shiva/modules/web/default.nix

{ pkgs, config, lib, ... }:
let
  cfg = config.shiva.modules.web;
  gui = config.shiva.gui-tools;
in
{
  options.shiva.modules.web = {
    enable = lib.mkEnableOption "Web Application and API Hacking";
    burpsuite.proEdition = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Install Burpsuite Pro";
    };
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = with pkgs; [
      apachetomcatscanner # Tool to scan for Apache Tomcat server vulnerabilities 
      arjun # HTTP parameter discovery suite
      brakeman # Static analysis security scanner for Ruby on Rails
      cansina # Web Content Discovery Tool 
      cariddi # Crawler for URLs and endpoints
      chopchop # CLI to search for sensitive services/files/folders
      clairvoyance # Tool to obtain GraphQL API schemas
      commix # Automated Command Injection Exploitation Tool
      crackql # GraphQL password brute-force and fuzzing utility
      crlfsuite # CRLF injection (HTTP Response Splitting) scanner
      dalfox # Tool for analysing parameter and XSS scanning
      dismap # Asset discovery and identification tools
      dirstalk # Tool to brute force paths on web servers
      gau # Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.  
      gospider # Fast web spider written in Go 
      gotestwaf # Tool for API and OWASP attack simulation
      gowitness # Web screenshot utility
      graphqlmap # Tool to interact with a GraphQL endpoint
      graphw00f # GraphQL Server Engine Fingerprinting utility 
      gungnir # A command-line tool that continuously monitors certificate transparency (CT) logs for newly issued SSL/TLS certificates
      hakrawler # Web crawler for the discovery of endpoints and assets
      httpx # Fast and multi-purpose HTTP toolkit 
      jsubfinder # Tool to search for subdomains and secrets hidden in JavaScript
      jwt-hack # Tool for attacking JWTs 
      mantra # Tool used to hunt down API key leaks in JS files and pages 
      ntlmrecon # Information enumerator for NTLM authentication enabled web endpoints 
      plecost # Vulnerability fingerprinting and vulnerability finder for Wordpress blog engine
      snallygaster # Tool to scan for secret files on HTTP servers 
      wad # Tool for detecting technologies used by web applications
      webanalyze # Tool to uncover technologies used on websites 
      wprecon # WordPress vulnerability recognition tool 
      wpscan # Black box WordPress vulnerability scanner
      wsrepl # WebSocket REPL
      wuzz # Interactive cli tool for HTTP inspection
      xcrawl3r # A CLI utility to recursively crawl webpages
    ] ++ lib.optionals gui [
      (burpsuite.override {
        proEdition = cfg.burpsuite.proEdition;
      }) # An integrated platform for performing security testing of web applications
      zap
    ];
  };
}
initial commit 2024-06-09 13:38:32 +00:00			`{ pkgs, config, lib, ... }:`
			`let`
			`cfg = config.shiva.modules.web;`
			`gui = config.shiva.gui-tools;`
			`in`
			`{`
			`options.shiva.modules.web = {`
			`enable = lib.mkEnableOption "Web Application and API Hacking";`
			`burpsuite.proEdition = lib.mkOption {`
			`type = lib.types.bool;`
			`default = false;`
			`description = "Install Burpsuite Pro";`
			`};`
			`};`

			`config = lib.mkIf cfg.enable {`
			`environment.systemPackages = with pkgs; [`
			`apachetomcatscanner # Tool to scan for Apache Tomcat server vulnerabilities`
			`arjun # HTTP parameter discovery suite`
			`brakeman # Static analysis security scanner for Ruby on Rails`
			`cansina # Web Content Discovery Tool`
			`cariddi # Crawler for URLs and endpoints`
			`chopchop # CLI to search for sensitive services/files/folders`
			`clairvoyance # Tool to obtain GraphQL API schemas`
			`commix # Automated Command Injection Exploitation Tool`
			`crackql # GraphQL password brute-force and fuzzing utility`
			`crlfsuite # CRLF injection (HTTP Response Splitting) scanner`
			`dalfox # Tool for analysing parameter and XSS scanning`
			`dismap # Asset discovery and identification tools`
			`dirstalk # Tool to brute force paths on web servers`
			`gau # Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.`
			`gospider # Fast web spider written in Go`
			`gotestwaf # Tool for API and OWASP attack simulation`
			`gowitness # Web screenshot utility`
			`graphqlmap # Tool to interact with a GraphQL endpoint`
			`graphw00f # GraphQL Server Engine Fingerprinting utility`
			`gungnir # A command-line tool that continuously monitors certificate transparency (CT) logs for newly issued SSL/TLS certificates`
			`hakrawler # Web crawler for the discovery of endpoints and assets`
			`httpx # Fast and multi-purpose HTTP toolkit`
			`jsubfinder # Tool to search for subdomains and secrets hidden in JavaScript`
			`jwt-hack # Tool for attacking JWTs`
			`mantra # Tool used to hunt down API key leaks in JS files and pages`
			`ntlmrecon # Information enumerator for NTLM authentication enabled web endpoints`
			`plecost # Vulnerability fingerprinting and vulnerability finder for Wordpress blog engine`
			`snallygaster # Tool to scan for secret files on HTTP servers`
			`wad # Tool for detecting technologies used by web applications`
			`webanalyze # Tool to uncover technologies used on websites`
			`wprecon # WordPress vulnerability recognition tool`
			`wpscan # Black box WordPress vulnerability scanner`
			`wsrepl # WebSocket REPL`
			`wuzz # Interactive cli tool for HTTP inspection`
			`xcrawl3r # A CLI utility to recursively crawl webpages`
			`] ++ lib.optionals gui [`
			`(burpsuite.override {`
			`proEdition = cfg.burpsuite.proEdition;`
			`}) # An integrated platform for performing security testing of web applications`
			`zap`
			`];`
			`};`
			`}`