KasraBayani/web-pentest-chain

Web Pentest Chain

Local, no‑cost web pentesting toolkit with:

  • One‑command scans (scan <target>) and a Streamlit GUI (pentest-gui).
  • ProjectDiscovery stack, ZAP, discovery/fuzzing, screenshots, wordlists.
  • WAF‑aware adaptation (auto backoff, Slow/Very Slow), proxy, randomized headers.
  • Browser priming (Playwright) + cookie reuse for bot‑managed paths.

Install (one‑liner)

Run the bootstrap installer — it clones this repo, installs deps, and creates launchers:

bash -c "$(curl -fsSL https://raw.githubusercontent.com/KasraBayani/web-pentest-orchestrator/main/scripts/bootstrap.sh)"

Alternatively, manual steps:

git clone https://github.com/KasraBayani/web-pentest-orchestrator.git ~/web-pentest-orchestrator
cd ~/web-pentest-orchestrator
./scripts/install.sh

This will:

  • Install needed CLI tools (subfinder, httpx-toolkit, naabu, nuclei, dnsx, ffuf, feroxbuster, katana, gowitness, zaproxy, seclists, etc.)
  • Install Python add‑ons (LinkFinder, SecretFinder, corscanner, streamlit), Go add‑ons (gau, waybackurls, anew, etc.)
  • Set up ~/bin/scan, ~/bin/webscan, ~/bin/webauth, and the pentest-gui launcher
  • Create a desktop entry (Applications → Web Pentest Orchestrator)

Quick Start

  • CLI: scan example.com --deep (add --slow or --very-slow for strict WAFs)
  • GUI: pentest-gui

Authenticated Scans

  • authsetup example.com then edit ~/pentest/auth/example.com.env, and run scan example.com --auth

Files

  • bin/ lightweight wrappers
  • pentest/run-web.sh orchestration script
  • pentest/bin/* helpers
  • pentest/gui/app.py Streamlit UI
  • kali-harden/* optional hardening scripts
  • docs/SESSION_NOTES.md operational notes

Outputs

  • Results are written to ~/pentest/out/<host>/ (outside this repo)

Uninstall

  • Remove the repo dir ~/web-pentest-orchestrator and the launchers in ~/bin/ (scan, webscan, webauth, pentest-gui).

License

MIT — see LICENSE.

About

A unified toolkit that chains multiple top-tier web app pentesting tools into a single workflow (recon→crawl→scan) with GUI & CLI. Works on LAN/Internet, with auth-ready profiles and enhanced WAF-evasion intelligence & presets.
