{"id":13580448,"url":"https://github.com/telekom-security/explo","last_synced_at":"2025-04-06T02:31:33.375Z","repository":{"id":48724923,"uuid":"46345473","full_name":"telekom-security/explo","owner":"telekom-security","description":"Human and machine readable web vulnerability testing format","archived":true,"fork":false,"pushed_at":"2022-09-19T04:19:40.000Z","size":204,"stargazers_count":188,"open_issues_count":2,"forks_count":45,"subscribers_count":16,"default_branch":"master","last_synced_at":"2025-03-17T04:36:42.798Z","etag":null,"topics":["automation","pentesting","security","web-security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/telekom-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-11-17T12:24:47.000Z","updated_at":"2025-03-07T18:07:29.000Z","dependencies_parsed_at":"2022-08-27T09:51:32.672Z","dependency_job_id":null,"html_url":"https://github.com/telekom-security/explo","commit_stats":null,"previous_names":["dtag-dev-sec/explo"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telekom-security%2Fexplo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telekom-security%2Fexplo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telekom-security%2Fexplo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telekom-security%2Fexplo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/telekom-security","download_url":"https://codeload.github
.com/telekom-security/explo/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247426000,"owners_count":20937050,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","pentesting","security","web-security"],"created_at":"2024-08-01T15:01:51.568Z","updated_at":"2025-04-06T02:31:33.093Z","avatar_url":"https://github.com/telekom-security.png","language":"Python","readme":"# explo\n\n![screenshot](screenshot.png)\n\n`explo` is a simple tool to describe web security issues in a human and machine readable format.\nBy defining a request/condition workflow, `explo` is able to exploit security issues without the\nneed to write a script. This makes it possible to share complex vulnerabilities in a simple, readable and executable format. 
\n\nExample of extracting a CSRF token and using it in a form:\n```yaml\nname: get_csrf\ndescription: extract csrf token\nmodule: http\nparameter:\n    url: http://example.com/contact\n    method: GET\n    header:\n        user-agent: Mozilla/5.0\n    extract:\n        csrf: [CSS, \"#csrf\"]\n---\nname: exploit\ndescription: exploits sql injection vulnerability with valid csrf token\nmodule: http\nparameter:\n    url: http://example.com/contact\n    method: POST\n    body:\n        csrf: \"{{get_csrf.extracted.csrf}}\"\n        username: \"' SQL INJECTION\"\n    find: You have an error in your SQL syntax\n```\n\n# Table of contents\n\n - [Installation](#installation)\n - [Usage](#usage)\n - [Modules](#modules)\n   - [HTTP (Basic)](#http-basic)\n   - [HTTP (Header)](#http_header)\n   - [SQLI (Blind)](#sqli_blind)\n   - [Metadata](#metadata)\n\nIn this example definition file, the security issue is tested by executing two steps, which are run from top to bottom. The last step returns a success or failure, depending on whether the string 'You have an error in your SQL syntax' is found.\n\n## Installation\n\n### Install via PyPI\n\n    pip install explo\n\n### Install via source\n\n    git clone https://github.com/dtag-dev-sec/explo\n    cd explo\n    python setup.py install\n\n## Usage\n\n    explo [--verbose|-v] testcase.yaml\n    explo [--verbose|-v] examples/*.yaml\n\nThere are a few example testcases in the `examples/` folder.\n\n    $ explo examples/SQLI_simple_testphp.vulnweb.com.yaml\n\nYou can also use explo as a Python library:\n\n```python\nfrom explo.core import from_content as explo_from_content\nfrom explo.core import ExploException, ProxyException\n\ndef save_log(msg):\n    print(msg)\n\ntry:\n    result = explo_from_content(explo_yaml_file, save_log)\nexcept ExploException as err:\n    print(err)\n```\n\n## Options\n\nAn HTTP/HTTPS proxy and a timeout for requests can be set via environment variables. 
The default timeout is set to 15 seconds.\n\n    $ export http_proxy=http://proxy:8089\n    $ export https_proxy=https://proxy:8090\n    $ export timeout=10\n    $ explo ...\n\n## Modules\n\nModules can be added to extend functionality and cover further classes of security issues.\n\n### http (basic)\n\nThe http module makes an HTTP request, extracts content and searches/verifies content. \n\nThe following data is made available for subsequent steps:\n\n* the http response body: `stepname.response.content` \n* the http response cookies: `stepname.response.cookies`\n* extracted content: `response.extracted.variable_name`\n\nIf a `find_regex` parameter is set, a regular expression match is executed on the response body. If the match fails, the module returns a failure, which stops execution of the current workflow (and all steps).\n\nWhen extracting by regular expressions, use the match group `extract` to mark the value to extract (see below for an example).\n\nTo reuse cookies, reference the name of the previous step from which the cookies should be taken (`cookies: the_other_step.response.cookies`).\n\nParameter examples:\n\n```yaml\nparameter:\n    url: http://example.com\n    method: GET\n    allow_redirects: True\n    headers:\n        User-Agent: explo\n        Content-Type: abc\n    cookies: stepname.response.cookies\n    body:\n        key: value\n    find: search for string\n    find_regex: search for (reg|ular)expression\n    find_in_headers: searchstring in headers\n    expect_response_code: 200\n    extract:\n        variable1: [CSS, '#csrf']\n        variable2: [REGEX, '\u003cinput(.*?)value=\"(?P\u003cextract\u003e.*?)\"']\n```\n\n### http\\_header\n\nThe `http_header` module checks whether a response is missing a specified set of headers (and values). 
All other parameters are *identical* to the http module.\n\nThe following data is made available for other modules:\n\n* the http response body: `stepname.response.content` \n* the http response cookies: `stepname.response.cookies`\n\nParameter examples:\n\n```yaml\nparameter:\n    url: http://example.com\n    method: GET\n    allow_redirects: True\n    headers:\n        User-Agent: explo\n        Content-Type: abc\n    body:\n        key: value\n    headers_required:\n        X-XSS-Protection: 1\n        Server: .               # all values are valid\n```\n\n### sqli\\_blind\n\nThe sqli\\_blind module is able to identify time-based blind SQL injections.\n\nThe following data is made available for other modules:\n\n* the http response body: `stepname.response.content` \n* the http response cookies: `stepname.response.cookies`\n\nParameter examples:\n\n```yaml\nparameter:\n    url: http://example.com/vulnerable.php?id=1' waitfor delay '00:00:5'--\n    method: GET\n    delay_seconds: 5\n```\n\nIf the threshold of 5 seconds (delay\\_seconds) is exceeded, the check returns true (resulting in a success).\n\n### metadata\n\nThe metadata block is a special block which can be added as the first block in a .yaml file to add metadata to a vulnerability for further processing. This becomes useful when explo is used as a library and metadata for each vulnerability description can be read with `meta_from_content(content)`. 
This module does not need a name or description.\n\nExamples:\n\n```yaml\nmodule: metadata\nparameter:\n    cvss: 8.9\n    author: Robin Verton\n---\nname: login\ndescription: login with test credentials\nmodule: http\nparameter:\n    url: http://testphp.vulnweb.com/userinfo.php\n    method: POST\n    body:\n        uname: test\n        pass: test\n```\n","funding_links":[],"categories":["Python","Python (1887)"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftelekom-security%2Fexplo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftelekom-security%2Fexplo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftelekom-security%2Fexplo/lists"}