Releases: Lookyloo/lookyloo
v1.36.0
Breaking change
This release requires kvrocks >= 2.14. You can install it by compiling the sources, or grabbing the deb/rpm packages from Lookyloo or RocksLabs builds.
New feature
- Add support for kvrocks for public index (avoids ever-growing valkey, a problem for big public instances)
- Add pagination for the index pages (public and hidden), which allows near-instant rendering and massively speeds up initialization of the web server.
Changes
- Reduce logging on captures with errors
- Improve shutdown checks on long running scripts
- Refactor the code that gets captures out of the cache, allowing the tree pickle to be skipped
- Bump dependencies
What's Changed
- build(deps): bump docker/metadata-action from 5.9.0 to 5.10.0 by @dependabot[bot] in #1214
- build(deps): bump actions/upload-artifact from 5 to 6 by @dependabot[bot] in #1230
Full Changelog: v1.35.3...v1.36.0
v1.35.3
This release fixes multiple XSS vulnerabilities reported by @Wachizungu, thank you!
TL;DR: please update asap, especially if you're running a public instance.
More details in the advisories:
Full Changelog: v1.35.2...v1.35.3
v1.35.2
The main change in this release is that the string-shortening helper (the one causing GHSA-m9g6-23c8-vrxf) was made generic, so it also works properly on small screens.
I'd also like to thank Jeroen Pinoy (@Wachizungu) for investigating GHSA-m9g6-23c8-vrxf further, and finding out that it is in fact possible to trigger the vulnerability, even with the default CSP settings.
The two POCs are as follows:
- Capture a page on lookyloo that loads a malicious JS, so it is saved in the resources index
- Trigger a capture to
https://malicous.url.domain/test.html"/><script src="/ressource_by_hash/<sha512 of the malicious JS>"></script> - As it is loaded locally, it will be executed
Or
Trigger a capture to https://malicous.url.domain/test.html"/><a href="javascript:<malicious JS code>">View capture details</a>, where the JS will be triggered on click.
This issue is fixed because we now properly escape the URL before displaying it, but the script-src-elem CSP setting is not strict enough and will need to be improved (other JS dependencies currently fail if we use strict-dynamic).
Full Changelog: v1.35.1...v1.35.2
v1.35.1
An HTML injection issue was identified in Lookyloo’s web interface helper function shorten_string (website/web/__init__.py). The function is used to truncate and render user-controlled values inside HTML (for example in a <span title="..."> attribute) without first escaping the string. This allowed crafted input containing HTML to be injected into the rendered page.
On a standard Lookyloo installation, the configured Content Security Policy (CSP) significantly limited the impact and prevented direct script execution in most scenarios, but the underlying HTML injection bug was still present and could become exploitable if CSP was relaxed or modified.
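The HTML injection in shorten_string described here, and the attribute break-out used by the v1.35.2 POCs, as an added example that is not Lookyloo's code: a hypothetical reconstruction of the defect beside a hardened version, plus a small check that lists the tags a parser sees in the rendered fragment. Function names, the attribute layout and the sample value are assumptions.

```python
import html
from html.parser import HTMLParser


def shorten_string_vulnerable(s: str, length: int = 50) -> str:
    # Hypothetical reconstruction of the defect: the raw, user-controlled value
    # is truncated and dropped into a title attribute without any escaping.
    if len(s) <= length:
        return s
    return f'<span title="{s}">{s[:length]}...</span>'


def shorten_string_fixed(s: str, length: int = 50) -> str:
    # Hardened form: escape after truncating (escaping first could leave a
    # half-cut entity), and escape quotes too, since the value lands inside
    # a double-quoted attribute as well as in text context.
    if len(s) <= length:
        return html.escape(s, quote=True)
    full = html.escape(s, quote=True)
    short = html.escape(s[:length], quote=True)
    return f'<span title="{full}">{short}...</span>'


class _TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def rendered_tags(fragment: str) -> list[str]:
    # Anything beyond the single <span> means the value broke out of the
    # attribute; a handy assertion for a regression test of the helper.
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


# Constructed sample: a URL-shaped value that closes the attribute and the
# tag, then adds harmless markup (a benign stand-in for the advisory's POC).
SAMPLE = 'https://example.invalid/test.html"/><b>x</b>' + 'a' * 60

if __name__ == "__main__":
    print(rendered_tags(shorten_string_vulnerable(SAMPLE, 20)))  # ['span', 'b']
    print(rendered_tags(shorten_string_fixed(SAMPLE, 20)))       # ['span']
```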
References:
Full Changelog: v1.35.0...v1.35.1
v1.35.0
New features
Frames
Support iframes as implemented in Lacus v1.20.0; see its release notes for more details on why.
On the Lookyloo side, it does the following:
- Better tree, as we can use the URLs of the iframes to attach the nodes at the right place.
- When getting the rendered content works, you can download it from the relevant node in the tree
- The dump of the contents of all the frames is also submitted for a Trusted Timestamp (the same way the main frame was timestamped before)
Guess download links
For Google Docs and Dropbox, it is possible to guess the download/export link from the landing page. If it works, you can trigger a subsequent capture for that link, download the file, and submit it to Pandora.
Free form for subsequent captures
On the subsequent capture modal, you can pass any URL you want and capture it in the current context (the browser's local storage will be passed to the capture)
Improvements
- Change the index page so that captures without titles can be opened
- Better init script example in the capture page
- Update the bundled-in UA list, and automate that process
- Update playwright
What's Changed
- build(deps): bump actions/upload-artifact from 4 to 5 by @dependabot[bot] in #1195
- build(deps): bump docker/metadata-action from 5.8.0 to 5.9.0 by @dependabot[bot] in #1201
Full Changelog: v1.34.0...v1.35.0
v1.34.0 - Hack.lu 2025
Important: this version doesn't support Python 3.9.
New features
- Dark mode (if the user asks for it)
- New navbar to expose previously hidden endpoints
- Add TSR in MISP exports
- Alert the user when a capture was done via a proxy and we don't have the actual IP addresses (127.0.0.1)
- Changes by Lacus v1.19
- Add setting to automatically filter the contacts based on a blocklist.
- Add very basic playwright test suite
Bugfixes
- Improve logging
- Skip DNS queries for onions and i2p
Full Changelog: v1.33.0...v1.34.0
v1.33.0
Important: This is the last release supporting Python 3.9.
New Features
If you're using a dedicated Lacus instance, make sure to update it to v1.18.0 first.
Trusted Timestamps
Support for Trusted Timestamps (RFC 3161). This allows validating the results of the captures with a trusted Time Stamping Authority (TSA). The default TSA is provided by the German National Research and Education Network (DFN) - thank you very much for offering this service. But you can change it to any other RFC 3161-compatible TSA: Trail of Bits has a list of working (and not working) servers; feel free to pick another one from there.
When enabled, the SHA512s for the HAR, the rendered HTML, the page screenshot, the URL in the address bar and any downloaded content are sent to the timestamping service. The result of the capture contains an archive with the verification files.
You can download an archive (Actions -> Get forensic acquisition) that contains all these elements along with the verification files and validate it using openssl (or the tool of your choice) - there is also a pre-populated validation script in the archive.
This feature can be enabled by default for all the captures, or manually triggered by the user from the capture form.
Invisible Internet Project (I2P)
Similarly to Tor (.onion) domains, it is now possible to capture .i2p domains. For that, you'll need to install an I2P client. The default Lacus config points to the default port for I2P.
If you enable it, give it some time: it takes a while to initialize, so if you immediately trigger a capture, it might fail.
Custom theme
It is now possible to customize the theme of a Lookyloo instance with the following files:
- website/web/templates/custom_header.html: Adds a header
- website/web/templates/custom_footer.html: Adds a footer
- website/web/static/css/overrides.css: To set specific CSS styles
- website/web/static/js/overrides.js: To run custom JS code
- website/web/custom_csp.py: If you need to add extra CSP rules, to load images from other domains, for example
No promises it works out of the box for you, but please open an issue if you have a problem.
Other changes
- Pivot on IP from PDNS table
- Improve logging with UUIDs whenever possible
- Use orjson instead of the default json library
What's Changed
- build(deps): bump sigstore/cosign-installer from 3.9.2 to 3.10.0 by @dependabot[bot] in #1165
- build(deps): bump actions/setup-python from 5 to 6 by @dependabot[bot] in #1158
Full Changelog: v1.32.0...v1.33.0
v1.32.0 - Back to school release
New features
- Add pretty print for text, JSON and multipart POSTed contents in hostnode
- Show on tree the presence of POSTs in a node
- Support for an init script that is run before any other script once the page is loaded, as implemented in Lacus v1.17.0
- Support for proxies in the Mastodon bot, automatically verify the Lookyloo website from the Mastodon bot
- Support system proxy in all modules
- Add TLD search
- Optional auto-push to MISP
Changes
- Add support for disabling queries against IPASN History
- Properly avoid connecting to SaneJS when disabled
- Make fetching Cloudflare IPs optional
- Only return recent captures listed on index by default in the API
- Support partitionKey in cookies (new feature from playwright)
Bugfixes
- Avoid background processing getting stuck on long queues
- Support for new lxml
- Avoid exception in MISP search
- Avoid reloading the tree template when a modal fails to load properly, and many more UI fixes when some modules are disabled
What's Changed
- build(deps): bump docker/setup-buildx-action from 3.10.0 to 3.11.0 by @dependabot[bot] in #1080
- build(deps): bump docker/setup-buildx-action from 3.11.0 to 3.11.1 by @dependabot[bot] in #1083
- build(deps): bump sigstore/cosign-installer from 3.8.2 to 3.9.0 by @dependabot[bot] in #1084
- build(deps): bump sigstore/cosign-installer from 3.9.0 to 3.9.1 by @dependabot[bot] in #1086
- build(deps): bump sigstore/cosign-installer from 3.9.1 to 3.9.2 by @dependabot[bot] in #1111
- build(deps): bump docker/metadata-action from 5.7.0 to 5.8.0 by @dependabot[bot] in #1124
- build(deps): bump docker/login-action from 3.4.0 to 3.5.0 by @dependabot[bot] in #1129
- build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #1135
Full Changelog: v1.31.0...v1.32.0
v1.31.0
This release contains the changes and bugfixes we worked on during GeekWeek X; we'd like to thank the CCCS for hosting us and organizing this event.
New Features
- /json/advanced_search: Returns captures matching multiple parameters (IP, Hostname, URL, Hash) by @GavinMacNabb
- Docker compose files for dev and prod by @litobro
- New module to automatically submit URLs from Lookyloo to CCCS AssemblyLine by @litobro
- /json/ip_info: Returns the captures containing a specific IP address
- /json/<string:capture_uuid>/ips: Returns all the IPs contained in a capture
- /json/favicon_info: Returns the captures containing a specific favicon
- /json/<string:capture_uuid>/favicons: Returns all the favicons in a capture. Note: playwright doesn't download the favicon, so we fetch them after the fact by extracting the possible favicons from the rendered HTML. This call may return more than one favicon.
- /json/hash_info: Returns the captures containing a resource with a specific hash (sha512)
- Normalize the JSON API endpoints so they support pagination, accept the same parameters, and return data in the same format
Bugfixes
- Multiple calls to get captures from specific indicators (Hostnames, URLs, IPs, body hashes ...) were not working properly when queried via the API
- Many improvements in error handling
- When the capture queue is really long and captures are not processed within one hour (by default), they were expired on the Lacus side. Now, if that happens but the capture is still in the queue on the Lookyloo side, it is re-queued into Lacus.
What's Changed
- Add modules folder to docker-compose.yml to allow live development by @litobro in #1065
- FEAT: Support AssemblyLine Submission by @litobro in #1066
- New POST /json/advanced_search endpoint by @GavinMacNabb in #1071
New Contributors
- @Wachizungu made their first contribution in #1053
- @litobro made their first contribution in #1065
- @GavinMacNabb made their first contribution in #1071
Full Changelog: v1.30.0...v1.31.0
v1.30.0 - GeekWeek X
New Feature
This release adds a new endpoint /json/remote_lacuses to get a list of all the remote Lacus instances configured on the Lookyloo instance, whether they're up, and all the proxies they expose (supports Lacus v1.15.0):
    {
      "is_up": true,
      "name": "default",
      "proxies": {
        "Netherlands": {
          "description": "Proxy for Netherlands",
          "meta": {
            "provider": "wireguard"
          }
        },
        "Tor": {
          "description": "Trigger the capture via the tor network.",
          "meta": {
            "provider": "Tor Project"
          }
        }
      }
    }
Bugfixes and changes
- Allow for much bigger trees by increasing recursion limit
- Improve the way we retry failed captures
- Avoid deadlock on the UI if the monitoring interface is non-responsive
- Avoid exception on the capture page if Lacus is temporarily unresponsive
- Avoid exception if archives are not on S3
- Avoid race condition between enqueuing and starting the capture.
And all that, just on time for Geekweek X \o/
Full Changelog: v1.29.0...v1.30.0