Commix is an automated tool for detecting and exploiting OS command injection vulnerabilities in web applications. It probes user-supplied input vectors with heuristic test payloads, analyzes response differences to identify injection points, and then automates the execution of arbitrary operating system commands on the target server. The tool distinguishes itself through a multi-layer filter bypass engine that evaluates input constraints independently per filter type and composes tailored evasion strategies into a single payload. A modular payload tamper pipeline transforms raw injection str
XSStrike is an automated security scanning engine designed for web application discovery, input
Ghauri is an automated SQL injection scanner and exploitation tool designed to detect and extract data from vulnerable databases. It functions as a database exfiltration framework that identifies security flaws and retrieves system banners, hostnames, and database schemas. The tool identifies boolean, error, time-based, and stacked query vulnerabilities across multiple input vectors, including HTTP headers, cookies, JSON, SOAP, and XML. It provides capabilities for automated database exfiltration and the processing of bulk target lists to identify flaws across multiple environments. The syst
OWASP ZAP is a dynamic application security testing tool and intercepting HTTP proxy used to find vulnerabilities in web applications. It functions as a penetration testing framework that enables both automated security scanning and manual security testing of running web services. The tool provides a suite of capabilities for analyzing web applications from the outside in, including the ability to capture and modify traffic between a browser and a target application. It is designed to integrate into DevSecOps pipelines to provide consistent security checks across different environments.
This project is an automated security testing suite designed to detect and exploit database vulnerabilities. It functions as a command-line utility that streamlines the identification, verification, and exploitation of web application flaws by automating the injection of malicious payloads into input parameters. The tool provides a comprehensive framework for database enumeration, allowing users to extract schema information, user data, and system configurations from…
The main features of sqlmapproject/sqlmap are: Injection Testers, SQL Injection Tools, Database Enumerators, Security Automation Suites, Injection Engines, Penetration Testing Frameworks, Database Enumeration Tools, System Command Executors.
Open-source alternatives to sqlmapproject/sqlmap include: commixproject/commix — Commix is an automated tool for detecting and exploiting OS command injection vulnerabilities in web applications. It… s0md3v/xsstrike — XSStrike is an automated security scanning engine designed for web application discovery, input. r0oth3x49/ghauri — Ghauri is an automated SQL injection scanner and exploitation tool designed to detect and extract data from vulnerable… zaproxy/zaproxy — OWASP ZAP is a dynamic application security testing tool and intercepting HTTP proxy used to find vulnerabilities in… samratashok/nishang — Nishang is a PowerShell-based offensive security framework designed for red teaming and penetration testing on Windows… codingo/nosqlmap — Automated NoSQL database enumeration and web application exploitation tool.