DEV Community

Trix Cyrus
Trix Cyrus

Posted on

Waymap v7.2.1: Thread-Safe Results, Hardened Security, and a Dozen Bug Fixes

Author: Trix Cyrus

[🔹 Try My] Waymap Pentesting Tool

[🔹 Follow] TrixSec GitHub

[🔹 Join] TrixSec Telegram


Waymap v7.2.1 Released

Waymap is an open-source web vulnerability scanner for authorized security testing. It automates SQLi, XSS, RCE, LFI, CORS, CRLF, Open Redirect, API, Recon, Misconfiguration, and WordPress security checks with session-based results, multi-threading, crawling, authentication, and reporting.

Today we're releasing Waymap v7.2.1, a release focused entirely on stability, security hardening, and bug fixes.

No new scan types this time. Instead, we revisited every module to improve reliability and ensure they behave correctly under real-world conditions.


Why This Release Matters

Waymap v7.2.0 introduced:

  • Google Dork Discovery
  • WPScan Profiles
  • RCE Scanning
  • Secrets Management

After testing against real targets and incorporating community feedback, we identified several issues ranging from multi-threaded data races to SQL injection payload handling bugs.

v7.2.1 fixes them all.


What's Changed

Thread-Safe Result Saving

The biggest change is the introduction of a new ResultManager with file locking.

Previously, concurrent writes from multiple scanning threads could corrupt session JSON files.

Now every scanner uses the centralized ResultManager:

  • SQLi
  • XSS
  • LFI
  • CMDi
  • RCE
  • SSTI
  • CORS
  • CRLF
  • Open Redirect
  • Advanced
  • WPScan
  • Recon/Misconfiguration

Result writes are now properly synchronized.


Secure XML Parsing

The SQLi and CMDi scanners load payload definitions from XML files.

Previous releases used Python's built-in xml.etree.ElementTree, which is susceptible to XXE (XML External Entity) attacks if payload files are modified.

Waymap now uses:

  • defusedxml

which blocks XXE attacks by default.

The dependency has been added to requirements.txt.


SQL Injection Improvements

Boolean-based SQLi

Previously payloads were appended to the end of URLs instead of replacing actual parameter values.

This meant the scanner was testing incorrect requests.

Fixed.

Error-based SQLi

Single quotes were being stripped from payloads before injection, breaking quote-dependent payloads.

Removed.

Time-based SQLi

A baseline response time is now measured before testing.

This significantly reduces false positives caused by naturally slow servers.


CRLF Detection

Previously only HTTP response headers were checked.

Now Waymap checks:

  • Response headers
  • Response body

allowing more injection points to be detected.


Open Redirect

Redirect detection previously relied on external curl.

This caused failures on Windows systems without curl installed.

Waymap now uses Python Requests with:

allow_redirects=False
Enter fullscreen mode Exit fullscreen mode

making the scanner fully cross-platform.


CMDi URL Handling

Payload injection previously relied on string replacement.

URLs containing multiple parameters or encoded characters could break.

Waymap now rebuilds URLs using proper query-string parsing.


Report Loading

A path resolution bug prevented reports from loading session JSON files.

This has been fixed for every supported report format:

  • HTML
  • CSV
  • Markdown
  • PDF

Other Fixes

  • Config paths now resolve from the project root instead of os.getcwd()
  • Fixed incorrect WAF detection import path
  • Improved Unicode rendering on Windows (no mojibake)

Installation

pip install waymap==7.2.1
Enter fullscreen mode Exit fullscreen mode

Or install from source:

git clone https://github.com/TrixSec/waymap.git

cd waymap

pip install -r requirements.txt

python waymap.py --help
Enter fullscreen mode Exit fullscreen mode

Quick Start

SQL Injection Scan

waymap --target "https://example.com/page?id=1" --scan sqli
Enter fullscreen mode Exit fullscreen mode

Full Scan

waymap \
  --target https://example.com \
  --scan all \
  --crawl 2 \
  --threads 4 \
  --no-prompt \
  --report-format html,csv \
  --output-dir reports
Enter fullscreen mode Exit fullscreen mode

Interactive Mode

waymap
Enter fullscreen mode Exit fullscreen mode

Links


If you find Waymap useful, consider ⭐ starring the GitHub repository.

Bug reports, feature requests, and pull requests are always welcome.


Disclaimer

Waymap is intended for authorized security testing and educational purposes only.

Only scan systems that you own or have explicit permission to test.


~TrixSec

Top comments (0)