How to Analyze the Application of an Automated Web Penetration Testing Framework

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article looks at how to apply an automated web penetration testing framework. It describes the tool and its setup in detail, in the hope of helping readers who face this problem find a simpler and more workable approach.

About Vajra

Vajra is an automated web penetration testing framework that helps security researchers automate tedious reconnaissance tasks and run the same scans against multiple targets during web application penetration testing. It is highly customizable: researchers can define the scan scope and, rather than running every scan against a target, choose only the scan tasks they need, which minimizes unnecessary traffic. Scan results are written to CouchDB.

Vajra uses the most common open source tools that many security researchers use when conducting security tests. Vajra does all the work through the Web browser and provides an easy-to-use user interface and a beginner-friendly functional framework.

As we all know, analyzing the data from scan results is very important in penetration testing, and only when that data is visualized in an appropriate way can we find as much valuable information as possible.

Currently, the Vajra developers have added 27 unique bug bounty features, and more will be added later.

Core functions

Highly targeted scanning can be performed

Run multiple scan tasks in parallel

Scanning tasks can be highly customized according to user requirements

Absolutely beginner-friendly Web UI

Fast scanning speed (asynchronous scanning)

Export the results in CSV format or copy them directly to the clipboard

Telegram notification support

What can Vajra do?

Subdomain scan with IP, status code, and title

Subdomain name takeover scan

Port scan

Host discovery

Host parameter scan

24/7 subdomain monitoring

24/7 JavaScript monitoring

Perform a template scan using Nuclei

Fuzz endpoints to find hidden endpoints or critical files (for example, .env)

Extract JavaScript

Fuzzing with a custom generated wordlist

Extract sensitive data, such as API keys and hidden JavaScript

Detect invalid links

Filter endpoints based on extension

Favicon hash

GitHub Dork

CORS scanning

CRLF scanning

403 bypass

Find hidden parameters

Google Hacking

Shodan search query

Extract hidden endpoints from JavaScript

Create a target-based custom word list

Vulnerability scanning

CVE scanning

CouchDB stores all scan output

Tool installation

Manual installation

$ git clone --recursive https://github.com/r3curs1v3-pr0xy/vajra.git

# sudo su (root access is required)

# cd vajra/tools/ && chmod +x *

# cd ../

# nano .env (Update username, password, and JWT Secret)

# cd ./install

# chmod +x ./install.sh

# ./install.sh

Run using Docker-Compose

First, we need to clone the project source code locally using the following command:

git clone --recursive https://github.com/r3curs1v3-pr0xy/vajra.git

Next, modify the configuration file, add API tokens, and so on. Then run the following command:

docker-compose up
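Both install paths above depend on the credentials set in .env (username, password, JWT secret), so it is worth checking that file before starting the stack. The following pre-flight check is an added example, not part of Vajra or the original article; the key names in its sample, the 24-character minimum and the placeholder list are assumptions.

```shell
#!/bin/sh
# Added example: audit a .env file for weak credentials before deployment.
# MIN_LEN and the placeholder list are assumptions, not Vajra requirements.
MIN_LEN=24

# Prints one line per weak entry; returns 1 if any were found, 0 otherwise.
audit_env() {
    weak=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac    # skip blanks and comments
        key=${line%%=*}; val=${line#*=}
        [ "$key" = "$line" ] && continue           # no '=' on this line
        val=${val#\"}; val=${val%\"}               # strip surrounding quotes
        val=${val#\'}; val=${val%\'}
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        # Only credential-like keys are audited (password, JWT secret).
        case $lkey in *pass*|*secret*) ;; *) continue ;; esac
        lval=$(printf '%s' "$val" | tr 'A-Z' 'a-z')
        case $lval in
            ''|admin|password|changeme|secret|root|test)
                echo "WEAK $key: empty or placeholder value"
                weak=1; continue ;;
        esac
        if [ "${#val}" -lt "$MIN_LEN" ]; then
            echo "WEAK $key: ${#val} chars, want >= $MIN_LEN"
            weak=1
        fi
    done < "$1"
    return "$weak"
}

# 32 random bytes as 64 hex characters, usable as a JWT signing secret.
gen_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Constructed sample with hypothetical key names, then the audit run on it.
sample=$(mktemp)
printf '%s\n' 'USERNAME=operator' 'PASSWORD=admin' 'JWT_SECRET="s3cr3t"' > "$sample"
audit_env "$sample" || echo "Fix the entries above, e.g. with: $(gen_secret)"
rm -f "$sample"
```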

If you want to modify and update the file, you need to run the following command again:

docker-compose build

docker-compose up

Sample usage of the tool

Full scan:

Scan results:

Subdomain name scan:

Sub-domain name monitoring:

This concludes the look at how to apply an automated web penetration testing framework. I hope the above content is of some help to you.
