A web vulnerability scanner that writes the PoC for you.
Most scanners stop at "vulnerable: yes". That is the half a triager throws away. pocforge produces, for every finding, a runnable artifact — an HTML page, a curl command, an auto-submitting form — that the reviewer can open in a browser and watch the bug fire.
The point is not better detection. The point is shorter time-to-triage.
| ID | Bug | Severity range | PoC artifact |
|---|---|---|---|
| CORS-001 | Reflected attacker origin + credentials | CRITICAL | HTML that reads victim data |
| CORS-002 | Reflected attacker origin, no credentials | MEDIUM | HTML (unauthenticated read) |
| CORS-003 | Origin: null accepted + credentials |
HIGH | Sandboxed-iframe HTML |
| REDIR-001 | Open redirect (vanilla + 5 bypass payloads) | HIGH / MEDIUM | Clickable URL + curl reproduction |
| CSRF-001 | POST form without anti-CSRF token | HIGH / MEDIUM | Auto-submitting HTML form |
| CLICK-001 | Page can be framed (no XFO, no frame-ancestors) |
HIGH | Overlay clickjacking page |
Run pocforge --list-checks to print this list from the tool.
- Authenticated scans. No login flow, no session juggling. If you need cookies, route through Burp with
--burpand let the proxy add them. - Crawl. Give it URLs. It tests those URLs. It will not spider your scope file.
- Pretend
ACAO: *is a finding. Browsers refuse to send credentials there. Reporting it is how you lose reputation on HackerOne. - Hide its traffic. Every probe carries a
User-Agent: pocforge/...header. Assume the WAF sees you.
pip install -e .Python 3.10+.
# Single URL → print markdown report to stdout
pocforge https://target.example.com/
# Single URL → write report.md + per-PoC files into a dir
pocforge https://target.example.com/ -o reports/target/
# Batch
pocforge -f targets.txt -o reports/ --burp
# Pipe to other tools
pocforge https://target.example.com/ --json | jq '.[].findings[].check_id'
# Force everything through Burp (alias for --proxy http://127.0.0.1:8080 --insecure)
pocforge https://staging.example.com/ --burpThe -o directory contains:
reports/target/
├── report.md
├── 01_cors_creds_poc.html
├── 02_cors_null_poc.html
└── 03_clickjacking_poc.html
The markdown is your report draft. The HTML files are what you attach. The triager opens them, the exploit fires, they pay.
See examples/sample_run/ for a real scan output (CORS + clickjacking against a deliberately-vulnerable httpbin endpoint).
For a full worked engagement — discovery, scan, and a finished PDF report against the Acunetix vulnweb test apps — see examples/sample_engagement/. That run was driven end to end by examples/recon_scan.ps1 (domain → Wayback URL discovery → recon_filter.py → pocforge).
pocforge/
├── detectors/ # one file per bug class — (client, target) -> [Finding]
├── poc/ # one file per bug class — Finding -> PoC artifact
├── http_client.py # shared httpx.Client (proxy, timeout)
├── models.py # Finding / Evidence / PoC / ScanReport
├── reporter.py # markdown + per-PoC file output
└── cli.py
Detectors are pure functions over a shared HTTP client. Adding a new bug class is one file in detectors/, one in poc/, one line in the registry. See CONTRIBUTING.md.
pip install -e ".[dev]"
pytest -v13 tests, all run against httpx.MockTransport — no network, deterministic, ~1.5 s.
- SSRF detector with a built-in OOB callback listener (no Burp Collaborator required)
- JWT alg-confusion / weak-secret /
kidinjection - Race-condition tester (Kettle-style single-packet attack)
- GraphQL alias batching, introspection abuse
- OAuth
redirect_urichain analysis (composes with REDIR-001)
Standing on the shoulders of:
- James Kettle — single-packet race attacks, cache poisoning, CORS research
- Sam Curry and the team behind the auto-industry research — OAuth chain craft
- PortSwigger Web Security Academy — the labs every detector here was first tested against
- OWASP Cheat Sheet Series — canonical references for the remediation copy
MIT.