## Auto-pentest

A modular framework, based on python-requests, for semi-automating simple web pen-testing. The pwntools of web.

### Rationale

Websites are many, testers are few. Good automation can set a minimum standard for web dev and quickly and efficiently iron out the simple derp moments developers have. A super simple example of this would be adding this as a VCS hook that runs a set of common user/pass combos when deploying a backend or db update to a production environment.

### Goals

1. Have a solution that can run a basic set of tests with little to no input on a given target.
2. Extend this solution to include custom tests, provided in a human-readable format *(that maybe gets interpreted into Python? This might not be feasible otherwise, as it would need an interpreter)*
3. Create a small library of tests as examples/baselines/PoC
4. Continuous testing environment - Gym for pentesters, maybe use/adapt webgoat
5. Build target identification functionality: given a scope, it can find login fields, search functionality that might be vulnerable to information disclosure, *identify old unused endpoints (maybe - this seems like a separate project)*, etc.

### The dream

As a webhook:

```python
import auto_pentest as ap  # "auto-pentest" is not a valid Python module name

TARGET = "super-secure.org"
user_names = ["admin", "CEO", "IT_people"]

l_form = ap.find_login_forms(TARGET)  # Magic target id to find login form
for pword in ap.dumb_passwords:  # rockyou or something idk
    for user in user_names:  # Probably needs to be defined by org
        _, success = ap.try_login(l_form, user=user, password=pword)
        if success:
            no_pr_for_you()  # hypothetical hook action: reject the PR
```
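One way the target-identification step (goal 5, and the `find_login_forms` call in the dream) could work on a single fetched page. This is an added example, not code from the original paste or from Auto-pentest itself. `FormFinder`, `classify_forms`, `SEARCH_NAMES`, the sample HTML and the `staging.example.test` host are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

SEARCH_NAMES = {"q", "query", "search"}  # assumption: common search field names

class FormFinder(HTMLParser):
    """Collect each <form> with its resolved action, method and input fields."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.forms, self._cur = base_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": urljoin(self.base_url, a.get("action") or ""),
                         "method": (a.get("method") or "get").lower(),
                         "inputs": []}
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append(((a.get("type") or "text").lower(),
                                        (a.get("name") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def classify_forms(html, base_url):
    """Return (login_forms, search_forms) for one HTML document."""
    finder = FormFinder(base_url)
    finder.feed(html)
    login, search = [], []
    for form in finder.forms:
        types = {t for t, _ in form["inputs"]}
        names = {n for _, n in form["inputs"]}
        if "password" in types:          # a password field marks a login form
            login.append(form)
        elif "search" in types or names & SEARCH_NAMES:
            search.append(form)
    return login, search

# Constructed sample page, not taken from any real site.
SAMPLE = """
<form action="/search"><input type="search" name="q"></form>
<form action="/session" method="POST"><input name="user">
  <input type="password" name="pass"></form>
<form action="/newsletter" method="post"><input type="email" name="mail"></form>
"""

if __name__ == "__main__":
    login, search = classify_forms(SAMPLE, "https://staging.example.test/")
    print(login, search)
```

The newsletter form in the sample is the negative case: it has neither a password field nor a search-like field, so it lands in neither list.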