Web Discovery

ApacheTomcatScanner: A python script to scan for Apache Tomcat server vulnerabilities.

bypass-cf: This tool is a simple bypass for a website running Cloudflare, achieved by finding the origin IP of the domain. By doing so we are able to access the website without going through Cloudflare's IP.

dirsearch: Dirsearch is a mature command-line tool designed to brute force directories and files in webservers.

feroxbuster: A simple, fast, recursive content discovery tool written in Rust.

feroxbuster -H "User-Agent: PENTEST" -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://192.168.10.10/

kiterunner: Contextual Content Discovery Tool. Kiterunner is a tool that is capable of not only performing traditional content discovery at lightning fast speeds, but also bruteforcing routes/endpoints in modern applications.

# Just have a list of hosts and no wordlist
kr scan hosts.txt -A=apiroutes-210328:20000 -x 5 -j 100 --fail-status-codes 400,401,404,403,501,502,426,411

# You have your own wordlist but you want assetnote wordlists too
kr scan target.com -w routes.kite -A=apiroutes-210328:20000 -x 20 -j 1 --fail-status-codes 400,401,404,403,501,502,426,411

# Bruteforce like normal but with the first 20000 words
kr brute https://target.com/subapp/ -A=aspx-210328:20000 -x 20 -j 1

# Use a dirsearch style wordlist with %EXT%
kr brute https://target.com/subapp/ -w dirsearch.txt -x 20 -j 1 -exml,asp,aspx,ashx -D

CMSmap: CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool.

cmsmap.py https://example.com
cmsmap.py https://example.com -f W -F --noedb -d
cmsmap.py https://example.com -i targets.txt -o output.txt
cmsmap.py https://example.com -u admin -p passwords.txt
cmsmap.py -k hashes.txt -w passwords.txt

droopescan: A plugin-based scanner that aids security researchers in identifying issues with several CMS (SilverStripe, WordPress, Drupal).

drupwn: Drupwn claims to provide an efficient way to gather Drupal information.

magescan: The idea behind this is to evaluate the quality and security of a Magento site you don't have access to, for example the scenario when you're interviewing a potential developer or vetting a new client and want to have an idea of what you're getting into.

moodlescan: Tool for scanning vulnerabilities in Moodle platforms.

wpscan: WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.

IIS-ShortName-Scanner: The latest version of the scanner for the IIS short file name (8.3) disclosure vulnerability, which uses the tilde (~) character.

- Example 0 (to see if the target is vulnerable):
  java -jar iis_shortname_scanner.jar http://example.com/folder/

- Example 2 (uses 20 threads - recommended):
  java -jar iis_shortname_scanner.jar 2 20 http://example.com/folder/new%20folder/

relative-url-extractor: During reconnaissance (recon) it is often helpful to get a quick overview of all the relative endpoints in a file.

cat demo-file.js | ./extract.rb
...
/vulnerability-coordination-maturity-model/user_data
/mail_subscriptions/update_monthly_digest_subscription
/subscription.json?subscribe=true
/subscription.json?subscribe=false
/terms/finder
/resources/download-web-hacking-101
/settings/reputation/log
/plugins/servlet/webhooks
/secure/project/ViewProjects.jspa
...

XSStrike: Most advanced XSS scanner.

xsscrapy: XSS spider - 66/66 wavsep XSS detected.

dalfox: DalFox (Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang.

nginxpwner: Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities.
