How to analyze the application of automated web penetration testing framework

WBOY
2023-05-15 13:46:14

About Vajra

Vajra is an automated web penetration testing framework that helps security researchers automate tedious reconnaissance tasks and run the same scans against multiple targets during web application penetration testing. Vajra is highly customizable and lets researchers define the scanning scope. Not every scan has to be run against a target: we can select only the scan tasks we need, which minimizes unnecessary traffic. Scan results are written to CouchDB.

Vajra relies on common open source tools that many security researchers already use during security testing. All tasks are carried out through a web browser, with an easy-to-use user interface and a beginner-friendly feature set.

As we all know, analyzing the data in scan results is a very important part of penetration testing. Only when the data is visualized in an appropriate way can we find as much valuable information as possible.

Currently, Vajra’s developers have added 27 unique bug bounty program features, with more support to be added later.

Core functions

Can perform highly targeted scans;

Run multiple scan tasks in parallel;

Can highly customize scan tasks according to user requirements;

Absolutely beginner-friendly Web UI;

Fast scanning (asynchronous scanning);

Export results in CSV format or copy directly to clipboard;

Telegram notification support;

What can Vajra do?

Subdomain scanning using IP, status code and header;

Subdomain takeover scanning;

Port scanning;

Host discovery;

Host parameter scanning;

24/7 subdomain monitoring;

24/7 JavaScript monitoring;

Use Nuclei to perform template scanning;

Fuzz endpoints to discover hidden endpoints or critical files (e.g. .env);

Extract JavaScript;

Use a custom generated dictionary for fuzz testing;

Extract sensitive data such as API keys and hidden JavaScript;

Detect invalid links;

Filter endpoints based on extensions;

Favicon hash;

GitHub Dork;

CORS scanning;

CRLF scanning;

403 bypass;

Find hidden parameters;

Google Hacking;

Shodan search query;

Extract hidden endpoints from JavaScript;

Create target-based custom word lists;

Vulnerability scanning;

CVE scan;

CouchDB stores all scan output results;

Manual installation

$ git clone --recursive https://github.com/r3curs1v3-pr0xy/vajra.git

$ sudo su    # root access is required

# cd vajra/tools/ && chmod +x *

# cd ../

# nano .env    # update the username, password, and JWT secret

# cd ./install

# chmod +x ./install.sh

# ./install.sh

Running with Docker Compose

First, clone the project source code locally with the following command:

git clone --recursive https://github.com/r3curs1v3-pr0xy/vajra.git

Next, modify the configuration file, add API tokens, etc. Then run the following command:

docker-compose up

If you modify or update any files afterwards, rebuild and start the containers again:

docker-compose build

docker-compose up
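
A pre-flight check for the `.env` step above (username, password, JWT secret) and the API tokens added before `docker-compose up`, as an added example that is not part of the original article or the Vajra project. The key names in the constructed sample and the 16-character minimum are assumptions; the script flags empty, default-like or short credential values and a file mode other than 600 or 400.

```shell
#!/usr/bin/env bash
# Added example: audit a .env file before running install.sh or docker-compose up.
# Assumption: key names are NOT Vajra's; any key containing SECRET, PASS, TOKEN
# or KEY is treated as a credential.
MIN_LEN=16   # assumed minimum acceptable length for a credential value

# audit_env FILE: prints one finding per line; exit status = number of findings.
audit_env() {
    local file="$1" findings=0 line key val perms
    # A secrets file readable by group or others is itself a finding.
    perms=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$perms" in
        600|400) ;;
        *) echo "PERMS: mode $perms, expected 600"; findings=$((findings + 1)) ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac    # skip blanks and comments
        key=${line%%=*}
        val=${line#*=}
        val=${val#\"}; val=${val%\"}                 # strip optional double quotes
        case "$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')" in
            *SECRET*|*PASS*|*TOKEN*|*KEY*) ;;
            *) continue ;;                           # not a credential-like key
        esac
        if [ -z "$val" ]; then
            echo "EMPTY: $key"; findings=$((findings + 1))
        elif printf '%s\n' "$val" | grep -Eixq 'admin|password|secret|changeme|root|test|123456'; then
            echo "DEFAULT-LIKE: $key"; findings=$((findings + 1))
        elif [ "${#val}" -lt "$MIN_LEN" ]; then
            echo "SHORT: $key (${#val} chars, want >= $MIN_LEN)"; findings=$((findings + 1))
        fi
    done < "$file"
    return "$findings"
}

# write_sample FILE: constructed sample input, not a real configuration.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample .env
APP_USERNAME=operator
APP_PASSWORD=admin
JWT_SECRET=short
API_TOKEN=3f9c1e7a5b2d4c6e8f0a1b3c5d7e9f10
EOF
}
sample=$(mktemp)
write_sample "$sample" && chmod 644 "$sample"
audit_env "$sample" || echo "findings: $?"
rm -f "$sample"
```

Replacement values can be generated with `openssl rand -hex 32`, and `chmod 600 .env` clears the permissions finding.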

Tool usage example

Complete scan: [screenshot]

Scan result: [screenshot]

Subdomain scan: [screenshot]

Subdomain monitoring: [screenshot]

Statement:
This article is reproduced from yisu.com. If there is any infringement, please contact admin@php.cn to have it deleted.