Web exploitation and reconnaissance framework.
Sixty-nine TypeScript modules spanning OWASP Top 10, MITRE ATT&CK web vectors, and custom attack chains. Covers SQL injection (error/union/blind/time/OOB across 5 DB engines), SSTI with 19 template engine fingerprints, JWT attacks (7 vectors), GraphQL introspection fuzzing, HTTP/2 single-packet race conditions, and WebSocket injection. Proxy-aware fetch layer with Tor SOCKS5 rotation. ASN.1-level AJP Ghostcat probe bypasses HTTP WAFs entirely.
scroll to access
Kill_Chain_Position
Capabilities
SQLi — 5 injection types
Error-based, UNION, boolean blind, time-based, and DNS OOB across MySQL, PostgreSQL, MSSQL, Oracle, SQLite
SSTI — 19 engine fingerprints
Jinja2, Twig, Pebble, Freemarker, Velocity, Struts OGNL, Spring EL, Thymeleaf, Mako, Tornado, Smarty, Blade, Handlebars, EJS, Nunjucks, Pug, ERB, Slim
JWT — 7 attack vectors
alg:none, RS256→HS256 confusion, weak-secret brute, kid injection (SQLi/path traversal), jku JWKS spoofing, claim tampering, expired token acceptance
AJP Ghostcat (CVE-2020-1938)
Binary AJP protocol on port 8009 bypasses HTTP WAF entirely — reads WEB-INF/web.xml, application.properties directly
CVE-targeted probing
Tech fingerprinting → live CVE database → active exploit probes with probe-confirmed vs version-match confidence tiers
GraphQL introspection fuzzer
Schema introspection → typed injection across every argument with rate-limited mutation probing
HTTP/2 single-packet race
PortSwigger 2023 technique — concurrent requests in a single TCP packet to exploit time-of-check/time-of-use
IAM privilege escalation
23 AWS escalation paths; GCP enumeration via bearer token; SSRF → IMDS credential extraction for AWS, GCP, Azure
Architecture
Sixty-nine TypeScript modules across 8 directories: webapp/ (15 attack modules), cloud/ (4), network/ (2), api/ (5), post/ (5), mobile/ (1 mobile API bridge), pipeline/ (1 orchestrator), lib/ (7 shared utilities). All modules import from src/lib/: logger.ts (structured JSON logger), rhttp.ts (proxy-aware fetch wrapping Node.js native fetch), proxy-rotator.ts (SOCKS5/HTTP/HTTPS rotation with failure tracking), delay.ts (human-like Gauss jitter + retry). The webapp-pipeline runs Crawl → Headers → SQLi → XSS → Auth → CmdI → IDOR → JWT → CVE in sequence. redteam-pipeline.ts orchestrates the full kill chain: Recon → Cloud → Privesc → API → Credential → Report. tsc --noEmit typechecking with strict mode.
Engagement_Types
Also_In_The_Suite
Secure_Channel
All work requires a signed scope document. Initial contact is encrypted. Response within 48h.
INITIALIZE_CONTACT