Today we’re excited to announce a new web screenshot tool, Webcap.

Webcap is designed to fill the role of Gowitness, but with some additional advanced features that make it ideal for pentesting and bug bounties, while enabling easy integration into your bash or python scripts.

In an upcoming release, it will replace Gowitness as the primary web screenshot module in BBOT.

Features

In addition to the usual features expected from a web screenshot tool, Webcap has some new and unique capabilities. Some of these capabilities make it easier to use, while others appeal to advanced users.

Webcap stays extremely lightweight by interfacing directly with the Chrome Devtools API. It doesn’t depend on any frameworks like Selenium, Puppeteer, or Playwright, and doesn’t use any third party headless libraries. Instead, it natively implements only the features it needs.

Web Interface with Perception Grouping

Webcap’s web interface comes equipped with a feature that groups similar screenshots together, allowing you to browse quickly through them. This works by way of a perception hash which is calculated for every screenshot.

This perception filter is designed to ease the pain of scrolling through pages of identical screenshots.

JSON Output

Webcap supports JSON output in the terminal. This includes comprehensive data extracted from the browser session.

Capturing of JavaScript

In addition to capturing the fully-rendered DOM, Webcap also detects any JavaScript parsed by the browser. It outputs these individually, for later analysis.

Capturing of Individual Requests + Responses

Webcap captures every request and response made by the browser in the course of loading the page. This includes iframes, AJAX API calls, JavaScript files, and more. These are included in the JSON output.

OCR Text Extraction

Finally, Webcap can extract visible text from the fully-rendered page. Since this uses OCR, it includes rasterized text from images.

Upcoming Features

Here are some features we plan on adding soon:

• Technology Detection

• Custom JavaScript injection

How to Install

pipx install webcap

Example Commands

Scanning

# Capture screenshots of all URLs in urls.txt
webcap scan urls.txt -o ./my_screenshots

# Output to JSON, and include the fully-rendered DOM
webcap scan urls.txt --json --dom | jq

# Capture requests and responses
webcap scan urls.txt --json --requests --responses | jq

# Capture javascript
webcap scan urls.txt --json --javascript | jq

# Extract text from screenshots
webcap scan urls.txt --json --ocr | jq

Server

# Start the server
webcap server

# Browse to http://localhost:8000

Conclusion

We hope you find this tool useful. Stay tuned for more features, and for the imminent Webcap module in BBOT!

If you have questions or ideas, please let us know on the Webcap Github, or ping us in the Black Lantern Security Discord.

Happy hacking!