vmfunc 9401aa669e feat(scan): add cors, open-redirect and reflected-xss probes
three active web-vuln probes wired into the per-target loop:

- cors: crafts attacker origins (evil sentinel, null, prefix/suffix
  bypass, http downgrade) and flags responses that reflect them in
  access-control-allow-origin, ranking reflection+credentials high.
- redirect: injects a controlled sentinel host plus bypass variants
  (//, https:/, backslash, null-byte, userinfo @) into redirect-prone
  params and catches 30x location, meta-refresh and js redirects that
  resolve off-site.
- xss: injects a unique canary wrapped in breaking chars, classifies
  the reflection context (html/attribute/script) and reports only the
  chars that survive unescaped where they matter, so escaped
  reflections don't false-positive.

all route through httpx.Client so proxy/-H/-cookie/-rate-limit apply.
hermetic httptest coverage plus integration testbed entries.
2026-06-09 18:11:38 -07:00

sif documentation

welcome to the sif documentation. sif is a modular pentesting toolkit designed to be fast, concurrent, and extensible.

table of contents

getting started

features

  • scans - built-in security scans
  • modules - yaml module system and custom modules

reference

contributing


# install
git clone https://github.com/dropalldatabases/sif.git && cd sif && make

# basic scan
./sif -u https://example.com

# list modules
./sif -lm

# run all modules
./sif -u https://example.com -am

# help
./sif -h

support