Share
## https://sploitus.com/exploit?id=2529AEE1-AF79-5EA7-A1C4-451CF61EB465
# Plasma
   
**Web Application Security Testing Framework**
Plasma is a modular, async Python framework for web application penetration testing and security research. It combines a high-performance async HTTP engine with a multi-phase scan pipeline covering passive analysis, active vulnerability detection, fuzzing, exploit chaining, and professional report generation.
> **Legal notice:** Plasma is intended for authorized security testing only. Do not run it against systems you do not have explicit written permission to test.
---
## Table of Contents
1. [Features](#features)
2. [Installation](#installation)
3. [Quick Start](#quick-start)
4. [CLI Reference](#cli-reference)
5. [Scan Profiles](#scan-profiles)
6. [Detectors](#detectors)
7. [Fuzzing and Exploit Chaining](#fuzzing-and-exploit-chaining)
8. [Reporting](#reporting)
9. [Web Dashboard](#web-dashboard)
10. [Architecture](#architecture)
11. [Testing](#testing)
12. [Contributing](#contributing)
---
## Features
- **18 vulnerability detectors** — CSRF, XSS, SQLi, SSRF, RCE, IDOR, SSTI, HTTP Smuggling, GraphQL, JWT, CORS, CRLF, XPath, cache poisoning, directory traversal, open redirect, misconfiguration, sensitive file exposure
- **Full-surface fuzzer** with exploit chaining (SSTI to RCE OOB, SSRF to RCE, SQLi to IDOR, traversal to LFI)
- **Playwright headless browser crawler** for JavaScript-heavy single-page applications
- **WebSocket fuzzing** with 17 mutation payload categories
- **JWT algorithm confusion** — RS256/HS256 confusion, JKU/JWK/kid header injection, alg:none
- **GraphQL security testing** — introspection, mutation fuzzing with nested input generation, depth/complexity DoS, batch abuse
- **HAR file import** — replay authenticated browser sessions directly into the scanner
- **Subdomain takeover detection** — 13 provider fingerprints with CNAME confirmation
- **TLS/SSL analysis** — certificate expiry, weak ciphers, outdated protocol versions, CVE correlation
- **Cache poisoning detection** — six header injection vectors
- **Scan diff tool** — compare two scan outputs to detect regressions in CI/CD pipelines
- **Adaptive concurrency** — AIMD rate control with WAF fingerprinting and automatic rate limit calibration
- **32 Nuclei-compatible detection templates**
- **HTML, Markdown, and PDF report generation** with SHA-256 integrity verification
---
## Installation
**Requirements:** Python 3.10 or later.
```bash
git clone https://github.com/your-org/plasma.git
cd plasma
python -m venv venv
source venv/bin/activate # Linux / macOS
# venv\Scripts\activate.bat # Windows Command Prompt
pip install -r requirements.txt
pip install -e .
```
After installation, you can run Plasma from anywhere using the `plasma` command instead of `python main.py`.
```bash
plasma --help
```
### Optional Dependencies
**Headless browser crawling** (`--browser`):
```bash
pip install playwright
playwright install chromium
```
**HTTP/2 support** (`--http2`):
```bash
pip install httpx[http2]
```
**WebSocket fuzzing** (`--fuzz-websocket`):
```bash
pip install websockets
```
**PDF report generation** (`--report pdf`):
```bash
# Linux / Debian
sudo apt-get install python3-cffi libcairo2 libpango-1.0-0 libpangocairo-1.0-0
pip install weasyprint
# macOS
brew install pango gdk-pixbuf libffi
pip install weasyprint
```
**Subdomain takeover DNS resolution** (`--subdomain-takeover`):
```bash
pip install dnspython
```
---
## Quick Start
```bash
# Basic scan — default profile, all detectors
plasma -u https://target.example.com
# Full scan with browser crawling, fuzzing, and HTML report
plasma -u https://target.example.com --browser --fuzz -r html
# Aggressive scan — all detectors, full fuzzing, TLS analysis, subdomain takeover
plasma -u https://target.example.com --profile aggressive \
--browser --fuzz --fuzz-websocket --tls-analysis \
--subdomains --subdomain-takeover -r html,pdf
# Import from browser HAR recording (preserves authenticated session)
plasma -u https://app.example.com --har session.har --fuzz
# Scan diff for CI/CD regression detection
plasma -u https://example.com --output-json scan-new.json
plasma --diff-scans scan-old.json scan-new.json
# Stream findings as JSON Lines for pipeline consumption
plasma -u https://example.com --jsonl | jq 'select(.severity == "CRITICAL")'
```
---
## CLI Reference
### Target
| Flag | Description |
|------|-------------|
| `-u URL`, `--url URL` | Single target URL |
| `-b FILE`, `--batch FILE` | File containing one URL per line |
| `--har FILE` | Import all requests from a browser HAR recording |
| `--replay FILE` | Replay a scan saved with `--save-scan` |
| `--diff-scans A B` | Compare two Plasma JSON scan outputs |
### Scan Profile
| Flag | Description |
|------|-------------|
| `-p PROFILE`, `--profile PROFILE` | `safe`, `default`, `aggressive`, `stealth` |
| `-d N`, `--depth N` | Crawl depth (default: 2) |
| `-t N`, `--timeout N` | Request timeout in seconds (default: 10) |
### Detectors
| Flag | Description |
|------|-------------|
| `--test-csrf` | CSRF — token absence, SameSite weaknesses |
| `--test-sqli` | SQL injection — error-based, time-based, OOB |
| `--test-xss` | Cross-site scripting — reflected, DOM, stored indicators |
| `--test-ssrf` | Server-side request forgery |
| `--test-rce` | Remote code execution |
| `--test-idor` | Insecure direct object reference |
| `--test-misconfig` | Security misconfiguration |
| `--test-dir-traversal` | Directory and path traversal |
| `--test-ssti` | Server-side template injection with RCE chain |
| `--test-smuggling` | HTTP request smuggling — CL.TE and TE.CL |
| `--test-xpath` | XPath injection |
| `--test-crlf` | CRLF injection and response splitting |
| `--test-jwt` | JWT: alg:none, RS256/HS256 confusion, JKU/JWK/kid injection |
| `--test-cache-poisoning` | HTTP cache poisoning via header injection |
| `--test-all` | Enable all detectors |
| `--detectors LIST` | Comma-separated list of detector names to enable |
| `--skip LIST` | Comma-separated list of detectors to disable |
### Scan Modes
| Flag | Description |
|------|-------------|
| `--browser` | Playwright headless crawl for JavaScript-heavy applications |
| `--browser-parallel N` | Parallel browser pages during crawl (default: 3) |
| `--fuzz` | Enable the fuzz engine |
| `--fuzz-websocket` | Fuzz discovered WebSocket endpoints |
| `--fuzz-chain` | Enable multi-step exploit chain detection |
| `--fuzz-stealth` | Add timing jitter and user-agent rotation between probes |
| `--fuzz-profile PROFILE` | Override the fuzzer profile independently of `--profile` |
| `--fuzz-dry-run` | Print all generated payloads without sending any requests |
| `--fuzz-target-param PARAM` | Restrict fuzzing to a single named parameter |
| `--api-mode` | API testing — JSON body injection, REST endpoint discovery |
| `--bypass` | Access control bypass — header spoofing, method tampering |
| `--http2` | Use HTTP/2 via httpx (falls back to HTTP/1.1 automatically) |
### Reconnaissance
| Flag | Description |
|------|-------------|
| `--subdomains` | DNS subdomain brute-force enumeration |
| `--subdomain-takeover` | Check discovered subdomains for dangling CNAMEs |
| `--param-discovery` | Hidden parameter discovery |
| `--tls-analysis` | TLS/SSL — certificates, ciphers, protocol versions, CVE correlation |
| `--no-js` | Disable JavaScript endpoint extraction |
### Authentication
| Flag | Description |
|------|-------------|
| `--auth-cookie VALUE` | Inject session cookie string |
| `--login-url URL` | Form-based login endpoint |
| `--login-data JSON` | Login POST body as JSON |
| `--login-script FILE` | Python script for complex authentication flows (OAuth, MFA) |
| `--collaborator URL` | OOB callback server for blind SSRF, RCE, and SSTI |
| `--blind-xss URL` | Blind XSS callback URL |
### Output
| Flag | Description |
|------|-------------|
| `-r FORMATS`, `--report FORMATS` | Report formats: `html`, `markdown`, `pdf` (comma-separated) |
| `--report-dir DIR` | Report output directory (default: `reports/`) |
| `--poc` | Generate proof-of-concept exploit files |
| `--poc-dir DIR` | PoC output directory (default: `poc_output/`) |
| `--output-json FILE` | Write all findings as JSON; exits with code 1 if findings exist |
| `--jsonl` | Stream findings as JSON Lines to stdout |
| `--save-scan` | Save scan state for later replay or diff |
| `--scan-dir DIR` | Scan storage directory (default: `scans/`) |
### Performance
| Flag | Description |
|------|-------------|
| `--concurrency N` | Maximum concurrent requests |
| `--rate-limit RPS` | Target requests per second (0 = auto-calibrate) |
| `--no-dedup` | Disable request deduplication |
| `--no-verify-ssl` | Disable SSL certificate verification |
| `--proxy URL` | HTTP/HTTPS proxy (e.g. `http://127.0.0.1:8080`) |
---
## Scan Profiles
| Profile | Payload Volume | Delay | Evasion | Production-Safe |
|---------|---------------|-------|---------|-----------------|
| `safe` | Passive only | 1.0 s | Off | Yes |
| `default` | Moderate | 0.3 s | Off | Usually |
| `aggressive` | Full coverage | None | On | No |
| `stealth` | Reduced | 3.0 s | On | Depends |
```bash
# Stealth crawl and recon, aggressive fuzzing on discovered endpoints
plasma -u https://target.example.com --profile stealth --fuzz --fuzz-profile aggressive
```
See [docs/scan-profiles.md](docs/scan-profiles.md) for full profile specifications.
---
## Detectors
All 18 detectors implement `BaseDetector` from `core/vulnerability_detectors/base_detector.py` and are registered in `core/detector_registry.py`.
| Detector | NAME | Primary Techniques |
|----------|------|--------------------|
| CSRF | `csrf` | Token absence, SameSite=None, preflight bypass |
| SQLi | `sqli` | Error-based, boolean-blind, time-based, OOB |
| XSS | `xss` | Reflected, DOM sink analysis, attribute context |
| SSRF | `ssrf` | Internal IP probing, cloud metadata, OOB DNS |
| RCE | `rce` | Command injection, deserialization patterns |
| IDOR | `idor` | Numeric ID enumeration, UUID traversal |
| Misconfiguration | `misconfig` | Security headers, CORS policy, exposed admin paths |
| Directory Traversal | `directory_traversal` | `../` sequences, URL-encoded and null-byte variants |
| SSTI | `ssti` | 7 engine fingerprints, RCE OOB chain |
| HTTP Smuggling | `http_smuggling` | CL.TE, TE.CL timing probes |
| XPath | `xpath` | Error-based XPath injection |
| CRLF | `crlf` | Header injection, log injection |
| JWT | `jwt` | alg:none, RS256/HS256 confusion, JKU/JWK/kid injection |
| GraphQL | `graphql` | Introspection, mutation fuzzing, depth/complexity DoS, batch abuse |
| CORS | `cors` | Origin reflection, null origin, credentialed misconfiguration |
| Cache Poisoning | `cache_poisoning` | X-Forwarded-Host, X-Original-URL, Forwarded |
| Open Redirect | `open-redirect` | Parameter-based, header-based |
| Sensitive Files | `sensitive-files` | .env, .git, backup files, credential exposure |
---
## Fuzzing and Exploit Chaining
The fuzz engine (`modules/fuzz_engine.py`) runs after standard detectors and tests all discovered parameters with context-aware payloads across five attack categories: SQL injection, XSS, SSTI, path traversal, and SSRF.
**Exploit chains** link related findings into multi-step attacks:
| Chain | Trigger | Escalation |
|-------|---------|------------|
| `sqli→idor` | SQLi confirmed | Extracted IDs used for IDOR enumeration |
| `ssrf→rce` | SSRF confirmed | Internal service probed for command execution |
| `traversal→lfi→rce` | Path traversal confirmed | File read escalated to code execution |
| `xss→csrf` | XSS confirmed | CSRF token exfiltration attempt |
| `ssti→rce-oob` | SSTI confirmed + `--collaborator` | OOB RCE via Freemarker/Velocity payload |
**WebSocket fuzzing** sends 17 payload categories over live `ws://` and `wss://` connections and detects abnormal close codes, payload reflection, and timing anomalies:
```bash
plasma -u https://target.example.com --fuzz --fuzz-websocket \
--collaborator https://your.oob.server
```
See [docs/fuzzing.md](docs/fuzzing.md) for detailed fuzzer documentation.
---
## Reporting
```bash
# HTML, Markdown, and PDF reports with PoC files
plasma -u https://target.example.com -r html,markdown,pdf --poc --report-dir ./results
# Launch the web dashboard
plasma --ui
# Dashboard available at http://127.0.0.1:5000
```
All reports include a SHA-256 integrity hash (`.sha256` sidecar file). See [docs/reporting.md](docs/reporting.md) for output format specifications.
---
## Web Dashboard
The web dashboard provides a real-time GUI equivalent to the CLI. All V1 features are accessible through the interface, including browser crawl, WebSocket fuzzing, TLS analysis, HAR import, subdomain takeover, and JSON Lines output.
```bash
plasma --ui
```
The dashboard streams scan progress and findings in real time via Server-Sent Events and supports exporting results as JSON.
---
## Architecture
```
plasma/
main.py CLI entry point and argument parser
config.py Global constants and scan profiles
core/
scan_manager.py Scan phase orchestrator
async_http_engine.py Adaptive async HTTP engine with LRU deduplication cache
adaptive_concurrency.py AIMD concurrency controller
models.py ScanContext, ScanSettings, Finding, Endpoint data models
detector_registry.py Detector loader and registry
crawler.py BFS web crawler (sync and async)
passive/
passive_analyzer.py Security headers, error messages, CSP, cookie analysis
tls_analyzer.py TLS/SSL analysis with CVE correlation
security_hardening.py CSP evaluator, cookie auditor, audit log, report hasher
recon/
subdomain_discovery.py DNS brute-force enumeration
parameter_discovery.py Hidden parameter discovery
takeover_detector.py Subdomain takeover (13 providers)
browser/
browser_crawler.py Playwright headless crawler with parallel page support
vulnerability_detectors/ 18 detector implementations
templates/
template_loader.py Parallel async Nuclei template execution
evasion/
rate_limiter.py WAF fingerprinting and rate limit auto-calibration
modules/
fuzz_engine.py FuzzEngine and ExploitChainer
websocket_fuzzer.py WebSocket mutation fuzzer
oob_collaborator.py Out-of-band callback server integration
poc_generator.py Proof-of-concept file generation
utils/
har_parser.py Browser HAR recording importer
scan_diff.py Scan output comparison tool
reporting/
report_builder.py HTML, Markdown, and PDF generation
ui/
server.py Flask API server
static/
index.html Web dashboard
style.css Dark red theme (IBM Plex Mono + IBM Plex Sans)
app.js SSE-based real-time client
tests/
test_detectors.py Unit tests for all detectors and utilities
test_integration.py Integration tests for the scan pipeline
templates/
nuclei/ 32 YAML detection templates
docs/ Extended documentation
```
See [docs/architecture.md](docs/architecture.md) for a full description of the scan pipeline, async HTTP engine, and detector lifecycle.
---
## Testing
```bash
# Run the full test suite
python -m unittest discover tests/ -v
# Run a single test class
python -m unittest tests.test_detectors.TestCSPEvaluator -v
# Print all fuzzer payloads without sending any requests
plasma -u https://example.com --fuzz --fuzz-dry-run --verbose
```
The test suite covers 52 tests across: HAR parser, scan diff, CSP evaluator, cookie auditor, rate limiter WAF fingerprinting, GraphQL type unwrapping, report hasher, adaptive LRU cache, `ScanSettings` field completeness, CLI flag registration, fuzz engine payload coverage, detector registry integrity, template loader, `build_settings` wiring, and WebSocket fuzzer payload categories.
---
## Contributing
1. **Code style** — Python 3.10+. Use type annotations throughout. No bare `except:` clauses.
2. **Async** — Use `asyncio.get_running_loop()` in async contexts, not the deprecated `asyncio.get_event_loop()`.
3. **New detector** — Implement `BaseDetector`, register the class in `core/detector_registry.py`, and add unit tests in `tests/test_detectors.py`.
4. **Security** — Do not log request payloads at `INFO` level. Findings are written to the append-only scan audit log only.
5. **Tests** — All new features require unit tests. All 52 existing tests must continue to pass before a pull request is submitted.
6. **Documentation** — Update the relevant file in `docs/` when adding or changing features. Update the CLI reference table in this README when adding or removing flags.
---
*Plasma V1 — For authorized security testing only.*