Go Web Application Penetration Test
Switch branches/tags
Nothing to show
Clone or download
dzonerzy Merge pull request #5 from phra/patch-1
fix typo in cookie-httponly plugin
Latest commit fa3cb85 Apr 16, 2018

README.md

GOWAPT - Go Web Application Penetration Test

GOWAPT is the younger brother of wfuzz a swiss army knife of WAPT, it allow pentester to perform huge activity with no stress at all, just configure it and it's just a matter of clicks.

How to install

To install gowapt just type:

make
sudo make install

Usage

From the -h menu

Usage of gowapt:
  -H value
    	A list of additional headers
  -a string
    	Basic authentication (user:password)
  -c string
    	A list of cookies
  -d string
    	POST data for request
  -e string
    	A list of comma separated encoders (default "plain")
  -f string
    	Filter the results
  -from-proxy
    	Get the request via a proxy server
  -fuzz
    	Use the built-in fuzzer
  -p string
    	Use upstream proxy
  -plugin-dir string
    	Directory containing all scanning module
  -scanner
    	Run in scanning mode
  -ssl
    	Use SSL
  -t string
    	Template for request
  -threads int
    	Number of threads (default 10)
  -u string
    	URL to fuzz
  -w string
    	Wordlist file
  -x string
    	Extension file example.js

Examples

Scan http://www.example.com and filter all 200 OK requests

gowapt -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt -f "code == 200"

Scan http://www.example.com fuzzing vuln GET parameter looking for XSS (assume it had 200 tag with a legit request)

gowapt -u "http://www.example.com/?vuln=FUZZ" -w wordlist/Injections/XSS.txt -f "tags > 200"

Scan http://www.example.com fuzzing vuln POST parameter looking for XSS (assume it had 200 tag with a legit request)

gowapt -u "http://www.example.com/" -d "vuln=FUZZ" -w wordlist/Injections/XSS.txt -f "tags > 200"

Scan auth protected http://www.example.com and filter all 200 OK requests

gowapt -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt -f "code == 200" -a "user:password"

Scan http://www.example.com adding header Hello: world and filter all 200 OK requests

gowapt -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt -f "code == 200" -H "Hello: world"

Scan http://www.example.com using basic auth with user/pass guest:guest

gowapt -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt -a "guest:guest"

Scan http://www.example.com adding an extension

gowapt -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt -x myextension.js

Scan http://www.example.com through a proxy (like Burp):

gowapt -p "http://localhost:8080" -u "http://www.example.com/FUZZ" -w wordlist/general/common.txt

Scan http://www.example.com (received from proxy) and filter all 200 OK requests

gowapt --from-proxy -w wordlist/general/common.txt

Run scanner mode on http://www.example.com (received from proxy) with default plugins

gowapt --from-proxy --scanner --plugin-dir plugin/

Then open BurpSuite send the request you want to fuzz to repeater and set an upstream proxy to 127.0.0.1:31337 when you're ready click send, if everything was right you should see as response Request received by GOWAPT

Extension

Extension are an easy way to extend gowapt features, a JavaScript VM is the responsible for loading and executing extension files.

JS Api

Below a list of currently implemented API

Method Number of params Description Params
addCustomEncoder 2 Create a custom encoder to be used with wordlists Param1 -> EncoderName (string)
Param2 -> EncoderLogic (function)
panic 1 For debugging purpose crash the application Param1 -> PanicText (string)
dumpResponse 2 Dump a full request/response to disk, useful to save testcase Param1 -> ResponseObject (http.Response)
Param2 -> Path (string)
setHTTPInterceptor 1 Create an interceptor for outgoing HTTP Request and ingoing responses Param1 -> HTTPCallback (function) *
sendRequestSync * 4 Send an HTTP Request in a synchronous way Param1 -> Method (string)
Param2 -> Url (string)
Param3 -> PostData (string)
Param4 -> Headers (Object{Name:Value})

* PS: When using setHTTPInterceptor the callback method receive 3 parameters:

  • A request/response object
  • A result object
  • A flag object that indicate whenever the first object is a request or a response

Since the nature of sendRequestSync it will slow down the engine due to synchronous request so use moderately

More info on the example extension below:

example.js

/*
* Create a custom encoder called helloworld
*
* This encore just add the string "_helloworld" to every payload
* coming from the wordlist
*/
addCustomEncoder("helloworld", myenc);
/*
* Define the callback method for the helloworld encoder
*/
function myenc(data) {
	return data + "_helloword";
}
/*
* Create an HTTP interceptor
*
* The interceptor will hook every request / response
* is possible to modify request before send it, anyway the respose item
* it's just shadow copy of the one received from the server so no modification
* are possible
*
*
* request_response is an object which may contains both http.Request
* or http.Response , to know which on is contained check is_request flag
*
* REMEMBER! request_response is an http.* object so you must interact with
* this one just like you would do in golang!
*
* dumpResponse is a built-in function which dump full request-response to
* disk.
* result is an object filled with stats about the response it contains some fields
*
* result.tags => Number of tags in the response
* result.code => HTTP Response status
* result.words => Number of words in the response
* result.lines => Number of lines in the response
* result.chars => Number of chars in the response
* result.request => Full dump of the request
* result.response => Full dump of the response
* result.response => The injected payload
*
*/
setHTTPInterceptor(function(request_response, result, is_request){
	if(is_request){
		request_response.Header.Set("Hello", "world")
	}else{
		dumpResponse(request_response, "/tmp/dump.txt")
		/*
		* Send an HTTP request in a synchronous way
		*
		* This API accept 4 parameters:
		* method => GET | POST | HEAD | PUT | PATCH | UPDATE
		* url => The url of the HTTP service
		* post_data => The content of request bodyBytes
		* headers => A javascript dictionary {headerName => headerValue}
		*
		* The response object may be null or undefined or an http.Response from golang
		*/
		var response = sendRequestSync("GET", "http://example.com/", null, {"Fake": "Header"})
	}
})

Scanner

A new mode called Scanner was introduced with the latest commit , it allow user to create fully customizable plugins in order to perform active web scanning for more info read the Wiki!.

Wordlists

Wordlists comes from wfuzz project! so thanks much guys!

Look&Feel

asciicast

Encoders

Below the list of encoders available

  • url (URL encode)
  • urlurl (Double URL encode)
  • html (HTML encode)
  • htmlhex (HTML hex encode)
  • unicode (Unicode encode)
  • hex (Hex encode)
  • md5hash (MD5 hash)
  • sha1hash (SHA1 hash)
  • sha2hash (SHA2 hash)
  • b64 (Base64 encode)
  • b32 (Base32 encode)
  • plain (No encoding)

Filters

You can apply filters on the following variables

  • tags (Number of tags)
  • lines (Number of lines of response body)
  • words (Number of words of response body)
  • length (Size of response body)
  • code (HTTP status code)
  • chars (Number of chars of response body)

License

gowapt is released under the GPL 3.0 license and it's copyleft of Daniele 'dzonerzy' Linguaglossa