor the webserver to make use of Gin (in 6fad6c3a9dac17305012e5119cf51baf2315607d)
• Various web UI dependency upgrades, fixes and layout updates (via 05f3c32086588f89b10937f7b303486705cb2d6d)
• Add new API endpoints. API documentation can be found in the Wiki here (via 49c87022eafa56749b36a5b358f76fd72c9b4e21 and 6769e88dfcc6e1bf1a89bf2055fab32f619c3517)
• Add a new dashboard view (via 00f939423095f5b16facae401783baa91bad4b72)
• Restore the ability to export static HTML reports again (via 3e459eb0a10d10c80f929c8a387bb9fbc8ff6683)
• Record both browser console logs and network events as emitted via Chrome. These fields are searchable and make it possible to see the IP's that hosts resolved to at the time of the screenshot (in 396de21ed5f8656b0cf940c43316d40320ec31e9 and 3efb7b0c5a2d04108e7c0e25362a2edd730f3663)
• Add a simple pager to the detail view (in 0c14e67980e87bc6af022c236f83fba0b8ac9e5e)
• Add a theme switcher for light mode or dark mode, defaulting to dark mode (in 0cbdafb4e574fe4eafbafa2f74bdbad6205965a7)
• Add the ability to dump and save the DOM (in 453a0fcfa2868c6498b1d3fb55559de456a01528)
• Significantly refactor the search feature to more agressively search through collected data. This includes URL's, DOM's, network events, console logs and more. (in 78303cb7aa7f71b9acbc7df59ea8c57f715b5879)
• Add the ability to save screenshots as PDF's instead of PNG's (in 2f87924f3431aceb08e49b61901dd5a5445fa57a)
• Add an example docker-compose.yml file to show how the report server could be used when exposed to a larger network.

fixes

• Improve reliability, dealing with some cases where Chrome may hang (via #132) (in 79c4f6e950715157a829560344daa15fdae85188) (thanks rtpt-jonaslieb and randomactsofsecurity)
• Prevent screenshot filenames from becoming overly long (in 19b4e15b57996a93827d14c602046a6bc68f79aa)

other

• build release binaries with Go 1.18.2 (186f57eb9ee1cd429d262b3603256423f75f13be) (8b88b472e673355530439067a5e5030690ffe82f) (19c182705b3d18ee9f7a774c863cca410184190d)
• build releases for macOS ARM (96df49e00361fdd9c15a720571176656f2d8d0f2)
• bump dependencies (3092a86d381076724fe69ec6724618494dd3fea7) (861543ed7e4c7279121e1bd4d23db8b9ed573a66) (01005bbfc76839054ca0684029adc97606ec3845) (af7a504f04fdf3f4964625ca8aeed78400a2849a) (c6da64d46657c01c7608fd41552dfca4ccf43aa3) (0002ef967a32eda866b34add071fa2e4240fe3ba)
• use github actions to build docker image (ff1241d986d8da542724efee08ceff957e86c3b8)
• replace vfsgen with native Golang embed for web assets (d98ae0ce3e054d4ffd5bd41a1f5cefef3bcc42fd)
• Bump the default User-Agent string used (via ec73fbb9fd3023b4da881f67c46a22560d269057)

76065c1c937630e44ecde32abfc0fd945cb20483  gowitness-2.4.0-darwin-amd64
b556b7f45a1b313a1686843f219cf8b045ad0e48  gowitness-2.4.0-darwin-arm64
d361fe3cdf738b0fe60b204a03017e3b4b38ffb5  gowitness-2.4.0-linux-amd64
0f91805c85dd665758e205dda8e8edf09dacb498  gowitness-2.4.0-windows-amd64.exe

This is primarily a security/hardening release.

fixes

• Limit the allowed URI's that may be submitted to the screenshot or report server to only those starting with http / https by default. You can use the new --allow-insecure-uri / -A flag to disable this. Take note that with the -A flag, it means someone could screenshot file:// URI's and read local files on the host filesystem. To combat some of this abuse, by default the report & screenshot servers listen on localhost only. However, if you are exposing the report or screenshot servers to the Internet (or other untrusted networks), make sure you restrict access to it as other problematic URI's such as localhost and cloud metadata URIs (and any other SSRF vector) will also be reachable this way. (https://github.com/sensepost/gowitness/commit/57dffb7a890996daf37254719b035166f1b33d6b) (thanks to Omri Inbar from Checkmarx for reporting the LFI).

other

• go-staticcheck fixes and other code cleanups (https://github.com/sensepost/gowitness/commit/11494176a8fcbb4373e61096d147bd2fe9318d5a)

8a2ca3dc8a58ce3e103aeabd13df7713c0322b2c  gowitness-2.3.6-darwin-amd64
b50938b99af45d7bc209428a648f057b11a6025f  gowitness-2.3.6-linux-amd64
1dcee72acdf074f1850263643ca9297b0d5b38e3  gowitness-2.3.6-windows-amd64.exe

fixes

• Check the correct error when parsing Proxy URI's (https://github.com/sensepost/gowitness/commit/28a8c776195a06ea9080a952da8f9f9182108b19)
• Fix a typo (https://github.com/sensepost/gowitness/commit/c168591ae1bb6e9ec0cc1b83c0d9e8cb7cd709e6) (thanks @benichmt1 via #96)

other

• Bump go version used for release builds to 1.15.10 (https://github.com/sensepost/gowitness/commit/6697b99410b0ca1655eebaf0c96abcaca63f5711)
• Bump dependencies to use chromedp 0.7.2, fixing #101 (https://github.com/sensepost/gowitness/commit/d503334e569d5f7d0e471a65fe766c0cfb0fafee)

72dcadc450a02e931ab9143ef23f9ddba8a6d9cd  gowitness-2.3.5-darwin-amd64
71052ed766b0155c7331c155e7cbed213776c3a8  gowitness-2.3.5-linux-amd64
5446ad08a709d4462269776af78578410616929d  gowitness-2.3.5-windows-amd64.exe

new

• Add the Public Key Algorithm field to the database (https://github.com/sensepost/gowitness/commit/3e9cf0548696cd09cc9567bca4eff22b94041f63) (fixes #91)

78722cc482250dba386c0e562568212a1dcbf4d1  gowitness-2.3.4-darwin-amd64
5fb571b12d761f26adbec073d0d73bc45d194259  gowitness-2.3.4-linux-amd64
26726bf22eb9ad6a274aa07b83e8a624904e937c  gowitness-2.3.4-windows-amd64.exe

fixes

• Automatically dismiss JavaScript dialog boxes which caused gowitness to stall (https://github.com/sensepost/gowitness/commit/bd6114e70b299ad3627aa5074f7ab81ab0732a70) (via #89) (thanks @Serizao)

f86cc43856f756960898bbc4ff8ce16ded30717f  gowitness-2.3.3-darwin-amd64
b2c5afe02d91c26dfe06547f668390d517a934e0  gowitness-2.3.3-linux-amd64
750c84767a8786fa812f7836ed5b3586f2b7c835  gowitness-2.3.3-windows-amd64.exe

other

• Dependency bump (https://github.com/sensepost/gowitness/commit/84ef468204a2a0169807275858e04bc6cf93b8a9)

632016c57e12d046cd7efc2debd6ebce0b8a5ba5  gowitness-2.3.2-darwin-amd64
ecc414ffd377e212cc66f32ed2a9ee055b5af640  gowitness-2.3.2-linux-amd64
aa2bc8b925d2bbd7942e8fbd650fa02d9c296f3c  gowitness-2.3.2-windows-amd64.exe

other

• Bump the golang build version to 1.15.8 (https://github.com/sensepost/gowitness/commit/ea74b977351eda8a54ff5653360508b5282912fa)

0c753be54f305d89120d4827b30eb602651a16e4  gowitness-2.3.1-darwin-amd64
5302eadb51736eafedef9a51a87c71171d536552  gowitness-2.3.1-linux-amd64
2750f88de5093f493927d803578c254debef65b6  gowitness-2.3.1-windows-amd64.exe

new

• Add the --delay flag to have Chrome wait between navigation and screenshotting. (https://github.com/sensepost/gowitness/commit/c67b522d6db7f5640ee17deb58063b07ec449e8a)

dd3c98d56daf34dce8e78448cf76c4992fdb7b35  gowitness-2.3.0-darwin-amd64
dfbf5c07c2009d61000b49c35556bdcc706f2844  gowitness-2.3.0-linux-amd64
374727171c6c0095c72d98d8c118ce8ac79ad644  gowitness-2.3.0-windows-amd64.exe

This is small a bug fix release.

fixes

• Prevent crashes when the database is disabled (#83)
• Correctly parse URL's with a fragment (#) in it (#84)

other

• Bump golang build container version to 1.14.12 (https://github.com/sensepost/gowitness/commit/16229e33c678f6635f7a6e728e2f78a4de5a571f)

5591e6e601ae5377c72932af3cb845f6a71d72e1  gowitness-2.2.1-darwin-amd64
357380c4771afe2f9fb6e7fad017882d9d13c6e7  gowitness-2.2.1-linux-amd64
8b1ab7b1f2652839a924d4e6271bce26514fe700  gowitness-2.2.1-windows-amd64.exe

new

• Add a new merge sub command. This command takes multiple gowitness sqlite databases and outputs a new, merged database. Check gowitness merge --help for more information.

other

• Small report viewer UI updates (thanks @hackerpain).
• Add an error message when the report viewer has no results, indicating that the database is either empty or not found.

fixes

• Improved file name generation, specifically to append the .png extension.

5859a65d295b1cde4c3176b6b7c31225de495964  gowitness-2.2.0-darwin-amd64
366975463825f9d25f136c52a2509ac8d9c09d6f  gowitness-2.2.0-linux-amd64
67f78eb6404f22ea938a13434a80ff102f96c7fa  gowitness-2.2.0-windows-amd64.exe

fixes

• Resolve a flag naming conflict with the scan port and global proxy.

1eb5adedb5d652b88729249a7cd3dd4af25024f0  gowitness-2.1.2-darwin-amd64
15fc67fa73261ce8234b1e27582e5fd67be1d7f3  gowitness-2.1.2-linux-amd64
9dac98cca720e7a2c3c3bace54695aa7a650cf24  gowitness-2.1.2-windows-amd64.exe

fixes

• Resolve a flag naming conflict with the nmap port and global proxy.

61f1261000f167484177b1af3cd6002b64d69ffd  gowitness-2.1.1-darwin-amd64
61f8a8d9f1188b0281232af4f40f2c202b079769  gowitness-2.1.1-linux-amd64
618c54ca1290ff79f59d6f4c1c842bf1c3e53e73  gowitness-2.1.1-windows-amd64.exe

new

• Add proxy support (https://github.com/sensepost/gowitness/commit/9736345601bcb75f56ac5340b738d5615178eeb3) thanks @randomactsofsecurity

fixes

• Ensure that the screenshot path is ready for the single command
• Build artefacts with CGO_ENABLED=1 for all platforms so that the sqlite library in use also works cross-platform

0a6395a6882bc1808386e788cb2c7dee20c0b8c4  gowitness-2.1.0-darwin-amd64
d1b21650ecd2459169c19f90113628a0cf2f6679  gowitness-2.1.0-linux-amd64
dc29f0b2adc11ddb47a63485871bb9908055a273  gowitness-2.1.0-windows-amd64.exe

This version contains a major code refactor with many changes and upgrades to improve the overall performance and experience of using gowitness! Enjoy.

new

• Add json & csv output flags for the report list subcommand.
• Add better error handling for the screenshot integration server subcommand (serve)
• Add a new interactive report viewer subcommand: report serve.
• Add the ability to submit URL's for screenshotting via the report viewer.
• Add the ability to search for title names in the report viewer.

changes

• Replace the home grown invocation of Google Chrome with chromedp.
• Remove the proxy server hack to bypass TLS errors in the v1 Chrome invocation implementation. We now use the ignore-certificate-errors flag via chromedp.
• Refactor the file, scan, nmap and single subcommands for better readability and options parsing.
• Replace logging from logrus to zerolog.
• Remove log levels and add a --debug flag.
• Replace the database used from BuntDB to Sqlite3.
• Remove gorequest used for preflighting and replace it with the nativehttp.Client
• Remove static HTML report generation.
• Update the Dockerfile to use chromedp/headless-shell as the base image.

fixes

Various bugs found along the way were also fixed, but most importantly the use of chromedp should make for a more stable and predictable experience overall.

v1.3.4

new

• Add support for stdin as a file input source by using - as the file name. This means you can pipe tool output to gowitness. eg. tool | gowitness file --source -. You could use something like subfinder to get urls to screenshot for a domain too! (https://github.com/sensepost/gowitness/commit/d4b20440b77e94603c60b9216004c2bba3840c72)
• Add a new server sub command to start a webservice to take screenshots. Once the web server is running with gowitness server, browse to it with a url parameter to have a screenshot returned as an HTTP response. eg. http://localhost:7171/?url=https://www.google.com. Thanks @x0rzkov (#55)
• Add a new --output / -o flag to the single command to specify the target file name for the screenshot. Thanks @gmessow-cxomni (#53)
• Add a new --open flag to the nmap command to only use ports that were considered open. Thanks @randomactsofsecurity (#52)
• Add port collections for the scan command in the form of flags. --ports-sm (defaults to enabled), --ports-me and --ports-lg each have a set of ports which may be used in conjunction with the --ports flag to specify other custom ports. (https://github.com/sensepost/gowitness/commit/41494d4ba9a0113306f0e4c58341534eb7d0c92a)

fixes

• Restore the ability to have single page reports again by specifying 0 as the chunk size for reports. (https://github.com/sensepost/gowitness/commit/056af0b7bd9ca8bed8aac7a92cb7a7f8cc91fc1c)

other

• Improve debug logging for Chrome to help with hunting down issues. Example usage is described in this comment. (https://github.com/sensepost/gowitness/commit/2699bf210e14b66f8fac43c4f1f9bebd1c1c8eea)
• Ensure that the final ports list is unique for the scan command. (https://github.com/sensepost/gowitness/commit/92c642b5b610bc5c50f5457cf19015978464c1b0)

3fba7bb295b2c488a5d7badb685638d50f30cdbe  gowitness-darwin-amd64
b5eb3dd4815004f3ad8e6d6341788283423446ad  gowitness-linux-amd64
7796a0eda61d89b0d4ef8fcbc7af406da10a18ed  gowitness-windows-amd64.exe

v1.3.3

other

• Improve internal error handling when the Chrome screenshot function fails.

4b50407f352c13e1e6b8440d1055227df0334b6e  gowitness-darwin-amd64
75962c1cc96f81cf4e41f889ee7d2fa4c7616b5b  gowitness-linux-amd64
507d7914ca9c9cc9ae3aec70b02d3b23586606a7  gowitness-windows-amd64.exe