Kiterunner Logo

Kiterunner

0
Free
Visit Website

For the longest of times, content discovery has been focused on finding files and folders. While this approach is effective for legacy web servers that host static files or respond with 3xx’s upon a partial path, it is no longer effective for modern web applications, specifically APIs. Kiterunner is a tool that is capable of not only performing traditional content discovery at lightning fast speeds, but also bruteforcing routes/endpoints in modern applications. Modern application frameworks such as Flask, Rails, Express, Django and others follow the paradigm of explicitly defining routes which expect certain HTTP methods, headers, parameters and values. When using traditional content discovery tooling, such routes are often missed and cannot easily be discovered. By collating a dataset of Swagger specifications and condensing it into our own schema, Kiterunner can use this dataset to bruteforce API endpoints by sending the correct HTTP method, headers, path, parameters.

FEATURES

ALTERNATIVES

Utility for comparing control flow graph signatures to Android methods with scanning capabilities for malicious applications.

XSS Polyglot Challenge - XSS payload running in multiple contexts for testing XSS.

A simple Swagger-ui scanner that detects old versions vulnerable to various XSS attacks

StaCoAn is a cross-platform tool for static code analysis on mobile applications, emphasizing the identification of security vulnerabilities.

A third-party Nginx module that prevents common web attacks by reading a small subset of simple rules containing 99% of known patterns involved in website vulnerabilities.

A tool to scan for CORS misconfigurations in web applications

Yara Based Detection for web browsers

A tool for automated HTTP header injection