{"id":18900258,"url":"https://github.com/hex0punk/gore","last_synced_at":"2025-12-15T16:28:13.296Z","repository":{"id":57513709,"uuid":"152160618","full_name":"hex0punk/goRE","owner":"hex0punk","description":"A modular bug hunting and web application pentesting framework written in Go","archived":false,"fork":false,"pushed_at":"2022-03-05T00:31:30.000Z","size":2146,"stargazers_count":55,"open_issues_count":1,"forks_count":9,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-28T14:39:07.467Z","etag":null,"topics":["appsec","chrome","chrome-devtools","gorp","gorp-plugin"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hex0punk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-10-08T23:43:10.000Z","updated_at":"2025-01-07T02:21:15.000Z","dependencies_parsed_at":"2022-08-31T06:40:55.210Z","dependency_job_id":null,"html_url":"https://github.com/hex0punk/goRE","commit_stats":null,"previous_names":["dharmaofcode/gorp"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hex0punk%2FgoRE","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hex0punk%2FgoRE/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hex0punk%2FgoRE/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hex0punk%2FgoRE/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hex0punk","download_url":"https://codeload.github.com/hex0punk/goRE/tar.gz/refs/heads/master","host":{"name":"GitHub","url"
:"https://github.com","kind":"github","repositories_count":248995100,"owners_count":21195497,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","chrome","chrome-devtools","gorp","gorp-plugin"],"created_at":"2024-11-08T08:50:42.931Z","updated_at":"2025-12-15T16:28:13.209Z","avatar_url":"https://github.com/hex0punk.png","language":"Go","readme":"[![Go Report Card](https://goreportcard.com/badge/github.com/hex0punk/goRE)](https://goreportcard.com/report/github.com/hex0punk/goRE)\n[![Go Documentation](http://godoc.org/github.com/hex0punk/goRE?status.svg)](http://godoc.org/github.com/hex0punk/goRE)\n[![License: GPL v3](https://img.shields.io/badge/License-GPL%20v3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)\n\n# goRE\nA modular bug hunting, pentesting and webapp reverse engineering framework written in Go.\n\n_If you want to learn more about how this idea came about and how I went about writing this, you can read [this blog post](https://codedharma.com/posts/chrome-devtools-fun-with-golang/). However, note that a lot has changed in the architecture since I wrote that post._\n\ngoRE is a framework created for web pentesting and reverse engineering. It leverages the Chrome DevTools Protocol to intercept HTTP responses through Go plugins as you conduct a pentest with Chrome.\n\n## goRE plugins\ngoRE plugins are essentially modules that you can use to modify or audit web responses. There are two different types of plugins (so far):\n\n- **Processors:** processor plugins alter the response before it is rendered in the browser. 
This can be useful for things like modifying JavaScript code, changing HTML directives, unhiding elements in the page, highlighting areas of interest, etc.\n\n- **Inspectors:** inspectors conduct analysis on responses. For instance, you may want to record all references to API calls made by the application by inspecting JavaScript code. This way, rather than waiting until the browser makes a call to `/api/admin/adduser`, you may be able to find a reference to that path in the client-side code. JS framework-specific inspectors could also be used to inspect things such as services, controllers, authorization controllers, etc. Inspectors do not modify responses.\n\n\n### Recompiling goRE plugins\nAt the moment there are constant changes to the module package. A change in that package requires that plugins be recompiled. This can be a pain as every module would need to be recompiled, so we have automated that task. Run the command below and all modules will be recompiled:\n\n```shell\ngo run main.go -p\n```\n\n## Using goRE\n1. Create a configuration file that uses the structure used by the `config.yaml` file in the root directory of this repo.\n2. Make sure the plugins that you want to use are compiled. You can compile all available plugins by running `go run main.go -p`\n3. You can find information about any plugin by running this command:\n   ```bash\n   go run main.go -i -m \"/the/path/of/the/module/\"\n   ```\n4. To run goRE:\n   ```bash\n   go run main.go -c \"./path/to/your/config/file.yml\"\n   ```\n   \nIf run successfully, a new Chrome window should open up with two tabs. Use the second tab to navigate to the site that you are currently pentesting. Press `ctrl + c` to end the session (TODO: make a more effective way to end sessions).\n\n### Ok, but what can I actually do with goRE?\n\nThere are 7 modules available at the moment. 
You can find information about each plugin by running `go run main.go -i /path/to/module/`\n\nHere are some fun things that you can do right now. Each task is followed by a code snippet showing what your config would look like to enable the right plugins. Note that you can enable multiple plugins at the same time.\n\n**1) Force Angular 2 application to load in development mode**\n\n```yaml\nscope: \"example.com\"\nverbose: False\nflags: [\"-na\", \"--disable-gpu\", \"--window-size=1200,800\", \"--auto-open-devtools-for-tabs\",\"--disable-popup-blocking\"]\nmodules:\n  processors:\n    - path: \"/data/modules/processors/angular/prodModeHijacker/\"\n      options: {}\n```\n\n**2) Hijack and alter a function loaded by a web application**\n\n```yaml\nscope: \"example.com\"\nverbose: False\nflags: [\"-na\", \"--disable-gpu\", \"--window-size=1200,800\", \"--auto-open-devtools-for-tabs\",\"--disable-popup-blocking\"]\nmodules:\n  processors:\n    - path: \"/data/modules/processors/generic/functionhijacker/\"\n      options:\n         Indicator: \"isLoggedIn\"\n         NewBody: \"{return true}\"\n```\n\n**3) Record API calls in a file**\n\n```yaml\nscope: \"example.com\"\nverbose: False\nflags: [\"-na\", \"--disable-gpu\", \"--window-size=1200,800\", \"--auto-open-devtools-for-tabs\",\"--disable-popup-blocking\"]\nmodules:\n  inspectors:\n    - path: \"/data/modules/inspectors/generic/apifinder/\"\n      options:\n        FilePath : \"./logs/apifinds.txt\"\n```\n\n**4) Inject code in an existing function**\n\n```yaml\nscope: \"example.com\"\nverbose: False\nflags: [\"-na\", \"--disable-gpu\", \"--window-size=1200,800\", \"--auto-open-devtools-for-tabs\",\"--disable-popup-blocking\"]\nmodules:\n  processors:\n    - path: \"/data/modules/processors/generic/injector/\"\n      options:\n        FunctionName: \"isAdmin\"\n        Injection: \"console.log('function called, injection confirmed!');return true;\"\n```\n\n**5) Set all ngIf and ng-if attributes to always return true 
(applies to Angular apps)**\n\n```yaml\nscope: \"example.com\"\nverbose: False\nflags: [\"-na\", \"--disable-gpu\", \"--window-size=1200,800\", \"--auto-open-devtools-for-tabs\",\"--disable-popup-blocking\"]\nmodules:\n  processors:\n    - path: \"/data/modules/processors/angular/unhider/\"\n      options: {}\n```\n\n\n**6) Simple find and replace**\n\n```yaml\nscope: \"example.com\"\nverbose: False\nflags: [\"-na\", \"--disable-gpu\", \"--window-size=1200,800\", \"--auto-open-devtools-for-tabs\",\"--disable-popup-blocking\"]\nmodules:\n  processors:\n    - path: \"/data/modules/processors/generic/findreplace/\"\n      options:\n         Find: \"isAdmin=false\"\n         Replace: \"isAdmin=true\"\n```\n\n**7) Unhide all hidden inputs and highlight what each input is used for**\n\n```yaml\nscope: \"example.com\"\nverbose: False\nflags: [\"-na\", \"--disable-gpu\", \"--window-size=1200,800\", \"--auto-open-devtools-for-tabs\",\"--disable-popup-blocking\"]\nmodules:\n  processors:\n    - path: \"/data/modules/processors/generic/unhider/\"\n      options: {}\n```\n\n## Creating your own gorp plugin\nThe power of gorp is in the plugins. Creating your own plugin is simple.\n\n1. Create a file called `gorpmod.go` under `/data/modules/processors` or `/data/modules/inspectors`, depending on your type of plugin (see above for the differences between an inspector and a processor).\n2. Depending on the type of plugin, your code must implement either the `Processor` or `Inspector` interface, which are declared in the `modules` package. Both module types must accept a struct parameter of type `modules.WebData`, which gives your module access to the response body, headers and type. The type can be `Document`, `Script` or `Request` (`Request` types have not been implemented yet but that is on my list of priorities for gorp).\n3. Your plugin must include a symbol to be used by gorp. 
The symbol should be declared like this:\n\n   ```golang\n   //apifinder is just the name of your plugin\n   type apifinder struct {\n       Registry    modules.Registry\n       Options    []modules.Option\n   }\n   ```\n4. Make sure to export the symbol at the end of your plugin, like so:\n\n   ```golang\n   var Inspector apifinder\n   ```\n 5. Compile your plugin like so:\n \n    ```bash\n    go build -buildmode=plugin -o gorpmod.so gorpmod.go\n    ```\n 6. Now you are ready to use your plugin with gorp. \n \n## Additional Debugging Options\n\n### Injecting Custom Debugger Code\n\nGorp now allows you to inject code used for automating debugging tasks from the console. To do so, do the following:\n\n1) Create a JS file where you will enter your custom code.\n2) Add any logic/code you want to your file. \n3) You will need to add any initialization logic inside a function called `gorp()`. Gorp will call `gopr()` on page loads.\n4) Add the following to your `config.yml` file:\n    ```\n    script:\n      path: \"/path/to/scripts.js\"\n    ```\n5) Launch gorp and make use of your functions from the console.\n\n### XHR Based Breakpoints\n\nYou can now also set up breakpoints based on XHR logic. Let's say you want to pause execution and examine variables when calls to `/v1/accounts` and `/v1/api_keys` are made by the front end. Simply add the following to your config file to do so:\n\n```yaml\nxhrBreakPoints:\n  - \"/v1/accounts\"\n  - \"/v1/api_keys\"\n```\n\n## Immediate Needs\n- I have not found a JS beautifier and deobfuscation Go library yet. Worst-case scenario, I could either write one (kind of a project of its own) or use node libraries via system calls.\n\n## Todo\n \n - Add a fancy, interactive shell-like CLI. 
\n - Rad CLI colors and functions for fancy cli printing\n - Create more plugins for tasks such as:\n     - Keep track of values such as user GUIDs and show alarms when certain conditions occur while you explore an application (helpful for finding IDORs).\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhex0punk%2Fgore","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhex0punk%2Fgore","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhex0punk%2Fgore/lists"}