Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/orf/xcat

XPath injection tool
https://github.com/orf/xcat

Last synced: about 2 months ago
JSON representation

XPath injection tool

Host: GitHub
URL: https://github.com/orf/xcat
Owner: orf
License: mit
Created: 2011-09-05T11:30:07.000Z (about 13 years ago)
Default Branch: master
Last Pushed: 2023-01-11T21:46:05.000Z (over 1 year ago)
Last Synced: 2024-07-07T16:34:50.615Z (3 months ago)
Language: Python
Homepage: https://xcat.readthedocs.org/
Size: 22.8 MB
Stars: 356
Watchers: 18
Forks: 80
Open Issues: 9
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# XCat

![Python package](https://github.com/orf/xcat/workflows/Python%20package/badge.svg)
![](https://img.shields.io/pypi/v/xcat.svg)
![](https://img.shields.io/pypi/l/xcat.svg)
![](https://img.shields.io/pypi/pyversions/xcat.svg)
[![Rawsec's CyberSecurity Inventory](https://inventory.raw.pm/img/badges/Rawsec-inventoried-FF5050_flat.svg)](https://inventory.raw.pm/)
[![](https://images.microbadger.com/badges/image/tomforbes/xcat.svg)](https://microbadger.com/images/tomforbes/xcat)

XCat is a command line tool to exploit and investigate blind XPath injection vulnerabilities.

For a complete reference read the documentation here: https://xcat.readthedocs.io/en/latest/

It supports an large number of features:

- Auto-selects injections (run `xcat injections` for a list)

- Detects the version and capabilities of the xpath parser and
selects the fastest method of retrieval

- Built in out-of-bound HTTP server
- Automates XXE attacks
- Can use OOB HTTP requests to drastically speed up retrieval

- Custom request headers and body

- Built in REPL shell, supporting:
- Reading arbitrary files
- Reading environment variables
- Listing directories
- Uploading/downloading files (soon TM)

- Optimized retrieval
- Uses binary search over unicode codepoints if available
- Fallbacks include searching for common characters previously retrieved first
- Normalizes unicode to reduce the search space

## Install

Run `pip install xcat`

Or using docker: `docker run -it tomforbes/xcat --help`

Or on fedora, `dnf install xcat` 😎

**Requires Python 3.7**. You can easily install this with [pyenv](https://github.com/pyenv/pyenv):
`pyenv install 3.7.1`

## Example application

There is a complete demo application you can use to explore the features of XCat.
See the README here: https://github.com/orf/xcat_app