{"id":25697870,"url":"https://github.com/patricktulskie/concuss","last_synced_at":"2025-04-28T14:44:28.463Z","repository":{"id":65406646,"uuid":"590735974","full_name":"PatrickTulskie/concuss","owner":"PatrickTulskie","description":"Throw a bunch of headers at a web app and see what sticks","archived":false,"fork":false,"pushed_at":"2024-09-26T16:45:46.000Z","size":343,"stargazers_count":5,"open_issues_count":2,"forks_count":1,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-26T23:04:33.947Z","etag":null,"topics":["malformed-headers","pentest","ruby","security","security-auto","security-tools","testing","webapp-security"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PatrickTulskie.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["patricktulskie"]}},"created_at":"2023-01-19T04:27:55.000Z","updated_at":"2025-04-17T02:16:16.000Z","dependencies_parsed_at":"2024-03-29T17:53:36.906Z","dependency_job_id":null,"html_url":"https://github.com/PatrickTulskie/concuss","commit_stats":{"total_commits":19,"total_committers":2,"mean_commits":9.5,"dds":"0.052631578947368474","last_synced_commit":"0488e2870178f25816c01dc703ccf7886a818d51"},"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PatrickTulskie%2Fconcuss","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PatrickTulskie%2Fconcuss/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PatrickTulskie%2Fconcuss/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PatrickTulskie%2Fconcuss/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PatrickTulskie","download_url":"https://codeload.github.com/PatrickTulskie/concuss/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251332362,"owners_count":21572601,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["malformed-headers","pentest","ruby","security","security-auto","security-tools","testing","webapp-security"],"created_at":"2025-02-25T02:32:44.963Z","updated_at":"2025-04-28T14:44:28.440Z","avatar_url":"https://github.com/PatrickTulskie.png","language":"Ruby","funding_links":["https://github.com/sponsors/patricktulskie"],"categories":[],"sub_categories":[],"readme":"![Concuss](documentation/img/concuss_logo.png)\n\n[![Gem Version](https://badge.fury.io/rb/concuss.svg)](https://badge.fury.io/rb/concuss)\n[![Build Status](https://github.com/patricktulskie/concuss/actions/workflows/main.yml/badge.svg)](https://github.com/patricktulskie/concuss/actions/workflows/main.yml)\n\n## What is it?\n\nConcuss is a tool for banging against a url with a bunch of different headers to look for potential vulnerabilities.\n\nIt works by sending a custom or a random string to a webserver for a specific url in a variety of headers to see if it's able to get that string to appear on the page. If so, you'll get a HIT and you can evaluate that header to see if it's useful for some kind of XSS, cache poisoning, or some other form of injection from malformed headers.\n\nOften times web app and framework developers assume that headers from the client are not malicious or manipulated and will just write them out to the page in one form or another. This project is a specialized tool to find instances of this so that they can be fixed before they are abused.\n\n## What it is NOT.\n\nConcuss is not a tool for automating vulnerabilities, nor should it be used to certify that a page is safe from vulnerabilities. It should not be used on applications or website that you do not personally have permission to scan.\n\nSending malformed headers to a site can potentially cause errors, crashing, and other damage that I am not responsible for as a result of any usage of this tool. You agree to use this tool at your own risk.\n\n## Installation\n\nInstall the gem and add to the application's Gemfile by executing:\n\n    $ bundle add concuss\n\nIf bundler is not being used to manage dependencies, install the gem by executing:\n\n    $ gem install concuss\n\n## Usage\n\nPrimarily, you'll want to use it as a CLI like so:\n\n```\nconcuss http://localhost:4567\nconcuss http://localhost:4567 -h non_standard\n```\n\nSee `concuss --help` for more usage details.\n\nWhile concuss is designed to be used as a command line tool, you can also include it in your own custom application like so:\n\n```\nrequire 'concuss'\n\nconcuss = Concuss.new(url: 'http://localhost:4567', file: 'header_file.txt', header_set: :standard, test_string: \"OOGABOOGA\")\nreport = concuss.attack!\n```\n\nFrom there, you'll get a `Concuss::Report` object that contains the raw data as well as filters for `hits`, `misses`, `headers`, and the `url` in the event you've done a bunch of these.\n\n## Demo\n\nThere is a sample app with a vulnerability to test with in the `vuln_app` directory. It takes the contents of `X-CSRF-Token` and spits them out blindly.\n\nHere's some steps to get going with that:\n\n```\ndocker-compose build\ndocker-compose run console bash\n\n# You should see the vuln_app container boot up and\n# then you'll land in bash on the console container\n\nbin/concuss http://vuln_app:4567 -h non_standard\n```\n\n## Development\n\nPrimarily, you'll want to use Docker to do debugging and development. To get into the console, just run `docker-compose run console bash` and from there you can run `bin/concuss` against the sample vulnerable app, or you can run `rspec` to run the specs.\n\nIf you prefer to develop without docker, after checking out the repo, run `bundle install` to install dependencies. Then, run `rspec` to run the tests.\n\nWhen developing using docker or on your bare machine you can also run `script/console` for an interactive prompt that will allow you to experiment. This will give you access to the underlying classes and let you experiment outside the confines of the CLI.\n\nIf you add features or fix bugs, please write specs and open up a PR.\n\nNote: Concuss was designed to easily install on most systems with ruby 3+. As such, its only dependencies are in the ruby standard library.\n\n## Contributing\n\nBug reports and pull requests are welcome on GitHub at https://github.com/patricktulskie/concuss\n\n## License\n\nThe gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatricktulskie%2Fconcuss","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpatricktulskie%2Fconcuss","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatricktulskie%2Fconcuss/lists"}