WebVac is an asyncio-powered dynamic web scraping and crawling tool built for modern JavaScript-heavy targets. It drives a real Chromium browser through Patchright, supports proxy rotation, robots handling, anti-bot resilience, optional login/session reuse, and exports rich scan artifacts in multiple formats.
- Dynamic scraping with a real browser engine (Patchright)
- Single-page and recursive crawl modes
- Concurrency support with isolated browser slot identities
- Proxy pools with latency-based selection, round-robin, or random strategy
- robots.txt support with optional crawl-delay override
- Cloudflare-origin bypass helpers (manual origin IP and CF-Hero integration)
- Automatic screenshots for blocked/CAPTCHA pages
- Structured output in JSON, CSV, HTML, Markdown, SQLite, or all formats
- Historical scan sessions and diff generation between runs
- PDF and sourcemap asset download support
- Optional VAPT/recon pipeline present in codebase (disabled by default)
run.py: Interactive menu launchercore/scraper.py: Main CLI entry point and orchestrationcore/crawler.py: BFS crawler logiccore/page_scrape_flow.py: Per-page execution flow and anti-block handlingutils/: Browser management, proxies, robots handling, screenshots, origin probingdata/: HTML parsing, record building, and storage/export pipelinestore/: Scan session layout and artifact persistence helperscollectors/,analyzers/,findings/,active/: Optional security/recon stackdocs/: Architecture documents and one-page architecture viewtests/: Unit and integration-like fixture tests
- Python 3.11+ (3.12 recommended)
- Windows, Linux, or macOS
- Browser dependencies required by Patchright
- Clone the repository.
- Create and activate a virtual environment.
- Install dependencies.
python -m venv .venv
(Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned) ; (& .\.venv\Scripts\Activate.ps1)
pip install -r requirements.txtpython3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txtpython run.pyThe launcher helps you choose scrape mode, output formats, robots strategy, proxy mode, and browser visibility.
python -m core.scraper --url https://example.com --mode singlepython -m core.scraper --url https://example.com --mode crawl --depth 3 --max-pages 50 --concurrency 2--url: Target URL (required)--mode single|crawl: Single page or recursive internal crawl--engine dynamic|lightweight: Browser-based or lightweight HTTP engine--depth: Maximum crawl depth (crawl mode)--max-pages: Maximum number of pages (omit for unlimited crawl)--concurrency: Parallel workers for crawl mode
--no-headless: Run browser in visible mode--timeout: Page load timeout in milliseconds--wait-until domcontentloaded|load|networkidle: Navigation wait strategy
--output: Output root directory (default:scraped_data)--format:json,csv,markdown,sqlite,html,all--label: Custom label for output naming
--no-robots: Ignore robots.txt entirely--ignore-crawl-delay: Obey allow/deny rules but ignore crawl-delay--delay-min,--delay-max: Request pacing window
--login: Enable login flow--login-url: Login page URL--username,--password: Credentials--session-file: Reuse and persist session cookies
--proxy-file FILE: One proxy per line--proxies "...": Comma-separated proxy list--proxy-strategy latency|random|round_robin--sticky-requests N: Requests before voluntary rotate--cooldown-seconds SECS: Cooldown after 429/timeout--no-health-check: Skip startup benchmark
--origin-ip IP: Scrape using origin IP + Host header--cf-hero: Discover origin IP via CF-Hero first--cf-hero-bin PATH: Explicit CF-Hero executable path--cf-hero-args "...": Additional flags passed to CF-Hero--origin-title TITLE: Expected title for origin validation--skip-origin-validate: Skip title validation guard
Use either of the following per line:
http://ip:porthttp://ip:port|username|password
Lines beginning with # are treated as comments.
Example:
# plain
http://1.2.3.4:8080
# authenticated
http://5.6.7.8:3128|myuser|mypassword
WebVac writes data under scraped_data using scan-session folders for versioned runs.
scraped_data/
<target>/
scans/
<timestamp>_<scan-id>/
scrape/
data.json
data.csv
report.html
assets/
pdfs/
sourcemaps/
screenshots/
meta/
meta.json
session.json
diffs/
...
docs/ARCHITECTURE.md: Detailed architectural referencedocs/webvac-architecture-one-page.html: One-page visual architecturedocs/webvac-architecture.pdf: Exported PDF architecture diagram
To regenerate architecture PDF:
python scripts/generate_architecture_pdf.pyRun tests from project root:
python -m unittest discover -s tests -p "test_*.py"- Respect target terms of service and legal boundaries.
- Use
--no-robotsonly when you are explicitly authorized. - Avoid scraping sensitive targets without permission.
- Store credentials and proxy secrets securely.
- Scrape pipeline is enabled.
- VAPT/recon modules exist but are disabled by default in configuration.
- Default output formats are
json,csv,html.
- Ensure dependencies are installed in the active virtual environment.
- Try visible browser mode with
--no-headless. - Switch wait strategy to
--wait-until domcontentloaded.
- Enable proxies and use latency strategy.
- Lower concurrency.
- Increase delays between requests.
- Use origin mode only when authorized.
- Increase timeout.
- Crawl deeper with higher
--depth. - Verify selectors if using targeted extraction options.
- Create a feature branch.
- Keep changes focused and test locally.
- Add or update tests where relevant.
- Open a pull request with a concise summary.
Add your preferred license file and update this section accordingly.