Tool Release: Webcap
An ultra-lightweight web screenshot tool with advanced features.
Today we’re excited to announce a new web screenshot tool, Webcap.
Webcap is designed to fill the role of Gowitness, but with some additional advanced features that make it ideal for pentesting and bug bounties, while enabling easy integration into your Bash or Python scripts.
In an upcoming release, it will replace Gowitness as the primary web screenshot module in BBOT.
Features
In addition to the usual features expected from a web screenshot tool, Webcap has some new and unique capabilities. Some of these capabilities make it easier to use, while others appeal to advanced users.
Webcap stays extremely lightweight by interfacing directly with the Chrome DevTools API. It doesn’t depend on any frameworks like Selenium, Puppeteer, or Playwright, and doesn’t use any third-party headless libraries. Instead, it natively implements only the features it needs.
Web Interface with Perception Grouping
Webcap’s web interface comes equipped with a feature that groups similar screenshots together, allowing you to browse quickly through them. This works by way of a perception hash which is calculated for every screenshot.
This perception filter is designed to ease the pain of scrolling through pages of identical screenshots.
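To show how hash-based grouping of this kind can work, here is an added example (not Webcap's own code; this page does not say which perceptual hash or distance threshold Webcap uses). It computes a difference hash (dHash) over constructed grayscale pixel grids and groups them by Hamming distance. The `fake_shot` helper, the URLs and the 6-bit threshold are assumptions made for the illustration.

```python
# Added illustration, not Webcap's code: dHash plus Hamming-distance grouping.
def shrink(pixels, w, h):
    """Nearest-neighbour downscale of a 2D grayscale grid to w x h."""
    src_h, src_w = len(pixels), len(pixels[0])
    return [[pixels[y * src_h // h][x * src_w // w] for x in range(w)] for y in range(h)]

def dhash(pixels, size=8):
    """64-bit difference hash: one bit per horizontal neighbour pair."""
    bits = 0
    for row in shrink(pixels, size + 1, size):
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(left > right)
    return bits

def hamming(a, b):
    return bin(a ^ b).count("1")  # number of differing bits

def group(shots, max_dist=6):
    """Greedy grouping; max_dist is an assumed threshold, tune it on real data."""
    groups = []  # list of (representative_hash, [urls])
    for url, pixels in shots.items():
        h = dhash(pixels)
        for rep, members in groups:
            if hamming(rep, h) <= max_dist:
                members.append(url)
                break
        else:
            groups.append((h, [url]))
    return [members for _, members in groups]

def fake_shot(rising, patch=None):
    """Constructed 72x64 'screenshot': a gradient, optionally with one 8x8 block changed."""
    img = [[x * 3 if rising else 255 - x * 3 for x in range(72)] for _ in range(64)]
    if patch:
        top, left = patch
        for y in range(top, top + 8):
            img[y][left:left + 8] = [128] * 8
    return img

# Constructed sample data: two look-alike default pages, two look-alike logins.
SHOTS = {
    "https://a.example/": fake_shot(False),
    "https://b.example/": fake_shot(False, patch=(8, 8)),
    "https://login.example/": fake_shot(True),
    "https://sso.example/": fake_shot(True, patch=(16, 8)),
}

if __name__ == "__main__":
    print(group(SHOTS))
```

The changed 8x8 block stands in for a differing hostname or timestamp: it flips a single hash bit, so near-identical pages stay in the same group while the two page layouts land 64 bits apart.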
JSON Output
Webcap supports JSON output in the terminal. This includes comprehensive data extracted from the browser session.
Capturing of JavaScript
In addition to capturing the fully-rendered DOM, Webcap also detects any JavaScript parsed by the browser. It outputs these individually, for later analysis.
Capturing of Individual Requests + Responses
Webcap captures every request and response made by the browser in the course of loading the page. This includes iframes, AJAX API calls, JavaScript files, and more. These are included in the JSON output.
OCR Text Extraction
Finally, Webcap can extract visible text from the fully-rendered page. Since this uses OCR, it includes rasterized text from images.
Upcoming Features
Here are some features we plan on adding soon:
Technology Detection
Custom JavaScript injection
How to Install
pipx install webcap
Example Commands
Scanning
# Capture screenshots of all URLs in urls.txt
webcap scan urls.txt -o ./my_screenshots
# Output to JSON, and include the fully-rendered DOM
webcap scan urls.txt --json --dom | jq
# Capture requests and responses
webcap scan urls.txt --json --requests --responses | jq
# Capture JavaScript
webcap scan urls.txt --json --javascript | jq
# Extract text from screenshots
webcap scan urls.txt --json --ocr | jq
Server
# Start the server
webcap server
# Browse to http://localhost:8000
Conclusion
We hope you find this tool useful. Stay tuned for more features, and for the imminent Webcap module in BBOT!
If you have questions or ideas, please let us know on the Webcap GitHub, or ping us in the Black Lantern Security Discord.
Happy hacking!