SessionProbe: Open-source multi-threaded pentesting tool
SessionProbe is a multi-threaded pentesting tool designed to evaluate user privileges in web applications. It takes a user’s session token and checks, for a list of URLs, whether that session can access each one, highlighting potential authorization issues. It deduplicates URL lists and provides real-time logging and progress tracking.
- Tests for authorization issues
- Automatically dedupes URLs
- Sorts the URLs by response status code and extension (e.g., .css, .js), and reports the response length
- Proxy support to route all requests through, e.g., Burp
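As an added illustration, not SessionProbe's own code (the article does not show its implementation), here is a minimal Python version of the workflow described above: dedupe a URL list, fetch each URL with a given session cookie (optionally through a proxy), skip static extensions, optionally filter on a body regex, and sort results by status code and extension with the response length. The `http_fetch` helper is a real fetcher using only the standard library; `SAMPLE_URLS`, `SAMPLE_RESPONSES` and `run_sample` are constructed sample data standing in for a hypothetical app so the block runs offline.

```python
import re, urllib.error, urllib.request
from urllib.parse import urlsplit

def dedupe_urls(urls):
    """Drop blank lines and exact duplicates, keeping first-seen order."""
    seen, out = set(), []
    for u in (u.strip() for u in urls):
        if u and u not in seen:
            seen.add(u)
            out.append(u)
    return out

def url_extension(url):
    """'.css' for https://h/a/b.CSS?x=1, '' when the last path segment has no dot."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return "." + last.rsplit(".", 1)[-1].lower() if "." in last else ""

def http_fetch(url, cookie_header, proxy=None, timeout=10):
    """Real fetcher: sends the session cookie; proxy='http://127.0.0.1:8080' routes via Burp."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    req = urllib.request.Request(url, headers={"Cookie": cookie_header})
    try:
        with urllib.request.build_opener(*handlers).open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # 401/403/404 are findings, not failures
        return err.code, err.read().decode(errors="replace")

def probe(urls, fetch, exclude_ext=(".js", ".css"), body_regex=None):
    """Return (status, extension, length, url) tuples sorted by status, then extension."""
    pattern = re.compile(body_regex) if body_regex else None
    results = []
    for u in dedupe_urls(urls):
        ext = url_extension(u)
        if ext in exclude_ext:
            continue  # static assets rarely matter for access control review
        status, body = fetch(u)
        if pattern and not pattern.search(body):
            continue  # optional content filter on the response body
        results.append((status, ext, len(body), u))
    return sorted(results)

# Constructed sample: responses a low-privilege session gets from a hypothetical app.
SAMPLE_URLS = ["https://app.example/admin/users", "https://app.example/static/app.js",
               "https://app.example/admin/users", "https://app.example/api/me",
               "https://app.example/reports/q1.pdf", ""]
SAMPLE_RESPONSES = {"https://app.example/admin/users": (200, "<h1>All users</h1>" + "x" * 500),
                    "https://app.example/api/me": (200, '{"user":"alice"}'),
                    "https://app.example/reports/q1.pdf": (403, "Forbidden")}

def run_sample():
    return probe(SAMPLE_URLS, lambda u: SAMPLE_RESPONSES[u])
```

A 200 on `/admin/users` for a low-privilege session is the kind of row worth reviewing; against a live app, pass `lambda u: http_fetch(u, "session=<token>", proxy="http://127.0.0.1:8080")` as the fetcher.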
“SessionProbe is directly usable with Burp Suite’s ‘Copy URLs in this host’ output (just copy this output into a file and pass it into SessionProbe). It then checks for a given user what they can access and provides a nice, easy-to-skim-over output. It allows filtering out files that may not be interesting for broken access control, like JS or CSS. It allows filtering the output by a regex or content length,” Florian Walter, the creator of the tool, told Help Net Security.
“One idea I’m excited about is checking for outliers (say, concerning the response length, status code, or some basic body parsing). This would be useful for massive apps with massive URLs, where manual review would be complex. Here, I wonder if a tool could already give you candidates for broken access control to review. I also want to implement a functionality to pass in a Swagger file and automatically check all URLs from there. This makes testing super easy and even allows people who don’t use Burp to use the tool,” Walter concluded.
SessionProbe is available for free on GitHub.