Version 0.9.17



  • changed parameter parsing for better handling
  • Boolean-SQL check now also takes xml parameters for testing
  • new appearance of CA certificates

Manual Request Editor

  • XML parser, xml-request parameters available in table



  • request line removed on remove_header regex match
  • double insert of Content-Length header
  • bad markdown format of CHANGELOG
  • wrong parameter parsing if value contains '=' sign
  • new custom response viewer; now you can code your own handler, e.g. lambda{ |response| return response.content_type }
  • added table view on request viewer

Version 0.9.16



  • double insert of Content-Length header
  • bad markdown format of CHANGELOG

Version 0.9.15



  • improved socket handling
  • fixed some UTF-8 issues in passive modules
  • added application/octet-stream to pass-through content-types
  • shapers.rb didn't replace single quotes in replace_post_parm
  • setting/replacing http-headers is now case-in-sensitive

Passive Modules

  • fixed Disclosure_ipaddr; now all IPs inside body are reported

Active Modules

  • Domino DB enumeration will now run on all requests

Crawler Plugin

  • extended allowed/excluded URL checks on full url path /w query


  • Struts2 module for detecting CVE-2013-2251
  • Struts2 module for detecting CVE-2013-1966
  • conversation filter; added some shortcuts
  • conversation table; added send to->Crawler
  • client certificates; added PKCS12
  • SAP passive module; extracts SAP headers, e.g. sap-system

Version 0.9.14


Manual Request Editor

  • fixed crash when clicking OTT-Settings


  • watobo stopped working when crawler was started (Linux only) - workaround

Version 0.9.13



  • Faster socket communication!! Now client sockets are reused
  • Big big changes on core modules, e.g. Watobo::Chats or Watobo::Findings.
  • PassiveScanner - passive checks now run in background
  • New DSL-like Plugin Style - digging into Metaprogramming ... check out WShell Plugin!


  • XSS-NG supports "Parameter Prefetching" - using form fields of response as test parameters
  • Hidden Field Spotter
  • Improved boolean SQLi detection
  • added some .NET Checks for well-known files, e.g. Trace.adx and Error Pages /w Stack-Trace
  • XXE (Xml eXternal Entity) check
  • Check html password fields for autocomplete attribute


  • SSL Checker now also shows the tested method (SSLv3, TLS, ..)
  • WShell - Watobo Shell; With WShell you can execute ruby commands in the context of WATOBO. Very useful for advanced analysis, debugging purposes or simply to explore WATOBO.


  • Parameter names in Table view are now automatically en-/decoded
  • Right-Click on a plugin to get some information about it - only works on new plugins at the moment ...
  • Introduced a new chat viewer with HTML highlighting (based on FXScintilla)
  • ConversationTable: added 'space' hotkey to open "Edit Comment" dialog
  • ConversationTable: added hotkeys for "goto url" navigation
  • ChatViewer: xml/html content gets prettyfied for text- and html-viewer
  • FindingsTree: added counter to finding class
  • FindingsTree: memorize expanded nodes
  • Conversation table filter now opens as a dialog and displays more information



  • Bug in parsing multipart requests caused by incorrect boundary handling
  • conversation text filter now works on responses without content-type header


  • fixed generator in fuzzer engine


  • crash after selecting client certs
  • no more swallowing a space-char at the end of a string when b64decoding with short-cuts


  • Catalog-Scanner: now all placeholders will be replaced
  • SSLChecker now supports more methods and ciphers, incl. SSLv2

Passive Modules

  • FormSpotter: now using nokogiri for parsing/extracting

= Version 0.9.12 == NEW

  • [Module] Siebel Checks: Enumeration of default apps and files, e.g. base.txt
  • [Module] PassiveCheck filtering Domino DB names
  • [GUI] added De-Select-All buttons to scan policy
  • [GUI] finding details menu available at finding-class level

== Fixes

  • crash when pasting data (Linux)
  • crash on starting full scan dialog
  • minor issue when adding a new db-path to catalog scanner plugin

= Version 0.9.11 == NEW

  • [FileFinder] pimped the interface, added save-settings

== Fixes

  • [ConversationTable] Request-/Resoponse View is updated when navigating with arrow-keys
  • [INTERCEPOR] fixed bug in parsing intercepted responses

= Version 0.9.10 == Fixes

  • fixed sqlmap temp directory

= Version 0.9.9 == NEW

  • [Module] Time-based SQL injection module
  • [Module] Rated XSS which gives a more accurate exploitability result
  • [GUI] ConversationTable: values in coloumn Parameters are url-decoded
  • [Plugin] WebCrawler - based on Mechanize
  • [GUI] Manual Request Editor: Url is displayed in the window title
  • [GUI] Menubar items are disabled if no project is defined
  • [CORE] Create SSL certificates for each target on-the-fly, now you only have to trust the internal CA once
  • [Interceptor] Rewrite/Inject Feature to Interceptor
  • [CORE] added .yml file extension for chats, findings, logs, ...
  • [Plugin] SQLmap - easy to use sqlmap interface
  • [Interceptor] Transparent Proxy Feature - only available on Linux (depends on netfilter_queue)
  • [CatalogScanner] added predefined database paths
  • [CORE] general unzipping and unchunking of server responses

== Fixes

  • CA Directory is now created in WATOBO working directory '.watobo'
  • Fixed Crash on opening client-certificate dialog
  • Improved Socket communication
  • ConversationTable: GET and POST parameters are shown in the parameters coloumn
  • TreeView-Pane: Show full conversation list when Findings tab is selected
  • Fixed a bug in parsing post parameters
  • QuickScan: double scanning each module
  • the disclaimer.chk file now is written to .watobo
  • some minor bugs

= Version 0.9.8 == NEW

  • Ruby 1.9 Support - no more 1.8 don't even try it ;)
  • WATOBO available as a Gem
  • Reorganisation of WATOBO settings files.
  • Reorganisation of WATOBO project.
  • Introduced Framework capabilities
  • Changed version numbering for Gem compatibility
  • SSLChecker-Plugin: nicer gui, now you can scan a site which is not already in conversation list
  • Conversation-Table: better search features, e.g. URL, Request or Response
  • Chat-Viewer: added a 'save'-button to save the response's body to a file, e.g. save a flash file for further investigations
  • Scanner: now follows 302-redirects - this option is only available via QuickScan
  • GUI: purge (multiple) findings is possibel via FindingsTree

== Fixes

  • interceptor reset-button
  • Constant declarations
  • lib/mixin/request_parser.rb: fixed file handling
  • fixed pattern for detecting file upload fields
  • optimized "tagless" view
  • optimized lots of threading stuff, e.g. progress bars, log-windows, ...
  • lib/qGui: changed progress_window

= Version 0.9.7 Revision 534 == NEW

  • MasterPassword for encrypting Proxy- and WWW-Auth-Passwords
  • Hotkey-Help: Press F1 to view all Hotkeys for the focused widget!!! Works in ManualRequestEditor, Interceptor, ChatViewers
  • Interceptor: Intercept Filters, Editor, Hotkeys - almost complete rewrite!!!
  • Passive Module: 'DOM XSS' - checks for javascript code which manipulates DOM and may be misused for XSS
  • Passive Module: 'Detect One-Time-Tokens' - checks for parameters which may be used to prevent CSRF-Attacks
  • ManualRequest Following Redirects Automatically (optional)
  • ManualRequest: Added Hotkeys for 'send' (ctrl-enter) and transcoding ctrl-[shift]-b (base64), ctrl-[shift]-u (url)
  • ManualRequest: new Transform 'Get -> Post'
  • TableEditor: Added Hotkeys; ctrl-[shift]-b (base64), ctrl-[shift]-u (url), ctrl-enter (send request)
  • Passive Module: 'Detect Code' - Now also checks for ASP-Snippets
  • ConversationTable: added SSL-Icon
  • TextView: added Match-Navigation for 'Highlight'- and 'Grep'-Filter
  • One-Time-Token-Dialog: Target chat is also visible for OTT-pattern creation.
  • WATOBO-Logo: watobo-48x48.png for nice desktop shortcuts/launchers ;)

== Fixes

  • FullScan-Wizzard: Empty Scanlist
  • Fixed Typo in lib/utils/response_hash.rb (SmartHash)
  • Manual Request Editor: Add Parameter in TableView
  • ConversationTable: Fixed Error Cutting Of Last Char On Copy
  • ConversationTable: Now update 'comment' immediately in table
  • Required BasicAuth will now be sent to browser
  • Module SQL_Boolean: Adding a Finding produced an error
  • FileFinder & CatalogScanner: 'Custom Error Patterns' are recognized
  • TableEditor: Fixed Parsing Problem - appended parms instead of replacing
  • Interceptor: Fixed handling of chunk-encoded server responses
  • SmartHash: Fixed Reduction -> much faster and less false-positives on blindSQLi

= Version 0.9.6 Build 271 == Fixes

  • Scanner: Scanner works without proxy

= Version 0.9.6 Build 270 == Fixes

  • ProxyDialog: AddProxy-Crash
  • Scanner: No Probe For Target If Proxy Is Set
  • Session: Fixed NTLM-Authentication

= Version 0.9.6 !! NOTE !! Due to the import fix you can't import older WATOBO sessions!

== NEW

  • General: Supports One-Time-Tokens (e.g. Anti-CSRF-Tokens)
  • General: NTLM Authentication (Server and Proxy)
  • New Plugin: FileFinder
  • GUI: switch the icon and text size for lower screen resolution
  • Manual Request Editor: Table-View for easier parameter manipulation

== !!! CONTRIBUTIONS !!! :)) Hans-Martin Muench contributed two active-check modules:

  • modstatus.rb:
  • crossdomain.rb:

== Minor Changes

  • slightly improved SQL-Injection (Simple)
  • now you can hide 404 and 302 in Sites Tree

== Fixes

  • General: Fixed Import Problem ('inspect' data before YAML'izing)
  • General: Fixed "limitation" of forwarding proxy port length 4 -> 5, wtf???
  • General: Fixed EOF handling on socket operation
  • Catalog Scan: now use forwarding proxy
  • Interceptor: Fixed Drop and Discard

== Minor Fixes

  • General: switched to unix style line breaks again * got lost somewhere ...
  • General: fixed path reference for already tested directories in HTTP-Methods and Dir-Walker (reported by Hans-Martin Muench)
  • General: fixed HashBang line in start_watobo.rb (reported by Achim Hoffmann)
  • GUI: changed appearance of History
  • Sites Tree: workaround for FXTreeList.findItem (bug?)
  • GUI: now counters get reset when new project is started

= Version 0.9.5 == New

  • PassThrough for large responses or special content-types (Interceptor/Proxy)
  • Introduced Plugins
  • Introduced Full logging of Scans
  • Introduced Target-Scope
  • Introduced Quick-Filter in Sites-Tree-View
  • Introduced Scope-Filter-Option for conversation table
  • Introduced Request-Transform (POST->GET) for Manual Requests
  • New Plugin: Catalog-Scan
  • New Plugin: SSL-Check

== Improvements/Bugfixes

  • using YAML for saving settings
  • speedup of session-import
  • request/response-viewer: auto-reset on grep
  • fixed hash-calculation for findings in passive checks
  • fixed autoscroll not disable-able
  • fixed passive module "cookie-options"
  • fixed numRequests calculation in FuzzFile-Generator
  • fixed url-shaping if parameter contains /https?/
  • fixed button behaviour @interceptor

= Version 0.9.2

  • NEW: History navigation (for Manual Requests Editor)
  • NEW: Fuzzer Engine
  • NEW: Differ usability improved
  • NEW: WATOBO now can run on Windows, Linux and MAC
  • FIX: fixed table-right-click crash
  • MISC: Redesign of chat-table-menu
  • MISC: Improved checks for recognizing proxy settings

= Version 0.9.1-96

  • load fox16 problem fixed - hope not too many user were hit by this!
  • auto-save of proxy settings
  • fixed some issues with the fuzzer

= Version 0.9.1-95

  • fixed hash calculation for better blind-sql checks
  • added Differ for diffing chats (very nice)
  • added HexViewer (no editor yet)
  • open session/project by double clicking
  • response get cut off after