Author: Trix Cyrus
[🔹 Try My] Waymap Pentesting Tool
[🔹 Follow] TrixSec GitHub
[🔹 Join] TrixSec Telegram
Waymap v7.2.1 Released
Waymap is an open-source web vulnerability scanner for authorized security testing. It automates SQLi, XSS, RCE, LFI, CORS, CRLF, Open Redirect, API, Recon, Misconfiguration, and WordPress security checks with session-based results, multi-threading, crawling, authentication, and reporting.
Today we're releasing Waymap v7.2.1, a release focused entirely on stability, security hardening, and bug fixes.
No new scan types this time. Instead, we revisited every module to improve reliability and ensure they behave correctly under real-world conditions.
Why This Release Matters
Waymap v7.2.0 introduced:
- Google Dork Discovery
- WPScan Profiles
- RCE Scanning
- Secrets Management
After testing against real targets and incorporating community feedback, we identified several issues ranging from multi-threaded data races to SQL injection payload handling bugs.
v7.2.1 fixes them all.
What's Changed
Thread-Safe Result Saving
The biggest change is the introduction of a new ResultManager with file locking.
Previously, concurrent writes from multiple scanning threads could corrupt session JSON files.
Now every scanner uses the centralized ResultManager:
- SQLi
- XSS
- LFI
- CMDi
- RCE
- SSTI
- CORS
- CRLF
- Open Redirect
- Advanced
- WPScan
- Recon/Misconfiguration
Result writes are now properly synchronized.
Secure XML Parsing
The SQLi and CMDi scanners load payload definitions from XML files.
Previous releases used Python's built-in xml.etree.ElementTree, which is susceptible to XXE (XML External Entity) attacks if payload files are modified.
Waymap now uses:
defusedxml
which blocks XXE attacks by default.
The dependency has been added to requirements.txt.
SQL Injection Improvements
Boolean-based SQLi
Previously payloads were appended to the end of URLs instead of replacing actual parameter values.
This meant the scanner was testing incorrect requests.
Fixed.
Error-based SQLi
Single quotes were being stripped from payloads before injection, breaking quote-dependent payloads.
Removed.
Time-based SQLi
A baseline response time is now measured before testing.
This significantly reduces false positives caused by naturally slow servers.
CRLF Detection
Previously only HTTP response headers were checked.
Now Waymap checks:
- Response headers
- Response body
allowing more injection points to be detected.
Open Redirect
Redirect detection previously relied on external curl.
This caused failures on Windows systems without curl installed.
Waymap now uses Python Requests with:
allow_redirects=False
making the scanner fully cross-platform.
CMDi URL Handling
Payload injection previously relied on string replacement.
URLs containing multiple parameters or encoded characters could break.
Waymap now rebuilds URLs using proper query-string parsing.
Report Loading
A path resolution bug prevented reports from loading session JSON files.
This has been fixed for every supported report format:
- HTML
- CSV
- Markdown
Other Fixes
- Config paths now resolve from the project root instead of
os.getcwd() - Fixed incorrect WAF detection import path
- Improved Unicode rendering on Windows (no mojibake)
Installation
pip install waymap==7.2.1
Or install from source:
git clone https://github.com/TrixSec/waymap.git
cd waymap
pip install -r requirements.txt
python waymap.py --help
Quick Start
SQL Injection Scan
waymap --target "https://example.com/page?id=1" --scan sqli
Full Scan
waymap \
--target https://example.com \
--scan all \
--crawl 2 \
--threads 4 \
--no-prompt \
--report-format html,csv \
--output-dir reports
Interactive Mode
waymap
Links
- GitHub: https://github.com/TrixSec/waymap
- PyPI: https://pypi.org/project/waymap/7.2.1/
- Telegram: https://t.me/Trixsec
If you find Waymap useful, consider ⭐ starring the GitHub repository.
Bug reports, feature requests, and pull requests are always welcome.
Disclaimer
Waymap is intended for authorized security testing and educational purposes only.
Only scan systems that you own or have explicit permission to test.
~TrixSec
Top comments (0)