Webapp Exploit Hunter

Intelligent web application vulnerability scanner. Context-aware testing that adapts to the target's technology stack.

Important

CRITICAL: Only test web applications you have explicit authorization to test (pentest agreement, bug bounty program, or own infrastructure).

Instructions

Step 1: Target Setup

Accept input as:

1. Single domain or URL
2. List of domains/URLs (from recon-dominator output or manual list)
3. Specific endpoint to test

For each target, determine:

• Is it in scope?
• What technology stack is it running? (use tech_fingerprint.py from recon-dominator or fingerprint inline)
• Are there any testing restrictions (rate limits, no automated scanning, etc.)?

Step 2: Crawling and Endpoint Discovery

python scripts/crawler.py --target {url} --depth 3

Intelligent crawling:

1. Spider all linked pages up to configured depth
2. Extract forms and input parameters
3. Identify API endpoints from JavaScript files
4. Parse robots.txt and sitemap.xml for hidden paths
5. Fuzz for common hidden endpoints

Output: Structured map of all endpoints with parameters.

Step 3: Parameter Classification

For each discovered parameter, classify:

• Input type: string, numeric, email, URL, file path, JSON, XML
• Reflection: Is input reflected in response? Where? (HTML body, attribute, JS, header)
• Sink type: Database query, file system, HTTP request, template, command, redirect
• Authentication: Does the endpoint require auth?

This classification determines which vulnerability tests are relevant.

Step 4: Vulnerability Testing

Run tests based on parameter classification. Order by severity:

4a. SQL Injection

python scripts/sqli_tester.py --target {url} --params {param_file}

Test types:

• Error-based: Single quote, double quote, comment injection
• Boolean-based blind: True/false condition comparison
• Time-based blind: SLEEP/WAITFOR/pg_sleep injection
• UNION-based: Column count detection + data extraction
• Second-order: Stored input used later in queries

For each finding: extract DBMS type, confirm exploitability, extract sample data as PoC.

4b. Cross-Site Scripting (XSS)

python scripts/xss_tester.py --target {url} --params {param_file}

Context-aware payloads:

• HTML body: <script>, <img onerror>, <svg onload>
• HTML attribute: Event handlers, attribute breaking
• JavaScript context: String breaking, template literals
• URL context: javascript: protocol, data: URIs
• CSS context: expression(), url()

Test for:

• Reflected XSS (immediate response)
• Stored XSS (submit then check display page)
• DOM-based XSS (analyze client-side JS)

Bypass techniques: encoding, case variation, tag alternatives, WAF bypass patterns.

4c. Server-Side Request Forgery (SSRF)

python scripts/ssrf_tester.py --target {url} --params {param_file}

Test URL/redirect parameters for:

• Internal network access: 127.0.0.1, 0.0.0.0, localhost
• Cloud metadata: 169.254.169.254 (AWS), metadata.google.internal (GCP)
• Internal services: common ports on internal IPs
• Protocol smuggling: file://, gopher://, dict://
• Bypass techniques: decimal IP, hex IP, DNS rebinding, URL parsing tricks

4d. Insecure Direct Object Reference (IDOR)

python scripts/idor_tester.py --target {url} --endpoints {endpoint_file}

For endpoints with IDs (numeric, UUID, sequential):

• Test horizontal access: Change ID to access other users' resources
• Test vertical access: Access admin-only endpoints with regular user
• Test with different HTTP methods (GET vs POST vs PUT vs DELETE)
• Pattern detection: Sequential IDs, predictable UUIDs, encoded IDs

4e. Server-Side Template Injection (SSTI)

python scripts/ssti_tester.py --target {url} --params {param_file}

Template engine detection and exploitation:

• Jinja2: {{7*7}}, {{config}}, {{''.__class__.__mro__}}
• Twig: {{7*7}}, {{_self.env.registerUndefinedFilterCallback("system")}}
• Freemarker: ${7*7}, <#assign ex="freemarker.template.utility.Execute"?new()>
• ERB: <%= 7*7 %>, <%= system('id') %>
• Smarty: {php}system('id');{/php}

Polyglot detection: ${{<%[%'"}}%\.

4f. Authentication and Session Testing

python scripts/auth_tester.py --target {url}

Test for:

• Default credentials (based on detected technology)
• Password reset flaws (token prediction, no rate limit)
• Session fixation
• JWT vulnerabilities (none algorithm, weak secret, key confusion)
• OAuth/OIDC misconfigurations (open redirect, token leakage)
• 2FA bypass patterns

4g. File Upload Testing

python scripts/upload_tester.py --target {url} --upload-endpoint {endpoint}

Bypass techniques:

• Double extension: shell.php.jpg
• Null byte: shell.php%00.jpg
• Content-Type manipulation
• Magic bytes injection (GIF89a + PHP)
• Polyglot files (valid image + valid PHP)
• Case variation: .pHp, .PhP
• Alternative extensions: .phtml, .php5, .phar

4h. Race Condition Testing

python scripts/race_tester.py --target {url} --endpoint {endpoint}

Test on:

• Financial transactions (double spend)
• Coupon/discount application
• Account creation (duplicate accounts)
• File operations (TOCTOU)

Method: Send N parallel requests to same endpoint simultaneously.

Step 5: PoC Generation

For each confirmed vulnerability:

python scripts/generate_poc.py --findings {findings_file}

Generate:

1. curl command that demonstrates the vulnerability
2. Python script for automated exploitation
3. Step-by-step reproduction guide
4. Screenshot description (what to look for in response)
5. Impact assessment (CVSS score, business impact)

Step 6: Report Generation

python scripts/vuln_report.py --findings {findings_file} --format {md|json}

Bug bounty ready report per finding:

• Title (vulnerability type + location)
• Severity (Critical/High/Medium/Low with CVSS)
• URL and parameter affected
• Reproduction steps
• PoC (curl/script)
• Impact description
• Remediation recommendation

Error Handling

WAF Blocking Requests

If requests are blocked:

1. Reduce request rate: --delay 2
2. Use WAF bypass payloads: --waf-bypass
3. Rotate User-Agent headers: --random-ua
4. If persistent, inform user and suggest manual testing approach

Authentication Required

If endpoints require authentication:

1. Ask user for session cookie or auth token
2. Use: --cookie "session=abc123" or --header "Authorization: Bearer token"
3. If no creds available, test only unauthenticated endpoints

Rate Limiting

If 429 errors occur:

1. Scripts auto-adjust rate with exponential backoff
2. Override with: --rate-limit 1 (1 request per second)
3. For bug bounty: always respect program's rate limit policy

Examples

Example 1: Full Scan on Single Domain

User says: "Find all vulnerabilities on app.example.com"

Actions:

1. Crawl the application
2. Classify all parameters
3. Run all applicable test modules
4. Generate PoCs for findings
5. Produce report

Example 2: Targeted XSS Hunt

User says: "Test for XSS on example.com/search?q="

Actions:

1. Focus on the search parameter
2. Determine reflection context
3. Test context-appropriate payloads
4. Try WAF bypass if blocked
5. Generate PoC for any finding

Example 3: Bug Bounty Scope Scan

User says: "Scan these 20 subdomains for the HackerOne program"

Actions:

1. Verify all targets are in scope
2. Crawl each subdomain
3. Prioritize testing by technology/attack surface
4. Respect rate limits
5. Generate bug bounty formatted report for each finding