afrog is an HTTP vulnerability scanner and web vulnerability management system that identifies security flaws and known CVEs using a YAML-based rule engine. It acts as both a payload generator and a scanner: each rule describes a request to send and an expression over the server's response, and a finding is reported only when the response satisfies the rule's detection conditions.
The project provides a framework for out-of-band security testing, detecting blind vulnerabilities by triggering and verifying external DNS or HTTP callbacks. Beyond web traffic, it includes a protocol fuzzer capable of executing multi-step read and write sequences over raw TCP and SSL sockets to identify flaws in non-HTTP services.
The system covers a broad range of security capabilities, including network service discovery, dictionary-based brute forcing, and HTTP protocol fuzzing. It supports dynamic variable injection for payload construction, regex-based data extraction from responses, and the ability to store results in a database or export them as HTML and JSON reports.
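To make the rule-engine model concrete, here is an added example of a detection rule in the afrog POC layout (an `id`/`info` block, a `set` block for dynamic variables, named request `rules` with a CEL expression each, and a top-level `expression` combining them). This is not a rule shipped by the project; the field names follow afrog's bundled POC files as I understand them, and the check itself (a verbose server banner on the root page) is a constructed, low-risk hygiene check rather than a real CVE. Verify the exact helper names against the project's current POC reference before relying on it.

```yaml
# Constructed example rule for afrog's YAML engine (not from the project's poc directory).
id: example-verbose-server-banner

info:
  name: Server header discloses software version (example)
  author: example-author          # placeholder, not a real contributor
  severity: low
  description: |
    Flags responses whose Server header includes a version string.
    Version disclosure is an information leak that should be removed
    at the reverse proxy; it is not exploitable on its own.
  tags: misconfig,example

# Dynamic variables: resolved once per target and usable in every rule below.
set:
  hostname: request.url.host

rules:
  # r0: plain GET of the root page; fires on a 2xx with a version-bearing banner.
  r0:
    request:
      method: GET
      path: /
      headers:
        Host: "{{hostname}}"
    # CEL expression evaluated against the captured response.
    # response.status, response.headers and response.body are the engine's
    # response object; bmatches runs a regex over the raw body bytes and
    # headers is the parsed header map.
    expression: >-
      response.status >= 200 && response.status < 300 &&
      "Server" in response.headers &&
      response.headers["Server"].matches("/[0-9]+\\.[0-9]+")

# Overall verdict: the finding is reported only if rule r0 matched.
expression: r0()
```

A rule for a blind (out-of-band) condition follows the same shape, except that `set` requests an OOB token (afrog's `oob()` helper) and the rule expression asks the engine whether the callback server saw a DNS or HTTP hit for that token, instead of inspecting the response body.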