JSPM

crowbar-security

0.1.0
  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 12
  • Score
    100M100P100Q49692F
  • License MIT

autonomous black-box web penetration testing. give it a URL, it finds everything exploitable.

Package Exports

    This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (crowbar-security) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

    Readme

    crowbar

    autonomous web penetration testing. give it a url, it finds everything exploitable.

    what it does

    crowbar crawls a live website, fingerprints the stack, selects attack vectors, exploits vulnerabilities, and hands you a proof-of-concept report. no source code needed. no manual endpoint mapping. point and shoot.

    npx crowbar-security scan https://target.com
    crowbar v0.1.0

target: https://target.com
[recon] passive: 14 subdomains, 23 historical endpoints
[recon] complete: 47 endpoints, 12 forms, 8 JS files
[mapper] stack: server=nginx, language=Node.js, framework=Express, database=PostgreSQL, waf=Cloudflare
[mapper] found 6 hidden parameters across 3 endpoints
[mapper] 142 attack vectors planned
[mapper] payload order randomized (anti-fingerprinting)
[attack] 142/142 (5 vulns found)
[verify] 4 vulnerabilities confirmed
[chain] 2 attack chains identified
[report] saved: ./crowbar-report.md, ./crowbar-report.json

crowbar scan complete in 27.3s
4 vulnerabilities confirmed across 47 endpoints

    install

    npm install -g crowbar-security
npx playwright install chromium

    or from source:

    git clone https://github.com/crowbar-security/crowbar.git
cd crowbar
npm install
npm run setup   # installs chromium + creates .env from template

    requires node 20+.

    api keys

    cp .env.example .env
# edit .env with your keys
    • ANTHROPIC_API_KEY and/or OPENAI_API_KEY -- enables AI-driven payload generation, strategy adaptation, chain discovery, and ambiguous response analysis. crowbar works without these but loses its smartest features. typical scan costs $1-5 in API spend.
    • CROWBAR_API_KEY -- optional, protects the crowbar serve dashboard API with Bearer token auth.

    publish to npm

    ./scripts/publish.sh         # publish current version
./scripts/publish.sh patch   # bump + publish

    battle testing

    ./scripts/battle-test.sh all   # requires docker

    spins up DVWA, Juice Shop, and WebGoat in containers, runs crowbar against each, produces per-target detection reports.

    cli

    8 commands:

    # full autonomous scan
crowbar scan https://target.com

# recon only (no attacks)
crowbar recon https://target.com

# attack specific endpoint
crowbar attack https://target.com --endpoint /api/users

# re-verify findings from a previous report
crowbar verify ./crowbar-report.json

# CI/CD pipeline scan (non-interactive, exits with status code)
crowbar ci https://target.com --fail-on high --webhook https://hooks.slack.com/xxx

# scan multiple targets from a file
crowbar multi targets.txt --parallel 3

# continuous monitoring (periodic scans, delta alerts)
crowbar watch https://target.com --interval 6h --webhook https://hooks.slack.com/xxx

# web dashboard (localhost only)
crowbar serve --port 3333

    scan options

    # authentication
crowbar scan https://target.com --cookie "session=abc123"
crowbar scan https://target.com --bearer "eyJ..."

# modes
crowbar scan https://target.com --mode stealth
crowbar scan https://target.com --mode aggressive

# output formats
crowbar scan https://target.com --format md,json,html,sarif,csv

# external knowledge bases
crowbar scan https://target.com --nuclei-templates ~/nuclei-templates
crowbar scan https://target.com --wordlist ~/SecLists
crowbar scan https://target.com --payloads ~/PayloadsAllTheThings

# incremental scanning (only test new/changed endpoints)
crowbar scan https://target.com --incremental

# resume interrupted scan
crowbar scan https://target.com --resume

# with pinata integration (white-box-guided)
crowbar scan https://target.com --gaps gaps.json

# dry run (recon + mapping, no attacks)
crowbar scan https://target.com --dry-run

# scope and safety
crowbar scan https://target.com --rate-limit 5 --max-requests 1000
crowbar scan https://target.com --scope "target.com,api.target.com"

    ci/cd integration

    # .github/workflows/security.yml
- uses: crowbar-security/scan@v1
  with:
    target: https://staging.yourapp.com
    fail-on: high
    format: sarif
    auth-cookie: ${{ secrets.SESSION_COOKIE }}

    the GitHub Action runs crowbar ci, uploads SARIF to GitHub Security tab, and fails the build if findings exceed the severity threshold.

    how it works

    URL
 |
RECON --> MAPPER --> ATTACKER --> VERIFIER --> REPORTER
 |          |          |            |
 v          v          v            v
          KNOWLEDGE GRAPH
          (queryable by all phases)
              |
           AI BRAIN
   (strategy, adaptation, chains)

    9-phase pipeline:

    1. passive recon: DNS enumeration (100+ subdomain wordlist), certificate transparency (crt.sh), Wayback Machine historical endpoints
    2. active recon: Playwright crawl (SPAs, forms, links), JS bundle analysis (extract API endpoints from fetch/axios calls), source map harvesting, path probing (~150 common paths), robots.txt/sitemap parsing
    3. tech fingerprinting: 60+ detection rules across headers, cookies, error messages, body patterns, WAF signatures
    4. parameter discovery: Arjun-style hidden parameter enumeration with batch testing and binary search
    5. attack planning: context-aware attack selection based on parameter name heuristics, tech stack rules, and priority scoring
    6. attack execution: 36 attack plugins with 5-layer WAF evasion, early stopping, payload randomization, incremental scanning
    7. verification: separate verification agent replays and confirms each finding. deterministic plugin verification + AI fallback
    8. chain discovery: 8 chain templates (SSRF to cloud takeover, JWT to data exfil, XSS to session hijack, etc.) plus AI-driven novel chain discovery
    9. reporting: markdown, JSON, HTML (dark theme), SARIF, CSV. each vulnerability includes a reproducible curl proof-of-concept and compliance mapping

    36 attack plugins

    injection: SQL injection (error + blind boolean + blind timing + UNION), NoSQL injection (MongoDB operators), command injection (output + timing), server-side template injection (Jinja2, Twig, Freemarker, Velocity, ERB, Pug), XML external entity (file + SSRF + parameter entity), second-order SQLi/XSS (cross-endpoint correlation)

    cross-site: reflected XSS (context-aware: HTML body, attribute, script, URL), stored XSS, DOM XSS (Playwright source-sink tracing), CSRF (cross-origin token check), postMessage origin validation

    access control: IDOR (sequential + UUID probing), BOLA (cross-object authorization, method override), CORS misconfiguration (origin reflection, null trust, regex bypass), forced browsing, auth bypass (default credentials), mass assignment (27 sensitive fields), broken access control (method + header injection), rate limit bypass (header-based IP spoofing)

    infrastructure: SSRF (localhost, cloud metadata AWS/GCP/Azure/DigitalOcean, 12 IP bypass variants), path traversal (encoding variants, null byte), subdomain takeover (13 service fingerprints), host header injection, WebSocket security (cross-site hijacking, origin validation)

    code execution: malicious file upload (web shells, polyglot, extension bypass), prototype pollution (server-side + client-side via Playwright), insecure deserialization

    auth: JWT algorithm confusion (alg none + admin forgery), OAuth/OIDC (state parameter CSRF, redirect_uri bypass with 10 evasion variants, scope escalation, implicit flow token exposure)

    logic: race conditions (parallel TOCTOU), workflow bypass (step skipping, state machine violation), open redirect, GraphQL (introspection dump, batching, field suggestion)

    caching: web cache poisoning (unkeyed header injection, unkeyed parameter injection, path-based cache deception, delimiter discrepancy, hop-by-hop header abuse)

    external: known CVE detection via nuclei templates

    waf evasion

    5 escalating layers, triggered automatically when a WAF blocks:

    1. encoding: URL, double URL, unicode, HTML entity
    2. structural: case randomization, SQL comment insertion, null bytes
    3. http-level: content-type switching, HTTP parameter pollution
    4. protocol-level: chunked transfer encoding obfuscation
    5. network-level: IP spoofing headers (10 variants), proxy rotation

    detects Cloudflare, AWS WAF, ModSecurity, Akamai, Imperva, F5, Azure WAF.

    ai brain

    uses Anthropic Claude and OpenAI GPT with model routing: cheap models (gpt-4o-mini) for response parsing and payload generation, expensive models (claude sonnet) for strategy planning, verification, and chain discovery.

    cost tracking: every AI call tracked. configurable budget cap (default $10). typical scan costs $1-5. works without AI too.

    external knowledge bases

    crowbar ships with its own payloads and wordlists, but scales massively with external repos:

    • nuclei-templates: --nuclei-templates ~/nuclei-templates loads YAML templates as a fast-pass known-CVE layer. runs before the AI engine. supports status/word/regex matchers, extractors, AND/OR conditions
    • SecLists: --wordlist ~/SecLists expands path discovery, parameter enumeration, subdomain bruteforce, and attack payloads. 10-100x coverage boost over built-in lists
    • PayloadsAllTheThings: --payloads ~/PayloadsAllTheThings imports comprehensive attack payloads organized by type (SQLi, XSS, SSRF, SSTI, XXE, LFI, RCE, NoSQLi)

    continuous monitoring

    crowbar watch https://target.com --interval 6h --webhook https://hooks.slack.com/xxx

    runs periodic scans, maintains a history of findings, alerts when new vulnerabilities appear, and tracks when old ones get fixed. configurable interval (1h, 6h, 1d, 7d), safety-capped at max runs. webhook alerts fire only on deltas, not every scan.

    web dashboard

    crowbar serve --port 3333

    dark-theme web UI at http://127.0.0.1:3333. start scans, view history, inspect vulnerabilities, track remediation. binds to localhost only -- never exposed to the network. optional API key auth via CROWBAR_API_KEY env var. REST API at /api/ for programmatic access. rate limited to 60 req/min. max 3 concurrent scans.

    honeypot detection

    analyzes target responses for 5 honeypot signals before wasting attack budget: suspiciously high vuln rate (>90%), fake SQL errors on non-SQL input, artificially consistent timing, known honeypot signatures (HFish, Cowrie, T-Pot), fingerprint mismatches.

    pipeline integration

    crowbar is the third tool in a security pipeline:

    pinata (white-box) scans source code, outputs gaps.json

    whackamole (gray-box) attacks known endpoints, generates and verifies fixes

    crowbar (black-box) needs nothing. optionally pass --gaps gaps.json for guided priorities

    pinata (knows code)  -->  whackamole (knows gaps)  -->  crowbar (knows nothing)

    safety

    • scope enforcement: every request checked against domain allowlist. DNS pre-resolution. private IP blocking
    • banned targets: .gov, .mil, .edu, major platforms blocked by default
    • rate limiting: configurable with hard cap at 100 req/s. adaptive slowdown on 429
    • destructive prevention: no DELETE/DROP by default. explicit flag required
    • request logging: every request/response as compressed JSONL audit trail
    • confirmation prompt: explicit yes/no before first attack
    • cost cap: AI budget enforced. scan completes gracefully if exceeded
    • payload randomization: shuffled per scan to avoid fingerprinting
    • honeypot detection: aborts or warns before wasting budget on decoys

    compliance

    vulnerability reports include regulatory compliance references:

    • PCI-DSS (payment card security)
    • OWASP (web application security)
    • HIPAA (healthcare data)
    • SOC2 (service organization controls)
    • GDPR (data protection)

    tech stack

    • TypeScript, Node.js 20+
    • Playwright (browser crawling, DOM XSS, client-side pollution, postMessage)
    • commander.js (CLI)
    • zod (runtime type validation)
    • Anthropic SDK + OpenAI SDK (AI brain)
    • vitest (testing)
    • tsup (bundling)

    development

    npm run dev      # watch mode
npm test         # run tests (1249 tests)
npm run build    # production build (408KB)
npm run lint     # type check

    this tool is for authorized security testing only. users must have explicit written permission to test targets. unauthorized access to computer systems is illegal. report findings responsibly.

    license

    MIT