{"id":21469916,"url":"https://github.com/dobin/waasa","last_synced_at":"2025-10-07T04:25:10.613Z","repository":{"id":165189696,"uuid":"638234364","full_name":"dobin/waasa","owner":"dobin","description":"Windows Application Attack Surface Analyzer","archived":false,"fork":false,"pushed_at":"2024-02-22T12:59:36.000Z","size":1931,"stargazers_count":11,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-04-09T16:16:34.513Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dobin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-05-09T11:09:15.000Z","updated_at":"2024-04-09T16:16:34.514Z","dependencies_parsed_at":"2023-10-13T12:27:02.676Z","dependency_job_id":"f40c3d3e-4e55-4e42-b02e-b319dd2144cd","html_url":"https://github.com/dobin/waasa","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2Fwaasa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2Fwaasa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2Fwaasa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2Fwaasa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dobin","download_url":"https://codeload.github.com/dobin/waasa/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":226023483,"owners_c
ount":17561467,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-23T09:19:29.419Z","updated_at":"2025-10-07T04:25:05.581Z","avatar_url":"https://github.com/dobin.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Windows App Attack Surface Analyzer\n\nIt has three main features:\n* Display all file extensions and their associated programs from a Windows machine\n* Test a content filter whitelist/blacklist against the file extensions\n* Give information about which file extensions are malicious\n\nThis can give a RedTeamer: \n* An overview of the attack surface of a machine\n* A list of files or ways the content filter can be bypassed\n\nThere is an online version: \n* [badfiles.ch](https://badfiles.ch): A list of malicious file extensions\n* [badfiles.ch/windows.html](https://badfiles.ch/windows.html): Windows attack surface\n\n\n# Usage\n\n## Attack Surface\n\n![Waasa Attack Surface Windows](https://raw.githubusercontent.com/dobin/waasa/master/doc/waasa-win.png)\n\n\n## Content Filter Test\n\n![Waasa Content Filter Examine](https://raw.githubusercontent.com/dobin/waasa/master/doc/waasa-contentfilter-examine.png)\n\n![Waasa Content Filter File](https://raw.githubusercontent.com/dobin/waasa/master/doc/waasa-contentfilter-file.png)\n\n\n## Usage Console (beta)\n\n* It uses `./waasa.json` as the default dump filename\n* You can copy `waasa.json` to another machine for analysis\n\n\nCreate a registry dump (to `waasa.json`):\n```\n\u003e .\\waasa.exe dump\n```\n\nCreate CSV from dump:\n```\n\u003e .\\waasa.exe dump 
--csv output.csv\n```\n\nCreate all files in `./output/`:\n```\n\u003e .\\waasa.exe --files\n```\n\n\n## Files \n\n* gathered_data.json: a dump from the registry of a machine and more, around 10MB\n* waasa.json:  parsed registry dump (from gathered_data.json)\n* waasa.csv: Output to CSV\n* waasa.txt: Input of file extensions\n\n\n## Example Results\n\nFrom a fresh Windows 10 VM with Visual Studio installed:\n\n* [Result CSV File](https://github.com/dobin/waasa/blob/master/data/windev.csv)\n* [Dump File Download](https://raw.githubusercontent.com/dobin/waasa/master/data/windev.json)\n\n\n## Notes about the results\n\nWindows basically knows three types of actions when clicking a file: \n1) Execute the associated program\n2) Show \"Open With\" dialog, where a program is preselected (recommended)\n3) Show \"Open With\" dialog, no preselection or recommendation\n\nBecause of Windows restrictions, waasa will treat 1) and 2) mostly as the same. \nThis makes sense from an attacker's perspective too, as users will likely click the \"Open With Recommended\"\nentry. \n\nThe results are mostly based on the Windows `shlwapi` interface, which gives a lot of wrong results. \nI tried to improve the algorithm, but there are still misidentifications possible. Double check\nyour results (by manually clicking on the files). \n\n![OpenWith 1](https://raw.githubusercontent.com/dobin/waasa/master/doc/openwith-1.png)\n![Recommended](https://raw.githubusercontent.com/dobin/waasa/master/doc/recommended-1.png)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdobin%2Fwaasa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdobin%2Fwaasa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdobin%2Fwaasa/lists"}