Pegasus Pentest Arsenal (PPA)

                                                    
                                   /\               
                               _  / |               
                              / \ |  \              
                             |  |\|  |              
                             |  | | /               
                             | /| |/                
                             |/ |/                  
                        ,/;  ;  ;                   
                     ,'/|; ,/,/,                    
                   ,'/ |;/,/,/,/|                   
                ,/;  |;|/,/,/,/,/|                  
              ,/';   |;|,/,/,/,/,/|                 
            ,/';     |;|/,/,/,/,/,/|,              
           /  ;      |;|,/,/,/,/,/,/|              
          / ,';      |;|/,/,/,/,/,/,/|             
         /,/';       |;|,/,/,/,/,/,/,/|            
        /;/ ';       |;|/,/,/,/,/,/,/,/|           
                                                    
     ██████╗ ███████╗ ██████╗  █████╗ ███████╗██╗   ██╗███████╗
     ██╔══██╗██╔════╝██╔════╝ ██╔══██╗██╔════╝██║   ██║██╔════╝
     ██████╔╝█████╗  ██║  ███╗███████║███████╗██║   ██║███████╗
     ██╔═══╝ ██╔══╝  ██║   ██║██╔══██║╚════██║██║   ██║╚════██║
     ██║     ███████╗╚██████╔╝██║  ██║███████║╚██████╔╝███████║
     ╚═╝     ╚══════╝ ╚═════╝ ╚═╝  ╚═╝╚══════╝ ╚═════╝ ╚══════╝
                    P E N T E S T   A R S E N A L                

A comprehensive web application security testing toolkit that combines 20 powerful penetration testing features into one tool.

Author

• Letda Kes Dr. Sobri, S.Kom
• GitHub: sobri3195
• Email: muhammadsobrimaulana31@gmail.com

Support the Project

If you find this tool useful, consider supporting the development:

Features

1. Subdomain + Curl HTTP Scanner

   • Discovers subdomains using a wordlist
   • Checks HTTP status and security headers
   • Identifies potential security misconfigurations

2. JWT Token Inspector

   • Analyzes JWT token structure and claims
   • Identifies security issues in token configuration
   • Detects common JWT vulnerabilities

3. Parameter Pollution Finder

   • Tests for HTTP Parameter Pollution (HPP)
   • Identifies vulnerable parameters
   • Detects server-side parameter handling issues

4. CORS Misconfiguration Scanner

   • Tests for CORS policy misconfigurations
   • Identifies dangerous wildcard policies
   • Detects credential exposure risks

5. Upload Bypass Tester

   • Tests file upload restrictions
   • Attempts various bypass techniques
   • Identifies dangerous file type handling

6. Exposed .git Directory Finder

   • Scans for exposed version control files
   • Identifies leaked Git repositories
   • Tests for sensitive information disclosure

7. SSRF (Server Side Request Forgery) Detector

   • Tests for SSRF vulnerabilities
   • Identifies vulnerable parameters
   • Includes cloud metadata endpoint tests

8. Blind SQL Injection Time Delay Detector

   • Tests for time-based SQL injection
   • Supports multiple database types
   • Identifies injectable parameters

9. Local File Inclusion (LFI) Mapper

   • Tests for LFI vulnerabilities
   • Includes path traversal detection
   • Supports various encoding bypasses

10. Web Application Firewall (WAF) Fingerprinter

    • Identifies WAF presence
    • Detects WAF vendor/type
    • Tests WAF effectiveness

11. Security Headers Auditor

    • Checks for missing or weak security headers
    • Highlights CSP, HSTS, and clickjacking protection gaps
    • Provides actionable recommendations

12. Robots.txt & Sitemap Analyzer

    • Retrieves robots.txt directives and sitemap locations
    • Highlights sensitive disallowed paths
    • Extracts URLs from sitemap files

13. Directory & File Discovery

    • Probes common admin, API, and backup paths
    • Identifies exposed services and entry points

14. Backup/Config Exposure Scanner

    • Looks for leaked backup archives and config files
    • Flags potential data leakage points

15. Open Redirect Tester

    • Tests redirect parameters for unsafe redirect behavior
    • Flags reflected external redirect destinations

16. Reflected XSS Tester

    • Injects XSS payloads into parameters
    • Detects reflection that may lead to XSS

17. Host Header Injection Tester

    • Sends forged Host/X-Forwarded-Host headers
    • Checks for unsafe host reflection and redirect issues

18. HTTP Method Tester

    • Identifies dangerous or unexpected HTTP methods
    • Displays server Allow headers for quick review

19. Cookie Security Checker

    • Audits Secure, HttpOnly, and SameSite flags
    • Highlights weak session cookie configurations

20. Rate Limiting Tester

    • Sends burst requests to detect rate limiting
    • Flags response time spikes or 429 responses

Installation

1. Clone the repository:

git clone https://github.com/sobri3195/pegasus-pentest-arsenal.git
cd pegasus-pentest-arsenal

2. Create a virtual environment (recommended):

python -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate

3. Install dependencies:

pip install -r requirements.txt

Usage

1. Run the main script:

python pegasus_pentest.py

2. Select a tool from the menu (1-20)
3. Follow the prompts to enter target information
4. Review the results

Requirements

• Python 3.8+
• Required packages (see requirements.txt):
  • requests
  • httpx
  • urllib3
  • colorama
  • pyjwt
  • beautifulsoup4

Security Considerations

• This tool is for educational and authorized testing purposes only
• Always obtain proper authorization before testing any target
• Some features may trigger security alerts or be blocked by security controls
• Use responsibly and ethically

Contributing

1. Fork the repository
2. Create a feature branch
3. Commit your changes
4. Push to the branch
5. Create a Pull Request

License

This project is licensed under the MIT License - see the LICENSE file for details.

Disclaimer

This tool is provided for educational and authorized testing purposes only. Users are responsible for obtaining proper authorization before testing any target. The authors are not responsible for any misuse or damage caused by this tool.