| 0d1n |
263.2d723ae |
Web security tool to make fuzzing at HTTP inputs, made in C with libCurl. |
|
| abuse-ssl-bypass-waf |
7.c28f98e |
Bypassing WAF by abusing SSL/TLS Ciphers. |
|
| adfind |
v1.0.3.r0.g3a6a055 |
Simple admin panel finder for php,js,cgi,asp and aspx admin panels. |
|
| adminpagefinder |
0.1 |
This python script looks for a large amount of possible administrative interfaces on a given site. |
|
| albatar |
34.4e63f22 |
A SQLi exploitation framework in Python. |
|
| anti-xss |
166.2725dc9 |
A XSS vulnerability scanner. |
|
| arachni |
1.6.1.3.1.g8e5c5d0a9 |
A feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. |
|
| arjun |
236.53afa55 |
HTTP parameter discovery suite. |
|
| astra |
489.092804a |
Automated Security Testing For REST API's. |
|
| atlas |
7.77bd6c8 |
Open source tool that can suggest sqlmap tampers to bypass WAF/IDS/IPS. |
|
| badministration |
16.69e4ec2 |
A tool which interfaces with management or administration applications from an offensive standpoint. |
|
| bbqsql |
261.b9859d2 |
SQL injection exploit tool. |
|
| bbscan |
52.6731879 |
A tiny Batch web vulnerability Scanner. |
|
| bing-lfi-rfi |
0.1 |
Python script for searching Bing for sites that may have local and remote file inclusion vulnerabilities. |
|
| blisqy |
20.e9995fc |
Exploit Time-based blind-SQL injection in HTTP-Headers (MySQL/MariaDB). |
|
| brutemap |
65.da4b303 |
Penetration testing tool that automates testing accounts to the site's login page. |
|
| brutexss |
54.ba753df |
Cross-Site Scripting Bruteforcer. |
|
| bsqlbf |
2.7 |
Blind SQL Injection Brute Forcer. |
|
| bsqlinjector |
13.027184f |
Blind SQL injection exploitation tool written in ruby. |
|
| burpsuite |
2024.10 |
An integrated platform for attacking web applications (community edition) + SHELLING plugin. |
|
| c5scan |
30.be8845c |
Vulnerability scanner and information gatherer for the Concrete5 CMS. |
|
| cansina |
59.67c6301 |
A python-based Web Content Discovery Tool. |
|
| cent |
v1.3.4.r2.g481700c |
Community edition nuclei templates. |
|
| chankro |
21.7b6e844 |
Tool that generates a PHP capable of run a custom binary (like a meterpreter) or a bash script (p.e. reverse shell) bypassing disable_functions & open_basedir). |
|
| cjexploiter |
2.d1caa21 |
Drag and Drop ClickJacking exploit development assistance tool. |
|
| clairvoyance |
2.5.2 |
Obtain GraphQL API Schema even if the introspection is not enabled. |
|
| cloudget |
64.cba10b1 |
Python script to bypass cloudflare from command line. Built upon cfscrape module. |
|
| cms-few |
0.1 |
Joomla, Mambo, PHP-Nuke, and XOOPS CMS SQL injection vulnerability scanning tool written in Python. |
|
| cmseek |
382.20f9780 |
CMS (Content Management Systems) Detection and Exploitation suite. |
|
| cmsfuzz |
5.6be5a98 |
Fuzzer for wordpress, cold fusion, drupal, joomla, and phpnuke. |
|
| cmsscan |
43.f060b4b |
CMS scanner to identify and find vulnerabilities for Wordpress, Drupal, Joomla, vBulletin. |
|
| cmsscanner |
0.13.8.63.g864c47f |
CMS Scanner Framework. |
|
| comission |
203.67b890e |
WhiteBox CMS analysis. |
|
| commentor |
20.4582674 |
Extract all comments from the specified URL resource. |
|
| commix |
2187.fa8a9723 |
Automated All-in-One OS Command Injection and Exploitation Tool. |
|
| corscanner |
99.593043f |
Fast CORS misconfiguration vulnerabilities scanner. |
|
| corsy |
69.2985ae2 |
CORS Misconfiguration Scanner. |
|
| crabstick |
47.bb7827f |
Automatic remote/local file inclusion vulnerability analysis and exploit tool. |
|
| crackql |
1.0.r53.gac26a44 |
GraphQL password brute-force and fuzzing utility |
|
| crawlic |
51.739fe2b |
Web recon tool (find temporary files, parse robots.txt, search folders, google dorks and search domains hosted on same server). |
|
| crlfuzz |
62.7a442bb |
A fast tool to scan CRLF vulnerability written in Go. |
|
| csrftester |
1.0 |
The OWASP CSRFTester Project attempts to give developers the ability to test their applications for CSRF flaws. |
|
| cybercrowl |
111.f7cac52 |
A Python Web path scanner tool. |
|
| dalfox |
1464.f3262c7 |
Parameter Analysis and XSS Scanning tool. |
|
| darkdump |
54.b71776b |
Search The Deep Web Straight From Your Terminal. |
|
| darkjumper |
5.8 |
This tool will try to find every website that host at the same server at your target. |
|
| darkscrape |
68.2ca0e37 |
OSINT Tool For Scraping Dark Websites. |
|
| davscan |
30.701f967 |
Fingerprints servers, finds exploits, scans WebDAV. |
|
| dawnscanner |
v2.2.0.r15.g0d647fc |
A static analysis security scanner for ruby written web applications. |
|
| dff-scanner |
1.1 |
Tool for finding path of predictable resource locations. |
|
| dirble |
1.4.2 |
Fast directory scanning and scraping tool. |
|
| dirbuster-ng |
9.0c34920 |
C CLI implementation of the Java dirbuster tool. |
|
| dirhunt |
329.a5ea20d |
Find web directories without bruteforce. |
|
| dirscraper |
16.e752450 |
OSINT Scanning tool which discovers and maps directories found in javascript files hosted on a website. |
|
| dirsearch |
2474.8f83e14 |
HTTP(S) directory/file brute forcer. |
|
| docem |
21.59db436 |
Uility to embed XXE and XSS payloads in docx,odt,pptx,etc (OXML_XEE on steroids). |
|
| domi-owned |
41.583d0a5 |
A tool used for compromising IBM/Lotus Domino servers. |
|
| dontgo403 |
1.0.1.r11.ga47e83b |
Tool to bypass 40X response codes.. |
|
| doork |
6.90c7260 |
Passive Vulnerability Auditor. |
|
| dorknet |
58.419d6a2 |
Selenium powered Python script to automate searching for vulnerable web apps. |
|
| droopescan |
1.45.1 |
A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe. |
|
| drupal-module-enum |
11.525543c |
Enumerate on drupal modules. |
|
| drupalscan |
0.5.2 |
Simple non-intrusive Drupal scanner. |
|
| drupwn |
59.8186732 |
Drupal enumeration & exploitation tool. |
|
| dsfs |
36.8e9f8e9 |
A fully functional File inclusion vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code. |
|
| dsjs |
32.26287d0 |
A fully functional JavaScript library vulnerability scanner written in under 100 lines of code. |
|
| dsss |
123.84ddd33 |
A fully functional SQL injection vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code. |
|
| dsstore-crawler |
7.efa51f5 |
A parser + crawler for .DS_Store files exposed publically. |
|
| dsxs |
130.3e628b6 |
A fully functional Cross-site scripting vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code. |
|
| eos |
16.47f0086 |
Enemies Of Symfony - Debug mode Symfony looter. |
|
| epicwebhoneypot |
2.0a |
Tool which aims to lure attackers using various types of web vulnerability scanners by tricking them into believing that they have found a vulnerability on a host. |
|
| evine |
42.46051de |
Interactive CLI Web Crawler. |
|
| extended-ssrf-search |
28.680f815 |
Smart ssrf scanner using different methods like parameter brute forcing in post and get. |
|
| eyewitness |
1159.8a21526 |
Designed to take screenshots of websites, provide some server header info, and identify default credentials if possible. |
|
| fbht |
70.d75ae93 |
A Facebook Hacking Tool |
|
| fdsploit |
26.4522f53 |
A File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool. |
|
| feroxbuster |
v2.11.0.r1.g3b0e530 |
A fast, simple, recursive content discovery tool written in Rust. |
|
| ffuf |
v2.1.0.r3.gde9ac86 |
Fast web fuzzer written in Go. |
|
| fhttp |
1.3 |
This is a framework for HTTP related attacks. It is written in Perl with a GTK interface, has a proxy for debugging and manipulation, proxy chaining, evasion rules, and more. |
|
| filebuster |
95.f2b04c7 |
An extremely fast and flexible web fuzzer. |
|
| filegps |
90.03cbc75 |
A tool that help you to guess how your shell was renamed after the server-side script of the file uploader saved it. |
|
| fingerprinter |
480.105ab04 |
CMS/LMS/Library etc Versions Fingerprinter. |
|
| flask-session-cookie-manager2 |
v1.2.1.1.r12.ga2b1b57 |
Decode and encode Flask session cookie. |
|
| flask-session-cookie-manager3 |
v1.2.1.1.r12.ga2b1b57 |
Decode and encode Flask session cookie. |
|
| flask-unsign |
1.2.0 |
Decode, encode and brute-force Flask session cookie. |
|
| fockcache |
10.3e7efa9 |
Tool to make cache poisoning by trying X-Forwarded-Host and X-Forwarded-Scheme headers on web pages. |
|
| fuxploider |
140.ec8742b |
Tool that automates the process of detecting and exploiting file upload forms flaws. |
|
| gau |
167.5d4e127 |
Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl. |
|
| ghauri |
1.3.8.r3.g24cacde |
An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws. |
|
| ghost-py |
2.0.0 |
Webkit based webclient (relies on PyQT). |
|
| gitdump |
1.682fa37 |
A pentesting tool that dumps the source code from .git even when the directory traversal is disabled. |
|
| gittools |
70.7cac63a |
A repository with 3 tools for pwn'ing websites with .git repositories available'. |
|
| gobuster |
367.308cf9f |
Directory/file & DNS busting tool written in Go. |
|
| golismero |
73.7d605b9 |
Opensource web security testing framework. |
|
| goop-dump |
71.3c15d60 |
Tool to dump a git repository from a website, focused on as-complete-as-possible dumps and handling weird edge-cases. |
|
| gopherus |
33.90a2fd5 |
Tool generates gopher link for exploiting SSRF and gaining RCE in various servers. |
|
| gospider |
108.f6cc9a7 |
Fast web spider written in Go. |
|
| gowitness |
451.a433caa |
A golang, web screenshot utility using Chrome Headless. |
|
| grabber |
0.1 |
A web application scanner. Basically it detects some kind of vulnerabilities in your website. |
|
| graphql-path-enum |
23.5450280 |
Tool that lists the different ways of reaching a given type in a GraphQL schema. |
|
| graphqlmap |
63.59305d7 |
Scripting engine to interact with a graphql endpoint for pentesting purposes. |
|
| graphw00f |
1.1.18.r4.gc29656d |
GraphQL endpoint detection and engine fingerprinting. |
|
| h2csmuggler |
7.7ea573a |
HTTP Request Smuggling over HTTP/2 Cleartext (h2c). |
|
| h2t |
36.9183a30 |
Scans a website and suggests security headers to apply. |
|
| hakrawler |
234.14e240b |
Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application. |
|
| hetty |
134.f60202e |
HTTP toolkit for security research. Aims to become an open source alternative to commercial software like Burp Suite Pro. |
|
| hookshot |
205.df30b85 |
Integrated web scraper and email account data breach comparison tool. |
|
| htcap |
155.a59c592 |
A web application analysis tool for detecting communications between javascript and the server. |
|
| http2smugl |
36.78abc09 |
Http2Smugl - Tool to detect and exploit HTTP request smuggling in cases it can be achieved via HTTP/2 -> HTTP/1.1 conversion. |
|
| httpforge |
11.02.01 |
A set of shell tools that let you manipulate, send, receive, and analyze HTTP messages. These tools can be used to test, discover, and assert the security of Web servers, apps, and sites. An accompanying Python library is available for extensions. |
|
| httpgrep |
2.4 |
A python tool which scans for HTTP servers and finds given strings in HTTP body and HTTP response headers. |
|
| httppwnly |
47.528a664 |
"Repeater" style XSS post-exploitation tool for mass browser control. |
|
| httpx |
2236.ca398ed |
A fast and multi-purpose HTTP toolkit allow to run multiple probers using retryablehttp library. |
|
| identywaf |
207.ae7e44a |
Blind WAF identification tool. |
|
| injectus |
12.3c01fa0 |
CRLF and open redirect fuzzer. |
|
| interactsh-client |
v1.2.2.r0.g5630c1c |
Open-Source Solution for Out of band Data Extraction. |
|
| ipsourcebypass |
1.2.r15.g7befb82 |
This Python script can be used to bypass IP source restrictions using HTTP headers. |
|
| jaeles |
233.243e0b6 |
The Swiss Army knife for automated Web Application Testing. |
|
| jaidam |
18.15e0fec |
Penetration testing tool that would take as input a list of domain names, scan them, determine if wordpress or joomla platform was used and finally check them automatically, for web vulnerabilities using two well-known open source tools, WPScan and Joomscan. |
|
| jast |
17.361ecde |
Just Another Screenshot Tool. |
|
| jdeserialize |
31.20635ba |
A library that interprets Java serialized objects. It also comes with a command-line tool that can generate compilable class declarations, extract block data, and print textual representations of instance values. |
|
| jexboss |
86.338b531 |
Jboss verify and Exploitation Tool. |
|
| jira-scan |
7.447d0ec |
A simple remote scanner for Atlassian Jira |
|
| jok3r |
447.0761996 |
Network and Web Pentest Framework. |
|
| jomplug |
0.1 |
This php script fingerprints a given Joomla system and then uses Packet Storm's archive to check for bugs related to the installed components. |
|
| jooforce |
11.43c21ad |
A Joomla password brute force tester. |
|
| joomlascan |
1.2 |
Joomla scanner scans for known vulnerable remote file inclusion paths and files. |
|
| joomlavs |
254.eea7500 |
A black box, Ruby powered, Joomla vulnerability scanner. |
|
| joomscan |
83.2ea8cc7 |
Detects file inclusion, sql injection, command execution vulnerabilities of a target Joomla! web site. |
|
| jshell |
7.ee3c92d |
Get a JavaScript shell with XSS. |
|
| jsonbee |
30.c0c87fc |
A ready to use JSONP endpoints/payloads to help bypass content security policy (CSP). |
|
| jsparser |
31.ccd3ab6 |
Parse javascript using Tornado and JSBeautifier to discover interesting enpoints. |
|
| jsql-injection |
0.101 |
A Java application for automatic SQL database injection. |
|
| jstillery |
65.512e9af |
Advanced JavaScript Deobfuscation via Partial Evaluation. |
|
| juumla |
106.130565e |
Python tool created to identify Joomla version, scan for vulnerabilities and search for config files. |
|
| jwt-hack |
v1.2.0.r0.g32e486b |
A tool for hacking / security testing to JWT. |
|
| kadimus |
183.ac5f438 |
LFI Scan & Exploit Tool. |
|
| katana-pd |
v1.1.1.r0.gf8486d4 |
Crawling and spidering framework. |
|
| kiterunner |
19.7d5824c |
Contextual Content Discovery Tool. |
|
| kolkata |
3.0 |
A web application fingerprinting engine written in Perl that combines cryptography with IDS evasion. |
|
| konan |
23.7b5ac80 |
Advanced Web Application Dir Scanner. |
|
| kubolt |
28.0027239 |
Utility for scanning public kubernetes clusters. |
|
| lfi-exploiter |
1.1 |
This perl script leverages /proc/self/environ to attempt getting code execution out of a local file inclusion vulnerability.. |
|
| lfi-fuzzploit |
1.1 |
A simple tool to help in the fuzzing for, finding, and exploiting of local file inclusion vulnerabilities in Linux-based PHP applications. |
|
| lfi-image-helper |
0.8 |
A simple script to infect images with PHP Backdoors for local file inclusion attacks. |
|
| lfi-sploiter |
1.0 |
This tool helps you exploit LFI (Local File Inclusion) vulnerabilities. Post discovery, simply pass the affected URL and vulnerable parameter to this tool. You can also use this tool to scan a URL for LFI vulnerabilities. |
|
| lfifreak |
21.0c6adef |
A unique automated LFi Exploiter with Bind/Reverse Shells. |
|
| lfimap |
283.5db3000 |
Local file inclusion discovery and exploitation tool. |
|
| liffy |
33.89dd4f8 |
A Local File Inclusion Exploitation tool. |
|
| lightbulb |
88.9e8d6f3 |
Python framework for auditing web applications firewalls. |
|
| linkfinder |
168.1debac5 |
Discovers endpoint and their parameters in JavaScript files. |
|
| list-urls |
0.1 |
Extracts links from webpage. |
|
| log4j-bypass |
33.f5c92f9 |
Log4j web app tester that includes WAF bypasses. |
|
| log4j-scan |
88.07f7e32 |
A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-44228. |
|
| lorsrf |
v2.1.r3.g5c69453 |
Find the parameters that can be used to find SSRF or Out-of-band resource load. |
|
| lulzbuster |
1.3.2 |
A very fast and smart web directory and file enumeration tool written in C. |
|
| magescan |
1.12.9 |
Scan a Magento site for information. |
|
| malicious-pdf |
47.10d08b2 |
Generate a bunch of malicious pdf files with phone-home functionality. |
|
| mando.me |
9.8b34f1a |
Web Command Injection Tool. |
|
| meg |
87.9daab00 |
Fetch many paths for many hosts - without killing the hosts. |
|
| metoscan |
05 |
Tool for scanning the HTTP methods supported by a webserver. It works by testing a URL and checking the responses for the different requests. |
|
| monsoon |
261.f4f9852 |
A fast HTTP enumerator that allows you to execute a large number of HTTP requests. |
|
| mooscan |
10.82963b0 |
A scanner for Moodle LMS. |
|
| morxtraversal |
1.0 |
Path Traversal checking tool. |
|
| multiinjector |
0.4 |
Automatic SQL injection utility using a lsit of URI addresses to test parameter manipulation. |
|
| nosqli |
37.6fce3eb |
NoSQL scanner and injector. |
|
| nosqlmap |
298.efe6f7a |
Automated Mongo database and NoSQL web application exploitation tool |
|
| novahot |
23.69857bb |
A webshell framework for penetration testers. |
|
| nuclei |
v3.0.0.r950.g97403c203 |
A fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use. |
|
| okadminfinder |
117.bd394ef |
Tool to find admin panels / admin login pages. |
|
| onionsearch |
44.fc9d62c |
Script that scrapes urls on different ".onion" search engines. |
|
| opendoor |
422.d1ed311 |
OWASP WEB Directory Scanner. |
|
| owasp-bywaf |
26.e730d1b |
A web application penetration testing framework (WAPTF). |
|
| owtf |
2187.af993ecb |
The Offensive (Web) Testing Framework. |
|
| pappy-proxy |
77.e1bb049 |
An intercepting proxy for web application testing. |
|
| parameth |
56.8da6f27 |
This tool can be used to brute discover GET and POST parameters. |
|
| parampampam |
45.9171018 |
This tool for brute discover GET and POST parameters. |
|
| paros |
3.2.13 |
Java-based HTTP/HTTPS proxy for assessing web app vulnerabilities. Supports editing/viewing HTTP messages on-the-fly, spiders, client certificates, proxy-chaining, intelligent scanning for XSS and SQLi, etc. |
|
| payloadmask |
17.58e0525 |
Web Payload list editor to use techniques to try bypass web application firewall. |
|
| peepingtom |
56.bc6f4d8 |
A tool to take screenshots of websites. Much like eyewitness. |
|
| photon |
328.d88d5f3 |
Incredibly fast crawler which extracts urls, emails, files, website accounts and much more. |
|
| php-findsock-shell |
2.b8a984f |
A Findsock Shell implementation in PHP + C. |
|
| php-malware-finder |
0.3.4.r82.g87b6d7f |
Detect potentially malicious PHP files. |
|
| phpggc |
644.bd9c6e0 |
A library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically. |
|
| phpsploit |
1021.aea961d |
Stealth post-exploitation framework. |
|
| pinkerton |
1.6.r19.g3195a4a |
JavaScript file crawler and secret finder. |
|
| pixload |
87.a8f58a7 |
Image Payload Creating/Injecting tools. |
|
| plecost |
104.4895e34 |
Wordpress finger printer Tool. |
|
| plown |
13.ccf998c |
A security scanner for Plone CMS. |
|
| poly |
52.4e6f189 |
Polymorphic webshells. |
|
| pown |
332.0e32edf |
Security testing and exploitation toolkit built on top of Node.js and NPM. |
|
| ppfuzz |
31.80982ec |
A fast tool to scan client-side prototype pollution vulnerability written in Rust. |
|
| ppmap |
v1.2.0.r15.g9426af6 |
A scanner/exploitation tool written in GO, which leverages client-side Prototype Pollution to XSS by exploiting known gadgets. |
|
| proxenet |
712.67fc6b5 |
THE REAL hacker friendly proxy for web application pentests. |
|
| pwndrop |
18.385ba70 |
Self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV. |
|
| pyfiscan |
2999.eb42cef |
Free web-application vulnerability and version scanner. |
|
| python-witnessme |
1.5.0 |
Web Inventory tool, takes screenshots of webpages using Pyppeteer. |
|
| python2-jsbeautifier |
1.13.4 |
JavaScript unobfuscator and beautifier. |
|
| rabid |
v0.1.0.r124.gf67962d |
A CLI tool and library allowing to simply decode all kind of BigIP cookies. |
|
| rapidscan |
221.296a20b |
The Multi-Tool Web Vulnerability Scanner. |
|
| remot3d |
38.a707ef7 |
An Simple Exploit for PHP Language. |
|
| restler-fuzzer |
404.90c39b8 |
First stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. |
|
| riwifshell |
38.40075d5 |
Web backdoor - infector - explorer. |
|
| ruler |
310.1fe118c |
A tool to abuse Exchange services. |
|
| rustbuster |
302.4a243d4 |
DirBuster for Rust. |
|
| rww-attack |
0.9.2 |
Performs a dictionary attack against a live Microsoft Windows Small Business Server. |
|
| sawef |
32.e5ce862 |
Send Attack Web Forms. |
|
| scanqli |
26.40a028d |
SQLi scanner to detect SQL vulns. |
|
| scrapy |
2.11.1 |
A fast high-level scraping and web crawling framework. |
|
| scrying |
234.caa233c |
Collect RDP, web, and VNC screenshots smartly. |
|
| second-order |
v3.2.r0.g242569b |
Second-order subdomain takeover scanner. |
|
| secretfinder |
15.d06119d |
A python script to find sensitive data (apikeys, accesstoken, jwt,..) in javascript files. |
|
| secscan |
1.5 |
Web Apps Scanner and Much more utilities. |
|
| see-surf |
v2.0.r41.g826f05a |
A Python based scanner to find potential SSRF parameters in a web application. |
|
| serializationdumper |
34.6d161cd |
A tool to dump Java serialization streams in a more human readable form. |
|
| shortfuzzy |
0.1 |
A web fuzzing script written in perl. |
|
| shuffledns |
362.1e45a1b |
A wrapper around massdns written in GO. |
|
| sitadel |
123.e4d9ed4 |
Web Application Security Scanner. |
|
| sitediff |
3.1383935 |
Fingerprint a web app using local files as the fingerprint sources. |
|
| skipfish |
2.10b |
A fully automated, active web application security reconnaissance tool. |
|
| smplshllctrlr |
9.2baf390 |
PHP Command Injection exploitation tool. |
|
| smuggler |
23.2be871e |
An HTTP Request Smuggling / Desync testing tool written in Python 3. |
|
| smuggler-py |
1.0 |
Python tool used to test for HTTP Desync/Request Smuggling attacks. |
|
| snallygaster |
243.ece8e7b |
Tool to scan for secret files on HTTP servers. |
|
| snuck |
6.76196b6 |
Automatic XSS filter bypass. |
|
| sourcemapper |
37.467916e |
Extract JavaScript source trees from Sourcemap files. |
|
| spaf |
11.671a976 |
Static Php Analysis and Fuzzer. |
|
| sparty |
0.1 |
An open source tool written in python to audit web applications using sharepoint and frontpage architecture. |
|
| spiga |
655.c5e3d31 |
Configurable web resource scanner. |
|
| spike-proxy |
148 |
A Proxy for detecting vulnerabilities in web applications |
|
| spipscan |
69.4ad3235 |
SPIP (CMS) scanner for penetration testing purpose written in Python. |
|
| sprayingtoolkit |
60.82e2ec8 |
Scripts to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient. |
|
| sqid |
0.3 |
A SQL injection digger. |
|
| sqlmap |
1.8.8 |
Automatic SQL injection and database takeover tool |
|
| ssrf-sheriff |
2.f95d691 |
A simple SSRF-testing sheriff written in Go. |
|
| ssrfmap |
115.36eb5a3 |
Automatic SSRF fuzzer and exploitation tool. |
|
| stews |
1.0.0.r7.gc7bba5a |
A Security Tool for Enumerating WebSockets. |
|
| striker |
85.87c184d |
An offensive information and vulnerability scanner. |
|
| subjs |
45.76ce9ec |
Fetches javascript file from a list of URLS or subdomains. |
|
| themole |
0.3 |
Automatic SQL injection exploitation tool. |
|
| tidos-framework |
v2.0.beta2.r22.g4098187 |
Offensive Web Application Penetration Testing Framework. |
|
| tinja |
1.1.4.r0.gb470b21 |
CLI tool for testing web pages for template injection vulnerabilities. |
|
| torcrawl |
127.568a859 |
Crawl and extract (regular or onion) webpages through TOR network. |
|
| tplmap |
719.616b0e5 |
Automatic Server-Side Template Injection Detection and Exploitation Tool. |
|
| typo3scan |
v1.2.final.r0.g0c4ec73 |
Enumerate Typo3 version and extensions. |
|
| uncaptcha2 |
7.473f33d |
Defeating the latest version of ReCaptcha with 91% accuracy. |
|
| uppwn |
9.f69dec4 |
A script that automates detection of security flaws on websites' file upload systems'. |
|
| urlcrazy |
v0.7.3.r0.g93e910c |
Generate and test domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage. |
|
| urldigger |
02c |
A python tool to extract URL addresses from different HOT sources and/or detect SPAM and malicious code |
|
| urlextractor |
19.739864d |
Information gathering & website reconnaissance. |
|
| vane |
1899.48f9ab5 |
A vulnerability scanner which checks the security of WordPress installations using a black box approach. |
|
| vanguard |
0.1 |
A comprehensive web penetration testing tool written in Perl thatidentifies vulnerabilities in web applications. |
|
| vbscan |
39.2b1ce48 |
A black box vBulletin vulnerability scanner written in perl. |
|
| vega |
1.0 |
An open source platform to test the security of web applications. |
|
| vsvbp |
6.241a7ab |
Black box tool for Vulnerability detection in web applications. |
|
| vulnerabilities-spider |
1.426e70f |
A tool to scan for web vulnerabilities. |
|
| vulnx |
321.bcf451d |
Cms and vulnerabilites detector & An intelligent bot auto shell injector. |
|
| w13scan |
430.432b835 |
Passive Security Scanner. |
|
| wafninja |
25.379cd98 |
A tool which contains two functions to attack Web Application Firewalls. |
|
| wafp |
0.01_26c3 |
An easy to use Web Application Finger Printing tool written in ruby using sqlite3 databases for storing the fingerprints. |
|
| wafpass |
50.4211785 |
Analysing parameters with all payloads' bypass methods, aiming at benchmarking security solutions like WAF. |
|
| wapiti |
3.2.0.r18.ge1fe1b0e |
A vulnerability scanner for web applications. |
|
| wascan |
37.6926338 |
Web Application Scanner. |
|
| waybackpack |
113.3616aee |
Download the entire Wayback Machine archive for a given URL. |
|
| wcvs |
1.2.1.r0.g08865ff |
Web Cache Vulnerability Scanner is a Go-based CLI tool for testing for web cache poisoning. |
|
| web-soul |
2 |
A plugin based scanner for attacking and data mining web sites written in Perl. |
|
| webanalyze |
121.707f3a4 |
Port of Wappalyzer (uncovers technologies used on websites) in go to automate scanning. |
|
| webborer |
173.b323cf4 |
A directory-enumeration tool written in Go. |
|
| webhandler |
348.1bd971e |
A handler for PHP system functions & also an alternative 'netcat' handler. |
|
| webkiller |
42.d680598 |
Tool Information Gathering Write By Python. |
|
| webshells |
46.e8e1a37 |
Web Backdoors. |
|
| webslayer |
5 |
A tool designed for brute forcing Web Applications. |
|
| webtech |
1.3.3 |
Identify technologies used on websites. |
|
| webxploiter |
56.c03fe6b |
An OWASP Top 10 Security scanner. |
|
| weevely |
902.ff906a1 |
Weaponized web shell. |
|
| weirdaal |
331.c14e36d |
AWS Attack Library. |
|
| whatwaf |
392.b14e866 |
Detect and bypass web application firewalls and protection systems. |
|
| whichcdn |
22.5fc6ddd |
Tool to detect if a given website is protected by a Content Delivery Network. |
|
| wig |
574.d5ddd91 |
WebApp Information Gatherer. |
|
| witchxtool |
1.1 |
A perl script that consists of a port scanner, LFI scanner, MD5 bruteforcer, dork SQL injection scanner, fresh proxy scanner, and a dork LFI scanner. |
|
| wordpress-exploit-framework |
907.e55ded4 |
A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems. |
|
| wpforce |
88.b72ec64 |
Wordpress Attack Suite. |
|
| wpintel |
6.741c0c9 |
Chrome extension designed for WordPress Vulnerability Scanning and information gathering. |
|
| wpscan |
3.8.26 |
Black box WordPress vulnerability scanner |
|
| wpseku |
39.862fb2c |
Simple Wordpress Security Scanner. |
|
| ws-attacker |
1.7 |
A modular framework for web services penetration testing. |
|
| wssip |
75.56d0d2c |
Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa. |
|
| wuzz |
229.66176b6 |
Interactive cli tool for HTTP inspection. |
|
| x8 |
v4.1.0.r2.g6ee4532 |
Hidden parameters discovery suite. |
|
| xmlrpc-bruteforcer |
35.6023237 |
An XMLRPC brute forcer targeting Wordpress written in Python 3. |
|
| xspear |
144.57bb7b4 |
Powerful XSS Scanning and Parameter analysis tool&gem. |
|
| xsrfprobe |
575.b051d78 |
The Prime Cross Site Request Forgery Audit and Exploitation Toolkit. |
|
| xss-freak |
17.e361766 |
An XSS scanner fully written in Python3 from scratch. |
|
| xsscon |
45.ce91fd6 |
Simple XSS Scanner tool. |
|
| xsscrapy |
153.4966255 |
XSS spider - 66/66 wavsep XSS detected. |
|
| xsser |
1.8 |
A penetration testing tool for detecting and exploiting XSS vulnerabilites. |
|
| xssless |
45.8e7ebe1 |
An automated XSS payload generator written in python. |
|
| xsspy |
60.b10d336 |
Web Application XSS Scanner. |
|
| xsss |
0.40b |
A brute force cross site scripting scanner. |
|
| xssscan |
17.7f1ea90 |
Command line tool for detection of XSS attacks in URLs. Based on ModSecurity rules from OWASP CRS. |
|
| xsssniper |
79.02b59af |
An automatic XSS discovery tool |
|
| xsstrike |
467.f292787 |
An advanced XSS detection and exploitation suite. |
|
| xssya |
13.cd62817 |
A Cross Site Scripting Scanner & Vulnerability Confirmation. |
|
| xwaf |
162.c6f6bb7 |
Automatic WAF bypass tool. |
|
| xxxpwn |
10.27a2d27 |
A tool Designed for blind optimized XPath 1 injection attacks. |
|
| xxxpwn-smart |
6.b11b95b |
A fork of xxxpwn adding further optimizations and tweaks. |
|
| yaaf |
7.4d6273a |
Yet Another Admin Finder. |
|
| yasuo |
121.994dcb1 |
A ruby script that scans for vulnerable & exploitable 3rd-party web applications on a network. |
|
| yawast |
0.11.0 |
The YAWAST Antecedent Web Application Security Toolkit. |
|
| ycrawler |
0.1 |
A web crawler that is useful for grabbing all user supplied input related to a given website and will save the output. It has proxy and log file support. |
|
| ysoserial |
0.0.6 |
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. |
|
| zaproxy |
2.15.0 |
Integrated penetration testing tool for finding vulnerabilities in web applications |
|