2.3.6
This is primarily a security/hardening release.
fixes
- Limit the allowed URI's that may be submitted to the screenshot or report server to only those starting with
http
/https
by default. You can use the new--allow-insecure-uri
/-A
flag to disable this. Take note that with the-A
flag, it means someone could screenshotfile://
URI's and read local files on the host filesystem. To combat some of this abuse, by default the report & screenshot servers listen on localhost only. However, if you are exposing the report or screenshot servers to the Internet (or other untrusted networks), make sure you restrict access to it as other problematic URI's such as localhost and cloud metadata URIs (and any other SSRF vector) will also be reachable this way. (57dffb7) (thanks to Omri Inbar from Checkmarx for reporting the LFI).
other
- go-staticcheck fixes and other code cleanups (1149417)
8a2ca3dc8a58ce3e103aeabd13df7713c0322b2c gowitness-2.3.6-darwin-amd64
b50938b99af45d7bc209428a648f057b11a6025f gowitness-2.3.6-linux-amd64
1dcee72acdf074f1850263643ca9297b0d5b38e3 gowitness-2.3.6-windows-amd64.exe