yawast-ng is an application meant to simplify initial analysis and information gathering for penetration testers and security auditors. It performs basic checks in these categories:

This is meant to provide an easy way to perform initial analysis and information discovery. It’s not a full testing suite, and it certainly isn’t Metasploit. The idea is to provide a quick way to perform initial data collection, which can then be used to better target further tests. It is especially useful when used in conjunction with Burp Suite (via the --proxy parameter). For authenticated scanning, a cookie or header can be passed in (see Usage).

Getting Started

yawast-ng is packaged as a Python package and as a Docker container to make installing it as easy as possible. Details are available on the installation page.

macOS, Linux, etc.

The simplest options to install are:

As a Python package: pip3 install yawast-ng (yawast-ng requires Python 3.9+)

It’s strongly recommended that you review the installation page to ensure you have the proper dependencies.

Docker

docker pull adamcaudill/yawast-ng

The Docker image includes all dependencies, including those required for TLS/SSL scanning and browser automation. As such, it is the recommended option for most users.

Documentation

Details about yawast-ng and how to use it can be found below:

There are a few related projects that may be of interest, which are developed as part of the yawast-ng project:
