Share
## https://sploitus.com/exploit?id=2529AEE1-AF79-5EA7-A1C4-451CF61EB465
# Plasma

![Python](https://img.shields.io/badge/python-3.10%2B-blue) ![GitHub Actions](https://img.shields.io/github/actions/workflow/status/Jadexzc/Plasma/python-package.yml?branch=main) ![License](https://img.shields.io/github/license/Jadexzc/Plasma) ![Documentation](https://img.shields.io/badge/docs-v1.0-brightgreen)

**Web Application Security Testing Framework**

Plasma is a modular, async Python framework for web application penetration testing and security research. It combines a high-performance async HTTP engine with a multi-phase scan pipeline covering passive analysis, active vulnerability detection, fuzzing, exploit chaining, and professional report generation.

> **Legal notice:** Plasma is intended for authorized security testing only. Do not run it against systems you do not have explicit written permission to test.

---

## Table of Contents

1. [Features](#features)
2. [Installation](#installation)
3. [Quick Start](#quick-start)
4. [CLI Reference](#cli-reference)
5. [Scan Profiles](#scan-profiles)
6. [Detectors](#detectors)
7. [Fuzzing and Exploit Chaining](#fuzzing-and-exploit-chaining)
8. [Reporting](#reporting)
9. [Web Dashboard](#web-dashboard)
10. [Architecture](#architecture)
11. [Testing](#testing)
12. [Contributing](#contributing)

  ---

  ## Features

  - **18 vulnerability detectors** — CSRF, XSS, SQLi, SSRF, RCE, IDOR, SSTI, HTTP Smuggling, GraphQL, JWT, CORS, CRLF, XPath, cache poisoning, directory traversal, open redirect, misconfiguration, sensitive file exposure
  - **Full-surface fuzzer** with exploit chaining (SSTI to RCE OOB, SSRF to RCE, SQLi to IDOR, traversal to LFI)
  - **Playwright headless browser crawler** for JavaScript-heavy single-page applications
  - **WebSocket fuzzing** with 17 mutation payload categories
  - **JWT algorithm confusion** — RS256/HS256 confusion, JKU/JWK/kid header injection, alg:none
  - **GraphQL security testing** — introspection, mutation fuzzing with nested input generation, depth/complexity DoS, batch abuse
  - **HAR file import** — replay authenticated browser sessions directly into the scanner
  - **Subdomain takeover detection** — 13 provider fingerprints with CNAME confirmation
  - **TLS/SSL analysis** — certificate expiry, weak ciphers, outdated protocol versions, CVE correlation
  - **Cache poisoning detection** — six header injection vectors
  - **Scan diff tool** — compare two scan outputs to detect regressions in CI/CD pipelines
  - **Adaptive concurrency** — AIMD rate control with WAF fingerprinting and automatic rate limit calibration
  - **32 Nuclei-compatible detection templates**
  - **HTML, Markdown, and PDF report generation** with SHA-256 integrity verification

  ---

  ## Installation

  **Requirements:** Python 3.10 or later.

  ```bash
  git clone https://github.com/your-org/plasma.git
  cd plasma
  python -m venv venv
  source venv/bin/activate        # Linux / macOS
  # venv\Scripts\activate.bat   # Windows Command Prompt
  pip install -r requirements.txt
  pip install -e .
  ```

  After installation, you can run Plasma from anywhere using the `plasma` command instead of `python main.py`.

  ```bash
  plasma --help
  ```

  ### Optional Dependencies

  **Headless browser crawling** (`--browser`):

  ```bash
  pip install playwright
  playwright install chromium
  ```

  **HTTP/2 support** (`--http2`):

  ```bash
  pip install httpx[http2]
  ```

  **WebSocket fuzzing** (`--fuzz-websocket`):

  ```bash
  pip install websockets
  ```

  **PDF report generation** (`--report pdf`):

  ```bash
  # Linux / Debian
  sudo apt-get install python3-cffi libcairo2 libpango-1.0-0 libpangocairo-1.0-0
  pip install weasyprint

  # macOS
  brew install pango gdk-pixbuf libffi
  pip install weasyprint
  ```

  **Subdomain takeover DNS resolution** (`--subdomain-takeover`):

  ```bash
  pip install dnspython
  ```

  ---

  ## Quick Start

  ```bash
  # Basic scan — default profile, all detectors
  plasma -u https://target.example.com

  # Full scan with browser crawling, fuzzing, and HTML report
  plasma -u https://target.example.com --browser --fuzz -r html

  # Aggressive scan — all detectors, full fuzzing, TLS analysis, subdomain takeover
  plasma -u https://target.example.com --profile aggressive \
    --browser --fuzz --fuzz-websocket --tls-analysis \
    --subdomains --subdomain-takeover -r html,pdf

  # Import from browser HAR recording (preserves authenticated session)
  plasma -u https://app.example.com --har session.har --fuzz

  # Scan diff for CI/CD regression detection
  plasma -u https://example.com --output-json scan-new.json
  plasma --diff-scans scan-old.json scan-new.json

  # Stream findings as JSON Lines for pipeline consumption
  plasma -u https://example.com --jsonl | jq 'select(.severity == "CRITICAL")'
  ```

  ---

  ## CLI Reference

  ### Target

  | Flag | Description |
  |------|-------------|
  | `-u URL`, `--url URL` | Single target URL |
  | `-b FILE`, `--batch FILE` | File containing one URL per line |
  | `--har FILE` | Import all requests from a browser HAR recording |
  | `--replay FILE` | Replay a scan saved with `--save-scan` |
  | `--diff-scans A B` | Compare two Plasma JSON scan outputs |

  ### Scan Profile

  | Flag | Description |
  |------|-------------|
  | `-p PROFILE`, `--profile PROFILE` | `safe`, `default`, `aggressive`, `stealth` |
  | `-d N`, `--depth N` | Crawl depth (default: 2) |
  | `-t N`, `--timeout N` | Request timeout in seconds (default: 10) |

  ### Detectors

  | Flag | Description |
  |------|-------------|
  | `--test-csrf` | CSRF — token absence, SameSite weaknesses |
  | `--test-sqli` | SQL injection — error-based, time-based, OOB |
  | `--test-xss` | Cross-site scripting — reflected, DOM, stored indicators |
  | `--test-ssrf` | Server-side request forgery |
  | `--test-rce` | Remote code execution |
  | `--test-idor` | Insecure direct object reference |
  | `--test-misconfig` | Security misconfiguration |
  | `--test-dir-traversal` | Directory and path traversal |
  | `--test-ssti` | Server-side template injection with RCE chain |
  | `--test-smuggling` | HTTP request smuggling — CL.TE and TE.CL |
  | `--test-xpath` | XPath injection |
  | `--test-crlf` | CRLF injection and response splitting |
  | `--test-jwt` | JWT: alg:none, RS256/HS256 confusion, JKU/JWK/kid injection |
  | `--test-cache-poisoning` | HTTP cache poisoning via header injection |
  | `--test-all` | Enable all detectors |
  | `--detectors LIST` | Comma-separated list of detector names to enable |
  | `--skip LIST` | Comma-separated list of detectors to disable |

  ### Scan Modes

  | Flag | Description |
  |------|-------------|
  | `--browser` | Playwright headless crawl for JavaScript-heavy applications |
  | `--browser-parallel N` | Parallel browser pages during crawl (default: 3) |
  | `--fuzz` | Enable the fuzz engine |
  | `--fuzz-websocket` | Fuzz discovered WebSocket endpoints |
  | `--fuzz-chain` | Enable multi-step exploit chain detection |
  | `--fuzz-stealth` | Add timing jitter and user-agent rotation between probes |
  | `--fuzz-profile PROFILE` | Override the fuzzer profile independently of `--profile` |
  | `--fuzz-dry-run` | Print all generated payloads without sending any requests |
  | `--fuzz-target-param PARAM` | Restrict fuzzing to a single named parameter |
  | `--api-mode` | API testing — JSON body injection, REST endpoint discovery |
  | `--bypass` | Access control bypass — header spoofing, method tampering |
  | `--http2` | Use HTTP/2 via httpx (falls back to HTTP/1.1 automatically) |

  ### Reconnaissance

  | Flag | Description |
  |------|-------------|
  | `--subdomains` | DNS subdomain brute-force enumeration |
  | `--subdomain-takeover` | Check discovered subdomains for dangling CNAMEs |
  | `--param-discovery` | Hidden parameter discovery |
  | `--tls-analysis` | TLS/SSL — certificates, ciphers, protocol versions, CVE correlation |
  | `--no-js` | Disable JavaScript endpoint extraction |

  ### Authentication

  | Flag | Description |
  |------|-------------|
  | `--auth-cookie VALUE` | Inject session cookie string |
  | `--login-url URL` | Form-based login endpoint |
  | `--login-data JSON` | Login POST body as JSON |
  | `--login-script FILE` | Python script for complex authentication flows (OAuth, MFA) |
  | `--collaborator URL` | OOB callback server for blind SSRF, RCE, and SSTI |
  | `--blind-xss URL` | Blind XSS callback URL |

  ### Output

  | Flag | Description |
  |------|-------------|
  | `-r FORMATS`, `--report FORMATS` | Report formats: `html`, `markdown`, `pdf` (comma-separated) |
  | `--report-dir DIR` | Report output directory (default: `reports/`) |
  | `--poc` | Generate proof-of-concept exploit files |
  | `--poc-dir DIR` | PoC output directory (default: `poc_output/`) |
  | `--output-json FILE` | Write all findings as JSON; exits with code 1 if findings exist |
  | `--jsonl` | Stream findings as JSON Lines to stdout |
  | `--save-scan` | Save scan state for later replay or diff |
  | `--scan-dir DIR` | Scan storage directory (default: `scans/`) |

  ### Performance

  | Flag | Description |
  |------|-------------|
  | `--concurrency N` | Maximum concurrent requests |
  | `--rate-limit RPS` | Target requests per second (0 = auto-calibrate) |
  | `--no-dedup` | Disable request deduplication |
  | `--no-verify-ssl` | Disable SSL certificate verification |
  | `--proxy URL` | HTTP/HTTPS proxy (e.g. `http://127.0.0.1:8080`) |

  ---

  ## Scan Profiles

  | Profile | Payload Volume | Delay | Evasion | Production-Safe |
  |---------|---------------|-------|---------|-----------------|
  | `safe` | Passive only | 1.0 s | Off | Yes |
  | `default` | Moderate | 0.3 s | Off | Usually |
  | `aggressive` | Full coverage | None | On | No |
  | `stealth` | Reduced | 3.0 s | On | Depends |

  ```bash
  # Stealth crawl and recon, aggressive fuzzing on discovered endpoints
  plasma -u https://target.example.com --profile stealth --fuzz --fuzz-profile aggressive
  ```

  See [docs/scan-profiles.md](docs/scan-profiles.md) for full profile specifications.

  ---

  ## Detectors

  All 18 detectors implement `BaseDetector` from `core/vulnerability_detectors/base_detector.py` and are registered in `core/detector_registry.py`.

  | Detector | NAME | Primary Techniques |
  |----------|------|--------------------|
  | CSRF | `csrf` | Token absence, SameSite=None, preflight bypass |
  | SQLi | `sqli` | Error-based, boolean-blind, time-based, OOB |
  | XSS | `xss` | Reflected, DOM sink analysis, attribute context |
  | SSRF | `ssrf` | Internal IP probing, cloud metadata, OOB DNS |
  | RCE | `rce` | Command injection, deserialization patterns |
  | IDOR | `idor` | Numeric ID enumeration, UUID traversal |
  | Misconfiguration | `misconfig` | Security headers, CORS policy, exposed admin paths |
  | Directory Traversal | `directory_traversal` | `../` sequences, URL-encoded and null-byte variants |
  | SSTI | `ssti` | 7 engine fingerprints, RCE OOB chain |
  | HTTP Smuggling | `http_smuggling` | CL.TE, TE.CL timing probes |
  | XPath | `xpath` | Error-based XPath injection |
  | CRLF | `crlf` | Header injection, log injection |
  | JWT | `jwt` | alg:none, RS256/HS256 confusion, JKU/JWK/kid injection |
  | GraphQL | `graphql` | Introspection, mutation fuzzing, depth/complexity DoS, batch abuse |
  | CORS | `cors` | Origin reflection, null origin, credentialed misconfiguration |
  | Cache Poisoning | `cache_poisoning` | X-Forwarded-Host, X-Original-URL, Forwarded |
  | Open Redirect | `open-redirect` | Parameter-based, header-based |
  | Sensitive Files | `sensitive-files` | .env, .git, backup files, credential exposure |

  ---

  ## Fuzzing and Exploit Chaining

  The fuzz engine (`modules/fuzz_engine.py`) runs after standard detectors and tests all discovered parameters with context-aware payloads across five attack categories: SQL injection, XSS, SSTI, path traversal, and SSRF.

  **Exploit chains** link related findings into multi-step attacks:

  | Chain | Trigger | Escalation |
  |-------|---------|------------|
  | `sqli→idor` | SQLi confirmed | Extracted IDs used for IDOR enumeration |
  | `ssrf→rce` | SSRF confirmed | Internal service probed for command execution |
  | `traversal→lfi→rce` | Path traversal confirmed | File read escalated to code execution |
  | `xss→csrf` | XSS confirmed | CSRF token exfiltration attempt |
  | `ssti→rce-oob` | SSTI confirmed + `--collaborator` | OOB RCE via Freemarker/Velocity payload |

  **WebSocket fuzzing** sends 17 payload categories over live `ws://` and `wss://` connections and detects abnormal close codes, payload reflection, and timing anomalies:

  ```bash
  plasma -u https://target.example.com --fuzz --fuzz-websocket \
    --collaborator https://your.oob.server
  ```

  See [docs/fuzzing.md](docs/fuzzing.md) for detailed fuzzer documentation.

  ---

  ## Reporting

  ```bash
  # HTML, Markdown, and PDF reports with PoC files
  plasma -u https://target.example.com -r html,markdown,pdf --poc --report-dir ./results

  # Launch the web dashboard
  plasma --ui
  # Dashboard available at http://127.0.0.1:5000
  ```

  All reports include a SHA-256 integrity hash (`.sha256` sidecar file). See [docs/reporting.md](docs/reporting.md) for output format specifications.

  ---

  ## Web Dashboard

  The web dashboard provides a real-time GUI equivalent to the CLI. All V1 features are accessible through the interface, including browser crawl, WebSocket fuzzing, TLS analysis, HAR import, subdomain takeover, and JSON Lines output.

  ```bash
  plasma --ui
  ```

  The dashboard streams scan progress and findings in real time via Server-Sent Events and supports exporting results as JSON.

  ---

  ## Architecture

  ```
  plasma/
    main.py                          CLI entry point and argument parser
    config.py                        Global constants and scan profiles
    core/
      scan_manager.py                Scan phase orchestrator
      async_http_engine.py           Adaptive async HTTP engine with LRU deduplication cache
      adaptive_concurrency.py        AIMD concurrency controller
      models.py                      ScanContext, ScanSettings, Finding, Endpoint data models
      detector_registry.py           Detector loader and registry
      crawler.py                     BFS web crawler (sync and async)
      passive/
        passive_analyzer.py          Security headers, error messages, CSP, cookie analysis
        tls_analyzer.py              TLS/SSL analysis with CVE correlation
        security_hardening.py        CSP evaluator, cookie auditor, audit log, report hasher
      recon/
        subdomain_discovery.py       DNS brute-force enumeration
        parameter_discovery.py       Hidden parameter discovery
        takeover_detector.py         Subdomain takeover (13 providers)
      browser/
        browser_crawler.py           Playwright headless crawler with parallel page support
      vulnerability_detectors/       18 detector implementations
      templates/
        template_loader.py           Parallel async Nuclei template execution
      evasion/
        rate_limiter.py              WAF fingerprinting and rate limit auto-calibration
    modules/
      fuzz_engine.py                 FuzzEngine and ExploitChainer
      websocket_fuzzer.py            WebSocket mutation fuzzer
      oob_collaborator.py            Out-of-band callback server integration
      poc_generator.py               Proof-of-concept file generation
    utils/
      har_parser.py                  Browser HAR recording importer
      scan_diff.py                   Scan output comparison tool
    reporting/
      report_builder.py              HTML, Markdown, and PDF generation
    ui/
      server.py                      Flask API server
      static/
        index.html                   Web dashboard
        style.css                    Dark red theme (IBM Plex Mono + IBM Plex Sans)
        app.js                       SSE-based real-time client
    tests/
      test_detectors.py              Unit tests for all detectors and utilities
      test_integration.py            Integration tests for the scan pipeline
    templates/
      nuclei/                        32 YAML detection templates
    docs/                            Extended documentation
  ```

  See [docs/architecture.md](docs/architecture.md) for a full description of the scan pipeline, async HTTP engine, and detector lifecycle.

  ---

  ## Testing

  ```bash
  # Run the full test suite
  python -m unittest discover tests/ -v

  # Run a single test class
  python -m unittest tests.test_detectors.TestCSPEvaluator -v

  # Print all fuzzer payloads without sending any requests
  plasma -u https://example.com --fuzz --fuzz-dry-run --verbose
  ```

  The test suite covers 52 tests across: HAR parser, scan diff, CSP evaluator, cookie auditor, rate limiter WAF fingerprinting, GraphQL type unwrapping, report hasher, adaptive LRU cache, `ScanSettings` field completeness, CLI flag registration, fuzz engine payload coverage, detector registry integrity, template loader, `build_settings` wiring, and WebSocket fuzzer payload categories.

  ---

  ## Contributing

  1. **Code style** — Python 3.10+. Use type annotations throughout. No bare `except:` clauses.
  2. **Async** — Use `asyncio.get_running_loop()` in async contexts, not the deprecated `asyncio.get_event_loop()`.
  3. **New detector** — Implement `BaseDetector`, register the class in `core/detector_registry.py`, and add unit tests in `tests/test_detectors.py`.
  4. **Security** — Do not log request payloads at `INFO` level. Findings are written to the append-only scan audit log only.
  5. **Tests** — All new features require unit tests. All 52 existing tests must continue to pass before a pull request is submitted.
  6. **Documentation** — Update the relevant file in `docs/` when adding or changing features. Update the CLI reference table in this README when adding or removing flags.

  ---

  *Plasma V1 — For authorized security testing only.*