Skip to content

moon0deva/aegis

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
ai
ai
 
 
core
core
 
 
modules
modules
 
 
payloads
payloads
 
 
utils
utils
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
aegis.py
aegis.py
 
 
config.py
config.py
 
 
requirements.txt
requirements.txt
 
 
setup.py
setup.py
 
 

Repository files navigation

Aegis

A full OWASP Top 10 web vulnerability scanner with auto-crawling, threaded scanning, and multi-format reports.

For authorized security testing only. Never scan targets without explicit written permission.

"Knowledge is only POTENTIAL power. It only becomes power when we apply it and use it” — Tony Robbins."

Quick Start

git clone https://github.com/moon0deva/aegis.git
python setup.py                      
python aegis.py http://target.com

Features

Feature Details
OWASP Top 10 All 10 categories (2021 edition)
12 scan modules WAF, info, headers, CSRF, XSS, SQLi, LFI, SSRF, XXE, SSTI, redirect, dirs
Threaded Concurrent scanning (default 10 threads)
AI triage Post-scan Claude API analysis (--ai)
3 report formats JSON + PDF + Interactive HTML dashboard
WAF detection Header + body signature fingerprinting

Scan Modules

Module OWASP Tests
waf WAF/IDS detection (15 signatures)
info A05 PHP version, server, generator fingerprinting, phpinfo exposure
headers A05 8 security headers, cookie flags, version disclosure
csrf A01 Missing CSRF tokens, unauthenticated endpoint access
xss A03 40+ payloads — reflected, SVG, HTML5, filter bypass, encoding
sqli A03 55+ payloads — error/union/boolean/time-blind across MySQL/MSSQL/Oracle/PG/SQLite/NoSQL
lfi A01 35+ payloads — path traversal, PHP wrappers, null byte, encoding
ssti A03 20+ payloads — Jinja2, Twig, Freemarker, Velocity, Smarty, ERB, Mako
ssrf A10 30+ payloads — localhost variants, AWS/GCP/Azure metadata, protocol bypass
xxe A05 9 payloads — file read, SSRF via XXE, XInclude, SVG, OOB
redirect A01 17 payloads across 20 param names
dirs A05 70+ paths — admin panels, .env, .git, backups, CMS paths, API docs

Usage

# Full scan (all modules)
python aegis.py http://target.com

# Specific modules only
python aegis.py http://target.com --modules xss sqli headers lfi

# More threads, verbose output
python aegis.py http://target.com --threads 20 --verbose

# With AI analysis (requires ANTHROPIC_API_KEY env var)
export ANTHROPIC_API_KEY=sk-ant-...
python aegis.py http://target.com --ai

# Skip PDF report
python aegis.py http://target.com --no-pdf

# Custom output directory
python aegis.py http://target.com --output ./pentest_results

AI Analysis (Optional)

When run with --ai, Aegis sends all findings to Claude and gets back:

  • Executive summary for non-technical stakeholders
  • Overall risk rating with justification
  • Top 3 most critical findings with remediation code
  • Attack chain analysis (e.g. SSRF + LFI = potential RCE)
  • Full remediation checklist

Requires ANTHROPIC_API_KEY environment variable.

Legal

Authorized penetration testing only.
Scanning targets without written permission is illegal in most jurisdictions.
The authors accept no liability for misuse.

About

A full OWASP Top 10 web vulnerability scanner with auto-crawling, threaded scanning

Topics

security-audit owasp cybersecurity penetration-testing bug-bounty sql-injection xss-vulnerability web-security lfi owasp-top-10 vulnerability-scanner

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages