WebSeekurity is a multi-platform tool that can be used to assess the security of Web applications that interact with a server via AMF/SOAP over HTTP. In particular, Adobe Flex applications can be audited thanks to this software.The tool acts as a client that can be used to communicate with the backend server to test. It enables to send requests to this server and to receive the corresponding responses. WebSeekurity attempts to discover and identify potential server-side vulnerabilities: weak authentication and authorization mechanisms, information leakage, vulnerability to SQL injections, etc.Several modes are proposed: Manual, Automatic and Fuzzing. The Manual mode enables to create a request from scratch. The Automatic mode is used to discover the services and methods made available by the application in an automated manner. Finally, fuzzing can be performed thanks to the last mode.WebSeekurity is released under the GNU GPLv2 license.

Python 2.7 (not compatible with Python 3.0 or greater)

Mini MySqlat0r

Mini MySqlat0r is a multi-platform application used to audit web sites in order to discover and exploit SQL injection vulnerabilities. It is written in Java and is used through a user-friendly GUI that contains three distinct modules.

The Crawler modules allows the user to view the web site structure and gather all tamper able parameters. These parameters are then sent to the Tester module that tests all parameters for SQL injection vulnerabilities. If any are found, they are then sent to the Exploiter module that can exploit the injections to gather data from the database.

Mini MySqlat0r can be used on any platform running the Java environment and is distributed under licence GPL.


The Java runtime environment is necessary to use Mini MySqlat0r:
Java JRE


XSSploit is a multi-platform Cross-Site Scripting scanner and exploiter written in Python. It has been developed to help discovery and exploitation of XSS vulnerabilities in penetration testing missions.

When used against a website, XSSploit first crawls the whole website and identifies encountered forms. It then analyses these forms to automatically detect existing XSS vulnerabilities as well as their main characteristics.

The following elements are required by XSSploit:

Python 2.5
wxPython GUI toolkit


LFI_Fuzzploit is a simple tool to help in the fuzzing for, finding,and exploiting local file inclusions in Linux based PHP applications. Using special encoding and fuzzing techniques lfi_fuzzploit will scan for some known and some not so known LFI filter bypasses and exploits using some advanced encoding/bypass methods to try to bypass security and achieve its goal which is ultimately, exploiting a Local file inclusion.In addition to LFI_fuzzploit's fuzzing and encoding techniques, it also has built in methods for LFI exploitation including /proc/self/environ shell exploit, File descriptor shell and LFI shell via log injection. LFI_fuzzploit injects code using different command injection functions in the event that certain functions are disabled. Coded by nullbyt3.


Veracrypt Password Cracker
This script will go through a list of passwords and try these against the specified volume. If succeeded, it will mount the partition.

Note: This project is currently only working under Python 3.x on Windows and Linux systems.
Note: No dependencies are needed, but VeraCrypt has to be installed.


Kadabra is a automatic Local File Inclusion (also known as LFI) Exploiter and Scanner, written in C++ and a couple extern module in Python.



Ronin is a Ruby platform for vulnerability research and exploit development. Ronin allows for the rapid development and distribution of code, Exploits, Payloads, Scanners, etc, via Repositories.


Ronin provides users with a powerful Ruby Console, pre-loaded with powerful convenience methods. In the Console one can work with data and automate complex tasks, with greater ease than the command-line.



Jack is a web based ClickJacking PoC development assistance tool.
Jack makes use of static HTML and JavaScript.
Jack is web based and requires either a web server to serve its HTML and JS content or can be run locally. Typically something like Apache will suffice but anything that is able to serve HTML content to a browser will do. Simply download Jack's contents and open "index.html" with your browser locally and Jack is ready to go.



Zarp is a network attack tool centered around the exploitation of local networks. This does not include system exploitation, but rather abusing networking protocols and stacks to take over, infiltrate, and knock out. Sessions can be managed to quickly poison and sniff multiple systems at once, dumping sensitive information automatically or to the attacker directly. Various sniffers are included to automatically parse usernames and passwords from various protocols, as well as view HTTP traffic and more. DoS attacks are included to knock out various systems and applications. These tools open up the possibility for very complex attack scenarios on live networks quickly, cleanly, and quietly.



clusterd is an open source application server attack toolkit. Born out of frustration with current fingerprinting and exploitation methods, clusterd automates the fingerprinting, reconnaissance, and exploitation phases of an application server attack. See the wiki for more information.

Syndicate content