Where is v1.0 you might say?! If you aren't aware of webpaste
already, it is a tool by @TomNomNom that can be found here.
This is just a upgraded version to add a few extra options and give this great tool a bit of
In a nutshell, it can save your dorking results to the terminal.
You can go to a site such as Google, Shodan, Security Trails, etc. and then click on a button to send information you want, such as endpoints, to your terminal. For example, you can go to Google and look for site:target.com
and then click a button for Google on the extension, and all the endpoints magically appear on your terminal, and get written to a file. This is done by entering a javascript snippet to get the endpoints, and then optionally another javascript post snippet to click the next page button for example. So then you can just keep clicking away and watch the site go from page to page and get all the endpoints. This is useful for sites that don't have an API.
The main differences are:
- The output will also be written to a file, and the user can specify the file name.
- The output will be unique and sorted by default, but you have an option of keep duplicates if you wish.
- It defaults to running on localhost on port 8082. Why 8082 instead of 8080? Well, most people using this tool will probably have Burp Suite running on 8080, and I also use 8081 for proxying to Burp from my VPS.
- Include a default snippets for Google and Bing that work at the time of writing this.
- Improved error messages.
- Fixed some UI issues.
- Actively maintained (while Chrome allows it to work!).
- Provide a Identifier string that will only show the button in the popup for the relevant site.
- Run
git clone https://github.com/xnl-h4ck3r/webpaste/
- Run
go build -o webpaste main.go
to build thewebpaste
binary. - Before starting
webpaste
, set the environment variableWEBPASTE_TOKEN
, e.g.export WEBPASTE_TOKEN=ilovetomnomnom
-
Open the Extension Manager in Chrome by following: Kebab menu(three vertical dots) -> Extensions -> Manage Extensions
-
If the developer mode is not turned on, turn it on by clicking the toggle in the top right corner.
-
Now click on Load unpacked button on the top left
-
Go the directory where you have the
webpaste/chrome
folder and select it. -
The extension is now loaded. You can click on the extension icon in the toolbar, and then the pin icon to pin
webpaste
to your toolbar.
IMPORTANT: When you load the Chrome extension you will see the following error:
Manifest version 2 is deprecated, and support will be removed in 2023. See https://developer.chrome.com/blog/mv2-transition/ for more details.
Google say that from January 2023 the Chrome browser will no longer run Manifest V2 extensions. That's obviously not true because it still runs, but for how long I don't know. Unfortunately this extension can't be upgraded to Manifest V3 because it has tighter security that prevents the requests being sent to the local server running on the terminal.
You have to use Manifest V3 for Firefox now. As mentioned above, this extension can't be upgraded to Manifest V3 with the way it works currently.
Open the extension Options page
- Enter the Server and port. e.g.
http://localhost:8082
- Enter the Token with the value you used for the environment variable above, e.g.
ilovetomnomnom
- Click the Save button (at the bottom of the page)
You can then optionally add more javascript snippets by clicking the Add Snippet button.
These are the options available when calling webpaste
-o string
output file name (default "webpaste.txt")
-h string
address to listen on (default "localhost")
-p string
port to listen on (default "8082")
-d don't sort and de-duplicate output
For example, start webpaste
to write the output to a file:
./webpaste -o target_endpoints.txt
Using the example Google URLs snippet that is included by default:
- Open google and search for something like
site:redbull.com
- Make sure
wepaste
is running in the terminal and there are no errors, and it says it is listening. - Click on
webpaste
extension and click onGoogle URLs
, and you will see URLs from the google search engine in your terminal. The post snippet will also load the next set of results (e.g. click the More results button). - Keep pressing the
Google URLs
and get links. At some point Google will probably show you a Captcha screen. Just complete it and carry on clicking!
IMPORTANT: Any examples provided work at the time of writing this, but if the target changes their site, you may need to change the javascript snippet to work again.
If you come across any problems at all, or have ideas for improvements, please feel free to raise an issue on Github. If there is a problem, it will be useful if you can provide the exact URL you were on, and any console errors.
Good luck and good hunting!
If you really love the tool (or any others), or they helped you find an awesome bounty, consider BUYING ME A COFFEE! ☕ (I could use the caffeine!)
🤘 /XNL-h4ck3r