← Back to all products
$29
Pentest Helper
Penetration testing toolkit for testing your own apps with request fuzzing and injection detection.
JSONMarkdownPython
📄 Product Preview
Try the interactive reader and demo tools below, or get the full product with all content unlocked.
📖 Interactive Reader (Free Preview) ⚙ Try Demo Tools 📦 Download Free Sample📁 File Structure 10 files
pentest-helper/
├── LICENSE
├── README.md
├── examples/
│ └── pentest_config.json
├── free-sample.zip
├── guide/
│ ├── 01_features.md
│ ├── 02_quick-start.md
│ ├── 03_configuration-reference.md
│ └── 04_license.md
├── index.html
└── src/
└── pentest_helper.py
📖 Documentation Preview README excerpt
Pentest Helper
A lightweight penetration testing toolkit for testing YOUR OWN applications. Request fuzzing, SQL injection detection, and XSS scanning in a single Python script.
Disclaimer: Only use this tool against systems you own or have explicit written authorization to test. Unauthorized penetration testing is illegal in most jurisdictions.
Features
- Request fuzzer — sends common payload patterns to discover unexpected behavior
- SQL injection tester — error-based and blind injection pattern detection
- XSS scanner — reflected XSS detection with encoding bypass checks
- Multiple test modes — run
fuzz,sqli,xss, orallin one pass - Configurable endpoints — test multiple URLs and HTTP methods from a config file
- Rate limiting — built-in delays to avoid overwhelming targets
- Severity-rated findings — each vulnerability tagged with risk level
- JSON report output — structured results for tracking and remediation
Requirements
- Python 3.10+
- No external dependencies (stdlib only)
Quick Start
# Fuzz an endpoint
python src/pentest_helper.py --target https://app.example.com --mode fuzz
# Test for SQL injection
python src/pentest_helper.py --target https://example.com --mode sqli
# Test for XSS
python src/pentest_helper.py --target https://example.com --mode xss
# Run all tests with JSON output
python src/pentest_helper.py --target https://example.com --mode all --output report.json
Output
Console output shows each test with pass/fail status and severity. JSON output provides full request/response details for each finding, suitable for security reports or ticketing systems.
Configuration Reference
Use a config file for batch testing (see examples/pentest_config.json):
{
"target": "https://app.example.com",
"modes": ["sqli", "xss", "fuzz"],
"endpoints": [
{"url": "https://app.example.com/search?q=test", "method": "GET"},
{"url": "https://app.example.com/login", "method": "POST"}
],
"rate_limit_ms": 500,
"timeout_seconds": 10
}
| Field | Type | Description |
... continues with setup instructions, usage examples, and more.
📄 Code Sample .py preview
src/pentest_helper.py
#!/usr/bin/env python3
"""
Pentest Helper — Security Kit (DataNest)
A lightweight penetration testing toolkit for testing YOUR OWN applications.
Includes request fuzzing, SQL injection pattern testing, and XSS detection.
⚠️ IMPORTANT: Only use this tool against systems you own or have explicit
written permission to test. Unauthorized testing is illegal.
Usage:
python pentest_helper.py --target https://api.example.com --mode fuzz
python pentest_helper.py --target https://example.com --mode sqli
python pentest_helper.py --target https://example.com --mode xss
python pentest_helper.py --target https://example.com --mode all --output report.json
Dependencies: Python 3.10+ stdlib only (no pip packages)
License: MIT
"""
from __future__ import annotations
import argparse
import html
import json
import logging
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from pathlib import Path
from typing import Any
# ---------------------------------------------------------------------------
# Constants
# ---------------------------------------------------------------------------
logger = logging.getLogger("pentest_helper")
HTTP_TIMEOUT = 10
USER_AGENT = "SecurityKit-PentestHelper/1.0"
# SQL injection test payloads — classic error-based patterns
# Why these: They trigger database errors if input is unsanitized,
# revealing SQL injection vulnerabilities without causing damage.
SQLI_PAYLOADS: list[dict[str, str]] = [
{"payload": "'", "name": "single-quote", "type": "error-based"},
# ... 467 more lines ...