What's Changed

• html a-tag unclosed bug fixed by @gorgiaxx in https://github.com/sensepost/gowitness/pull/187
• Fix database file path location parser by @mr-pmillz in https://github.com/sensepost/gowitness/pull/188
• fix: typo by @testwill in https://github.com/sensepost/gowitness/pull/201
• (fix) MarshalJSON spells with one "l" by @alexandear in https://github.com/sensepost/gowitness/pull/198
• Fixing the missing port issue with Nessus by @quentinpraz in https://github.com/sensepost/gowitness/pull/191

New Contributors

• @gorgiaxx made their first contribution in https://github.com/sensepost/gowitness/pull/187
• @mr-pmillz made their first contribution in https://github.com/sensepost/gowitness/pull/188
• @testwill made their first contribution in https://github.com/sensepost/gowitness/pull/201
• @alexandear made their first contribution in https://github.com/sensepost/gowitness/pull/198
• @quentinpraz made their first contribution in https://github.com/sensepost/gowitness/pull/191

Full Changelog: https://github.com/sensepost/gowitness/compare/2.5.0...2.5.1

1edfe2209731e68621006b3cc0376d6a4b97e85e  gowitness-2.5.1-darwin-amd64
3c817d57d704a3de1dcb084a59b77e684dddb154  gowitness-2.5.1-darwin-arm64
19c75086ac90ae2891f24fa89d76c84748eb3d06  gowitness-2.5.1-linux-amd64
105ecb560afccd5f29fe1d748c32862848f556df  gowitness-2.5.1-linux-arm64
e893957658f560911864eeecec606c0cd9ea8e05  gowitness-2.5.1-linux-armv7
32315a0b50ccd4e28b941a4b0121200b6625eb9e  gowitness-2.5.1-windows-amd64.exe

new

• Make URLs clickable in static report exports (thanks @initstring) (via #172)
• Add ability to execute externally introduced JavaScript via the new --js flag on screenshotted pages. (thanks @djallalzoldik) (via #180)
• Add PostgreSQL support (thanks @habitualdev) (via #166). You should now specify the database to use using a full URI. Eg: sqlite://gowitness.sqlite3 (the default), or postgres://user:pass@host/database.
• Add search API endpoint (docs: search (thanks @habitualdev) (via #166)
• Add ability to store screenshots in the database using a new flag --screenshot-db-store (thanks @habitualdev) (originally via #166 but refactored in https://github.com/sensepost/gowitness/commit/62d6de3d49dd5fa438e0ab38105f3bfb050da0ee). The report viewer will automatically fallback to the filesystem if database screenshots are not available.
• Add HTTP response code filtering, controlling which HTTP codes get screenshotted. (thanks @nickspring) (originally via #137 but implemented in https://github.com/sensepost/gowitness/commit/1503c5b8b0285f25d03f4893ae2c92674451bacc)

fixes

• Fix report server range selector. (thanks @randomactsofsecurity ) (via #163)
• Fix example nessus file syntax (thanks @brettgus) (via #170)
• Prevent duplicate file extensions added to filenames (thanks @maik-s) (via #183)

other

• Bump dependencies and Go version (in https://github.com/sensepost/gowitness/commit/4907ceacfa9edfc09f205deab5bfc47d800a8edf, https://github.com/sensepost/gowitness/commit/921811db51caea40ef6d062da685ca437f55b2a5, https://github.com/sensepost/gowitness/commit/a7941d8d68e049b4786aafd805222888020298bf)
• Remove deprecated use of io/ioutil (in https://github.com/sensepost/gowitness/commit/f939dec411a982f98d6b2e79555a14fd28039e00)

new contributors

• @brettgus made their first contribution in https://github.com/sensepost/gowitness/pull/170
• @initstring made their first contribution in https://github.com/sensepost/gowitness/pull/172
• @maik-s made their first contribution in https://github.com/sensepost/gowitness/pull/183
• @djallalzoldik made their first contribution in https://github.com/sensepost/gowitness/pull/180
• @habitualdev made their first contribution in https://github.com/sensepost/gowitness/pull/166

Full Changelog: https://github.com/sensepost/gowitness/compare/2.4.2...2.5.0

72f9578e558527bd5e8c6212d5e63b18867cd0b7  gowitness-2.5.0-darwin-amd64
d3fa213e6e0c8543256e26c1c3b3b71f23175485  gowitness-2.5.0-darwin-arm64
5f76bc689612b0b1ca5266834c76cb0c55a120b8  gowitness-2.5.0-linux-amd64
9c567241d9202689d395e704735fd8f3c1a47cfb  gowitness-2.5.0-linux-arm64
c8005cc40c8a7a9c1c690737e14853c829263acd  gowitness-2.5.0-linux-armv7
d906179afa9b59950a3ded496f9c0ede260c2cb7  gowitness-2.5.0-windows-amd64.exe

fixes

• Improve web UI reverse proxy support when served under a sub directory. A new wiki article was also added (in https://github.com/sensepost/gowitness/commit/e904933ab1d877beca7f88b14b513144c5c23ca0) (thanks @random-robbie for PR's prompting this).

other

• Bump dependencies and build with Go 1.19 (in https://github.com/sensepost/gowitness/commit/3b2acebe5d7ae126ffb9134ab08f932946c0da80)

8577bca1f581d7f163144b5c9068861fcf401524  gowitness-2.4.2-darwin-amd64
64b7469d97a511650f1efb74499878ad3ef8e76d  gowitness-2.4.2-darwin-arm64
e98b223ae71ef7a8df75ba0a6461b6b772a2176e  gowitness-2.4.2-linux-amd64
18556f2b0b856d90865ddae653c2e05182541e37  gowitness-2.4.2-linux-arm64
adb157143d84ff697c0cf965df3ce04ae34a5a48  gowitness-2.4.2-linux-armv7
6de652cf5ddf8f4f541f6172f127d23747353097  gowitness-2.4.2-windows-amd64.exe

new

• Add ability to specify additional headers when screenshotting via the HTTP api. See the API docs for a usage example (in https://github.com/sensepost/gowitness/commit/f5e2aeac99bf3e8096e25b2f9f2c38fad3037110).
• Add linux/arm and linux/armv7 targets to release binaries (in https://github.com/sensepost/gowitness/commit/12f01a95be815b7f3d0bc099bda50ae8ac005a49)

fixes

• Fix nmap command example documentation. (thanks @crypt0rr ) (via #138)

other

• Build release binaries with Go 1.18.4 (in https://github.com/sensepost/gowitness/commit/31c6e64c091746829d4d5ac57aa331f13da71d9c)
• Bump dependencies (in https://github.com/sensepost/gowitness/commit/2041445c78a6471482c3691713f31a5a2051dd0e)
• Fix internal flag name typo (in https://github.com/sensepost/gowitness/commit/86134ed639acc9d3debc7859a171a57aeca6c077)

8c5dfc2b7f5a66aec4d861522c2d78452e1950ac  gowitness-2.4.1-darwin-amd64
bd4026cad944b6143fbad90b0a9f2e41671509f6  gowitness-2.4.1-darwin-arm64
82c56c41caf8e1474adc851a90df48cb5b7c9ee1  gowitness-2.4.1-linux-amd64
b6391b19c6b5316e74c18f8c05dcec1987186170  gowitness-2.4.1-linux-arm64
9f79dfa11aaf6788a1150da41c12da03185e26af  gowitness-2.4.1-linux-armv7
5ec37979e14290200f0d0919006102cefa89edd2  gowitness-2.4.1-windows-amd64.exe

66 commits later, this is a major release of gowitness with many new features, fixes and overall polish. Some screenshots to see what the updated report server UI looks like is below, followed by the change log for this release. Enjoy!

The new Dashboard view

A dark themed, detailed view:

A light themed, detailed view:

new

• Add application technology identification using Wappalyzer (via #104 and #110 and #127) (in 3a80bf6db6e887180c4963d8e10b1dea175584e3 and e79214e3be016be04de8eac34ce694016c2d3143 and 65816c650f56e5bbe029077226f4ad7f4ef39019) (thanks guervild and Ice3man543 and terrabitz)
• Improve performance in HostsInCIDR() method (via #107) (in 71125b2b19f08b7bc87481c2d7a0c50aa8b6fbb0) (thanks NickChillClub)
• Add a Nessus parser (via #123) (in e1923bb92e4e0935142e331225f8b903c396d509) (thanks randomactsofsecurity)
• Add additional header support (via #124) (in c7b874ad63bf6198dcafc26531b51974ae6fa460) (thanks randomactsofsecurity)
• Refactor the webserver to make use of Gin (in 6fad6c3a9dac17305012e5119cf51baf2315607d)
• Various web UI dependency upgrades, fixes and layout updates (via 05f3c32086588f89b10937f7b303486705cb2d6d)
• Add new API endpoints. API documentation can be found in the Wiki here (via 49c87022eafa56749b36a5b358f76fd72c9b4e21 and 6769e88dfcc6e1bf1a89bf2055fab32f619c3517)
• Add a new dashboard view (via 00f939423095f5b16facae401783baa91bad4b72)
• Restore the ability to export static HTML reports again (via 3e459eb0a10d10c80f929c8a387bb9fbc8ff6683)
• Record both browser console logs and network events as emitted via Chrome. These fields are searchable and make it possible to see the IP's that hosts resolved to at the time of the screenshot (in 396de21ed5f8656b0cf940c43316d40320ec31e9 and 3efb7b0c5a2d04108e7c0e25362a2edd730f3663)
• Add a simple pager to the detail view (in 0c14e67980e87bc6af022c236f83fba0b8ac9e5e)
• Add a theme switcher for light mode or dark mode, defaulting to dark mode (in 0cbdafb4e574fe4eafbafa2f74bdbad6205965a7)
• Add the ability to dump and save the DOM (in 453a0fcfa2868c6498b1d3fb55559de456a01528)
• Significantly refactor the search feature to more agressively search through collected data. This includes URL's, DOM's, network events, console logs and more. (in 78303cb7aa7f71b9acbc7df59ea8c57f715b5879)
• Add the ability to save screenshots as PDF's instead of PNG's (in 2f87924f3431aceb08e49b61901dd5a5445fa57a)
• Add an example docker-compose.yml file to show how the report server could be used when exposed to a larger network.

fixes

• Improve reliability, dealing with some cases where Chrome may hang (via #132) (in 79c4f6e950715157a829560344daa15fdae85188) (thanks rtpt-jonaslieb and randomactsofsecurity)
• Prevent screenshot filenames from becoming overly long (in 19b4e15b57996a93827d14c602046a6bc68f79aa)

other

• build release binaries with Go 1.18.2 (186f57eb9ee1cd429d262b3603256423f75f13be) (8b88b472e673355530439067a5e5030690ffe82f) (19c182705b3d18ee9f7a774c863cca410184190d)
• build releases for macOS ARM (96df49e00361fdd9c15a720571176656f2d8d0f2)
• bump dependencies (3092a86d381076724fe69ec6724618494dd3fea7) (861543ed7e4c7279121e1bd4d23db8b9ed573a66) (01005bbfc76839054ca0684029adc97606ec3845) (af7a504f04fdf3f4964625ca8aeed78400a2849a) (c6da64d46657c01c7608fd41552dfca4ccf43aa3) (0002ef967a32eda866b34add071fa2e4240fe3ba)
• use github actions to build docker image (ff1241d986d8da542724efee08ceff957e86c3b8)
• replace vfsgen with native Golang embed for web assets (d98ae0ce3e054d4ffd5bd41a1f5cefef3bcc42fd)
• Bump the default User-Agent string used (via ec73fbb9fd3023b4da881f67c46a22560d269057)

76065c1c937630e44ecde32abfc0fd945cb20483  gowitness-2.4.0-darwin-amd64
b556b7f45a1b313a1686843f219cf8b045ad0e48  gowitness-2.4.0-darwin-arm64
d361fe3cdf738b0fe60b204a03017e3b4b38ffb5  gowitness-2.4.0-linux-amd64
0f91805c85dd665758e205dda8e8edf09dacb498  gowitness-2.4.0-windows-amd64.exe

This is primarily a security/hardening release.

fixes

• Limit the allowed URI's that may be submitted to the screenshot or report server to only those starting with http / https by default. You can use the new --allow-insecure-uri / -A flag to disable this. Take note that with the -A flag, it means someone could screenshot file:// URI's and read local files on the host filesystem. To combat some of this abuse, by default the report & screenshot servers listen on localhost only. However, if you are exposing the report or screenshot servers to the Internet (or other untrusted networks), make sure you restrict access to it as other problematic URI's such as localhost and cloud metadata URIs (and any other SSRF vector) will also be reachable this way. (https://github.com/sensepost/gowitness/commit/57dffb7a890996daf37254719b035166f1b33d6b) (thanks to Omri Inbar from Checkmarx for reporting the LFI).

other

• go-staticcheck fixes and other code cleanups (https://github.com/sensepost/gowitness/commit/11494176a8fcbb4373e61096d147bd2fe9318d5a)

8a2ca3dc8a58ce3e103aeabd13df7713c0322b2c  gowitness-2.3.6-darwin-amd64
b50938b99af45d7bc209428a648f057b11a6025f  gowitness-2.3.6-linux-amd64
1dcee72acdf074f1850263643ca9297b0d5b38e3  gowitness-2.3.6-windows-amd64.exe

fixes

• Check the correct error when parsing Proxy URI's (https://github.com/sensepost/gowitness/commit/28a8c776195a06ea9080a952da8f9f9182108b19)
• Fix a typo (https://github.com/sensepost/gowitness/commit/c168591ae1bb6e9ec0cc1b83c0d9e8cb7cd709e6) (thanks @benichmt1 via #96)

other

• Bump go version used for release builds to 1.15.10 (https://github.com/sensepost/gowitness/commit/6697b99410b0ca1655eebaf0c96abcaca63f5711)
• Bump dependencies to use chromedp 0.7.2, fixing #101 (https://github.com/sensepost/gowitness/commit/d503334e569d5f7d0e471a65fe766c0cfb0fafee)

72dcadc450a02e931ab9143ef23f9ddba8a6d9cd  gowitness-2.3.5-darwin-amd64
71052ed766b0155c7331c155e7cbed213776c3a8  gowitness-2.3.5-linux-amd64
5446ad08a709d4462269776af78578410616929d  gowitness-2.3.5-windows-amd64.exe

new

• Add the Public Key Algorithm field to the database (https://github.com/sensepost/gowitness/commit/3e9cf0548696cd09cc9567bca4eff22b94041f63) (fixes #91)

78722cc482250dba386c0e562568212a1dcbf4d1  gowitness-2.3.4-darwin-amd64
5fb571b12d761f26adbec073d0d73bc45d194259  gowitness-2.3.4-linux-amd64
26726bf22eb9ad6a274aa07b83e8a624904e937c  gowitness-2.3.4-windows-amd64.exe

fixes

• Automatically dismiss JavaScript dialog boxes which caused gowitness to stall (https://github.com/sensepost/gowitness/commit/bd6114e70b299ad3627aa5074f7ab81ab0732a70) (via #89) (thanks @Serizao)

f86cc43856f756960898bbc4ff8ce16ded30717f  gowitness-2.3.3-darwin-amd64
b2c5afe02d91c26dfe06547f668390d517a934e0  gowitness-2.3.3-linux-amd64
750c84767a8786fa812f7836ed5b3586f2b7c835  gowitness-2.3.3-windows-amd64.exe

other

• Dependency bump (https://github.com/sensepost/gowitness/commit/84ef468204a2a0169807275858e04bc6cf93b8a9)

632016c57e12d046cd7efc2debd6ebce0b8a5ba5  gowitness-2.3.2-darwin-amd64
ecc414ffd377e212cc66f32ed2a9ee055b5af640  gowitness-2.3.2-linux-amd64
aa2bc8b925d2bbd7942e8fbd650fa02d9c296f3c  gowitness-2.3.2-windows-amd64.exe