infocyn/oxtrace

GitHub: infocyn/oxtrace

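An integrated penetration testing framework for authorized testing that addresses the efficiency and compliance of security assessments through modular deep scanning and professional reporting.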

Stars: 48 | Forks: 14

# 🔥 OxTrace v5.0

![Python](https://img.shields.io/badge/Python-3.8+-3776AB?style=for-the-badge&logo=python&logoColor=white) ![Security](https://img.shields.io/badge/Security-Pentesting-red?style=for-the-badge&logo=hackaday&logoColor=white) ![License](https://img.shields.io/badge/License-MIT-green?style=for-the-badge&logo=opensourceinitiative&logoColor=white) ![Status](https://img.shields.io/badge/Status-Active-success?style=for-the-badge)

**🛡️ Advanced Penetration Testing Framework & Vulnerability Scanner**

## ⚠️ Critical Legal Disclaimer

### 🚨 This tool is for educational and authorized testing purposes only 🚨

By using OxTrace, you agree that:

- ✅ You have explicit written permission to test target systems
- ✅ You will NOT use this tool for illegal activities
- ✅ You understand unauthorized access is a criminal offense
- ✅ You accept FULL RESPONSIBILITY for your actions
- ❌ Unauthorized access is illegal and punishable by law

## 🎯 Overview

**OxTrace** is a comprehensive penetration testing framework designed for security professionals and ethical hackers. It combines 6+ specialized security testing modules into a single, powerful tool with real-time monitoring and professional reporting.

### ✨ Why OxTrace?

```
┌─────────────────────────────────────────────────────────────┐
│ 🎯 All-in-One       │ 6+ specialized testing modules        │
│ 📊 Real-Time        │ Live dashboard with progress          │
│ 📄 Professional     │ HTML + JSON + Executive reports       │
│ ⚡ High Performance │ Parallel processing up to 100         │
│ 🔒 Stealth Mode     │ Proxy & TOR support                   │
│ 🎨 Modern UI        │ Beautiful terminal interface          │
└─────────────────────────────────────────────────────────────┘
```

## 🔧 Core Modules

### 🔐 Authentication Testing

```
├─ Default credentials testing
├─ SQL injection in login forms
├─ Brute force protection checks
├─ Account enumeration detection
└─ HTTPS security verification
```

### 🔌 API Security Scanner

```
├─ BOLA/IDOR testing
├─ Broken authentication checks
├─ Excessive data exposure
├─ Rate limiting validation
└─ API documentation exposure
```

### 🎫 JWT Token Analysis

```
├─ Algorithm confusion attacks
├─ Weak signing secrets
├─ Expiration validation
├─ Sensitive data exposure
└─ Signature verification
```

### 📤 File Upload Testing

```
├─ Dangerous file type uploads
├─ Filter bypass techniques
├─ Path traversal attacks
├─ MIME type validation
└─ Content verification
```

### 🔐 Session Management

```
├─ Cookie security flags
├─ Session fixation tests
├─ Timeout validation
├─ Session ID entropy
└─ Security attributes
```

### 🔒 Cryptography Testing

```
├─ SSL/TLS version checks
├─ Certificate validation
├─ Weak cipher detection
├─ Key size verification
└─ HSTS headers
```

## 🚀 Installation & Quick Start

### 📦 Quick Install

```
# 1️⃣ Clone the repository
git clone https://github.com/infocyn/oxtrace.git
cd oxtrace

# 2️⃣ Install dependencies
pip install -r requirements.txt

# 3️⃣ Verify the installation
python oxtrace.py --help
```

### ⚡ Quick Usage

**🎮 Interactive Mode (Beginners)**

```
python oxtrace.py -i
```

Easy interactive menu:

- ✅ Accept legal terms
- 🎯 Enter target URL
- 📋 Select modules
- 📊 Generate reports

**⌨️ Command Line (Advanced)**

```
# Full scan
python oxtrace.py -t https://example.com -m full -r html

# Specific modules
python oxtrace.py -t https://example.com -m auth,api,jwt

# JSON report
python oxtrace.py -t https://example.com -m full -r json
```

## 📖 Detailed Usage

### Command Syntax

```
python oxtrace.py [OPTIONS]
```

### Available Options

| Option | Long Form | Description | Example |
|--------|-----------|-------------|---------|
| `-t` | `--target` | Target URL/domain/IP (required) | `-t https://example.com` |
| `-m` | `--modules` | Comma-separated modules | `-m auth,api,jwt` |
| `-r` | `--report` | Report format (html/json/executive) | `-r html` |
| `-o` | `--output` | Output directory | `-o ./reports` |
| `-i` | `--interactive` | Interactive menu mode | `-i` |
| `-v` | `--verbose` | Verbose debug output | `-v` |
| | `--skip-legal` | Skip legal disclaimer | `--skip-legal` |
| `-h` | `--help` | Show help message | `-h` |

### Available Modules

| Code | Module | Description |
|------|--------|-------------|
| `auth` | Authentication | Login mechanisms and auth security |
| `api` | API Security | REST/GraphQL API vulnerabilities |
| `jwt` | JWT Analysis | JWT token security flaws |
| `upload` | File Upload | File upload vulnerabilities |
| `session` | Session Management | Session handling and cookies |
| `crypto` | Cryptography | SSL/TLS and crypto configs |
| `full` | Full Scan | Run ALL modules (recommended) |

## 💡 Usage Examples

### 🎯 Example 1: Full Security Audit

```
python oxtrace.py \
  -t https://target.com \
  -m full \
  -r html \
  -v
```

### 🔌 Example 2: API Testing Only

```
python oxtrace.py \
  -t https://api.target.com \
  -m api,jwt \
  -r json
```

### 🔐 Example 3: Authentication Scan

```
python oxtrace.py \
  -t https://login.target.com \
  -m auth \
  -r executive
```

### 🕵️ Example 4: Stealth Mode

```
export OXTRACE_USE_TOR="true"
python oxtrace.py \
  -t https://target.com \
  -m full
```

### 📤 Example 5: Upload Testing

```
python oxtrace.py \
  -t https://upload.target.com \
  -m upload \
  -v
```

### 🔒 Example 6: Cryptography Testing

```
python oxtrace.py \
  -t https://secure.target.com \
  -m crypto,session \
  -r html
```

## 📊 Report Types

### 1️⃣ Interactive HTML Report

```
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ 📊 Interactive Dashboard                    ┃
┃ ├─ 🎨 Modern dark theme design              ┃
┃ ├─ 📈 Interactive charts (Chart.js)         ┃
┃ ├─ 🔍 Quick search functionality            ┃
┃ ├─ 📱 Responsive for all devices            ┃
┃ ├─ 🖨️ Print-ready PDF export                ┃
┃ └─ 🔗 Direct CVSS & CWE links               ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
```

**Generate:**

```
python oxtrace.py -t https://example.com -m full -r html
```

**Features:**

- 🎨 Professional cybersecurity aesthetic
- 📊 Severity distribution pie chart
- 📈 Vulnerabilities by module bar chart
- 🔍 Searchable findings table
- 📱 Mobile-friendly responsive design
- 🖨️ Optimized for PDF printing
- 🔗 Links to vulnerability databases

### 2️⃣ JSON Report (Machine-Readable)

**Generate:**

```
python oxtrace.py -t https://example.com -m full -r json
```

**Use Cases:**

- ✅ CI/CD pipeline integration
- ✅ Custom report generation
- ✅ Data analysis and metrics
- ✅ SIEM system integration
- ✅ Automated vulnerability tracking

**Sample Structure:**

```
{
  "meta": {
    "tool": "OxTrace",
    "version": "5.0.0",
    "target": "https://example.com",
    "timestamp": "2024-01-15_14-30-00",
    "scan_duration": 245.67
  },
  "summary": {
    "total_vulnerabilities": 12,
    "risk_score": 78,
    "by_severity": {
      "critical": 3,
      "high": 5,
      "medium": 2,
      "low": 2
    }
  },
  "scans": [
    {
      "target": "https://example.com",
      "scan_type": "authentication_security",
      "vulnerabilities": [
        {
          "name": "Default Credentials",
          "severity": "critical",
          "cvss": 9.8,
          "cwe": "CWE-798",
          "evidence": "Login successful with admin:admin"
        }
      ]
    }
  ]
}
```

### 3️⃣ Executive Summary (Management Report)

**Generate:**

```
python oxtrace.py -t https://example.com -m full -r executive
```

**Ideal For:**

- 👔 C-level executives
- 📊 Board presentations
- 📋 Compliance reports
- 📈 Risk assessments

**Sample Output:**

```
════════════════════════════════════════════════════════════════
                   EXECUTIVE SECURITY SUMMARY
════════════════════════════════════════════════════════════════

TARGET: https://example.com
DATE: 2024-01-15 14:30:00
SCAN DURATION: 4 minutes 5 seconds

────────────────────────────────────────────────────────────────
RISK OVERVIEW
────────────────────────────────────────────────────────────────

Overall Risk Rating: CRITICAL

Total Vulnerabilities: 12
├─ Critical: 3
├─ High: 5
├─ Medium: 2
└─ Low: 2

Risk Score: 78/100 (HIGH RISK)

IMMEDIATE ACTION REQUIRED: 3 critical vulnerabilities

────────────────────────────────────────────────────────────────
TOP 5 CRITICAL FINDINGS
────────────────────────────────────────────────────────────────

1. DEFAULT CREDENTIALS ACCEPTED
   Severity: CRITICAL | CVSS: 9.8
   Location: https://example.com/login
   Impact: Unauthorized administrative access
   Recommendation: Change default credentials immediately

2. SQL INJECTION VULNERABILITY
   Severity: CRITICAL | CVSS: 9.8
   Location: https://example.com/login
   Impact: Database compromise possible
   Recommendation: Use parameterized queries

3. WEAK JWT SECRET KEY
   Severity: CRITICAL | CVSS: 9.8
   Location: Authentication tokens
   Impact: Token forgery possible
   Recommendation: Use strong secret (min 256 bits)

────────────────────────────────────────────────────────────────
BUSINESS IMPACT ASSESSMENT
────────────────────────────────────────────────────────────────

Data Breach Risk: HIGH
└─ SQL injection could expose customer data

Compliance Risk: HIGH
└─ May violate GDPR, PCI-DSS requirements

Reputational Risk: HIGH
└─ Security breach could damage brand trust

Financial Risk: HIGH
└─ Potential fines and remediation costs

────────────────────────────────────────────────────────────────
PRIORITY RECOMMENDATIONS
────────────────────────────────────────────────────────────────

IMMEDIATE (Within 24 hours):
1. Change all default credentials
2. Disable vulnerable endpoints
3. Rotate JWT secret keys
4. Enable WAF protection

SHORT-TERM (Within 1 week):
1. Fix SQL injection vulnerabilities
2. Implement proper API authorization
3. Add security headers
4. Enable rate limiting

LONG-TERM (Within 1 month):
1. Comprehensive code review
2. Security testing in CI/CD
3. Team security training
4. Vulnerability management program

════════════════════════════════════════════════════════════════
```

## 🔍 Module Deep Dive

### 1. Authentication Security Testing 🔐

**What It Tests:**

- ✅ Default credentials (admin:admin, root:root, etc.)
- ✅ SQL injection in login forms
- ✅ Brute force protection mechanisms
- ✅ Account enumeration vulnerabilities
- ✅ HTTPS enforcement on credentials
- ✅ Session management after authentication

**Sample Vulnerabilities:**

```
[CRITICAL] Default Credentials
URL: https://example.com/login
Evidence: Login successful with admin:admin
CVSS: 9.8 | CWE-798
Fix: Change default credentials, enforce strong passwords

[CRITICAL] SQL Injection in Login
URL: https://example.com/login
Payload: ' OR '1'='1
Evidence: SQL error in response
CVSS: 9.8 | CWE-89
Fix: Use parameterized queries

[MEDIUM] No Brute Force Protection
URL: https://example.com/login
Evidence: 10 failed attempts without blocking
CVSS: 5.3 | CWE-307
Fix: Implement rate limiting and account lockout
```

### 2. API Security Scanner 🔌

**What It Tests:**

- ✅ BOLA/IDOR (Broken Object Level Authorization)
- ✅ Broken authentication mechanisms
- ✅ Excessive data exposure in responses
- ✅ Missing rate limiting
- ✅ Exposed API documentation
- ✅ Mass assignment vulnerabilities

**Sample Vulnerabilities:**

```
[HIGH] Potential BOLA/IDOR
URL: https://api.example.com/users/123
Evidence: Accessed resource with ID 456 unauthorized
CVSS: 7.5 | CWE-639
Fix: Implement proper authorization checks

[MEDIUM] Excessive Data Exposure
URL: https://api.example.com/users
Evidence: API returns password hashes
CVSS: 5.3 | CWE-200
Fix: Filter sensitive data from responses

[LOW] Exposed API Documentation
URL: https://api.example.com/swagger
Evidence: Swagger UI publicly accessible
CVSS: 3.7 | CWE-200
Fix: Restrict documentation in production
```

### 3. JWT Token Analysis 🎫

**What It Tests:**

- ✅ Algorithm confusion ('none' algorithm attacks)
- ✅ Weak signing secrets (brute force)
- ✅ Token expiration validation
- ✅ Sensitive data in payload
- ✅ Signature verification bypass
- ✅ Missing security claims

**Sample Vulnerabilities:**

```
[CRITICAL] Weak JWT Secret
Evidence: Token signed with "password123"
Algorithm: HS256
CVSS: 9.8 | CWE-798
Fix: Use cryptographically strong secret (256+ bits)

[CRITICAL] Algorithm Confusion
Evidence: Server accepts "none" algorithm
CVSS: 9.8 | CWE-327
Fix: Whitelist algorithms, never accept "none"

[HIGH] Sensitive Data in JWT
Evidence: Token contains user password
CVSS: 7.5 | CWE-200
Fix: Never store sensitive data in JWT payloads
```

### 4. File Upload Testing 📤

**What It Tests:**

- ✅ Dangerous file types (PHP, JSP, ASPX)
- ✅ Double extension bypass (file.php.jpg)
- ✅ Null byte injection (file.php%00.jpg)
- ✅ MIME type validation
- ✅ Path traversal in filenames
- ✅ File content validation

**Sample Vulnerabilities:**

```
[CRITICAL] Dangerous File Upload
URL: https://example.com/upload
Evidence: Successfully uploaded test.php
CVSS: 9.8 | CWE-434
Fix: Whitelist file types, validate content

[HIGH] Filter Bypass
URL: https://example.com/upload
Payload: test.php.jpg (double extension)
Evidence: PHP file executed
CVSS: 8.6 | CWE-434
Fix: Validate extensions properly, check magic bytes

[MEDIUM] No MIME Validation
URL: https://example.com/upload
Evidence: Uploaded executable with image MIME
CVSS: 6.5 | CWE-434
Fix: Validate both extension and MIME type
```

### 5. Session Management Testing 🔐

**What It Tests:**

- ✅ Secure flag on cookies
- ✅ HttpOnly flag validation
- ✅ SameSite attribute
- ✅ Session fixation vulnerabilities
- ✅ Session timeout enforcement
- ✅ Session ID randomness

**Sample Vulnerabilities:**

```
[HIGH] Session Fixation
URL: https://example.com
Evidence: Session ID not regenerated after login
CVSS: 7.5 | CWE-384
Fix: Regenerate session ID after authentication

[MEDIUM] Missing HttpOnly Flag
Cookie: PHPSESSID
Evidence: Cookie accessible via JavaScript
CVSS: 5.3 | CWE-1004
Fix: Set HttpOnly flag to prevent XSS theft

[MEDIUM] Missing Secure Flag
Cookie: session_token
Evidence: Cookie can be sent over HTTP
CVSS: 5.3 | CWE-614
Fix: Always set Secure flag for HTTPS cookies
```

### 6. Cryptography Testing 🔒

**What It Tests:**

- ✅ SSL/TLS versions (SSLv2, SSLv3, TLS 1.0/1.1)
- ✅ Certificate validity and expiration
- ✅ Weak cipher suites
- ✅ RSA/ECC key sizes
- ✅ HSTS headers
- ✅ Certificate transparency

**Sample Vulnerabilities:**

```
[HIGH] Outdated TLS Version
URL: https://example.com
Protocol: TLSv1.0 (deprecated)
CVSS: 7.5 | CWE-326
Fix: Disable TLS 1.0/1.1, use TLS 1.2+ only

[MEDIUM] Weak Cipher Suite
URL: https://example.com
Cipher: DES-CBC3-SHA
CVSS: 5.9 | CWE-327
Fix: Disable weak ciphers, use AES-GCM

[LOW] Certificate Expiring Soon
URL: https://example.com
Evidence: Certificate expires in 15 days
CVSS: 3.7 | CWE-295
Fix: Renew certificate before expiration
```

## ⚙️ Advanced Configuration

### 🔧 Environment Variables

```
# Proxy configuration
export OXTRACE_PROXY="http://proxy.example.com:8080"
export OXTRACE_PROXY_USER="username"
export OXTRACE_PROXY_PASS="password"

# TOR support
export OXTRACE_USE_TOR="true"
export OXTRACE_TOR_PROXY="socks5://127.0.0.1:9050"

# Custom user agent
export OXTRACE_USER_AGENT="Mozilla/5.0 Custom Scanner"

# Threads
export OXTRACE_MAX_THREADS="50"

# Timeout
export OXTRACE_TIMEOUT="30"

# Rate limit
export OXTRACE_RATE_LIMIT="0.1"

# Output directory
export OXTRACE_OUTPUT_DIR="/path/to/reports"
```

### 📝 Configuration File (config.yaml)

```
# OxTrace configuration file

# Global settings
version: "5.0.0"
verbose: false

# Scan settings
scanning:
  max_threads: 100
  max_async_tasks: 200
  timeout: 30
  max_retries: 3
  rate_limit_delay: 0.05

# Proxy settings
proxy:
  enabled: false
  proxy_list:
    - "http://proxy1.example.com:8080"
    - "http://proxy2.example.com:8080"
  rotation: true

# TOR settings
tor:
  enabled: false
  proxy: "socks5://127.0.0.1:9050"

# Stealth mode
stealth:
  rotate_user_agent: true
  random_delay: true
  delay_min: 0.1
  delay_max: 0.5
  evasion_mode: true

# Module configuration
modules:
  auth:
    enabled: true
    test_default_creds: true
    test_sql_injection: true
    test_brute_force: true
  api:
    enabled: true
    test_bola: true
    test_rate_limiting: true
  jwt:
    enabled: true
    test_weak_secrets: true
    test_algorithm_confusion: true
  upload:
    enabled: true
    test_dangerous_types: true
    test_bypasses: true
  session:
    enabled: true
    test_cookie_security: true
    test_fixation: true
  crypto:
    enabled: true
    test_ssl_tls: true
    test_certificates: true

# Reporting
reporting:
  default_format: "html"
  output_directory: "./reports"
  include_screenshots: false
  include_request_response: true

# Logging
logging:
  level: "INFO"
  file: "oxtrace.log"
  max_size_mb: 100
  backup_count: 5

# Custom payloads
custom_payloads:
  sql_injection:
    - "' OR '1'='1"
    - "admin'--"
    - "1' UNION SELECT NULL--"
  xss:
    - ""
    - ""

# Wordlists
wordlists:
  usernames: "wordlists/usernames.txt"
  passwords: "wordlists/passwords.txt"
  directories: "wordlists/directories.txt"
```

## 🛡️ Security Best Practices

### Before Starting an Assessment

#### 1. Legal Authorization ⚖️

**CRITICAL:** Always obtain written permission

```
Required Documentation:
✅ Signed penetration testing agreement
✅ Scope of work document
✅ Rules of engagement
✅ Emergency contact information
✅ Data handling procedures
```

#### 2. Define Scope 🎯

```
Clearly Define:
✅ Target systems and IP ranges
✅ Allowed testing methods
✅ Off-limits systems
✅ Testing time windows
✅ Data sensitivity levels
```

#### 3. Prepare the Environment 🔧

```
Pre-Testing Checklist:
✅ Verify target backups exist
✅ Set up monitoring and logging
✅ Establish communication channels
✅ Prepare incident response plan
✅ Document baseline system state
```

### During the Assessment

#### 1. Monitor Impact 📊

```
# Monitor system performance
# Stop as soon as a problem is found
# Log all activity
# Keep stakeholders informed
```

#### 2. Rate Limiting ⏱️

```
# Use an appropriate delay
python oxtrace.py -t https://example.com -m full --delay 0.5

# For production systems
export OXTRACE_RATE_LIMIT="1.0"
```

#### 3. Document Everything 📝

```
Keep Detailed Records:
✅ All commands executed
✅ Vulnerabilities discovered
✅ Activity timestamps
✅ System anomalies
✅ Evidence and screenshots
```

### After the Assessment

#### 1. Secure Reports 🔒

```
# Encrypt sensitive reports
gpg --encrypt --recipient security@example.com report.html

# Set appropriate permissions
chmod 600 report.html
```

#### 2. Responsible Disclosure 📢

```
Follow These Steps:
1. Report to authorized contacts immediately
2. Provide detailed remediation guidance
3. Allow time for fixes (30-90 days)
4. Follow up on progress
5. Document disclosure process
```

#### 3. Cleanup 🧹

```
Post-Assessment Actions:
✅ Remove test accounts created
✅ Delete uploaded test files
✅ Clear temporary data
✅ Verify no persistent access
✅ Document cleanup activities
```

## 🐛 Troubleshooting

### Common Issues

#### ❌ ModuleNotFoundError

```
# Solution
pip install -r requirements.txt
```

#### ❌ SSL Certificate Errors

```
# Solution 1
pip install --upgrade certifi

# Solution 2 (testing only)
export PYTHONHTTPSVERIFY=0
```

#### ❌ Connection Timeout

```
# Solution
python oxtrace.py -t target --timeout 60
```

#### ❌ Too Many Requests (429)

```
# Solution
export OXTRACE_RATE_LIMIT="1.0"
```

#### ❌ Permission Denied

```
# Solution
mkdir -p reports
chmod 755 reports
```

#### ❌ Memory Issues

```
# Solution
export OXTRACE_MAX_THREADS="20"
```

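Returning to the JSON report's "Sample Structure" and its CI/CD use case from the Report Types section: the following is an added example, not part of the OxTrace project, of a pipeline gate that recomputes severity counts from `scans[].vulnerabilities[]` and fails on a policy breach or a summary that disagrees with the findings. The policy thresholds, the `ci_gate.py` file name and the embedded sample report are assumptions constructed for illustration.

```python
"""CI gate over an OxTrace-style JSON report (added example, not project code)."""
import json
import sys
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low")

# Assumed policy: maximum findings tolerated per severity before the build fails.
DEFAULT_POLICY = {"critical": 0, "high": 0, "medium": 5, "low": 20}

# Constructed sample following the "Sample Structure" shown in the README.
SAMPLE_REPORT = json.loads("""
{
  "meta": {"tool": "OxTrace", "version": "5.0.0", "target": "https://example.com"},
  "summary": {"total_vulnerabilities": 3,
              "by_severity": {"critical": 1, "high": 1, "medium": 1, "low": 0}},
  "scans": [
    {"scan_type": "authentication_security", "vulnerabilities": [
      {"name": "Default Credentials", "severity": "critical", "cvss": 9.8, "cwe": "CWE-798"},
      {"name": "No Brute Force Protection", "severity": "medium", "cvss": 5.3, "cwe": "CWE-307"}]},
    {"scan_type": "session_management", "vulnerabilities": [
      {"name": "Session Fixation", "severity": "high", "cvss": 7.5, "cwe": "CWE-384"}]}
  ]
}
""")


def recount(report):
    """Recompute per-severity counts from the findings instead of trusting the summary."""
    counts = Counter()
    for scan in report.get("scans", []):
        for vuln in scan.get("vulnerabilities", []):
            sev = str(vuln.get("severity", "")).lower()
            # Unknown or missing severities count as critical so they cannot slip through.
            counts[sev if sev in SEVERITIES else "critical"] += 1
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def gate(report, policy=DEFAULT_POLICY):
    """Return a list of violations; an empty list means the gate passes."""
    actual = recount(report)
    declared = report.get("summary", {}).get("by_severity", {})
    problems = []
    for sev in SEVERITIES:
        if declared.get(sev, 0) != actual[sev]:
            problems.append(f"summary mismatch for {sev}: declared "
                            f"{declared.get(sev, 0)}, found {actual[sev]}")
        if actual[sev] > policy.get(sev, 0):
            problems.append(f"{actual[sev]} {sev} finding(s) exceed limit {policy.get(sev, 0)}")
    return problems


if __name__ == "__main__":
    # Usage: python ci_gate.py report.json  (no argument: run on the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_REPORT
    issues = gate(data)
    for line in issues:
        print("FAIL:", line)
    sys.exit(1 if issues else 0)
```

A non-zero exit status is what makes the pipeline step fail; recounting from the findings keeps a stale or edited `summary` block from passing the gate.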
## 🤝 Contributing

We welcome contributions from the security community!

### How to Contribute

```
# 1. Fork the repository
git clone https://github.com/infocyn/oxtrace.git

# 2. Create a feature branch
git checkout -b feature/amazing-scanner

# 3. Make your changes and test them

# 4. Push your changes
git push origin feature/amazing-scanner

# 5. Open a pull request
```

### What We're Looking For

```
├─ 🔧 New scanner modules (CORS, XXE, SSRF)
├─ 🐛 Bug fixes and improvements
├─ 📚 Documentation enhancements
├─ 🎨 UI/UX improvements
└─ ⚡ Performance optimizations
```

## 📚 Learning Resources

### 🎓 Training Resources

**OWASP Resources:**

- OWASP Top 10
- OWASP Testing Guide
- OWASP API Security Top 10

**Vulnerability Databases:**

- CVE Details
- NVD - National Vulnerability Database
- Exploit-DB

**Recommended Books:**

- "The Web Application Hacker's Handbook" by Dafydd Stuttard
- "Real-World Bug Hunting" by Peter Yaworski
- "Black Hat Python" by Justin Seitz
- "OWASP Testing Guide v4"

### 🔧 Complementary Tools

```
├─ Burp Suite → Professional web testing
├─ OWASP ZAP → Free alternative to Burp
├─ Nmap → Network discovery
├─ Metasploit → Exploitation framework
└─ SQLMap → SQL injection tool
```

## 📝 Changelog

### Version 5.0.0 (2025-12-5) - Current

#### ✨ New Features

- 🎨 Real-time display with live dashboard
- 🔄 Advanced multi-threading (up to 100 workers)
- ⚖️ Interactive legal framework
- 📊 HTML reports with Chart.js visualizations
- 🎫 JWT token analysis module
- 📤 File upload vulnerability scanner
- 🔐 Session management testing
- 🔒 Cryptography and SSL/TLS testing
- 🕵️ Stealth mode with proxy/TOR support
- 💾 Intelligent caching system

#### 🐛 Bug Fixes

- Fixed race conditions in multi-threading
- Resolved SQL injection false positives
- Corrected charset encoding issues
- Fixed memory leaks in long scans

#### ⚡ Performance

- 300% faster with parallel execution
- 40% reduced memory footprint
- Optimized regex patterns
- Improved request caching

## 📄 License

**MIT License**

```
Copyright (c) 2024 OxTrace Security Team

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software.
```

## 🌐 Connect With Us

### 📱 Follow Us on Facebook

[![Facebook](https://img.shields.io/badge/Facebook-0xTrace-1877F2?style=for-the-badge&logo=facebook&logoColor=white)](https://www.facebook.com/0xTrace)

### 📧 Support & Contact

Need help? Have questions?

📮 Contact us via Facebook page

## ⚠️ Final Warning

### 🚨 Please Read Carefully 🚨

```
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃                                                   ┃
┃  ❌ DO NOT use on systems you don't own           ┃
┃  ❌ DO NOT use for malicious purposes             ┃
┃  ❌ DO NOT ignore legal warnings                  ┃
┃                                                   ┃
┃  ✅ ALWAYS get written authorization              ┃
┃  ✅ FOLLOW responsible disclosure                 ┃
┃  ✅ USE ethically and legally                     ┃
┃                                                   ┃
┃  YOU ARE SOLELY RESPONSIBLE FOR YOUR ACTIONS      ┃
┃  UNAUTHORIZED ACCESS IS ILLEGAL AND PUNISHABLE    ┃
┃                                                   ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
```

**Legal Consequences:** 🚔 Criminal Prosecution | 💰 Heavy Fines | ⛓️ Imprisonment | 📉 Career Destruction

**Use Responsibly. Stay Legal. Be Ethical.**

## 🙏 Acknowledgments

Special thanks to:

- **OWASP Project** for security resources
- **Python Community** for excellent libraries
- **Security Researchers** for vulnerability research
- **Contributors** who improve OxTrace
- **You** for using OxTrace responsibly

**Made with ❤️ by the Security Community**

**⭐ Star on GitHub | 🐛 Report Issues | 🤝 Contribute**

[![Facebook](https://img.shields.io/badge/Follow_Us-Facebook-1877F2?style=for-the-badge&logo=facebook&logoColor=white)](https://www.facebook.com/0xTrace)

**OxTrace v5.0** - *Ultimate Penetration Testing Framework*

*Scan Smart. Test Safe. Stay Ethical.*

![Security](https://img.shields.io/badge/Stay-Ethical-success?style=for-the-badge) ![Legal](https://img.shields.io/badge/Use-Responsibly-blue?style=for-the-badge) ![Open Source](https://img.shields.io/badge/Open-Source-orange?style=for-the-badge)