Project author: dzonerzy

Project description:
Go Web Application Penetration Test
Language: Go
Project address: git://github.com/dzonerzy/goWAPT.git
Created: 2017-12-05T19:32:43Z
Project community: https://github.com/dzonerzy/goWAPT

License: GNU General Public License v3.0



GOWAPT - Go Web Application Penetration Test

GOWAPT is the younger brother of wfuzz, a swiss army knife for web application penetration testing (WAPT). It lets a pentester run large fuzzing activities with no stress at all: configure it once and the rest is just a matter of a few commands.

How to install

To install gowapt just type:

  make
  sudo make install

Usage

From the -h menu:

  Usage of gowapt:
    -H value
          A list of additional headers
    -a string
          Basic authentication (user:password)
    -c string
          A list of cookies
    -d string
          POST data for request
    -e string
          A list of comma separated encoders (default "plain")
    -f string
          Filter the results
    -from-proxy
          Get the request via a proxy server
    -fuzz
          Use the built-in fuzzer
    -p string
          Use upstream proxy
    -plugin-dir string
          Directory containing all scanning modules
    -scanner
          Run in scanning mode
    -ssl
          Use SSL
    -t string
          Template for request
    -threads int
          Number of threads (default 10)
    -u string
          URL to fuzz
    -w string
          Wordlist file
    -x string
          Extension file, e.g. example.js

Examples

Scan http://www.example.com and keep only the 200 OK responses

  gowapt -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt -f "code == 200"

Scan http://www.example.com fuzzing the vuln GET parameter, looking for XSS (assuming the response to a legitimate request contained 200 tags, so a reflected payload adds tags on top of that baseline)

  gowapt -u "http://www.example.com/?vuln=FUZZ" -w wordlist/Injections/XSS.txt -f "tags > 200"

Scan http://www.example.com fuzzing the vuln POST parameter, looking for XSS (same assumption: a legitimate request returns 200 tags)

  gowapt -u "http://www.example.com/" -d "vuln=FUZZ" -w wordlist/Injections/XSS.txt -f "tags > 200"

Scan the auth-protected http://www.example.com and keep only the 200 OK responses

  gowapt -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt -f "code == 200" -a "user:password"

Scan http://www.example.com adding the header Hello: world and keep only the 200 OK responses

  gowapt -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt -f "code == 200" -H "Hello: world"

Scan http://www.example.com using basic auth with user/pass guest:guest

  gowapt -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt -a "guest:guest"

Scan http://www.example.com loading an extension

  gowapt -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt -x myextension.js

Scan http://www.example.com through an upstream proxy (such as Burp):

  gowapt -p "http://localhost:8080" -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt

Scan http://www.example.com (request received from the proxy) and keep only the 200 OK responses

  gowapt --from-proxy -w wordlist/general/common.txt -f "code == 200"

Run scanner mode on http://www.example.com (request received from the proxy) with the default plugins

  gowapt --from-proxy --scanner --plugin-dir plugin/

Then open Burp Suite, send the request you want to fuzz to Repeater, and set an upstream proxy to 127.0.0.1:31337.
When you are ready click Send; if everything is right you should see the response "Request received by GOWAPT".

Extension

Extensions are an easy way to extend gowapt's features; a JavaScript VM is responsible for loading and executing extension files.

JS API

Below is a list of the currently implemented API methods (number of parameters in parentheses):

  addCustomEncoder (2): Create a custom encoder to be used with wordlists
      Param1 -> EncoderName (string)
      Param2 -> EncoderLogic (function)

  panic (1): For debugging purposes, crash the application
      Param1 -> PanicText (string)

  dumpResponse (2): Dump a full request/response to disk, useful to save a test case
      Param1 -> ResponseObject (http.Response)
      Param2 -> Path (string)

  setHTTPInterceptor (1): Create an interceptor for outgoing HTTP requests and incoming responses *
      Param1 -> HTTPCallback (function)

  sendRequestSync (4): Send an HTTP request in a synchronous way **
      Param1 -> Method (string)
      Param2 -> Url (string)
      Param3 -> PostData (string)
      Param4 -> Headers (Object{Name:Value})

* When using setHTTPInterceptor the callback method receives 3 parameters:

  • A request/response object
  • A result object
  • A flag object that indicates whether the first object is a request or a response

** Because sendRequestSync is synchronous, every call blocks the engine and slows it down, so use it sparingly.

More info in the example extension below:

example.js

  /*
   * Create a custom encoder called helloworld
   *
   * This encoder just appends the string "_helloworld" to every payload
   * coming from the wordlist
   */
  addCustomEncoder("helloworld", myenc);
  /*
   * Define the callback method for the helloworld encoder
   */
  function myenc(data) {
      return data + "_helloworld";
  }
  /*
   * Create an HTTP interceptor
   *
   * The interceptor hooks every request / response.
   * It is possible to modify a request before it is sent; the response item,
   * however, is just a shadow copy of the one received from the server, so no
   * modification is possible.
   *
   * request_response is an object which may contain either an http.Request
   * or an http.Response; to know which one is contained, check the is_request flag.
   *
   * REMEMBER! request_response is an http.* object, so you must interact with
   * it just like you would in Go!
   *
   * dumpResponse is a built-in function which dumps the full request/response
   * to disk.
   * result is an object filled with stats about the response; it contains these fields:
   *
   * result.tags     => Number of tags in the response
   * result.code     => HTTP response status
   * result.words    => Number of words in the response
   * result.lines    => Number of lines in the response
   * result.chars    => Number of chars in the response
   * result.request  => Full dump of the request
   * result.response => Full dump of the response
   * result.response => The injected payload
   *
   */
  setHTTPInterceptor(function(request_response, result, is_request){
      if(is_request){
          request_response.Header.Set("Hello", "world")
      }else{
          dumpResponse(request_response, "/tmp/dump.txt")
          /*
           * Send an HTTP request in a synchronous way
           *
           * This API accepts 4 parameters:
           * method    => GET | POST | HEAD | PUT | PATCH | UPDATE
           * url       => The url of the HTTP service
           * post_data => The content of the request body
           * headers   => A javascript dictionary {headerName => headerValue}
           *
           * The returned object may be null or undefined or an http.Response from Go
           */
          var response = sendRequestSync("GET", "http://example.com/", null, {"Fake": "Header"})
      }
  })

Scanner

A new mode called Scanner was introduced with the latest commit. It allows the user to create fully customizable plugins in order to perform active web scanning; for more info read the Wiki!

Wordlists

The wordlists come from the wfuzz project, so many thanks to its authors!

Look&Feel

[asciicast: terminal recording of gowapt in action]

Encoders

Below is the list of available encoders; -e accepts a comma separated list, and the encoders are applied to each payload in the order given.

  • url (URL encode)
  • urlurl (Double URL encode)
  • html (HTML encode)
  • htmlhex (HTML hex encode)
  • unicode (Unicode encode)
  • hex (Hex encode)
  • md5hash (MD5 hash)
  • sha1hash (SHA1 hash)
  • sha2hash (SHA2 hash)
  • b64 (Base64 encode)
  • b32 (Base32 encode)
  • plain (No encoding)
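To make the encoder chain concrete, here is an added example in Go, written for this page and not gowapt's own code. It implements the encoders listed above with the standard library and applies a comma separated chain the way -e "hex,b64" would (left to right, so the payload is hex-encoded first and the result base64-encoded). The exact output formats gowapt uses for htmlhex and unicode, and the choice of url.QueryEscape (which turns a space into +), are assumptions; the tool's real output may differ in detail.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base32"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"html"
	"net/url"
	"strings"
)

// Encoder transforms one wordlist payload before it is injected at FUZZ.
type Encoder func(string) string

// hexOf is a small helper for the hash encoders: digest bytes -> lowercase hex.
func hexOf(sum []byte) string { return hex.EncodeToString(sum) }

// encoders maps the names from the Encoders list to an implementation.
// The output forms used for "htmlhex" (&#xHH;) and "unicode" (\uHHHH) are
// assumptions; the page does not show gowapt's exact format for them.
var encoders = map[string]Encoder{
	"plain":  func(s string) string { return s },
	"url":    url.QueryEscape,
	"urlurl": func(s string) string { return url.QueryEscape(url.QueryEscape(s)) },
	"html":   html.EscapeString,
	"htmlhex": func(s string) string {
		var b strings.Builder
		for _, r := range s {
			fmt.Fprintf(&b, "&#x%x;", r)
		}
		return b.String()
	},
	"unicode": func(s string) string {
		var b strings.Builder
		for _, r := range s {
			fmt.Fprintf(&b, "\\u%04x", r)
		}
		return b.String()
	},
	"hex":      func(s string) string { return hex.EncodeToString([]byte(s)) },
	"md5hash":  func(s string) string { sum := md5.Sum([]byte(s)); return hexOf(sum[:]) },
	"sha1hash": func(s string) string { sum := sha1.Sum([]byte(s)); return hexOf(sum[:]) },
	"sha2hash": func(s string) string { sum := sha256.Sum256([]byte(s)); return hexOf(sum[:]) },
	"b64":      func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) },
	"b32":      func(s string) string { return base32.StdEncoding.EncodeToString([]byte(s)) },
}

// ApplyEncoders applies a comma separated encoder chain (as given to -e) to one
// payload, left to right; an unknown encoder name is an error, not silently "plain".
func ApplyEncoders(payload, chain string) (string, error) {
	out := payload
	for _, name := range strings.Split(chain, ",") {
		name = strings.TrimSpace(name)
		enc, ok := encoders[name]
		if !ok {
			return "", fmt.Errorf("unknown encoder %q", name)
		}
		out = enc(out)
	}
	return out, nil
}

// EncodeWordlist encodes every payload of a wordlist with the same chain,
// which is what happens to each line of -w before FUZZ is substituted.
func EncodeWordlist(words []string, chain string) ([]string, error) {
	out := make([]string, 0, len(words))
	for _, w := range words {
		e, err := ApplyEncoders(w, chain)
		if err != nil {
			return nil, err
		}
		out = append(out, e)
	}
	return out, nil
}

func main() {
	// Constructed mini wordlist, not taken from gowapt's wordlist/ directory.
	words := []string{"<script>alert(1)</script>", "' OR 1=1--"}
	for _, chain := range []string{"plain", "url", "urlurl", "html", "hex,b64"} {
		encoded, err := EncodeWordlist(words, chain)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("-e %-8s %v\n", chain, encoded)
	}
}
```

Chaining matters for bypass work: "url" alone is what a browser would send, while "urlurl" is the classic double-encoding case for a target that decodes twice, and "hex,b64" shows that the order in the -e list is the order of application.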

Filters

You can apply filters on the following variables

  • tags (Number of tags)
  • lines (Number of lines of response body)
  • words (Number of words of response body)
  • length (Size of response body)
  • code (HTTP status code)
  • chars (Number of chars of response body)
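A filter such as "tags > 200" only makes sense relative to a baseline: you first observe the variables for a legitimate request, then keep the responses that deviate from them. The following Go example, added here and not part of gowapt, computes the six variables from a constructed response and evaluates single comparisons in the "variable operator number" form used in the examples above (==, !=, >, <, >=, <=). How gowapt itself counts a tag, a word or a line is not shown on the page, so the counting rules here are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"unicode/utf8"
)

// Stats holds the per-response variables a -f expression can reference.
type Stats struct {
	Tags, Lines, Words, Length, Code, Chars int
}

var tagRe = regexp.MustCompile(`<[^>]+>`)

// ComputeStats derives the filter variables from a status code and body.
// The counting rules (a tag is anything matching <...>, words are
// whitespace-separated fields, lines are newline-separated) are assumptions
// about how gowapt counts; its exact numbers may differ.
func ComputeStats(code int, body string) Stats {
	return Stats{
		Tags:   len(tagRe.FindAllStringIndex(body, -1)),
		Lines:  len(strings.Split(body, "\n")),
		Words:  len(strings.Fields(body)),
		Length: len(body),
		Code:   code,
		Chars:  utf8.RuneCountInString(body),
	}
}

func (s Stats) lookup(name string) (int, bool) {
	vars := map[string]int{"tags": s.Tags, "lines": s.Lines, "words": s.Words,
		"length": s.Length, "code": s.Code, "chars": s.Chars}
	v, ok := vars[name]
	return v, ok
}

var ops = map[string]func(a, b int) bool{
	"==": func(a, b int) bool { return a == b },
	"!=": func(a, b int) bool { return a != b },
	">":  func(a, b int) bool { return a > b },
	"<":  func(a, b int) bool { return a < b },
	">=": func(a, b int) bool { return a >= b },
	"<=": func(a, b int) bool { return a <= b },
}

// Filter is one parsed condition of the form "variable operator number".
type Filter struct {
	Var string
	Op  string
	Val int
}

var filterRe = regexp.MustCompile(`^\s*([a-z]+)\s*(==|!=|>=|<=|>|<)\s*(\d+)\s*$`)

// ParseFilter parses an expression such as "code == 200" or "tags > 200".
func ParseFilter(expr string) (Filter, error) {
	m := filterRe.FindStringSubmatch(expr)
	if m == nil {
		return Filter{}, fmt.Errorf("cannot parse filter %q", expr)
	}
	n, err := strconv.Atoi(m[3])
	if err != nil {
		return Filter{}, err
	}
	return Filter{Var: m[1], Op: m[2], Val: n}, nil
}

// Match reports whether the response stats satisfy the filter.
func (f Filter) Match(s Stats) (bool, error) {
	v, ok := s.lookup(f.Var)
	if !ok {
		return false, fmt.Errorf("unknown filter variable %q", f.Var)
	}
	return ops[f.Op](v, f.Val), nil
}

// Keep returns true when a response with this status and body passes -f expr.
func Keep(expr string, code int, body string) (bool, error) {
	f, err := ParseFilter(expr)
	if err != nil {
		return false, err
	}
	return f.Match(ComputeStats(code, body))
}

func main() {
	// Constructed responses (not from a real target): a legitimate page and
	// the same page with a reflected XSS payload.
	legit := "<html><body><p>hello world</p>\n<a>x</a>\n</body></html>"
	reflected := strings.Replace(legit, "hello world", "<script>alert(1)</script>", 1)
	// Same idea as the README's "tags > 200": keep only responses with more
	// tags than the legitimate page had.
	expr := fmt.Sprintf("tags > %d", ComputeStats(200, legit).Tags)
	for _, body := range []string{legit, reflected} {
		ok, err := Keep(expr, 200, body)
		fmt.Printf("%-40.40s %s -> keep=%v err=%v\n", body, expr, ok, err)
	}
}
```

The baseline page has 8 tags, so "tags > 8" drops it and keeps the response where the payload was reflected as real markup (10 tags); a payload that was HTML-escaped by the application adds no tags and is filtered out, which is exactly the signal you want from a tag-count filter. A malformed expression such as "code = 200" is rejected at parse time rather than silently matching nothing.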

License

gowapt is released under the GPL 3.0 license and is copyleft; copyright Daniele 'dzonerzy' Linguaglossa.