The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits related to the web in minutes to users. Currently the features it has built in:
Storage Modes Supported:
- JIG
- SQLite
- MySQL
- MongoDB
- PostgreSQL
- MSSQL
Recon/Informational Modules:
- Whois
- Custom Web Requester (Generic Request Module) – Supports the following methods currently: GET/HEAD/TRACE/OPTIONS/POST
Payload Generation Modules:
- XSS Campaign Creator
- Payload Encoder and Decoder
- Client Side Obfuscator – Creates Unescaped content that is usable with native browser support. – Supports (HTML/CSS/JS)
- String Tools – Aids in generating random strings to be used in payloads e.g. SQL Injection, data type conversion etc.
- Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)
Exploitation Modules:
- LFI/RFI exploitation Module
- Cookie Theft Database Module for potency in stored XSS attacks.
Post Exploitation Modules:
- Web Herd (HTTP Bot tool to manage web shells)
The technologies powering this project :
It’s main principles are as follows :
- It should no have over-reliance , it should be able to adapt to environments its said to run in.
- Minimal use of non-stock packages.