Future features
Note Jeff Bezos' remark at the end of this YouTube video: thinking small is a self-fulfilling prophecy.
LET'S BUILD THE BEST BUG BOUNTY TOOLS IN THE WORLD! THIS INCLUDES ULTRA FAST AND SCALABLE SCANNERS, AND A BEAUTIFUL GUI TO MANAGE THEM! PROXY SERVER, REPEATER, BIG CONTINUOUS SCRAPERS, CERT TRANSPARENCY MONITORING, DNS RESOLVER, AND MORE!
IT WILL BE THE BEST AND CHEAPEST TOOL IN THE WORLD! BUILT USING RUST AND LEVERAGING THE BEST SCALABLE AND CHEAPEST AWS CLOUD SERVICES.
Create HTTP service that exposes our scanners
Similar to how Caido works, build a web frontend for the scanner that can kick off scans. This opens up a lot of flexibility in how the scanner can be used, and is very close to how Caido itself is built:
- Run the scanner on localhost and have the SwiftUI app talk to it
- Run the scanner in a container or VM and kick off scans remotely
- Create another web service that acts as an aggregator of scanners, so multiple scanners are managed from one place. The scanners report back to the aggregator service through callbacks. The GUI contacts the aggregator to get the status of all scanners and to push jobs to them.
We have to make sure the web services are not tied directly into the scanner logic itself; otherwise we could not easily run the scanners from serverless functions or other code bases.
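The separation described above, sketched as an added std-only Rust example (this is not the project's code; `ScanBackend`, `Aggregator`, `JobState` and `LocalBackend` are assumed names). The aggregator owns the job table and exposes submit/callback/status, and the only thing it knows about a scanner is the `ScanBackend` trait, so the same bookkeeping can front an in-process engine, a container, or a serverless function. The callback handler refuses to move a finished job backwards, which is the check a status endpoint reachable by several scanners needs:

```rust
use std::collections::HashMap;
use std::sync::{Arc, Mutex};

// Assumed names for this example; the project's real types are not on the page.
pub type ScannerId = String;
pub type JobId = u64;

#[derive(Clone, Debug, PartialEq, Eq)]
pub enum JobState {
    Queued,
    Running { progress_pct: u8 },
    Done { findings: usize },
    Failed(String),
}

#[derive(Clone, Debug)]
pub struct Job {
    pub id: JobId,
    pub scanner: ScannerId,
    pub target: String,
    pub state: JobState,
}

/// The only thing the web/aggregator layer knows about a scanner. Everything
/// above this trait is transport and bookkeeping.
pub trait ScanBackend: Send + Sync {
    fn start(&self, job_id: JobId, target: &str) -> Result<(), String>;
}

/// Owns the job table, dispatches jobs to named scanners and receives their
/// status callbacks. A GUI only ever talks to this.
#[derive(Default)]
pub struct Aggregator {
    backends: HashMap<ScannerId, Arc<dyn ScanBackend>>,
    jobs: Mutex<HashMap<JobId, Job>>,
    next_id: Mutex<JobId>,
}

impl Aggregator {
    pub fn register(&mut self, id: &str, backend: Arc<dyn ScanBackend>) {
        self.backends.insert(id.to_string(), backend);
    }

    /// Push a job to a scanner; returns the id the GUI polls for status.
    pub fn submit(&self, scanner: &str, target: &str) -> Result<JobId, String> {
        let backend = self
            .backends
            .get(scanner)
            .ok_or_else(|| format!("unknown scanner {scanner}"))?;
        let id = {
            let mut n = self.next_id.lock().unwrap();
            *n += 1;
            *n
        };
        let job = Job { id, scanner: scanner.to_string(), target: target.to_string(), state: JobState::Queued };
        self.jobs.lock().unwrap().insert(id, job);
        if let Err(e) = backend.start(id, target) {
            // Record the failure instead of leaving a phantom Queued job behind.
            self.jobs.lock().unwrap().get_mut(&id).unwrap().state = JobState::Failed(e.clone());
            return Err(e);
        }
        Ok(id)
    }

    /// Callback endpoint the scanners hit to report progress.
    pub fn callback(&self, job_id: JobId, state: JobState) -> Result<(), String> {
        let mut jobs = self.jobs.lock().unwrap();
        let job = jobs.get_mut(&job_id).ok_or_else(|| format!("unknown job {job_id}"))?;
        // A late or replayed callback must not move a finished job backwards.
        if matches!(job.state, JobState::Done { .. } | JobState::Failed(_)) {
            return Err(format!("job {job_id} already finished"));
        }
        job.state = state;
        Ok(())
    }

    pub fn status(&self, job_id: JobId) -> Option<JobState> {
        self.jobs.lock().unwrap().get(&job_id).map(|j| j.state.clone())
    }

    /// Snapshot of every job, e.g. for a dashboard view.
    pub fn snapshot(&self) -> Vec<Job> {
        self.jobs.lock().unwrap().values().cloned().collect()
    }
}

/// In-process stand-in for a real scanner (constructed for this example).
#[derive(Default)]
pub struct LocalBackend {
    pub started: Mutex<Vec<(JobId, String)>>,
}

impl ScanBackend for LocalBackend {
    fn start(&self, job_id: JobId, target: &str) -> Result<(), String> {
        if target.is_empty() {
            return Err("empty target".to_string());
        }
        self.started.lock().unwrap().push((job_id, target.to_string()));
        Ok(())
    }
}

fn main() {
    let mut agg = Aggregator::default();
    agg.register("local", Arc::new(LocalBackend::default()));
    let id = agg.submit("local", "example.test").unwrap();
    agg.callback(id, JobState::Running { progress_pct: 50 }).unwrap();
    agg.callback(id, JobState::Done { findings: 2 }).unwrap();
    println!("{:?}", agg.snapshot());
}
```

An HTTP layer (or a serverless handler) would map routes onto `submit`, `callback` and `status` and nothing else, so swapping the backend never touches the transport.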
HTTP/1.1 and HTTP/2 packet generation using the pnet packet macro
Is there already a way, or can I use the pnet packet macro, to add HTTP/1.1 and HTTP/2 support to pnet? That would make it easier to generate HTTP packets.
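Whatever macro ends up generating the packet types, the byte layout it has to describe for HTTP/2 is the 9-byte frame header. As an added illustration (std-only Rust, not pnet's `#[packet]` macro and not the project's code), here is that header encoded and decoded by hand, with the bounds checks a packet generator needs: the 24-bit length field, the reserved high bit of the stream id, and a payload shorter than the header announces.

```rust
/// HTTP/2 frame header (RFC 7540, section 4.1): 24-bit payload length,
/// 8-bit type, 8-bit flags, then one reserved bit and a 31-bit stream id.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct FrameHeader {
    pub length: u32,
    pub frame_type: u8,
    pub flags: u8,
    pub stream_id: u32,
}

pub const FRAME_HEADER_LEN: usize = 9;
pub const MAX_PAYLOAD: u32 = (1 << 24) - 1;
pub const TYPE_HEADERS: u8 = 0x1;
pub const FLAG_END_STREAM: u8 = 0x1;
pub const FLAG_END_HEADERS: u8 = 0x4;
/// Every HTTP/2 connection starts with this client preface before any frame.
pub const CLIENT_PREFACE: &[u8] = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";

impl FrameHeader {
    /// Serialize to the 9-byte wire form, rejecting values that do not fit.
    pub fn encode(&self) -> Result<[u8; FRAME_HEADER_LEN], String> {
        if self.length > MAX_PAYLOAD {
            return Err(format!("payload length {} exceeds 2^24-1", self.length));
        }
        if self.stream_id & 0x8000_0000 != 0 {
            return Err("stream id uses the reserved high bit".to_string());
        }
        let mut out = [0u8; FRAME_HEADER_LEN];
        out[0] = (self.length >> 16) as u8;
        out[1] = (self.length >> 8) as u8;
        out[2] = self.length as u8;
        out[3] = self.frame_type;
        out[4] = self.flags;
        out[5..9].copy_from_slice(&self.stream_id.to_be_bytes());
        Ok(out)
    }

    /// Parse a header from the front of `buf` and return it with its payload.
    /// Bounds are checked before slicing so a truncated capture cannot panic.
    pub fn decode(buf: &[u8]) -> Result<(Self, &[u8]), String> {
        if buf.len() < FRAME_HEADER_LEN {
            return Err("buffer shorter than a frame header".to_string());
        }
        let length = u32::from_be_bytes([0, buf[0], buf[1], buf[2]]);
        // Receivers must ignore the reserved bit, so mask it off.
        let stream_id = u32::from_be_bytes([buf[5], buf[6], buf[7], buf[8]]) & 0x7fff_ffff;
        let header = FrameHeader { length, frame_type: buf[3], flags: buf[4], stream_id };
        let rest = &buf[FRAME_HEADER_LEN..];
        if rest.len() < length as usize {
            return Err(format!("header announces {length} payload bytes, only {} present", rest.len()));
        }
        Ok((header, &rest[..length as usize]))
    }
}

/// Header plus payload as one frame. For a HEADERS frame the payload is the
/// HPACK-encoded header block, which this example does not implement.
pub fn build_frame(frame_type: u8, flags: u8, stream_id: u32, payload: &[u8]) -> Result<Vec<u8>, String> {
    if payload.len() > MAX_PAYLOAD as usize {
        return Err("payload too large for one frame".to_string());
    }
    let header = FrameHeader { length: payload.len() as u32, frame_type, flags, stream_id };
    let mut frame = header.encode()?.to_vec();
    frame.extend_from_slice(payload);
    Ok(frame)
}

fn main() {
    // 0x82 is the HPACK indexed representation of `:method: GET` (static table entry 2).
    let frame = build_frame(TYPE_HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, 1, &[0x82]).unwrap();
    println!("{frame:02x?}");
    let (header, payload) = FrameHeader::decode(&frame).unwrap();
    println!("{header:?} payload={payload:02x?}");
}
```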
TCP Fast Open
See whether we want to implement TCP Fast Open for SNI scanning. Linux apparently supports it by default; Windows doesn't. This could reduce the round-trip time of SNI scraping tasks.
Race condition testing
Implement a scanner that does this: https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/
Since this technique relies on crafting IP fragments that the target reassembles and on using TCP sequence numbers in a particular way, it will likely not be able to use the normal Engine, as that relies on SYN cookies to sync the transmit and receive threads.
HTTP1 Pipelining
Can I use my engine to implement HTTP/1.1 pipelining?
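The part of pipelining that is independent of the engine is the framing: all requests go out on one connection before any response is read, and the responses come back in order, so the client has to cut the byte stream at exactly the right places or every later response lands on the wrong request. This added std-only Rust example (not the project's code; `pipeline_requests` and `split_pipelined_responses` are assumed names) serializes a batch of requests and splits the reply stream strictly by `Content-Length`, refusing to guess on chunked or length-less responses:

```rust
/// One parsed pipelined response: status code and body bytes.
#[derive(Debug, PartialEq, Eq)]
pub struct Response {
    pub status: u16,
    pub body: Vec<u8>,
}

fn find(haystack: &[u8], needle: &[u8]) -> Option<usize> {
    haystack.windows(needle.len()).position(|w| w == needle)
}

/// Serialize N requests back-to-back for one connection: with pipelining
/// every request is written before the first response is read.
pub fn pipeline_requests(host: &str, paths: &[&str]) -> Vec<u8> {
    let mut out = Vec::new();
    for path in paths {
        out.extend_from_slice(
            format!("GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: keep-alive\r\n\r\n").as_bytes(),
        );
    }
    out
}

/// Split a stream carrying `expected` responses. Each one is framed by
/// Content-Length only; anything ambiguous (chunked, no length, conflicting
/// lengths) is an error, because a wrong cut desynchronises every response
/// after it.
pub fn split_pipelined_responses(mut buf: &[u8], expected: usize) -> Result<Vec<Response>, String> {
    let mut out = Vec::with_capacity(expected);
    while out.len() < expected {
        let head_end = find(buf, b"\r\n\r\n").ok_or("incomplete response head")?;
        let head = std::str::from_utf8(&buf[..head_end]).map_err(|_| "non-UTF-8 response head")?;
        let mut lines = head.split("\r\n");
        let status_line = lines.next().ok_or("empty response head")?;
        let status: u16 = status_line
            .split(' ')
            .nth(1)
            .and_then(|s| s.parse().ok())
            .ok_or("bad status line")?;
        let mut content_length: Option<usize> = None;
        for line in lines {
            let (name, value) = line.split_once(':').ok_or("malformed header line")?;
            let name = name.trim().to_ascii_lowercase();
            let value = value.trim();
            if name == "transfer-encoding" {
                return Err("chunked framing is not handled by this example".to_string());
            }
            if name == "content-length" {
                let n: usize = value.parse().map_err(|_| "bad Content-Length")?;
                if content_length.map_or(false, |prev| prev != n) {
                    return Err("conflicting Content-Length headers".to_string());
                }
                content_length = Some(n);
            }
        }
        // 1xx, 204 and 304 never carry a body; everything else needs a length.
        let len = match content_length {
            Some(n) => n,
            None if status == 204 || status == 304 || (100..200).contains(&status) => 0,
            None => return Err("response without Content-Length cannot be framed".to_string()),
        };
        let body_start = head_end + 4;
        let body_end = body_start + len;
        if buf.len() < body_end {
            return Err("truncated body".to_string());
        }
        out.push(Response { status, body: buf[body_start..body_end].to_vec() });
        buf = &buf[body_end..];
    }
    Ok(out)
}

fn main() {
    // Constructed reply stream standing in for what a server would send back.
    let stream = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhelloHTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n";
    println!("{:?}", split_pipelined_responses(stream, 2));
    println!("{}", String::from_utf8_lossy(&pipeline_requests("example.test", &["/a", "/b"])));
}
```

A real client also has to cope with the server closing the connection mid-batch and with `Connection: close` on an early response; both mean the remaining requests must be retried on a fresh connection rather than assumed lost.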
HTTP-to-DNS
Use my engine to resolve domains very quickly against Cloudflare. Can we make this very memory efficient, given that most packets will look very much alike? I could perhaps use the streaming JSON library https://github.com/pydantic/jiter
Caido/Burp repeater using my HTTP engine
Integrate my HTTP engine, with a websocket frontend, into the MPF iOS app. I'm not going to create a proxy (at least not yet :D) but something similar to the Repeater feature in Burp.
- One part that allows you to craft the binary request
- Within the request I can use my template variables
- I can select existing wordlists to use for my template variables
- I can set rate limits for the scanner
- Starting the scan will show the results in a table view
- Double-clicking a result drills into it; the back arrow returns to the table view
- Easily import common HTTP request payloads
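The template-variable and rate-limit items above, as an added std-only Rust example (not the project's code; `render`, `expand` and `RateLimiter` are assumed names). `render` fills `{{name}}` placeholders in a raw request and errors on an unbound or unterminated one so a half-filled request is never sent; `expand` walks the cartesian product of the selected wordlists; `RateLimiter` is a token bucket with an injected clock, so the scan's pacing can be tested without sleeping:

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Expand `{{name}}` placeholders in a raw request template. Every placeholder
/// must be bound; an unbound or unterminated one is an error.
pub fn render(template: &str, vars: &HashMap<&str, &str>) -> Result<String, String> {
    let mut out = String::with_capacity(template.len());
    let mut rest = template;
    while let Some(start) = rest.find("{{") {
        out.push_str(&rest[..start]);
        let after = &rest[start + 2..];
        let end = after.find("}}").ok_or("unterminated {{ placeholder")?;
        let name = after[..end].trim();
        let value = vars.get(name).ok_or_else(|| format!("unbound variable {name}"))?;
        out.push_str(value);
        rest = &after[end + 2..];
    }
    out.push_str(rest);
    Ok(out)
}

/// One concrete request per combination of wordlist entries (cartesian
/// product, iterated like an odometer so only the output is materialised).
pub fn expand(template: &str, lists: &[(&str, &[&str])]) -> Result<Vec<String>, String> {
    let mut results = Vec::new();
    if lists.iter().any(|(_, words)| words.is_empty()) {
        return Ok(results);
    }
    let mut idx = vec![0usize; lists.len()];
    loop {
        let vars: HashMap<&str, &str> =
            lists.iter().zip(&idx).map(|((name, words), &i)| (*name, words[i])).collect();
        results.push(render(template, &vars)?);
        let mut k = lists.len();
        loop {
            if k == 0 {
                return Ok(results);
            }
            k -= 1;
            idx[k] += 1;
            if idx[k] < lists[k].1.len() {
                break;
            }
            idx[k] = 0;
        }
    }
}

/// Token-bucket limiter: `rate` requests per second with a burst of `burst`.
/// The clock is passed in so scheduling is deterministic and testable.
pub struct RateLimiter {
    capacity: f64,
    tokens: f64,
    rate: f64,
    last: Instant,
}

impl RateLimiter {
    pub fn new(rate: f64, burst: usize, now: Instant) -> Self {
        RateLimiter { capacity: burst as f64, tokens: burst as f64, rate, last: now }
    }

    /// Ok if a request may go out now; Err carries how long to wait first.
    pub fn try_acquire(&mut self, now: Instant) -> Result<(), Duration> {
        let elapsed = now.saturating_duration_since(self.last).as_secs_f64();
        self.tokens = (self.tokens + elapsed * self.rate).min(self.capacity);
        self.last = now;
        if self.tokens >= 1.0 {
            self.tokens -= 1.0;
            Ok(())
        } else {
            Err(Duration::from_secs_f64((1.0 - self.tokens) / self.rate))
        }
    }
}

fn main() {
    let template = "GET /api/{{ver}}/users/{{user}} HTTP/1.1\r\nHost: example.test\r\n\r\n";
    // Constructed sample wordlists standing in for the ones a user would select.
    let vers: &[&str] = &["v1", "v2"];
    let users: &[&str] = &["alice", "bob"];
    let requests = expand(template, &[("ver", vers), ("user", users)]).unwrap();
    let mut limiter = RateLimiter::new(5.0, 2, Instant::now());
    for req in &requests {
        while let Err(wait) = limiter.try_acquire(Instant::now()) {
            std::thread::sleep(wait);
        }
        println!("{}", req.lines().next().unwrap());
    }
}
```

Keeping the limiter's clock injectable is what lets the scheduling logic be checked in a unit test; the same struct can be driven by a real clock in the scanner loop.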
This would actually be a feature that could help me find bugs (a bit) faster. At the moment a lot of my time is spent in the Repeater tab manually crafting payloads. If I have all my wordlists and templates ready, I can use them much more easily. That, in combination with my fast scanner, could be a very powerful tool (I would of course have to be careful with rate limits).
Since I can have my scanner running somewhere else, I can also use it from my phone. Of course that's a bit less screen space, but at least I could get some stuff done.
Of course, once this is built, what's stopping me from creating my own proxy? :D There I can also create a websockets frontend, get a history in my iOS tool, and send requests to the repeater.