Skip to content

Suizer/Saudit

BranchesTags

Repository files navigation

Saudit

Autonomous web reconnaissance and vulnerability scanning framework. Passive-first, plugin-based pipeline designed for authorized penetration testing and security assessments.

Español — versión en español al final del documento.

Installation

pip install -e .

Requires Python 3.9+. External tool dependencies (ffuf, nuclei, masscan, wafw00f) are installed automatically on first use.

Scan presets

Saudit is organized around four progressive presets. Each one extends the previous.

initial → web-basic → web-authenticated → web-advanced

1. initial — Passive-first recon

No brute-force. Safe to run as the first step on any authorized target.

saudit -t https://app.example.com -p initial

Covers:

  • HTTP fingerprinting — technology detection, WAF detection, NTLM endpoint discovery
  • SSL/TLS — certificate inspection and subdomain discovery
  • JS analysis — static analysis for secrets, endpoints and source maps (jsfuzzer), vulnerable libraries (retirejs)
  • API discovery — Swagger/OpenAPI and GraphQL introspection
  • Secrets — hardcoded secrets in HTTP headers/cookies (badsecrets)
  • Security posture — security headers audit, robots.txt, security.txt
  • Source code exposure — exposed .git detection, Git repo download, external repo link discovery, self-hosted GitLab enumeration
  • Nuclei — technology fingerprinting templates only (mode: technology)
  • Stack advisor — detects CMS, framework, server, language and WAF per host; emits a STACK_PROFILE event consumed by other modules and targeted advisory FINDING events for ai_review

Timing: ~20–40 min on a medium-sized target.

2. web-basic — Standard web audit (no credentials)

Extends initial with active enumeration.

saudit -t https://app.example.com -p web-basic

# Custom wordlist
saudit -t https://app.example.com -p web-basic \
  -c modules.ffuf.wordlist=/opt/wordlists/my-list.txt

Adds:

  • 403 bypass — common bypass techniques against forbidden resources
  • Subdomain takeover — dangling DNS detection (baddns)
  • Directory discovery — ffuf with raft-medium (5 000 lines), depth 2, file extensions: php,asp,aspx,txt,bak,config
  • File harvesting — downloads exposed PDFs, DOCX, ZIP, SQL dumps, keys, configs and extracts their text content
  • API probing — active canary injection on endpoints discovered by swagger/graphql
  • Nuclei overridden to severe mode — runs all critical+high severity templates (not just technology-specific)

Timing: +45–90 min on top of initial. Full web-basic run: 1–1.5 hours on a medium target.

3. web-authenticated — Authenticated audit

Requires an active session. Extends web-basic with parameter mining and fuzzing.

# Bearer token
saudit -t https://app.example.com -p web-authenticated --bearer <token>

# Cookie
saudit -t https://app.example.com -p web-authenticated -C session=abc123

Adds:

  • Session validation — verifies the provided credentials are actually authenticated before proceeding
  • Parameter mining — GET params, headers and cookie parameter discovery
  • Reflected parameters — confirms which parameters reflect in responses
  • SQLi on APIs — error-based SQLi probe on discovered API endpoints
  • Lightfuzz — parameter fuzzing for SQLi, XSS, SSTI, SSRF, path traversal, CMDi, ESI, crypto

ai_review automatically recommends the appropriate lightfuzz sub-preset based on signals found during the scan.

Timing: +1–2 hours on top of web-basic.

4. web-advanced — Full aggressive audit

All modules active. Authorized targets with explicit written approval only.

saudit -t https://app.example.com -p web-advanced -C session=abc123

Adds:

  • Host header injection
  • SSRF probing
  • HTTP request smuggling
  • URL manipulation bypasses
  • Lightfuzz reconfigured: POST enabled, force-fuzz common headers, test each param instance individually, speculate params from JSON/XML responses

Optional sub-presets

Combine with any main preset using multiple -p flags.

Nuclei strategy

web-basic already runs nuclei in severe mode (critical+high). Add a sub-preset when you need broader or more targeted coverage:

# Full template library, directory roots only
saudit -t https://app.example.com -p web-basic -p nuclei

# Budget — ~10 requests per host (recommended when WAF is strict)
saudit -t https://app.example.com -p web-basic -p nuclei-budget

# Technology — only templates matching detected technologies
saudit -t https://app.example.com -p web-basic -p nuclei-technology

# Intense — all URLs, no directory_only restriction
saudit -t https://app.example.com -p web-basic -p nuclei-intense

Directory brute-force

# Aggressive recursive (depth 3, extensions, 5000-line wordlist)
saudit -t https://app.example.com -p web-basic -p ffuf-heavy

# IIS target
saudit -t https://app.example.com -p web-basic -p ffuf-heavy -p iis-shortnames

IIS / .NET stack

# Full IIS/.NET audit (Telerik, DotNetNuke, AjaxPro, shortnames, bin exposure)
saudit -t https://app.example.com -p web-basic -p dotnet-audit

stack_advisor recommends dotnet-audit automatically when IIS or ASP.NET is detected.

Parameter fuzzing

saudit -t https://app.example.com -p web-basic -p lightfuzz-xss        # XSS only
saudit -t https://app.example.com -p web-basic -p lightfuzz-light       # all vulns, no POST
saudit -t https://app.example.com -p web-basic -p lightfuzz-medium      # + paramminer + badsecrets + hunt
saudit -t https://app.example.com -p web-basic -p lightfuzz-heavy       # POST enabled
saudit -t https://app.example.com -p web-basic -p lightfuzz-superheavy  # maximum coverage

Sub-preset reference

Sub-preset Description
osint Full passive OSINT: crt.sh, SecurityTrails, VirusTotal, subfinder, GitHub, cloud buckets, Google Dorks, Wayback
nuclei Full Nuclei template library, directory roots only
nuclei-budget Nuclei budget mode (~10 req/host)
nuclei-technology Nuclei templates matching detected technologies only
nuclei-intense Nuclei against ALL discovered URLs
portscan TCP port scan + service fingerprinting (requires root)
dirbust-light Surface-level directory brute-force
ffuf-heavy Recursive directory brute-force (depth 3, extensions, 5000-line wordlist)
iis-shortnames IIS 8.3 shortname enumeration
dotnet-audit Full IIS/.NET audit: Telerik, DotNetNuke, AjaxPro, bin exposure
paramminer Parameter discovery only — GET params, headers, cookies
lightfuzz-xss Parameter fuzzing limited to XSS via GET
lightfuzz-light All vuln classes, no POST, minimal modules
lightfuzz-medium All vuln classes, no POST, adds paramminer + badsecrets + hunt
lightfuzz-heavy POST enabled, paramminer included
lightfuzz-superheavy Maximum — force headers, individual instances, speculate params

Recommended workflows

Unknown target, start here:

saudit -t https://app.example.com -p initial

Full passive OSINT:

SECURITYTRAILS_API_KEY=xxx VIRUSTOTAL_API_KEY=yyy \
  saudit -t https://app.example.com -p osint

Standard unauthenticated audit:

saudit -t https://app.example.com -p web-basic

Authenticated audit:

saudit -t https://app.example.com -p web-authenticated --bearer <token>

IIS / .NET target:

saudit -t https://app.example.com -p web-basic -p dotnet-audit

WordPress target:

saudit -t https://app.example.com -p web-basic -p nuclei-technology -m wpscan

WAF present — stay quiet:

saudit -t https://app.example.com -p web-basic -p nuclei-budget

Full progressive flow (typical engagement):

# Step 1 — passive recon
saudit -t https://app.example.com -p initial

# Step 2 — active unauthenticated audit
saudit -t https://app.example.com -p web-basic

# Step 3 — authenticated audit with obtained credentials
saudit -t https://app.example.com -p web-authenticated --bearer <token>

Re-run from previous scan (skip re-discovery):

saudit -t https://app.example.com -p web-authenticated \
  -m from_report -c modules.from_report.report_file=scan.json --bearer <token>

Full aggressive (approved):

saudit -t https://app.example.com -p web-advanced -p nuclei-intense --bearer <token>

Real-time AI triage

Every FINDING and VULNERABILITY event is automatically triaged as the scan runs. An LLM classifies each finding as validated or false_positive before it reaches the final report — eliminating noise without manual review.

Trigger rules:

  • Severity critical or high → always triaged
  • Severity medium on high-FP modules → triaged: github_recon, jsfuzzer, hunt, google_dorks, cloud_buckets, bypass403, baddns, retirejs

Result:

  • ai-false-positive tag → finding is silently dropped from ai_review and the report
  • ai-validated tag → finding proceeds with an ai_summary field added to its data

Backend: NVIDIA NIM → Gemini (fallback). Runs fire-and-forget; never blocks the scan.

Confidence threshold: findings with confidence < 0.5 are treated as false positives regardless of status.

RAG — Grounded payload knowledge base

Saudit includes a local retrieval-augmented knowledge base built from public pentest sources. When ai_review detects application technologies in HTTP responses (CMS, frameworks, languages), it automatically queries the index and injects matching payloads into the LLM prompt — eliminating hallucinated attack vectors.

Sources:

  • PayloadsAllTheThings — payloads and bypass techniques per vulnerability class
  • Nuclei templates — HTTP + SSL templates

One-time setup:

# 1) Install vector store
pip install chromadb

# 2) Pull embedding model (~274 MB, local only)
ollama pull nomic-embed-text

# 3) Build the index
python -m saudit.rag.index

Index stored at ~/.saudit/rag/chroma/. Override with SAUDIT_RAG_DB env var.

Refresh:

python -m saudit.rag.index                         # all sources, incremental
python -m saudit.rag.index -s payloadsallthethings  # single source
python -m saudit.rag.index --rebuild                # wipe and re-embed
python -m saudit.rag.index --list                   # show configured sources

Query standalone:

python -m saudit.rag.query "Laravel SQL injection bypass"
python -m saudit.rag.query "graphql introspection" -s nuclei-templates -k 5

The RAG is optional. If chromadb is not installed or the index has not been built, ai_review runs normally without the payload context block.

Performance note: Embedding requires GPU for acceptable speed. On CPU, use a lighter model: SAUDIT_RAG_EMBED_MODEL=all-minilm python -m saudit.rag.index

AI review

ai_review runs after the scan and produces a prioritized attack plan. It uses real target URLs, detected technologies, WAF context, and — when available — grounded payloads from the RAG index.

Backend priority:

  1. Ollama (local, free — preferred)
  2. Gemini (Google API)
  3. NVIDIA NIM (cloud, free tier — 1 000 req/month)
  4. Claude (Anthropic API)
  5. Skip (warn and exit cleanly if no backend available)

Setup:

# Ollama (recommended)
ollama pull qwen2.5-coder:7b

# Cloud backends — set any one or more
export GEMINI_API_KEY=...
export NVIDIA_API_KEY=...
export ANTHROPIC_API_KEY=...

What it produces:

  • Prioritized attack plan with exact bash commands using real discovered URLs
  • WAF-aware payloads with specific evasion techniques per vendor (Cloudflare, ModSecurity, Akamai, AWS WAF, F5, Imperva)
  • Source-map JS code review with targeted grep/curl commands
  • Hardcoded secrets and exposed sensitive files highlighted as critical
  • Grounded payload hints per detected technology (from RAG index, when available)
  • Next steps — specialized modules and manual actions with exact saudit commands

Override model or skip map review:

saudit -t https://app.example.com -p initial \
  -c modules.ai_review.ollama_model=llama3.1:8b \
  -c modules.ai_review.analyze_maps=false

CLI reference

Target:
  -t TARGET             Target URL, domain, or IP
  -w WHITELIST          In-scope whitelist (defaults to target)
  -b BLACKLIST          Exclude these hosts/paths
  --strict-scope        Disable subdomain expansion
  --bearer TOKEN        Authorization: Bearer <TOKEN> on every request
  -C cookie=value       Custom cookies

Presets:
  -p PRESET [PRESET ..]  One or more presets (main + optional sub-presets)
  -c key=value           Override config options
  -lp                    List all available presets

Modules:
  -m MODULE [MODULE ..]  Enable specific modules
  -f FLAG [FLAG ..]      Enable modules by flag (e.g. -f passive)
  -ef FLAG               Exclude modules with this flag
  -em MODULE             Exclude a specific module
  -l                     List all scan modules
  -lo                    List all output modules
  -lf                    List all flags
  -mh MODULE             Show all config options for a module

Scan:
  -n SCAN_NAME           Name the scan
  -y                     Skip confirmation prompt
  -s                     Silent mode
  -v / -d                Verbose / debug output
  --dry-run              Validate config without running
  --current-preset       Print the active preset YAML and exit

Output:
  -o DIR                 Output directory (default: ./<scan_name>/)
  -om MODULE [MODULE ..]  Output modules
  -j / --json            JSON output to stdout

HTTP:
  --proxy URL            HTTP/HTTPS proxy
  -H header=value        Custom request headers
  -ua USER_AGENT         Override User-Agent
  --custom-yara-rules    Additional YARA rules for secret detection

Modules

Scan modules

Module Preset Description
httpx initial HTTP crawler — required by most modules
robots initial Parse robots.txt
securitytxt initial Parse security.txt
ntlm initial NTLM endpoint detection (exposes AD domain info)
wafw00f initial WAF detection
sslcert initial SSL/TLS certificate inspection + subdomain discovery
oauth initial OAuth/OIDC endpoint discovery
azure_realm initial Azure tenant discovery
badsecrets initial Detect known/weak secrets in web frameworks
jsfuzzer initial JS static analysis — secrets, endpoints, source maps
retirejs initial Detect vulnerable JavaScript libraries
git initial Exposed .git directory detection
code_repository initial Detect links to external repos (GitHub, GitLab, Docker Hub)
gitdumper initial Download and reconstruct exposed Git repositories
gitlab_onprem initial Self-hosted GitLab detection and repo enumeration
swagger_probe initial OpenAPI/Swagger endpoint discovery
graphql_introspection initial GraphQL introspection
hunt initial Flag parameters commonly linked to injection vulns
security_headers initial HTTP security headers audit
nuclei initial (tech) / web-basic (severe) Nuclei template scanner
stack_advisor initial Detect full web stack (CMS, framework, server, WAF) and emit targeted recommendations
bypass403 web-basic 403 bypass techniques
baddns web-basic Subdomain takeover detection
ffuf web-basic Web directory/file brute-force
filedownload web-basic Download PDFs, DOCX, ZIP, SQL dumps, keys, configs
extractous web-basic Extract text from downloaded files
api_probe web-basic Active injection probe on discovered API endpoints
session_check web-authenticated Validate session before proceeding
paramminer_getparams web-authenticated GET parameter mining
paramminer_headers web-authenticated HTTP header parameter mining
paramminer_cookies web-authenticated Cookie parameter mining
reflected_parameters web-authenticated Reflected parameter detection
api_sqli_probe web-authenticated Error-based SQLi on API endpoints
lightfuzz web-authenticated Parameter fuzzer (SQLi, XSS, SSTI, SSRF, path, CMDi, ESI)
host_header web-advanced Host header injection
generic_ssrf web-advanced SSRF probing
smuggler web-advanced HTTP request smuggling
url_manipulation web-advanced URL normalization bypass
osint_enum osint Subdomain discovery via crt.sh + Shodan
securitytrails osint Historical DNS data (API key required)
virustotal osint Passive DNS subdomain discovery
subfinder osint Passive subdomain discovery (40+ sources)
github_recon osint GitHub leak search + public repo enumeration
cloud_buckets osint AWS S3, Azure Blob, GCP bucket enumeration
google_dorks osint Generate + execute Google Dorks
wayback osint Historical URL discovery via archive.org
portscan portscan TCP port scan (requires root)
fingerprintx portscan Service fingerprinting on open ports
iis_shortnames sub-preset IIS 8.3 shortname enumeration
ajaxpro sub-preset AjaxPro RCE detection
aspnet_bin_exposure sub-preset ASP.NET bin exposure
dotnetnuke sub-preset DotNetNuke vulnerability scan
telerik sub-preset Telerik UI vulnerability scan
wpscan standalone WordPress vulnerability scan
mendix_recon standalone Mendix access-control testing
from_report standalone Re-seed scan from a previous JSON output

Output modules

Module Description
html_report Self-contained HTML report (default in all presets)
ai_review AI-powered attack plan — WAF-aware commands, RAG payloads, lightfuzz recommendations
json NDJSON file (output.json, default in all presets)
stdout Plain-text terminal output

Configuration

Path Default Description
web.spider_distance 3 Max link hops from seed URL
web.spider_depth 5 Max directory depth
web.spider_links_per_page 30 Max links followed per page
modules.ffuf.wordlist raft-medium-directories ffuf wordlist URL or path
modules.ffuf.lines 5000 Max lines to read from wordlist
modules.ffuf.max_depth 2 Directory recursion depth
modules.ffuf.extensions php,asp,aspx,txt,bak,config File extensions to probe
modules.ffuf.rate 50 ffuf requests per second
modules.nuclei.mode technology (initial) / severe (web-basic) Nuclei run mode
modules.nuclei.tags "" (all) Nuclei template tags filter
modules.gitlab_onprem.api_key "" GitLab API token
modules.securitytrails.api_key "" SecurityTrails API key
modules.virustotal.api_key "" VirusTotal API key
dns.threads 25 DNS resolver threads
scope.strict false Disable subdomain expansion

Development

pip install -e .
pre-commit install

ruff check saudit/
ruff format saudit/

pytest --exitfirst --disable-warnings --log-cli-level=ERROR saudit/
pytest -k test_preset_module_resolution saudit/

Saudit (ES)

Framework autónomo de reconocimiento web y escaneo de vulnerabilidades. Pipeline pasivo-primero, basado en plugins, diseñado para pruebas de penetración y auditorías de seguridad autorizadas.

Instalación

pip install -e .

Requiere Python 3.9+. Las dependencias externas (ffuf, nuclei, masscan, wafw00f) se instalan automáticamente en el primer uso.

Presets de escaneo

Saudit se organiza en cuatro presets progresivos. Cada uno extiende al anterior.

initial → web-basic → web-authenticated → web-advanced

1. initial — Reconocimiento pasivo

Sin fuerza bruta. Seguro como primer paso en cualquier objetivo autorizado.

saudit -t https://app.example.com -p initial

Cubre:

  • Fingerprinting HTTP — detección de tecnología, WAF, endpoints NTLM
  • SSL/TLS — inspección de certificados y descubrimiento de subdominios
  • Análisis JS — análisis estático de secretos, endpoints y source maps (jsfuzzer), librerías vulnerables (retirejs)
  • Descubrimiento de APIs — Swagger/OpenAPI e introspección GraphQL
  • Secretos — secretos hardcodeados en headers/cookies HTTP (badsecrets)
  • Postura de seguridad — auditoría de security headers, robots.txt, security.txt
  • Exposición de código fuente — detección de .git expuesto, descarga de repos Git, detección de GitLab on-premise
  • Nuclei — solo templates de fingerprinting de tecnología (mode: technology)
  • Stack advisor — detecta CMS, framework, servidor, lenguaje y WAF por host; emite evento STACK_PROFILE consumido por otros módulos y FINDING de advisory para ai_review

Duración: ~20–40 min en un objetivo de tamaño medio.

2. web-basic — Auditoría web estándar (sin credenciales)

Extiende initial con enumeración activa.

saudit -t https://app.example.com -p web-basic

# Wordlist personalizada
saudit -t https://app.example.com -p web-basic \
  -c modules.ffuf.wordlist=/opt/wordlists/mi-lista.txt

Añade:

  • 403 bypass — técnicas de bypass contra recursos restringidos
  • Subdomain takeover — detección de DNS colgante (baddns)
  • Directory discovery — ffuf con raft-medium (5 000 líneas), depth 2, extensiones: php,asp,aspx,txt,bak,config
  • File harvesting — descarga PDFs, DOCX, ZIP, SQL dumps, claves, configs y extrae su contenido
  • API probing — inyección de canarios en endpoints descubiertos por swagger/graphql
  • Nuclei sobrescrito a modo severe — ejecuta todos los templates de severidad critical+high

Duración: +45–90 min sobre initial. web-basic completo: 1–1.5 horas en un objetivo medio.

3. web-authenticated — Auditoría autenticada

Requiere sesión activa. Extiende web-basic con minería de parámetros y fuzzing.

saudit -t https://app.example.com -p web-authenticated --bearer <token>
saudit -t https://app.example.com -p web-authenticated -C session=abc123

Añade:

  • Validación de sesión — verifica que las credenciales están autenticadas antes de continuar
  • Minería de parámetros — descubrimiento de params GET, headers y cookies
  • Parámetros reflejados — confirma qué parámetros se reflejan en respuestas
  • SQLi en APIs — sonda SQLi basada en errores sobre endpoints API descubiertos
  • Lightfuzz — fuzzing de parámetros para SQLi, XSS, SSTI, SSRF, path traversal, CMDi, ESI, crypto

Duración: +1–2 horas sobre web-basic.

4. web-advanced — Auditoría agresiva completa

Solo para objetivos autorizados con aprobación escrita explícita.

saudit -t https://app.example.com -p web-advanced -C session=abc123

Añade: inyección de Host header, sondeo SSRF, HTTP request smuggling, bypasses de URL. Lightfuzz reconfigurado con POST habilitado, headers forzados y especulación de parámetros.

Sub-presets opcionales

Nuclei

web-basic ya corre nuclei en modo severe. Añade un sub-preset cuando necesites más cobertura:

saudit -t https://app.example.com -p web-basic -p nuclei           # librería completa
saudit -t https://app.example.com -p web-basic -p nuclei-budget    # ~10 req/host (con WAF)
saudit -t https://app.example.com -p web-basic -p nuclei-technology # solo techs detectadas

IIS / .NET

saudit -t https://app.example.com -p web-basic -p dotnet-audit

Fuzzing de parámetros

saudit -t https://app.example.com -p web-basic -p lightfuzz-light      # sin POST
saudit -t https://app.example.com -p web-basic -p lightfuzz-medium     # + paramminer
saudit -t https://app.example.com -p web-basic -p lightfuzz-heavy      # POST habilitado
saudit -t https://app.example.com -p web-basic -p lightfuzz-superheavy # cobertura máxima

Referencia de sub-presets

Sub-preset Descripción
osint OSINT pasivo completo: crt.sh, SecurityTrails, VirusTotal, subfinder, GitHub, cloud buckets, Google Dorks, Wayback
nuclei Librería completa de templates Nuclei
nuclei-budget Modo budget (~10 req/host)
nuclei-technology Solo templates de tecnologías detectadas
nuclei-intense Nuclei contra todas las URLs descubiertas
portscan Escaneo TCP + fingerprinting de servicios (requiere root)
ffuf-heavy Brute-force recursivo (depth 3, extensiones, 5000 líneas)
dotnet-audit Auditoría completa IIS/.NET
lightfuzz-light Todas las clases de vuln, sin POST
lightfuzz-medium + paramminer + badsecrets + hunt
lightfuzz-heavy POST habilitado, paramminer incluido
lightfuzz-superheavy Cobertura máxima

Flujos de trabajo recomendados

# Objetivo desconocido
saudit -t https://app.example.com -p initial

# OSINT pasivo completo
SECURITYTRAILS_API_KEY=xxx saudit -t https://app.example.com -p osint

# Auditoría estándar sin credenciales
saudit -t https://app.example.com -p web-basic

# Auditoría autenticada
saudit -t https://app.example.com -p web-authenticated --bearer <token>

# Flujo completo de engagement
saudit -t https://app.example.com -p initial
saudit -t https://app.example.com -p web-basic
saudit -t https://app.example.com -p web-authenticated --bearer <token>

# Objetivo IIS/.NET
saudit -t https://app.example.com -p web-basic -p dotnet-audit

# WAF presente — modo silencioso
saudit -t https://app.example.com -p web-basic -p nuclei-budget

# Repetir desde escaneo anterior (sin re-descubrimiento)
saudit -t https://app.example.com -p web-authenticated \
  -m from_report -c modules.from_report.report_file=scan.json --bearer <token>

Triage de IA en tiempo real

Cada evento FINDING y VULNERABILITY se triagea automáticamente mientras el escaneo corre. Un LLM clasifica cada hallazgo como validated o false_positive antes de que llegue al informe final.

Reglas de activación:

  • Severidad critical o high → siempre se triagea
  • Severidad medium en módulos con alto FP → github_recon, jsfuzzer, hunt, google_dorks, cloud_buckets, bypass403, baddns, retirejs

Resultado:

  • Tag ai-false-positive → descartado silenciosamente del informe
  • Tag ai-validated → continúa con campo ai_summary añadido

Backend: NVIDIA NIM → Gemini (fallback). Fire-and-forget; nunca bloquea el escaneo.

RAG — Base de conocimiento de payloads

Base de conocimiento local de recuperación aumentada. Cuando ai_review detecta tecnologías de aplicación en respuestas HTTP (CMS, frameworks, lenguajes), consulta el índice e inyecta payloads reales en el prompt del LLM — eliminando vectores de ataque inventados.

Fuentes: PayloadsAllTheThings · Nuclei templates HTTP+SSL

Setup único:

pip install chromadb
ollama pull nomic-embed-text
python -m saudit.rag.index

Actualizar:

python -m saudit.rag.index                         # incremental
python -m saudit.rag.index --rebuild               # borrar y re-embeddear
python -m saudit.rag.index -s payloadsallthethings # una fuente

El RAG es opcional. Si no está disponible, ai_review funciona normalmente sin el bloque de payloads.

Nota de rendimiento: El embedding requiere GPU para velocidad aceptable. En CPU usa: SAUDIT_RAG_EMBED_MODEL=all-minilm python -m saudit.rag.index

AI review

Corre después del escaneo y produce un plan de ataque priorizado con comandos exactos, payloads con evasión de WAF por vendor, revisión de código JS con source maps y — cuando el RAG está disponible — hints de payloads específicos por tecnología detectada.

Prioridad de backends:

  1. Ollama (local, gratuito — preferido)
  2. Gemini (API de Google)
  3. NVIDIA NIM (cloud, tier gratuito — 1 000 req/mes)
  4. Claude (API de Anthropic)
  5. Skip (aviso y salida limpia)
ollama pull qwen2.5-coder:7b        # backend local recomendado
export GEMINI_API_KEY=...           # o cualquier backend cloud
export NVIDIA_API_KEY=...
export ANTHROPIC_API_KEY=...

Módulos

Módulo Preset Descripción
httpx initial Crawler HTTP — base para la mayoría de módulos
robots initial Parsear robots.txt
securitytxt initial Parsear security.txt
ntlm initial Detección de endpoints NTLM
wafw00f initial Detección de WAF
sslcert initial Certificados SSL/TLS + descubrimiento de subdominios
oauth initial Descubrimiento de endpoints OAuth/OIDC
azure_realm initial Descubrimiento de tenant Azure
badsecrets initial Secretos débiles/conocidos en frameworks web
jsfuzzer initial Análisis estático JS — secretos, endpoints, source maps
retirejs initial Librerías JavaScript vulnerables
git initial Detección de .git expuesto
code_repository initial Links a repos externos
gitdumper initial Descarga y reconstrucción de repos Git expuestos
gitlab_onprem initial GitLab on-premise — detección y enumeración de repos
swagger_probe initial Descubrimiento de endpoints OpenAPI/Swagger
graphql_introspection initial Introspección GraphQL
hunt initial Parámetros ligados a vulns de inyección
security_headers initial Auditoría de security headers HTTP
nuclei initial (tech) / web-basic (severe) Scanner de templates Nuclei
stack_advisor initial Stack completo (CMS, framework, servidor, WAF) + recomendaciones dirigidas
bypass403 web-basic Técnicas de bypass de 403
baddns web-basic Detección de subdomain takeover
ffuf web-basic Brute-force de directorios/archivos web
filedownload web-basic Descarga de archivos expuestos
extractous web-basic Extracción de texto de archivos descargados
api_probe web-basic Sonda activa en endpoints API descubiertos
session_check web-authenticated Validación de sesión
paramminer_getparams web-authenticated Minería de parámetros GET
paramminer_headers web-authenticated Minería de parámetros de headers
paramminer_cookies web-authenticated Minería de parámetros de cookies
reflected_parameters web-authenticated Detección de parámetros reflejados
api_sqli_probe web-authenticated SQLi en endpoints API
lightfuzz web-authenticated Fuzzer de parámetros (SQLi, XSS, SSTI, SSRF, path, CMDi, ESI)
host_header web-advanced Inyección de Host header
generic_ssrf web-advanced Sondeo SSRF
smuggler web-advanced HTTP request smuggling
url_manipulation web-advanced Bypass por normalización de URL
osint_enum osint Subdominios vía crt.sh + Shodan
securitytrails osint DNS histórico (requiere API key)
virustotal osint DNS pasivo vía VirusTotal
subfinder osint Subdominios pasivos (40+ fuentes)
github_recon osint Búsqueda de leaks en GitHub
cloud_buckets osint Buckets AWS S3, Azure Blob, GCP
google_dorks osint Generar + ejecutar Google Dorks
wayback osint URLs históricas vía archive.org
portscan portscan Escaneo TCP (requiere root)
fingerprintx portscan Fingerprinting de servicios en puertos abiertos
wpscan standalone Vulnerabilidades WordPress
mendix_recon standalone Control de acceso Mendix
from_report standalone Re-seed desde JSON de escaneo anterior

Configuración

Clave Valor por defecto Descripción
web.spider_distance 3 Máximo de saltos desde la URL semilla
web.spider_depth 5 Profundidad máxima de directorio
web.spider_links_per_page 30 Máximo de links por página
modules.ffuf.wordlist raft-medium-directories URL o ruta de wordlist
modules.ffuf.lines 5000 Máximo de líneas de la wordlist
modules.ffuf.max_depth 2 Profundidad de recursión
modules.ffuf.extensions php,asp,aspx,txt,bak,config Extensiones a probar
modules.ffuf.rate 50 Peticiones por segundo
modules.nuclei.mode technology (initial) / severe (web-basic) Modo de ejecución
modules.nuclei.tags "" (todos) Filtro de tags de templates
modules.gitlab_onprem.api_key "" Token API de GitLab
modules.securitytrails.api_key "" API key de SecurityTrails
modules.virustotal.api_key "" API key de VirusTotal
dns.threads 25 Threads del resolver DNS
scope.strict false Desactivar expansión de subdominios

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages