Security tool · Linux · arm64 / amd64

websucker

Frontend recon. JS secrets. APK analysis.

Crawls JS bundles, extracts secrets with 41 built-in patterns, runs taint analysis, decompiles APKs with 35+ CWE-mapped rules, probes 50+ active attack vectors, feeds curated findings to AI analysis. Single Go binary. Machine-bound license.

46+ modules · 41 secret patterns · 35+ APK CWE rules · 48 active probes

Pipeline

What runs and in what order

Seven stages run sequentially, each feeding the next. Every stage is skippable: run the full pipeline or cherry-pick stages with flags.

Stage 1 · Recon
Focus: Subdomain discovery · Live host detection · CF bypass
What it does: Passive + active subdomain enumeration from multiple sources. Filters to live hosts only. Tech fingerprinting on discovered assets. Cloudflare bypass: every live subdomain tagged as [REAL-IP] or [CLOUDFLARE] — surfaces origin servers where WAF rules don't apply.

Stage 2 · Crawl
Focus: JS-aware crawling · Archive mining · Native BFS
What it does: Deep JS-aware crawler covers target + all discovered subdomains. Mines archived URLs for forgotten endpoints. Multi-round BFS follows script tags, inline JSON, well-known paths, CSP hints, sourcemap references. Auth-aware via --cookie and --header.

Stage 3 · Scan
Focus: Secret extraction · JS analysis · Taint tracing
What it does: Extracts secrets from JS, HTML, and sourcemaps using 41 built-in patterns covering all major providers. Deep JS analysis: endpoints, auth flows, GraphQL operations, feature flags, routes, postMessage sinks. Taint analysis traces user-controlled input to dangerous sinks. Sourcemap recovery.

Stage 4 · APK
Focus: Static analysis · 35+ CWE rules · Multi-framework
What it does: Decompiles APK, AAB, XAPK and more. 35+ CWE-mapped rules covering WebView flaws, insecure crypto, TLS misconfiguration, storage exposure, manifest issues, network security config, and hardcoded secrets. Supports Java/Kotlin, React Native, Flutter, NDK.

Stage 5 · Probe
Focus: 50+ attack checks · Active fuzzing · CVE lookup
What it does: Active probing across 50+ vulnerability classes: SSRF against cloud metadata endpoints, CORS misconfiguration, SQLi, CRLF, cache poisoning, subdomain takeover, open redirect, cloud storage exposure, git leaks, dependency confusion, known CVEs. XSS scanning and parameter discovery + fuzzing.

Stage 6 · Validate
Focus: Live verification · JWT attacks · Exploit chains
What it does: Validates found secrets against their issuing services — confirms exploitability before reporting. JWT attacks: decode, algorithm confusion, claim escalation, injection. Builds passive and active exploit chains across findings.

Stage 7 · Report
Focus: AI analysis · Structured output · Alerts
What it does: Critical and High findings fed to Gemini 2.5 Flash (--gemini) for attack-path analysis, exploitation chain, and PoC steps. Severity-grouped Markdown and JSON output. Real-time alerts to Discord, Slack, or Telegram via --webhook.
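The pattern-based secret extraction of stage 3, shown as an added Go example that is not websucker's own code: two assumed provider patterns plus a Shannon-entropy floor run over a constructed JS bundle, returning deduplicated findings with line numbers. The patterns, the 3.0-bit threshold and the sample keys are assumptions of this example; the same scan run over your own build output before deploy is how a team catches a leaked key before a crawler does.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

type Finding struct{ Provider, Match string; Line int } // Line is 1-based
// Illustrative patterns assumed here (not the tool's 41); \b stops matches inside longer tokens.
var patterns = []struct{ name string; re *regexp.Regexp }{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"google-api-key", regexp.MustCompile(`\bAIza[0-9A-Za-z_-]{35}\b`)},
}

// shannonEntropy (bits/char) drops placeholders like AKIAXXXXXXXXXXXXXXXX that would flood CI.
func shannonEntropy(s string) (h float64) {
	freq := map[rune]float64{}
	for _, r := range s {
		freq[r]++
	}
	for _, c := range freq {
		p := c / float64(len(s))
		h -= p * math.Log2(p)
	}
	return
}

// ScanSecrets returns deduplicated matches whose entropy is at least minEntropy.
func ScanSecrets(src string, minEntropy float64) (out []Finding) {
	seen := map[string]bool{}
	for i, line := range strings.Split(src, "\n") {
		for _, p := range patterns {
			for _, m := range p.re.FindAllString(line, -1) {
				if !seen[m] && shannonEntropy(m) >= minEntropy {
					seen[m] = true
					out = append(out, Finding{p.name, m, i + 1})
				}
			}
		}
	}
	return
}

// SampleBundle is a constructed snippet: a realistic key, a placeholder, a Google key, a repeat.
const SampleBundle = "const cfg = {\n  awsKey: \"AKIAIOSFODNN7EXAMPLE\",\n  fallback: \"AKIAXXXXXXXXXXXXXXXX\",\n" +
	"  maps: \"AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q\",\n  legacy: \"AKIAIOSFODNN7EXAMPLE\" };"

func main() {
	fmt.Printf("%+v\n", ScanSecrets(SampleBundle, 3.0)) // two findings: aws line 2, google line 4
}
```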

CLI flags

Key flags

Flags compose. Run the full pipeline or target individual stages.

Active probes

Active checks in stage 5

Pricing

Machine-bound. Cancel anytime.

Your binary is compiled for your machine and license key. Sharing it doesn't work — wrong machine = immediate exit.

Visa · Mastercard · PayPal · and more
Plus
$5 per month · 1 machine
  • All 46+ modules
  • APK static analysis (42 CWE rules)
  • 1 machine bound
Get Plus
Pro — most popular
$10 per month · 10 machines
  • Everything in Plus
  • 10 machines bound
Get Pro

Sign in with Google → pick plan & duration → pay securely → binary ready in dashboard. Compiled for linux/arm64 (Kali) and linux/amd64 (VPS/server). Binary stops validating at expiry.

Questions? Chat with support on Telegram →

Blog

From the team

Real-world bug finds, technique walkthroughs, and tool updates.