π¦ ClawHub
Web Security Penetration Test
by @liubo2025code
Automates web security penetration testing by performing reconnaissance, vulnerability scanning, exploitation, and generating detailed compliance reports.
π‘ Examples
Example 1: Full Penetration Test
from scripts.web_pentest import WebPentestInitialize scanner
scanner = WebPentest(target="https://example.com")Run reconnaissance
scanner.reconnaissance()Run vulnerability scan
scanner.vulnerability_scan()Test for specific vulnerabilities
scanner.test_sql_injection()
scanner.test_xss()
scanner.test_command_injection()Generate report
scanner.generate_report(format="html", output="report.html")
Example 2: API Security Testing
from scripts.api_security_tester import APISecurityTesterInitialize API tester
tester = APISecurityTester(api_url="https://api.example.com")Test authentication
tester.test_authentication()Test authorization
tester.test_authorization()Test input validation
tester.test_input_validation()Test rate limiting
tester.test_rate_limiting()Generate API security report
tester.generate_api_report()
Example 3: Custom Payload Testing
from scripts.payload_tester import PayloadTesterInitialize payload tester
tester = PayloadTester(target_url="https://example.com/search")Test SQL injection payloads
sql_payloads = [
"' OR '1'='1",
"'; DROP TABLE users; --",
"1' AND SLEEP(5) --"
]
tester.test_sql_payloads(sql_payloads)Test XSS payloads
xss_payloads = [
"",
"
",
"βοΈ Configuration
Configuration File (config.yaml)
# Scanning configuration
scanning:
threads: 10
timeout: 30
user_agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"Vulnerability detection
vulnerabilities:
sql_injection: true
xss: true
command_injection: true
directory_traversal: true
file_inclusion: trueReporting
reporting:
format: html
include_poc: true
risk_level: medium
compliance: [pci_dss, gdpr]Target scope
scope:
include_subdomains: true
max_depth: 3
excluded_paths: [/logout, /admin/delete]
π Tips & Best Practices
Scanning Best Practices
1. Get Authorization - Always obtain written permission before testing 2. Define Scope - Clearly define what is in scope and out of scope 3. Use Test Environment - Test in staging/development environments first 4. Schedule Tests - Schedule tests during maintenance windows 5. Monitor Impact - Monitor system performance during testsReporting Best Practices
1. Clear Findings - Clearly describe each finding 2. Provide Evidence - Include screenshots and proof of concept 3. Risk Assessment - Assess business impact and risk level 4. Remediation Steps - Provide clear remediation steps 5. Follow-up - Schedule follow-up verificationEthical Considerations
1. Confidentiality - Keep findings confidential 2. Responsible Disclosure - Follow responsible disclosure practices 3. Data Protection - Do not access or exfiltrate sensitive data 4. Legal Compliance - Comply with all applicable laws and regulationsTERMINAL
clawhub install web-security-pentest-skill-complete