endpointscanner 7.0.4__tar.gz → 7.2__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,201 @@
1
+ Metadata-Version: 2.4
2
+ Name: endpointscanner
3
+ Version: 7.2
4
+ Summary: Website endpoint reconnaissance tool and rate limit tester that bypasses simple captchas.
5
+ Project-URL: Homepage, https://github.com/SphericalFlower52811/endpointscanner
6
+ Project-URL: Issues, https://github.com/SphericalFlower52811/endpointscanner/issues
7
+ Project-URL: Repository, https://github.com/SphericalFlower52811/endpointscanner
8
+ Keywords: endpoint-scanner,website-recon,bug-bounty,rate-limiting,dir-search,url-discovery,web-reconnaissance
9
+ Requires-Python: >=3.9
10
+ Description-Content-Type: text/markdown
11
+ License-File: LICENSE
12
+ Requires-Dist: curl_cffi
13
+ Requires-Dist: beautifulsoup4
14
+ Requires-Dist: playwright
15
+ Requires-Dist: playwright-stealth
16
+ Requires-Dist: httpx[http2]>=0.27.0
17
+ Dynamic: license-file
18
+
19
+ # Website Endpoint Scanner and Rate Limit Tester For Websites (Version 7.2.0)
20
+
21
+ A fast automated website reconnaissance tool that extracts endpoints, files, and even external links from websites. Tests for IDOR or other broken access control bugs on websites by changing variables in endpoints to 1. Has a built in rate limit tester that can test on any endpoint, and can bypass simple WAFs/captchas and client-side SPAs.
22
+
23
+ For Installation, please go to the Installation section below!
24
+
25
+ ## How it works
26
+
27
+ - Uses curl_cffi and playwright-stealth to bypass simple captchas
28
+ - Uses a fake path to test which are real paths and which are shells. (websites like SPAs give a lot of trouble to current tools)
29
+ - Scrapes all `.js` and `.xml` files and `<script>` tags inside the html with a regex to find paths
30
+ - Has a hardcoded set of paths that should never exist in a website to test. (e.g. .env.local, .git/config)
31
+ - Differentiates paths by website endpoints, assets, redirects etc.
32
+ - Autofills {id} variables in endpoints as '1' to test the endpoints (can reveal potential IDORs)
33
+ - Checks server uptime and prints out JS Stack of the website
34
+ - Has a rate limit tester by sending n requests to a certain endpoint
35
+ - Can scan extra files like robots.txt for more endpoints
36
+ - Also scans for assets like images with a flag to disable showing them
37
+
38
+ ## How to run
39
+
40
+ Command to run after installing **(For installation, look for the 'Installation' section.)**:
41
+
42
+ Passable arguments:
43
+
44
+ | Argument | Short Form | Description |
45
+ | :---------------------- | :--------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
46
+ | `target` | `NIL` | URL |
47
+ | `--ratelimit` | `-r` | Number of requests to send during the rate limit test. Default is 100. |
48
+ | `--ratelimit-type` | `-rt` | HTTP Method to use for the rate limit test. Defaults to GET. |
49
+ | `--ratelimit-body` | `-rb` | Payload data to send in request to use for POST, PATCH and PUT requests. If the custom payload contains double quotes, please use single quotes instead of double quotes to pass this flag. |
50
+ | `--ratelimit-var` | `-rv` | Variable in payload data (e.g. {X}) to use. |
51
+ | `--ratelimit-header` | `-rh` | Custom headers. Must be seperated by a pipe(\|), or newlines. Example use: Cookies: {ExampleCookie: example} \| Accept: application/json, text/plain, _/_. If the custom header contains double quotes, please use single quotes instead of double quotes to pass this flag. |
52
+ | `--force` | `NIL` | Mandatory flag to pass if doing a rate limit test with over 2500 requests using a non-GET HTTP method. Has no short form flag. |
53
+ | `--testpath` | `-t` | Endpoint to test for rate limiting. |
54
+ | `--show-404s` | `-s` | Show endpoints tested that returned a 404 |
55
+ | `--disable-extra-files` | `-d` | Disable scanning of extra structural mapping files (robots, sitemaps, manifests, etc.) |
56
+ | `--show-media` | `-m` | Include assets/media like images and fonts in scan results |
57
+ | `--show-prog` | `-sp` | Print endpoints to the terminal one by one in real-time as they are found. Warning: will show duplicate paths if endpoints are defined multiple times in the code. Results will not contain duplicates. |
58
+ | `--output-file` | `-o` | Save formatted results directly to a local text file. |
59
+ | `--disable-og` | `-do` | Disable code from showing the original endpoint with variables. Keeps output tidier. Will NOT remove original tag from progress if the --show-prog flag is present. |
60
+ | `--tidy` | `-ti` | Script will not show where it got extra endpoints from, and will not show if it is a client side route and requires login, or react shell etc (or any SPA shell). Will also not show if an endpoint is a potential service. |
61
+ | `--tidy-all` | `-ta` | Flags --disable-og and --tidy combined. |
62
+ | `--only-res` | `-or` | Only show summarised endpoints. |
63
+ | `--only-original` | `-oo` | Only show the original version of the flag instead of it being replaced with a 1. Will also affect show prog. |
64
+ | `--show-source` | `-ss` | Print the source of each endpoint during progress, like printing out which file it found the endpoint from. |
65
+ | `--scan-timeout` | `-st` | Stop scan completely after given number of minutes and print/save any results found in that time window. Will leave unsorted endpoints in a section labelled 'UNSORTED', and will leave out sensitive endpoints. Will NOT interrupt rate limiting test. |
66
+ | `--raw-output` | `-ro` | Do not sort out endpoints after finding them. Will leave out sensitive endpoints whether they are exposed or not. |
67
+
68
+ ## Installation
69
+
70
+ You MUST have python 3.9 or above to use this!!
71
+ To install endpointscanner, run the command:
72
+
73
+ ```bash
74
+ python3 -m pip install endpointscanner
75
+ ```
76
+
77
+ After that, install chromium on playwright (playwright will be installed when you install endpointscanner):
78
+
79
+ ```bash
80
+ playwright install chromium
81
+ ```
82
+
83
+ ### You may need to create a virtual environment if there is PEP 668. (For the endpointscanner installation, not playwright install chromium.)
84
+
85
+ To create a virtual environment named 'myvenv':
86
+
87
+ ```bash
88
+ python3 -m venv myvenv
89
+ ```
90
+
91
+ To activate virtual environment on Mac/Linux:
92
+
93
+ ```bash
94
+ source myvenv/bin/activate
95
+ ```
96
+
97
+ To activate virtual environment on Windows Command Prompt:
98
+
99
+ ```text
100
+ myvenv\Scripts\activate
101
+ ```
102
+
103
+ To activate virtual environment on Windows PowerShell:
104
+
105
+ ```powershell
106
+ myvenv\Scripts\Activate.ps1
107
+ ```
108
+
109
+ ### Alternative (Not Recommended)
110
+
111
+ If you do not want to create a virtual environment, you can run:
112
+
113
+ ```bash
114
+ python3 -m pip install endpointscanner --break-system-packages
115
+ ```
116
+
117
+ to install it without PEP 668.
118
+
119
+ **Warning**: Using `--break-system-packages` may corrupt your OS-managed python environment. Proceed entirely at your own risk. The author is not liable for any system damage if you run this.
120
+
121
+ ### Updating script
122
+
123
+ To update the script, you can run:
124
+
125
+ ```bash
126
+ python3 -m pip install --upgrade endpointscanner
127
+ ```
128
+
129
+ ## Example Commands
130
+
131
+ Example command to run to scan a site (show inaccessible endpoints, show assets, show progress as it finds endpoints, and show files that it got endpoints from):
132
+
133
+ ```bash
134
+ endpointscanner https://example.com -s -m -sp -ss
135
+ ```
136
+
137
+ Example command to run to test a site (Assuming you are testing 5000 requests and creating 5k accounts)
138
+
139
+ ```bash
140
+ endpointscanner example.com -r 5000 -t /signup -rt POST -rb '{"username":"ExampleUser{X}", "pass":"ExamplePassword"}' -rv '{X}' --force -rh 'POST /signup HTTP/2
141
+ Host: example.com
142
+ Cookie: clearedcaptcha=true
143
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:151.0) Gecko/20100101 Firefox/151.0
144
+ Accept: application/json, text/plain, */*
145
+ Accept-Language: en-US,en;q=0.9
146
+ Prefer: safe
147
+ Accept-Encoding: gzip, deflate, br
148
+ Content-Type: application/json
149
+ Content-Length: 60
150
+ Origin: https://example.com
151
+ Referer: https://example.com/
152
+ Sec-Fetch-Dest: empty
153
+ Sec-Fetch-Mode: cors
154
+ Sec-Fetch-Site: same-origin
155
+ Priority: u=0
156
+ Te: trailers'
157
+ ```
158
+
159
+ Example command to only show the original endpoint, only print endpoints and output to a file:
160
+
161
+ ```bash
162
+ endpointscanner example.com -oo -or -o examplescan.txt
163
+ ```
164
+
165
+ ## Weaknesses
166
+
167
+ - If there is a login page, the script will either show that all of the pages require login, or label all of them as 403.
168
+ - If there are shells (e.g. React SPA shells) in the page, it may give false positives for sensitive endpoints. If you see sensitive endpoints in the scan, they may not actually be exposed on the website if the website has a shell. (E.g. .gitignore, .env.local)
169
+ - The rate limit test is more susceptible to captchas as it uses a module (httpx, not curl_cffi) that is not built to specifically pass through firewalls/captchas. This is as the httpx module for requests is better for asynchronous functions for rate limit testing on websites.
170
+
171
+ ## What was added
172
+
173
+ Version 7.2 added:
174
+
175
+ - Timeout after a set number of minutes (defined with the -st flag). Accepts floats, not just integers.
176
+ - Raw output flag to not sort out endpoints. Will make output faster as sorting takes up the majority of the time.
177
+ - New rate limit test flags, -rh, -rb, -rv, -rt. Allows defining of the HTTP method for the test, rate limiting headers (Either seperated by newlines or pipes), rate limiting body (may include an {X}), and rate limiting variable (can be defined as {X}, so each body will be different.) Example use is to test login attempts, testing passwords from 1 - 100 with {X} bein the iteration variable.
178
+ - -ss flag, shows source files for where endpoints are found in progress and in the final result.
179
+ - -oo flag, Show only the original endpoint with variables instead of the version replaced with 1.
180
+ - Headers to avoid 304 responses so code and files is always received.
181
+ - Detecting of 405 responses.
182
+ - More accurate sorting (previous bug that put /api/health in SPAs patched)
183
+ - Removed the 'Scraped from JS' label as extra files and html src are being scraped.
184
+
185
+ ## Plans for next version and the future
186
+
187
+ Version 7.3 is planned to have:
188
+
189
+ - Optimisation to make sorting of endpoints faster
190
+ - Detecting what type of captcha was used if the script is blocked.
191
+
192
+ Future plans (May be added in the next version):
193
+
194
+ - Recursive scanning (Going into each valid path to find more endpoints as some files only show up in specific endpoints.)
195
+ - More JS Stacks to detect
196
+
197
+ ai assisted code btw
198
+
199
+ # Legal Disclaimer
200
+
201
+ Note that this tool is strictly meant for **authorised** testing and security research. Running this script on websites where you are not permitted to do so can result in legal action. The author of this script assumes no responsibility for any misuse or legal consequences from running this script. Ensure you have received permission from the owner of the target website before performing tests or scans on their website.
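Review bot: the second command in the "Example Commands" section (`endpointscanner example.com -r 5000 -t /signup -rt POST ...`) passes a raw request dump to `-rh`, including the request line `POST /signup HTTP/2`, `Host: example.com` and `Content-Length: 60`, but the `--ratelimit-header` row only defines `Name: value` pairs separated by pipes or newlines, so what the parser does with a line that has no colon is undocumented, and a fixed `Content-Length: 60` cannot match a body that is 53 to 56 bytes once `{X}` is replaced by a counter from 1 to 5000. Either trim the example to the headers a tester actually needs (`Cookie`, `User-Agent`, `Accept`, `Content-Type`, `Origin`) and let the client compute framing headers, or state in the `-rh` row that the request line, `Host` and `Content-Length` are ignored. Two smaller points in the same hunk: `--scan-timeout` and `--raw-output` both quietly "leave out sensitive endpoints", which deserves a visible warning since those are usually the findings a tester wants most, and the metadata says `Version: 7.2` while the README heading says 7.2.0; "seperated" in the `-rh` row and the 7.2 changelog should read "separated".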
@@ -2,3 +2,4 @@ curl_cffi
2
2
  beautifulsoup4
3
3
  playwright
4
4
  playwright-stealth
5
+ httpx[http2]>=0.27.0
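Review bot: the new `httpx[http2]>=0.27.0` line is the only dependency in this file with any version bound; `curl_cffi`, `beautifulsoup4`, `playwright` and `playwright-stealth` stay unpinned, so a fresh `pip install endpointscanner` resolves whatever is newest on the day, and the README's separate `playwright install chromium` step means the browser build and the `playwright` wheel are fetched independently of each other. For a CLI that users are told to run from a venv against authorised targets, add at least lower bounds matching what 7.2 was tested with (better, a pinned constraints file with hashes for reproducible installs), and say which `playwright-stealth` major version is expected, since that package's public API has changed between major releases.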