Share
## https://sploitus.com/exploit?id=BA6E6A92-D62E-5A18-A900-CDEE3CAF577A
# Zparty
**Automated web penetration testing framework with local AI, built in Python.**
Zparty runs a full black-box security audit in one command โ recon, scanning, 30+ vulnerability modules, CVSS scoring, compliance mapping, and an AI-directed exploit engine โ all from a browser UI with live streaming output.
No API keys. No cloud. Everything runs on your machine.

---
## What it does
A target URL goes in. A scored security report comes out.
Zparty runs five phases automatically:
```
Phase 0 โ Validation DNS, reachability, scope enforcement
Phase 1 โ Recon WHOIS, DNS, subdomains, tech stack, SSL, JS secrets, Wayback
Phase 2 โ Active Scan Ports, directories, crawl, headers, WAF detection
Phase 3 โ Vulnerabilities 30+ concurrent modules (see list below)
Phase 4 โ Scoring CVSS 3.1, OWASP Top 10, PCI-DSS 4.0 compliance mapping
Phase 5 โ Report HTML + SARIF reports, Playwright PoC screenshots
```
After the scan, the **AI Agent** loads the findings into a local LLM (Ollama), identifies exploit chains, selects the highest-impact targets, and attempts live exploitation with automated PoC screenshots.
---
## Architecture
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Browser UI (FastAPI) โ
โ Live log stream via WebSocket โ
โโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Pipeline (asyncio) โ
โ โ
โ Phase 1: Recon modules (sequential, 60s timeout) โ
โ Phase 2: Scan modules (sequential, 60s timeout) โ
โ Phase 3: Vuln modules (concurrent, 300s hard cap) โ
โ โ
โ Rate limiter โ Scope filter โ Tor proxy โ
โโโโโโโโฌโโโโโโโโโโดโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโ
โ
โโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 30+ Vulnerability Modules โ
โ Each module: async, timeout-guarded, self-contained โ
โโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Scoring + Compliance + Reports โ
โ CVSS 3.1 ยท OWASP Top 10 ยท PCI-DSS 4.0 ยท SARIF โ
โโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ AI Exploit Engine (local) โ
โ Ollama LLM โ chain analysis โ Playwright PoC โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
---
## Vulnerability modules
### Recon (Phase 1)
| Module | What it finds |
|---|---|
| WHOIS | Registrar, owner, expiry, ASN |
| DNS Enumeration | A, AAAA, MX, TXT, NS, CNAME, SOA records |
| Subdomain Enumeration | crt.sh + DNS brute-force (top 5000) |
| Tech Fingerprint | Server, framework, CMS, language from headers/HTML/JS |
| SSL Analysis | Cipher strength, certificate validity, HSTS enforcement |
| JS Analysis | API keys, secrets, internal URLs leaked in JavaScript files |
| Wayback Miner | Historical endpoints from the Wayback Machine |
| Error Analysis | Stack traces, debug pages, version disclosure |
### Scan (Phase 2)
| Module | What it finds |
|---|---|
| Port Scanner | Open ports with service fingerprinting (nmap / socket fallback) |
| Dir Bruteforce | Exposed admin panels, `.env`, `.git`, backup files, sensitive paths |
| Crawler | Endpoint and parameter discovery |
| Header Analysis | Missing CSP, HSTS, X-Frame-Options, cookie flags |
| WAF Detection | Firewall presence and bypass surface |
### Vulnerabilities (Phase 3 โ concurrent)
| Module | Technique |
|---|---|
| SQL Injection | Error-based, boolean-blind, time-blind, UNION extraction |
| XSS | Reflected, stored, DOM โ 50+ context-aware payloads |
| SSTI | Jinja2, Twig, Freemarker, Velocity, Pebble detection |
| SSTI โ RCE | Template sandbox escapes โ `os.popen()` chain |
| Command Injection | Shell metacharacter injection with OOB confirmation |
| LFI | Path traversal, PHP filter bypass, log poisoning paths |
| SSRF | Internal network probe + cloud metadata (169.254.169.254) |
| SSRF Chain | Multi-hop SSRF with AWS/GCP/Azure credential extraction |
| XXE | External entity injection with OOB exfiltration |
| JWT Attacks | `alg:none`, weak secret brute-force, kid injection |
| CORS | Misconfigured `Access-Control-Allow-Origin` |
| Open Redirect | Parameter-based redirect to attacker-controlled URL |
| Path Traversal | Directory traversal + file read confirmation |
| NoSQL Injection | MongoDB operator injection (`$gt`, `$regex`, `$where`) |
| Deserialization | Java, Python pickle, PHP object injection patterns |
| HTTP Smuggling | CL.TE / TE.CL request smuggling probes |
| HTTP Methods | TRACE, PUT, DELETE, CONNECT method enumeration |
| Race Conditions | Concurrent request timing attacks on sensitive endpoints |
| Race Conditions (AI) | AI-targeted race window detection on financial/coupon endpoints |
| IDOR | Parameter ID enumeration with cross-user response diffing |
| IDOR Chain | Cross-endpoint ID correlation (object A's ID โ object B's data) |
| Subdomain Takeover | Dangling CNAME detection for major cloud services |
| GraphQL | Introspection, batching, field suggestion, DoS probes |
| OAuth / OIDC | State parameter, redirect_uri, PKCE, token leakage |
| Mass Assignment | Hidden parameter injection on REST endpoints |
| File Upload | Extension bypass, MIME confusion, webshell delivery |
| Default Credentials | 200+ credential pairs against admin panels |
| Business Logic | Price manipulation, quota bypass, plan escalation |
| CVE Checks | Version-based CVE matching from tech fingerprint |
| Nuclei | Community template engine (1000+ templates) |
---
## AI Exploit Engine
After the scan, an optional AI agent loads findings into a **local LLM via Ollama** โ zero data leaves the machine:
1. **Chain analysis** โ identifies multi-step exploit paths across findings (e.g. SSRF โ cloud metadata โ credentials โ account takeover)
2. **Target selection** โ ranks findings by exploitability and selects the highest-impact ones
3. **Live exploitation** โ runs focused exploit routines per finding type:
- SQLi: UNION-based table/column/data extraction
- XSS: cookie theft with Playwright browser automation
- SSTI: sandbox escape โ `os.popen()` RCE chain
- LFI: `/etc/passwd`, `config.php`, PHP filter bypass
- Default creds: automated login with screenshot proof
4. **Playwright PoC** โ captures browser screenshots of confirmed exploits as evidence
Supported local models: `llama3.1`, `qwen2.5-coder`, `mistral`, `deepseek-r1:8b`, `llama3.2`
---
## Evasion & anonymity
- **User-agent rotation** โ random real browser UA per request, no tool fingerprint in headers
- **Jitter** โ 0โ300ms randomized delay between requests (human pacing)
- **Tor integration** โ Phase 3 attack traffic routes through Tor SOCKS5, new exit node per module via NEWNYM
- **Proxy support** โ HTTP/HTTPS/SOCKS5 proxies, round-robin rotation across a list
- **Scope enforcement** โ configurable out-of-scope domains, excluded paths, include-only lists
---
## Output
Every scan produces a timestamped results folder:
```
results/scan_2026-05-19_00-33-18/
โโโ report/
โ โโโ report.html # Full HTML report with CVSS scores
โ โโโ poc_report.html # AI exploit PoC report with screenshots
โ โโโ report.sarif # SARIF format (GitHub Code Scanning compatible)
โโโ findings.json # Raw findings (machine-readable)
โโโ scan_data.json # Full scan context (recon, endpoints, config)
โโโ checkpoints/ # Phase-by-phase incremental saves
```
**Scoring:** starts at 100, deducts per finding (Critical โ40, High โ20, Medium โ8, Low โ3). Letter grade S โ E.
**Compliance:** each finding is mapped to OWASP Top 10 2021 and PCI-DSS 4.0 controls.
**Notifications:** Slack webhook, email, Jira ticket creation, custom webhook โ all configurable in `config.yaml`.
---
## Browser UI
```bash
python ui_launch.py
# opens http://localhost:8000
```
- **Full Scan** โ runs all phases with live log streaming over WebSocket
- **AI Agent** โ loads findings from a previous scan and runs the exploit engine
- Real-time phase progress, per-module status, filterable log terminal
- Scan history and result browser
---
## Installation
**Requirements:** Python 3.11+
```bash
git clone https://github.com/Sid00011/zparty.git
cd zparty
pip install -r requirements.txt
playwright install chromium
```
**Optional โ Nuclei integration:**
```bash
python install_tools.py # downloads nuclei binary automatically
```
**Optional โ AI features:**
```bash
# Install Ollama: https://ollama.com/download
ollama pull llama3.1 # 4.7 GB โ best reasoning
ollama pull llama3.2 # 2.0 GB โ fastest, lowest RAM
```
**Optional โ Tor anonymity:**
```bash
# Linux / macOS
sudo apt install tor
# Windows โ downloaded automatically on first scan
```
---
## Usage
**1. Set your target in `config.yaml`:**
```yaml
target:
url: "https://your-target.com"
```
**2. Launch:**
```bash
# Browser UI
python ui_launch.py
# CLI
python main.py scan --target https://your-target.com
# AI exploit engine on existing scan
python main.py analyze --session results/scan_2026-05-19_00-33-18/
```
---
## Configuration
`config.yaml` controls every aspect of the scan:
```yaml
rate_limit:
requests_per_second: 10
max_concurrent_threads: 15
modules:
vulns:
sqli: true
xss: true
nuclei: true
# enable/disable any module individually
tor:
enabled: true
rotate_between_modules: true # new exit node per module = new IP per module
ai:
enabled: true
model: "llama3.1"
auth:
type: bearer # none | cookie | bearer | basic | apikey | form
bearer: "your-token"
notify:
slack:
webhook_url: "https://hooks.slack.com/..."
jira:
url: "https://yourcompany.atlassian.net"
project_key: "SEC"
```
---
## Tech stack
| Component | Technology |
|---|---|
| Language | Python 3.11 |
| Async runtime | asyncio |
| HTTP client | httpx (HTTP/1.1, HTTP/2, SOCKS5) |
| Web UI | FastAPI + WebSocket |
| Browser automation | Playwright (Chromium) |
| AI engine | Ollama (local LLM, fully offline) |
| Port scanning | nmap + socket fallback |
| Tor control | stem |
| Reports | Jinja2 (HTML) + SARIF |
| CLI | Typer + Rich |
---
## Project structure
```
zparty/
โโโ core/ # Pipeline, rate limiter, auth, scope, Tor, AI engine, CVSS
โโโ modules/
โ โโโ recon/ # 8 passive recon modules
โ โโโ scan/ # 5 active scan modules
โ โโโ vulns/ # 30 vulnerability modules
โโโ scoring/ # CVSS 3.1 scoring + grading engine
โโโ reports/ # HTML, SARIF, and PoC report generators
โโโ ui/ # FastAPI server + WebSocket live streaming
โโโ config.yaml # All scan settings (annotated)
โโโ requirements.txt
โโโ main.py # CLI entrypoint
```
---
## Legal
**For authorized security testing only.**
Only use Zparty against systems you own or have explicit written permission to test. Unauthorized scanning is illegal in most jurisdictions. The author assumes no liability for misuse.
Intended use cases:
- Penetration testers with a signed scope agreement
- Security researchers testing their own infrastructure
- CTF competitions (HackTheBox, TryHackMe, PicoCTF)
- Students in lab environments (DVWA, WebGoat, VulnHub, Metasploitable)
---
*Built as an independent security research project.*