{"id":49453990,"url":"https://github.com/venkatas/vikramaditya","last_synced_at":"2026-04-30T04:02:27.477Z","repository":{"id":346941149,"uuid":"1192238404","full_name":"venkatas/vikramaditya","owner":"venkatas","description":"Autonomous VAPT platform. Give it a target (FQDN, IP, CIDR) — it hunts, it reports. Inspired by the Obsidian Order.","archived":false,"fork":false,"pushed_at":"2026-04-27T15:45:18.000Z","size":1963,"stargazers_count":6,"open_issues_count":0,"forks_count":3,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-04-27T17:12:53.980Z","etag":null,"topics":["ai-security","autonomous-agent","bash","bug-bounty","penetration-testing","python","recon","security","vapt","vulnerability-scanner"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/venkatas.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-03-26T02:49:28.000Z","updated_at":"2026-04-27T15:45:22.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/venkatas/vikramaditya","commit_stats":null,"previous_names":["venkatas/obsidian","venkatas/vikramaditya"],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/venkatas/vikramaditya","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/venkatas%2Fvikramaditya","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/venkatas%2F
vikramaditya/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/venkatas%2Fvikramaditya/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/venkatas%2Fvikramaditya/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/venkatas","download_url":"https://codeload.github.com/venkatas/vikramaditya/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/venkatas%2Fvikramaditya/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32454170,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-29T22:27:22.272Z","status":"online","status_checked_at":"2026-04-30T02:00:05.929Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-security","autonomous-agent","bash","bug-bounty","penetration-testing","python","recon","security","vapt","vulnerability-scanner"],"created_at":"2026-04-30T04:02:24.167Z","updated_at":"2026-04-30T04:02:27.470Z","avatar_url":"https://github.com/venkatas.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n```\n ██╗   ██╗██╗██╗  ██╗██████╗  █████╗ ███╗   ███╗ █████╗ ██████╗ ██╗████████╗██╗   ██╗ █████╗\n ██║   ██║██║██║ ██╔╝██╔══██╗██╔══██╗████╗ ████║██╔══██╗██╔══██╗██║╚══██╔══╝╚██╗ ██╔╝██╔══██╗\n ██║   ██║██║█████╔╝ ██████╔╝███████║██╔████╔██║███████║██║  
██║██║   ██║    ╚████╔╝ ███████║\n ╚██╗ ██╔╝██║██╔═██╗ ██╔══██╗██╔══██║██║╚██╔╝██║██╔══██║██║  ██║██║   ██║     ╚██╔╝  ██╔══██║\n  ╚████╔╝ ██║██║  ██╗██║  ██║██║  ██║██║ ╚═╝ ██║██║  ██║██████╔╝██║   ██║      ██║   ██║  ██║\n   ╚═══╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝     ╚═╝╚═╝  ╚═╝╚═════╝ ╚═╝   ╚═╝      ╚═╝   ╚═╝  ╚═╝\n```\n\n**v8.0.0 — Dual-track VAPT: Blackbox engine + Whitebox AWS audit, unified correlator, single report**\n\nGive it a target. It picks the right engine — recon/fuzz/scan from the outside, or `cloud_hunt` from the inside (Prowler + PMapper + secrets correlator) — and feeds findings through the same correlator into the same Burp-style HTML report. The whitebox layer adds CIS / SOC2 / HIPAA / FedRAMP / FFIEC compliance evidence, IAM blast-radius graphs, and Lambda-environment / S3 / CloudWatch-Logs / SSM / SecretsManager / EC2-userdata secret scanning. v8 stays compatible with everything v7 added — engagement-privacy proxy, HAR auth replay, meme-coin module, HackerOne MCP, anonymization vault.\n\n\u003e *\"He who seeks the truth must be ready to face the fire.\"*\n\u003e — inspired by the legend of Vikramaditya\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg?style=flat-square)](LICENSE)\n[![Python 3.10+](https://img.shields.io/badge/Python-3.10+-3776AB.svg?style=flat-square\u0026logo=python\u0026logoColor=white)](https://python.org)\n[![Shell](https://img.shields.io/badge/Shell-bash-4EAA25.svg?style=flat-square\u0026logo=gnubash\u0026logoColor=white)](https://www.gnu.org/software/bash/)\n[![AI Powered](https://img.shields.io/badge/AI-Ollama%20%7C%20MLX%20%7C%20Claude%20%7C%20GPT--4o%20%7C%20Grok-blueviolet.svg?style=flat-square)](#multi-provider-ai)\n\n[Quick Start](#quick-start) · [What's New in v8.0](#whats-new-in-v80) · [Whitebox AWS Audit](#whitebox-aws-audit-v80) · [Engagement Privacy](#engagement-privacy-v70v71) · [HAR-based Testing](#har-based-authenticated-testing) · [Architecture](#architecture) · [Vulnerability 
Coverage](#vulnerability-coverage) · [Reports](#reports) · [Installation](#installation) · [Contributing](#contributing)\n\n---\n\n**One target → Auto-fingerprint → Smart engine selection → AI writes exploit code → Professional report**\n\n**🔥 NEW in v8.0: Whitebox AWS audit (Prowler + PMapper + secrets correlator) feeds the same report.**\n\n\u003c/div\u003e\n\n---\n\n## What's New in v8.0\n\n| Pillar | What it does |\n|:-------|:-------------|\n| **`whitebox/cloud_hunt.py`** | Authenticated AWS audit. Iterates account-wide inventory (26 services × enabled regions), runs Prowler full-checks suite (~380 controls, OCSF JSON + CIS 1.4 / 1.5 / 2.0 / 3.0 / SOC2 / HIPAA / FedRAMP / FFIEC / GxP / AWS-FSBP / AWS-Well-Architected compliance CSVs), builds the PMapper IAM blast-radius graph (privesc paths, admin-reachability), scans secrets across Lambda env vars / SSM / SecretsManager / EC2 user-data / CloudWatch-Logs / S3 (with brain-driven or heuristic bucket selection so the scan finishes in minutes not hours), and emits a normalized correlator-ready findings dump. |\n| **Region-aware by default** | `ec2 describe-regions` filtered to opt-in-status in (`opt-in-not-required`, `opted-in`) — unenabled opt-in regions never enter the iteration set, so boto3 doesn't hang in SYN_SENT against `me-south-1` / `af-south-1`. Override via `WHITEBOX_REGIONS=us-east-1,ap-south-1,eu-west-1`. |\n| **Isolated-venv tool discovery** | Prowler 4.5 hard-pins `pydantic 1.10.18` (incompatible with `ollama` and most other deps in the main venv); PMapper 1.1.5 has its own dependency cluster. Whitebox discovers both binaries via env override → standard venv paths → `$PATH`. Lifts the typical pain of running CIS-grade audit tools alongside an LLM agent in one repo. |\n| **macOS / Linux storage path support** | PMapper's graph storage on macOS lives under `~/Library/Application Support/com.nccgroup.principalmapper/`, not `~/.principalmapper/`. 
Wrapper handles both, plus Linux XDG paths and `/var/lib/principalmapper`. |\n| **Configurable phase timeouts** | `PROWLER_TIMEOUT` (default 5400s) and `PMAPPER_TIMEOUT` (default 1800s) — large IAM estates and full-scope Prowler scans now extend cleanly without source edits. |\n| **Per-phase atomic manifest** | Every phase reports `complete` or `failed` with `completed_at` and `artifacts`. Re-runs without `--refresh` skip cached fresh phases (24h TTL); `--refresh` busts everything. Failed phases auto-retry on the next invocation. |\n| **Correlator hand-off** | Cloud assets (EC2, S3, Route53) are written as a per-account `asset_feed_\u003caccount\u003e.json` and merged across accounts into `asset_feed.json` so blackbox findings on `203.0.113.42` get cloud context (instance ID, IAM role, SG posture, bucket public-access state) inline in the final report. |\n| **Scope-lock by allowlist** | Route53 zones in the audited account are intersected with `--allowlist \u003cdomain\u003e` before being treated as in-scope; `--no-scope-lock` is required to audit every zone. Prevents the engagement-creep pattern of \"I audited this account, look what I found in their other domain.\" |\n| **142-test whitebox suite** | Unit + integration coverage of every phase, plus optional smoke (`WHITEBOX_SMOKE=1`) against real AWS profiles for end-to-end validation. |\n\n### Why dual-track matters\n\nBlackbox tests like a real attacker (no credentials, perimeter-only). Whitebox tests like an authorized cloud auditor (read-only IAM credentials, account-wide visibility). 
They surface different bug classes:\n\n- Blackbox finds: open ports, default IIS pages, SSRF, IDOR, public S3 with the right key guess.\n- Whitebox finds: orphan SG rules, IAM privesc graphs, leaked secrets in Lambda env vars, missing CIS controls, GuardDuty findings going to a void, root MFA misconfig, CloudTrail / KMS gaps.\n\nRun them together, and the correlator surfaces the chains: \"the public-Internet host you found is in a VPC peered to PROD, runs as an IAM role with `iam:AttachRolePolicy`, and the Lambda next door has an AWS access key in its env vars.\" That chain is invisible to either tool alone.\n\n### Whitebox AWS Audit (v8.0)\n\n```bash\n# Run alongside a blackbox engagement (vikramaditya.py auto-detects from whitebox_config.yaml)\npython3 vikramaditya.py example.com\n\n# Standalone whitebox-only run, single AWS profile\npython3 -m whitebox.cloud_hunt --profile client-erp \\\n    --allowlist example.com \\\n    --session-dir recon/example.com\n\n# Multi-account run with all timeouts widened for a large IAM estate\nPROWLER_TIMEOUT=7200 PMAPPER_TIMEOUT=3600 \\\nWHITEBOX_REGIONS=us-east-1,ap-south-1,eu-west-1 \\\npython3 -m whitebox.cloud_hunt \\\n    --profile client-erp --profile client-data \\\n    --allowlist example.com --allowlist example-data.invalid \\\n    --session-dir recon/example.com --refresh\n\n# Audit every public Route53 zone in the account (skip allowlist intersection)\npython3 -m whitebox.cloud_hunt --profile client-erp --no-scope-lock \\\n    --session-dir recon/example.com\n```\n\n**Required external tools (one-time install):**\n\n```bash\n# Prowler — pydantic-pinned, install in an isolated venv\npython3 -m venv ~/.venvs/prowler            # use Python 3.11\n~/.venvs/prowler/bin/pip install prowler-cloud==4.5.0\n\n# PMapper — patch a Python 3.10+ collections.abc bug\npython3.11 -m venv ~/.venvs/pmapper\n~/.venvs/pmapper/bin/pip install principalmapper\nsed -i '' 's/from collections import Mapping/from collections.abc import 
Mapping/' \\\n    ~/.venvs/pmapper/lib/python*/site-packages/principalmapper/util/case_insensitive_dict.py\n```\n\nThe discovery order for both binaries: `\u003cTOOL\u003e_BIN` env var → `~/.venvs/\u003ctool\u003e/bin/\u003ctool\u003e` → `~/.local/share/\u003ctool\u003e/bin/\u003ctool\u003e` → `/opt/\u003ctool\u003e/bin/\u003ctool\u003e` → `$PATH`.\n\n**Required IAM permissions** (audit user / role): `ReadOnlyAccess` + `SecurityAudit`. To enable full secret-value scanning add `secretsmanager:GetSecretValue`; without it the scanner falls back to metadata-only.\n\n**Session output structure:**\n\n```\nrecon/\u003ctarget\u003e/cloud/\u003caccount_id\u003e/\n├── inventory/                 # 26 services × N regions, raw boto3 JSON\n├── prowler/                   # OCSF JSON + 17 compliance CSVs\n├── pmapper/                   # Graph storage copy + stdout/stderr logs\n├── secrets/                   # Per-finding redacted JSON (mode 0600 in 0700 dir)\n├── findings.json              # Consolidated normalized findings\n├── manifest.json              # Per-phase status + TTL cache key\n└── ../correlation/\n    ├── asset_feed_\u003caccount\u003e.json\n    └── asset_feed.json        # Merged across accounts in this session\n```\n\n---\n\n## What's New in v7.x (still active)\n\nv5 → v7 added **10 releases, 270 passing tests, 1 new security domain (client-data anonymization), 1 new web3 sub-domain (meme-coin / Solana / DEX LP), and a HackerOne MCP server.** Full changelog in [`CHANGELOG.md`](CHANGELOG.md).\n\n### **🛡️ Engagement Privacy — anonymization proxy for Claude Code (v7.0 / v7.1)**\n\n| Feature | Description |\n|:--------|:------------|\n| **Reverse proxy** (`llm_anon/proxy.py`) | FastAPI on `127.0.0.1:8080`. Point `ANTHROPIC_BASE_URL` at it; Claude Code never sees real client data. |\n| **Regex detector** (`llm_anon/regex_detector.py`) | IPv4/IPv6/CIDR, MAC, email, URL, FQDN, AWS keys, API tokens, JWT, MD5/SHA1/SHA256/NTLM hashes. 
NTLM `lm:nt` pair beats two adjacent MD5s; CIDR beats bare IPv4. |\n| **Deterministic surrogates** (`llm_anon/surrogates.py`) | RFC 5737 TEST-NET IPs, `.pentest.local` FQDNs, locally-administered MACs, length-preserving fake hashes. Same original → same surrogate within an engagement. |\n| **SQLite vault** (`llm_anon/vault.py`) | Per-engagement mapping store. Engagement isolation — client A and client B never share surrogates. |\n| **SSE-aware** | Anthropic's streaming `text_delta` events are parsed line-by-line; deanonymized in place; pass straight through to Claude Code so streaming stays live. |\n\nDesign credit: [zeroc00I/LLM-anonymization](https://github.com/zeroc00I/LLM-anonymization) (README-only spec — implementation is entirely original).\n\n### **🪙 Web3 meme-coin / Solana / DEX LP security domain (v6.0)**\n\n| Module | Catches |\n|:-------|:--------|\n| `token_scanner.py` (783 lines, EVM + Solana) | Unrestricted mint, unbounded fee/tax, trading toggles, hidden transfer hooks, blacklists, owner privileges, pause authority, honeypot logic |\n| `web3/10-meme-coin-bugs.md` | 8 meme-coin bug classes + Immunefi paid examples |\n| `web3/11-solana-token-audit.md` | SPL / Token-2022 / freeze-authority / transfer-hook attacks |\n| `web3/12-dex-lp-attacks.md` | AMM / concentrated-liquidity / JIT |\n| `skills/meme-coin-audit/SKILL.md` | Launch-audit workflow |\n| `/token-scan \u003ccontract\u003e` | Slash command |\n\n### **🔧 Hunting workflow upgrades (v5.1 – v6.3)**\n\n| Release | Addition |\n|:--------|:---------|\n| **v5.0** | CVSS 4.0 scoring (AT + VC/VI/VA + SC/SI/SA + Safety axis) — modern programs reward this |\n| **v5.1** | HackerOne MCP server — live Hacktivity + program stats + safe-harbor lookup |\n| **v5.2** | sisakulint CI/CD scanner — `pwn_request` / unpinned actions / script injection across whole orgs |\n| **v5.3** | `/pickup` session resume + auto-logged session summaries — warm-restart over 20+ existing engagement histories |\n| **v5.4** | 
`credential_store.py` — `.env`-backed auth headers, never logs raw values |\n| **v5.5** | `bb-methodology` master skill — 5-phase non-linear hunting orchestrator |\n| **v5.6** | `intel_engine.py` + `/intel` — cross-references CVEs against hunt memory to flag untested surface |\n| **v6.1** | `/remember`, `/surface`, recon-ranker agent — fill the gap between \"I ran recon\" and \"I started hunting\" |\n| **v6.2** | `/autopilot` agent — ties the existing autopilot engine to scope checking + checkpoint modes |\n| **v6.3** | `sneaky_bits.py` — invisible-Unicode prompt injection encoder for LLM red-teaming |\n| **v6.4** | **229-test suite** ported from upstream (audit log, hunt journal, scope checker, token scanner, intel engine, credential store, HackerOne MCP) |\n\n### **📜 Original v4.1 capabilities (preserved)**\n\nHAR-based authenticated testing, autonomous VAPT, multi-provider AI, Burp-style HTML reports — [see below](#har-based-authenticated-testing).\n\n---\n\n## Engagement Privacy (v7.0 / v7.1)\n\nWhen the NDA says \"don't send client data to third-party AI services\" but you still want Claude Code's reasoning on real `nmap` / `crackmapexec` / `mimikatz` / Burp output:\n\n```bash\n# Terminal 1 — start the anonymization proxy\nexport ENGAGEMENT_ID=acme-2026-vapt\nexport ANTHROPIC_API_KEY=sk-ant-...            # forwarded to upstream as-is\npython3 -m llm_anon.proxy                      # listens on 127.0.0.1:8080\n\n# Terminal 2 — run Claude Code through the proxy\nexport ANTHROPIC_BASE_URL=http://127.0.0.1:8080\nexport ENGAGEMENT_ID=acme-2026-vapt            # must match Terminal 1\nclaude\n```\n\n**What Claude actually sees:**\n```\nnmap scan of 203.0.113.47 on xkqpzt.pentest.local returned OpenSSH 8.2\n```\n**What your terminal shows:**\n```\nnmap scan of 10.20.0.10 on dc01.acmecorp.local returned OpenSSH 8.2\n```\n\nMappings persist in `~/.vikramaditya/anon_vault.db`, scoped by `ENGAGEMENT_ID`. Run `/anon` for command reference. 
See [`llm_anon/`](llm_anon/) and [`commands/anon.md`](commands/anon.md).\n\n**Threat model:** prevents content-based correlation. Does **not** prevent query-pattern or timing correlation. Binds to `127.0.0.1` only. Not a compliance certification — review your contract.\n\n---\n\n## HAR-Based Authenticated Testing\n\n### **🎯 Capture Real Sessions**\n\n```bash\n# Step 1: Capture browser session\n# 1. Open target app in browser\n# 2. Open DevTools (F12) → Network tab\n# 3. Log in and navigate authenticated areas\n# 4. Right-click → Save as HAR file\n\n# Step 2: Run authenticated VAPT\npython3 har_vapt.py admin_session.har\n```\n\n### **🔥 What HAR Testing Finds**\n\n- **SQL Injection** — Authentication bypass in login forms\n- **File Upload RCE** — Malicious file uploads in admin panels\n- **Authentication Bypass** — Admin functions accessible without credentials\n- **IDOR** — User enumeration and unauthorized data access\n- **XSS** — Cross-site scripting in authenticated parameters\n- **Session Management** — Token security and session hijacking\n\n### **🛠️ HAR Testing Tools**\n\n```bash\n# Complete HAR-based VAPT workflow\npython3 har_vapt.py session.har                # All-in-one testing\n\n# Individual components\npython3 har_analyzer.py session.har            # Extract endpoints \u0026 tokens\npython3 har_vapt_engine.py session_analysis.json  # Run vulnerability tests\n\n# Combined infrastructure + authenticated testing\npython3 vapt_companion.py --full example.com   # Best of both approaches\n\n# Interactive suite with all tools\npython3 vapt_suite.py                          # Unified interface\n```\n\n### **📊 Real-World Results**\n\nRecent HAR-based testing on an email platform:\n- **83 endpoints** discovered from browser session\n- **49 vulnerabilities** found, including:\n  - 32 Critical (File upload RCE)\n  - 6 High (Authentication bypass)\n  - 11 Medium (Session management)\n- **Bearer token extraction** and security analysis\n- **Complete attack surface** 
mapped from real usage\n\n---\n\n## What's New in v2.0\n\n| Feature | v1.x | v2.0 |\n|:--------|:-----|:-----|\n| **Entry point** | 5+ scripts with flags (`hunt.py --target x --full`) | `python3 vikramaditya.py` — one command, interactive |\n| **Target detection** | Manual: pick the right script | Auto: fingerprints tech stack, login, API, routes to right engine |\n| **Brain role** | Supervisor only (CONTINUE/SKIP/INJECT) | **Writes and executes exploit code** — PoCs, bypasses, code audits |\n| **Fix verification** | Manual retest | `--verify-fix` mode: brain reads deployed code, finds logic flaws, writes bypasses |\n| **Code audit** | Not available | `--audit-code` mode: feed source code, brain finds vulns and writes PoCs |\n| **Endpoint discovery** | Single main.js bundle only | All JS chunks (Vite, Next.js, CRA), dynamic imports, OpenAPI/Swagger |\n| **Login detection** | Required `--login-url` flag | Auto-detects from 18+ common patterns + dev/staging endpoints |\n| **API base path** | Required `--base-url` flag | Auto-probes `/api/`, `/v1/`, subdomains, same-origin detection |\n| **URL dedup** | No dedup (scans thousands of identical news/video URLs) | Pattern-based collapse: 5000 → 50 unique code paths |\n| **Scope lock** | `--scope-lock` flag | Interactive prompt: \"scan this exact host only?\" |\n| **CLI args** | Required (`--target x --full --with-brain`) | `python3 vikramaditya.py example.com` — one arg, everything auto |\n| **Banner** | Orange gradient | Indian flag colors (saffron, white, green, Ashoka blue) |\n\n---\n\n## The Legend\n\n**Vikramaditya** — the legendary Indian emperor whose throne could only be ascended by one who sought truth fearlessly and judged without bias. His name means *\"valour of the sun\"*.\n\nThis tool operates the same way. Give it a target. Walk away. 
Come back to a full VAPT report — every vulnerability exposed, every weakness catalogued.\n\nIt was inspired by and evolved from [**claude-bug-bounty**](https://github.com/shuvonsec/claude-bug-bounty) — the original AI-assisted bug bounty automation platform that laid the recon pipeline, ReAct agent architecture, and AI analysis engine that powers this tool today.\n\n---\n\n## What It Does\n\nVikramaditya is an autonomous VAPT tool built for professional security consultants. You give it a target — a domain, a single IP, or an entire subnet. It runs the full assessment pipeline and produces a submission-ready report.\n\n| Stage | What happens |\n|:------|:-------------|\n| 🔭 **Recon** | Subdomain enumeration, DNS resolution, live host discovery, URL crawling, JS analysis, secret extraction |\n| 🔬 **Fingerprint** | Tech stack detection (httpx), CVE risk scoring, priority host ranking |\n| 🔍 **Scan** | SQLi, XSS, SSTI, RCE, file upload, CORS, JWT, cloud misconfigs, framework exposure |\n| 💥 **Exploit** | CMS exploit chains (Drupal, WordPress), Spring actuators, exposed admin panels |\n| 🧠 **Analyze** | AI-powered triage — finds chains, ranks by impact, kills noise |\n| 📋 **Report** | Burp Suite-style HTML report: executive summary, CVSS scores, PoC evidence, remediation |\n| 🔐 **HAR Testing** | **NEW**: Browser session analysis, authenticated vulnerability testing, real-world attack simulation |\n\n---\n\n## Quick Start\n\n```bash\ngit clone https://github.com/venkatas/vikramaditya.git\ncd vikramaditya\nchmod +x setup.sh \u0026\u0026 ./setup.sh      # installs all required tools\n\n# Download BugTraceAI brain (security-tuned, recommended)\nwget -c 'https://huggingface.co/BugTraceAI/BugTraceAI-Apex-G4-26B-Q4/resolve/main/BugTraceAI-Apex-G4-26B-Q4.gguf' -O /tmp/BugTraceAI-Apex-G4-26B-Q4.gguf\nollama create bugtraceai-apex -f Modelfiles/BugTraceAI-Modelfile\n\n# Or use stock Gemma4 (also works well)\nollama pull gemma4:26b               # fast all-rounder brain 
(17GB)\n```\n\n### The Only Command You Need\n\n```bash\n# Fully autonomous — zero prompts (when Ollama is installed)\npython3 vikramaditya.py example.com\npython3 vikramaditya.py https://app.example.com --creds \"user@domain.com:password\"\npython3 vikramaditya.py 10.0.0.0/24\n\n# NEW: HAR-based authenticated testing\npython3 har_vapt.py admin_session.har\n\n# Combined infrastructure + authenticated testing\npython3 vapt_companion.py --full example.com\n\n# With fix verification\npython3 vikramaditya.py https://app.example.com --creds \"user:pass\" --verify-fix \"CSRF fixed via ols token\"\n```\n\nWhen Ollama is installed, **zero prompts** — brain drives everything:\n- Auto-fingerprints, auto-selects engine, auto-enables brain + active scanner\n- Auto-generates report when done\n- Only asks for credentials if login detected and `--creds` not provided\n\nWithout Ollama, falls back to interactive mode with prompts.\n\n### HAR Testing Workflow\n\n```bash\n# Interactive HAR testing\npython3 vapt_suite.py\n\n# Quick HAR analysis\npython3 har_analyzer.py session.har\n\n# Complete HAR VAPT\npython3 har_vapt.py session.har\n\n# Combined assessment\npython3 vapt_companion.py --full target.com\n```\n\nIt will:\n\n1. Ask for a target (URL, domain, IP, CIDR, **or HAR file**)\n2. Auto-fingerprint the target (tech stack, login pages, API endpoints, JS bundles, OpenAPI specs)\n3. **NEW**: Analyze HAR files for authenticated endpoints and session data\n4. Show a summary of what it found and recommend the right scan type\n5. Ask for credentials if a login page is detected (password input is hidden)\n6. Enable the AI brain automatically if Ollama is installed\n7. Offer **brain active scanner** — LLM writes and executes exploit code, not just supervises\n8. **NEW**: Offer **HAR-based authenticated testing** for deep vulnerability analysis\n9. Offer **fix verification** — developer says \"fixed\"? Brain reads the code and finds bypasses\n10. 
Route to the right scan engine and run the full assessment\n11. Offer to generate a professional report at the end\n\n```\n$ python3 vikramaditya.py app.example.com\n\n  ────────────────────────────────────────────────────────\n    TARGET SUMMARY\n  ────────────────────────────────────────────────────────\n    Target  : https://app.example.com\n    Status  : HTTP 200\n    Tech    : Vite, React\n    Login   : /auth/login\n    API     : https://app.example.com/v1\n    JS      : 52 bundles, 80+ API calls found\n    OpenAPI : found\n\n    Recommended: Authenticated API VAPT\n  ────────────────────────────────────────────────────────\n\n  Proceed? [Y/n]: y\n  Do you have credentials? [Y/n]: y\n  Username / email: admin@example.com\n  Password: ********\n  Second account for IDOR / privilege escalation testing? [y/N]: n\n  AI brain supervisor: enabled. Keep enabled? [Y/n]: y\n  Run brain active scanner? (LLM writes + executes exploit code) [y/N]: y\n  Verify a developer's fix claim? [y/N]: n\n\n  [launching 12-phase brain-supervised API VAPT...]\n  [then brain active scanner writes + runs exploit PoCs...]\n```\n\n### HAR File Testing Example\n\n```\n$ python3 har_vapt.py admin_session.har\n\n  ────────────────────────────────────────────────────────\n    HAR ANALYSIS SUMMARY\n  ────────────────────────────────────────────────────────\n    Target Domain     : app.example.com\n    Total Endpoints   : 127\n    Admin Endpoints   : 18\n    File Uploads      : 3\n    High-Value Targets: 31\n    Authentication    : bearer_token\n    Bearer Token      : eyJ0eXAiOiJKV1QiLCJh...\n\n    Recommended Tests : sql_injection, file_upload_rce, auth_bypass\n  ────────────────────────────────────────────────────────\n\n  🚀 Starting comprehensive VAPT scan...\n  🧪 Testing SQL Injection...\n  🚨 [CRITICAL] SQL Injection: Authentication bypass confirmed\n  🧪 Testing File Upload RCE...\n  🚨 [CRITICAL] File Upload RCE: 4 malicious files uploaded successfully\n  🧪 Testing Authentication 
Bypass...\n  🚨 [HIGH] Authentication Bypass: Admin panels accessible without auth\n\n  📊 Found 23 vulnerabilities (8 Critical, 5 High, 10 Medium)\n  💾 Results saved to: har_vapt_results_20240414_143022.json\n```\n\n---\n\n## Core Architecture\n\n\u003cdiv align=\"center\"\u003e\n\n```mermaid\ngraph TB\n    A[Target Input] --\u003e B{Target Type}\n    B --\u003e|Domain/IP/CIDR| C[vikramaditya.py]\n    B --\u003e|HAR File| D[har_vapt.py]\n    B --\u003e|Combined| E[vapt_companion.py]\n    \n    C --\u003e F[Auto-Fingerprint]\n    F --\u003e G[Engine Selection]\n    G --\u003e H[hunt.py Infrastructure]\n    G --\u003e I[autopilot_api_hunt.py Web/API]\n    \n    D --\u003e J[HAR Analysis]\n    J --\u003e K[Session Extraction]\n    K --\u003e L[Vulnerability Testing]\n    \n    E --\u003e F\n    E --\u003e J\n    \n    H --\u003e M[Report Generation]\n    I --\u003e M\n    L --\u003e M\n    \n    style D fill:#ff9999\n    style J fill:#ff9999\n    style K fill:#ff9999\n    style L fill:#ff9999\n```\n\n\u003c/div\u003e\n\n### **File Structure**\n\n```\nvikramaditya/\n├── vikramaditya.py              # Main orchestrator\n├── hunt.py                      # Infrastructure VAPT\n├── autopilot_api_hunt.py        # Web/API VAPT\n├── har_analyzer.py              # HAR file analysis\n├── har_vapt_engine.py           # HAR-based vulnerability testing\n├── har_vapt.py                  # Complete HAR VAPT workflow\n├── vapt_companion.py            # Combined infrastructure + HAR\n├── vapt_suite.py                # Interactive unified interface\n├── brain.py / brain_scanner.py  # AI analysis + exploit generation\n├── agent.py                     # Autonomous ReAct agent\n├── reporter.py                  # HTML/PDF report generation\n├── recon.sh / scanner.sh        # Recon + vuln scanning pipelines\n├── poc_*.py                     # Proof-of-concept scripts\n├── validate.py                  # Finding validation (CVSS 4.0 — v5.0)\n├── credential_store.py          # .env-backed auth 
store (v5.4)\n├── intel_engine.py              # CVE + HackerOne + hunt-memory intel (v5.6)\n├── token_scanner.py             # EVM + Solana meme-coin red flags (v6.0)\n├── sneaky_bits.py               # LLM prompt-injection encoder (v6.3)\n├── cicd_scanner.sh              # sisakulint GitHub Actions auditor (v5.2)\n│\n├── whitebox/cloud_hunt.py       # Whitebox VAPT — AWS audit (Prowler + PMapper + secrets), feeds blackbox\n│\n├── llm_anon/                    # 🛡️ Engagement privacy (v7.0 / v7.1)\n│   ├── proxy.py                 # FastAPI reverse proxy for Claude Code\n│   ├── regex_detector.py        # IP/hash/credential/FQDN/JWT patterns\n│   ├── surrogates.py            # RFC 5737 / .pentest.local generator\n│   ├── vault.py                 # SQLite per-engagement mapping store\n│   └── anonymizer.py            # Facade for anonymize() / deanonymize()\n│\n├── mcp/hackerone-mcp/           # H1 GraphQL MCP server (v5.1)\n├── memory/                      # Hunt journal, audit log, pattern DB\n├── skills/                      # bug-bounty, bb-methodology, meme-coin-audit,\n│                                #   report-writing, triage-validation,\n│                                #   security-arsenal, web2-*, web3-audit\n├── agents/                      # recon-agent, chain-builder, validator,\n│                                #   report-writer, web3-auditor,\n│                                #   token-auditor (v6.0), recon-ranker (v6.1),\n│                                #   autopilot (v6.2)\n├── commands/                    # /recon /hunt /validate /report /triage /chain\n│                                #   /scope /web3-audit /cicd (v5.2)\n│                                #   /pickup (v5.3) /intel (v5.6)\n│                                #   /token-scan (v6.0) /remember /surface (v6.1)\n│                                #   /autopilot (v6.2) /anon (v7.1)\n└── tests/                       # 270 tests — pytest + pytest-asyncio\n```\n\n---\n\n## Vulnerability 
Coverage\n\n### **Infrastructure Testing (Original)**\n\n| Category | Tools | Techniques |\n|:---------|:------|:-----------|\n| **Recon** | subfinder, assetfinder, amass, httpx | Subdomain enumeration, live host discovery, tech fingerprinting |\n| **Scanning** | nuclei, sqlmap, naabu, feroxbuster | CVE detection, SQL injection, port scanning, directory bruteforce |\n| **Exploitation** | manual + brain-generated PoCs | CMS exploits, Spring Boot actuators, cloud misconfigs |\n\n### **Authenticated Testing (New)**\n\n| Category | Vulnerability Types | HAR-Based Testing |\n|:---------|:-------------------|:------------------|\n| **Injection** | SQL injection, NoSQL injection, Command injection | ✅ Authentication bypass, Parameter injection |\n| **Broken Auth** | Session management, Authentication bypass | ✅ Admin panel access, Invalid session acceptance |\n| **Sensitive Data** | IDOR, Information disclosure | ✅ User enumeration, Unauthorized data access |\n| **File Upload** | RCE, Path traversal, Filter bypass | ✅ Malicious uploads, Bypass techniques |\n| **XSS** | Reflected, Stored, DOM-based | ✅ Parameter-based testing |\n| **Session** | Token security, Hijacking | ✅ Bearer token analysis, Cookie security |\n\n### **Web3 Meme-Coin / SPL / DEX LP (v6.0)**\n\n| Category | What `token_scanner.py` flags | Reference |\n|:---------|:-------------------------------|:----------|\n| **Mint abuse** | Unrestricted mint, `onlyOwner` mint without cap | `web3/10-meme-coin-bugs.md` |\n| **Fee traps** | Unbounded `setFee()`/`setTax()`, missing `MAX_FEE` | `web3/10` |\n| **Trading toggles** | Reversible `enableTrading`, pause / unpause loops | `web3/10` |\n| **Transfer hooks** | Hidden pre/post-transfer logic, fee-on-transfer accounting | `web3/10`, `web3/11` |\n| **Blacklists / freeze authority** | Owner can blacklist/freeze user funds | `web3/11` (Solana) |\n| **LP / AMM attacks** | Concentrated-liquidity, JIT sandwich, LP-share accounting | `web3/12` |\n\n### **CI/CD \u0026 
Supply Chain (v5.2)**\n\n| Category | Tools | Detected |\n|:---------|:------|:---------|\n| **GitHub Actions** | `cicd_scanner.sh` (sisakulint wrapper) | `pwn_request`, script injection in `run:`, unpinned 3rd-party actions, missing `permissions:`, reusable-workflow privilege chains |\n| **Org-wide batch** | `./cicd_scanner.sh \"org:\u003cname\u003e\" --recursive` | Scan every public repo in an organization |\n\n### **LLM / AI Red-Team**\n\n| Category | Tool | Use case |\n|:---------|:-----|:---------|\n| **Invisible Unicode injection** | `sneaky_bits.py` | U+2062 / U+2064 / Variant Selector encoding for indirect prompt-injection payloads |\n| **HAR-based chatbot IDOR** | `har_vapt_engine.py` | Replay authenticated LLM app sessions against injection, tool-call abuse, context leaks |\n\n### **Engagement Privacy (v7.0 / v7.1)**\n\n| Category | Tool | Purpose |\n|:---------|:-----|:--------|\n| **Client-data anonymization** | `llm_anon/` | Transparent reverse proxy — real IPs / hashes / credentials / FQDNs never reach Anthropic |\n| **Per-engagement vault** | `llm_anon/vault.py` | SQLite mapping store scoped by `ENGAGEMENT_ID` — no cross-client correlation |\n\n### **AI-Powered Analysis**\n\n- **Exploit Generation** — Brain writes custom PoC code for found vulnerabilities\n- **Chain Discovery** — Identifies multi-step attack paths\n- **False Positive Reduction** — AI triage removes noise\n- **Fix Verification** — Reads deployed code, finds logic bypass opportunities\n- **Impact Assessment** — Business risk scoring and prioritization\n\n---\n\n## Multi-Provider AI\n\n| Provider | Models | Use Case |\n|:---------|:-------|:---------|\n| **Ollama** (Local) | BugTraceAI-Apex-G4, Gemma4, Llama3.1, Codestral | Primary brain, exploit generation, code analysis |\n| **MLX** (Apple Silicon) | Gemma4-MLX, Llama3.1-MLX | Fast inference on M1/M2/M3 Macs |\n| **OpenAI** | GPT-4o, GPT-4-Turbo | Premium analysis, complex reasoning |\n| **Anthropic** | Claude 3.5 Sonnet, Claude 3 
Opus | Code understanding, vulnerability research |\n| **Google** | Gemini 1.5 Pro | Multimodal analysis, document processing |\n| **xAI** | Grok-2 | Alternative reasoning, real-time knowledge |\n\nConfigure via environment variables or interactive setup.\n\n---\n\n## Reports\n\n### **Professional VAPT Reports**\n\n- **Executive Summary** — Business impact, risk scores, remediation timeline\n- **Technical Findings** — Detailed vulnerability descriptions with PoC evidence\n- **CVSS Scoring** — Industry-standard risk assessment\n- **Remediation Guidance** — Step-by-step fix instructions\n- **Compliance Mapping** — OWASP Top 10, CWE references\n\n### **Output Formats**\n\n```bash\n# Generate HTML report\npython3 reporter.py findings/ --client \"Acme Corp\" --consultant \"Your Name\"\n\n# Multiple formats\npython3 reporter.py findings/ --format html,pdf,json\n```\n\nSample outputs:\n- **HTML**: Burp Suite-style professional report\n- **JSON**: Machine-readable findings for integration\n- **PDF**: Executive presentation format\n- **Markdown**: Documentation-friendly format\n\n---\n\n## Installation\n\n### **Automated Setup**\n\n```bash\ngit clone https://github.com/venkatas/vikramaditya.git\ncd vikramaditya\nchmod +x setup.sh \u0026\u0026 ./setup.sh\n```\n\nThe setup script installs all required tools:\n- **Core Tools**: httpx, subfinder, nuclei, sqlmap, naabu, feroxbuster\n- **Python Dependencies**: requests, beautifulsoup4, selenium\n- **AI Runtime**: Ollama (optional but recommended)\n\n### **Manual Setup**\n\n```bash\n# Install Go tools\ngo install -v github.com/projectdiscovery/httpx/cmd/httpx@latest\ngo install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest\ngo install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest\n\n# Install Python dependencies\npip install requests beautifulsoup4 selenium\n\n# Install Ollama (for AI features)\ncurl -fsSL https://ollama.ai/install.sh | sh\nollama pull gemma4:26b\n```\n\n### **Docker 
Support**\n\n```bash\ndocker build -t vikramaditya .\ndocker run -v $(pwd)/results:/app/results vikramaditya:latest example.com\n```\n\n---\n\n## Professional Usage\n\n### **VAPT Engagement Workflow**\n\n1. **Scoping** — Define targets, obtain written authorization\n2. **Reconnaissance** — `python3 vikramaditya.py target.com`\n3. **Authenticated Testing** — Capture HAR files, run `python3 har_vapt.py session.har`\n4. **Analysis** — AI-powered triage and impact assessment\n5. **Reporting** — Generate client-ready reports\n6. **Remediation Support** — Fix verification and retesting\n\n### **Scan Capabilities**\n\n- **Multi-target scanning** — Subnet, CIDR, and domain-range support (`hunt.py --target 10.0.0.0/24`)\n- **Authenticated testing** — HAR-based session analysis and JSON-API auth replay\n- **Structured output** — JSON findings files under `findings/\u003ctarget\u003e/` for downstream tooling\n- **Hunt memory** — JSONL journal (`hunt-memory/journal.jsonl`) picked up by `/pickup \u003ctarget\u003e` on warm restart\n\n### **Quality Assurance**\n\n- **False positive reduction** — AI triage gate + regex dedup rules (see v7.1.2 and v7.4.2 for fixes that removed real FP classes)\n- **Reproducible testing** — sqlmap command log + per-phase watchdog traces saved per session\n- **Evidence collection** — request/response pairs, screenshots (via gowitness), scan logs\n\n---\n\n## Ethical Use \u0026 Legal Compliance\n\n### **Authorization Requirements**\n\n- ✅ **Only test systems you own or have explicit written permission to test**\n- ✅ **Obtain proper documentation** before starting any assessment\n- ✅ **Stay within defined scope** — use `--scope-lock` for strict boundaries\n- ✅ **Follow responsible disclosure** for any findings\n\n### **Methodology Alignment**\n\nThe tool does not carry any certification on its own. 
The operator is responsible for conducting engagements under the frameworks their client requires — typical choices:\n\n- **OWASP Testing Guide v4.2** — the recon → param discovery → vuln scan → exploit chain Vikramaditya implements follows the OTG structure. Section references appear in report metadata when `--emit-otg-refs` is enabled.\n- **NIST Cybersecurity Framework** — the scan→find→triage→report flow maps to Identify-Protect-Detect-Respond-Recover at the engagement level.\n- **CERT-In VAPT format** — `tools/report_generator.py` supports the Indian CERT-In empanelled template when `--format cert-in` is passed.\n\nClaim alignment only where it's honestly supported by your configuration.\n\n### **Data Protection**\n\n- **HAR files contain session data** — handle securely\n- **Encrypt sensitive findings** during storage and transmission\n- **Follow data retention policies** for client information\n- **Implement secure deletion** procedures post-engagement\n\n---\n\n## Contributing\n\nWe welcome contributions! 
Here's how to get involved:\n\n### **Development**\n\n```bash\n# Fork the repository\ngit clone https://github.com/venkatas/vikramaditya.git\ncd vikramaditya\n\n# Create a feature branch\ngit checkout -b feature/new-testing-module\n\n# Make your changes\n# Add tests for new functionality\n# Update documentation\n\n# Submit a pull request\n```\n\n### **Contribution Areas**\n\n- **New vulnerability testing modules**\n- **Additional AI model integrations**\n- **Enhanced reporting formats**\n- **Performance optimizations**\n- **Documentation improvements**\n- **HAR analysis enhancements**\n\n### **Code Standards**\n\n- **Python 3.10+** compatibility\n- **Type hints** for new functions\n- **Comprehensive docstrings**\n- **Unit tests** for critical functionality\n- **Security-first design** principles\n\n---\n\n## License \u0026 Support\n\n### **License**\n\nMIT License - see [LICENSE](LICENSE) file for details.\n\n### **Support**\n\n- 📧 **Email**: [venkat.9099@gmail.com](mailto:venkat.9099@gmail.com)\n- 🐛 **Issues \u0026 PRs**: [github.com/venkatas/vikramaditya/issues](https://github.com/venkatas/vikramaditya/issues)\n\n---\n\n## Security Notice\n\nThis tool is designed for authorized security testing only. The developers assume no liability for misuse. Always ensure you have explicit written permission before testing any systems.\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\n**Built with ❤️ for the cybersecurity community**\n\n*Inspired by the legend of Emperor Vikramaditya — fearless pursuit of truth*\n\n**[⭐ Star this project](https://github.com/venkatas/vikramaditya)** if it helps secure your applications!\n\n\u003c/div\u003e","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvenkatas%2Fvikramaditya","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvenkatas%2Fvikramaditya","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvenkatas%2Fvikramaditya/lists"}