Webshag Package Description

Webshag is a multi-threaded, multi-platform web server audit tool. Written in Python, it gathers commonly useful functionalities for web server auditing like website crawling, URL scanning or file fuzzing.

Webshag can be used to scan a web server in HTTP or HTTPS, through a proxy and using HTTP authentication (Basic and Digest). In addition to that it proposes innovative IDS evasion functionalities aimed at making correlation between request more complicated (e.g. use a different random per request HTTP proxy server).

Source: http://www.scrt.ch/en/attack/downloads/webshag
Webshag Homepage | Kali Webshag Repo

  • Author: ~SaD~, SCRT – Information Security
  • License: GPLv3

Tools included in the webshag package

webshag-cli – Multi-threaded web server audit tool (CLI)
root@kali:~# webshag-cli -h
Usage: webshag-cli [-U | [options] target(s)]

  --version       show program's version number and exit
  -h, --help      show this help message and exit
  -U              Update the URL scanner databases and exit
  -m MODULE       Use MODULE [pscan|info|spider|uscan|fuzz]. (default: uscan)
  -p PORT         Set target port to PORT. For modules uscan and fuzz PORT can
                  be a list of ports [port1,port2,...]. (default: 80)
  -r ROOT         Set root directory to ROOT. For modules uscan and fuzz ROOT
                  can be a list of directories [/root1/,/root2/,...].
                  (default: /)
  -k SKIP         *uscan only* Set a false positive detection string
  -s SERVER       *uscan only* Bypass server detection and force server as
  -i SPIDER_INIT  *spider) only* Set spider initial crawling page (default: /)
  -n FUZZ_MODE    *fuzz only* Choose the fuzzing mode [list|gen]. (default:
  -e FUZZ_CFG     *fuzz / list only* Set the fuzzing parameters for list mode.
                  11 = fuzz directories and files; 01 = fuzz files only; 10 =
                  fuzz directories only; 00 = fuzz nothing. (default: 11)
  -g FUZZ_GEN     *fuzz / gen only* Set the filename generator expression.
                  Refer to documentation for syntax reference. (default: )
  -x              Export a report summarizing results.
  -o OUTPUT       Set the format of the exported report. [xml|html|txt].
                  (default: html)
  -f OUTPUT_FILE  Write report to FILE. (default: webshag_report.html)

webshag-gui – Multi-threaded web server audit tool (GUI)

A multi-threaded, multi-platform web server audit tool. The GUI-version.

webshag-cli Usage Example

Run a port scan (-m pscan) on the remote IP address (

root@kali:~# webshag-cli -m pscan
~~~~~~~~~~~~~~~~~~~~~~~~~~ ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
% webshag 1.10
% Module: pscan
% Host:
~~~~~~~~~~~~~~~~~~~~~~~~~~ ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

% PORT %    22 (tcp)
% SRVC %    ssh
% PROD %    OpenSSH
% SYST %    Linux

% PORT %    80 (tcp)
% SRVC %    http
% PROD %    Apache httpd

% PORT %    9876 (tcp)
% SRVC %    http
% PROD %    Apache httpd

~~~~~~~~~~~~~~~~~~~~~~~~~~ ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

webshag-gui Usage Example

root@kali:~# webshag-gui