A simple framework for sending test payloads for known web CVEs.



The goal of this tool is to send PoC payloads to verify server-side attack detection solutions. If a payload is detected, the server side should return a specified HTTP status code.

This tool is not intended to actually exploit the vulnerability or to test for the existence of the vulnerability.
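The pass/fail rule described above (a payload counts as detected when the server answers with the specified status code) can be sketched as follows. This is an added example, not code from this project: the loopback stub server, the benign marker string, and all function names are assumptions, and the control request goes beyond what the page describes in order to catch a server that returns the detection code for every request.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "constructed-benign-marker"  # harmless stand-in, not a real payload
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy


class StubDetector(BaseHTTPRequestHandler):
    """Constructed stand-in for a detection layer: blocks requests with MARKER."""
    block_code = 406

    def do_GET(self):
        self.send_response(self.block_code if MARKER in self.path else 200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the console quiet
        pass


def status_of(url):
    """Return the HTTP status code, treating 4xx/5xx as results, not errors."""
    try:
        with OPENER.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_detection(base_url, expected=403):
    """Compare a benign control request with a marked request."""
    control = status_of(base_url + "/?q=hello")
    marked = status_of(base_url + "/?q=" + MARKER)
    if marked != expected:
        return "not detected"
    if control == expected:
        return "inconclusive"  # server answers `expected` to everything
    return "detected"


def run_against_stub(block_code, expected):
    """Start the stub on a loopback port, run the check, then shut it down."""
    handler = type("Handler", (StubDetector,), {"block_code": block_code})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_detection(f"http://127.0.0.1:{server.server_port}", expected)
    finally:
        server.shutdown()
        server.server_close()
```

An "inconclusive" result means the status code alone cannot distinguish detection from a blanket response, so a matching code on the marked request should be read together with the control.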



./ --url

Specify the response code that indicates detection (default is 403):

./ --url --status-code 406

Verbose (output CVE descriptions):

./ --url -v

Test a single CVE (with example output):

./ --url --status-code 406 --cve CVE-2017-9791 -v
The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution
via a malicious field value passed in a raw message to the ActionMessage.
        Test passed (406)
        Test passed (406)
        Test passed (406)
        Test passed (406)

Test for a group of CVEs. Groups are defined in groups.json.

./ --url --group struts

Test for a group type of CVEs. Types are defined in groups.json.

./ --url --type cms

List available groups or types.

./ --list group
./ --list type


Pull requests are welcome. Please use the existing CVE directories as examples of how you should structure your submission.
