How to scan, verify, and ship clean code.

Everything you need to go from fresh install to finding real vulnerabilities. Written by operators, for operators.

Installation

Web Iron Shield ships as a standalone Windows installer. No Python, no dependencies, no admin rights required.

  1. Download the installer from the downloads page
  2. Run WebIronShield-v2.8-Setup.exe
  3. Choose install location (defaults to Program Files\WebIronShield)
  4. Launch from the Start Menu or Desktop shortcut

First launch creates a profile folder at %USERPROFILE%\.webironshield\ for license, scan history, and settings.

macOS / Linux

Python source builds available. Clone or download, then:

pip install -r requirements.txt
python scanner_gui.py

Or use the bundled BUILD_MAC.sh to produce a standalone macOS app.

Your First Scan

After launch, the scanner opens to the Issues tab with an empty findings list. To run a scan:

  1. Enter the target URL (e.g. https://yoursite.com) in the top bar
  2. Choose a scan profile (see below)
  3. Click Start Scan
  4. Confirm website ownership in the authorization dialog

Findings appear in real time in the Issues tab. Switch to the Real-Time Activity tab to watch the raw scan log.

Activation

The free tier allows 3 full scans. To activate a Pro license:

  1. Open License → Activate from the menu bar
  2. Copy your Hardware ID from the activation dialog
  3. Email it along with your purchase email to licenses@webironshield.com
  4. Paste the returned serial key into the dialog
  5. Click Activate

Licenses are machine-bound via a hardware fingerprint. If you change computers, email us for a transfer — two machine activations per license, no questions.

Scan Profiles

Four profiles balance speed vs thoroughness:

Profile   Pages   Depth   Best For
Quick     10      2       Smoke test, CI/CD
Normal    50      3       Daily checks, staging
Deep      200     5       Pre-production audit
Pentest   500     10      Full bug-bounty hunt

Authorization

Before any scan, Web Iron Shield requires you to confirm ownership of the target. This is not theatre — it logs an audit entry to %USERPROFILE%\.webironshield\scan_audit.log with:

  • Timestamp
  • Target URL
  • Owner email you supplied
  • Dual-checkbox confirmations
  • Your local IP

If you're ever questioned about a scan, the audit log is your receipt. Don't scan targets you don't own.

Scan Phases

Every scan runs in four distinct phases:

Phase 1 — Crawl & Discover

Recursive crawler maps pages, forms, parameters, and technologies. Uses your chosen profile's depth/page limits. Detects CMS, frameworks, JS libraries for CVE correlation.

Phase 2 — Standard Checks

150+ rule-based checks: missing security headers, exposed files, weak cookie flags, SQL injection probes, XSS testing, CSRF, CORS, SSRF precursors, known CVEs.

Phase 3 — Active Pentest

Runs only with user authorization. Sends real (but safe) exploit payloads for XXE, JWT weakness, IDOR, OS command injection, SSRF. Canary strings and time-based blind tests confirm exploitability.

Phase 4 — Anomaly Hunt

10 independent hunters look for the unusual — see the Anomaly Hunter section.

Proxy & Tor Support

Route all scan traffic through a proxy for anonymity or WAF testing. Open Settings → Proxy:

HTTP:   http://user:pass@proxy.example.com:8080
SOCKS5: socks5://user:pass@127.0.0.1:9050   (Tor)

The scanner includes a real-time IP leak detector — if your direct IP is exposed during a proxied scan, you'll see a red warning in the activity log.

Verify Now

Double-click any finding to open its detail popup, then click 🔬 Verify Now (Live Test). The verification engine will:

  1. Establish a baseline response
  2. Send category-specific payloads (different for SQL, XSS, RCE, etc.)
  3. Analyze responses for hard evidence (canary reflection, error signatures, timing deltas)
  4. Output a verdict, confidence score, HTTP request log, and full remediation guide

Nine verifier categories are supported: Command Injection, SQL Injection, XSS, Path Traversal, Open Redirect, CORS, Security Headers, Exposed Files, Cookie Flags.

Confidence Scores

Every Verify Now result includes a confidence percentage:

Confidence   Meaning
90-100%      Confirmed exploit — hard evidence captured (canary reflected, DB error signature matched, significant timing delta)
60-89%       Likely vulnerable — partial indicators, recommend manual verification
30-59%       Inconclusive — response didn't confirm or deny clearly
< 30%        Probably not vulnerable — no evidence of exploitation

Anomaly Hunter

Standard scanners miss novel bugs because they only check what they were told to. The Anomaly Hunter runs 10 independent "weirdness detectors" that flag anything unusual — the same instinct that makes a human pentester notice when something's off.

The 10 Hunters

  1. Stack traces & debug output — PHP/Python/Java/Ruby/.NET/Node error leaks
  2. Filesystem path disclosure — /var/www/..., cPanel paths, Windows paths
  3. Suspicious headers — X-Powered-By, version leaks, debug markers
  4. Dangerous HTTP methods — PUT/DELETE/TRACE/PATCH accepted
  5. Default installation pages — Apache/Nginx/IIS welcome, phpMyAdmin
  6. Debug & admin endpoints — probes 40+ paths like /actuator/env, /.git/HEAD
  7. HTTP parameter pollution — duplicate-param behaviour differences
  8. Content-Type mismatches — JSON served as HTML (XSS vector)
  9. Timing oracles — login endpoints leaking valid usernames
  10. Reflection surfaces — finds XSS targets the rules didn't know about
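The following is an added example, not Web Iron Shield's own code, showing how several of the passive checks listed under Phase 2 (missing security headers, weak cookie flags) and the hunters above (stack traces, path disclosure, suspicious headers, Content-Type mismatch) can be applied to a single HTTP response you already hold, for instance one captured from your own staging server. The two sample responses and the marker lists are constructed for the example; the function name `audit_response` is an assumption, not a scanner API.

```python
"""Added example (not Web Iron Shield's code): passive hygiene checks over one
HTTP response, covering the Standard Checks and Anomaly Hunter categories the
documentation lists. Sample responses below are constructed inline."""
import json
import re

# Headers a hardened site is expected to send (Standard Checks: missing headers).
REQUIRED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
)

# Markers of stack traces / debug output for common platforms (Hunter 1).
STACK_TRACE_MARKERS = (
    "Traceback (most recent call last)",  # Python
    "Fatal error:",                       # PHP
    "Exception in thread",                # Java
    "at java.",                           # Java
    "    at ",                            # Node / .NET
    "from /usr/lib/ruby",                 # Ruby
)

# Filesystem path disclosure: Unix web roots, cPanel homes, Windows drives (Hunter 2).
PATH_RE = re.compile(r"(/var/www/\S+|/home/\w+/public_html\S*|[A-Z]:\\[^\s<]+)")


def audit_response(headers, body):
    """Return a list of (check, detail) tuples for one response.

    headers: dict of header name -> value; Set-Cookie may be a list of strings.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    ctype = h.get("content-type", "").split(";")[0].strip().lower()

    # 1. Missing security headers.
    for name in REQUIRED_HEADERS:
        if name not in h:
            findings.append(("missing-header", name))

    # 2. Weak cookie flags: each cookie should carry Secure, HttpOnly, SameSite.
    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for c in cookies:
        cname = c.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in c.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(("weak-cookie", f"{cname} lacks {flag}"))

    # 3. Suspicious headers: X-Powered-By, or a version number in Server.
    if "x-powered-by" in h:
        findings.append(("suspicious-header", f"X-Powered-By: {h['x-powered-by']}"))
    if re.search(r"\d+\.\d+", h.get("server", "")):
        findings.append(("suspicious-header", f"Server: {h['server']}"))

    # 4. Content-Type mismatch: a JSON document served as text/html.
    if ctype == "text/html":
        try:
            json.loads(body)
            findings.append(("content-type-mismatch", "JSON body served as text/html"))
        except ValueError:
            pass

    # 5. Stack traces / debug output (first marker found is enough).
    for marker in STACK_TRACE_MARKERS:
        if marker in body:
            findings.append(("stack-trace", marker.strip()))
            break

    # 6. Filesystem path disclosure.
    for path in PATH_RE.findall(body):
        findings.append(("path-disclosure", path))

    return findings


# Constructed sample: a leaky PHP error page from a misconfigured host.
LEAKY = {
    "headers": {
        "Content-Type": "text/html; charset=utf-8",
        "Server": "Apache/2.4.41 (Ubuntu)",
        "X-Powered-By": "PHP/7.4.3",
        "Set-Cookie": ["PHPSESSID=abc123; Path=/", "theme=dark; Path=/; Secure"],
    },
    "body": "<b>Fatal error:</b> Uncaught Error in /var/www/html/login.php on line 42",
}

# Constructed sample: a hardened JSON response for comparison.
CLEAN = {
    "headers": {
        "Content-Type": "application/json",
        "Content-Security-Policy": "default-src 'self'",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Set-Cookie": "session=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
    },
    "body": '{"ok": true}',
}

if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, audit_response(**sample))
```

The leaky sample trips every category except the Content-Type check; the clean one produces no findings. Because the checks only read a response you already have, the same function works on saved proxy captures or on your own server's responses in a test suite, which is where fixing these issues (sending the four headers, setting cookie flags, stripping X-Powered-By, serving JSON as application/json, disabling verbose errors) is cheapest.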

History & Replay

Every scan is stored in a local SQLite database at %USERPROFILE%\.webironshield\scan_history.db. To review past scans:

  1. Switch to the History tab
  2. Double-click any row
  3. The Issues tab rebuilds with the full findings from that scan
  4. Every feature (Verify Now, Copy Commands, detail popup) works on restored findings

Exporting Reports

From the History menu:

  • Export JSON — structured data for programmatic pipelines
  • Export CSV — spreadsheet-friendly scan summaries
  • Export per-finding report — formatted write-up for bug bounty submissions
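The Quick profile is intended for CI/CD, and the JSON export is meant for programmatic pipelines, so a natural next step is a gate that fails a build only on findings the verifier actually confirmed. The script below is an added example, not Web Iron Shield's code. This page does not document the export schema, so the field names `title`, `severity` and `confidence` (a percentage) are assumptions, and the sample export is constructed; the confidence bands are the ones from the Confidence Scores table.

```python
"""Added example (not Web Iron Shield's code): gate a CI pipeline on an
exported findings JSON. The export schema is NOT documented; the fields
"title", "severity" and "confidence" used here are assumptions."""
import json
import sys

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def confidence_band(pct):
    """Map a Verify Now confidence percentage to the documented bands."""
    if pct >= 90:
        return "confirmed"      # hard evidence captured
    if pct >= 60:
        return "likely"         # partial indicators, manual verification advised
    if pct >= 30:
        return "inconclusive"
    return "unlikely"


def load_findings(text):
    """Parse an export; the assumed shape is a JSON array of finding objects."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of findings")
    return data


def gate(findings, min_severity="high"):
    """Split findings at or above min_severity into two lists of titles:
    blocking (confirmed, should fail the build) and review (likely vulnerable,
    needs a human before it is allowed to block)."""
    threshold = SEVERITY_RANK[min_severity]
    blocking, review = [], []
    for f in findings:
        sev = SEVERITY_RANK.get(str(f.get("severity", "info")).lower(), 0)
        if sev < threshold:
            continue
        band = confidence_band(float(f.get("confidence", 0)))
        if band == "confirmed":
            blocking.append(f["title"])
        elif band == "likely":
            review.append(f["title"])
    return blocking, review


# Constructed sample export (assumed schema), not real scanner output.
SAMPLE_EXPORT = json.dumps([
    {"title": "SQL injection in /search?q=", "severity": "critical", "confidence": 95},
    {"title": "Reflected XSS in /login?next=", "severity": "high", "confidence": 72},
    {"title": "Missing X-Frame-Options", "severity": "low", "confidence": 100},
    {"title": "Open redirect in /go?url=", "severity": "medium", "confidence": 45},
])


def main(argv):
    # Read the export from a file path if given, otherwise use the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_EXPORT
    blocking, review = gate(load_findings(text))
    for t in blocking:
        print("BLOCK ", t)
    for t in review:
        print("REVIEW", t)
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python gate.py scan.json` after an Export JSON; a non-zero exit fails the pipeline only for confirmed high or critical findings, while 60-89% results are printed for manual verification, matching the table's advice rather than blocking on inconclusive probes.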

Bug Bounty Submissions

Findings flagged in Bug Bounty Mode include estimated payout ranges and pre-formatted report templates for the major platforms. Right-click any finding and choose Export for HackerOne (or Bugcrowd / Intigriti) to get a markdown report ready to paste.

AI Scanning

Optional Claude-powered analysis that understands business logic, authentication flows, and novel patterns. Requires an Anthropic API key:

  1. Get a key at console.anthropic.com
  2. Open Settings → AI Provider
  3. Paste your key
  4. Tick Use AI for scan before starting a new scan

Troubleshooting

Scan hangs or crashes

Check the activity log for timeouts. Increase the per-request timeout in Settings → Network. If the target is behind strict rate limiting, increase request delay.

Activation fails

Most likely causes: hardware ID mismatch (email us), network issue reaching our activation server, or typo in serial key. Paste carefully — keys are case-sensitive.

Window won't restore from taskbar

Fixed in v2.7+. If you see this on v2.6 or earlier, update.

Nothing else fixes it

Email support@webironshield.com with your Hardware ID, OS version, and the contents of %USERPROFILE%\.webironshield\scanner.log.