{"id":35170721,"url":"https://github.com/supun2001/pen-testing","last_synced_at":"2026-04-14T01:32:02.996Z","repository":{"id":330462543,"uuid":"1122841897","full_name":"supun2001/pen-testing","owner":"supun2001","description":"A collection of ethical penetration testing automation scripts for OAuth/Auth0 testing, security header analysis, JWT token inspection, and web application misconfiguration detection.","archived":false,"fork":false,"pushed_at":"2025-12-25T16:53:39.000Z","size":28,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-04T10:20:51.100Z","etag":null,"topics":["auth0","bug-bounty","headers-checker","jwt","pentesting-python","python3","security-testing","web-security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/supun2001.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-25T16:25:33.000Z","updated_at":"2025-12-25T16:53:42.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/supun2001/pen-testing","commit_stats":null,"previous_names":["supun2001/pen-testing"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/supun2001/pen-testing","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/supun2001%2Fpen-testing","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/supun2001%2Fpe
n-testing/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/supun2001%2Fpen-testing/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/supun2001%2Fpen-testing/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/supun2001","download_url":"https://codeload.github.com/supun2001/pen-testing/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/supun2001%2Fpen-testing/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31778580,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T00:11:49.126Z","status":"ssl_error","status_checked_at":"2026-04-14T00:10:29.837Z","response_time":93,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth0","bug-bounty","headers-checker","jwt","pentesting-python","python3","security-testing","web-security"],"created_at":"2025-12-28T20:39:32.886Z","updated_at":"2026-04-14T01:32:02.985Z","avatar_url":"https://github.com/supun2001.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Web Hacking \u0026 Bug Bounty Scripts\n\n\u003e A curated collection of penetration testing and web security automation scripts. 
During my bug bounty and pentesting journey, I developed these tools to automate common security testing tasks, including **Auth0 analysis**, **JWT inspection**, **security header validation**, and **modern web vulnerability testing**.\n\n## Disclaimer\n\nThese scripts are intended **for educational and research purposes only**.  \nUse them **only on systems you own or have explicit authorization to test**.  \nAny illegal or unauthorized use is strictly prohibited.\n\n---\n\n## Overview\n\nThis repository contains Python-based tools designed to help **security researchers, bug bounty hunters, and developers** automate common and repeatable web security checks.\n\nThe goal is to reduce manual effort while improving consistency when testing authentication and authorization flows—especially **Auth0-based applications**.\n\n### Included (and Planned) Capabilities\n\n- Auth0 security testing automation  \n- JWT token analyzers \n- HTTP security header checkers  \n- Open redirect \u0026 CORS testing  \n- Session fixation \u0026 CSRF testing  \n- XSS payload generators  \n- Rate limiting \u0026 PKCE enforcement tests  \n\n\u003e **Warning:**  \n\u003e These scripts must only be used on systems you own or have explicit permission to test.  
\n\u003e Unauthorized testing is illegal and unethical.\n\n---\n\n## Features\n\n- **Auth0 Security Tester**  \n  Automated testing for:\n  - Open redirects\n  - JWT weaknesses \u0026 algorithm confusion\n  - Token replay risks\n  - CORS misconfigurations\n  - Session fixation\n  - CSRF exposure\n  - PKCE enforcement issues\n\n- **Header Checker** *(coming soon)*  \n  Validate security headers such as:\n  - Content-Security-Policy (CSP)\n  - X-Frame-Options\n  - Strict-Transport-Security (HSTS)\n\n- **JWT Analyzer** *(coming soon)*  \n  Decode and inspect JWTs for:\n  - Weak algorithms\n  - Overly long expiration times\n  - Embedded sensitive data\n\n- **XSS Payload Generator** *(coming soon)*  \n  Generate payloads for safe, manual testing of user input fields.\n\n---\n\n## Scripts\n\n### Auth0 Security Tester (React SDK v2.6.0) \n[Script](scripts/auth0_test.py)\n\nThis script automates multiple security checks against applications using **Auth0 React SDK version 2.6.0**.\n\n**Run example:**\n```bash\npython3 auth0_test.py --domain your-domain.auth0.com --client-id YOUR_CLIENT_ID --token YOUR_ACCESS_TOKEN\n```\n\n**Example Output:**\n```bash\n============================================================\nSECURITY TEST REPORT\n============================================================\nTest completed at: 2025-12-25T12:00:00\nTarget Domain: example.auth0.com\nClient ID: abc123\n\nVulnerabilities: 5\nWarnings: 1\nSecure: 4\n\n⚠️  VULNERABILITIES FOUND:\n  - Open Redirect: Redirect to https://evil.com was accepted\n  - CORS: Wildcard CORS origin allowed\n  - CSRF: Logout endpoint https://example.com/logout has no CSRF protection\n  - JWT Algorithm: Weak algorithm detected: HS256\n  - Sensitive Data: Possible sensitive data in token: api_key\n\n⚡ WARNINGS:\n  - Token Expiration: Token valid for 48.00 hours\n\nFull report saved to: auth0_security_report_20251225_120000.json\n```\n\n## Disclaimer\n\n- Only use these scripts on systems you own or are authorized to 
test.\n- This repository is for educational and research purposes only.\n- Do not attempt to exploit or harm third-party systems without permission.\n\n## Recommended Tools for Use\n\n- Bug Bounty \u0026 Pentesting: Burp Suite, Nmap, Nikto, Sublist3r, Gobuster\n- SOC \u0026 Security Analysis: Splunk, ELK Stack, Wireshark, OpenCanary\n- Software \u0026 Dev: Python, MERN Stack, Docker, Git\n- Security Concepts: XSS, CSRF, Open Redirect, JWT attacks, PKCE, OAuth 2.0\n\n## Contact\n\n- Email: supun2001hasanka.com\n- LinkedIn: [supun2001](https://www.linkedin.com/in/supun-hasanka-908741186/)\n- Portfolio: [supunhasanka.tech](https://supunhasanka.tech/)\n\n## More Labs \u0026 Hands-On Practice\nFor additional security labs, automation scripts, and practical exercises, check out my blog: [Blog](https://supunhasanka.tech/blog)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsupun2001%2Fpen-testing","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsupun2001%2Fpen-testing","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsupun2001%2Fpen-testing/lists"}
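The README above describes a planned "JWT Analyzer" (decode a token, flag weak algorithms, long expiration, embedded sensitive data) and a sample report that lists "Weak algorithm detected: HS256". The example below is added here and is not code from the supun2001/pen-testing repository; it shows one way to do that inspection with the standard library only. One caveat the sample report does not make: HS256 is not weak in itself. The exploitable conditions are `alg` set to `none`, an HMAC `alg` presented to a verifier that is expected to use an asymmetric algorithm (the RS256-to-HS256 confusion attack, where the public key is used as the HMAC secret), or a guessable shared secret. The code therefore keys its finding on a mismatch against an assumed `expected_alg` parameter rather than on the algorithm name alone. The helper names, the 24-hour lifetime limit, the claim-name fragments treated as sensitive, and the sample token are all assumptions constructed for the example.

```python
"""Offline JWT inspection (added example, not the repository's own script).

Decodes a compact JWS without verifying it and reports:
  * alg "none" (matched case-insensitively) or an empty signature
  * an HMAC alg on a token whose verifier is expected to use RS*/ES*/PS*
    (the setup in which RS256 -> HS256 algorithm confusion is worth testing)
  * an exp/iat window longer than a configurable limit, or no exp at all
  * claim names that look like secret material (values are never logged)
"""
import base64
import hashlib
import hmac
import json
import time

ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
                   "PS256", "PS384", "PS512"}
# Assumed list of claim-name fragments that should not travel in a bearer token.
SENSITIVE_FRAGMENTS = ("password", "passwd", "secret", "api_key", "apikey",
                       "private_key", "ssn", "card")


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified(token: str):
    """Split header.payload.signature and decode the two JSON parts."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return (json.loads(_b64url_decode(parts[0])),
            json.loads(_b64url_decode(parts[1])),
            parts[2])


def analyze_jwt(token, expected_alg="RS256", max_lifetime_hours=24, now=None):
    """Return findings as dicts with keys severity, check, detail."""
    now = time.time() if now is None else now
    header, payload, signature = decode_unverified(token)
    findings = []
    alg = str(header.get("alg", ""))
    # Some libraries accepted "None"/"NONE", so never compare case-sensitively.
    if not alg or alg.lower() == "none":
        findings.append({"severity": "vulnerability", "check": "alg-none",
                         "detail": f"alg={alg!r}: token asks to be accepted unsigned"})
    elif alg.startswith("HS") and expected_alg in ASYMMETRIC_ALGS:
        findings.append({"severity": "vulnerability", "check": "alg-confusion",
                         "detail": f"token alg {alg} but verifier expected {expected_alg}: "
                                   "test HMAC-with-public-key confusion"})
    elif alg != expected_alg:
        findings.append({"severity": "warning", "check": "alg-mismatch",
                         "detail": f"token alg {alg}, expected {expected_alg}"})
    if not signature:
        findings.append({"severity": "vulnerability", "check": "unsigned",
                         "detail": "empty signature segment"})
    exp, iat = payload.get("exp"), payload.get("iat")
    if exp is None:
        findings.append({"severity": "warning", "check": "lifetime",
                         "detail": "no exp claim: token never expires"})
    else:
        # Lifetime is exp-iat when iat is present, otherwise exp measured from now.
        hours = (exp - (iat if iat is not None else now)) / 3600
        if hours > max_lifetime_hours:
            findings.append({"severity": "warning", "check": "lifetime",
                             "detail": f"token valid for {hours:.2f} hours "
                                       f"(limit {max_lifetime_hours})"})
    for claim in payload:
        if any(frag in claim.lower() for frag in SENSITIVE_FRAGMENTS):
            findings.append({"severity": "vulnerability", "check": "sensitive-claim",
                             "detail": f"claim {claim!r} looks like secret material"})
    return findings


def build_hs_token(payload, key: bytes, alg="HS256"):
    """Build a test token; alg='none' yields an unsigned token with an empty signature."""
    def enc(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(payload)}"
    if alg.lower() == "none":
        return signing_input + "."
    digest = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}[alg]
    sig = hmac.new(key, signing_input.encode(), digest).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    # Constructed sample: HS256 token, 48-hour lifetime, an api_key claim,
    # inspected against a verifier assumed to use RS256.
    t0 = 1_700_000_000
    sample = build_hs_token({"sub": "user1", "iat": t0, "exp": t0 + 48 * 3600,
                             "api_key": "k-123"}, b"dev-secret")
    for f in analyze_jwt(sample, expected_alg="RS256", now=t0):
        print(f"[{f['severity']}] {f['check']}: {f['detail']}")
```

Run it as a script to see the three findings for the constructed token; to inspect a real token, paste it into `analyze_jwt` with `expected_alg` set to whatever the tenant's JWKS advertises. The same HS256 token analysed with `expected_alg="HS256"` produces no algorithm finding, which is the point of the caveat above.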