Crates.io | soysauce |
lib.rs | soysauce |
version | 0.1.0 |
created_at | 2024-12-19 12:15:34.767891+00 |
updated_at | 2024-12-19 12:15:34.767891+00 |
description | Pen-test Tool |
homepage | |
repository | https://gitlab.com/xamn/soysauce |
max_upload_size | |
id | 1489102 |
size | 93,163 |
The all-around brute-forcing and fuzzing tool for penetration testers and ethical hackers.
NOTE: SoySauce is in the development phase. Features will be added, things changed, and bugs found!
Make sure these packages are installed:
cargo install soysauce
SoySauce performs penetration tests specified in a testfile. Testfiles are TOML-formatted text files that specify the details of the test.
With SoySauce you can fuzz and brute-force HTTP requests. Specify an HTTP test as follows:
[httpTest]
url = "https://example.com/^PARAM^"
method = "POST" # supported methods: GET, POST. Default is GET
body = "username=^USER^&password=^PASS^" # optional
pass_codes = [200] # Accept responses with these codes, optional, default: [200]
reject_codes = [] # Reject responses with these codes, optional, default: []
pass_string = "ok!" # Accept responses with this string included in the response body. This field is not required
reject_string = "Unauthorized" # Reject responses with this string included in the response body. This field is not required
default_action = "reject" # Default action when none of the above matches. default: "reject"
exhaust = false # optional, true means all combinations will be tested
# By default, program will exit on first match
[httpTest.headers] # optional
Content-Type = "application/x-www-form-urlencoded"
Parameters are tokens for passwords, usernames, directories, or others like base64 formatted basic-auth strings.
Parameters are defined in your testfile as follows. The parameter name can be any uppercase word and is given after the period (.). Parameters can be referenced in other places like so: ^PARAM^, where 'PARAM' is the name of the parameter. Parameters are specified like so:
[param.PARAM]
...
Wordlist parameters read a file containing multiple strings, one per line. You can specify a wordlist parameter as follows:
[param.NAME]
type = "wordlist"
wordlist = "names.txt"
Compositions can be crafted from other parameters dynamically. Encoding can be specified with the 'encode' field. One example is a base64 formatted login string. For the list of supported encodings, see below.
[param.COMP]
type = "compose"
compose = "^LOGIN^:^PASS^"
encode = "base64"
Brutes are flexible ways to generate parameters.
The following generates all the possible combinations of the characters specified to the length of 4.
If fixed_length is true, only strings whose length equals length are generated; if false, strings of all lengths below and including length are generated.
[param.BRUTE]
type = "brute"
brute = "a-z,0-9"
length = 4
fixed_length = true
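An added example, not taken from the SoySauce source: it counts and lists the candidates a brute parameter produces under each fixed_length setting, so the request volume of a test can be estimated before it is run. The charset syntax (comma-separated characters and x-y ranges), the exclusion of the empty string, and the output order are assumptions; expand_charset, candidate_count and enumerate are hypothetical names.

```rust
// Added example, not SoySauce code. Assumed spec: comma-separated chars and `x-y` ranges.
fn expand_charset(spec: &str) -> Result<Vec<char>, String> {
    let mut out = Vec::new();
    for item in spec.split(',') {
        let c: Vec<char> = item.chars().collect();
        match c.as_slice() {
            [single] => out.push(*single),
            [lo, '-', hi] if lo <= hi => out.extend(*lo..=*hi),
            _ => return Err(format!("bad charset item: {:?}", item)),
        }
    }
    out.sort_unstable();
    out.dedup(); // overlapping ranges must not inflate the count
    Ok(out)
}

// Candidate count for `n` symbols: n^length if fixed_length, otherwise
// n^1 + ... + n^length (assumption: no empty string). None on overflow.
fn candidate_count(n: u128, length: u32, fixed_length: bool) -> Option<u128> {
    let start = if fixed_length { length } else { 1 };
    let mut total: u128 = 0;
    for l in start..=length {
        total = total.checked_add(n.checked_pow(l)?)?;
    }
    Some(total)
}

// Every candidate, shortest first (ordering is an assumption). Small inputs only.
fn enumerate(alphabet: &[char], length: u32, fixed_length: bool) -> Vec<String> {
    let n = alphabet.len() as u128;
    let start = if fixed_length { length } else { 1 };
    let mut out = Vec::new();
    for len in start..=length {
        for mut i in 0..n.pow(len) {
            let mut s = vec![' '; len as usize];
            for slot in s.iter_mut().rev() {
                *slot = alphabet[(i % n) as usize];
                i /= n;
            }
            out.push(s.into_iter().collect());
        }
    }
    out
}

fn main() {
    let n = expand_charset("a-z,0-9").expect("valid spec").len() as u128;
    println!("fixed: {:?}, up to: {:?}", candidate_count(n, 4, true), candidate_count(n, 4, false));
    println!("{:?}", enumerate(&['a', 'b'], 2, false));
}
```

For the page's "a-z,0-9" with length = 4, fixed_length = true gives 36^4 candidates, and fixed_length = false adds the shorter strings on top of that.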
Brutes can also be used to append strings to other parameters.
[param.BRUTE2]
type = "brute"
brute = "^FILENAME^.txt"
All numbers in a range.
[param.RANGE]
type = "range"
from = 1
to = 10
Words specified in the TOML file.
[param.INPLACE]
type = "words"
words = """
apple
orange
pear
"""
A simple literal string. Can be useful as a placeholder or if you need to escape parameter names.
[param.BRUTE2]
type = "string"
string = "^LITERALLY^"
You can generate a few templates of testfiles with the --generate argument.
List of supported encodings:
Not supported yet
-o <file> : Output file
--verfiy-file <file> : Check a testfile for syntax errors
--banner hide : Disable banner
see: soysauce --help