WebCopilot - An automation tool for XSS, SQLi, LFI, SSRF and RCE

[●] @h4r5h1t.hrs | G!2m0
webcopilot -d
webcopilot -d -s
webcopilot [-d target] [-o output destination] [-t threads] [-b blind server URL] [-x exclude domains]
-d Add your target [Requried]
-o To save outputs in folder [Default: domain.com]
-t Number of threads [Default: 100]
-b Add your server for BXSS [Default: False]
-x Exclude out of scope domains [Default: False]
-s Run only Subdomain Enumeration [Default: False]
-h Show this help message
Example: webcopilot -d domain.com -o domain -t 333 -x exclude.txt -b testServer.xss
Use https://xsshunter.com/ or https://interact.projectdiscovery.io/ to get your server

WebCopilot is an automation tool designed to enumerate subdomains of the target and detect bugs using different open-source tools.

The script first enumerates all the subdomains of the given target domain using assetfinder, sublister, subfinder, amass, findomain, hackertarget, riddler and crt then do active subdomain enumeration using gobuster from SecLists wordlist then filters out all the live subdomains using dnsx then it extract titles of the subdomains using httpx & scans for subdomain takeover using subjack. Then it uses gauplus & waybackurls to crawl all the endpoints of the given subdomains then it use gf patterns to filters out xss, lfi, ssrf, sqli, open redirect & rce parameters from that given subdomains, and then it scans for vulnerabilities on the subdomains using different open-source tools (like kxss, dalfox, openredirex, nuclei, etc). Then it'll print out the result of the scan and save all the output in a specified directory.


  • Subdomain Enumeration using assetfinder, sublist3r, subfinder, amass, findomain, etc.
  • Active Subdomain Enumeration using gobuster & amass from SecLists/DNS wordlist.
  • Extract titles and take screenshots of live subdomains using aquatone & httpx.
  • Crawl all the endpoints of the subdomains using waybackurls & gauplus and filter out XSS, SQLi, SSRF, etc parameters using gf patterns.
  • Run different open-source tools (like dalfox, nuclei, sqlmap, etc) to search for vulnerabilities on these parameters and then save all the outputs in the folder.

Installing WebCopilot

WebCopilot requires git to install successfully. Run the following command as a root to install webcopilot.

git clone https://github.com/h4r5h1t/webcopilot && cd webcopilot/ && chmod +x webcopilot install.sh && mv webcopilot /usr/bin/ && ./install.sh

Tools Used:

SubFinder • Sublist3r • Findomain • gf • OpenRedireX • dnsx • sqlmap • gobuster • assetfinder • httpx • kxss • qsreplace • Nuclei • dalfox • anew • jq • aquatone • urldedupe • Amass • gauplus • waybackurls • crlfuzz


g!2m0:~ webcopilot -h

Get WebCopilot