GitHub: call-yog/pocforge
# pocforge
[CI](https://github.com/call-yog/pocforge/actions/workflows/ci.yml) · [License](LICENSE) · [pyproject.toml](pyproject.toml)
A web vulnerability scanner that writes the PoC for you.
Most scanners stop at *"vulnerable: yes"*. That is the half a triager throws away. `pocforge` produces, for every finding, a runnable artifact — an HTML page, a curl command, an auto-submitting form — that the reviewer can open in a browser and watch the bug fire.
The point is not better detection. The point is shorter time-to-triage.
## What it detects
| ID | Bug | Severity range | PoC artifact |
| ---------- | --------------------------------------------------- | -------------- | ------------------------------------- |
| CORS-001 | Reflected attacker origin + credentials | CRITICAL | HTML that reads victim data |
| CORS-002 | Reflected attacker origin, no credentials | MEDIUM | HTML (unauthenticated read) |
| CORS-003 | `Origin: null` accepted + credentials | HIGH | Sandboxed-iframe HTML |
| REDIR-001 | Open redirect (vanilla + 5 bypass payloads) | HIGH / MEDIUM | Clickable URL + curl reproduction |
| CSRF-001 | POST form without anti-CSRF token | HIGH / MEDIUM | Auto-submitting HTML form |
| CLICK-001 | Page can be framed (no XFO, no `frame-ancestors`) | HIGH | Overlay clickjacking page |
Run `pocforge --list-checks` to print this list from the tool.
## What this won't do
- **Authenticated scans.** No login flow, no session juggling. If you need cookies, route through Burp with `--burp` and let the proxy add them.
- **Crawl.** Give it URLs. It tests those URLs. It will not spider your scope file.
- **Pretend `ACAO: *` is a finding.** A browser never exposes a credentialed response behind a wildcard origin, even when `Access-Control-Allow-Credentials: true` is sent alongside it, so there is nothing for an attacker page to read. Reporting it is how you lose reputation on HackerOne.
- **Hide its traffic.** Every probe carries a `User-Agent: pocforge/...` header. Assume the WAF sees you.
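
How the three CORS rows above and the `ACAO: *` rule combine in practice, as an added example in Python (not pocforge's own detector code): the classification runs over plain response-header dicts rather than through the shared `httpx.Client`, so it works offline. `ATTACKER_ORIGIN`, `CorsFinding`, `classify_cors`, `run_probes` and the sample responses are this example's own names, and the sample headers are constructed, not captured from a real target.

```python
"""Classify CORS probe responses into the CORS-00x check IDs from the table above.

Added example, not code from the pocforge repository. pocforge's detectors take
(client, target); here the HTTP round trip is left out and the logic runs over
header dicts so it runs offline. The names below are this example's own.
"""
from dataclasses import dataclass
from typing import Optional

# Origin a real probe would send; the value itself is arbitrary (assumed).
ATTACKER_ORIGIN = "https://attacker.example"


@dataclass(frozen=True)
class CorsFinding:
    check_id: str
    severity: str
    sent_origin: str
    acao: str
    credentials: bool


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive lookup; header names are case-insensitive on the wire."""
    want = name.lower()
    for key, value in headers.items():
        if key.lower() == want:
            return value
    return None


def classify_cors(sent_origin: str, headers: dict) -> Optional[CorsFinding]:
    """Map one probe (Origin sent, response headers received) to a finding or None."""
    acao = _header(headers, "Access-Control-Allow-Origin")
    if acao is None:
        return None
    acao = acao.strip()
    creds = (_header(headers, "Access-Control-Allow-Credentials") or "").strip().lower() == "true"

    # `ACAO: *` is never a finding: in credentials mode "include" the browser
    # withholds the response from script even if ACAC: true is also present.
    if acao == "*":
        return None
    # A static allowlist that does not echo our origin: nothing to exploit.
    if acao != sent_origin:
        return None
    if sent_origin == "null":
        # The table only lists the credentialed null-origin case (CORS-003).
        return CorsFinding("CORS-003", "HIGH", sent_origin, acao, True) if creds else None
    if creds:
        return CorsFinding("CORS-001", "CRITICAL", sent_origin, acao, True)
    return CorsFinding("CORS-002", "MEDIUM", sent_origin, acao, False)


def run_probes(responses: dict) -> list:
    """responses maps the Origin value sent -> response header dict received.
    Returns every finding, highest severity first."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    findings = [f for f in (classify_cors(o, h) for o, h in responses.items()) if f]
    return sorted(findings, key=lambda f: order[f.severity])


# Constructed sample responses (not captured from a real target).
SAMPLE_RESPONSES = {
    ATTACKER_ORIGIN: {
        "Access-Control-Allow-Origin": ATTACKER_ORIGIN,
        "Access-Control-Allow-Credentials": "true",
    },
    "null": {
        "access-control-allow-origin": "null",
        "access-control-allow-credentials": "True",
    },
}

# A wildcard response that must NOT be reported, per "What this won't do".
WILDCARD_RESPONSE = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    for f in run_probes(SAMPLE_RESPONSES):
        print(f.check_id, f.severity, "reflected", f.acao)
    print("wildcard ->", classify_cors(ATTACKER_ORIGIN, WILDCARD_RESPONSE))
```

The two probes are sent separately because a server that reflects an arbitrary origin and one that only whitelists `null` are different bugs with different PoCs: the first is read directly from the attacker page, the second needs the sandboxed-iframe trick to make the browser send `Origin: null`.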
## Install
```bash
pip install -e .
```
Python 3.10+.
## Usage
```bash
# Single URL → print markdown report to stdout
pocforge https://target.example.com/

# Single URL → write report.md + per-PoC files into a dir
pocforge https://target.example.com/ -o reports/target/

# Batch
pocforge -f targets.txt -o reports/ --burp

# Pipe to other tools
pocforge https://target.example.com/ --json | jq '.[].findings[].check_id'

# Force everything through Burp (alias for --proxy http://127.0.0.1:8080 --insecure)
pocforge https://staging.example.com/ --burp
```
The `-o` directory contains:
```text
reports/target/
├── report.md
├── 01_cors_creds_poc.html
├── 02_cors_null_poc.html
└── 03_clickjacking_poc.html
```
The markdown is your report draft. The HTML files are what you attach. The triager opens them, the exploit fires, they pay.
## Sample output
See [`examples/sample_run/`](examples/sample_run/) for a real scan output (CORS + clickjacking against a deliberately-vulnerable httpbin endpoint).
For a full worked engagement — discovery, scan, and a finished PDF report against the Acunetix vulnweb test apps — see [`examples/sample_engagement/`](examples/sample_engagement/). That run was driven end to end by [`examples/recon_scan.ps1`](examples/recon_scan.ps1) (domain → Wayback URL discovery → [`recon_filter.py`](examples/recon_filter.py) → pocforge).
## Architecture
```text
pocforge/
├── detectors/        # one file per bug class — (client, target) -> [Finding]
├── poc/              # one file per bug class — Finding -> PoC artifact
├── http_client.py    # shared httpx.Client (proxy, timeout)
├── models.py         # Finding / Evidence / PoC / ScanReport
├── reporter.py       # markdown + per-PoC file output
└── cli.py
```
## Tests
```bash
pip install -e ".[dev]"
pytest -v
```
13 tests, all run against `httpx.MockTransport` — no network, deterministic, ~1.5 s.
## Roadmap
- SSRF detector with a built-in OOB callback listener (no Burp Collaborator required)
- JWT alg-confusion / weak-secret / `kid` injection
- Race-condition tester (Kettle-style single-packet attack)
- GraphQL alias batching, introspection abuse
- OAuth `redirect_uri` chain analysis (composes with REDIR-001)
## Acknowledgments
Standing on the shoulders of:
- [James Kettle](https://portswigger.net/research) — single-packet race attacks, cache poisoning, CORS research
- [Sam Curry](https://samcurry.net/) and the team behind the auto-industry research — OAuth chain craft
- [PortSwigger Web Security Academy](https://portswigger.net/web-security) — the labs every detector here was first tested against
- [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/) — canonical references for the remediation copy
## License
[MIT](LICENSE).