Agartha - LFI, RCE, SQLi, Auth, HTTP to JS

Agartha, specializes in advance payload generation and access control assessment. It adeptly identifies vulnerabilities related to injection attacks, and authentication/authorization issues. The dynamic payload generator crafts extensive wordlists for various injection vectors, including SQL Injection, Local File Inclusion (LFI), and Remote Code Execution(RCE). Furthermore, the extension constructs a comprehensive user access matrix, revealing potential access violations and privilege escalation paths. It also assists in performing HTTP 403 bypass checks, shedding light on auth misconfigurations. Additionally, it can convert HTTP requests to JavaScript code to help digging up XSS issues more.

In summary:

'Payload Generator': It dynamically constructs comprehensive wordlists for injection attacks, incorporating various encoding and escaping characters to enhance the effectiveness of security testing. These wordlists cover critical vulnerabilities such as SQL Injection, Local File Inclusion (LFI), and Remote Code Execution, making them indispensable for robust security testing.
- Local File Inclusion, Path Traversal helps identifying vulnerabilities that allow attackers to access files on the server's filesystem.
- Remote Code Execution, Command Injection aims to detects potential command injection points, enabling robust testing for code execution vulnerabilities.
- SQL Injection assists to uncover SQL Injection vulnerabilities, including Stacked Queries, Boolean-Based, Union-Based, and Time-Based.
'Auth Matrix': By constructing a comprehensive access matrix, the tool reveals potential access violations and privilege escalation paths. This feature enhances security posture by addressing authentication and authorization issues. You can use the web 'Spider' feature to generate a sitemap/URL list, and it will crawl visible links from the user's session automatically.
'403 Bypass': It aims to tackle common access restrictions, such as HTTP 403 Forbidden responses. It utilizes techniques like URL manipulation and request header modification to bypass implemented limitations.
'Copy as JavaScript': It converts Http requests to JavaScript code for further XSS exploitation and more.

For additional information or to report any issues, please visit the project's homepage.

Author	Author Volkan Dindar
Version	Version 2.0
Rating	Rating
Popularity	Popularity
Last updated	Last updated 30 August 2024
Estimated system impact	Estimated system impact Overall impact: Medium Memory Low CPU Low General Medium Scanner Low

Author

Author

Volkan Dindar

Version

Version

2.0

Rating

Rating

Popularity

Popularity

Last updated

Last updated

30 August 2024

Estimated system impact

Estimated system impact

Overall impact: Medium

Memory

Low

CPU

Low

General

Medium

Scanner

Low

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

	You can view the source code for all BApp Store extensions on our GitHub page.
	Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

Go back to BappStore

Note:

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.