{"id":13493050,"url":"https://github.com/0xsauby/yasuo","last_synced_at":"2025-12-17T12:13:27.259Z","repository":{"id":21143878,"uuid":"24446154","full_name":"0xsauby/yasuo","owner":"0xsauby","description":"A ruby script that scans for vulnerable \u0026 exploitable 3rd-party web applications on a network","archived":false,"fork":false,"pushed_at":"2017-12-09T19:02:12.000Z","size":2291,"stargazers_count":569,"open_issues_count":6,"forks_count":137,"subscribers_count":52,"default_branch":"master","last_synced_at":"2024-10-31T07:34:12.412Z","etag":null,"topics":["hacking-tool","network-security","pentest-scripts","pentest-tool","pentesting","pentesting-networks","ruby","security-automation","security-scanner","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xsauby.png","metadata":{"files":{"readme":"README.md","changelog":"changelog.txt","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-09-25T06:20:08.000Z","updated_at":"2024-10-03T05:11:40.000Z","dependencies_parsed_at":"2022-08-19T18:01:41.430Z","dependency_job_id":null,"html_url":"https://github.com/0xsauby/yasuo","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xsauby%2Fyasuo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xsauby%2Fyasuo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xsauby%2Fyasuo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xsauby%2Fyasuo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/own
ers/0xsauby","download_url":"https://codeload.github.com/0xsauby/yasuo/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246020939,"owners_count":20710850,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacking-tool","network-security","pentest-scripts","pentest-tool","pentesting","pentesting-networks","ruby","security-automation","security-scanner","security-tools"],"created_at":"2024-07-31T19:01:11.759Z","updated_at":"2025-12-17T12:13:27.162Z","avatar_url":"https://github.com/0xsauby.png","language":"Ruby","funding_links":[],"categories":["Ruby"],"sub_categories":[],"readme":"# YASUO [@0xsauby]\n\n[![AUR](https://img.shields.io/aur/license/yaourt.svg?maxAge=2592000)](http://www.fsf.org/licensing/)\n[![ToolsWatch 2016 Arsenal](https://www.toolswatch.org/badges/arsenal/2016.svg)](https://www.blackhat.com/eu-16/arsenal.html)\n[![ToolsWatch 2017 Arsenal](https://rawgithub.com/toolswatch/badges/master/arsenal/2017.svg)](https://www.blackhat.com/us-17/arsenal/schedule/index.html#yasuo-7909)\n[![Twitter URL](https://img.shields.io/twitter/url/http/shields.io.svg?style=social\u0026maxAge=2592000)](https://twitter.com/0xsauby)\n\n## Description\n\nYasuo is a ruby script that scans for vulnerable 3rd-party web applications.\n\nWhile working on a network security assessment (internal, external, redteam\ngigs etc.), we often come across vulnerable 3rd-party web applications or web\nfront-ends that allow us to compromise the remote server by exploiting publicly\nknown vulnerabilities. 
Some of the common \u0026 favorite applications are the Apache\nTomcat administrative interface, JBoss jmx-console, Hudson Jenkins and so on.\n\nIf you search through Exploit-db, there are over 10,000 remotely exploitable\nvulnerabilities that exist in tons of web applications/front-ends and could\nallow an attacker to completely compromise the back-end server. These\nvulnerabilities range from RCE to malicious file uploads to SQL injection to\nRFI/LFI etc.\n\nYasuo is built to quickly scan the network for such vulnerable applications\nthus serving pwnable targets on a silver platter.\n\n## Setup / Install\nInstall the required gems with Bundler, then run Yasuo through it:\n\n- `bundle install --path vendor`\n\n- `bundler exec ./yasuo.rb -f [myfile]`\n\n## Details\n\nYasuo provides the following command-line options:\n\n-r :: If you want Yasuo to perform a port scan, use this switch to provide an IP address or IP range\n\n-l :: If you want Yasuo to perform a port scan, use this switch to provide an input file with newline-separated IP addresses, similar to nmap's -iL option\n\n-s :: Provide a custom signature file. [./yasuo.rb -s mysignatures.yaml -f nmap.xml] [Default - signatures.yaml]\n\n-f :: If you do not want Yasuo to perform a port scan and already have nmap output in XML format, use this switch to feed in the nmap output\n\n-u :: Takes a newline-separated file of URLs saved from a previous run of Yasuo. See below for more details.\n\n-n :: Tells Yasuo not to ping the host while performing the port scan. Standard nmap option.\n\n-p :: Use this switch to provide port number(s)/range\n\n-A :: Use this switch to scan all 65535 ports. Standard nmap option.\n\n-b [all/form/basic] :: If the discovered application implements authentication, use this switch to brute-force the auth. \"all\" will brute-force both form \u0026 http basic auth. \"form\" will only brute-force form-based auth. 
\"basic\" will only brute-force http basic auth.\n\n-t :: Specify the maximum number of threads\n\n-h :: Well, take a guess\n\n## What is this new switch: --usesavedstate (-u)\n\nWhen Yasuo runs, it performs several steps before starting to enumerate vulnerable applications. If you provide an IP address or range, it will perform a port scan against the provided targets. If you provide Yasuo with an nmap XML output file, it will parse that file and enumerate hosts with open web ports. It then sends a request for a fake (non-existent) file and directory to each enumerated ip:port. To reduce false positives, it discards all ip:port pairs that respond with HTTP 200 OK for the fake file \u0026 directory requests. At the end of this whole process, we get a list of, let's say, \"good urls\". These good urls are then used to enumerate vulnerable applications.\n\nIf, for some reason, you have to re-run Yasuo against the same set of targets, previous versions of Yasuo will go through this whole process again. That's not efficient at all. I know, I am mostly dumb and a slow learner but I am constantly evolving. Anyways, a good reason to re-run Yasuo against the same targets could be to use a different (or custom) signatures file.\n\nThis latest version of Yasuo will automatically save a file, savedURLstateXXXXX.out, in the same folder it runs from. This file will contain all the \"good urls\". If you plan to re-run Yasuo on the same targets, just feed this file to Yasuo without the -f or -r options.\n\n`Example: ruby yasuo.rb -s my_custom_signatures.yaml -u savedURLstateXXXXX.out`\n\nYasuo will parse this file and start enumerating vulnerable applications against the listed \"good urls\". 
Ta-Da.\n\n## Examples\n\n`./yasuo -r 127.0.0.1 -p 80,8080,443,8443 -b form`\n\nThe above command will perform a port scan against 127.0.0.1 on ports 80, 8080,\n443 and 8443 and will brute-force login for all the applications that implement\nform-based authentication.\n\n\n`./yasuo -l /project/hosts -p 80,8080,443,8443`\n\nThe above command will perform a port scan against the hosts in file /project/hosts\non ports 80, 8080, 443 and 8443 and will not perform any brute-force actions against\nthe applications discovered.\n\n\n`./yasuo -f my_nmap_output.xml -b all`\n\nThe above command will parse the nmap output file \"my_nmap_output.xml\" and will\nbrute-force login for all the applications that implement form-based and http\nbasic authentication.\n\n\n## Tetris-style Program Flow\n\n![Alt text](./tetris-style-program-flow.JPG)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xsauby%2Fyasuo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xsauby%2Fyasuo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xsauby%2Fyasuo/lists"}