External Projects & Open-Source Dependencies
BeDefended is built on top of industry-leading open-source security tools. This page lists all external projects, GitHub repositories, and their purposes within the platform.
Reconnaissance & Discovery Tools
ProjectDiscovery Suite
The ProjectDiscovery team maintains the most modern, actively developed reconnaissance tools:
| Tool | GitHub | Purpose |
|---|---|---|
| Subfinder | projectdiscovery/subfinder | Subdomain enumeration from passive sources |
| Httpx | projectdiscovery/httpx | HTTP/HTTPS probing and web server detection |
| Katana | projectdiscovery/katana | Web crawler with JavaScript execution |
| Dnsx | projectdiscovery/dnsx | DNS resolution and enumeration |
| Naabu | projectdiscovery/naabu | Fast port scanner |
| Nuclei | projectdiscovery/nuclei | Template-based vulnerability scanner (9000+ templates) |
| Alterx | projectdiscovery/alterx | Permutation-based subdomain generation |
| Uncover | projectdiscovery/uncover | Query Shodan, Censys, Fofa for exposed services |
| Asnmap | projectdiscovery/asnmap | Map ASN to IP ranges |
Internet Archive Tools
| Tool | GitHub | Purpose |
|---|---|---|
| Waybackurls | tomnomnom/waybackurls | Find historical URLs from Internet Archive |
| GAU | lc/gau | Get all URLs from multiple archive sources |
| Waymore | xnl-h4ck3r/waymore | Advanced archive searching (7 sources) |
Vulnerability Scanning Tools
| Tool | GitHub | Purpose |
|---|---|---|
| Nikto | sullo/nikto | Web server vulnerability scanner |
| SQLMap | sqlmapproject/sqlmap | SQL injection detection and exploitation |
| Dalfox | hahwul/dalfox | XSS vulnerability scanner |
| SSRFMAP | swisskyrepo/ssrfmap | SSRF attack payload generator |
| Commix | commixproject/commix | OS command injection detection |
| Arjun | s0md3v/Arjun | HTTP parameter discovery |
| NOMORE403 | devploit/nomore403 | 403 Forbidden bypass techniques |
| Garak | leondz/garak | LLM vulnerability scanner |
| Testssl.sh | drwetter/testssl.sh | TLS/SSL configuration scanner |
JavaScript Analysis Tools
| Tool | GitHub | Purpose |
|---|---|---|
| JSLuice | nevkontakte/jsluice | AST-based JavaScript analysis |
| LinkFinder | GerbenJavado/LinkFinder | Endpoint discovery from JavaScript |
| SecretFinder | m4ll0k/SecretFinder | Secret/API key extraction from JavaScript |
| JSHunter | jshunter/jshunter | JavaScript deobfuscation and entropy analysis |
| SubJS | lc/subjs | JavaScript file collector from domains |
| GetJS | 003random/getJS | Extract JavaScript from HTML and files |
Web Fuzzing & Parameter Discovery
| Tool | GitHub | Purpose |
|---|---|---|
| FFUF | ffuf/ffuf | Fast fuzzer for endpoint and parameter discovery |
| Puredns | d3mondev/puredns | DNS brute-force with validation |
Exploitation & PoC Tools
| Tool | GitHub | Purpose |
|---|---|---|
| YSOSerial | frohoff/ysoserial | Java deserialization payload generator |
| Hashcat | hashcat/hashcat | GPU-accelerated password cracking |
| Interactsh | projectdiscovery/interactsh | Out-of-band testing and interaction detection |
| Trufflehog | trufflesecurity/trufflehog | Secret detection in files and repositories |
| GitLeaks | gitleaks/gitleaks | Git secret scanning |
Mobile Security Tools
| Tool | GitHub | Purpose |
|---|---|---|
| APKTool | iBotPeaches/Apktool | Decode and rebuild Android APKs |
| JADX | skylot/jadx | Java decompiler for Android |
| DEX2JAR | ThexXTURBOXx/dex2jar | Convert Dalvik executable to JAR |
| Androguard | androguard/androguard | Python library for Android analysis |
| Frida | frida/frida | Dynamic instrumentation framework |
| Objection | sensepost/objection | Runtime mobile security testing |
| MobSF | MobSFTeam/Mobile-Security-Framework-MobSF | Automated mobile security testing framework |
Data Processing & Reporting Tools
| Tool | GitHub | Purpose |
|---|---|---|
| jq | stedolan/jq | JSON query and processing |
| Pandoc | jgm/pandoc | Universal document converter |
| Mermaid | mermaid-js/mermaid | Diagram generation from text |
Web Testing Platforms
Burp Suite Pro
Vendor: PortSwigger
Purpose: Industry-standard web proxy and testing suite
Integration: BeDefended routes all traffic through Burp when the `--proxy` flag is used
Features:
- Request interception and modification
- Automated scanner
- Repeater (request replay)
- Intruder (fuzzing)
- Burp AI Agent (53 MCP tools for AI-assisted testing)
Caido
GitHub: caido
Purpose: Modern web proxy alternative
Features:
- Fast, lightweight proxy
- Request replay
- Parameter extraction
- 47 CLI commands
Infrastructure & Runtime Tools
| Tool | Purpose | Repository |
|---|---|---|
| Docker | Containerization | moby/moby |
| Playwright | Browser automation | microsoft/playwright |
| Chromium | Headless browser | chromium/chromium |
| OpenSSL | TLS/cryptography | openssl/openssl |
| Curl | HTTP client | curl/curl |
| HTTPie | User-friendly HTTP client | httpie/httpie |
Supporting Libraries & Frameworks
| Library | GitHub | Purpose |
|---|---|---|
| Python 3 | python/cpython | Runtime environment |
| SecLists | danielmiessler/SecLists | Wordlists for fuzzing and enumeration |
| OWASP ModSecurity Core Rule Set | coreruleset/coreruleset | WAF rule set used in testing context |
Wordlists & Dictionaries
| Wordlist | GitHub | Purpose |
|---|---|---|
| SecLists | danielmiessler/SecLists | Comprehensive wordlists for all testing phases |
| raft wordlists | Included in SecLists | Directory and file discovery wordlists |
| API wordlists | Included in SecLists | API-specific parameter and endpoint wordlists |
How to Contribute to Dependencies
If you find bugs or improvements for any of the above tools:
- Report issues directly on the tool's GitHub repository
- Submit pull requests with improvements
- Share with BeDefended: Let us know how you've improved a tool (we may integrate your improvements)
License Compliance
All tools used by BeDefended are open-source under permissive licenses:
- MIT License (most tools)
- Apache 2.0 (some tooling)
- GPL (some tools)
See individual repositories for specific license details. Commercial tools (Burp Suite Pro) are used where superior capabilities justify licensing costs.
Tool Version Management
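The BeDefended Dockerfile pins specific tool versions for reproducibility:

```dockerfile
# Build and install subfinder from its Go module path.
# Note: @latest resolves to the newest release at build time.
RUN go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# "==" installs exactly the stated release of the named package.
RUN pip3 install nuclei==2.9.5
```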
To update tools:
Acknowledgments
BeDefended is built on the excellent work of the open-source security research community. We're grateful for:
- ProjectDiscovery team (subfinder, httpx, nuclei, etc.)
- TomNomNom (waybackurls and other utilities)
- PortSwigger (Burp Suite, security research)
- All individual tool maintainers and contributors