RDPHijack-BOF – Cobalt Strike Beacon Object File (BOF) That Uses WinStationConnect API To Perform Local/Remote RDP Session Hijacking

Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. With a valid access token / kerberos ticket (e.g., golden ticket) of the session owner, you will be able to hijack the session remotely without dropping any beacon/tool on the target server. To enumerate sessions locally/remotely, you could useRead More

Java-Remote-Class-Loader – Tool to send Java bytecode to your victims to load and execute using Java ClassLoader together with Reflect API

This tool allows you to send Java bytecode in the form of class files to your clients (or potential targets) to load and execute using Java ClassLoader together with Reflect API. The client receives the class file from the server and return the respective execution output. Payloads must be written in Java and compiled beforeRead More

CATS – REST API Fuzzer And Negative Testing Tool For OpenAPI Endpoints

REST API fuzzer and negative testing tool. Run thousands of self-healing API tests within minutes with no coding effort! Comprehensive: tests are generated automatically based on a large number scenarios and cover every field and header Intelligent: tests are generated based on data types and constraints; each Fuzzer have specific expectations depending on the scenarioRead More

TrelloC2 – Simple C2 Over The Trello API

Simple C2 over Trello’s API (Proof-of-Concept) By: Fabrizio Siciliano (@0rbz_) Update 12/30/2019 Removed hardcoded API key and Token, use input() instead. Requirements Python 3.x Setup Create a Trello account: https://trello.com/signup Once logged in, get your API key: https://trello.com/app-key Generate a Token (same page as app-key, follow the “Token” link) Save both API key and Token,Read More

VAmPI – Vulnerable REST API With OWASP Top 10 Vulnerabilities For Security Testing

The Vulnerable API (Based on OpenAPI 3)  VAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs. It was created as I wanted a vulnerable API to evaluate the efficiency of tools used to detect security issues in APIs. It includes a switch on/off toRead More

Dora – Find Exposed API Keys Based On RegEx And Get Exploitation Methods For Some Of Keys That Are Found

Features Blazing fast as we are using ripgrep in backend Exploit/PoC steps for many of the API key, allowing to write a good report for bug bounty hunting Unlike many other API key finders, dora also shows the path to the file and the line with context for easier analysis Can easily be implemented intoRead More

Requests-Ip-Rotator – A Python Library To Utilize AWS API Gateway’s Large IP Pool As A Proxy To Generate Pseudo-Infinite IPs For Web Scraping And Brute Forcing

A Python library to utilize AWS API Gateway’s large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing. This library will allow the user to bypass IP-based rate-limits for sites and services. X-Forwarded-For headers are automatically randomised and applied unless given. This is because otherwise, AWS will send theRead More

vAPI – Vulnerable Adversely Programmed Interface Which Is Self-Hostable API That Mimics OWASP API Top 10 Scenarios Through Exercises

vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios in the means of Exercises. Requirements PHP MySQL PostMan MITM Proxy Installation (Docker) docker-compose up -d Installation (Manual) Copying the Code cd <your-hosting-directory> git clone https://github.com/roottusk/vapi.git Setting up the Database Import vapi.sql into MySQL Database Configure the DBRead More

HybridTestFramework – End To End Testing Of Web, API And Security

Full-fledged WEB, API and Security testing framework using selenium,ZAP OWASP proxy and rest-assured Supported Platforms This framework supports WebUi automation across a variety of browsers like Chrome, Firefox, IE, no only limited to this but extended to test rest api, security and visual testing. Capabilities Cross browser testing support Added browserstack support for CrossBrowser testingRead More