The toolkit runs four independent test modules from a single CLI entry point.
Each module targets a specific vulnerability class:
The SQL injection module (`--mode sqli`) tests both error-based and blind SQL injection across form parameters, JSON body fields, and URL query strings. The scanner sends a battery of 24 payload patterns:

```shell
python src/pentest_helper.py --target https://api.example.com --mode sqli
# Sample output:
# [HIGH] POST /api/login username=' OR '1'='1 → 200 (SQL error disclosed)
# [MED] GET /search q=1' ORDER BY 1-- → 500 (column count inferable)
```

The XSS module (`--mode xss`) checks for reflected XSS with seven encoding bypass strategies (double URL encode, Unicode hex, base64, UTF-7, entity encode, mixed case, and null byte injection):
```shell
python src/pentest_helper.py --target https://shop.example.com --mode xss
# [HIGH] GET /product?q=<script>alert(1)</script> → 200 (unfiltered reflection)
```

The fuzz module (`--mode fuzz`) sends parameter mutation sequences based on common API misconfiguration patterns: schema probing, type mismatches, boundary violations, and mass assignment attempts. Each test spec names the endpoint and HTTP method and lists the payloads together with the response code the API should return:

```json
{
  "endpoint": "/api/users",
  "method": "POST",
  "tests": [
    {"payload": {"role": "admin"}, "expected": 403},
    {"payload": {"email": "test'"}, "expected": 400},
    {"payload": {"id": -1}, "expected": 404}
  ]
}
```

Every finding is emitted as a JSON object with severity, endpoint, payload, response code, remediation hint, and CWE reference:
```json
{
  "severity": "HIGH",
  "endpoint": "/api/login",
  "type": "sql-injection",
  "payload": "' OR '1'='1",
  "cwe": "CWE-89",
  "remediation": "Use parameterized queries or an ORM"
}
```

The combined `--mode all` flag runs all three modules sequentially with rate limiting built in (`--delay 500` adds 500ms between requests). Results merge into a single JSON report ready for import into Jira, DefectDojo, or your tracking system.
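The following is an added, self-contained example that is not part of Pentest Helper. It shows how the two formats described above fit together: a test spec in the documented shape is evaluated against an endpoint, every mismatch between the observed and expected status becomes a finding in the documented report schema, and per-module finding lists are merged into one de-duplicated report sorted by severity. The endpoint is a constructed in-memory mock (no network traffic), the `SEVERITY_RANK` ordering and the `classify()` mapping are assumptions (CWE-89 and its remediation text come from the page; CWE-915 for mass assignment and CWE-20 for input validation are added here), and the extra `response_code` and `expected` fields are assumed from the prose, since the page's sample finding omits them.

```python
import json
from collections import Counter
from itertools import chain
from typing import Callable

# Constructed test spec in the documented format (not from the project).
SPEC = {
    "endpoint": "/api/users",
    "method": "POST",
    "tests": [
        {"payload": {"role": "admin"}, "expected": 403},
        {"payload": {"email": "test'"}, "expected": 400},
        {"payload": {"id": -1}, "expected": 404},
    ],
}

# Hypothetical severity ordering used to sort the merged report.
SEVERITY_RANK = {"HIGH": 0, "MED": 1, "LOW": 2}


def mock_users_endpoint(method: str, payload: dict) -> int:
    """Constructed in-memory stand-in for POST /api/users.

    It rejects the mass-assignment attempt correctly but mishandles the
    other two cases, so the harness has something to report.
    """
    if method != "POST":
        return 405
    if "role" in payload:
        return 403  # privileged field rejected: matches the expectation
    if any("'" in v for v in payload.values() if isinstance(v, str)):
        return 500  # unhandled server error instead of a clean 400
    if any(isinstance(v, int) and v < 0 for v in payload.values()):
        return 200  # negative id accepted instead of 404
    return 201


def classify(payload: dict) -> tuple:
    """Map a failed test to (type, cwe, severity, remediation).

    Hypothetical mapping: CWE-89 and its remediation text are from the docs;
    CWE-915 (mass assignment) and CWE-20 (input validation) are assumed here.
    """
    if "role" in payload:
        return ("mass-assignment", "CWE-915", "HIGH",
                "Allow-list writable fields server-side")
    if any("'" in v for v in payload.values() if isinstance(v, str)):
        return ("sql-injection", "CWE-89", "HIGH",
                "Use parameterized queries or an ORM")
    if any(isinstance(v, int) and v < 0 for v in payload.values()):
        return ("input-validation", "CWE-20", "MED",
                "Validate identifiers before lookup")
    return ("unexpected-response", None, "LOW", "Review handler against spec")


def run_spec(spec: dict, responder: Callable[[str, dict], int]) -> list:
    """Evaluate each test against `responder`; emit a finding in the
    documented schema whenever the status differs from `expected`."""
    findings = []
    for test in spec["tests"]:
        status = responder(spec["method"], test["payload"])
        if status == test["expected"]:
            continue
        kind, cwe, severity, fix = classify(test["payload"])
        findings.append({
            "severity": severity,
            "endpoint": spec["endpoint"],
            "type": kind,
            "payload": json.dumps(test["payload"], sort_keys=True),
            "response_code": status,
            "expected": test["expected"],
            "cwe": cwe,
            "remediation": fix,
        })
    return findings


def merge_reports(*reports: list) -> list:
    """Combine per-module finding lists into one report: drop duplicates
    (same endpoint, type and payload) and order by severity, then endpoint."""
    seen, merged = set(), []
    for finding in chain.from_iterable(reports):
        key = (finding["endpoint"], finding["type"], finding["payload"])
        if key in seen:
            continue
        seen.add(key)
        merged.append(finding)
    merged.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["endpoint"]))
    return merged


def summarize(findings: list) -> dict:
    """Count findings per severity for a console summary line."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    report = merge_reports(run_spec(SPEC, mock_users_endpoint))
    print(json.dumps(report, indent=2))
    print(summarize(report))
```

Running the block reports two findings (the `email` and `id` cases), and `merge_reports` keeps them once even when the same list is passed twice; swap `mock_users_endpoint` for a function that performs the real request, honouring whatever delay your rate limit requires, to use the same evaluation and merging logic against a live test target.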
For vulnerability severity scoring methodology, see 02_scoring-guide.md.
Follow this guide to get Pentest Helper up and running in your environment.
```shell
# Fuzz an endpoint
python src/pentest_helper.py --target https://app.example.com --mode fuzz
# Test for SQL injection
python src/pentest_helper.py --target https://example.com --mode sqli
# Test for XSS
python src/pentest_helper.py --target https://example.com --mode xss
# Run all tests with JSON output
python src/pentest_helper.py --target https://example.com --mode all --output report.json
```

Console output shows each test with pass/fail status and severity. JSON output provides full request/response details for each finding, suitable for security reports or ticketing systems.