Skip to content

call-yog/pocforge

Repository files navigation

pocforge

ci license: MIT python: 3.10+

A web vulnerability scanner that writes the PoC for you.

Most scanners stop at "vulnerable: yes". That is the half a triager throws away. pocforge produces, for every finding, a runnable artifact — an HTML page, a curl command, an auto-submitting form — that the reviewer can open in a browser and watch the bug fire.

The point is not better detection. The point is shorter time-to-triage.

What it detects

ID Bug Severity range PoC artifact
CORS-001 Reflected attacker origin + credentials CRITICAL HTML that reads victim data
CORS-002 Reflected attacker origin, no credentials MEDIUM HTML (unauthenticated read)
CORS-003 Origin: null accepted + credentials HIGH Sandboxed-iframe HTML
REDIR-001 Open redirect (vanilla + 5 bypass payloads) HIGH / MEDIUM Clickable URL + curl reproduction
CSRF-001 POST form without anti-CSRF token HIGH / MEDIUM Auto-submitting HTML form
CLICK-001 Page can be framed (no XFO, no frame-ancestors) HIGH Overlay clickjacking page

Run pocforge --list-checks to print this list from the tool.

What this won't do

  • Authenticated scans. No login flow, no session juggling. If you need cookies, route through Burp with --burp and let the proxy add them.
  • Crawl. Give it URLs. It tests those URLs. It will not spider your scope file.
  • Pretend ACAO: * is a finding. Browsers refuse to send credentials there. Reporting it is how you lose reputation on HackerOne.
  • Hide its traffic. Every probe carries a User-Agent: pocforge/... header. Assume the WAF sees you.

Install

pip install -e .

Python 3.10+.

Usage

# Single URL → print markdown report to stdout
pocforge https://target.example.com/

# Single URL → write report.md + per-PoC files into a dir
pocforge https://target.example.com/ -o reports/target/

# Batch
pocforge -f targets.txt -o reports/ --burp

# Pipe to other tools
pocforge https://target.example.com/ --json | jq '.[].findings[].check_id'

# Force everything through Burp (alias for --proxy http://127.0.0.1:8080 --insecure)
pocforge https://staging.example.com/ --burp

The -o directory contains:

reports/target/
├── report.md
├── 01_cors_creds_poc.html
├── 02_cors_null_poc.html
└── 03_clickjacking_poc.html

The markdown is your report draft. The HTML files are what you attach. The triager opens them, the exploit fires, they pay.

Sample output

See examples/sample_run/ for a real scan output (CORS + clickjacking against a deliberately-vulnerable httpbin endpoint).

For a full worked engagement — discovery, scan, and a finished PDF report against the Acunetix vulnweb test apps — see examples/sample_engagement/. That run was driven end to end by examples/recon_scan.ps1 (domain → Wayback URL discovery → recon_filter.py → pocforge).

Architecture

pocforge/
├── detectors/        # one file per bug class — (client, target) -> [Finding]
├── poc/              # one file per bug class — Finding -> PoC artifact
├── http_client.py    # shared httpx.Client (proxy, timeout)
├── models.py         # Finding / Evidence / PoC / ScanReport
├── reporter.py       # markdown + per-PoC file output
└── cli.py

Detectors are pure functions over a shared HTTP client. Adding a new bug class is one file in detectors/, one in poc/, one line in the registry. See CONTRIBUTING.md.

Tests

pip install -e ".[dev]"
pytest -v

13 tests, all run against httpx.MockTransport — no network, deterministic, ~1.5 s.

Roadmap

  • SSRF detector with a built-in OOB callback listener (no Burp Collaborator required)
  • JWT alg-confusion / weak-secret / kid injection
  • Race-condition tester (Kettle-style single-packet attack)
  • GraphQL alias batching, introspection abuse
  • OAuth redirect_uri chain analysis (composes with REDIR-001)

Acknowledgments

Standing on the shoulders of:

License

MIT.

About

No description or website provided.

Topics

Resources

License

Contributing

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages