WATOBO is a security tool for testing web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.
Most important features:
WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to log in manually each time you get logged out.
WATOBO can act as a transparent proxy (requires nfqueue)
WATOBO can perform vulnerability checks out of the box
WATOBO can perform checks on functions which are protected by Anti-CSRF-/One-Time-Tokens
WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
WATOBO is written in (FX)Ruby and enables you to easily define your own checks
WATOBO runs on Windows, Linux, MacOS ... every OS supporting (FX)Ruby
WATOBO is free software ( licensed under the GNU General Public License Version 2)
It’s by siberas ;)
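As an added illustration of the session-management feature listed above (not WATOBO's own code or API; the class, method and signature names are assumptions), the following Ruby models how logout signatures and a login script keep an audit session alive, exercised against a constructed fake server:

```ruby
# Added illustration, not WATOBO's API (all names are assumptions): a "logout
# signature" marks a response as session-lost, a "login script" restores it.
class SessionManager
  attr_reader :logins
  def initialize(signatures:, login_script:)
    @signatures, @login_script, @cookie, @logins = signatures, login_script, nil, 0
  end
  # Signatures are matched against the body and the redirect Location header.
  def logged_out?(response)
    @signatures.any? { |sig| sig.match?("#{response[:body]}\n#{response[:location]}") }
  end
  def login!(transport)
    @cookie = @login_script.call(transport)
    @logins += 1
  end
  # Send a request; on a logout match, re-run the login script and retry.
  def fetch(transport, request, max_retries: 1)
    (max_retries + 1).times do
      login!(transport) if @cookie.nil?
      response = transport.call(request.merge(cookie: @cookie))
      return response unless logged_out?(response)
      @cookie = nil # session lost: force a fresh login before the retry
    end
    nil # still logged out after all retries: the caller must handle it
  end
end
# Constructed stand-in for a web application (sample data, not a real target):
# a session is valid for two requests, then it redirects to the login page.
class FakeServer
  def initialize; @sessions = {}; @next_id = 0; end
  def call(req)
    if req[:path] == "/login" && req[:user] == "tester" && req[:pass] == "secret"
      id = "sid#{@next_id += 1}"; @sessions[id] = 2
      return { status: 200, body: "welcome", cookie: id }
    end
    return { status: 302, location: "/login?expired=1", body: "" } if @sessions.fetch(req[:cookie], 0) <= 0
    @sessions[req[:cookie]] -= 1
    { status: 200, body: "profile page for tester" }
  end
end
LOGIN_SCRIPT = ->(t) { t.call(path: "/login", user: "tester", pass: "secret")[:cookie] }
SIGNATURES = [%r{/login\?expired}, /please log in/i]
# Five requests, session dropped every two: all succeed, login runs three times.
def demo
  mgr = SessionManager.new(signatures: SIGNATURES, login_script: LOGIN_SCRIPT)
  server = FakeServer.new
  statuses = Array.new(5) { mgr.fetch(server, { path: "/profile" })[:status] }
  [statuses, mgr.logins]
end
```

When the login script itself no longer yields a valid session, `fetch` returns nil after the retry budget instead of looping, so the audit can flag the broken login rather than hammer the target.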
Installation on Windows
gem install watobo
This might take some time ...
To start watobo enter
will show you the full installation, including Ruby, DevKit & watobo:
WATOBO is included in the official Kali Linux repo. You can install it with:
apt-get install watobo
Installation on Linux
The installation process for an Ubuntu-based Linux is described on our blog:
Installing FX/Ruby on (Kali) Linux
How to run WATOBO as a transparent proxy
Using the custom viewer
Using the crawler plugin
Testing CSRF/One-Time-Token protected functions
Feature Requests/Bug Reports
Please use the ticket system at
or write me a mail.
Make your hands dirty
Git repo coming soon.
Spread the word
The easiest way to help projects like WATOBO is to make them more public. So talk, tweet, mail, write about it!