{ pkgs, config, lib, ... }:
let
  cfg = config.shiva.modules.web;
  gui = config.shiva.gui-tools;
in
{
  options.shiva.modules.web = {
    enable = lib.mkEnableOption "Web Application and API Hacking";
    burpsuite.proEdition = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Install Burpsuite Pro";
    };
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = with pkgs; [
      apachetomcatscanner # Tool to scan for Apache Tomcat server vulnerabilities 
      arjun # HTTP parameter discovery suite
      brakeman # Static analysis security scanner for Ruby on Rails
      cansina # Web Content Discovery Tool 
      cariddi # Crawler for URLs and endpoints
      chopchop # CLI to search for sensitive services/files/folders
      clairvoyance # Tool to obtain GraphQL API schemas
      commix # Automated Command Injection Exploitation Tool
      crackql # GraphQL password brute-force and fuzzing utility
      crlfsuite # CRLF injection (HTTP Response Splitting) scanner
      dalfox # Tool for analysing parameter and XSS scanning
      dismap # Asset discovery and identification tools
      dirstalk # Tool to brute force paths on web servers
      gau # Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.  
      gospider # Fast web spider written in Go 
      gotestwaf # Tool for API and OWASP attack simulation
      gowitness # Web screenshot utility
      graphqlmap # Tool to interact with a GraphQL endpoint
      graphw00f # GraphQL Server Engine Fingerprinting utility 
      gungnir # A command-line tool that continuously monitors certificate transparency (CT) logs for newly issued SSL/TLS certificates
      hakrawler # Web crawler for the discovery of endpoints and assets
      httpx # Fast and multi-purpose HTTP toolkit 
      jsubfinder # Tool to search for subdomains and secrets hidden in JavaScript
      jwt-hack # Tool for attacking JWTs 
      mantra # Tool used to hunt down API key leaks in JS files and pages 
      ntlmrecon # Information enumerator for NTLM authentication enabled web endpoints 
      plecost # Vulnerability fingerprinting and vulnerability finder for Wordpress blog engine
      snallygaster # Tool to scan for secret files on HTTP servers 
      wad # Tool for detecting technologies used by web applications
      webanalyze # Tool to uncover technologies used on websites 
      wprecon # WordPress vulnerability recognition tool 
      wpscan # Black box WordPress vulnerability scanner
      wsrepl # WebSocket REPL
      wuzz # Interactive cli tool for HTTP inspection
      xcrawl3r # A CLI utility to recursively crawl webpages
    ] ++ lib.optionals gui [
      (burpsuite.override {
        proEdition = cfg.burpsuite.proEdition;
      }) # An integrated platform for performing security testing of web applications
      zap
    ];
  };
}