Webnuke is a console-based Python application useful when pentesting web-based applications.
var msg="hello world"; alert(msg); @@@
To escape back to menu
HTML tools menu
The HTML tools can be used to expose hidden form elements and can also control the browser by clicking every HTML element on the page.
The click every element option can take a bit of time to complete but can be helpful for flushing out URLs for the site.
The type 'test' option is useful when dealing with Ajax calls.
- Show hidden form elements
- Turn password fields into text
- Turn css visibility on for all HTML elements
- Click every element on the page
- Type 'test' into every text box
- Run all js functions without args
The main advantage of the AngularJS option is the ability to attempt data extraction from any service or API defined using the AngularJS ngResource class within the AngularJS web application.
- Show Main Application Name
- Show Routes (Urls to things!)
- Show Dependencies
- Show Main Classes
- Show All Classes
- Test classes relying on ngResource
Spider will crawl the current URL using the awesome KitchenSinks resource by FuzzDB.
- Set Url to spider
- Run Kitchensinks in foreground
The followme option is useful for testing authenticated access. It opens another browser instance and visits the URLs being visited by the original browser instance.
- Log in as a user
- Activate followme
- Click around the web application using the browser that's currently logged in
- URLs visited will be loaded in the unauthenticated second browser instance
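The comparison a tester makes after a followme session can be written down as a triage rule. This is an added example, not part of Webnuke: the observation format, the `/login` path and the sample responses are constructed assumptions.

```python
import hashlib
from urllib.parse import urlparse

LOGIN_PATH = "/login"  # assumption: where this application sends anonymous users
REDIRECTS = (301, 302, 303, 307, 308)


def digest(body: str) -> str:
    """Hash a response body so stored records can be compared cheaply."""
    return hashlib.sha256(body.encode()).hexdigest()


def classify(auth, anon):
    """Compare one URL's logged-in response with its anonymous replay.

    Each argument is a (status, location_header, body) tuple.
    """
    a_status, _, a_body = auth
    n_status, n_location, n_body = anon
    if n_status in (401, 403):
        return "protected"
    if n_status in REDIRECTS and urlparse(n_location or "").path == LOGIN_PATH:
        return "protected"
    if a_status == 200 and n_status == 200 and digest(a_body) == digest(n_body):
        # Same content without a session: the access control check is missing.
        return "exposed"
    # Different 200 body, other redirect, error page: needs a human look.
    return "review"


# Constructed observations: url -> (authenticated response, anonymous replay)
OBSERVATIONS = {
    "/account": ((200, None, "<h1>alice</h1>"), (302, "/login?next=/account", "")),
    "/api/orders": ((200, None, '{"orders":[1,2]}'), (200, None, '{"orders":[1,2]}')),
    "/admin": ((200, None, "<h1>Admin</h1>"), (403, None, "Forbidden")),
    "/help": ((200, None, "<p>Help for alice</p>"), (200, None, "<p>Help</p>")),
}


def report(observations):
    """Return {url: verdict} for every observed URL."""
    return {url: classify(auth, anon) for url, (auth, anon) in observations.items()}


if __name__ == "__main__":
    for url, verdict in report(OBSERVATIONS).items():
        print(f"{verdict:10} {url}")
```

Any URL reported as `exposed` is a route whose server-side authorization check should be fixed; `review` entries need manual comparison because a 200 response can still be a soft login page.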
The brute option will attempt to brute force login screens. First the user has to identify the login and password fields by supplying nukeuser into the username field and nukepass into the password field.
The username and password list is limited and left to the user to supply/code.