Ravan is a JavaScript Distributed Computing system that uses HTML5 WebWorkers to perform brute force attacks on salted hashes in background JavaScript threads across a farm of workers.

Salted and plain versions of the following hashing algorithms are currently supported:

  • MD5
  • SHA1
  • SHA256
  • SHA512
Try it online  Description 


JS-Recon a HTML5 based JavaScript Network Reconnaissance tool. It uses HTML5 features like CrossOriginRequests and WebSockets to perform network and port scanning from the browser.

Current functionality:

  • Port Scanning
  • Network Scanning
  • Detecting Internal IP Address
Try it online  Description 

Shell of the Future

Shell of the Future is a Reverse Web Shell handler. It can be used to hijack sessions where JavaScript can be injected using Cross-site Scripting or through the browser's address bar. It makes use of HTML5's Cross Origin Requests and can bypass anti-session hijacking measures like Http-Only cookies and IP address-Session ID binding.

It can be used to:

  • Demonstrate the severity of XSS and JavaScript injection attacks
  • Create POCs for XSS vulnerabilities in Penetration test reports
  • Run automated scans on internal websites from outside by tunneling the traffc through an internal browser
Download  UserGuide  Video  Source Code


This is a plugin template for Burp Proxy that is used for penetration testing of JAVA Serialzied Objects passed in POST data. It was part of the demo presented at BlackHat Europe 2010.

The plug-in provides the following:

  • Deserialized the JAVA Object from the captured POST data
  • Injects a (J)IRB shell within Burp Proxy
  • Provides helper methods to access private varialbles and other useful stuff
Download  Video


Imposter is a flexible framework to perform Browser Phishing attacks.

The lists of attacks performed are:

  • Steal cookies
  • Set cookies
  • Steal Local Shared Objects
  • Steal stored passwords from FireFox
  • Steal cached files
  • Poison browser cache
  • Steal files from the victim's local file system through Internet Explorer
  • Run SQL queries on the victim's Google Gears database and transfer the results
  • Create ResourceStore and Managed ResourceStore on the victim's Google Gears LocalServer
Download  UserGuide  Videos


During Penetration testing it can be seen that thick-clients sometimes communicate with a server whose IP address is hardcoded in to it. The HTTP communication between such client and server is harder to intercept and test. Sniff-n-Snip is a very useful utility in such scenarios. It sniffs for HTTP packets from the client to server and forwards them to your favorite proxy (Burp, WebScarab , Paros etc).

Download  User Guide