Introducing Vajra — an advanced web hacking framework

8 min readMar 11, 2021

Table of Content:

Introduction
Prerequisites
Tools Used by Vajra
Usage
Selecting Types of Scan
Scan Status
Using Monitoring Service
How Vajra Works (Module wise description)

Introduction

Vajra is an automated web hacking framework to automate boring recon tasks and same scans for multiple target during web applications penetration testing. Vajra has highly customizable target scope based scan feature. Instead of running all the scan on target, it runs only those scan selected by you which will minimize unnecessary traffic and stores output in one place at CouchDB.

Vajra uses most common open source tools which every Bug Hunter runs during their testing on target. It does all the stuffs through web browser with very simple UI that makes it absolute beginner friendly framework. Vajra is fully compatible with mobile devices. Thus you can do your recon through your phone also.

Analyzing your data from scan result is very important in Bug Bounty. The chances of missing anything is less only if you could visualize your data in proper way and Vajra does so with a lot of filters.

I created this project for my personal use (about 6 months ago) but looking at its usefulness, I decided to make it open-source so that it can save your time and can get some more improvement from community. I’m not a developer but I know how to automate my stuffs so my code may not be that clean.

Currently, I added only 27 unique bug bounty feature to it but more will be added in near future.

Prerequisites

Debian based OS (currently tested in Ubuntu and Kali Linux)
Minimum of 1.5 GB of RAM
Recommended RAM is 3 GB
Minimum storage of 12 GB
A VPS is recommended

Tools Used by Vajra

Vajra uses only open source tools and custom scripts with some tweaks to complete its job. It’s accuracy totally depends upon that tools which I’m going to list below

Subdomain Enumeration: Subfinder, Amass and Assetfinder
Resolve Subdomains: httpx
Subdomain Takeover: Custom Tool
Port Scan : Masscan
URL with Parameters: ParamSpider
CVE Scan: Nuclei
Fuzzing: ffuf
Extract Javascript: gau with custom script
Extract Endpoints: gau
Extract Endpoints with Extensions: gau with grapX
Extract Secrets: Secret Finder
Broken Links: blc
Favicon Hash: FavFreak
Github Dorks: GitDorker
Templates Scan: Nuclei
Custom Wordlist: gau with unfurl
CORS: CORS Scanner and Corsy
Hidden Endpoints from JS: Linkfinder
CRLF Scan: CRLF Injection Scanner
403 Bypass: byp4xx
Hidden Parameters: Arjun
JavaScript Monitor: JsMon
Subdomain Monitor: CertEagle
To store result: CouchDB

Usage

To add the target, go to home page and add any domain name and select Types of Scan and click on Start Scanning. You can check your ongoing scans in Ongoing Scan tab in navigation bar.

The beauty of Vajra is that it is highly specific to target and provides wide range of options while selecting Scan Types.

Note:

If you want to perform any scan on target that includes subdomains then make sure to find subdomains first as it requires subdomains to complete scan.

Similarly, Hidden endpoints from JS is dependent upon Javascript. So, it is mandatory to scan javascript first and then hidden enpoints from JS.

Selecting Types of Scan

The UI of this framework is very simple. You only needs to enter target name and select types of scan to start Scanning.

Demo

https://www.youtube.com/watch?v=WLurj5Lg8cI

How to use Monitoring Service

If you want to win game in Bug Bounty, monitoring your target plays crucial role. Keeping this in mind, I’ve included Subdomain Monitor and JavaScript Monitor in this framework. If any new subdomains of target is added or any changes will be made in Javascript then you’ll be notified in Telegram.

Note: Monitoring your target assets may not allowed in some programs. Read the program rules carefully before using this feature.

Use Javascript Monitor

To use this feature, you need to provide target name and javascript URL which you’re going to monitor.

Click on Add to Scan and you will get a message if it’s added successfully.

To verify this or to check how many target you’re monitoring, click on Jsmon Status and you will name of your added target.

Use Subdomain Monitor

Currently, you can only see how many subdomains your are monitoring through web interface. To add target name to monitor, you have to use CLI.

Steps to use Subdomain Monitor

SSH to your VPS.
Navigate to directory vajra/tools/CertEagle/
Use any editor to open domains.yml file and add your target name and save the file
Run screen command to start monitoring on another screen. “screen -S certeagle”
Run this command: “python3 certeagle.py” and press “ctrl + A and D” respectively to exit screen.
For more detail on how to CertEagle. click on this link.

How Vajra Works (Module wise description)

If you are using any open source tools or framework then it is very important to know how it works so that you can trust its feature and make optimal use of it. To keep this in mind, I’ve explained the working of Vajra.

Subdomain Enumeration:

Vajra uses Amass, AssetFinder and Subfinder for enumerating subdomains. After getting subdomains from all the sources, it resolves with the help of httpx to get IP’s ,Title and response code of subdomains and saves it into all subdomains row in database. After this, it seperates subdomains with 200 and 302 response code in valid subdomains in row for further processing.

Subdomain Takeover:

For subdomain takeover, Vajra filters all subdomains with 404 response code with httpx and then checks for CNAME. If target name is not there in CNAME then Vajra marks it as vulnerable for subdomain takeover. If target in not vulnerable then it will not shows in database.

Port Scan:

There is three options available for port scanning. Either you can select less than 10,000 ports or less than 30,000 or even Full port scan. To complete this task, masscan comes into play. Masscan runs on 1000 rate for port scanning.

Fuzz Directory/Files:

For fuzzing, I used ffuf tool with 30 threads. There is 3 option for wordlist available in Vajra. One is a list of directories which contains 87,000 directory list taken from some good sources. Another is critical files that contains some sensitive files like .bak, .git , etc. And the last one is custom wordlist. Custom wordlist is target specific wordlist which you need to generate it first to use.

Currently there is no web interface to upload any other wordlist but you can do so with SSH. Replace the wordlist in vajra/tools/wordlist directory with another one.

Extract JavaScript:

For this purpose, Vajra uses gau to get all urls and a custom script to filter live javascript from it.

Note: It removes javascript which contains jquery or .min.js in url.

Extract Endpoints:

Vajra only uses gau to get all endpoints of a target. After getting endpoints, it seperates endpoints according to the extension like php, js, json for easy further analysis and save it in Endpoints with Extensions.

Extract Secrets:

Secret Finder comes into play to get secrets like api keys, javascripts,etc. If only root domain is selected then secret finder runs only on root domain not on Javascripts. But include subdomains option is selected then it also runs on Javascripts along with subdomains and for this Javascript must be available in database.

Favicon Hash:

FavFreak tool is used to get favicon hash of target. It only generates favicon hash and doesn’t check for its service according to fav hash.

Github Dorks:

Vajra has GitDorker tool to generate github dorks. Well this tools saves a lot of time for github recon. There is a lot of filters in Vajra to filters generate dorks like filter all dorks according to maximum number of matches.

Templates Scan:

There is only one tools available for template scan and i.e. Nuclei. It has a lot of potential. All the templates are available in vajra/tools/nuclei-templates.

To update templates, go to vajra/tools/ and remove nuclei-templates directory. After this git clone the latest update of nuclei templates in the same directory.

Custom Wordlist:

This generates target specific wordlist to find hidden directory or files. Vajra uses gau to get all urls and unfurl to make wordlist from it.

CORS Scan:

To check CORS Vulnerability, Vajra uses two tools. One is corsy and another is CORS Scanner. After getting output from these two tools, it store result in database.

Hidden Endpoints from JS:

First of all Vajra downloads all the javascript from database and then runs linkfinder on it to get all sensitive hidden endpoints from it. To run this scan, javascript should be available in database.

403 Bypass:

byp4xx is used for this service. You need to provide a url and if the bypass success then it will alert you with output otherwise it says Bypass Failed.

Note: It takes 1–2 minutes to check for bypass.

Find Hidden Parameters:

Arjun tool is used to find hidden parameters. You can also send cookies to perform authenticated bruteforce to find parameters. It takes 3–4 minutes to complete its process. Till then do not move to another tab. After running the scan, it will shows output in alert.

Vajra is definitely worth giving a try. Make sure to star the project on GitHub!

Link: https://github.com/r3curs1v3-pr0xy/vajra