30 open-source projects similar to mak-/parameth, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Parameth alternative.
Arjun is an HTTP parameter discovery tool that identifies valid parameters on web endpoints by testing large dictionaries of parameter names against target URLs. It systematically probes endpoints using GET, POST, JSON, and XML request formats to find which parameters the server accepts, and can detect parameters whose values appear reflected in the response body. The tool distinguishes itself through its multi-method scanning approach, passive parameter collection from public archives like OTX and CommonCrawl, and its ability to detect value-sensitive parameters that only trigger a response
Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing
This project is an open-source intelligence reconnaissance framework and recursive attack surface mapper. It functions as a containerized security scanner designed to map public-facing infrastructure, perform subdomain enumeration, and automate the gathering of open-source intelligence. The system employs a recursive discovery engine to iteratively explore target infrastructure, utilizing a plugin-based module architecture to extend scanning capabilities. It integrates third-party APIs for data enrichment and applies YARA rules across discovered assets to identify specific vulnerability patte
Gau is a command-line tool and passive URL enumerator designed to discover and aggregate known and historical web addresses for specific target domains. It functions as a collection framework that retrieves domain-specific data from public web archives and threat intelligence providers. The tool focuses on passive reconnaissance and open-source intelligence research to map attack surfaces without sending requests directly to target infrastructure. It aggregates data from multiple external sources to identify accessible web endpoints and forgotten pages. The system includes capabilities for r
Gobuster is a command-line security utility designed for brute-force discovery of hidden infrastructure and content. It operates by systematically testing wordlists against target network services to identify files, directories, subdomains, and cloud storage buckets. The tool utilizes a concurrent worker pool to execute these requests in parallel, ensuring efficient scanning across various network environments. The project distinguishes itself through a modular plugin architecture that supports multiple discovery modes, including HTTP, DNS, and TFTP. This design allows for protocol-agnostic r
Automation for javascript recon in bug bounty.
dirsearch is a command-line security tool and web path scanner used for discovering hidden directories and files on web servers. It functions as a recursive directory fuzzer and brute-force utility that identifies undocumented paths and sensitive files using wordlists and HTTP status codes. The tool distinguishes itself through template-driven path generation and an automated HTTP response filter that uses status codes, content length, and regex patterns to isolate valid targets. It supports recursive directory crawling to map complex web structures and provides state-persistence serializatio
K8tools is a multi-stage attack framework that combines memory-only payload execution, credential testing, port forwarding, privilege escalation, and physical USB-based keystroke injection for comprehensive system compromise. At its core, the Ladon PowerShell module loads a multi-function scanner directly into memory, enabling command execution without writing files to disk, while supporting memory-only payload delivery that downloads and runs obfuscated shellcode or PowerShell commands to evade antivirus detection. The framework distinguishes itself through its breadth of integrated capabili
Exphub is a CVE exploit script library and enterprise software vulnerability suite designed to verify and exploit known security flaws in server environments such as WebLogic, Struts2, Tomcat, and JBoss. It functions as a remote code execution toolkit and a web shell deployment framework for triggering unauthorized command execution and establishing persistent access on remote systems. The project includes specialized utilities for internal network reconnaissance, specifically using server-side request forgery to scan for open ports and services. It further provides mechanisms for bypassing a
w3af is a web penetration testing suite and security audit framework designed to identify and exploit vulnerabilities in web applications. It functions as a vulnerability scanner that crawls targets to find injection points and a fuzzer used to discover hidden endpoints and test input validation. The project distinguishes itself by providing an intercepting HTTP proxy for capturing and modifying traffic, combined with a knowledge-base driven exploitation system. It enables the execution of security exploits to gain remote shell access and supports post-exploitation activities, such as routing
Monkey is an adversary emulation platform and breach and attack simulation tool designed to test network defenses through automated lateral movement and exploit delivery. It functions as a network security testing system that evaluates security posture by attempting to propagate through vulnerabilities and extract sensitive system credentials. The platform distinguishes itself by simulating specific real-world attacker behaviors, such as ransomware encryption, cryptojacking, and the theft of browser-stored credentials and secure shell keys. It utilizes binary hash randomization to evade antiv
Dalfox is an automated web application security tool specifically designed for discovering and verifying cross-site scripting vulnerabilities. It functions as an XSS vulnerability scanner that analyzes HTTP parameters and DOM structures to identify reflected, stored, and blind injection points. The project distinguishes itself by providing a Model Context Protocol server and a REST API, allowing artificial intelligence agents and remote interfaces to trigger and manage security scans programmatically. It utilizes a payload mutation engine and fingerprinting strategies to execute WAF evasion t
Maskphish is a comprehensive security toolkit that integrates capabilities for digital forensics, network vulnerability scanning, open-source intelligence, penetration testing, and social engineering. It functions as a multi-purpose framework for automating reconnaissance and executing security audits across diverse network environments. The project features a specialized phishing and social engineering toolkit used for cloning websites, masking URLs, and deploying deceptive pages to capture user credentials. It also includes a remote access Trojan builder for generating platform-specific exe
BLUTO DNS Recon | Brute Forcer | DNS Zone Transfer | DNS Wild Card Checks | DNS Wild Card Brute Forcer | Email Enumeration | Staff Enumeration | Compromised Account Enumeration | MetaData Harvesting
Sublist3r is a subdomain enumeration tool and passive reconnaissance framework designed to discover subdomains by querying search engines and public intelligence sources. It functions as a security tool for identifying the digital footprint of a target domain. The project provides both passive enumeration through multi-source API aggregation and active discovery via a DNS brute force tool. It includes a TCP port scanner to identify active services and open ports on discovered subdomains, facilitating attack surface mapping. The tool can be used as a standalone utility or as a Python security
Extract URLs, paths, secrets, and other interesting bits from JavaScript
https://www.reddit.com/r/django/comments/87qcf4/28165thousanddjangorunningserversareexposed/ https://twitter.com/6ix7ine/status/978598496658960384?lang=en
OSINT scanning tool which discovers and maps directories found in javascript files hosted on a website.
Cloud Security Posture Management (CSPM)
##新版本刚发布 可能存在一些bug,正在修复中,若有问题请提交issue带上图是最好不过辣 关注的人们啊, 被关注不是目的, 要来贡献代码或者反馈bug哦(●'◡'●)ノ♥ ##扫描的漏洞路径如下: - deafult admin & uc_server login page - develop.php - X3 - X3 tools/tools.php ~ Deafult password 188281MWWxjk - X3.1 utility/convert/index.php ~ Remote code execute - 6.x - 6.x my.php ~ SQL -…
Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner
Puredns is a fast domain resolver and subdomain bruteforcing tool that can accurately filter out wildcard subdomains and DNS poisoned entries.